NEI 99-02, Regulatory Assessment Performance Indicator Guideline


Regulatory Assessment Performance Indicator Guideline

August 31, 2013

ML13261A116

Rev 7


Nuclear Energy Institute, 1201 F Street N.W., Suite 1100, Washington D.C. 20004 (202.739.8000) 

ACKNOWLEDGMENTS

This guidance document, Regulatory Assessment Performance Indicator Guideline, NEI 99-02, was originally developed by the NEI Safety Performance Assessment Task Force in conjunction with the NRC staff. We appreciate the direct participation of the many utilities, INPO and the NRC who contributed to the development of the original guidance. Today (2013), the industry role in supporting and maintaining NEI 99-02 is led by the efforts of the NEI Reactor Oversight Process Task Force (ROPTF). The ROPTF is comprised of representatives of NEI member utilities and vendors, and INPO. This document benefits from their collaboration and from our continuing interactions with, and inputs from, the NRC staff.

Additional information on the ROPTF can be found at www.nei.org, or by contacting James Slider at NEI, phone number (202) 739-8015 and e-mail jes@nei.org.


INFORMATION COLLECTION

Licensee submission of performance indicator information to the Nuclear Regulatory Commission (NRC) is an information collection that was approved by the Office of Management and Budget. Additional information regarding this information collection is contained in NRC Regulatory Issue Summary 2000-08, Revision 1, "Voluntary Submission of Performance Indicator Data."

NOTICE

Neither NEI, nor any of its employees, members, supporting organizations, contractors, or consultants make any warranty, expressed or implied, or assume any legal responsibility for the accuracy or completeness of, or assume any liability for damages resulting from any use of, any information, apparatus, methods, or process disclosed in this report or that such may not infringe privately-owned rights.


EXECUTIVE SUMMARY

In 2000 the Nuclear Regulatory Commission revised its regulatory oversight process for inspection, assessment and enforcement of commercial nuclear power reactors. This process utilizes information obtained from licensee-reported performance indicators and NRC inspection findings. The purpose of this manual is to provide the guidance necessary for power reactor licensees to collect and report the data elements that will be used to compute the Performance Indicators.

An overview of the complete oversight process is provided in NUREG 1649, “Reactor Oversight Process.” More detail is provided in SECY 99-007, “Recommendations for Reactor Oversight Process Improvements,” as amended in SECY 99-007A and SECY 00-049, “Results of the Revised Reactor Oversight Process Pilot Program.”

This revision is effective for data collection as of October 1, 2013 and includes Frequently Asked Questions approved through March 31, 2013.

Summary of Changes to NEI 99-02 Revision 6 to Revision 7

Page or Section | Major Changes
p. iii | Added list of FAQs incorporated in Rev. 7
pp. 1-6 | Editorial corrections from Slider, Heffner, Balazik
p. 4 | Tabularized the criteria for submitting comments in CDE.
pp. 8-9 | Editorial corrections to Table 2, Performance Indicators
p. 13 | Editorial corrections to data example
p. 14-16 | Incorporated FAQ 469 (09-09) for unplanned power changes indicator
p. 17-19 | Editorial corrections from Gary Miller eliminating repetition in definition of unplanned power changes
p. 20 | Editorial corrections to data example
pp. 21-29 | Incorporated numerous changes to unplanned scrams with complications per FAQ 481 (10-02)
p. 28 | Editorial corrections to data example
p. 32 | Amplified guidance saying SSFF report date is tied to date of revised LER.
p. 33 | Editorial corrections to data example
pp. 34-39 | Incorporated numerous changes on guidance for updating PRA data and basis document, per FAQ 477 (11-02) and conforming changes per Roy Linthicum.
p. 40 | Editorial corrections to data example
p. 43 | Editorial corrections to data example
p. 45 | Editorial corrections to data example
p. 46 | Incorporated clarification on notification criterion, per FAQ 12-06
p. 49 | Incorporated clarification on multi-site ERO members, per FAQ 09-10
p. 49 | Incorporated clarification on phone-talker, per FAQ 09-06
p. 53 | Editorial corrections to data example
p. 54 | Incorporated clarification on multi-site ERO members, per FAQ 09-10
p. 53 | Incorporated clarification on performance enhancing opportunities, per FAQ 12-06
pp. 55-56 | Incorporated clarification on multi-site ERO members, per FAQ 09-10
p. 59 | Editorial corrections to data example
p. 61 | Incorporated guidance on sirens deliberately unavailable, per FAQ 11-13
p. 64 | Editorial corrections to data example
p. 70 | Editorial corrections to data example
p. 72 | Editorial corrections to data example
pp. 73-78 | Misc. clarifications per FAQ 12-02
p. 79 | Editorial corrections to data example
Table B-1 | Corrected MSPI data element descriptions
App. D | Replaced discussion of FAQ timeliness with a reference pointing to App. E
p. D-13 | Inserted Point Beach addition of auxiliary feedwater pumps, per FAQ 11-05
p. D-15 | Inserted Fort Calhoun case on sirens de-powered because of flood, per FAQ 11-11
App. E | Inserted guidance on timely submittal of FAQs per whitepaper accepted May 2013
p. E-3 | Inserted guidance on withdrawal of FAQs, per FAQ 10-01
Figure E-1 | Revised FAQ template to link to updates of PRA information or basis document
App. F | Incorporated numerous conforming changes and corrections provided by Roy Linthicum throughout this appendix (e.g., adding “segment” where “train” appears)
pp. F-1 to F-3, F-7, F-33 | Clarified guidance on no cascading of unavailability, per FAQ 10-06.
p. F-5 | Clarified guidance on operability, per FAQ 09-08
p. F-10 | Clarified guidance on changes in baseline unavailability, per FAQ 09-07
F2.1.2 | Clarified that the fuel oil transfer pump is part of the EDG super-component, per FAQ 11-07
p. F-29 | Revised EDG failure mode definitions per FAQ 09-08
App. F, Table 7 | Incorporated Browns Ferry generic common cause factor adjustments, per FAQ 10-03.
p. F-57 | Clarified treatment of last isolation valve in a cooling water line, per FAQ 11-01
Fig. F-1 | Revised to show FOTP is within the boundary of the EDG, per FAQ 11-07
Fig. F-6 | Revised to show treatment of last isolation valve, per FAQ 11-01
App. G | Incorporated conforming changes and corrections provided by Roy Linthicum
App. H | Clarified guidance regarding availability of main feedwater in determining complicated scrams, per FAQ 10-02


Frequently Asked Questions

The following table identifies where NRC-approved FAQs were incorporated in the text. Not all FAQs required a text change, and those FAQs are also identified. All of these FAQs will be placed in the archived FAQ file which is available on the NRC website for reference only.

FAQ# | PI | Subject | Subject Text Rev.6 | Changes Text? | Final Approval Date and Documentation | Where Found in Revision 7?
09-04 (467) | IE04 | USwC, Availability of Feedwater | pp. 21-22. | No | October 15, 2009 Meeting http://pbadupws.nrc.gov/docs/ML0930/ML093060290.html | Subject was Brunswick scram on 11/26/2008 that was judged to be uncomplicated. The proposed resolution called for generic guidance to be clarified in a future generic FAQ.
09-08 (472) | MS06 MS07 MS08 MS09 MS10 | Definition of Availability | App. F, §1.2.1 | Yes Done. | December 2, 2009 Meeting http://pbadupws.nrc.gov/docs/ML0930/ML093060290.html | Changes are effective April 1, 2010 for data to be reported on July 21, 2010. Page F-6, “Return to Service:…” Page F-8, “or return to service…” Page F-29, “…when the EDG output breaker…” Page F-30, Added “Include all failures…” text to definitions of pump and valve failures.
09-07 (468) | MS06 MS07 MS08 MS09 MS10 | Baseline Revisions | App. F, §1.2.1 | Yes Done. | January 21, 2010 Meeting http://pbadupws.nrc.gov/docs/ML1002/ML100261638.html | Changes are effective April 1, 2010 for data to be reported on July 21, 2010. Page F-10, “Prior to implementation…”
09-09 (469) | IE03 | Unplanned Power Changes | p. 14 | Yes Done. | March 18, 2010 Meeting http://pbadupws.nrc.gov/docs/ML1008/ML100850185.html | Pages 14-16, delineation of applicable power changes
10-01 (470) | None | Withdrawal of FAQs | App. E | Yes Done. | March 18, 2010 Meeting http://pbadupws.nrc.gov/docs/ML1008/ML100850185.html | Page E-3, “Withdrawal of FAQs…”
09-06 (471) | EP01 | Designated Notifier | pp. 45-46 | Yes Done. | April 21, 2010 Meeting http://pbadupws.nrc.gov/docs/ML1011/ML101130117.html | Effective July 1, 2010. Page 51, “Demonstrating sufficient knowledge…”
10-04 (473) | MS06 | Browns Ferry CCF Values | App. F, Table 7 | Yes Done. | May 26, 2010 Meeting http://pbadupws.nrc.gov/docs/ML1015/ML101530434.html | Page F-42, Table 7, Added Unit 1 CCF adjustment value.
10-03 (474) | IE04 | Wolf Creek Scrams | App. H | No | June 23, 2010 Meeting http://pbadupws.nrc.gov/docs/ML1018/ML101800474.pdf | Decided scram should count as complicated
10-05 (475) | IE04 | Palo Verde Scrams | App. H | No | June 23, 2010 Meeting http://pbadupws.nrc.gov/docs/ML1018/ML101800474.pdf | NRC suggests generic FAQ should follow. This was later determined to be unneeded.
09-10 (476) | EP02 | Common EOF | p. 50 | Yes Done. | February 16, 2011 http://pbadupws.nrc.gov/docs/ML1106/ML11068A001.pdf | Effective 3Q2011, for data to be reported by October 21, 2011. Page 50, “If an ERO member…” Page 55, “The participation indicator…” Pages 56-58, “Option for ERO…”
11-02 (477) | MS05 | MSPI Basis Document Update | pp. 33-34 | Yes Done. | February 16, 2011 http://pbadupws.nrc.gov/docs/ML1106/ML11068A001.pdf | Page 37-38, Inserted various mentions of when to update the basis document.
11-03 (478) | IE04 | Robinson Scram | App. H | No | February 16, 2011 http://pbadupws.nrc.gov/docs/ML1106/ML11068A001.pdf | Scram determined not to count as complicated. No change in text needed.
11-05 (479) | MS08 | Point Beach AFW Pumps | App. D | Yes Done | May 4, 2011 http://pbadupws.nrc.gov/docs/ML1114/ML11140A101.html | Page D-13, “Point Beach…” Page F-43, Table 7, Revised Point Beach MDP Standby value.
10-02 (481) | IE04 | USwC | p. 20, lines 22-46 | Yes Done | September 21, 2011 http://pbadupws.nrc.gov/docs/ML1128/ML11284A011.pdf | Effective October 1, 2011, for data to be reported by January 21, 2012 Pages 20-26, Edited in role of MFW availability. Page H-1, Revised introduction to mention unavailability of MFW. Page H-4, Extensive revisions of Question H1.5. Page H-5, conforming edits to text of H1.5. Page H-20, conforming edits to H3.5.
11-01 (482) | MS10 | Cooling Water Valve | p. F-52 | Yes Done | September 21, 2011 http://pbadupws.nrc.gov/docs/ML1128/ML11284A011.pdf | Effective January 1, 2012 for data to be reported by April 21, 2012. Page F-58, Revised “Cooling Water Support System” description. Page F-66, Revised Figure F-6 to show train boundaries consistent with FAQ.
11-04 (483) | IE03 | Downpower to Recover Lost Recirc Pump | p. 13, lines 24-29 | Yes Done | September 21, 2011 http://pbadupws.nrc.gov/docs/ML1128/ML11284A011.pdf | Effective October 1, 2011 for data to be reported by January 21, 2012. Page 17, “Power changes to restore…”
11-06 (480) | MS06 | EDG Run Hours | App. F, §2.2.1 | Yes Done | September 21, 2011 http://pbadupws.nrc.gov/docs/ML1128/ML11284A011.pdf | Page F-24, “For pumps, run hours…”
11-07 (484) | MS05 | Fuel Oil Transfer Pump | App. F, §2.1.2 | Yes Done | May 4, 2011 http://pbadupws.nrc.gov/docs/ML1114/ML11140A101.html | Effective January 1, 2012 for data to be reported by April 21, 2012 Page F-21, “…which are part of the EDG super-component…” Page F-22, Table 2, “Diesel Generators…” Page F-50, Revised “Scope” section to mention fuel oil transfer pump and valve. Page F-60, Revised Figure F-1 to clarify that FOTP is within EDG Component Boundary depicted.
11-08 (487) | MS06 | EDG Failure Modes | p. F-26, lines 3-15 | Yes Done | October 26, 2011 http://pbadupws.nrc.gov/docs/ML1130/ML11304A260.pdf | Effective January 1, 2012 for data to be reported by April 21, 2012 Page F-29, Revised definition of EDF failure to run.
11-11 (485) | EP03 | Siren Testing | p. 57, lines 6-10 | Yes Done | September 21, 2011 http://pbadupws.nrc.gov/docs/ML1128/ML11284A011.pdf | Effective 2Q2011 Page D-15, “Fort Calhoun…”
10-06 (486) | MS06 | Cascaded Unavailability | §2.2, pp. 31-36 | Yes Done | October 26, 2011 http://pbadupws.nrc.gov/docs/ML1130/ML11304A260.pdf | Effective April 1, 2012, for data to be reported by July 21, 2012. Pages 35-40, “…train/system boundaries…” Page F-1, “The cooling water support system…” Page F-2, “The impact of room cooling…” Page F-7, “No Cascading…” Page F-33, Revised “Failures of Discovered Conditions”. Page F-55, Revised Scope to mention CST.
11-09 (488) | MS | Crystal River Shutdown | App. D | No | October 26, 2011 http://pbadupws.nrc.gov/docs/ML1130/ML11304A260.pdf | Withdrawn
10-07 | IE04 | Vendor EOPs | | No | May 4, 2011 http://pbadupws.nrc.gov/docs/ML1114/ML11140A101.html | Withdrawn
11-10 | PP01 | Security OUO | | No | January 19, 2012 http://pbadupws.nrc.gov/docs/ML1203/ML12030A117.pdf | Approved final; see generic FAQ 12-02 for text changes needed
11-12 | IE03 | Fitzpatrick Downpowers | | No | January 19, 2012 http://pbadupws.nrc.gov/docs/ML1203/ML12030A117.pdf | Approved final; determination only; no change required.
11-13 | EP03 | Suspension of Siren Testing | | Yes Done | March 28, 2012 http://pbadupws.nrc.gov/docs/ML1211/ML12110A103.pdf | Effective April 1, 2012, for data to be reported by July 21, 2012. Page 63, “Additionally, if sirens are not…”
12-01 | MS06 | Columbia EDG Failure | | No | August 29, 2012 http://pbadupws.nrc.gov/docs/ML1224/ML12249A179.html | Withdrawn
12-02 | PP01 | Counting of Compensatory Hours for PIDS | | Yes Done | August 29, 2012 http://pbadupws.nrc.gov/docs/ML1224/ML12249A179.html | Page 77, “This indicator serves as a measure of…” Page 79, “Compensatory measures: Measures…” Page 81, “Degradation:…”
12-03 | IE04 | St. Lucie USwC | | No | August 29, 2012 http://pbadupws.nrc.gov/docs/ML1224/ML12249A179.html |
12-06 | EP02 | DEP Oppys | p. 51 | Yes Done | March 27, 2013 http://pbadupws.nrc.gov/docs/ML1311/ML13113A355.html | Section 2.4





TABLE OF CONTENTS

EXECUTIVE SUMMARY
SUMMARY OF CHANGES TO NEI 99-02
FAQ TABLE
1 INTRODUCTION
    Background
    General Reporting Guidance
    Guidance for Correcting Previously Submitted Performance Indicator Data
    Comment Fields
    Numerical Reporting Criteria
    Submittal of Performance Indicator Data
2 PERFORMANCE INDICATORS
  2.1 INITIATING EVENTS CORNERSTONE
    UNPLANNED SCRAMS PER 7,000 CRITICAL HOURS
    UNPLANNED POWER CHANGES PER 7,000 CRITICAL HOURS
    UNPLANNED SCRAMS WITH COMPLICATIONS
  2.2 MITIGATING SYSTEMS CORNERSTONE
    SAFETY SYSTEM FUNCTIONAL FAILURES
    MITIGATING SYSTEM PERFORMANCE INDEX
  2.3 BARRIER INTEGRITY CORNERSTONE
    REACTOR COOLANT SYSTEM (RCS) SPECIFIC ACTIVITY
    REACTOR COOLANT SYSTEM LEAKAGE
  2.4 EMERGENCY PREPAREDNESS CORNERSTONE
    DRILL/EXERCISE PERFORMANCE
    EMERGENCY RESPONSE ORGANIZATION DRILL PARTICIPATION
    ALERT AND NOTIFICATION SYSTEM RELIABILITY
  2.5 OCCUPATIONAL RADIATION SAFETY CORNERSTONE
    OCCUPATIONAL EXPOSURE CONTROL EFFECTIVENESS
  2.6 PUBLIC RADIATION SAFETY CORNERSTONE
    RETS/ODCM RADIOLOGICAL EFFLUENT OCCURRENCE
  2.7 SECURITY CORNERSTONE
    PROTECTED AREA (PA) SECURITY EQUIPMENT PERFORMANCE INDEX

Appendices

A. Acronyms & Abbreviations
B. Structure and Format of NRC Performance Indicator Data Files
C. Background Information and Cornerstone Development
D. Plant-Specific Design Issues
E. Frequently Asked Questions
F. Methodologies for Computing the Unavailability Index, the Unreliability Index and Component Performance Limits
G. MSPI Basis Document Development
H. USwC Basis Document


1 INTRODUCTION

This guideline describes the data and calculations for each performance indicator in the United States Nuclear Regulatory Commission’s (NRC) power reactor licensee assessment process. The guideline also describes the licensee quarterly indicator reports that are to be submitted to the NRC for use in its licensee assessment process.

This guideline provides the definitions and guidance for the purposes of reporting performance indicator data. Responses to Frequently Asked Questions (FAQs) that have been approved by the Industry/NRC working group and posted on the NRC’s external website become addenda to this guideline. No other documents should be used for definitions or guidance unless specifically referenced in this document. This guideline should not be used for purposes other than collection and reporting of performance indicator data in the NRC licensee assessment process.

Background

In 1998 and 1999, the NRC conducted a series of public meetings to develop a more objective process for assessing a licensee’s regulatory and safety performance. The new process uses risk-informed insights to focus on those matters that are of safety significance. The objective is to monitor performance in three broad areas – reactor safety (avoiding accidents and reducing the consequences of accidents if they occur); radiation safety for plant workers and the public during routine operations; and protection of the plant against sabotage or other security threats.

The three broad areas are divided into seven cornerstones: Initiating Events, Mitigating Systems, Barrier Integrity, Emergency Preparedness, Public Radiation Safety, Occupational Radiation Safety and Security. Performance indicators are used to assess licensee performance in each cornerstone. The NRC uses a risk-informed baseline inspection process to supplement and complement the performance indicators. This guideline focuses on the performance indicator segment of the assessment process.

The thresholds for each performance indicator provide objective indication of the potential need to modify NRC inspection resources or to take other regulatory actions based on licensee performance. Table 1 provides a summary of the performance indicators and their associated thresholds.

The overall objectives of the process are to:

  • improve the objectivity of the oversight processes so that subjective decisions and judgment are not central process features,
  • improve the scrutability of the NRC assessment process so that NRC actions have a clear tie to licensee performance, and
  • risk-inform the regulatory assessment process so that NRC and licensee resources are focused on those aspects of performance having the greatest impact on safe plant operation.

In identifying those aspects of licensee performance that are important to the NRC’s mission, adequate protection of public health and safety, the NRC set high level performance goals for regulatory oversight. These goals are:

  • maintain a low frequency of events that could lead to a nuclear reactor accident;
  • zero significant radiation exposures resulting from civilian nuclear reactors;
  • no increase in the number of offsite releases of radioactive material from civilian nuclear reactors that exceed 10 CFR Part 20 limits; and
  • no substantiated breakdown of physical protection that significantly weakens protection against radiological sabotage, theft, or diversion of special nuclear materials.

These performance goals are represented in the new assessment framework as the strategic performance areas of Reactor Safety, Radiation Safety, and Safeguards.

Figure 1 provides a graphical representation of the licensee assessment process.

General Reporting Guidance

At quarterly intervals, each licensee will submit to the NRC the performance assessment data described in this guideline. The data is submitted electronically to the NRC by the 21st calendar day of the month following the end of the reporting quarter. If a submittal date falls on a Saturday, Sunday, or federal holiday, the next federal working day becomes the official due date (in accordance with 10 CFR 50.4). The format and examples of the data provided in each subsection show the complete data record for an indicator, and provide a chart of the indicator. These are provided for illustrative purposes only. Each licensee sends to the NRC only the data set from the previous quarter, as defined in each Data Reporting Elements subsection (see Appendix B), along with any changes to previously submitted data.

The reporting of performance indicators is a separate and distinct function from other NRC reporting requirements. Licensees will continue to submit other regulatory reports as required by regulations, such as 10 CFR 50.72 and 10 CFR 50.73.

Performance indicator reports are submitted to the NRC for each power reactor unit. Some indicators are based on station parameters. In these cases the station value is reported for each power reactor unit at the station.

Issues regarding interpretation or implementation of NEI 99-02 guidance may occur during implementation. Licensees are encouraged to resolve these issues with the Region. In those instances where the NRC staff and the Licensee are unable to reach resolution, or to address plant-specific exceptions, the issue should be escalated to appropriate industry and NRC management using the FAQ process. In the interim period until the issue is resolved, the Licensee is encouraged to maintain open communication with the NRC. Issues involving enforcement are not addressed through the FAQ process.


Guidance for Correcting Previously Submitted Performance Indicator Data

If data errors or a newly identified faulted condition are determined to have occurred in a previous reporting period, the previously submitted indicator data are amended only to the extent necessary to calculate the indicator(s) for the current reporting period correctly. This amended information is submitted using the “change report” feature provided in the INPO Consolidated Data Entry (CDE) software. The values of previous reporting periods are revised, as appropriate, when the amended data is used by the NRC to recalculate the affected performance indicator. The current report should reflect the new information, as discussed in the detailed sections of this document. In these cases, the quarterly data report should include a comment to indicate that the indicator values for past reporting periods are different than previously reported. If a Licensee Event Report (LER) was required and the number is available at the time of the report, the LER reference is noted.

If a performance indicator data reporting error is discovered, an amended “mid-quarter” report does not need to be submitted if both the previously reported and amended performance indicator values are within the same performance indicator band. In these instances, corrected data should be included in the next quarterly report along with a brief description of the reason for the change(s). If a performance indicator data error is discovered that causes a threshold to be crossed, a “mid-quarter” report should be submitted as soon as practical following discovery of the error. Probabilistic Risk Assessment (PRA) model changes are the exception to this guidance (see “Clarifying Notes” under Mitigating System Performance Index description on page 35-37 for additional details).

Comment Fields

The quarterly report allows comments to be included with performance indicator data. A general comment field is provided for comments pertinent to the quarterly submittal that are not specific to an individual performance indicator. A separate comment field is provided for each performance indicator. Comments included in the report should be brief and understandable by the general public. Comments provided as part of the quarterly report will be included along with performance indicator data as part of the NRC Public Web site on the oversight program. If multiple PI comments are received by NRC that are applicable to the same unit/PI/quarter, the NRC Public Web site will display all applicable comments for the quarter in the order received (e.g., If a comment for the current quarter is received via quarterly report and a comment for the same PI is received via a change report, then both comments will be displayed on the Web site.) For General Comments, the NRC Public Web site will display only the latest “general” comment received for the current quarter (e.g., A “general” comment received via a change report will replace any “general” comment provided via a previously submitted quarterly report.)

Comments should be generally limited to instances as directed in this guideline. These instances are summarized in Table 1 below.

Table 1 – Guidance for Submitting Comments with PI Data

Submit a Comment When… | Guidance
A threshold has been exceeded | Comment should include a brief explanation and should be repeated in subsequent quarterly reports as necessary to address the exceedance.
Revising previously submitted data | Comment should include a brief characterization of the change, should identify affected time periods and should identify whether the change affects the “color” of the indicator.
Data is unavailable for the quarterly report | For example, RCS activity may be unavailable for one or more months due to plant conditions that do not require calculation of RCS activity.
An FAQ has been submitted that could impact current or previously submitted data |
A Safety System Functional Failure (SSFF) is reported | Comment shall include the LER number
A Notice of Enforcement Discretion or Technical Specification change has been granted without which the unit would have had an unplanned power change of greater than 20-percent of full power |
There is a failure to perform regularly-scheduled tests of the Alert and Notification System (ANS) |
There is a change in the ANS test methodology |
There is a change in Mitigating System Performance Index (MSPI) coefficients | The comments automatically generated by CDE do not fulfill this requirement. The plant must generate a plant-specific comment that describes what was changed.
There is a change in the MSPI Basis Document that affects the value of an indicator |
Compensatory hours for security equipment upgrade modifications are excluded |
Engineering evaluations of a degraded condition are incomplete |

In specific circumstances, some plants, because of unique design characteristics, may typically appear in the “increased regulatory response band,” as shown in Table 2. In such cases the unique condition and the resulting impact on the specific indicator should be explained in the associated comment field. Additional guidance is provided under the appropriate indicator sections.

The quarterly data reports are submitted to the NRC under 10 CFR 50.4 requirements. The quarterly reports are to be submitted in electronic form only. Separate submittal of a paper copy is not requested. Licensees should apply standard commercial quality practices to provide assurance that the quarterly data submittals are correct, since they are subject to the requirements of 10 CFR 50.9. Licensees should plan to retain the data consistent with the historical data requirements for each performance indicator. For example, data associated with the barrier cornerstone should be retained for 12 months.

The criterion for reporting is based on the time the failure or deficiency is identified, with the exception of the Safety System Functional Failure indicator, which is based on the Report Date of the LER. In some cases the time of failure is immediately known, in other cases there may be a time-lapse while calculations are performed to determine whether a deficiency exists, and in some instances the time of occurrence is not known and has to be estimated. Additional clarification is provided in specific indicator sections.

Numerical Reporting Criteria

Final calculations are rounded up or down to the same number of significant digits as shown in Table 2. Where required, percentages are reported and noted as: 9.0%, 25%.

Submittal of Performance Indicator Data

Performance indicator data should be submitted as a delimited text file (data stream) for each unit, attached to an email addressed to Pidata.Resource@nrc.gov. The structure and format of the delimited text files is discussed in Appendix B. The email message can include report files containing PI data for the quarter (quarterly reports) for all units at a site and can also include any report file(s) providing changes to previously submitted data (change reports). The title/subject of the email should indicate the unit(s) for which data is included, the applicable quarter, and whether the attachment includes quarterly report(s) (QR), change report(s) (CR) or both. The recommended format of the email message title line is “<Plant Name(s)>-<quarter/year>-PI Data Elements (QR and/or CR)” (e.g., “Salem Units 1 and 2 – 1Q2000 – PI Data Elements (QR)”). Licensees should not submit hard copies of the PI data submittal (with the possible exception of a back-up if the email system is unavailable).

The NRC will send return emails with the licensee’s submittal attached to confirm and authenticate receipt of the proper data, generally within 2 business days. The licensee is responsible for ensuring that the submitted data is received without corruption by comparing the response file with the original file. Any problems with the data transmittal should be identified in an email to Pidata.Resource@nrc.gov within 4 business days of the original data transmittal.

Additional guidance on the collection of performance indicator data and the creation of quarterly reports and change reports is provided in the INPO CDE Job Aids available on the INPO CDE webpage.

Figure 1 - Regulatory Oversight Framework

Table 2 – PERFORMANCE INDICATORS

Thresholds are given in the last three columns (see Note 1 and Note 2 for PLE).

Cornerstone | Indicator | Increased Regulatory Response Band | Required Regulatory Response Band | Unacceptable Performance Band
Initiating Events | IE01 Unplanned Scrams per 7000 Critical Hours (automatic and manual scrams during the previous four quarters) | >3.0 | >6.0 | >25.0
Initiating Events | IE03 Unplanned Power Changes per 7000 Critical Hours (over previous four quarters) | >6.0 | N/A | N/A
Initiating Events | IE04 Unplanned Scrams with Complications (over the previous four quarters) | >1 | N/A | N/A
Mitigating Systems | MS05 Safety System Functional Failures (over previous four quarters) | BWRs: >6; PWRs: >5 | N/A | N/A
Mitigating Systems | MS06 Mitigating System Performance Index (Emergency AC Power Systems) | >1.0E-06 or PLE = YES | >1.0E-05 | >1.0E-04
Mitigating Systems | MS07 Mitigating System Performance Index (High Pressure Injection Systems) | >1.0E-06 or PLE = YES | >1.0E-05 | >1.0E-04
Mitigating Systems | MS08 Mitigating System Performance Index (Heat Removal Systems) | >1.0E-06 or PLE = YES | >1.0E-05 | >1.0E-04
Mitigating Systems | MS09 Mitigating System Performance Index (Residual Heat Removal Systems) | >1.0E-06 or PLE = YES | >1.0E-05 | >1.0E-04
Mitigating Systems | MS10 Mitigating System Performance Index (Cooling Water Systems) | >1.0E-06 or PLE = YES | >1.0E-05 | >1.0E-04
Barrier Integrity (Fuel Cladding) | BI01 Reactor Coolant System (RCS) Specific Activity (maximum monthly values, percent of Tech. Spec. limit) | >50.0% | >100.0% | N/A
Barrier Integrity (Reactor Coolant System) | BI02 RCS Identified Leak Rate (maximum monthly values, percent of Tech. Spec. limit) | >50.0% | >100.0% | N/A
Emergency Preparedness | EP01 Drill/Exercise Performance (over previous eight quarters) | <90.0% | <70.0% | N/A
Emergency Preparedness | EP02 ERO Drill Participation (percentage of Key ERO personnel that have participated in a drill or exercise in the previous eight quarters) | <80.0% | <60.0% | N/A
Emergency Preparedness | EP03 Alert and Notification System Reliability (percentage reliability during previous four quarters) | <94.0% | <90.0% | N/A
Occupational Radiation Safety | OR01 Occupational Exposure Control Effectiveness (occurrences during previous 4 quarters) | >2 | >5 | N/A
Public Radiation Safety | PR01 RETS/ODCM Radiological Effluent Occurrence (occurrences during previous four quarters) | >1 | >3 | N/A
Security | PP01 Protected Area Security Equipment Performance Index (over a four quarter period) | >0.080 | N/A | N/A

Note 1: Thresholds that are specific to a site or unit will be provided in Appendix D when identified.
Note 2: PLE = System Component Performance Limit Exceeded (see Appendix F, section F4)


2 PERFORMANCE INDICATORS

2.1 INITIATING EVENTS CORNERSTONE

The objective of this cornerstone is to limit the frequency of those events that upset plant stability and challenge critical safety functions during power operations. If not properly mitigated, and if multiple barriers are breached, a reactor accident could result which may compromise public health and safety. Licensees can reduce the likelihood of a reactor accident by maintaining a low frequency of these initiating events. Such events include reactor scrams due to turbine trips, loss of feedwater, loss of off-site power, and other significant reactor transients.

The indicators for this cornerstone are reported and calculated per reactor unit.

There are three indicators in this cornerstone:

  • Unplanned (automatic and manual) Scrams per 7,000 critical hours
  • Unplanned Power Changes per 7,000 critical hours
  • Unplanned Scrams with Complications

UNPLANNED SCRAMS PER 7,000 CRITICAL HOURS

Purpose

This indicator monitors the number of unplanned scrams. It measures the rate of scrams per year of operation at power and provides an indication of initiating event frequency.

Indicator Definition

The number of unplanned scrams during the previous four quarters, both manual and automatic, while critical per 7,000 hours.

Data Reporting Elements

The following data are reported for each reactor unit:

  • the number of unplanned automatic and manual scrams while critical in the previous quarter
  • the number of hours of critical operation in the previous quarter

Calculation

The indicator is determined using the values for the previous four quarters as follows:

Value =

Definition of Terms

Scram means the shutdown of the reactor by the rapid addition of negative reactivity by any means, e.g., insertion of control rods, boron, use of diverse scram switch, or opening reactor trip breakers.

Unplanned scram means that the scram was not an intentional part of a planned evolution or test as directed by a normal operating or test procedure. This includes scrams that occurred during the execution of procedures or evolutions in which there was a high chance of a scram occurring but the scram was neither planned nor intended.

Criticality, for the purposes of this indicator, typically exists when a licensed reactor operator declares the reactor critical. There may be instances where a transient initiates from a subcritical condition and is terminated by a scram after the reactor is critical—this condition would count as a scram.

Clarifying Notes

The value of 7,000 hours is used because it represents one year of reactor operation at about an 80% availability factor.

If there are fewer than 2,400 critical hours in the previous four quarters the indicator value is displayed as N/A because rate indicators can produce misleadingly high values when the denominator is small. The data elements (unplanned scrams and critical hours) are still reported.

Dropped rods, single rod scrams, or half scrams are not considered reactor scrams. Partial rod insertions, such as runbacks, and rod insertion by the control system at normal speed also do not count unless the resulting conditions subsequently cause a reactor scram.

Anticipatory plant shutdowns intended to reduce the impact of external events, such as tornadoes or range fires threatening offsite power transmission lines, are excluded.

Examples of the types of scrams that are included:

  • Scrams that resulted from unplanned transients, equipment failures, spurious signals, human error, or those directed by abnormal, emergency, or annunciator response procedures.
  • A scram that is initiated to avoid exceeding a technical specification action statement time limit.
  • A scram that occurs during the execution of a procedure or evolution in which there is a high likelihood of a scram occurring but the scram was neither planned nor intended.

Examples of scrams that are not included:

  • Scrams that are planned to occur as part of a test (e.g., a reactor protection system actuation test), or scrams that are part of a normal planned operation or evolution.
  • Reactor protection system actuation signals or operator actions to trip the reactor that occur while the reactor is sub-critical.
  • Scrams that are initiated at less than or equal to 35% reactor power in accordance with normal operating procedures (i.e., not an abnormal or emergency operating procedure) to complete a planned shutdown and scram signals that occur while the reactor is shut down.
  • Plant shutdown to comply with technical specification Limiting Condition for Operation (LCO), if conducted in accordance with normal shutdown procedures which include a manual scram to complete the shutdown.


Data Example

UNPLANNED POWER CHANGES PER 7,000 CRITICAL HOURS

Purpose

This indicator monitors the number of unplanned power changes (excluding scrams) that could have, under other plant conditions, challenged safety functions. It may provide leading indication of risk-significant events but is not itself risk-significant. The indicator measures the number of plant power changes for a typical year of operation at power.

Indicator Definition

The number of unplanned changes in reactor power of greater than 20% of full-power, per 7,000 hours of critical operation excluding manual and automatic scrams.

Data Reporting Elements

The following data are reported for each reactor unit:

  • the number of unplanned power changes, excluding scrams, during the previous quarter
  • the number of hours of critical operation in the previous quarter

Calculation

The indicator is determined using the values reported for the previous four quarters as follows:

Value =

Definition of Terms

Unplanned change in reactor power, for the purposes of this indicator, is a change in reactor power that (1) was initiated less than 72 hours following the discovery of an off-normal condition that required or resulted in a power change of greater than 20% of full power to resolve, and (2) has not been excluded from counting per the guidance below. Unplanned changes in reactor power also include uncontrolled excursions of greater than 20% of full power that occur in response to changes in reactor or plant conditions and are not an expected part of a planned evolution or test.

Clarifying Notes

The value of 7,000 hours is used because it represents one year of reactor operation at about an 80% availability factor.

If there are fewer than 2,400 critical hours in the previous four quarters the indicator value is displayed as “N/A” because rate indicators can produce misleadingly high values when the denominator is small. The data elements (unplanned power changes and critical hours) are still reported.

The 72-hour period between discovery of an off-normal condition and the corresponding change in power level is based on the typical time to assess the plant condition, and prepare, review, and approve the necessary work orders, procedures, and safety reviews, to effect a repair. The key element to be used in determining whether a power change should be counted as part of this indicator is the 72-hour period and not the extent of the planning that is performed between the discovery of the condition and initiation of the power change.

Given the above, it is incumbent upon licensees to provide objective evidence that identifies when the off-normal condition was discovered and when the power change of more than 20% was initiated. Such objective evidence may include logs, troubleshooting plans, meeting minutes, corrective action program documents, or similar type documentation.

Examples of occurrences that would be counted against this indicator include:

  • Power reductions that exceed 20% of full power and are not part of a planned and documented evolution or test. Such power changes may include those conducted in response to equipment failures or personnel errors or those conducted to perform maintenance.
  • Runbacks and power oscillations greater than 20% of full power. A power oscillation that results in an unplanned power decrease of greater than 20% followed by an unplanned power increase of 20% should be counted as two separate PI events, unless the power restoration is implemented using approved procedures. For example, an operator mistakenly opens a breaker causing a recirculation flow decrease and a decrease in power of greater than 20%. The operator, hearing an alarm, suspects it was caused by his action and closes the breaker resulting in a power increase of greater than 20%. Both transients would count since they were the result of two separate errors (or unplanned/non-proceduralized action).
  • Unplanned downpowers of greater than 20% of full power for ALARA reasons.
  • Power reductions due to equipment failures that are under the control of the nuclear unit are included in this indicator.

Examples of occurrences that are not counted include the following:

  • Planned power reductions (anticipated and contingency) that exceed 20% of full power and are initiated in response to an off-normal condition discovered at least 72 hours before initiation of the power change.
  • Unanticipated equipment problems that are encountered and repaired during a planned power reduction greater than 20% that alone could have required a power reduction of 20% or more to repair.
  • Apparent power changes that are determined to be caused by instrument problems.
  • If conditions arise that would normally require unit shutdown, and a Notice of Enforcement Discretion (NOED) is granted that allows continued operation before power is reduced greater than 20%, an unplanned power change is not reported because no actual change in power greater than 20% of full power occurred. However, a comment should be made that the NRC had granted an NOED during the quarter, which, if not granted, may have resulted in an unplanned power change.
  • Anticipatory power reductions intended to reduce the impact of external events such as hurricanes or range fires threatening offsite power transmission lines, and power changes requested by the system load dispatcher.
  • Power changes to make rod pattern adjustments.
  • Power changes directed by the load dispatcher under normal operating conditions due to load demand, for economic reasons, for grid stability, or for nuclear plant safety concerns.

Anticipated power changes greater than 20% in response to expected environmental problems (such as accumulation of marine debris, biological contaminants, or frazil icing) which are proceduralized but cannot be predicted greater than 72 hours in advance may not need to be counted unless they are reactive to the sudden discovery of off-normal conditions. However, unique environmental conditions which have not been previously experienced and could not have been anticipated and mitigated by procedure or plant modification, may not count, even if they are reactive. The licensee is expected to take reasonable steps to prevent intrusion of marine or other biological growth from causing power reductions. Intrusion events that can be anticipated as part of a maintenance activity or as part of a predictable cyclic behavior would normally be counted unless the down power was planned 72 hours in advance. The circumstances of each situation are different and should be identified in a FAQ if the licensee and resident inspector disagree so that a determination can be made concerning whether the power change should be counted.

Licensees should use the power indication that is used to control the plant to determine if a change of greater than 20% of full power has occurred.

If a condition is identified that is slowly degrading and the licensee prepares plans to reduce power when the condition reaches a predefined limit, and 72 hours have elapsed since the condition was first identified, the power change does not count. If however, the condition suddenly degrades beyond the predefined limits and requires rapid response, this situation would count. If the licensee has previously identified a slowly degraded off-normal condition but has not prepared plans recognizing the potential need to reduce power when the condition reaches predefined limits, then a sudden degradation of that condition requiring rapid response would constitute a new off-normal condition and therefore, a new time of discovery.

Off-normal conditions that begin with one or more power reductions and end with an unplanned reactor trip are counted in the unplanned reactor scram indicator only. However, if the cause of the downpower(s) and the scram are different, an unplanned power change and an unplanned scram must both be counted. For example, an unplanned power reduction is made to take the turbine generator off line while remaining critical to repair a component. However, when the generator is taken off line, vacuum drops rapidly due to a separate problem and a scram occurs. In this case, both an unplanned power change and an unplanned scram would be counted. If an off-normal condition occurs above 20% power, and the plant is shut down by a planned reactor trip using normal operating procedures, only an unplanned power change is counted.

In developing a plan to conduct a power reduction, additional contingency power reductions may be incorporated. These additional power reductions are not counted if they are implemented to address the initial condition.

Equipment problems encountered during a planned power reduction greater than 20% that alone may have required a power reduction of 20% or more to repair are not counted as part of this indicator if they are repaired during the planned power reduction. However, if during the implementation of a planned power reduction, power is reduced by more than 20% of full power beyond the planned reduction, then an unplanned power change has occurred.

Unplanned power changes and shutdowns include those conducted in response to equipment failures or personnel errors and those conducted to perform maintenance. They do not include automatic or manual scrams or load-follow power changes. Power changes to restore equipment to service in accordance with approved procedures are excluded.


Unplanned power changes include runbacks and power oscillations greater than 20% of full power. If the power change is implemented to restore equipment to service and is performed using an approved procedure, the power change(s) (increases or decreases) to restore the equipment to service would not count against this indicator. For example, in BWRs, a power reduction for the purpose of re-starting a recently tripped reactor recirculation pump to re-establish two-loop operation is excluded if the initial power reduction is caused by the recirculation pump trip. The second power reduction to recover the tripped recirculation pump does not count if it is implemented by an approved procedure in response to the initial condition.


For an environmental event to be excluded, any of the following may be applied:

  • If the conditions have been experienced before and they exhibit a pattern of predictability or periodicity (e.g., seasons, temperatures, weather events, animals, etc.), the station must have a monitoring procedure in place or make a permanent modification to prevent recurrence for the event to be considered for exclusion from the indicator. If monitoring identifies the condition, the licensee must have implemented a proactive procedure (or procedures) to specifically address mitigation of the condition before it results in impact to operation. This procedure cannot be a general Abnormal Operating Procedure (AOP) or Emergency Operating Procedure (EOP) addressing the symptoms or consequences of the condition (e.g., low condenser vacuum); rather, it must be a condition-specific procedure that directs actions to be taken to address the specific environmental conditions (e.g., jellyfish, gracilaria, frazil ice, etc.)
  • If the event is predictable, but the magnitude of the event becomes unique, the licensee must take appropriate actions and equipment designed to mitigate the event must be fully functional at the time of the event to receive an exclusion.
  • Environmental conditions that are unpredictable (i.e., lightning strikes) may not need to count if equipment designed to mitigate the event was fully functional at the time of the event.
  • Downpowers caused by adherence to environmental regulations, NPDES permits, or ultimate heat sink temperature limits may be excluded from the indicator.

The circumstances of each situation are different. In all cases, the NRC Region and Resident Inspectors should evaluate the circumstances of the power change, and if in disagreement with the licensee’s position, the event should be identified in an FAQ so that a decision can be made concerning whether the power change should be counted. If the event is truly unique, an FAQ should be submitted unless the NRC Region and Resident Inspectors agree with the licensee’s position.



This indicator captures changes in reactor power that are initiated following the discovery of an off-normal condition. If a condition is identified that is slowly degrading and the licensee prepares plans to reduce power when the condition reaches a predefined limit, and 72 hours have elapsed since the condition was first identified, the power change does not count. If, however, the condition suddenly degrades beyond the predefined limits and requires rapid response, this situation would count.
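The counting test and rate calculation described in this section, as an added Python example that is not part of NEI 99-02. The class and function names are hypothetical, the sample records are constructed, the exclusion guidance is reduced to an analyst-set flag, and the rate formula is read from the Indicator Definition wording (events per 7,000 critical hours) because the "Value =" expression is missing from this copy of the page. The same `indicator_value` function applies to the unplanned scram rate when `events` holds scram counts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence

NORMALIZING_HOURS = 7000.0      # one year of operation at about 80% availability
MIN_CRITICAL_HOURS = 2400.0     # fewer hours than this: value is displayed as N/A
DISCOVERY_WINDOW = timedelta(hours=72)
POWER_CHANGE_PCT = 20.0         # percent of full power


@dataclass(frozen=True)
class PowerChange:
    discovered: datetime        # discovery of the off-normal condition (from logs etc.)
    initiated: datetime         # initiation of the power change
    magnitude_pct: float        # from the power indication used to control the plant
    excluded: bool = False      # assumption: analyst's decision under the exclusion guidance


def counts_as_unplanned(change: PowerChange) -> bool:
    """Apply the two-part definition: >20% change initiated <72 h after discovery."""
    if change.initiated < change.discovered:
        raise ValueError("power change initiated before the condition was discovered")
    if change.excluded:
        return False
    if change.magnitude_pct <= POWER_CHANGE_PCT:
        return False
    # "Less than 72 hours": a change initiated at exactly 72 h is treated as planned.
    return (change.initiated - change.discovered) < DISCOVERY_WINDOW


@dataclass(frozen=True)
class QuarterReport:
    label: str
    events: int                 # unplanned power changes (or scrams) in the quarter
    critical_hours: float       # hours of critical operation in the quarter


def indicator_value(quarters: Sequence[QuarterReport]) -> Optional[float]:
    """Events per 7,000 critical hours over the latest four quarters; None means N/A."""
    if len(quarters) < 4:
        raise ValueError("four quarters of data are required")
    window = quarters[-4:]
    hours = sum(q.critical_hours for q in window)
    if hours < MIN_CRITICAL_HOURS:
        return None             # small denominator would give a misleadingly high rate
    events = sum(q.events for q in window)
    return events * NORMALIZING_HOURS / hours


# Constructed sample records for one quarter (not plant data).
T0 = datetime(2013, 1, 10, 8, 0)
SAMPLE_CHANGES = [
    PowerChange(T0, T0 + timedelta(hours=10), 35.0),                  # counts
    PowerChange(T0, T0 + timedelta(hours=100), 40.0),                 # planned: >72 h
    PowerChange(T0, T0 + timedelta(hours=72), 30.0),                  # exactly 72 h
    PowerChange(T0, T0 + timedelta(hours=5), 15.0),                   # not >20%
    PowerChange(T0, T0 + timedelta(hours=2), 50.0, excluded=True),    # e.g. load dispatcher
]

SAMPLE_QUARTERS = [
    QuarterReport("2012Q2", 0, 2100.0),
    QuarterReport("2012Q3", 1, 2000.0),
    QuarterReport("2012Q4", 0, 0.0),        # unit shut down all quarter
    QuarterReport("2013Q1", sum(counts_as_unplanned(c) for c in SAMPLE_CHANGES), 1900.0),
]

if __name__ == "__main__":
    value = indicator_value(SAMPLE_QUARTERS)
    print("N/A" if value is None else f"{value:.2f} per 7,000 critical hours")
```
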

Data Example


UNPLANNED SCRAMS WITH COMPLICATIONS (USWC)

Purpose

This indicator monitors that subset of unplanned automatic and manual scrams that either require additional operator actions beyond that of the normal scram or involve the unavailability of or inability to recover main feedwater. Such events or conditions have the potential to present additional challenges to the plant operations staff and therefore, may be more risk-significant than uncomplicated scrams.

Indicator Definition

The USwC indicator is defined as the number of unplanned scrams while critical, both manual and automatic, during the previous four quarters that require additional operator actions or involve the unavailability of or inability to recover main feedwater as defined by the applicable flowchart (Figure 2) during the scram response (see definition of scram response in the Definitions of Terms section) and the associated flowchart questions.

Data Reporting Elements

The following data are required to be reported for each reactor unit.

The number of unplanned automatic and manual scrams while critical in the previous quarter that required additional operator actions or involved the unavailability of or inability to recover main feedwater as determined by the flowchart criteria during the scram response.

Calculation

The indicator is determined using the values reported for the previous four quarters as follows:

Value = total unplanned scrams while critical in the previous four quarters that required additional operator actions or involved the unavailability of or inability to recover main feedwater as defined by the applicable flowchart and the associated flowchart questions (Figure 2) during the scram response.

Definition of Terms

Scram means the shutdown of the reactor by the rapid addition of negative reactivity by any means, e.g., insertion of control rods, boron, use of diverse scram switches, or opening reactor trip breakers.

Normal Scram means any scram that is not determined to be complicated in accordance with the guidance provided in the Unplanned Scrams with Complications indicator. A normal scram is synonymous with an uncomplicated scram.

Unplanned scram means that the scram was not an intentional part of a planned evolution or test as directed by a normal operating or test procedure. This includes scrams that occurred during the execution of procedures or evolutions in which there was a high chance of a scram occurring but the scram was neither planned nor intended.

Criticality, for the purposes of this indicator, typically exists when a licensed reactor operator declares the reactor critical. There may be instances where a transient initiates from a subcritical condition and is terminated by a scram after the reactor is critical—this condition would count as a scram.

Scram Response refers to the period of time that starts with the scram and concludes when operators have completed the scram response procedures and the plant has achieved a stabilized condition in accordance with approved plant procedures and as demonstrated by meeting the following criteria:

For a PWR:

  • Pressurizer pressure is within the normal operating pressure band.
  • Pressurizer level is within the no-load pressurizer band.
  • Level and pressure of all steam generators are within the normal operating bands.
  • RCS temperature is within the allowable RCS no-load temperature band (Tave if any RCS pump running, Tcold if no RCS pumps running).

For a BWR:

  • No emergency operating procedure (EOP) entry conditions exist related to either the primary containment or the reactor.
  • Reactor cool-down rates are less than 100 degrees F/hr.
  • Reactor water level is being maintained within the range specified by plant procedures.

Clarifying Notes

This indicator is a subset of the IE01 indicator “Unplanned Scrams” and to be considered in this indicator the scram must have counted in IE01.

PWR FLOWCHART QUESTIONS (See Figure 2)

Did two or more control rods fail to fully insert?

Did control rods that are required to move on a reactor trip fail to fully insert into the core as evidenced by the Emergency Operating Procedure (EOP) evaluation criteria? As an example, for some PWRs using rod bottom light indications, if more than one rod bottom light is not illuminated, this question must be answered "Yes." The basis of this step is to determine if additional actions are required by the operators as a result of the failure of all rods to insert. Additional actions, such as emergency boration, pose a complication beyond the normal scram response that this metric is attempting to measure. It is allowable to have one control rod not fully inserted since core protection design accounts for one control rod remaining fully withdrawn from the core on a reactor trip. This question must be evaluated using the criteria contained in the plant EOP used to verify that control rods inserted. During performance of this step of the EOP, the licensee staff would not need to apply the “Response Not Obtained” actions. Other means not specified in the EOPs are not allowed for this metric.

Did the turbine fail to trip?

Did the turbine fail to trip automatically/manually as required on the reactor trip signal? To be a successful trip, steam flow to the main turbine must have been isolated by the turbine trip logic actuated by the reactor trip signal, or by operator action from a single switch or pushbutton. The allowance of operator action to trip the turbine is based on the operation of the turbine trip logic from the operator action if directed by the EOP. Operator action to close valves or secure pumps to trip the turbine beyond use of a single turbine trip switch would count in this indicator as a failure to trip and a complication beyond the normal reactor trip response. Trips that occur prior to the turbine being placed in service or “latched” should have this question answered as “No”.

Was power lost to any ESF bus?

During a reactor trip or during the period operators are responding to a reactor trip using reactor trip response procedures, was power lost to any ESF (Emergency Safeguards Features) bus that was not restored automatically by the Emergency Alternating Current (EAC) power system and remained de-energized for greater than 10 minutes? Operator action to re-energize the ESF bus from the main control board is allowed as an acceptable action to satisfy this metric.

This question is looking for a loss of power at any time for any duration where the bus was not energized/re-energized within 10 minutes. The bus must have:

  • Remained energized until the scram response procedure was exited, or
  • Been re-energized automatically by the plant EAC power system (i.e., EDG), or
  • Been re-energized from normal or emergency sources by an operator closing a breaker from the main control board.

The question applies to all ESF busses (switchgear, load centers, motor control centers and DC busses). This does NOT apply to 120-volt power panels. It is expected that operator action to re-energize an ESF bus would not take longer than 10 minutes.

Was a Safety Injection signal received?

Was a Safety Injection signal generated either manually or automatically during the reactor trip response? The question’s purpose is to determine if the operator had to respond to an abnormal condition that required a safety injection or respond to the actuation of additional equipment that would not normally actuate on an uncomplicated scram. This question would include any condition that challenged Reactor Coolant System (RCS) inventory, pressure, or temperature severely enough to require a safety injection. A severe steam generator tube leak that would require a manual reactor trip because it was beyond the capacity of the normal at power running charging system should be counted even if a safety injection was not used since additional charging pumps would be required to be started.

Was Main Feedwater unavailable or not recoverable using approved plant procedures during the scram response?

If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be restarted during the reactor scram response? The consideration for this question is whether Main Feedwater could be used to feed the steam generators if necessary. The qualifier of “not recoverable using approved plant procedures” will allow a licensee to answer “No” to this question if there is no physical equipment restraint to prevent the operations staff from starting the necessary equipment, aligning the required systems, or satisfying required logic using plant procedures approved for use and in place prior to the reactor scram occurring.

The operations staff must be able to start and operate the required equipment using normal alignments and approved emergency, normal and off-normal operating procedures to provide the required flow to the minimum number of steam generators required by the EOPs. Manual operation of controllers/equipment, even if normally automatic, is allowed if addressed by procedure. Situations that require maintenance or repair activities or non-proceduralized operating alignments require an answer of “Yes.” Additionally, the restoration of Feedwater must be capable of feeding the Steam Generators in a reasonable period of time. Operations should be able to start a Main Feedwater pump and start feeding Steam Generators with the Main Feedwater System within about 30 minutes from the time it was recognized that Main Feedwater was needed. During startup conditions where Main Feedwater was not placed in service prior to the scram this question would not be considered and should be skipped. For plants with design features or procedural prohibitions that prevent restarting Main Feedwater, this question should be answered as “No” if Main Feedwater is free from damage or failure that would prevent it from performing its intended function and is available for use.

Was the scram response procedure unable to be completed without entering another EOP?

The response to the scram must be completed without transitioning to an additional EOP after entering the scram response procedure (e.g., ES01 for Westinghouse). This step is used to determine if the scram was uncomplicated by counting if additional procedures beyond the normal scram response required entry after the scram. A plant exiting the normal scram response procedure without using another EOP would answer this step as “No”. The discretionary use of the lowest level Function Restoration Guideline (Yellow Path) by the operations staff is an approved exception to this requirement. Use of the Re-diagnosis Procedure by Operations is acceptable unless a transition to another EOP is required.

BWR FLOWCHART QUESTIONS (See Figure 2)

Did an RPS actuation fail to indicate / establish a shutdown rod pattern for a cold clean core?

Withdrawn control rods are required to be inserted to ensure the reactor will remain shutdown under all conditions without boron to ensure the reactor will have the required shutdown margin in a cold, xenon-free state.

Any initial evaluation that calls into question the shutdown condition of the reactor requires this question to be answered “Yes.” The required entry into the Anticipated Transient without Scram (ATWS) leg of the EOP or required use of Alternate Rod Insertion (ARI) requires this question to be answered “Yes.” Failure of the rod position indication in conjunction with the loss of full-in-lights on enough rods to question the cold clean core shutdown status would require this question to be answered “Yes.”

The basis of this step is to determine if additional actions are required by the operators to ensure the plant remains shutdown as a result of the failure of any withdrawn rods to insert (or indicate inserted). Additional actions, such as boron injection, or other actions to insert control rods to maintain shutdown, pose a complication beyond a normal scram response. This question must be evaluated using the criteria contained in the plant EOP used to verify the insertion of withdrawn control rods.

Was pressure control unable to be established following the initial transient?

To be successful, reactor pressure must be controlled following the initial transient without the use of Safety Relief Valves (SRVs). Automatic cycling of the SRV(s) that may have occurred as a result of the initial transient would result in a “No” response, but automatic cycling of the SRV(s) subsequent to the initial transient would result in a “Yes” response. Additionally, the SRV(s) cannot fail open. The failure of the pressure control system (i.e., turbine valves / turbine bypass valves / HPCI / RCIC/isolation condenser) to maintain the reactor pressure or a failed open SRV(s) counts in this indicator as a complication beyond the normal reactor trip response and would result in a “Yes” response.

Was power lost to any Class 1E Emergency / ESF bus?

During a reactor trip or during the period operators are responding to a reactor trip using reactor trip response procedures, was power lost to any ESF bus that was not restored automatically by the Emergency Alternating Current (EAC) power system and remained de-energized for greater than 10 minutes? Operator action to re-energize the ESF bus from the main control board is allowed as an acceptable action to result in a “No” response. The focus of this question is a loss of power for any duration where the bus was not energized/re-energized within 10 minutes. The bus must have:

  • Remained energized until the scram response procedure was exited, or
  • Been re-energized automatically by the plant EAC power system (i.e., EDG), or
  • Been re-energized from normal or emergency sources by an operator closing a breaker or switch from the main control board.

The question applies to all ESF busses (switchgear, load centers, motor control centers and DC busses). This does NOT apply to 120-volt power panels. It is expected that operator action to re-energize an ESF bus would not take longer than 10 minutes.

Was a Level 1 Injection signal received?

Was a Level 1 Injection signal generated either manually or automatically during the reactor scram response? The consideration here is whether or not the operator had to respond to abnormal conditions that required a low pressure safety injection or the actuation of additional equipment that would not normally actuate on an uncomplicated scram. This question would include any condition that challenged RCS inventory, or drywell pressure severely enough to require a safety injection. Alternately, plants that do not have a high pressure Emergency Core Cooling System (ECCS) level signal that is different from the low pressure ECCS level signal would ask, “Was low pressure injection required?”

Was Main Feedwater not available or not recoverable using approved plant procedures during the scram response?

If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be restarted during the reactor scram response? The consideration for this question is whether Main Feedwater could be used to feed the reactor vessel if necessary. The qualifier of “not recoverable using approved plant procedures” will allow a licensee to answer “NO” to this question if there is no physical equipment restraint to prevent the operations staff from starting the necessary equipment, aligning the required systems, or satisfying required logic circuitry using plant procedures approved for use that were in place prior to the scram occurring.

The operations staff must be able to start and operate the required equipment using normal alignments and approved emergency, normal and off-normal operating procedures. Manual operation of controllers/equipment, even if normally automatic, is allowed if addressed by procedure. Situations that require maintenance or repair activities or non-proceduralized operating alignments will not satisfy this question. Additionally, Main Feedwater must be capable of being restored to provide feedwater to the reactor vessel in a reasonable period of time. Operations should be able to start a Main Feedwater pump and start feeding the reactor vessel with the Main Feedwater System within about 30 minutes from the time it was recognized that Main Feedwater was needed. During startup conditions where Main Feedwater was not placed in service prior to the scram, this question would not be considered, and should be skipped.

Following initial transient, did stabilization of reactor pressure/level and drywell pressure meet the entry conditions for EOPs?

This step is used to determine if the scram was uncomplicated and did not require using other procedures beyond the normal scram response. Following the initial transient, maintaining reactor and drywell pressures below the Emergency Procedure entry values while ensuring reactor water level is above the Emergency Procedure entry values allows answering “No.” The requirement to remain in the EOPs because of reactor pressure/water level and drywell pressure following the initial transient indicates complications beyond the typical reactor scram. Additionally, reactor water level scram signal(s) during the scram response indicate level could not be stabilized and require this question be answered “Yes”.

Data Examples


IE04 Unplanned Scrams with Complications – Flowchart Figure 2

2.2 MITIGATING SYSTEMS CORNERSTONE

The objective of this cornerstone is to monitor the availability, reliability, and capability of systems that mitigate the effects of initiating events to prevent core damage. Licensees reduce the likelihood of reactor accidents by maintaining the availability and reliability of mitigating systems. Mitigating systems include those systems associated with safety injection, decay heat removal, and their support systems, such as emergency AC power. This cornerstone includes mitigating systems that respond to both operating and shutdown events.

The definitions and guidance contained in this section, while similar to guidance developed in support of INPO/WANO indicators and the Maintenance Rule, are unique to the Reactor Oversight Process (ROP). Differences in definitions and guidance in most instances are deliberate and are necessary to meet the unique requirements of the ROP.

While safety systems are generally thought of as those that are designed to mitigate design basis accidents, not all mitigating systems have the same risk importance. PRAs have shown that risk is often influenced not only by front-line mitigating systems, but also by support systems and equipment. Such systems and equipment, both safety- and non-safety related, have been considered in selecting the performance indicators for this cornerstone. Not all aspects of licensee performance can be monitored by performance indicators, and risk-informed baseline inspections are used to supplement these indicators.


SAFETY SYSTEM FUNCTIONAL FAILURES

Purpose This indicator monitors events or conditions that prevented, or could have prevented, the fulfillment of the safety function of structures or systems that are needed to:

(a) Shut down the reactor and maintain it in a safe shutdown condition; (b) Remove residual heat; (c) Control the release of radioactive material; or (d) Mitigate the consequences of an accident.

Indicator Definition The number of events or conditions that prevented, or could have prevented, the fulfillment of the safety function of structures or systems in the previous four quarters.

Data Reporting Elements The following data is reported for each reactor unit:

  • the number of safety system functional failures reported during the previous quarter

Calculation Unit value = number of safety system functional failures in previous four quarters

Definition of Terms A Safety System Functional Failure (SSFF) is any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to:

(A) Shut down the reactor and maintain it in a safe shutdown condition; (B) Remove residual heat; (C) Control the release of radioactive material; or (D) Mitigate the consequences of an accident.

The indicator includes a wide variety of events or conditions, ranging from actual failures on demand to potential failures attributable to various causes, including environmental qualification, seismic qualification, human error, design or installation errors, etc. Many SSFFs do not involve actual failures of equipment.

Because the contribution to risk of the structures and systems included in the SSFF varies considerably, and because potential as well as actual failures are included, it is not possible to assign a risk-significance to this indicator. It is intended to be used as a possible precursor to more important equipment problems, until an indicator of safety system performance more directly related to risk can be developed.

Clarifying Notes The definition of SSFFs is identical to the wording of the current revision to 10 CFR 50.73(a)(2)(v). Because of overlap among various reporting requirements in 10 CFR 50.73, some events or conditions that result in safety system functional failures may be properly reported in accordance with other paragraphs of 10 CFR 50.73, particularly paragraphs (a)(2)(i), (a)(2)(ii), and (a)(2)(vii). An event or condition that meets the requirements for reporting under another paragraph of 10 CFR 50.73 should be evaluated to determine if it also prevented the fulfillment of a safety function. Should this be the case, the requirements of paragraph (a)(2)(v) are also met and the event or condition should be included in the quarterly performance indicator report as an SSFF. The level of judgment for reporting an event or condition under paragraph (a)(2)(v) as an SSFF is a reasonable expectation of preventing the fulfillment of a safety function.

In the past, LERs may not have explicitly identified whether an event or condition was reportable under 10 CFR 50.73(a)(2)(v) (i.e., all pertinent boxes may not have been checked). It is important to ensure that the applicability of 10 CFR 50.73(a)(2)(v) has been explicitly considered for each LER considered for this performance indicator.

NUREG-1022: Unless otherwise specified in this guideline, guidance contained in the latest revision to NUREG-1022, “Event Report Guidelines, 10CFR 50.72 and 50.73,” that is applicable to reporting under 10 CFR 50.73(a)(2)(v), should be used to assess reportability for this performance indicator. Questions regarding interpretation of NUREG-1022 should not be referred to the FAQ process. They must be addressed to the appropriate NRC branch responsible for NUREG-1022.

Planned Evolution for maintenance or surveillance testing: NUREG-1022, Revision 2, page 56 states, “The following types of events or conditions generally are not reportable under these criteria:…Removal of a system or part of a system from service as part of a planned evolution for maintenance or surveillance testing…”

“Planned” means the activity is undertaken voluntarily, at the licensee’s discretion, and is not required to restore operability or for continued plant operation.

A single event or condition that affects several systems: counts as only one failure.

Multiple occurrences of a system failure: the number of failures to be counted depends upon whether the system was declared operable between occurrences. If the licensee knew that the problem existed, tried to correct it, and considered the system to be operable, but the system was subsequently found to have been inoperable the entire time, multiple failures will be counted whether or not they are reported in the same LER. But if the licensee knew that a potential problem existed and declared the system inoperable, subsequent failures of the system for the same problem would not be counted as long as the system was not declared operable in the interim. Similarly, in situations where the licensee did not realize that a problem existed (and thus could not have intentionally declared the system inoperable or corrected the problem), only one failure is counted.

Additional failures: a failure leading to an evaluation in which additional failures are found is only counted as one failure; new problems found during the evaluation are not counted, even if the causes or failure modes are different. The intent is to not count additional events when problems are discovered while resolving the original problem.

Engineering analyses: events in which the licensee declared a system inoperable but an engineering analysis later determined that the system was capable of performing its safety function are not counted, even if the system was removed from service to perform the analysis.

Reporting date: the date of the SSFF is the Report Date of the LER. If the LER is revised to reflect the occurrence of an SSFF, the date of the SSFF is the Report Date of the revised LER. The LER number should be entered in the comment field when an SSFF is reported.

Data Examples


MITIGATING SYSTEM PERFORMANCE INDEX

Purpose The purpose of the Mitigating System Performance Index is to monitor the performance of selected systems based on their ability to perform risk-significant functions as defined herein. It is comprised of three elements - system unavailability, system unreliability and system component performance limits. The index is used to determine the cumulative significance of failures and unavailability over the monitored time period.

Indicator Definition Mitigating System Performance Index (MSPI) is the sum of changes in a simplified core damage frequency evaluation resulting from differences in unavailability and unreliability relative to industry standard baseline values. The MSPI is supplemented with system component performance limits. Unavailability is the ratio of the hours the train/system was unavailable to perform its monitored functions (as defined by the train/system boundaries, PRA success criteria and mission times) due to planned and unplanned maintenance or test during the previous 12 quarters while critical to the number of critical hours during the previous 12 quarters. (Fault exposure hours are not included; unavailable hours are counted only from the time of discovery of a failed condition to the time the train’s monitored functions are recovered.) Time of discovery of a failed monitored component is when the licensee determines that a failure has occurred or when an evaluation determines that the train would not have been able to perform its monitored function(s). In any case where a monitored component has been declared inoperable due to a degraded condition, if the component is considered available, there must be a documented basis for that determination, otherwise a failure will be assumed and unplanned unavailability would accrue. If the component is degraded but considered operable, timeliness of completing additional evaluations would be addressed through the inspection process.

Unreliability is the probability that the train/system would not perform its monitored functions, as defined by PRA success criteria, for a 24 hour run, when called upon during the previous 12 quarters. Baseline values are the values for unavailability and unreliability against which current plant unavailability and unreliability are measured. Component performance limit is a measure of degraded performance that indicates when the performance of a monitored component in an MSPI system is significantly lower than expected industry performance.

The MSPI is calculated separately for each of the following five systems for each reactor type.

BWRs

  • emergency AC power system
  • high pressure injection system (high pressure coolant injection, high pressure core spray, or feedwater coolant injection)
  • reactor core isolation cooling (or isolation condenser)
  • residual heat removal system (or the equivalent function as described in the Additional Guidance for Specific Systems section of Appendix F)
  • cooling water support system (includes direct cooling functions provided by service water and component cooling water or their cooling water equivalents for the above four monitored systems)

PWRs

  • emergency AC power system
  • high pressure safety injection system
  • auxiliary feedwater system
  • residual heat removal system (or the equivalent function as described in the Additional Guidance for Specific Systems section of Appendix F)
  • cooling water support system (includes direct cooling functions provided by service water and component cooling water or their cooling water equivalents for the above four monitored systems)

Data Reporting Elements The following data elements are reported for each train/system:

  • Unavailability Index (UAI) due to unavailability for each monitored system
  • Unreliability Index (URI) due to unreliability for each monitored system
  • Systems that have exceeded their component performance limits

Calculation

The MSPI for each system is the sum of the UAI due to unavailability for the system plus URI due to unreliability for the system during the previous twelve quarters.

MSPI = UAI + URI

Component performance limits for each system are calculated as a maximum number of allowed failures (Fm) from the plant specific number of system demands and run hours. Actual numbers of equipment failures (Fa) are compared to these limits. When the actual number of failures exceeds the component performance limit (i.e., Fa > Fm), this is designated as “Performance Limit Exceeded” or PLE = “yes”. This part of the indicator only applies to the green-white threshold. See Appendix F for the calculation methodology for UAI due to system unavailability, URI due to system unreliability and system component performance limits. The decision rules for assigning a performance color to a system are:

THEN performance is GREEN
THEN performance is WHITE
THEN performance is YELLOW
THEN performance is RED

Plant-specific PRA

The MSPI calculation uses coefficients that are developed from plant-specific PRAs. The PRA used to develop these coefficients should reasonably reflect the as-built, as-operated configuration of each plant.

Specific requirements appropriate for this PRA application are defined in Appendix G. Any questions related to the interpretation of these requirements, the use of alternate methods to meet the requirements or the conformance of a plant-specific PRA to these requirements will be arbitrated by an Industry/NRC expert panel. If the panel determines that a plant-specific PRA does not meet the requirements of Appendix G such that the MSPI would be adversely affected, an appropriate remedy will be determined by the licensee and approved by the panel. The decisions of this panel will be binding.

Definition of Terms

Risk Significant Functions: those at-power functions described in the Appendix F section “Additional Guidance for Specific Systems,” that were determined to be risk-significant in accordance with NUMARC 93-01, or NRC-approved equivalents (e.g., the STP exemption request). The risk-significant system functions described in Appendix F, “Additional Guidance for Specific Systems,” should be modeled in the plant’s PRA/PSA. System and equipment performance requirements for performing the risk-significant functions are determined from the PRA success criteria, mission times, and boundaries for the system.

Mission Time: The mission time modeled in the PRA for satisfying the function of reaching a stable plant condition where normal shutdown cooling is sufficient. Note that PRA models typically use a mission time of 24 hours. However, shorter intervals, as justified by analyses and modeled in the PRA, may be used.

Success criteria: The plant-specific values of parameters the train/system is required to achieve to perform its monitored functions. Success criteria to be used are those documented in the plant-specific PRA. Design Basis success criteria should be used in the case where the plant-specific PRA has not documented alternative success criteria for use in the PRA.

Individual component capability must be evaluated against train/system level success criteria (e.g., a valve stroke time may exceed an ASME requirement, but if the valve still strokes in time to meet the PRA success criteria for the train/system, the component has not failed for the purposes of this indicator.).

Clarifying Notes

Documentation and Changes

Each licensee will have the system boundaries, monitored components, and monitored functions and success criteria which differ from design basis readily available for NRC inspection on site. Design basis criteria do not need to be separately documented. Additionally, plant-specific information used in Appendix F should also be readily available for inspection. An acceptable format, listing the minimum required information, is provided in Appendix G. As stated in the Introduction section of NEI 99-02, plant-specific comments should be provided in the data submittal when either the MSPI basis document or an MSPI coefficient is changed. Changes to the site PRA of record, the site basis document, and the CDE database should be made in accordance with the following:

PRA Model Revisions: Updates to the MSPI coefficients (which are directly obtained from the plant-specific PRA) will be made in the quarter following approval of an update to the plant-specific PRA of record. Thus, the MSPI coefficients in use at the beginning of a quarter will remain in effect for the remainder of that quarter. In addition, changes to the CDE database and MSPI basis document that are necessary to reflect changes to the plant-specific PRA of record should be incorporated prior to the next quarter’s data submittal. For example, if a plant’s PRA model of record is approved on September 29 (third quarter), MSPI coefficients based on that model of record should be used for the fourth quarter. Updates to the MSPI basis document and the CDE database should be made prior to reporting the fourth quarter’s data (i.e., completed by January 21).
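The timing rule in the PRA Model Revisions paragraph can be checked mechanically when auditing which coefficient set a quarterly submittal should have used. The Python sketch below is an added example, not part of NEI 99-02 or the CDE software; the function names, the revision labels and the year 2012 are assumptions chosen to reproduce the September 29 example.

```python
from datetime import date


def quarter_of(d):
    """Return (year, quarter) for a calendar date."""
    return d.year, (d.month - 1) // 3 + 1


def next_quarter(year, quarter):
    """Return the (year, quarter) that follows the given one."""
    return (year + 1, 1) if quarter == 4 else (year, quarter + 1)


def quarter_start(year, quarter):
    """First calendar day of a quarter."""
    return date(year, 3 * (quarter - 1) + 1, 1)


def first_effective_quarter(approval):
    """Coefficients from a PRA update are used starting the quarter
    after the quarter in which the update was approved."""
    return next_quarter(*quarter_of(approval))


def documentation_deadline(approval):
    """Basis document and CDE updates are due before the first effective
    quarter's data is reported: the 21st day of the month after that
    quarter ends."""
    eff_year, eff_quarter = first_effective_quarter(approval)
    following = quarter_start(*next_quarter(eff_year, eff_quarter))
    return date(following.year, following.month, 21)


def revision_in_effect(approvals, year, quarter):
    """Return the revision whose coefficients apply to a whole quarter.

    approvals maps a revision label to its approval date. Coefficients in
    use at the beginning of a quarter stay in effect for that quarter, so
    only revisions approved before the quarter began are eligible, and
    the most recently approved of those wins. Returns None if no
    revision had been approved yet.
    """
    start = quarter_start(year, quarter)
    eligible = [(d, rev) for rev, d in approvals.items() if d < start]
    return max(eligible)[1] if eligible else None


# Constructed sample history (labels and years are hypothetical).
APPROVALS = {
    "Rev 5": date(2011, 2, 10),
    "Rev 6": date(2012, 9, 29),   # the page's September 29 example
    "Rev 7": date(2013, 10, 1),   # approved on the first day of a quarter
}

if __name__ == "__main__":
    for rev, approved in APPROVALS.items():
        y, q = first_effective_quarter(approved)
        print(rev, "approved", approved, "-> first used", f"{y} Q{q},",
              "documents due", documentation_deadline(approved))
    for y, q in [(2012, 3), (2012, 4), (2013, 4), (2014, 1)]:
        print(f"{y} Q{q}:", revision_in_effect(APPROVALS, y, q))
```

An approval dated on the first day of a quarter (Rev 7 above) does not change that quarter's coefficients, because a different set was already in use when the quarter began.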

Changes to non-PRA information: Updates to information that is not directly obtained from the PRA (e.g., unavailability baseline data, estimated demands/run hours) can affect both the MSPI basis document and the MSPI inputs into the CDE database. Changes to the MSPI basis document and MSPI inputs into the CDE database that are needed to reflect changes to non-PRA information will be made prior to the next quarterly data submittal. This does not imply that any change to estimated demands/run hours is required to be reflected in the MSPI basis document or CDE (See Appendix F, Section F.2.2.1 for requirements on when MSPI basis document and CDE changes are required for estimated demands/run hours). The quarterly data submittal should include a comment that provides a summary of any changes to the MSPI basis document and inputs to the CDE database. The comments automatically generated by CDE when PRA coefficients are changed do not fulfill this requirement. For example, changes to the planned unavailability baseline that do not require a change to the PRA model must be documented in an MSPI basis document revision in the quarter prior to the revised values being used as inputs into the CDE database. This means completed by the 21st day of the month after the end of the quarter.

Plant Modifications: Any changes to the plant should be evaluated for their impact on the MSPI basis document, MSPI inputs into the CDE database, and the PRA of record. Plant modifications have the potential to involve both changes to the PRA model and non-PRA information, while some modifications may be limited to either the PRA model or non-PRA information. Modifications to the plant design that result in a change to segment or train boundaries, monitored components, or affect monitored functions or success criteria, shall be reflected in the MSPI basis document the quarter following the completed implementation (i.e., completed by the 21st day of the month after the end of the quarter). Additionally, if modifications are made to sub-components within the boundary of a monitored component (such as the replacement of an emergency AC voltage regulator with a different type) and that sub-component is described in the basis document, the basis document should be updated to reflect the sub-component modification the quarter following the completed implementation (i.e., completed by the 21st day of the month after the end of the quarter).

If the plant modification has the potential to impact the PRA model in a manner that affects MSPI results, the modification shall be evaluated to determine if it results in a factor of three change in the corrected Birnbaum value of an MSPI monitored train or component. If the new Birnbaum value is greater than 1E-6, the MSPI basis document shall be updated to reflect the new Birnbaum values the quarter following the completed implementation (i.e., completed by the 21st day of the month after the end of the quarter). Note that the use of supplemental evaluations to estimate the revised MSPI inputs for pending PRA model changes is allowed as an interim alternative until the PRA model of record is updated.

Example CDE Comments: Following a periodic update to a PRA model, the following CDE comment would be appropriate: The XYZ PRA Model Revision 6 was approved on 7/6/10 with a corresponding MSPI Basis Document Revision 3 approved on 12/21/10. The PRA model revision was a periodic update to the model which included a data update, incorporation of an Auxiliary Feedwater Crosstie between Units and a change in Human Error Probabilities using the EPRI HRA calculator. As a result of the PRA model change, the CDF, Fussell-Vesely and Basic Event Probabilities for all monitored trains and components were revised.

Following a change to baseline unavailability, the following CDE comments would be appropriate:

Scenario 1: Change Results in Negligible (≤1E-8) Increase in Train Birnbaum

The planned unavailability baseline for the Residual Heat Removal system was increased by 30 hours per three years as a result of a new preventive maintenance task. The increase in planned unavailability baseline was evaluated in the MSPI basis document Revision 3, dated 3/23/11, and determined to result in a negligible increase in Train Birnbaum values. Therefore, the revised values were incorporated into CDE effective the second quarter 2011.

Scenario 2: Change Results in Significant (>1E-8) Increase in Train Birnbaum Values

The planned unavailability baseline for the Residual Heat Removal system was increased by 30 hours per three years as a result of a new preventive maintenance task. The increase in planned unavailability baseline was evaluated in the MSPI basis document Revision 3, dated 3/23/11, concluding that a revision to the PRA model was required prior to implementing the change. PRA model Revision 4 to reflect this change in planned unavailability was approved on 2/15/11. The revised values were incorporated into CDE effective the second quarter 2011.

Following a design change that has a significant impact (≥ factor of three increase) on Birnbaum values, the following CDE comment would be appropriate:

A modification was completed on 1/15/11 that removed a monitored MOV in the Residual Heat Removal system. The MSPI basis document Revision 2 was approved on 3/12/11 to account for this impact. As removal of the MOV had a negligible impact on the overall CDF, the PRA model was not updated to reflect this change. The MSPI Basis Document Revision includes an evaluation of the impact on MSPI inputs which will be used until the next revision of the PRA model is completed.

Monitored Systems

Systems have been generically selected for this indicator based on their importance in preventing reactor core damage. The systems include the principal systems needed for maintaining reactor coolant inventory following a loss of coolant accident, for decay heat removal following a reactor trip or loss of main feedwater, and for providing emergency AC power following a loss of plant off-site power. One support function (cooling water support system) is also monitored. The cooling water support system monitors the cooling functions provided by service water and component cooling water, or their direct cooling water equivalents, for the four front-line monitored systems. Other support systems (e.g., HVAC room coolers, DC power, instrument air, etc.) will not be cascaded onto the monitored systems’ unavailability or reliability data. For the purposes of MSPI, a failure or unavailability of a support system component that is outside the system and train boundary of a monitored system will not result in unavailability of a monitored train or failure of a monitored component.

Diverse Systems

Except as specifically stated in the indicator definition and reporting guidance, no credit is given for the achievement of a monitored function by an unmonitored system in determining unavailability or unreliability of the monitored systems.

Use of Plant-Specific PRA and SPAR Models

The MSPI is an approximation using information from a plant’s PRA and is intended as an indicator of system performance. More accurate calculations using plant-specific PRAs or SPAR models cannot be used to question the outcome of the PIs computed in accordance with this guideline.

Data Examples

2.3 BARRIER INTEGRITY CORNERSTONE

The purpose of this cornerstone is to provide reasonable assurance that the physical design barriers (fuel cladding, reactor coolant system, and containment) protect the public from radionuclide releases caused by accidents or events. These barriers are an important element in meeting the NRC mission of assuring adequate protection of public health and safety. The performance indicators assist in monitoring the functionality of the fuel cladding and the reactor coolant system. There is currently no performance indicator for the containment barrier. The performance of this barrier is assured through the inspection program.

There are two performance indicators for this cornerstone:

  • Reactor Coolant System (RCS) Specific Activity
  • RCS Identified Leak Rate

REACTOR COOLANT SYSTEM (RCS) SPECIFIC ACTIVITY

Purpose This indicator monitors the integrity of the fuel cladding, the first of the three barriers to prevent the release of fission products. It measures the radioactivity in the RCS as an indication of functionality of the cladding.

Indicator Definition The maximum monthly RCS activity in micro-Curies per gram (µCi/gm) dose equivalent Iodine-131 per the technical specifications, and expressed as a percentage of the technical specification limit. Those plants whose technical specifications are based on micro-Curies per gram (µCi/gm) total Iodine should use that measurement.

Data Reporting Elements The following data are reported for each reactor unit:

  • Maximum calculated RCS activity for each unit, in micro-Curies per gram dose equivalent Iodine-131, as required by technical specifications at steady state power, for each month during the previous quarter (three values are reported).
  • Technical Specification limit


Calculation The indicator is calculated as follows:

Unit value =

Definitions of Terms (Blank)

Clarifying Notes This indicator is recorded monthly and reported quarterly.

The indicator is calculated using the same methodology, assumptions and conditions as for the Technical Specification calculation. If more than one method can be used to meet Technical Specifications, use the results of the method that was used at the time to satisfy the Technical Specifications.

Unless otherwise defined by the licensee, steady state is defined as continuous operation for at least three days at a power level that does not vary more than ±5 percent.

This indicator monitors the steady state integrity of the fuel-cladding barrier at power. Transient spikes in RCS Specific Activity following power changes, shutdowns and scrams may not provide a reliable indication of cladding integrity and should not be included in the monthly maximum for this indicator.

Samples taken using technical specification methodology, when shutdown, are not reported. However, samples taken using the technical specification methodology at steady state power more frequently than required are to be reported. If in the entire month, plant conditions do not require RCS activity to be calculated, the data field is left blank for that month and the status “Final – N/A” is selected.

Licensees should use the most restrictive regulatory limit (e.g., technical specifications (TS) or license condition). However, if the most restrictive regulatory limit is insufficient to assure plant safety, then NRC Administrative Letter 98-10 applies, which states that imposition of administrative controls is an acceptable short-term corrective action. When an administrative control is in place as a temporary measure to ensure that TS limits are met and to ensure public health and safety (i.e., to ensure 10 CFR Part 100 dose limits are not exceeded), that administrative limit should be used for this PI.



Data Examples


REACTOR COOLANT SYSTEM LEAKAGE

Purpose This indicator monitors the integrity of the RCS pressure boundary, the second of the three barriers to prevent the release of fission products. It measures RCS Identified Leakage as a percentage of the technical specification allowable Identified Leakage to provide an indication of RCS integrity.

Indicator Definition The maximum RCS Identified Leakage in gallons per minute each month per the technical specifications and expressed as a percentage of the technical specification limit.

Data Reporting Elements The following data are required to be reported each quarter:

  • The maximum RCS Identified Leakage calculation for each month of the previous quarter (three values).
  • Technical Specification limit

Calculation The unit value for this indicator is calculated as follows:

Unit value =

Definition of Terms RCS Identified Leakage as defined in Technical Specifications.

Clarifying Notes This indicator is recorded monthly and reported quarterly.

Normal steam generator tube leakage is included in the unit value calculation if required by the plant’s Technical Specification definition of RCS identified leakage.

For those plants that do not have a Technical Specification limit on Identified Leakage, substitute RCS Total Leakage in the Data Reporting Elements.

Any RCS leakage determination made in accordance with plant Technical Specifications methodology is included in the performance indicator calculation. If in the entire month, plant conditions do not require RCS leakage to be calculated, the data field is left blank for that month and the status “Final – N/A” is selected.

If the source and collection point of the leakage were unknown during the time period of the leak, and the actual collection point was not a monitored tank or sump per the RCS Leakage Calculation Procedure, then, for the purposes of this indicator, the leakage is not considered RCS identified leakage and is not to be included in PI data. RCS leakage not captured under this indicator may be evaluated in the inspection program.

Data Examples


2.4 EMERGENCY PREPAREDNESS CORNERSTONE

The objective of this cornerstone is to ensure that the licensee is capable of implementing adequate measures to protect the public health and safety during a radiological emergency. Licensees maintain this capability through Emergency Response Organization (ERO) participation in drills, exercises, actual events, training, and subsequent problem identification and resolution. The Emergency Preparedness performance indicators provide a quantitative indication of the licensee’s ability to implement adequate measures to protect the public health and safety. These performance indicators create a licensee response band that allows NRC oversight of Emergency Preparedness programs through a baseline inspection program. These performance indicators measure onsite Emergency Preparedness programs. Offsite programs are evaluated by FEMA.

The protection of public health and safety is assured by a defense in depth philosophy that relies on: safe reactor design and operation, the operation of mitigation features and systems, a multi-layered barrier system to prevent fission product release, and emergency preparedness.

The Emergency Preparedness cornerstone performance indicators are:

  • Drill/Exercise performance (DEP),
  • Emergency Response Organization Drill Participation (ERO),
  • Alert and Notification System Reliability (ANS)

DRILL/EXERCISE PERFORMANCE

Purpose This indicator monitors timely and accurate licensee performance in drills and exercises when presented with opportunities for classification of emergencies, notification of offsite authorities, and development of protective action recommendations (PARs). It is the ratio, in percent, of timely and accurate performance of those actions to total opportunities.

The notification timeliness criterion for this PI is met when the licensee makes contact with the first responsible State or local governmental agency within 15 minutes. This success criterion normalizes the notification capabilities of licensees, regardless of the number of site specific offsite notification requirements. As such, NRC and licensees can assess a site’s specific capability to a common industry baseline to identify the possible need for additional inspection resources. Further, the notification performance enhancement opportunity provides the NRC assurance that a licensee is conducting the notification process in its entirety and evaluating compliance with the regulatory offsite notification requirement of Appendix E.IV.D.3 to 10 CFR Part 50.


Indicator Definition

The percentage of all drill, exercise, and actual opportunities that were performed timely and accurately by Key Positions, as defined in the ERO Drill Participation performance indicator, during the previous eight quarters.

Data Reporting Elements The following data are required to calculate this indicator:

  • The number of drill, exercise, and actual event opportunities during the previous quarter.
  • The number of drill, exercise, and actual event opportunities performed timely and accurately during the previous quarter.

The indicator is calculated and reported quarterly. (See clarifying notes)

Calculation The site average values for this indicator are calculated as follows:


  • DE & AEs = Drills, Exercises, and Actual Events

Definition of Terms Opportunities should include multiple events during a single drill or exercise (if supported by the scenario) or actual event, as follows:

  • each expected classification or upgrade in classification
  • each initial notification of an emergency class declaration
  • each initial notification of PARs or change to PARs
  • each PAR developed

Timely means:

  • classifications are made consistent with the goal of 15 minutes once available plant parameters reach an Emergency Action Level (EAL)
  • PARs are made consistent with the goal of 15 minutes once data is available.
  • offsite notifications are initiated within 15 minutes of event classification and/or PAR development (see clarifying notes)

Accurate means:

  • Classification and PAR appropriate to the event as specified by the approved plan and implementing procedures (see clarifying notes)
  • Initial notification form completed appropriate to the event to include (see clarifying notes):

      - Class of emergency
      - EAL number
      - Description of emergency
      - Wind direction and speed
      - Whether offsite protective measures are necessary
      - Potentially affected population and areas
      - Whether a release is taking place
      - Date and time of declaration of emergency
      - Whether the event is a drill or actual event
      - Plant and/or unit as applicable

Clarifying Notes While actual event opportunities are included in the performance indicator data, the NRC will also inspect licensee response to all actual events.

As a minimum, actual emergency declarations and evaluated exercises are to be included in this indicator. In addition, other simulated emergency events that the licensee formally assesses for performance of classification, notification or PAR development may be included in this indicator (opportunities cannot be removed from the indicator due to poor performance).

The following information provides additional clarification of the accuracy requirements described above:

  • It is understood that initial notification forms are negotiated with offsite authorities. If the approved form does not include these elements, they need not be added. Alternately, if the form includes elements in addition to these, those elements need not be assessed for accuracy when determining the DEP PI. It is, however, expected that errors in such additional elements would be critiqued and addressed through the corrective action system.
  • The description of the event causing the classification may be brief and need not include all plant conditions. At some sites, the EAL number is the description.
  • “Release” means a radiological release attributable to the emergency event.
  • Minor discrepancies in the wind speed and direction provided on the emergency notification form need not count as a missed notification opportunity provided the discrepancy would not result in an incorrect PAR being provided.

The licensee shall identify, in advance, drills, exercises and other performance enhancing experiences in which opportunities will be formally assessed, and shall be available for NRC review. The licensee has the latitude to include opportunities in the PI statistics as long as the drill (in whatever form) simulates the appropriate level of inter-facility interaction. The criteria for suitable drills/performance enhancing experiences are provided under the ERO Drill Participation PI clarifying notes.

If credit for an opportunity is given in the ERO Drill Participation performance indicator, then that opportunity must be included in the drill/exercise performance indicator. For example, if the communicator performing the entire notification during a performance enhancing scenario is an ERO member in a Key Position, then the notification may be considered as an opportunity and, if so, participation credit awarded to the ERO member in the Key Position.

If an ERO member in a Key Position supports multiple units (at one or more sites), Drill/Exercise Performance (DEP) opportunities performed by the ERO member may be credited to all sites potentially served by the ERO member, in addition to the specific site participating in the drill or exercise.

When a performance enhancing experience occurs before an individual is assigned to a Key Position in the ERO, then opportunities for that individual that were identified in advance shall contribute to the Drill/Exercise (DEP) metric at the time the member is assigned to the ERO.

Performance statistics from operating shift simulator training evaluations may be included in this indicator only when the scope requires classification. Classification and PARs performed in the simulator may be included in the indicator. Notifications for Classification and Notifications for PARs may be included in this indicator if they are performed to the point of filling out the appropriate forms and demonstrating sufficient knowledge to perform the actual notification.

“Demonstrating sufficient knowledge” is defined as demonstrating the use of communications equipment to contact the first offsite stakeholder for the purpose of transmitting initial notification information (offsite stakeholder may be role-played) in accordance with site communication procedure(s), as well as, if used, demonstration of the needed interface between the key ERO communicator and the phone-talker. It is recognized that key control room positions may not perform the actual communication with offsite agencies as part of the notification process. Personnel filling non-key positions for contacting offsite agencies (phone-talker) may not be available during simulator training.

If an evaluator role-plays the phone-talker during the simulator session, a phone-talker is required to complete the notification process out of sequence (e.g. notification form completed in the simulator is provided to a phone-talker at a later time and the phone-talker demonstrates use of the telephone equipment to an evaluator). Interactions normally between the Key Communicator and the phone-talker (e.g. receiving instruction, discussion of the notification and correction of errors in the notification form) occur between the phone-talker and an evaluator role playing the Key Communicator for this off-sequence demonstration. Timeliness is determined by adding the time required to complete the notification form in the simulator to the time required by the phone-talker to interact and then utilize the communications equipment out of sequence.

However, there is no intent to disrupt ongoing operator qualification programs. Appropriate operator training evolutions should be included in the indicator only when Emergency Preparedness aspects are consistent with training goals. A successful PI opportunity is determined by evaluating performance against program expectations. Thus, if it is part of a pre-established expectation to enhance the realism of the training environment by marking “actual” on the notification forms, it should be considered a successful PI opportunity if a simulator crew marks “actual” on the notification form. However, all notification forms must be marked consistently, either “drill” or “actual” in accordance with the requirements of the licensee’s emergency preparedness program expectation. Not marking either drill or actual event (regardless of expectations) shall be a failed opportunity.

Some licensees have specific arrangements with their State authorities that provide for different notification requirements than those prescribed by the performance indicator, e.g., within one hour, not 15 minutes. In these instances the licensee should determine success against the specific state requirements.

For sites with multiple agencies to notify, the notification is considered to be initiated when contact is made with the first agency to transmit the initial notification information.

Simulation of notification to offsite agencies is allowed. It is not expected that State/local agencies be available to support all drills conducted by licensees. The drill should reasonably simulate the contact and the participants should demonstrate their ability to use the equipment.

Classification is expected to be made promptly following indication that the conditions have reached an emergency threshold in accordance with the licensee’s EAL scheme. With respect to classification of emergencies, the 15 minute goal is a reasonable period of time for assessing and classifying an emergency once indications are available to control room operators that an EAL has been exceeded. Allowing a delay in classifying an emergency up to 15 minutes will have minimal impact upon the overall emergency response to protect the public health and safety. The 15-minute goal should not be interpreted as providing a grace period in which a licensee may attempt to restore plant conditions and avoid classifying the emergency.

If an event has occurred that resulted in an emergency classification where no EAL was exceeded, the incorrect classification should be considered a missed opportunity. The subsequent notification should be considered an opportunity and evaluated on its own merits.

During drill performance, the ERO may not always classify an event exactly the way that the scenario specifies. This could be due to conservative decision making, Emergency Director judgment call, or a simulator driven scenario that has the potential for multiple ‘forks’. Situations can arise in which assessment of classification opportunities is subjective due to deviation from the expected scenario path. In such cases, evaluators should document the rationale supporting their decision for eventual NRC inspection. Evaluators must determine if the classification was appropriate to the event as presented to the participants and in accordance with the approved emergency plan and implementing procedures.

If the expected classification level is missed because an EAL is not recognized within 15 minutes of availability, but a subsequent EAL for the same classification level is subsequently recognized, the subsequent classification is not an opportunity for DEP statistics. The reason that the classification is not an opportunity is that the appropriate classification level was not attained in a timely manner.

If a controller intervenes (e.g., coaching, prompting) with the performance of an individual to make an independent and correct classification, notification, or PAR, then that DEP PI opportunity shall be considered a failure.

Failure to appropriately classify an event counts as only one failure. This is because notification of the classification, development of any PARs and PAR notification are subsequent actions to classification. Similarly, if the same error occurs in follow-up notifications, it should only be considered a missed opportunity on the initial notification form.

A classification based on a downgrade from a previously existing higher classification is not counted as an opportunity. It was not the intent to count downgrades as opportunities for the DEP performance indicator. When a higher classification is reached in a drill, exercise or real event it is probable that multiple EALs at equal or lower levels have also been exceeded. When the reason for the highest classification is cleared, many of the lower conditions may still exist. It is impractical to evaluate downgrades in classification from a timeliness and accuracy standpoint. The notification of the downgrade should be handled as an update rather than a formal opportunity for the performance indicator.

The notification associated with a PAR is counted separately: e.g., an event triggering a GE classification would represent a total of 4 opportunities: 1 for classification of the GE, 1 for notification of the GE to the State and/or local government authorities, 1 for development of a PAR and 1 for notification of the PAR. All PAR notifications resulting in a Recommendation of Evacuation or Shelter, whether default or not, should be counted as an opportunity for the drill/exercise performance indicator.

If PARs at the SAE are in the site Emergency Plan they could be counted as opportunities. However, this would only be appropriate where assessment and decision making is involved in development of the PAR. Automatic PARs with little or no assessment required would not be an appropriate contributor to the PI. PARs limited to livestock or crops and no-PAR-necessary decisions are also not appropriate.

Dose assessment and PAR development are expected to be made promptly following indications that the conditions have reached a threshold in accordance with the licensee’s PAR scheme. The 15 minute goal from data availability is a reasonable period of time to develop or expand a PAR. Plant conditions, meteorological data, field monitoring data, and/or radiation monitor data should provide sufficient information to determine the need to change PARs. If radiation monitor readings provide sufficient data for assessments, it is not appropriate to wait for field monitoring to become available to confirm the need to expand the PAR. The 15 minute goal should not be interpreted as providing a grace period in which the licensee may attempt to restore conditions and avoid making the PAR recommendation.

If a licensee has identified in its scenario objectives that Protective Action Guidelines (PAGs) will be exceeded beyond the 10 mile plume exposure pathway emergency planning zone (EPZ) boundary, then this would constitute a PI opportunity. In addition, there is a DEP PI opportunity associated with the timeliness of the notification of the PAR to offsite agencies. Essential to understanding that these DEP PI opportunities exist is the need to realize that it is a regulatory requirement for a licensee to develop and communicate a PAR when EPA PAG doses may be exceeded beyond the 10 mile plume exposure pathway EPZ. However, the licensee always has the latitude to identify which DEP PI opportunities will be included in the PI statistics prior to the exercise. Thus, a licensee may choose to not include a PAR beyond the 10-mile EPZ as a DEP PI statistic due to its ad hoc nature.

If a licensee discovers after the fact (greater than 15 minutes) that an event or condition had existed which exceeded an EAL, but no emergency had been declared and the EAL is no longer exceeded at the time of discovery, the following applies:

  • If the indication of the event was not available to the operator, the event should not be evaluated for PI purposes.
  • If the indication of the event was available to the operator but not recognized, it should be considered an unsuccessful classification opportunity.
  • In either case described above, notification should be performed in accordance with NUREG-1022 and not be evaluated as a notification opportunity.

Data Example


EMERGENCY RESPONSE ORGANIZATION DRILL PARTICIPATION

Purpose This indicator tracks the participation of ERO members assigned to fill Key Positions in performance enhancing experiences, and through linkage to the DEP indicator ensures that the risk significant aspects of classification, notification, and PAR development are evaluated and included in the PI process. This indicator measures the percentage of ERO members assigned to fill Key Positions who have participated recently in performance-enhancing experiences such as drills, exercises, or in an actual event.

Indicator Definition The percentage of ERO members assigned to fill Key Positions that have participated in a drill, exercise, or actual event during the previous eight quarters, as measured on the last calendar day of the quarter.

Data Reporting Elements The following data are required to calculate this indicator and are reported:

  • total number of ERO members assigned to fill Key Positions
  • total number of ERO members assigned to fill Key Positions that have participated in a drill, exercise, or actual event in the previous eight quarters

The indicator is calculated and reported quarterly, based on participation over the previous eight quarters (see clarifying notes).

The participation indicator may include participation in a facility that supports multiple units.

Calculation The site indicator is calculated as follows:


Definition of Terms Key Positions are defined below:

  • Control Room
      - Shift Manager (Emergency Director) - Supervision of reactor operations, responsible for classification, notification, and determination of protective action recommendations
      - Shift Communicator - provides initial offsite (state/local) notification
  • Technical Support Center
      - Senior Manager - Management of plant operations/corporate resources
      - Key Operations Support
      - Key Radiological Controls - Radiological effluent and environs monitoring, assessment, and dose projections
      - Key TSC Communicator - provides offsite (state/local) notification
      - Key Technical Support
  • Emergency Operations Facility
      - Senior Manager - Management of corporate resources
      - Key Protective Measures - Radiological effluent and environs monitoring, assessment, and dose projections
      - Key EOF Communicator - provides offsite (state/local) notification
  • Operational Support Center
      - Key OSC Operations Manager

Assigned: Those ERO personnel filling Key Positions listed on the licensee duty roster on the last day of the quarter of the reporting period.

Clarifying Notes When the performance of Key Positions includes classification, notification, or PAR development opportunities, the success rate of these opportunities must contribute to Drill/Exercise Performance (DEP) statistics for participation of those Key Positions to contribute to ERO Drill Participation. Participation drill credit before being assigned to the ERO may be counted for these Key Positions once the individual is assigned to the ERO as long as the success rate for the opportunities contributes to Drill/Exercise (DEP) statistics.

The licensee may designate drills as not contributing to DEP and, if the drill provides a performance enhancing experience as described herein, those Key Positions that do not involve classification, notification or PARs may be given credit for ERO Drill Participation. Additionally, the licensee may designate elements of the drills not contributing to DEP (e.g., classifications will not contribute but notifications will contribute to DEP.) In this case, the participation of all Key Positions, except those associated with the non-contributing elements, may contribute to ERO Drill Participation. Participation drill credit before being assigned to the ERO may be counted for the Key Positions not contributing to DEP if the drill provides a performance enhancing experience as described herein. The licensee must document such designations in advance of drill performance and make these records available for NRC inspection.

In order for an opportunity to be considered a performance enhancing experience for a Key Communicator, the opportunity must include demonstration of the ability to perform a notification of the emergency classification level to required agencies. Documentation of the opportunity and its evaluation/critique is to be comprehensive enough to allow an Inspector to reasonably reach the same conclusion as the licensee as to the adequacy of the performance enhancing experience.

Option for Emergency Response Organizations with Common Facilities

If an ERO member in a Key Position supports multiple units (at one or more sites) and demonstrates similar skill sets during a performance-enhancing experience, participation credit may be granted for all sites supported.

Negative performance credit as well as positive performance credit will be assigned to all units.

Similarity of Skill Sets

Skill sets are considered similar when the procedures, processes and protocols involved accomplish the same task or goal. Examples of similar skill sets are provided below.

Classification

Classification of Emergencies is similar when Emergency Action Level procedures, processes and protocols used by the ERO members in the Key Position are essentially the same (for example, all units would use NEI 99-01 or, in the case where a unit may be an advanced passive light water reactor, it would be acceptable to utilize NEI 99-01 for existing technology and NEI 07-01 for passive technology). Training for key ERO members performing this function is to include unit-specific and/or technology differences relating to Initiating Conditions/Emergency Action Levels (e.g., ISFSI, unique hazards, design considerations, etc.).

Protective Action Recommendations (PARs)

Protective Action Recommendations, when developed with the same protective action strategies, are similar provided that the procedures, processes and protocols for the development of the protective action recommendations are essentially the same. For example:

  • Logic flow charts may differ (e.g., because of population differences among the sites), but should serve the same purpose and be used in the same way.
  • Protective Action Zones may differ, but the process used to identify the action taken for the zones is the same.
  • Implementation of potassium iodide (KI) strategies may differ based on the implementation strategies of responsible authorities at the State and/or Local level, but the procedures, processes and protocols used to determine if KI is warranted should be the same.
  • PAR development discussion strategies should be the same for each site supported by the common facility.

Dose Assessment

Dose assessment is similar when methodologies, applicable computer programs, and models are the same across sites and/or unit technologies served by the common facility. Definitions of what constitutes a radiological release during a classified emergency are the same. Training for key ERO members performing this function must include unit-specific differences in effluent monitors and release pathways, local meteorological regimes and topography impacts and how these differences impact the dose assessment.

Emergency Notifications

The emergency communicator functions are similar when procedures, processes and protocols are performed utilizing a similar emergency notification form design and content. Emergency communicators will be trained on all notification procedures, processes and protocol differences including, but not limited to, offsite contacts, form content, methods and equipment.

Link to Drill and Exercise Performance

Lessons learned (positive and negative) are shared to ensure that the benefits of the performance enhancing experience of the key ERO member(s) are applied across all units. Corrective actions from the performance of key ERO members performing DEP activities are shared with and applied to all key ERO members of all units. Similarly, corrective actions associated with common facility Key ERO member performance (e.g. training or qualification gaps, procedure deficiencies, equipment issues) are applied across all units' corrective action programs. DEP opportunities performed shall be credited to all units, in addition to the unit participating in the drill or exercise.

Records

Lesson plans, rosters, records, etc., are available for NRC inspection.

Credit can be granted to Key Positions for ERO Participation for a Security related Drill or Exercise as long as the Key Positions are observed evaluating the need to upgrade to the next higher classification level and/or evaluating the need to change protective action recommendations. Key TSC Communicator and Key EOF Communicator may be granted participation credit as long as the Key Position performs a minimum of one offsite (state/local) update notification. If an individual participates in more than one Security-related Drill/Exercise in a three year period, only one of the Security-related Drills/Exercises can be credited. A station cannot run more than one credited Security-related Drill/Exercise in any consecutive 4 quarter period. Objective evidence shall be documented to demonstrate the above requirements were met.

Evaluated simulator training evolutions that contribute to Drill/Exercise Performance indicator statistics may be considered as opportunities for ERO Drill Participation. The scenarios must at least contain a formally assessed classification and the results must be included in DEP statistics. However, there is no intent to disrupt ongoing operator qualification programs. Appropriate operator training evolutions should be included in this indicator only when Emergency Preparedness aspects are consistent with training goals.

If an ERO member filling a Key Position has participated in more than one drill during the eight quarter evaluation period, the most recent participation should be used in the Indicator statistics.

If a change occurs in the number of ERO members filling Key Positions, this change should be reflected in both the numerator and denominator of the indicator calculation.

If a person is assigned to more than one Key Position, it is expected that the person be counted in the denominator for each position and in the numerator only for drill participation that addresses each position. Where the skill set is similar, a single drill might be counted as participation in both positions.

Assigning a single member to multiple Key Positions and then only counting the performance for one Key Position could mask the ability or proficiency of the remaining Key Positions. The concern is that an ERO member having multiple Key Positions may never have a performance enhancing experience for all of them, yet credit for participation will be given when any one of the multiple Key Positions is performed; particularly, if more than one ERO position is assigned to perform the same Key Position.

ERO participation should be counted for each Key Position, even when multiple Key Positions are assigned to the same ERO member. In the case where a utility has assigned two or more Key Positions to a single ERO member, each Key Position must be counted in the denominator for that ERO member and credit given in the numerator when the ERO member performs each Key Position.

Similarly, ERO members need not individually perform an opportunity of classification, notification, or PAR development in order to receive ERO Drill Participation credit. The evaluation of the DEP opportunities is a crew evaluation for the entire Emergency Response Organization. ERO members may receive credit for the drill if their participation is a meaningful opportunity to gain proficiency in their ERO function.

When an ERO member changes from one Key Position to a different Key Position with a skill set similar to the old one, the last drill/exercise participation may count. If the skill set for the new position is significantly different from the old position then the previous participation would not count.

Participation may be as a participant, mentor, coach, evaluator, or controller, but not as an observer. Multiple assignees to a given Key Position could take credit for the same drill if their participation is a meaningful opportunity to gain proficiency.

Drills performed by an individual before being assigned to a Key Position in the ERO may be counted once the individual is assigned to the ERO as long as the performance enhancing experience(s) contributes to the Drill/Exercise (DEP) metric. The meaning of “drills” in this usage is intended to include performance enhancing experiences (exercises, functional drills, simulator drills, table top drills, mini drills, etc.) that reasonably simulate the interactions between appropriate centers and/or individuals that would be expected to occur during emergencies. For example, control room interaction with offsite agencies could be simulated by instructors or OSC interaction could be simulated by a control cell simulating the TSC functions, and damage control teams.

In general, a drill does not have to include all ERO facilities to be counted in this indicator. A drill is of adequate scope if it reasonably simulates the interaction between one or more of the following facilities, as would be expected to occur during emergencies:

  • the control room,
  • the Technical Support Center (TSC),
  • the Operations Support Center,
  • the Emergency Operations Facility (EOF),
  • field monitoring teams,
  • damage control teams, and
  • Offsite governmental authorities.

The licensee need not develop new scenarios for each drill or each team. However, it is expected that the licensee will maintain a reasonable level of confidentiality so as to ensure the drill is a performance enhancing experience. A reasonable level of confidentiality means that some scenario information could be inadvertently revealed and the drill remain a valid performance enhancing experience. It is expected that the licensee will remove from drill performance statistics any opportunities considered to be compromised. There are many processes for the maintenance of scenario confidentiality that are generally successful. Examples may include confidentiality statements on the signed attendance sheets and spoken admonitions by drill controllers. Examples of practices that may challenge scenario confidentiality include drill controllers, evaluators, or mentors who have scenario knowledge becoming participants in subsequent uses of the same scenarios, and use of scenario reviewers as participants.

All individuals qualified to fill the Control Room Shift Manager/Emergency Director position that actually might fill the position should be included in this indicator.

The communicator is the Key Position that fills out the notification form, seeks approval and usually communicates the information to offsite agencies. Performance of these duties is assessed for accuracy and timeliness and contributes to the DEP PI. Senior managers who do not perform these duties should not be considered communicators even though they approve the form and may supervise the work of the communicator. However, there are cases where the senior manager actually collects the data for the form, fills it out, approves it and then communicates it or hands it off to a phone talker. Where this is the case, the senior manager is also the communicator and the phone talker need not be tracked. The communicator is not expected to be just a phone talker who is not tasked with filling out the form. There is no intent to track a large number of shift communicators or personnel who are just phone talkers.



Data Example


ALERT AND NOTIFICATION SYSTEM RELIABILITY

Purpose

This indicator monitors the reliability of the offsite Alert and Notification System (ANS), a critical link for alerting and notifying the public of the need to take protective actions. It provides the percentage of the sirens that are capable of performing their safety function based on regularly scheduled tests.

Indicator Definition

The percentage of ANS sirens that are capable of performing their function, as measured by periodic siren testing in the previous 12 months.

Periodic tests are the regularly scheduled tests (documented in the licensee’s test plan or guidelines) that are conducted to actually test the ability of the sirens to perform their function (e.g., silent, growl, siren sound test). Tests performed for maintenance purposes should not be counted in the performance indicator database. Actions that could affect the as found condition of sirens prior to testing are not allowed.


Data Reporting Elements

The following data are reported: (see clarifying notes)

  • the total number of ANS siren-tests during the previous quarter
  • the number of successful ANS siren-tests during the previous quarter

Calculation

The site value for this indicator is calculated as follows:


Definition of Terms

Siren-Tests: the number of sirens times the number of times they are tested. For example, if 100 sirens are tested 3 times in the quarter, there are 300 siren-tests.

Successful siren-tests are the sum of sirens that performed their function when tested. For example, if 100 sirens are tested three times in the quarter and the results of the three tests are: first test, 90 performed their function; second test, 100 performed their function; third test, 80 performed their function, then there were 270 successful siren-tests.

Clarifying Notes

The purpose of the ANS PI is to provide a uniform industry reporting approach and is not intended to replace the FEMA Alert and Notification reporting requirement at this time.

For those sites that do not have sirens, the performance of the licensee’s alert and notification system will be evaluated through the NRC baseline inspection program. A site that does not have sirens does not report data for this indicator.

If a siren is out of service for maintenance or is inoperable at the time a regularly scheduled test is conducted, then it counts as both a siren test and a siren failure. Regularly scheduled tests missed for reasons other than siren unavailability (e.g., out of service for planned maintenance or repair) should be considered non opportunities. The failure to perform a regularly scheduled test should be noted in the comment field. Additionally, if sirens are not available for operation because of intentional actions to disable them, and the area is deemed uninhabitable by State and/or Local agencies, the siren(s) in question are not required to be counted in the numerator or denominator of the Performance Indicator for testing throughout the event. The conditions causing the suspension of testing, its duration and restoration are to be noted in the comment field for the indicator.

For plants where scheduled siren tests are initiated by local or state governments, if a scheduled test is not performed either intentionally or accidentally, the missed test is not considered a valid test opportunity. Missed test occurrences should be entered in the plant’s corrective action program.

If a siren failure is determined to be due only to testing equipment, and subsequent testing shows the siren to be operable (verified by telemetry or simultaneous local verification) without any corrective action having been performed, the siren test should be considered a success. Maintenance records should be complete enough to support such determinations and validation during NRC inspection.

A licensee may change ANS test methodology at any time consistent with regulatory guidance. For the purposes of this performance indicator, only the testing methodology in effect on the first day of the quarter shall be used for that quarter. Neither successes nor failures beyond the testing methodology at the beginning of the quarter will be counted in the PI. (No actual siren activation data results shall be included in licensees’ ANS PI data.) Any change in test methodology shall be reported as part of the ANS Reliability Performance Indicator effective the start of the next quarterly reporting period. Changes should be noted in the comment field.

Siren systems may be designed with equipment redundancy, multiple signals or feedback capability. It may be possible for sirens to be activated from multiple control stations or signals. If the use of redundant control stations or multiple signals is in approved procedures and is part of the actual system activation process then activation from either control station or any signal should be considered a success. A failure of both systems would only be considered one failure, whereas the success of either system would be considered a success. If the redundant control station is not normally attended, requires setup or initialization, it may not be considered as part of the regularly scheduled test. Specifically, if the station is only made ready for the purpose of siren tests it should not be considered as part of the regularly scheduled test.

Actions specifically taken to improve the performance of a scheduled test are not appropriate. The test results should indicate the actual as-found condition of the ANS. Such practices will result in an inaccurate indication of ANS reliability.

Examples of actions that are NOT allowed and DO affect the as found conditions of sirens (not an all-inclusive list):

  • Preceding test with an unscheduled test with the sole purpose to validate the siren is functional.
  • Prior to a scheduled test, adjustment or calibration of siren system activation equipment that was not scheduled to support post maintenance testing.
  • Prior to a scheduled test, testing siren system activation equipment or an individual siren(s) unless the equipment is suspected damaged from adverse weather, vandalism, vehicular strikes, etc.
  • Prior to a scheduled test, testing siren system activation equipment or an individual siren(s) unless the equipment is suspected as being non-functional as a result of a computer hardware or software failure, radio tower failure, cut phone line, etc.

However, in no case should response preclude the timely correction of ANS problems and subsequent post-maintenance testing, or the execution of a comprehensive preventive maintenance program.

Testing opportunities that will be included in the ANS performance indicator are required to be defined in licensee ANS procedures. These are typically: bi-weekly, monthly, quarterly and annual tests. The site specific ANS design and testing document approved by FEMA is a reference for the appropriate types of test; however, licensees may perform tests in addition to what is discussed in the FEMA report.

Examples of actions that ARE allowed and do not affect the as found conditions of sirens (not an all-inclusive list):

  • Regardless of the time, an unscheduled diagnostic test and subsequent maintenance and repair followed by post maintenance testing after any event that causes actual or suspected damage, such as:
      1. Severe/inclement weather (high winds, lightning, ice, etc.),
      2. Suspected or actual vandalism,
      3. Physical damage from impact (vehicle, tree limbs, etc.),
      4. Computer hardware and software failures,
      5. Damaged communication cables or phone lines.
      6. Problems identified by established routine use of the siren feedback systems.
  • Scheduled polling tests for the purpose of system monitoring to optimize system availability and functionality.


If a siren is out of service for scheduled planned refurbishment or overhaul maintenance performed in accordance with an established program, or for scheduled equipment upgrades, the siren need not be counted as a siren test or a siren failure. However, sirens that are out of service due to unplanned corrective maintenance would continue to be counted as failures. Unplanned corrective maintenance is a measure of program reliability. The exclusion of a siren due to temporary unavailability during planned maintenance/upgrade activities is acceptable due to the level of control placed on scheduled maintenance/upgrade activities. It is not the intent to create a disincentive to performing maintenance/upgrades to ensure the ANS performs at its peak reliability.

As part of a refurbishment or overhaul plan, it is expected that each utility would communicate to the appropriate state and/or local agencies the specific sirens to be worked and ensure that a functioning backup method of public alerting would be in-place. The acceptable timeframe for allowing a siren to remain out of service for system refurbishment or overhaul maintenance should be coordinated with the state and local agencies. Based on the impact to their organization, these timeframes should be specified in upgrade or system improvement implementation plans and/or maintenance procedures. Deviations from these plans and/or procedures would constitute unplanned unavailability and would be included in the PI.

Siren testing conducted at redundant control stations, such as county EOCs that are staffed during an emergency by an individual capable of activating the sirens, may be credited provided the redundant control station is in an approved facility as documented in the FEMA ANS design report.

Data Example


2.5 OCCUPATIONAL RADIATION SAFETY CORNERSTONE

The objectives of this cornerstone are to:

(1) keep occupational dose to individual workers below the limits specified in 10 CFR Part 20 Subpart C; and

(2) use, to the extent practical, procedures and engineering controls based upon sound radiation protection principles to achieve occupational doses that are as low as is reasonably achievable (ALARA) as specified in 10 CFR 20.1101(b).

There is one indicator for this cornerstone:

  • Occupational Exposure Control Effectiveness

OCCUPATIONAL EXPOSURE CONTROL EFFECTIVENESS

Purpose

The purpose of this performance indicator is to address the first objective of the occupational radiation safety cornerstone. The indicator monitors the control of access to and work activities within radiologically-significant areas of the plant and occurrences involving degradation or failure of radiation safety barriers that result in readily-identifiable unintended dose.

The indicator includes dose-rate and dose criteria that are risk-informed, in that the indicator encompasses events that might represent a substantial potential for exposure in excess of regulatory limits. The performance indicator also is considered “leading” because the indicator:

  • encompasses less-significant occurrences that represent precursors to events that might represent a substantial potential for exposure in excess of regulatory limits, based on industry experience; and
  • Employs dose criteria that are set at small fractions of applicable dose limits (e.g., the criteria are generally at or below the levels at which dose monitoring is required in regulation).

Indicator Definition

The performance indicator for this cornerstone is the sum of the following:

  • Technical specification high radiation area (>1 rem per hour) occurrences
  • Very high radiation area occurrences
  • Unintended exposure occurrences


Data Reporting Elements

The data listed below are reported for each site. For multiple unit sites, an occurrence at one unit is reported identically as an input for each unit. However, the occurrence is only counted once against the site-wide threshold value.

  • The number of technical specification high radiation area (>1 rem per hour) occurrences during the previous quarter
  • The number of very high radiation area occurrences during the previous quarter
  • The number of unintended exposure occurrences during the previous quarter

Calculation

The indicator is determined by summing the reported number of occurrences for each of the three data elements during the previous 4 quarters.

Definition of Terms

Technical Specification High Radiation Area (>1 rem per hour) Occurrence - A nonconformance (or concurrent nonconformances) with technical specifications or comparable requirements in 10 CFR 20 applicable to technical specification high radiation areas (>1 rem per hour) that results in the loss of radiological control over access or work activities within the respective high-radiation area (>1 rem per hour). For high radiation areas (>1 rem per hour), this PI does not include nonconformance with licensee-initiated controls that are beyond what is required by technical specifications and the comparable provisions in 10 CFR Part 20.

Technical specification high radiation areas, commonly referred to as locked high radiation areas, include any area, accessible to individuals, in which radiation levels from radiation sources external to the body are in excess of 1 rem (10 mSv) per 1 hour at 30 centimeters from the radiation source or 30 centimeters from any surface that the radiation penetrates, and excludes very high radiation areas. Technical specification high radiation areas, in which radiation levels from radiation sources external to the body are less than or equal to 1 rem (10 mSv) per 1 hour at 30 centimeters from the radiation source or 30 centimeters from any surface that the radiation penetrates, are excluded from this performance indicator.

  • “Radiological control over access to technical specification high radiation areas” refers to measures that provide assurance that inadvertent entry into the technical specification high radiation areas by unauthorized personnel will be prevented.
  • “Radiological control over work activities” refers to measures that provide assurance that dose to workers performing tasks in the area is monitored and controlled.

Examples of occurrences that would be counted against this indicator include:

  • Failure to post an area as required by technical specifications,
  • Failure to secure an area against unauthorized access,
  • Failure to provide a means of personnel dose monitoring or control required by technical specifications,
  • Failure to maintain administrative control over a key to a barrier lock as required by technical specifications,
  • An occurrence involving unauthorized or unmonitored entry into an area, or
  • Nonconformance with a requirement of an RWP (as specified in the licensee’s technical specifications) that results in a loss of control of access to or work within a technical specification high radiation area.

Examples of occurrences that are not counted include the following:

  • Situations involving areas in which dose rates are less than or equal to 1 rem per hour,
  • Occurrences associated with isolated equipment failures. This might include, for example, discovery of a burnt-out light, where flashing lights are used as a technical specification control for access, or a failure of a lock, hinge, or mounting bolts, when a barrier is checked or tested.
  • Nonconformance with an RWP requirement that does not result in a loss of control of access to or work within a technical specification high radiation area (e.g., signing in on the wrong RWP, but having received the pre-job brief and implemented all of the access work control requirements of the correct RWP).

Very High Radiation Area Occurrence - A nonconformance (or concurrent nonconformances) with 10 CFR 20 and licensee procedural requirements that results in the loss of radiological control over access to or work activities within a very high radiation area. “Very high radiation area” is defined as any area accessible to individuals, in which radiation levels from radiation sources external to the body could result in an individual receiving an absorbed dose in excess of 500 rads (5 grays) in 1 hour at 1 meter from a radiation source or 1 meter from any surface that the radiation penetrates.

  • “Radiological control over access to very high radiation areas” refers to measures to ensure that an individual is not able to gain unauthorized or inadvertent access to very high radiation areas.
  • “Radiological control over work activities” refers to measures that provide assurance that dose to workers performing tasks in the area is monitored and controlled.

Unintended Exposure Occurrence - A single occurrence of degradation or failure of one or more radiation safety barriers that results in unintended occupational exposure(s), as defined below.

Following are examples of an occurrence of degradation or failure of a radiation safety barrier included within this indicator:

  • failure to identify and post a radiological area
  • failure to implement required physical controls over access to a radiological area
  • failure to survey and identify radiological conditions
  • failure to train or instruct workers on radiological conditions and radiological work controls
  • failure to implement radiological work controls (e.g., as part of a radiation work permit)

An occurrence of the degradation or failure of one or more radiation safety barriers is only counted under this indicator if the occurrence resulted in unintended occupational exposure(s) equal to or exceeding any of the dose criteria specified in the table below. The dose criteria were selected to serve as “screening criteria,” only for the purpose of determining whether an occurrence of degradation or failure of a radiation safety barrier should be counted under this indicator. The dose criteria should not be taken to represent levels of dose that are “risk-significant.” In fact, the dose criteria selected for screening purposes in this indicator are generally at or below dose levels that are required by regulation to be monitored or to be routinely reported to the NRC as occupational dose records.

Table: Dose Values Used as Screening Criteria to Identify an Unintended Exposure Occurrence in the Occupational Exposure Control Effectiveness PI

  • 2% of the stochastic limit in 10 CFR 20.1201 on total effective dose equivalent. The 2% value is 0.1 rem.
  • 10% of the non-stochastic limits in 10 CFR 20.1201. The 10% values are as follows:
      - 5 rem: the sum of the deep-dose equivalent and the committed dose equivalent to any individual organ or tissue
      - 1.5 rem: the lens dose equivalent to the lens of the eye
      - 5 rem: the shallow-dose equivalent to the skin or any extremity, other than dose received from a discrete radioactive particle (DRP)
  • 20% of the limits in 10 CFR 20.1207 and 20.1208 on dose to minors and declared pregnant women. The 20% value is 0.1 rem.

“Unintended exposure” refers to exposure that results in dose in excess of the administrative guideline(s) set by a licensee as part of their radiological controls for access or entry into a radiological area. Administrative dose guidelines may be established:

  • within radiation work permits, procedures, or other documents,
  • via the use of alarm setpoints for personnel dose monitoring devices, or
  • by other means, as specified by the licensee.

It is incumbent upon the licensee to specify the method(s) being used to administratively control dose. An administrative dose guideline set by the licensee is not a regulatory limit and does not, in itself, constitute a regulatory requirement. A revision to an administrative dose guideline(s) during job performance is acceptable (with regard to this PI) if conducted in accordance with plant procedures or programs.

If a specific type of exposure was not anticipated or specifically included as part of job planning or controls, the full amount of the dose resulting from that type of exposure should be considered as “unintended” in making a comparison with the respective criteria in the PI. For example, this might include Committed Effective Dose Equivalent (CEDE), Committed Dose Equivalent (CDE), or Shallow Dose Equivalent (SDE).


Clarifying Notes

An occurrence (or concurrent occurrences) that potentially meet the definition of more than one element of the performance indicator will only be counted once. In other words, an occurrence (or concurrent occurrences) will not be double-counted (or triple-counted) against the performance indicator. If two or more individuals are exposed in a single occurrence, the occurrence is only counted once.

Radiography work conducted at a plant under another licensee’s 10 CFR Part 34 license is generally outside the scope of this PI. However, if a Part 50 licensee opts to establish additional radiological controls under its own program consistent with technical specifications or comparable provisions in 10 CFR Part 20, then a non-conformance with such additional controls or unintended dose resulting from the non-conformance shall be evaluated under the criteria in the PI.


Data Example


2.6 PUBLIC RADIATION SAFETY CORNERSTONE

RETS/ODCM RADIOLOGICAL EFFLUENT OCCURRENCE

Purpose

To assess the performance of the radiological effluent control program.

Indicator Definition

Radiological effluent release occurrences per site that exceed the values listed below:

Radiological effluent releases in excess of the following values:

  • Liquid Effluents
      - Whole Body: 1.5 mrem/qtr
      - Organ: 5 mrem/qtr
  • Gaseous Effluents
      - Gamma Dose: 5 mrads/qtr
      - Beta Dose: 10 mrads/qtr
      - Organ Doses from I-131, I-133, H-3 & Particulates: 7.5 mrems/qtr

Note:

(1) Values are derived from the Radiological Effluent Technical Specifications (RETS) or similar reporting provisions in the Offsite Dose Calculation Manual (ODCM), if applicable RETS have been moved to the ODCM in accordance with Generic Letter 89-01.

(2) The dose values are applied on a per reactor unit basis in accordance with the RETS/ODCM.

(3) For multiple unit sites, allocation of dose on a per reactor unit basis from releases made via common discharge points is to be calculated in accordance with the methodology specified in the ODCM.

Data Reporting Elements

Number of RETS/ODCM Radiological Effluent Occurrences each quarter involving assessed dose in excess of the indicator effluent values.

Calculation

Number of RETS/ODCM Radiological Effluent Occurrences per site in the previous four quarters.

Definition of Terms

A RETS/ODCM Radiological Effluent Occurrence is defined as a release that exceeds any or all of the five identified values outlined in the above table. These are the whole body and organ dose values for liquid effluents and the gamma dose, beta dose, and organ dose values for gaseous effluents.

Clarifying Notes

The following conditions do not count against the RETS/ODCM Radiological Effluent Occurrence:

  • Liquid or gaseous monitor operability issues
  • Liquid or gaseous releases in excess of RETS/ODCM concentration or instantaneous dose-rate values
  • Liquid or gaseous releases without treatment but that do not exceed values in the table

Not all effluent sample (e.g., composite sample analysis) results are required to be finalized at the time of submitting the quarterly PI reports. Therefore, the reports should be based upon the best-available data. If subsequently available data indicates that the number of occurrences for this PI is different than that reported, then the report should be revised, along with an explanation regarding the basis for the revision.

Data Example



2.7 SECURITY CORNERSTONE

The performance indicator for this cornerstone was selected to provide baseline and trend information needed to evaluate each licensee’s physical protection system. The regulatory purpose is to provide high assurance that this system will function to protect against the design basis threat of radiological sabotage as defined in 10 CFR Part 73. As a surrogate to any engineered physical security protection system, posted security officers provide compensation when a portion of the system is unavailable to perform its intended function. The performance indicator value is not an indication that the protection afforded by the plant’s physical security organization is less than required by the regulatory requirements.

There is one performance indicator for the physical protection system. The performance indicator is assessed against established thresholds using the data and methodology as established in this guideline. The NRC baseline inspections will validate and verify the testing requirements for each system to assure performance standards and testing periodicity are appropriate to provide valid data.

Performance Indicator

The only security performance indicator is the Protected Area Security Equipment Performance Index.

This indicator serves as a measure of unavailability of security equipment to perform its intended function. When compensatory measures are employed because a segment of equipment is unavailable (i.e., not adequately performing its intended function), there is no security vulnerability but there is an indication that something needs to be fixed. The PI also provides trend indications for evaluation of the effectiveness of the maintenance process, and also provides a method of monitoring equipment degradation as a result of aging that might adversely impact reliability. Maintenance considerations for protected area and vital area portals are appropriately and sufficiently covered by the inspection program.


Protected Area (PA) Security Equipment Performance Index

Purpose: Operability of the PA security system is necessary to detect and assess safeguards events and to provide the first line of the defense-in-depth physical protection of the plant perimeter. In the event of an attempted encroachment, the intrusion detection system identifies the existence of the threat, the barriers provide a delay to the person(s) posing the threat and the alarm assessment system is used to determine the magnitude of the threat. The PI is used to monitor the unavailability of PA intrusion detection systems and alarm assessment systems to perform their intended function.

Indicator Definition: PA Security equipment performance is measured by an index that compares the amount of the time CCTVs and IDS are unavailable, as measured by compensatory hours, to the total hours in the period. A normalization factor is used to take into account site variability in the size and complexity of the systems.

Data Reporting Elements: Report the following site data for the previous quarter for each unit:

  • Compensatory hours, CCTVs: The hours (expressed to the nearest tenth of an hour) expended in posting a security officer as required compensation for camera(s) unavailability because of degradation or defects.
  • Compensatory hours, IDS: The hours (expressed to the nearest tenth of an hour) expended in posting a security officer as required compensation for IDS unavailability because of degradation or defects.
  • CCTV Normalization factor: The number of CCTVs divided by 30. If there are 30 or fewer CCTVs, a normalization factor of 1 should be used.
  • IDS Normalization factor: The number of physical security zones divided by 20. If there are 20 or fewer zones, a normalization factor of 1 should be used.

Calculation

The performance indicator is calculated using values reported for the previous four quarters. The calculation involves averaging the results of the following two equations.

IDS Unavailability Index =

CCTV Unavailability Index =

Indicator Value =

Definition of Terms

Intrusion detection system (IDS) - E-fields, microwave fields, etc.

CCTV - The closed circuit television cameras that support the IDS.

Normalization factors - Two factors are used to compensate for larger than nominal size sites.

  • IDS Normalization Factor: Using a nominal number of physical security zones across the industry, the normalization factor for IDS is twenty. If a site has twenty or fewer intrusion detection zones, the normalization factor will be 1. If a site has more zones than 20, the factor is the total number of site zones divided by 20 (e.g., 50 ÷ 20 = 2.5).
  • CCTV Normalization Factor: Using a nominal number of perimeter cameras across the industry, the normalization factor for cameras is 30. If a site has thirty or fewer perimeter cameras, the normalization factor is 1. If a site has more than 30 perimeter cameras, the factor is the total number of perimeter cameras divided by 30 (e.g., 50 ÷ 30 = 1.7).

Note: The normalization factors are general approximations and may be modified as experience in the pilot program dictates.

Compensatory measures: Measures used to meet physical security requirements when the required equipment is unavailable. Protected Area protection is not diminished by the use of compensatory measures for equipment unavailability.

Compensatory man-hours: The man-hours (expressed to the nearest tenth of an hour) that compensatory measures are in place (posted) to address a degradation in the IDS and CCTV systems. When a portion of the system becomes unavailable—incapable of performing its intended function—and requires posting of compensatory measures, the compensatory man-hour clock is started. The period of time ends when the cause of the degraded state has been repaired, tested, and system declared operable.

If a zone is posted for a degraded IDS and a CCTV camera goes out in the same posted area, the hours for the posting of the IDS will not be double counted. However, if the IDS problem is corrected and no longer requires compensatory posting but the camera requires posting, the hours will start to count for the CCTV category.

Equipment unavailability: When the system has been posted because of a degraded condition (unavailability), the compensatory hours are counted in the PI calculation. If the degradation is caused by environmental conditions, preventive maintenance or scheduled system upgrade, the compensatory hours are not counted in the PI calculation. However, if the equipment is degraded after preventive maintenance or periodic testing, compensatory posting would be required and the compensatory hours would count. Compensatory hours stop being counted when the equipment deficiency has been corrected, equipment tested and declared back in service.

Clarifying Notes

Compensatory posting:

  • The posting for this PI is only for the protected area perimeter, not vital area doors or other places where such posting may be required.
  • Postings for IDS segments for false alarms in excess of security program limits would be counted in the PI. In the absence of a false alarm limit in the security program, qualified individuals can disposition the condition and determine whether compensatory posting is required.
  • Some postings are the result of non-equipment failures, which may be the result of test/maintenance conditions. For example, in a situation where a part of the IDS is taken out-of-service to check a condition for false alarms not in excess of security program false alarm limits, no compensatory hours would be counted. If the equipment is determined to have malfunctioned, it is not operable and maintenance/repair is required, the hours would count.
  • Compensatory hours expended to address simultaneous equipment problems (IDS & CCTV) are counted beginning with the initial piece of equipment that required compensatory hours. When this first piece of equipment is returned to service and no longer requires compensatory measures, the second covered piece of equipment carries the hours. If one IDS zone is required to be covered by more than one compensatory post, the total man-hours of compensatory action are to be counted. If multiple IDS zones are covered by one compensatory post, the man-hours are only counted once.
  • IDS equipment issues that do not require compensatory hours would not be counted.
  • Compensatory man-hours for a failed Pan-Tilt-Zoom (PTZ) camera count for the PI only if the PTZ is either being used as a CCTV or is substituting for a failed CCTV.
  • The PI metric is based on expended compensatory hours and starts when the IDS or CCTV is actually posted. There are no "fault exposure hours" or other consideration beyond the actual physical compensatory posting. Also, this indicator only uses compensatory man-hours to provide an indication of CCTV or IDS unavailability. If a PTZ camera or other non-personnel (no expended portion of a compensatory man-hour) item is used as the compensatory measure, it is not counted for this PI.
  • In a situation where security persons are already in place at continuously manned remote location security booths around the perimeter of the site and there is a need to provide compensatory coverage for the loss of IDS equipment, security persons already in these booths can fulfill this function. If they are used to perform the compensatory function, the hours are included in the PI. The man-hours for all persons required to provide compensation are counted. If more persons are assigned than required, only the required compensatory man-hours would be counted.
  • Compensatory hours for this PI cover hours expended in posting a security officer as required as compensation for IDS and/or CCTV unavailability because of a degradation or defect. If other problems (e.g., security computer or multiplexer) result in compensatory postings because the IDS/CCTV is no longer capable of performing its intended safeguards function, the hours would count. Equipment malfunctions that do not require compensatory posting are not included in this PI.
  • If an ancillary system is needed to support proper operability of IDS or CCTV and it fails, and the supported system does not operate as intended, the hours would count. For example, a CCTV camera requires sufficient lighting to perform its function so that such a lighting failure would result in compensatory hours counted for this PI.

Data reporting: For this performance indicator, rounding may be performed as desired provided it is consistent and the reporting hours are expressed to the nearest tenth of an hour. Information supporting performance indicators is reported on a per unit basis. For performance indicators that reflect site conditions (IDS or CCTV), this requires that the information be repeated for each unit on the site. The criterion for data reporting is from the time the failure or deficiency is identified to the time it is placed back in service.

Degradation: Required system, equipment, or component is no longer available or capable of performing its Intended Function.

Extreme environmental conditions: Compensatory hours do not count for extreme environmental conditions beyond the design specifications of the system, including severe storms, heavy fog, heavy snowfall, and sun glare that renders the IDS or CCTV temporarily inoperable. If after the environmental condition clears, the zone remains unavailable, despite reasonable recovery efforts, the compensatory hours would not begin to be counted until technically feasible corrective action could be completed. For example, a hurricane decimates a portion of the perimeter IDS and certain necessary components have to be obtained from the factory. Any restoration delay would be independent of the licensee’s maintenance capability and therefore would not be counted in the indicator.

Other naturally occurring conditions that are beyond the control of the licensee, such as damage or nuisance alarms from animals, are not counted.

Independent Spent Fuel Storage Installations (ISFSIs): This indicator does not include protective measures associated with such installations.

Intended function: The ability of a component to detect the presence of an individual or display an image as intended by manufacturer’s equipment design capability and as described in the Physical Security Plan.

Operational support: E-fields or equivalent that are taken out of service to support plant operations and are not equipment failures but are compensatorily posted do not count for this PI.

Scheduled equipment upgrade:

  • In the situation where system degradation results in a condition that cannot be corrected under the normal maintenance program (e.g., engineering evaluation specifies the need for a system/component modification or upgrade), and the system requires compensatory posting, the compensatory hours stop being counted toward the PI for those conditions addressed within the scope of the modification after such an evaluation has been made and the station has formally approved an upgrade with descriptive information about the upgrade plan including scope of the project, anticipated schedule, and expected expenditures. This formally initiated upgrade is the result of established work practices to design, fund, procure, install and test the project. A note should be made in the comment section of the PI submittal that the compensatory hours are being excluded under this provision. Compensatory hour counting resumes when the upgrade is complete and operating as intended as determined by site requirements for sign-off. Reasonableness should be applied with respect to a justifiable length of time the compensatory hours are excluded from the PI.
  • For the case where there are a few particularly troubling zones that result in formal initiation of an entire system upgrade for all zones, counting compensatory hours would stop only for zones out of service for the upgrade. However, if subsequent failures would have been prevented by the planned upgrade those would also be excluded from the count. This exclusion applies regardless of whether the failures are in a zone that precipitated the upgrade action or not, as long as they are in a zone that will be affected by the upgrade, and the upgrade would have prevented the failure.

Preventive maintenance:

  • Scheduled preventive maintenance (PM) on system/equipment/component to include probability and/or operability testing. Includes activities necessary to keep the system at the required functional level. Planned plant support activities are considered PM.
  • If during preventive maintenance or testing, a camera does not function correctly, and can be compensated for by means other than posting an officer, no compensatory man-hours are counted.
  • Predictive maintenance is treated as preventive maintenance. Since the equipment has not failed and remains capable of performing its intended security function, any maintenance performed in advance of its actual failure is preventive. It is not the intent to create a disincentive to performing maintenance to ensure the security systems perform at their peak reliability and capability.
  • Scheduled system upgrade: Activity to improve, upgrade or enhance system performance, as appropriate, in order to be more effective in its reliability or capability.


Data Example





APPENDIX A

Acronyms & Abbreviations

AC - Alternating (Electrical) Current
AFW - Auxiliary Feedwater System
ALARA - As Low As Reasonably Achievable
ANS - Alert & Notification System
AOT - Allowed Outage Time
AOV - Air Operated Valve
ATWS - Anticipated Transient Without Scram
BWR - Boiling Water Reactor
CCF - Common Cause Failure
CCW - Component Cooling Water
CDE - Consolidated Data Entry
CDF - Core Damage Frequency
CFR - Code of Federal Regulations
CCTV - Closed Circuit Television
DC - Direct (Electrical) Current
DE & AEs - Drills, Exercises and Actual Events
EAC - Emergency AC
EAL - Emergency Action Levels
EDG - Emergency Diesel Generator
EOF - Emergency Operations Facility
EFW - Emergency Feedwater
ERO - Emergency Response Organization
ESF - Engineered Safety Features
FAQ - Frequently Asked Question
FEMA - Federal Emergency Management Agency
FSAR - Final Safety Analysis Report
FV - Fussell-Vesely
FWCI - Feedwater Coolant Injection
IC - Isolation Condenser
IDS - Intrusion Detection System
ISFSI - Independent Spent Fuel Storage Installation
HOV - Hydraulic Operated Valve
HPCI - High Pressure Coolant Injection
HPCS - High Pressure Core Spray
HPSI - High Pressure Safety Injection
HVAC - Heating, Ventilation and Air Conditioning
INPO - Institute of Nuclear Power Operations
LER - Licensee Event Report
LPCI - Low Pressure Coolant Injection
LPSI - Low Pressure Safety Injection
LOCA - Loss of Coolant Accident
MD - Motor Driven
MOV - Motor Operated Valve
MSIV - Main Steam Isolation Valve
MSPI - Mitigating Systems Performance Index
N/A - Not Applicable
NEI - Nuclear Energy Institute
NRC - Nuclear Regulatory Commission
NSSS - Nuclear Steam Supply System
ODCM - Offsite Dose Calculation Manual
OSC - Operations Support Center
PA - Protected Area
PARs - Protective Action Recommendations
PI - Performance Indicator
PLE - Performance Limit Exceeded
PRA - Probabilistic Risk Analysis
PSA - Probabilistic Safety Assessment
PORV - Power Operated Relief Valve
PWR - Pressurized Water Reactor
RETS - Radiological Effluent Technical Specifications
RCIC - Reactor Core Isolation Cooling
RCS - Reactor Coolant System
RHR - Residual Heat Removal
ROP - Reactor Oversight Process
RWST - Refueling Water Storage Tank
SOV - Solenoid Operated Valve
SPAR - Standardized Plant Analysis Risk
SSFF - Safety System Functional Failure
SSU - Safety System Unavailability
SWS - Service Water System
TD - Turbine Driven
TSC - Technical Support Center
UAI - Unavailability Index
URI - Unreliability Index
USwC - Unplanned Scrams with Complications

APPENDIX B

STRUCTURE AND FORMAT OF NRC PERFORMANCE INDICATOR DATA FILES

Performance indicator data files submitted to the NRC as part of the Regulatory Oversight Process should conform to the structure and format identified below. The INPO CDE software automatically produces files with the structure and format outlined below.

File Naming Convention

Each NRC PI data file should be named according to the following convention. The name should contain the unit docket number, underscore, the date and time of creation and (if a change file) a “C” to indicate that the file is a change report. A file extension of .txt is used to indicate a text file.

Example: 05000399_20000103151710.txt

In the above example, the report file is for a plant with a docket number of 05000399 and the file was created on January 3, 2000 at 10 seconds after 3:17 p.m. The absence of a C at the end of the file name indicates that the file is a quarterly data report.

General Structure

Each line of the report begins with a left bracket (“[”) and ends with a right bracket (“]”). Individual items of information on a line (elements) are separated by a vertical “pipe” (“|”).

Each file begins with [BOF] as the first line and [EOF] as the last line. These indicate the beginning and end of the data file. The file may also contain one or more “buffer” lines at the end of the file to minimize the potential for file corruption. The second line of the file contains the unit docket number and the date and time of file creation (e.g., [05000399|1/2/2000 14:20:32]). Performance indicator information is contained beginning with line 3 through the next to last line (last line is [EOF]). The information contained on each line of performance indicator information consists of the performance indicator ID, applicable quarter/year (month/year for Barrier Integrity indicators), comments, and each performance indicator data element. Table B-1 provides a description of the data elements and order for each line of performance indicator data in a report file.

Example: [IE01|3Q1998|Comments here|2|2400]

In the above example, the line contains performance indicator data for Unplanned Scrams per 7000 Critical Hours (IE01), during the 3rd quarter of 1998. The applicable comment text is “Comments here”. The data elements identify that (see Table B-1) there were 2 unplanned automatic and manual scrams while critical and there were 2400 hours of critical operation during the quarter.

TABLE B-1 – PI DATA ELEMENTS IN NRC DATA REPORT

Columns: Performance Indicator; Data Element Number; Description

General Comment
  1 Performance Indicator Flag (i.e., GEN)
  2 Report quarter and year (e.g., 1Q2000)
  3 Comment text

Unplanned Scrams per 7,000 Critical Hours
  1 Performance Indicator Flag (i.e., IE01)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 Number of unplanned automatic and manual scrams while critical in the reporting quarter
  5 Number of hours of critical operation in the reporting quarter

Unplanned Power Changes per 7,000 Critical Hours
  1 Performance Indicator Flag (i.e., IE03)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 Number of unplanned power changes, excluding scrams, during the reporting quarter
  5 Number of hours of critical operation in the reporting quarter

Unplanned Scrams with Complications
  1 Performance Indicator Flag (i.e., IE04)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 Number of unplanned scrams with complications during the reporting quarter

Safety System Functional Failures
  1 Performance Indicator Flag (i.e., MS05)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 Number of safety system functional failures during the reporting quarter

Mitigating Systems Performance Index (MSPI) – Emergency AC Power Systems
  1 Performance Indicator Flag (i.e., MS06)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 MSPI Calculated Value
  5 Unavailability Index
  6 Unreliability Index
  7 Performance Limit Exceeded

Mitigating Systems Performance Index (MSPI) – High Pressure Injection Systems
  1 Performance Indicator Flag (i.e., MS07)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 MSPI Calculated Value
  5 Unavailability Index
  6 Unreliability Index
  7 Performance Limit Exceeded

Mitigating Systems Performance Index (MSPI) – Heat Removal Systems
  1 Performance Indicator Flag (i.e., MS08)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 MSPI Calculated Value
  5 Unavailability Index
  6 Unreliability Index
  7 Performance Limit Exceeded

Mitigating Systems Performance Index (MSPI) – Residual Heat Removal Systems
  1 Performance Indicator Flag (i.e., MS09)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 MSPI Calculated Value
  5 Unavailability Index
  6 Unreliability Index
  7 Performance Limit Exceeded

Mitigating Systems Performance Index (MSPI) – Cooling Water Systems
  1 Performance Indicator Flag (i.e., MS10)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 MSPI Calculated Value
  5 Unavailability Index
  6 Unreliability Index
  7 Performance Limit Exceeded

Reactor Coolant System Activity (RCSA)
  1 Performance Indicator Flag (i.e., BI01)
  2 Month and year (e.g., 3/2000)
  3 Comment text
  4 Maximum calculated RCS activity, in micro curies per gram dose equivalent Iodine 131, as required by technical specifications, for reporting month
  5 Technical Specification limit for RCS activity in micro curies per gram dose equivalent Iodine 131

Reactor Coolant System Leakage (RCSL)
  1 Performance Indicator Flag (i.e., BI02)
  2 Month and year (e.g., 3/2000)
  3 Comment text
  4 Maximum RCS Identified Leakage calculation for reporting month in gpm
  5 Technical Specification limit for RCS Identified Leakage in gpm

Emergency Response Organization Drill/Exercise Performance
  1 Performance Indicator Flag (i.e., EP01)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 Number of drill, exercise and actual event opportunities performed timely and accurately during the reporting quarter
  5 Number of drill, exercise and actual event opportunities during the reporting quarter

Emergency Response Organization (ERO) Drill Participation
  1 Performance Indicator Flag (i.e., EP02)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 Total Key ERO members that have participated in a drill, exercise, or actual event in the previous 8 quarters
  5 Total number of Key ERO personnel at end of reporting quarter

Alert & Notification System Reliability
  1 Performance Indicator Flag (i.e., EP03)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 Total number of successful ANS siren-tests during the reporting quarter
  5 Total number of ANS sirens tested during the reporting quarter

Occupational Exposure Control Effectiveness
  1 Performance Indicator Flag (i.e., OR01)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 Number of technical specification high radiation area occurrences during the reporting quarter
  5 Number of very high radiation area occurrences during the reporting quarter
  6 The number of unintended exposure occurrences during the reporting quarter

RETS/ODCM Radiological Effluent Indicator
  1 Performance Indicator Flag (i.e., PR01)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 Number of RETS/ODCM occurrences in the quarter

Protected Area Security Equipment Performance Index
  1 Performance Indicator Flag (i.e., PP01)
  2 Quarter and year (e.g., 1Q2000)
  3 Comment text
  4 IDS Compensatory Hours in the quarter
  5 CCTV Compensatory Hours in the quarter
  6 IDS Normalization Factor
  7 CCTV Normalization Factor
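The file layout in Appendix B and the element counts in Table B-1 can be checked mechanically before a file is accepted; the validator below is an added example, not part of NEI 99-02 and not the INPO CDE software. It assumes eight-digit docket numbers (as in the page's example), treats "buffer" lines as blank lines after [EOF], and assumes comment text contains no pipe character; the function names and the sample report are constructed for illustration.

```python
import re
from datetime import datetime

# Elements per line for each PI flag, counted from Table B-1
# (flag, reporting period and comment text are elements 1-3).
ELEMENT_COUNTS = {
    "GEN": 3, "IE01": 5, "IE03": 5, "IE04": 4, "MS05": 4,
    "MS06": 7, "MS07": 7, "MS08": 7, "MS09": 7, "MS10": 7,
    "BI01": 5, "BI02": 5, "EP01": 5, "EP02": 5, "EP03": 5,
    "OR01": 6, "PR01": 4, "PP01": 7,
}
MONTHLY_FLAGS = {"BI01", "BI02"}  # Barrier Integrity lines use month/year

# Assumption: docket numbers are eight digits, as in the page's example.
FILENAME_RE = re.compile(r"^(\d{8})_(\d{14})(C?)\.txt$")
QUARTER_RE = re.compile(r"^[1-4]Q\d{4}$")            # e.g. 1Q2000
MONTH_RE = re.compile(r"^(0?[1-9]|1[0-2])/\d{4}$")   # e.g. 3/2000


def normalization_factor(count, nominal):
    """IDS (nominal 20 zones) or CCTV (nominal 30 cameras) factor; never below 1."""
    return max(1.0, count / nominal)


def parse_filename(name):
    """Split <docket>_<YYYYMMDDhhmmss>[C].txt into its parts."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"bad file name: {name!r}")
    docket, stamp, change = m.groups()
    created = datetime.strptime(stamp, "%Y%m%d%H%M%S")  # rejects impossible dates
    return {"docket": docket, "created": created, "is_change": change == "C"}


def _elements(line, lineno):
    """Strip the enclosing brackets and split on the pipe separator."""
    if len(line) < 2 or not (line.startswith("[") and line.endswith("]")):
        raise ValueError(f"line {lineno}: not enclosed in brackets")
    return line[1:-1].split("|")


def _parse_pi_line(line, lineno):
    elems = _elements(line, lineno)
    flag = elems[0]
    expected = ELEMENT_COUNTS.get(flag)
    if expected is None:
        raise ValueError(f"line {lineno}: unknown PI flag {flag!r}")
    if len(elems) != expected:
        # Also catches a comment that contains a literal pipe character.
        raise ValueError(f"line {lineno}: {flag} needs {expected} elements, got {len(elems)}")
    period_re = MONTH_RE if flag in MONTHLY_FLAGS else QUARTER_RE
    if not period_re.match(elems[1]):
        raise ValueError(f"line {lineno}: bad reporting period {elems[1]!r}")
    if flag == "PP01":
        try:
            ids_hours, cctv_hours, ids_nf, cctv_nf = (float(v) for v in elems[3:])
        except ValueError:
            raise ValueError(f"line {lineno}: PP01 values must be numeric") from None
        if not (ids_hours >= 0 and cctv_hours >= 0):
            raise ValueError(f"line {lineno}: negative compensatory hours")
        if not (ids_nf >= 1 and cctv_nf >= 1):
            raise ValueError(f"line {lineno}: normalization factor below 1")
    return {"flag": flag, "period": elems[1], "comment": elems[2], "values": elems[3:]}


def parse_report(text, filename=None):
    """Check the framing lines, then collect PI records and per-line errors."""
    lines = text.splitlines()
    # Assumption: trailing "buffer" lines are blank lines after [EOF].
    while lines and not lines[-1].strip():
        lines.pop()
    if len(lines) < 3 or lines[0] != "[BOF]" or lines[-1] != "[EOF]":
        raise ValueError("file must start with [BOF] and end with [EOF]")
    header = _elements(lines[1], 2)
    if len(header) != 2 or not re.fullmatch(r"\d{8}", header[0]):
        raise ValueError("line 2: expected [docket|date time]")
    created = datetime.strptime(header[1], "%m/%d/%Y %H:%M:%S")
    if filename is not None and parse_filename(filename)["docket"] != header[0]:
        raise ValueError("docket in file name does not match line 2")
    records, errors = [], []
    for lineno, line in enumerate(lines[2:-1], start=3):
        try:
            records.append(_parse_pi_line(line, lineno))
        except ValueError as exc:
            errors.append(str(exc))
    return {"docket": header[0], "created": created, "records": records, "errors": errors}


# Constructed sample report (not real plant data).
SAMPLE_REPORT = "\n".join([
    "[BOF]",
    "[05000399|1/2/2000 14:20:32]",
    "[IE01|3Q1998|Comments here|2|2400]",
    "[PP01|3Q1998||12.5|0.0|2.5|1]",
    "[BI01|3/2000|none|0.01|1.0]",
    "[IE04|3Q1998|pipe | in comment|0]",   # comment splits into two elements
    "[PP01|3Q1998||1.0|0.0|0.5|1]",        # factor 0.5 cannot occur
    "[EOF]",
    "",
])

if __name__ == "__main__":
    result = parse_report(SAMPLE_REPORT, "05000399_20000103151710.txt")
    print(len(result["records"]), "records;", result["errors"])
```

Framing and docket mismatches are rejected outright, while per-line problems are collected so that a reviewer sees every defect in a submission at once.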


APPENDIX C

Background Information and Cornerstone Development

INTRODUCTION

This section discusses the overall objectives and basis for the performance indicators used for each of the seven cornerstone areas. A more in-depth discussion of the background behind each of the performance indicators identified in the main report may be found in SECY 99-07.

INITIATING EVENTS CORNERSTONE

GENERAL DESCRIPTION

The objective of this cornerstone is to limit the frequency of those events that upset plant stability and challenge critical safety functions, during shutdown as well as power operations. When such an event occurs in conjunction with equipment and human failures, a reactor accident may occur. Licensees can therefore reduce the likelihood of a reactor accident by maintaining a low frequency of these initiating events. Such events include reactor trips due to turbine trip, loss of feedwater, loss of offsite power, and other reactor transients. There are a few key attributes of licensee performance that determine the frequency of initiating events at a plant.

PERFORMANCE INDICATORS

PRAs have shown that risk is often determined by initiating events of low frequency, rather than those that occur with a relatively higher frequency. Such low-frequency, high-risk events have been considered in selecting the PIs for this cornerstone. All of the PIs used in this cornerstone are counts of either initiating events, or transients that could lead to initiating events (see Table 2 in the main body of NEI 99-02). They have face validity for their intended use because they are quantifiable, have a logical relationship to safety performance expectations, are meaningful, and the data are readily available. The PIs by themselves are not necessarily related to risk. They are, however, the first step in a sequence which could, in conjunction with equipment failures, human errors, and off-normal plant configurations, result in a nuclear reactor accident. They also provide indication of problems that, if uncorrected, increase the risk of an accident.

In most cases, where PIs are suitable for identifying problems, they are sufficient as well, since problems that are not severe enough to cause an initiating event (and therefore result in a PI count) are of low risk significance. In those cases, no baseline inspection is required (the exception is shutdown configuration control, for which supplemental baseline inspection is necessary).

MITIGATING SYSTEMS CORNERSTONE

GENERAL DESCRIPTION

The objective of this cornerstone is to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences (i.e., core damage). When such an event occurs in conjunction with equipment and human failures, a reactor accident may result. Licensees therefore reduce the likelihood of reactor accidents by enhancing the availability and reliability of mitigating systems. Mitigating systems include those systems associated with safety injection, residual heat removal, cooling water support systems, and emergency AC power. This cornerstone includes mitigating systems that respond to both operating and shutdown events.

PERFORMANCE INDICATORS

While safety systems and components are generally thought of as those that are designed for design-basis accidents, not all mitigating systems have the same risk importance. PRAs have shown that risk is often influenced not only by front-line mitigating systems, but also by support systems and equipment. Such systems and equipment, both safety- and non-safety-related, have been considered in selecting the PIs for this cornerstone. The PIs are all direct counts of either mitigating system availability or reliability or surrogates of mitigating system performance. They have face validity for their intended use, because they are quantifiable, have a logical relationship to safety performance expectations, are meaningful, and the data are readily available. Not all aspects of licensee performance can be monitored by PIs. Risk-significant areas not covered by PIs will be assessed through inspection.

BARRIER INTEGRITY CORNERSTONE

GENERAL DESCRIPTION

The purpose of this cornerstone is to provide reasonable assurance that the physical design barriers (fuel cladding, reactor coolant system, and containment) protect the public from radionuclide releases caused by accidents or events. These barriers play an important role in supporting the NRC Strategic Plan goal for nuclear reactor safety, “Prevent radiation related deaths or illnesses due to civilian nuclear reactors.” The defense in depth provided by the physical design barriers which comprise this cornerstone allows achievement of the reactor safety goal.

PERFORMANCE INDICATORS

The performance indicators for this cornerstone cover two of the three physical design barriers. The first barrier is the fuel cladding. Maintaining the integrity of this barrier prevents the release of radioactive fission products to the reactor coolant system, the second barrier. Maintaining the integrity of the reactor coolant system reduces the likelihood of loss of coolant accident initiating events and prevents the release of radioactive fission products to the containment atmosphere in transients and other events. Performance indicators for reactor coolant system activity and reactor coolant system leakage monitor the integrity of the first two physical design barriers. Even if significant quantities of radionuclides are released into the containment atmosphere, maintaining the integrity of the third barrier, the containment, will limit radioactive releases to the environment and limit the threat to the public health and safety. The integrity of the containment barrier is ensured through the inspection process.

Therefore, there are three desired results associated with the barrier integrity cornerstone. These are to maintain the functionality of the fuel cladding, the reactor coolant system, and the containment.

EMERGENCY PREPAREDNESS CORNERSTONE

GENERAL DESCRIPTION

Emergency Preparedness (EP) is the final barrier in the defense in depth approach to safety that NRC regulations provide for ensuring the adequate protection of the public health and safety. Emergency Preparedness is a fundamental cornerstone of the Reactor Safety Strategic Performance Area. 10 CFR Part 50.47 and Appendix E to Part 50 define the requirements of an EP program and a licensee commits to implementation of these requirements through an Emergency Plan (the Plan). The performance indicators for this cornerstone are designed to ensure that the licensee is capable of implementing adequate measures to protect the public health and safety in the event of a radiological emergency.

PERFORMANCE INDICATORS

Compliance of EP programs with regulation is assessed through observation of response to simulated emergencies and through routine inspection of onsite programs. Demonstration exercises involving onsite and offsite programs form the key observational tool used to support, on a continuing basis, the reasonable assurance finding that adequate protective measures can and will be taken in the event of a radiological emergency. This is especially true for the most risk significant facets of the EP program. This being the case, the PIs for onsite EP draw significantly from performance during simulated emergencies and actual declared emergencies, but are supplemented by direct NRC inspection and inspection of licensee self-assessment. NRC assessment of the adequacy of offsite EP will rely (as it does currently) on regular FEMA evaluations.

OCCUPATIONAL EXPOSURE CORNERSTONE

GENERAL DESCRIPTION

This cornerstone includes the attributes and the bases for adequately protecting the health and safety of workers involved with exposure to radiation from licensed and unlicensed radioactive material during routine operations at civilian nuclear reactors. The desired result is the adequate protection of worker health and safety from this exposure. The cornerstone uses as its bases the occupational dose limits specified in 10 CFR 20 Subpart C and the operating principle of maintaining worker exposure “as low as reasonably achievable (ALARA)” in accordance with 10 CFR 20.1101. These radiation protection criteria are based upon the assumptions that a linear relationship, without threshold, exists between dose and the probability of stochastic health effects (radiological risk); the severity of each type of stochastic health effect is independent of dose; and non-stochastic radiation-induced health effects can be prevented by limiting exposures below thresholds for their induction. Thus, 10 CFR Part 20 requires occupational doses to be maintained ALARA with the exposure limits defined in 10 CFR 20 Subpart C constituting the maximum allowable radiological risk.

Industry experience has shown that the occurrences of uncontrolled occupational exposure that potentially could result in an individual exceeding a dose limit have been low frequency events. These potential overexposure incidents are associated with radiation fields exceeding 1000 millirem per hour (mrem/hr) and have involved the loss of one or more radiation protection controls (barriers) established to manage and control worker exposure. The probability of undesirable health effects to workers can be maintained within acceptable levels by controlling occupational exposures to radiation and radioactive materials to prevent regulatory overexposures and by implementing an aggressive and effective ALARA program to monitor, control and minimize worker dose.

PERFORMANCE INDICATORS

A combined performance indicator is used to assess licensee performance in controlling worker doses during work activities associated with high radiation fields or elevated airborne radioactivity areas. The PI was selected based upon its ability to provide an objective measure of an uncontrolled measurable worker exposure or a loss of access controls for areas having radiation fields exceeding 1000 millirem per hour (mrem/hr). The data for the PI are currently being collected by most licensees in their corrective action programs. The PI either directly measures the occurrence of unanticipated and uncontrolled dose exceeding a percentage of the regulatory limits or identifies the failure of barriers established to prevent unauthorized entry into those areas having dose rates exceeding 1000 mrem/hr. The indicator may identify declining performance in procedural guidance, training, radiological monitoring, and in exposure and contamination control prior to exceeding a regulatory dose limit. The effectiveness of the licensee’s assessment and corrective action program is considered a cross-cutting issue and is addressed elsewhere.

PUBLIC EXPOSURE CORNERSTONE

GENERAL DESCRIPTION

This cornerstone includes the attributes and the bases for adequately protecting public health and safety from exposure to radioactive material released into the public domain as a result of routine civilian nuclear reactor operations. The desired result is the adequate protection of public health and safety from this exposure. These releases include routine gaseous and liquid radioactive effluent discharges, the inadvertent release of solid contaminated materials, and the offsite transport of radioactive materials and wastes.

The cornerstone uses as its bases the dose limits for individual members of the public specified in 10 CFR 20, Subpart D; design objectives detailed in Appendix I to 10 CFR Part 50 which defines what doses to members of the public from effluent releases are “as low as reasonably achievable” (ALARA); and the exposure and contamination limits for transportation activities detailed in 10 CFR Part 71 and associated Department of Transportation (DOT) regulations. These radiation protection standards require doses to the public be maintained ALARA with the regulatory limits constituting the maximum allowable radiological risk based on the linear relationship between dose received and the probability of adverse health effects.

PERFORMANCE INDICATORS

One PI for the radioactive effluent release program has been initially developed to monitor for inaccurate or increasing projected offsite doses. The effluent radiological occurrence (ERO) PI does not evaluate performance of the radiological environmental monitoring program (REMP) which will be assessed through the routine baseline inspection. For transportation activities, the infrequent occurrences of elevated radiation or contamination limits in the public domain from this measurement area precluded identification of a corresponding indicator. A second PI has been proposed for future use to monitor the inadvertent release of potentially contaminated materials which could result in a measurable dose to a member of the public. These indicators will provide partial assessments of licensee radioactive effluent monitoring and offsite material release activities and were selected to identify decreasing performance prior to exceeding public regulatory dose limits.

SECURITY CORNERSTONE

GENERAL DESCRIPTION

This cornerstone addresses the attributes and establishes the basis to provide assurance that the physical protection system can protect against the design basis threat of radiological sabotage as defined in 10 CFR 73.1(a). The key attributes in this cornerstone are based on the defense in depth concept and are intended to provide protection against both external and internal threats. To date, there have been no attempted assaults with the intent to commit radiological sabotage and, although there has been no PRA work done in the area of safeguards, it is assumed that there exists a small probability of an attempt to commit radiological sabotage. Although radiological sabotage is assumed to be a small probability, it is also assumed to be risk significant since a successful sabotage attempt could result in initiating an event with the potential for disabling of the safety systems necessary to mitigate the consequences of the event with substantial consequence to public health and safety. An effective security program decreases the risk to public health and safety associated with an attempt to commit radiological sabotage.

PERFORMANCE INDICATORS

One performance indicator is used to assess licensee performance in this cornerstone.

The performance of the physical protection system will be measured by the percent of the time all components (barriers, alarms and assessment aids) in the systems are available and capable of performing their intended function. When systems are not available and capable of performing their intended function, compensatory measures must be implemented. Compensatory measures are considered acceptable pending equipment being returned to service, but historically have been found to degrade over time. The degradation of compensatory measures over time, along with the additional costs associated with implementation of compensatory measures, provides the incentive for timely maintenance/I&C support to return equipment to service. The percent of time equipment is available and capable of performing its intended function will provide data on the effectiveness of the maintenance process and also provide a method of monitoring equipment degradation as a result of aging that could adversely impact reliability.



APPENDIX D

Plant-Specific Design Issues

This appendix provides additional guidance on plant-specific Frequently Asked Questions and identifies resolutions to performance indicator reporting issues that are specific to individual plant designs. Refer to Appendix E for guidance on the process for submitting an FAQ.

Plant-specific Issues

The NEI 99-02 guidance was written to accommodate situations anticipated to arise at a typical nuclear power plant. However, uncommon plant designs or unique conditions may exist that have not been anticipated. In these cases, licensees should first apply the guidance as written to determine the impact on the indicators. Then, if the licensee believes that there are unique circumstances sufficient to warrant an exception to the guidance as written, the licensee should submit a Frequently Asked Question to NEI for consideration at a public meeting with the NRC. If the FAQ is approved, the issue will be included in Appendix D of this document as a plant-specific issue.

Some provisions in NEI 99-02 may differ from the design, programs, or procedures of a particular plant. Examples include (1) the overlapping Emergency Planning Zones at Kewaunee and Point Beach and (2) actions to address storm-driven debris on intake structures.

In evaluating each request for a plant-specific exception, this forum will take into consideration factors related to the particular issue.

Kewaunee and Point Beach

Issue: The Kewaunee and Point Beach sites have overlapping Emergency Planning Zones (EPZ). We report siren data to the Federal Emergency Management Agency (FEMA) grouped by criterion other than entire EPZs (such as along county lines). May we report siren data for the PIs in the same fashion to eliminate confusion and prevent 'double reporting' of sirens that exist in both EPZs? Kewaunee and Point Beach share a portion of EPZs and responsibility for the sirens has been divided along the county line that runs between the two sites. FEMA has accepted this, and so far the NRC has accepted this informally.

Resolution: The purpose of the Alert and Notification System Reliability PI is to indicate the licensee’s ability to maintain risk-significant EP equipment. In this unique case, each neighboring plant maintains sirens in a different county. Although the EPZ is shared, the plants do not share the same site. In this case, it is appropriate for the licensees to report the sirens they are responsible for. The NRC Web site display of information for each site will contain a footnote recognizing this shared EPZ responsibility.

North Anna and Surry

Continue to report PP01 in accordance with the current guidance in NEI 99-02.

Grand Gulf

Issue: Of the 43 sirens associated with our Alert Notification System, two of the sirens are located in flood plain areas. During periods of high river water, the areas associated with these sirens are inaccessible to personnel and are uninhabitable. During periods of high water, the electrical power to the entire area and the sirens is turned off. The frequency and duration of this occurrence varies based upon river conditions but has occurred every year for the past five years and lasts an average of two months on each occasion.

Assuming the sirens located in the flood plain areas are operable prior to the flooded and uninhabitable conditions, would these sirens be required to be included in the performance indicator during flooded conditions?

Resolution: If sirens are not available for operation due to high flood water conditions and the area is deemed inaccessible and uninhabitable by State and/or Local agencies, the siren(s) in question will not be counted in the numerator or denominator of the Performance Indicator for that testing period.

Diablo Canyon Units 1 and 2

Issue: At Diablo Canyon (DC), intrusion of marine debris (kelp and other marine vegetation) at the circulating water intake structures can occur and, under extreme storm conditions, result in high differential pressure across the circulating water traveling screens, loss of circulating water pumps and loss of condenser. Over the past several years, DC has taken significant steps, including changes in operating strategy as well as equipment enhancements, to reduce the vulnerability of the plant to this phenomenon. DC has also taken efforts to minimize kelp; however, environmental restrictions on kelp removal and the infeasibility of removing (and maintaining removal of) extensive marine growth for several miles around the plant prevent them from eliminating the source of the storm-driven debris. To minimize the challenge to the plant under storm conditions which could likely result in loss of both circulating water pumps, DC procedurally reduces power to 25% power or less. From this power level, the plant can be safely shut down by control rod motion and use of atmospheric dump valves without the need for a reactor trip.

Is this anticipatory plant shutdown in response to an external event, where DC has taken all reasonable actions within environmental constraints to minimize debris quantity and impact, able to be excluded from being counted under IE01 and IE02?

Resolution: In consideration of the intent of the performance indicators and the extensive actions taken by PG&E to reduce the plant challenge associated with shutdowns in response to severe storm-initiated debris loading, the following interpretation will be applied to Diablo Canyon. A controlled shutdown from reduced power (less than 25%), which is performed in conjunction with securing of the circulating water pumps to protect the associated traveling screens from damage due to excessive debris loading under severe storm conditions, will not be considered a "scram." If, however, the actions taken in response to excessive debris loading result in the initiation of a reactor trip (manual or automatic), the event would require counting under both the Unplanned Scrams (IE01) and Scrams with a Loss of Normal Heat Removal (IE02) indicators.

Diablo Canyon

Issue: The response to PI FAQ #158 states “Anticipatory power changes greater than 20% in response to expected problems (such as accumulation of marine debris and biological contaminants in certain seasons) which are proceduralized but cannot be predicted greater than 72 hours in advance may not need to be counted if they are not reactive to the sudden discovery of off-normal conditions.” Due to its location on the Pacific coast, Diablo Canyon is subject to kelp/debris intrusion at the circulating water intake structure under extreme storm conditions. If the rate of debris intrusion is sufficiently high, the traveling screens at the intake of the main condenser circulating water pumps (CWPs) become overwhelmed. This results in high differential pressure across the screens and necessitates a shutdown of the affected CWP(s) to prevent damage to the screens. To minimize the challenge to the plant should a shutdown of the CWP(s) be necessary in order to protect the circulating water screens, the following operating strategy has been adopted:

  • If a storm of sufficient intensity is predicted, reactor power is procedurally curtailed to 50% in anticipation of the potential need to shut down one of the two operating CWPs. Although the plant could remain at 100% power, this anticipatory action is taken to avoid a reactor trip in the event that intake conditions necessitate securing a CWP. One CWP is fully capable of supporting plant operation at 50% power.
  • If one CWP must be secured based on adverse traveling screen/condenser differential pressure, the procedure directs operators to immediately reduce power to less than 25% in anticipation of the potential need to secure the remaining CWP. Although plant operation at 50% power could continue indefinitely with one CWP, this anticipatory action is taken to avoid a reactor trip in the event that intake conditions necessitate securing the remaining CWP. Reactor shutdown below 25% power is within the capability of the control rods, being driven in at the maximum rate, in conjunction with operation of the atmospheric dump valves.
  • Should traveling screen differential pressure remain high and cavitation of the remaining CWP is imminent/occurring, the CWP is shut down and a controlled reactor shutdown is initiated. Based on anticipatory actions taken as described above, it is expected that a reactor trip would be avoided under these circumstances.

How should each of the above power reductions (i.e., 100% to 50%, 50% to 25%, and 25% to reactor shutdown) count under the Unplanned Power Changes PI?

Resolution: Anticipatory power reductions, from 100% to 50% and from 50% to less than 25%, that result from high swells and ocean debris are proceduralized and cannot be predicted 72 hours in advance. Neither of these anticipatory power reductions would count under the Unplanned Power Changes PI. However, a power shutdown from less than 25% that is initiated on loss of the main condenser (i.e., shutdown of the only running CWP) would count as an unplanned power change since such a reduction is forced and can therefore not be considered anticipatory.

D.C. Cook

Issue: The definition for the Reactor Coolant System (RCS) Leakage performance indicator is "The maximum RCS Identified Leakage in gallons per minute each month per the technical specification limit and expressed as a percentage of the technical specification limit."

Cook Nuclear Plant Unit 1 and 2 report Identified Leakage since the Technical Specifications have a limit for Identified Leakage with no limit for Total Leakage. Plant procedures for RCS leakage calculation require RCS leakage into collection tanks to be counted as Unidentified Leakage due to non-RCS sources directed to the collection tanks. All calculated leakage is considered Unidentified until the leakage reaches an administrative limit at which point an evaluation is performed to identify the leakage and calculate the leak rate. Consequently, Identified Leakage is unchanged until the administrative limit is reached. This does not allow for trending allowed RCS Leakage. The procedural requirements will remain in place until plant modifications can be made to remove the non-RCS sources from the drain collection tanks. What alternative method should be used to trend allowed RCS leakage for the Barrier Integrity Cornerstone?

Resolution: Report the maximum RCS Total Leakage calculated in gallons per minute each month per the plant procedures instead of the calculated Identified Leakage. This value will be compared to and expressed as a percentage of the combined Technical Specification Limits for Identified and Unidentified Leakage. This reporting is considered acceptable to provide consistency in reporting for plants with the described plant configuration.

Nine Mile Point

Issue: Some plants are designed to have a residual transfer of the non-safety electrical buses from the generator to an off-site power source when the turbine trip is caused by a generator protective feature. The residual transfer automatically trips large electrical loads to prevent damaging plant equipment during re-energization of the switchgear. These large loads include the reactor feedwater pumps, reactor recirculation pumps, and condensate booster pumps. After the residual transfer is completed the operators can manually restart the pumps from the control room. The turbine trip will result in a reactor scram. Should the trip of the reactor feedwater pumps be counted as a scram with a loss of normal heat removal?

Resolution: No. In this instance, the electrical transfer scheme performed as designed following a scram and the residual transfer. In addition the pumps can be started from the control room. Therefore, this would not count as a scram with a loss of normal heat removal.

Point Beach

Issue: On June 27th, Point Beach Unit 2 was manually scrammed, in accordance with Abnormal Operating Procedure AOP 13A, "Circulating Water System Malfunction," and power was reduced on Point Beach Unit 1 by greater than 20% (from 100% to 79%) due to reduced water level in the pump bay attributable to an influx of small forage fish (alewives). The large influx of fish created a high differential water level across the traveling screens and ultimately failure of shear pins for the screen drive system, leading to a rapid drop in bay level. The plant knows when the alewife spawning and hatching seasons occur and the effects of Lake Michigan temperature fluctuations on the route of alewife schools. It was aware of the presence of large schools at other Lake Michigan plants this spring and discussed those events and the potential of them occurring at Point Beach at the morning staff meetings. During the thirty years of plant operation, there have been a few instances where a large number of fish entered the plant circulating water system.

High alewife populations coupled with seasonal variations, lake conditions and wind conditions created the situation that resulted in the downpower on June 27th. Point Beach staff believes that these are uncontrollable environmental conditions. Plant procedures are in place which direct actions when the water level in the pump bay decreases. However, it is not possible to predict the exact time of an influx of schooling fish nor the massive population of fish that arrived in the pump bay. Page 17 of NEI 99-02 Revision 1 states, "Anticipated power changes greater than 20% in response to expected problems (such as accumulation of marine debris and biological contaminants in certain seasons) which are proceduralized but cannot be predicted greater than 72 hours in advance may not need to be counted if they are not reactive to the sudden discovery of off-normal conditions." Would this situation count as an unplanned power change?

Resolution: No. The influx of alewives was expected as evidenced by the discussion of events at other plants on Lake Michigan but was not predictable greater than 72 hours in advance due to the variables involved. Large schools of alewives are a result of environmental and aquatic conditions that occur in certain seasons. The response to the drop in bay level is proceduralized.

Quad Cities

Issue: 1) At Quad Cities, load reductions in excess of 20% during hot weather are sometimes necessary if the limits of the NPDES Permit would be exceeded. Actual initiation of a power change is not predictable 72 hrs in advance, as actions are not taken until temperatures actually reach predefined levels. Would these power changes be counted? 2) Power reductions are sometimes necessary during summer hot weather and/or lowered river level conditions when conducting standard condenser flow reversal evolutions. The load reduction timing is not predictable 72 hrs in advance as the accumulation of Mississippi River debris/silt drives the actual initiation of each evolution. The main condenser system design allows for cleaning by flow reversal, which is procedurally controlled to assure sufficient vacuum is maintained. It is sometimes necessary, due to high inlet temperatures, to reduce power more than 20% to meet procedural requirements during the flow reversal evolution. These conditions are similar to those previously described in FAQ 158. Would these power changes be counted for this indicator?

Resolution: 1) No. 2) No. Power changes in excess of 20% for the purposes of condenser flow reversal are not counted as an unplanned power change.


River Bend Station

Issue: River Bend Station (RBS) seeks clarification of BI-02 information contained in NEI 99-02 guidance, specifically page 80, lines 36 and 37 “Only calculations of RCS leakage that are computed in accordance with the calculational methodology requirements of the Technical Specifications are counted in this indicator.” NEI 99-02, Revision 2 states that the purpose for the Reactor Coolant System (RCS) Leakage Indicator is to monitor the integrity of the reactor coolant system pressure boundary. To do this, the indicator uses the identified leakage as a percentage of the technical specification allowable identified leakage. Moreover, the definition provided is “the maximum RCS identified leakage in gallons per minute each month per technical specifications and expressed as a percentage of the technical specification limit.” The RBS Technical Specification (TS) states “Verify RCS unidentified LEAKAGE, total LEAKAGE, and unidentified LEAKAGE increase are within limits (12 hour frequency).” RBS accomplishes this surveillance requirement using an approved station procedure that requires the leakage values from the 0100 and 1300 calculation be used as the leakage “of record” for the purpose of satisfying the TS surveillance requirement. These two data points are then used in the population of data subject to selection for performance indicator calculation each quarter (highest monthly value is used). The RBS approved TS method for determining RCS leakage uses programmable controller generated points for total RCS leakage. The RBS’ programmable controller calculates the average total leakage for the previous 24 hours and prints a report giving the leakage rate into each sump it monitors, showing the last four calculations to indicate a trend and printing the total unidentified LEAKAGE, total identified LEAKAGE, their sum, and the 24 hour average. The programmable controller will print this report any time an alarm value is exceeded. 
The printout can be ordered manually or can be automatic on a 1 or 8 hour basis. While the equipment is capable of generating leakage values at any frequency, the equipment generates hourly values that are summarized in a daily report. The RBS’ TS Bases states “In conjunction with alarms and other administrative controls, a 12 hour Frequency for this Surveillance is appropriate for identifying changes in LEAKAGE and for tracking required trends.” The Licensee provides that NEI 99-02 requires only the calculations performed to accomplish the approved TS surveillance using the station procedure be counted in the RCS leakage indicator. In this case, the surveillance procedure captures and records the 0100 and 1300 RCS leakage values to satisfy the TS surveillance requirements. The NRC Resident has taken the position that all hourly values from the daily report should be used for the RCS leakage performance indicator determination, even though they are not required by the station surveillance procedure. The Resident maintains that all hourly values use the same method as the 0100 and 1300 values and should be included in the leakage determination. Is the Licensee interpretation of NEI 99-02 correct?

Resolution: All calculations of RCS leakage that are computed in accordance with the calculational methodology requirements of the Technical Specifications are counted in this indicator. Since the River Bend Station leakage calculation is an average of the previous 24 hourly leakage rates which are calculated in accordance with the technical specification methodology, it is acceptable for River Bend Station to include only those calculations that are performed to meet the technical specifications surveillance requirement when determining the highest monthly values for reporting. The ROP Working Group is forming a task force to review this performance indicator based on industry practices.

Catawba

Issue: Catawba Nuclear Station has 89 sirens in their 10-mile EPZ; 68 of these are located in York County. Duke Power's siren testing program includes a full cycle test for performance indicator purposes once each calendar quarter. On Tuesday, September 7, 2004, York County sounded the sirens in their county's portion of the EPZ to alert the public of the need to take protective actions for a Tornado Warning. Catawba is uncertain whether to include the results of the actual activation in their ANS PI statistics. The definition in NEI 99-02 does not address actual siren activations. In contrast, the Drill/Exercise Performance (DEP) Indicator requires that actual events be included in the PI. Should the performance during the actual siren activation be included in the Alert and Notification System (ANS) Performance Indicator Data?

Resolution: For this instance, Catawba may include the results of the September 7, 2004 actual siren activations in their ANS PI data. However, for all future instances, no actual siren activation data results shall be included in licensees' ANS PI data.

Fitzpatrick

Issue: Frazil icing is a condition that is known to occur in northern climates, under certain environmental conditions involving clear nights, open water, and low air temperatures. Under these conditions the surface of the water will experience a super-cooling effect. The super-cooling allows the formation of small crystals of ice, frazil ice. Strong winds also play a part in the formation of frazil ice in lakes. The strong winds mix the super-cooled water and the entrained frazil crystals, which have little buoyancy, to the depths of the lake. The submerged frazil crystals can then form slushy irregular masses below the surface. The crystals will also adhere to any submerged surface regardless of shape that is less than 32°F.

In order to prevent the adherence of frazil ice crystals to the intake structure bars and ensure maintenance of the ultimate heat sink, the bars of the intake structure are continuously heated. Surveillance tests conducted before and after the event confirmed the operability of the intake structure deicing heaters. While heating assists in preventing formation of frazil ice crystals directly on the bars of the intake structure, the irregular slushy masses discussed above can be drawn to the intake structure in quantities that reduce flow to the intake canal. If the flow to the intake canal is restricted in this manner, then the circulating (lake) water flow must be reduced, to allow frazil ice formations to clear. This water flow reduction necessitates a reduction of reactor power.

The plant put procedural controls in place to monitor the potential for frazil ice formation during periods of high susceptibility. A surveillance test requires evaluating the potential for frazil ice formation during the winter months, when intake temperature is less than 33°F. In support of the surveillance test, the Chemistry Department developed a test procedure for assessing the potential for frazil ice formation. An abnormal operating procedure was developed to mitigate the consequences of an event should frazil icing reduce the flow through the intake structure. During the overnight hours between March 2, and March 3 the environmental conditions were conducive to the formation of frazil ice. Chemistry notified Operations that the potential for frazil icing was very high. Operators were briefed on this condition, the very high potential for frazil ice formation, and the need to closely monitor intake level.

When indications showed a lowering intake canal level with no other abnormalities indicated, operations entered the appropriate abnormal operating procedure and reduced power from 100% to approximately 30% so that circulating water pumps could be secured, thereby reducing flow through the intake structure heated bars, to slow the formation or accumulation of frazil ice and allow melting and break-up of the ice already formed.

As noted above NEI 99-02 Revision 3, in discussing down-powers that are initiated in response to environmental conditions states “The circumstances of each situation are different and should be identified to the NRC in a FAQ so that a determination can be made concerning whether the power change should be counted.”

Does the transient meet the conditions for the environmental exception to reporting Unplanned Power changes of greater than 20% RTP?

Resolution: Yes, the downpower was caused by environmental conditions, beyond the control of the licensee, which could not be predicted greater than 72 hours in advance. Procedures, specific to frazil ice, were in place to address this expected condition. In lieu of additional FAQ submittals, this response may be applied by the licensee to future similar instances of frazil ice formation.

Turkey Point

Issue 1: For the MSPI truncation requirements, three methods were provided whereby licensees could demonstrate sufficient convergence for PRA model acceptability for MSPI. If a licensee is unable to demonstrate either: (1) a truncation level of 7 orders of magnitude below the baseline CDF or (2) that Birnbaum values converge within 80% for events with Birnbaum values >1E-6 or (3) that CDF has converged within 5% when using the approach detailed in section F.6.

What if a licensee, due to limitations with their PRA can “come close” but not meet either of these requirements?

Is our approach described in the MSPI basis document excerpted below acceptable, given that the 5% guideline is exceeded by only 0.2%, and that we cannot reduce the increase in CDF due to the last decade decrease in truncation further due to hardware/software limitations?

What should be done in the future when model updates may result in a different degree of compliance with the truncation guidelines, e.g., the increase in CDF due to the last decade decrease in truncation is, say, now 6% instead of 5.2%?

NEI 99-02 Guidance needing interpretation (include page and line citation):

Appendix F, Sections F.6, page F-48, which states: “The truncation level used for the method described in this section should be sufficient to provide a converged value of CDF. CDF is considered converged when decreasing the truncation level by a decade results in a change in CDF of less than 5%”

Event or circumstances requiring guidance interpretation:

As documented in the Turkey Point MSPI Basis document, due to limitations with Turkey Point’s PRA they were only able to achieve a truncation of 3E-11 per year, and the increase in CDF due to the last decade decrease in truncation is 5.2%, only slightly greater than the 5% guideline.

Turkey Point’s Basis Document states in part:

“…The baseline CDF is 4.07E-6 per year, quantified at truncation of 1.0E-11 per year. This truncation is about five-and-a-half orders of magnitude below the baseline CDF. Attempts to quantify at lower truncations failed due to hardware/software limitations; therefore, the "7 orders of magnitude less than the baseline CDF" criterion defined in the first paragraph of Appendix F, Sections 1.3.1 and 2.3.1 cannot be met. However, an alternative is described in the second paragraph of these sections. For all MSPI basic events with a Birnbaum importance of greater than 1E-6, if the ratio of the Birnbaum importances calculated at one decade above the lowest truncation (for our case, 1E-10 per year) to their respective importances calculated at the lowest truncation (for our case, 1E-11 per year) is greater than 0.8, then the baseline CDF cutset file at the lowest truncation can be used to generate the MSPI Birnbaum importances.

Turkey Point meets this criterion for all but a few of the MSPI basic events with a Birnbaum importance of greater than 1E-6. The Birnbaum importances for these basic events were calculated using the alternative described in Section 6 of Appendix F. This alternative allows the user to calculate the Birnbaum importances by regenerating cutsets provided the truncation level is "sufficient to provide a converged value of CDF. CDF is considered to be converged when decreasing the truncation level by a decade results in a change in CDF of less than 5%."

For Turkey Point, at 1E-11 per year, the increase in the baseline CDF due to the last decade decrease in truncation is 4.1%, meeting this criterion. However, when the Birnbaum calculations were attempted at a truncation of 1E-11 per year, the runs failed due to hardware/software limitations. This was most likely due to the fact that many more cutsets were being generated due to the quantification of the model with an important component out of service. However, the quantification of these Birnbaum importances via regeneration was possible at a truncation level of 3E-11 per year. This is the truncation that was used to calculate the Birnbaum importances for the few basic events in the MSPI calculation that did not meet the “0.8” criterion. Birnbaum importance is not input into the MSPI calculation, FV importance is, and the Birnbaum importance is calculated using the FV, the basic event probability (p), and the baseline CDF. The FV for these basic events was calculated using the formula below.

FV = B*p / CDF(baseline)

The MSPI calculation takes the FVs calculated in this manner, divides them by their respective basic event probabilities, and multiplies the results by the baseline CDF input to the MSPI calculation, which is the CDF baseline calculated at a truncation of 1E-11 per year. This will effectively apply a "correction factor" to the Birnbaum equal to the ratio of the baseline CDF calculated at a truncation of 1E-11 per year and the baseline CDF calculated at a truncation of 3E-11 per year. This correction factor should serve to allay any concerns over using a slightly higher truncation level for quantification of the Birnbaum importances for these basic events. Further, at a truncation of 3E-11 per year, the increase in CDF due to the last decade decrease in truncation is 5.2%, just slightly greater than the 5% guideline."

Issue 2: The Turkey Point High Head Safety Injection (HHSI) design is different than the description provided in Appendix F for Train Determination. Therefore, there is no system-specific guidance for HHSI which is applicable to the HHSI system at Turkey Point.

At Turkey Point, each unit (Unit 3 and Unit 4) has two HHSI pumps. The Unit 3 and Unit 4 HHSI pumps start on an SI signal from either unit, and all of them feed the stricken unit. Should the Turkey Point reporting model be revised to address the four train approach?

Resolution 1: It is acknowledged that there may be limitations with PRA software modeling such that a few licensees may not meet the explicit guidance limits for truncation and convergence.

In such cases, the licensee shall submit a FAQ and present the details of their analyses. Approval will be on a case by case basis. For Turkey Point, their model was able to approach 5.2% (vice 5%) convergence and that is considered sufficient for the purposes of MSPI calculation.

Resolution 2: Yes. In order to ensure accurate reporting, add the opposite-unit HHSI pump trains for unavailability monitoring for each unit, and the opposite-unit HHSI pumps for reliability monitoring for each unit. Although the opposite-unit HHSI pumps are cooled by the opposite-unit component cooling water (CCW) pumps, they should not be added as they are already monitored for their associated unit, and their Birnbaum importances for the opposite-unit are several orders of magnitude less than their Birnbaum importances for their own unit.
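
The three truncation tests and the FV "correction factor" described in the Turkey Point entry above, worked through as an added Python example; it is not part of NEI 99-02 or of the licensee's basis document. Only the 4.07E-6 baseline CDF, the 1E-11 truncation and the 7-order, 0.8, 1E-6 and 5% thresholds come from the page. The event names, event values and the CDF at 3E-11 are constructed, and measuring the CDF change relative to the higher-truncation value is an assumption.

```python
import math

# Thresholds quoted on the page
REQUIRED_ORDERS = 7       # truncation this many orders below baseline CDF
BIRNBAUM_SCREEN = 1e-6    # only events above this Birnbaum importance are checked
MIN_RATIO = 0.8           # Birnbaum ratio across one decade of truncation
MAX_CDF_CHANGE = 0.05     # F.6: CDF change per decade of truncation


def orders_below(cdf, truncation):
    """Orders of magnitude between the baseline CDF and the truncation level."""
    return math.log10(cdf / truncation)


def cdf_change(cdf_lower_trunc, cdf_higher_trunc):
    """Fractional increase in CDF when truncation is lowered by one decade.

    Assumption: the change is taken relative to the higher-truncation CDF.
    """
    return (cdf_lower_trunc - cdf_higher_trunc) / cdf_higher_trunc


def events_failing_ratio(events):
    """Return names of screened events whose Birnbaum ratio is not > 0.8.

    events maps name -> (B one decade above lowest truncation, B at lowest).
    Assumption: the 1E-6 screen is applied to B at the lowest truncation.
    """
    failing = []
    for name, (b_above, b_lowest) in sorted(events.items()):
        if b_lowest > BIRNBAUM_SCREEN and b_above / b_lowest <= MIN_RATIO:
            failing.append(name)
    return failing


def fv_from_birnbaum(b, p, cdf):
    """FV = B*p / CDF(baseline), the formula quoted on the page."""
    return b * p / cdf


def birnbaum_seen_by_mspi(fv, p, cdf_baseline):
    """MSPI divides FV by p and multiplies by its own baseline CDF input."""
    return fv / p * cdf_baseline


def demo():
    cdf_1e11 = 4.07e-6     # from the page
    cdf_3e11 = 4.00e-6     # constructed value for illustration
    events = {             # constructed events: (B at 1E-10, B at 1E-11)
        "EVT-A": (4.5e-6, 5.0e-6),   # ratio 0.9, passes
        "EVT-B": (1.4e-6, 2.0e-6),   # ratio 0.7, needs regeneration
        "EVT-C": (3.0e-7, 8.0e-7),   # below the 1E-6 screen
    }
    b_regen, p = 2.0e-6, 1.0e-3      # constructed: B regenerated at 3E-11
    fv = fv_from_birnbaum(b_regen, p, cdf_3e11)
    return {
        "orders_below": orders_below(cdf_1e11, 1e-11),
        "meets_7_orders": orders_below(cdf_1e11, 1e-11) >= REQUIRED_ORDERS,
        "regenerate": events_failing_ratio(events),
        "fv": fv,
        "b_in_mspi": birnbaum_seen_by_mspi(fv, p, cdf_1e11),
        "correction_factor": cdf_1e11 / cdf_3e11,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The Birnbaum that MSPI reconstructs equals the regenerated Birnbaum times CDF(1E-11)/CDF(3E-11), which is the "correction factor" the basis document describes.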

Prairie Island and Surry Stations

Issue: Prairie Island has two diesel-driven service water pumps that are monitored under MSPI. Surry has 3 diesel-driven service water pumps that are monitored under MSPI. There is no industry prior information associated with this component type on Table 4 on page F-37.

Resolution: Due to insufficient industry data upon which to develop a separate set of parameters for this component type, an existing component type should be chosen. Given that the failures for this type of pump are expected to be dominated by the driver rather than the pump, the diesel-driven AFW pump component type should be used.

San Onofre

Issue: During March 2006, the San Onofre Nuclear Generating Station (SONGS) completed the MSPI Basis Document. The MSPI Basis Document contained a calculation of the FV/UA values for the CCW and SWC systems. The FV/UA values were derived by assuming that Train A is constantly running for the entire year and therefore all unavailability would be assigned to the non-running Train B. The resultant FV/UA value for Train B was then conservatively applied to both Train A and Train B without averaging.

Since the system is symmetric in importance, what should have occurred is that the FV/UA values should have been calculated for each train and averaged since each train is run approximately 50% of the time. This would be equivalent to calculating each train’s FV/UA value assuming the other train is running and then multiplying each train’s FV/UA value by an “operating factor” – the percentage of time the respective train is actually the running train (approximately 50% in this case) – and then averaging the two (Train A and Train B) FV/UA values.

In summary, an error was made in application of the NEI 99-02R4, Section F.1.3.4 guidance.

Resolution: The SONGS misapplication of the guidance in NEI 99-02R4 regarding the treatment of FV/UA due to the modeling asymmetries of the SSC systems was discussed with the NRC at the May 18 Reactor Oversight Process Task Force public meeting. It was concluded that the MSPI Basis Document of April 1, 2006 was in error and requires correction to reflect the train averaging of section F 1.3.4 prior to submittal of the 2Q06 data on July 21, 2006.

Oyster Creek

Issue: An intake structure sea grassing event occurred on 8/6/2005 resulting in an abnormal low level in the north side of the intake structure and a subsequent unplanned downpower from 100% power to approximately 41% power for a duration of approximately 40 hours. The event was reported as Unplanned, excluded per NEI 99-02.

Oyster Creek had been maintaining the intake structure in a summer seasonal readiness condition that was consistent with conditions in previous summer seasons. Appropriate preventive maintenance had been performed on the intake traveling screens. Daily flushing of the screen wash headers and periodic header cleaning had been instituted, in accordance with plant procedures and monitoring practices for summer readiness. These were expected conditions that the plant is forced to deal with during summer seasons. However, this event involved larger amounts of submerged sea grass than had been seen in the past.

Higher than normal levels of grass were experienced between 2300 hours on August 6, 2005 and 0235 hours on August 6, 2006 at the intake structure. At approximately 0235 hours the Control Room received a report from the operator at the intake that intake level on the north side of the intake structure downstream of the screens was at < 1.4 psig as sensed by the bubbler indicator. This equates to a level of <-2.0 ft Mean Sea Level (MSL) and required entry into Abnormal Operating Procedure ABN-32, Abnormal Intake Level. This required more frequent grass removal from intake structure components. Backwashing, raking and screen cleaning were in progress prior to the event, in accordance with plant procedures. At approximately 0305 hours, an unexpected large influx of submerged sea grass (Gracilaria) entered the North Side of the intake structure resulting in a collapse of the Trash grates. The grass loading caused each screen’s shear pin on the #1, 2, & 3 screens to break, as designed to provide a measure of protection for the intake structure. The three screens on the South Side of the intake structure were not affected during the entire event. Water level downstream of the screens on the North Side lowered due to operation of #1 and #2 Circulating Water Pumps, #1 New Radwaste Service Water Pump and #1 Service Water Pump. The Control Room Unit Operator was informed by the Shift Manager at the intake that level on the North Side of the intake was 0 psig on the bubbler gage at the Screen Wash Control Panel (which corresponds to -5.13’ Mean Sea Level). This level exceeded the Alert threshold for EAL HA3. At 0330 hours Emergency Service Water (ESW) System 1 pumps were declared inoperable and Technical Specification LCO 3.4.C.3. (7-day clock) was entered. The sudden, unexpected, large influx of submerged grass impacted the North Side of the Intake Structure resulting in a collapse of the Trash grates and the #1, 2 & 3 Intake Screen shear pins had broken. 
The Trash Rake was caught in #1 Bay. The shear pin for #1 Screen was replaced but sheared immediately. Both the 1-1 and the 1-2 Main Circulating Water Pumps were secured due to the low intake level resulting in pump cavitation, which required the power reduction to approximately 40%.

Resolution: The downpower that is described in this FAQ does count. The facility has not developed a specific procedure to proactively monitor for environmental conditions that would lead to sea grass intrusion, to direct proactive actions to take before the intrusion, and actions to take to mitigate an actual intrusion that are appropriate for the station and incorporate lessons learned. Development and use of such a procedure in the future, instead of standing orders, may provide the basis for a future FAQ allowing excluding a downpower >20% for this PI.

No change to PI guidance is needed.

Calvert Cliffs

Issue: ‘Anticipated power changes greater than 20% in response to expected environmental problems (such as accumulation of marine debris, biological contaminants, or frazil icing) which are proceduralized but cannot be predicted greater than 72 hours in advance may not need to be counted unless they are reactive to the sudden discovery of off normal conditions… The licensee is expected to take reasonable steps to prevent intrusion of marine or other biological growth from causing power reductions… The circumstances of each situation are different and should be identified to the NRC in a FAQ so that a determination can be made concerning whether the power change should be counted.’

During summer months, under certain environmental conditions, Calvert Cliffs can experience instances of significant marine life impingements which can cause high differential pressure across our Circulating Water (bay water) System traveling screens, restricting flow capability of our Circulating Water (CW) pumps which could ultimately result in a plant derate or trip due to being unable to maintain sufficient condenser vacuum.

In anticipation of these potential marine life impingement conditions, the site has proceduralized actions to be taken within an Abnormal Operating Procedure (AOP). The actions to be taken in these circumstances include placing travel screens in manual mode of operation and using the intake aerator and fire hoses to disperse the fish population. Although instances of biological blockages are expected, neither the time of nor the severity of the intrusions can be predicted. During July 2006 the site had been periodically dealing with instances of jellyfish intrusions which had challenged maintaining sufficient CW flow, but had not been severe enough to threaten plant full power operation. On July 7, 2006 the site experienced a severe jellyfish intrusion and implemented the applicable AOP. This time the actions were unable to ensure sufficient CW flow to maintain Unit 1 at 100% power and a rapid power reduction was initiated on Unit 1, which ultimately reduced power to 40%. When the jellyfish intrusion was controlled, sufficient CW flow was restored, and power was restored to 100%. Given that the circumstances of this jellyfish intrusion were beyond the control of the plant, and that appropriate site actions have been proceduralized, should this event be exempted from counting as an unplanned power change? In addition, can this exemption be applied to future, similar marine life impingements at Calvert Cliffs, where the site carries out the approved actions designed to counteract these conditions, without submittal of future FAQs?

Resolution: The downpower that is described in this FAQ does count. The facility has not developed a specific procedure to proactively monitor for environmental conditions that would lead to jelly fish intrusion, to direct proactive actions to take before the intrusion, and actions to take to mitigate an actual intrusion that are appropriate for the station and incorporate lessons learned, e.g., staging equipment, assigning additional personnel or watches, implementing finer mesh screen use, use of hose spray to ward off jelly fish. Development and use of such a procedure in the future may provide the basis for a future FAQ allowing excluding a downpower >20% for this PI.

No change to PI guidance is needed.

Point Beach

Issue: Point Beach is upgrading the Unit 1 and Unit 2 auxiliary feedwater systems (AF) during the second quarter of 2011 with Unit 2 being completed during the spring outage and Unit 1 while the plant is on line. The current AF design has two motor-driven AF pumps that are shared between the two units. In the current configuration, the operating unit has planned unavailability during the other unit’s refueling outage. After the upgrade modifications are completed, the AF system will have one new motor-driven pump dedicated to each unit and will no longer have planned unavailability during the other unit’s refueling outage. The new pumps will be the same model casing as the old pumps, but will have a different impeller, resulting in a higher flow rate, and will be powered by 4160V versus 480V. The preventive maintenance activities for the new pumps and associated monitored valves will be essentially the same as those for the existing pumps and associated monitored valves. The change will reduce the number of motor-driven AF trains from two to one per unit and will change the Point Beach generic common cause failure adjustment value from 1.25 to 1.0 in NEI 99-02, Appendix F, Table 7.

The refueling outage is scheduled to be completed during the second quarter of 2011. As the units will be putting the new AF pumps and associated monitored valves in service during the middle of a quarter, the device records in CDE will be updated upon entry into MODE 4 ascending for Unit 2 and when the new AF pump and associated monitored valves are placed in service for Unit 1. However, CDE and the MSPI Basis Document will not be updated until the end of the second quarter to reflect the new PRA and the new train definitions.

The completion of the modification during the middle of a quarter will result in the inability to implement all of the guidance in NEI 99-02 related to reporting of data in CDE. The goal is to provide a second quarter MSPI submittal for AF that accurately reflects the actual availability and reliability of the existing and new AF system configurations and implements the guidance of NEI 99-02 as much as reasonable. However, as CDE does not support the submittal of split data and does not allow PRA model changes mid-quarter, an MSPI result for MS08, Heat Removal Systems, reflecting second quarter 2011 AF system unavailability and reliability would not be representative of the new system and would not provide meaningful results. Therefore, exemptions from NEI 99-02 reporting guidance are requested for Point Beach based upon the system design changes being implemented in the second quarter of 2011.

Resolution: Point Beach may have a one-time exemption from the reporting guidance on Page 2, Lines 15-23, of NEI 99-02, Revision 6. The 2Q2011 MS08 PI will be characterized as “Insufficient Data to Calculate PI,” as indicated by [symbol not reproduced] on the NRC’s “ROP Performance Indicators Summary” Web site because (1) the results will not be representative of the current PRA and MSPI Basis Document for that quarter and (2) the data reflecting the actual plant configuration cannot be processed in CDE software. A comment shall be added to the CDE submittal file explaining the basis for this characterization, which will include that the modification was installed mid-quarter, CDE is not capable of processing a “data split” within the same quarter, CDE does not allow mid-quarter PRA model changes, and an MSPI result for MS08, Heat Removal Systems, reflecting 2Q2011 AF system unavailability and reliability would not be representative of the new system nor provide meaningful results.

AF unavailability and reliability data will be reported to the NRC for 2Q2011. The data will be used for assessing MS08 data for subsequent quarters.

Because the new pumps and associated monitored valves will be similar to the existing pumps and associated monitored valves, Point Beach will determine the baseline unavailability data (nominally 2002-2004) for the new trains by using the unavailability data for the existing trains, removing the unavailability that was reported when the other unit was in an outage, and averaging the data over three years. With respect to historical unavailability data, because the new pumps and associated monitored valves will be similar to the existing pumps and associated monitored valves, Point Beach will determine the past three years of historical unavailability for the new trains by using the data for the existing trains, removing the unavailability taken when the other unit was in an outage, and averaging the data over three years. Point Beach will also update the MSPI basis document at the end of 2Q2011 to reflect the modification’s impact on system and train boundaries.

With respect to reliability data, Point Beach will update the device records and associated reliability data in CDE at the time the new pumps and associated monitored valves are placed in service and will update the MSPI basis document at the end of 2Q2011 to reflect the modification’s impact on monitored component boundaries. The most recent three years of reliability data for the currently installed pumps will serve as the reliability data for the new pumps because of their similar design and function.

It is acceptable to revise the HRS/MDP Standby generic common cause failure adjustment value from 1.25 to 1.00, which will take effect upon the implementation of the modification, in NEI 99-02, Revision 6, Appendix F, Table 7.

Fort Calhoun

Issue: Under normal circumstances and in accordance with the Fort Calhoun Radiological Emergency Response Plan, section E, sirens are tested bi-weekly for functionality via Emergency Planning Test (EPT) EPT-1 (Alert Notification System Silent Test), quarterly via EPT-2 (Alert Notification System Growl Test), and annually via EPT-3 (Alert Notification System Complete Cycle Test).

Current flooding along the Missouri River and within the 10-mile EPZ has resulted in several sirens being [deliberately] disabled by disconnecting AC power due to rising river levels. These flooding conditions do not only affect the operability/functionality of the sirens, but have also resulted in power disconnections for and evacuation of residents in the areas for which these sirens provide coverage. Additionally, backup route-alerting is still available for any remaining affected residents as verified through local and state governments.

NEI 99-02, Revision 6 (Regulatory Assessment Performance Indicator Guideline), page 57, concerning siren testing, states: “Regularly scheduled tests missed for reasons other than siren unavailability (e.g., out of service for planned maintenance or repair) should be considered non opportunities.” This evaluation and exemption was applied to the sirens that have been removed from service due to flooding.

These sirens were removed from service intentionally and will remain out of service for an extended period of time; therefore they will not be counted in the performance indicator for Alert and Notification System Reliability. For all EPTs conducted on sirens during the time period when power has been removed from the siren due to flooding, the number of sirens tested will only be those that have normal power available.

Resolution: If sirens are not available for operation due to high flood water conditions, and the area is deemed inaccessible and uninhabitable by State and/or Local agencies, the siren(s) in question will not be counted in the numerator or denominator of the Performance Indicator for that testing period.



APPENDIX E FREQUENTLY ASKED QUESTIONS

Purpose

The Frequently Asked Question (FAQ) process is the mechanism for resolving interpretation issues with NEI 99-02. FAQs and responses are posted on the NRC Website (www.nrc.gov/NRR/OVERSIGHT/ASSESS/index.html) and INPO’s Consolidated Data Entry webpage. Approved FAQs represent NRC approved interpretations of performance indicator guidance and should be treated as an extension of NEI 99-02.

There are several reasons for submitting an FAQ:

1. To clarify the guidance when the licensee and NRC regional staff do not agree on the meaning or application of the guidance to a particular situation.
2. To provide guidance for a class of plants whose design or system functions differ from that described in the guidance.
3. To request an exemption from the guidance for plant-specific circumstances, such as design features, procedures, or unique conditions.
4. When recommended in NEI 99-02, such as in response to unplanned power changes due to environmental conditions.

Proposed changes to the guidance are not a reason to submit an FAQ. A formal process exists for changing the guidance, which usually includes analysis and piloting before being implemented. White papers that are submitted for guidance changes, if approved by the Industry/NRC working group, are converted into an FAQ for use and inclusion in the next revision of NEI 99-02. In some circumstances, while reviewing an FAQ, the Industry/NRC working group may determine that a change in the guidance is necessary.

The FAQ process is not the arena in which to resolve interpretation issues with any other NRC regulatory documents. In addition, the FAQ process is not used to make licensing or engineering decisions.

Process

1. Issue identification

Either the licensee or the NRC may identify the need for an interpretation of the guidance. FAQs should be submitted as soon as possible, but generally no later than the quarter following identification of the issue requiring interpretation. Once the licensee and resident inspector or region have identified an issue on which there is either disagreement or where both parties agree that guidance clarification is necessary, an FAQ should be submitted as soon as possible. The FAQ should be provided to the ROP Task Force by the next scheduled ROP Task Force meeting, if practical, but no later than its subsequent meeting. The ROP Task Force should submit the FAQ to the ROP Working Group by the following month’s meeting, if practical. If both the resident inspector and licensee agree that the issue is complex and more time is required (e.g., to complete a causal evaluation, obtain a vendor report, perform a simulator run, etc.), the FAQ submittal may be delayed until the issue is sufficiently understood.

The licensee submits the FAQ by email to pihelp@nei.org. The email should include “FAQ” as part of the subject line and should provide the name and phone number of a contact person. If the licensee is not sure how to interpret a situation and the quarterly report is due, an FAQ should be submitted and a comment in the PI comment field would be appropriate. If the licensee has reasonable confidence that its position will be accepted, it is under no obligation to report the information (e.g., unavailability). Conversely, if the licensee is not confident that it will succeed in its FAQ, the information should be included in the submitted data. In either case, the report can be amended, if required, at a later date.

2. Expeditiousness, Completeness and Factual Agreement

In order for the performance indicators to be a timely element of the ROP, it is incumbent on NRC and the licensee to work expeditiously and cooperatively, sharing concerns, questions and data in order that the issue can be resolved quickly. Where possible, agreement should be achieved prior to submittal of the FAQ on the factual elements of the FAQ, e.g., the engineering, maintenance, or operational situation. The FAQ must describe the situation clearly and concisely and must be complete and accurate in all respects. If agreement cannot be reached on the wording of the FAQ, NRC will provide its alternate view to the licensee for inclusion in the FAQ.

3. FAQ Format

See Figure E-1 for the format for submitting an FAQ. It is important to provide contact information and whether the FAQ should be considered generic to all plants, or only specific to the licensee submitting the FAQ. In most cases the FAQ will become effective as soon as possible; however, the licensee can recommend an effective date. The question section of the FAQ includes the specific wording of the guidance which needs to be interpreted, the circumstances involved, and the specific question. All relevant information should be included and should be as complete as possible. Incomplete or omitted information will delay the resolution of the FAQ. The licensee also provides a proposed response to the FAQ. The response should answer the question and provide the reasoning for the answer. (There must not be any new information presented in the response that was not already discussed in the question.) The NRC may or may not opt to request that the FAQ include an alternative response. Finally, the FAQ may include proposed wording to revise the guidance in the next revision.

4. Screening of licensee FAQs

Typically, FAQs are forwarded to and reviewed by NEI. New FAQs should be submitted at least one week prior to the ROP meeting; revisions to previously accepted FAQs can be submitted at any time. NEI may request that the FAQ be revised. After acceptance by NEI, the FAQ is reviewed by the industry’s ROP Task Force (formerly SPATF). Additional wording may be suggested to the licensee. In some cases, the task force may believe the FAQ is without merit and may recommend that the FAQ be withdrawn. An accepted FAQ is entered in the FAQ log which includes all unresolved FAQs. All open FAQs and the log are forwarded to NRC and the task force members approximately one week prior to the (approximately) monthly ROP meeting between the task force and NRC or as soon as reasonably practical.

5. Public Meeting Discussions of FAQs

The FAQ log is reviewed at each monthly ROP meeting, and the Industry/NRC working group is responsible for achieving a consensus response, if possible. In most cases, the licensee is expected to present and explain the details of its FAQ. Licensee and resident/regional NRC staff are usually available (at the meeting or by teleconferencing) to respond to questions posed by the Industry/NRC working group. The new FAQ is introduced by the licensee to ensure the working group understands the issues, but discussion of the FAQ may be referred to the next meeting if participants have not had an opportunity to research the issues involved. The FAQ will be discussed in detail, until all of the facts have been resolved and consensus has been reached on the response. The FAQ will then be considered “Tentatively Approved,” and typically one additional month will be allowed for reconsideration. At the following meeting the FAQ becomes “Final.” Typically, an FAQ is introduced one month; the facts are discussed for two or three months and a tentative decision reached; and it goes final the following month.

In cases where minor changes are necessary after final or tentative approval has occurred, the changes can be made if representatives from both industry and NRC concur on the final wording prior to FAQ issuance on the NRC website.

In some limited cases (involving an issue with no contention and where exigent resolution is needed), it is possible for the ROP working group to reach immediate consensus and take the FAQ to Final; however, this will generally be an exception.

6. Withdrawal of FAQs

A licensee may withdraw an FAQ after it has been accepted by the joint ROP Working Group. Withdrawals must occur during an ROP Working Group meeting. However, the ROP Working Group should further discuss and decide if a guidance issue exists in NEI 99-02 that requires additional clarification. If additional clarification is needed then the original FAQ should be revised to become a generic FAQ. In many cases, there are lessons learned from the resources expended by the ROP Working Group that should be captured. In those cases, the FAQ will be entered in the FAQ log as a generic FAQ. If there is disagreement between the staff and industry, both positions should be articulated in the FAQ. These withdrawn FAQs should be considered as historical and are not considered to be part of NEI 99-02. Although they do not establish precedent, they do offer insights into perspectives of both industry and NRC staff and, as such, can inform future decisions to submit an FAQ.

7. Appeal Process

Once the facts and circumstances are agreed upon, if consensus cannot be reached after two consecutive working group meetings, the FAQ will be referred to the NRC Director of the Division of Inspection & Regional Support (DIRS). The director will conduct a public meeting at which both the licensee and NRC will present their positions as well as respond to any questions from the director. The director then will make the determination. Any additional appeal to higher management is outside of this process and is solely at the licensee’s discretion and initiative.

8. Promulgation and Effective Date of FAQs

Once approved by NRC, the accepted response will be posted on the NRC Website and is treated as an extension of this guideline.

For the licensee that submitted the FAQ, the FAQ is effective when the event occurred. Unless otherwise directed in an FAQ response, for other licensees, FAQs are to be applied to the data submittal for the quarter following the one in which the FAQ was posted and beyond. For example, an FAQ with a posting date of 9/30/2009 would apply to 4th quarter 2009 PI data, submitted in January 2010 and subsequent data submittals. However, an FAQ with a posting date of 10/1/2009 would apply on a forward fit basis to first quarter 2010 PI data submitted in April 2010. Licensees are encouraged to check the NRC Web site frequently, particularly at the end of the reporting period, for FAQs that may have applicability for their sites.

At the time of a revision of NEI 99-02, active FAQs will be reviewed for inclusion in the text. These FAQs will then be placed in an “archived” file. Archived FAQs are for historical purposes and are not considered to be part of NEI 99-02.

FAQ TEMPLATE


Plant: _________________________
Date of Event: _________________________
Submittal Date: _________________________
Licensee Contact: _________________________ Tel/email: __________________
NRC Contact: _________________________ Tel/email: __________________

Performance Indicator:

Site-Specific FAQ (see Appendix D)? (__)Yes or (__) No

FAQ to become effective (__) when approved or (other date) ____________

Question Section

NEI 99-02 Guidance needing interpretation (include page and line citation):


Event or circumstances requiring guidance interpretation:


If licensee and NRC resident/region do not agree on the facts and circumstances, explain:


Potentially relevant FAQs:


Response Section

Proposed Resolution of FAQ:


If appropriate, provide proposed rewording of guidance for inclusion in next revision:


PRA update required to implement this FAQ?

MSPI Basis Document update required to implement this FAQ?



Figure E-1


APPENDIX F METHODOLOGIES FOR COMPUTING THE UNAVAILABILITY INDEX, THE UNRELIABILITY INDEX AND COMPONENT PERFORMANCE LIMITS

This appendix provides the details of three calculations: the System Unavailability Index, the System Unreliability Index, and component performance limits.

F 1. SYSTEM UNAVAILABILITY INDEX (UAI) DUE TO TRAIN UNAVAILABILITY

Unavailability is monitored at the train/segment level for the purpose of calculating UAI. The process for calculation of the System Unavailability Index has three major steps:

  • Identification of system trains/segments
  • Collection of plant data
  • Calculation of UAI

The first of these steps is performed for the initial setup of the index calculation if there are significant changes to plant configuration or at the licensee’s discretion. The second step has some parts that are performed initially and then only performed again when a revision to the plant-specific PRA is made or changes are made to the normal preventive maintenance practices. Other parts of the calculation are performed periodically to obtain the data elements reported to the NRC. This section provides the detailed guidance for the calculation of UAI.

F 1.1. IDENTIFICATION OF SYSTEM TRAINS/SEGMENTS

The identification of system trains/segments is accomplished in two steps:

  • Determine the system boundaries
  • Identify the trains/segments within the system boundary

Simplified P&IDs can be used to document the results of this step and will also facilitate the completion of the directions in section F2.1.1 later in this document.

F 1.1.1. MONITORED FUNCTIONS AND SYSTEM BOUNDARIES

The first step in the identification of system trains is to define the monitored functions and system boundaries. Include all components within the system boundary that are required to satisfy the monitored functions of the system.

The cooling water support system is calculated separately in MSPI; however, trains/segments of other support systems (e.g., HVAC room coolers, DC power, instrument air, etc.) that may be needed to satisfy a monitored function are not monitored in MSPI for unavailability if the components within those trains/segments are not included within the boundary of a monitored train/segment or the supported system.

Additional guidance for determining the impact on availability and unreliability from unmonitored component failures can be found in Section F.2.2.2.

The monitored functions of the system are those functions in section F5 of this appendix that have been determined to be risk-significant functions per NUMARC 93-01 and are reflected in the PRA. If none of the functions listed in Section F5 for a system are determined to be risk significant, then:

  • If only one function is listed for a system, then this function is the monitored function (for example, CE NSSS designs use the Containment Spray system for RHR but this system is redundant to the containment coolers and may not be risk significant. The Containment Spray system would be monitored.)
  • If multiple functions are listed for a system, the most risk significant function is the monitored function for the system. Use the Birnbaum Importance values to determine which function is most risk significant.

For fluid systems the boundary should extend from and include the water source (e.g., tanks, sumps, etc.) to the injection point (e.g., RCS, Steam Generators). For example, high-pressure injection may have both an injection mode with suction from the refueling water storage tank and a recirculation mode with suction from the containment sump. For Emergency AC systems, the system consists of all class 1E generators at the station (for multi-unit sites, see Unit Crosstie Capability below).

Additional system specific guidance on system boundaries can be found in Section 5 titled “Additional Guidance for Specific Systems” at the end of this appendix.

Some common conditions that may occur are discussed below.

System Interface Boundaries
For water connections from systems that provide cooling water to a single component in a monitored system, the final connecting valve is included in the boundary of the frontline system rather than the cooling water system. For example, for service water that provides cooling to support an AFW pump, only the final valve in the service water system that supplies the cooling water to the AFW system is included in the AFW system scope. This same valve is not included in the cooling water support system scope. The equivalent valve in the return path, if present, will also be included in the frontline system boundary.

The impact of room cooling or other related HVAC supports is excluded from the system/train boundary. Unavailability of these systems/components is not counted as unavailability of a monitored system/train. The only exception to this is EDG ventilation systems that have a shared function: they provide room cooling/ventilation and also provide a flow path for EDG combustion or exhaust. In these cases, unavailability of components that results in unavailability of an EDG due to not having a combustion or exhaust flow path is included in EDG unavailability.

For control functions and electrical power, the system/train boundary includes all system dedicated relays, controllers, and contactors that support the monitored system functions, and all dedicated voltage supply breakers (both motive and control power) and their associated control circuits (relay contacts for normally auto actuated components, control board switches for normally operator actuated components). If a relay, breaker, or contactor exists solely to support the operation of a monitored train/segment, it should be considered part of the train’s/segment’s boundary. If a relay, breaker, or contactor supports multiple trains/segments, it should not be considered as part of the monitored train’s/segment’s boundary. For turbine driven pumps, the system/train boundary includes the associated control system (relay contacts for normally auto actuated components, control board switches for normally operator actuated components), the control valve, and its voltage supply breaker. Failure or unavailability of components outside of the system/train boundary is not counted as unavailability of the impacted system/train.

Water Sources and Inventory
Water tanks are not considered to be monitored components. As such, they do not contribute to URI. However, since tanks can be in the train/segment boundary, periods of insufficient water inventory contribute to UAI if they result in loss of the monitored train/segment function for the required mission time. If additional water sources are required to satisfy train/segment mission times, only the connecting active valve from the additional water source is considered as a monitored component for calculating URI. If there are valves in the primary water source that must change state to permit use of the additional water source, these valves are considered monitored and should be included in UAI for the system.

Unit Cross-Tie Capability
At multiple unit sites, cross ties between systems frequently exist between units. For example, at a two unit site, the Unit 1 Emergency Diesel Generators may be able to be connected to the Unit 2 electrical bus through cross tie breakers. In this case the Unit 1 EAC system boundary would end at the cross tie breaker in Unit 1 that is closed to establish the cross-tie. The similar breaker in Unit 2 would be the system boundary for the Unit 2 EAC system. Similarly, for fluid systems the fluid system boundary would end at the valve that is opened to establish the cross-tie.

Common Components
Some components in a system may be common to more than one system/train/segment, in which case the unavailability of a common component is included in all affected systems/trains/segments.

F 1.1.2. Identification of Trains within the System

Each monitored system shall then be divided into trains/segments to facilitate the monitoring of unavailability.

A train consists of a group of components that together provide the monitored functions of the system described in the “additional guidance for specific mitigating systems”. The number of trains in a system is generally determined as follows:

  • For systems that provide cooling of fluids, the number of trains is determined by the number of parallel heat exchangers, or the number of parallel pumps, or the minimum number of parallel flow paths, whichever is fewer.
  • For emergency AC power systems the number of trains is the number of class 1E emergency (diesel, gas turbine, or hydroelectric) generators at the station that are installed to power shutdown loads in the event of a loss of off-site power. (For example, this does not include the diesel generator dedicated to the BWR HPCS system, which is included in the scope of the HPCS system.)

Some components or flow paths may be included in the scope of more than one train. For example, one set of flow regulating valves and isolation valves in a three-pump, two-steam generator system are included in the motor-driven pump train with which they are electrically associated, but they are also included (along with the redundant set of valves) in the turbine-driven pump train. In these instances, the effects of unavailability of the valves should be reported in all affected trains. Similarly, when two trains provide flow to a common header, the effect of isolation or flow regulating valve failures in paths connected to the header should be considered in both trains.

Additional system specific guidance on train definition can be found in Section F5 titled “Additional Guidance for Specific Systems” at the end of this appendix.

Additional guidance is provided below for the following specific circumstances that are commonly encountered:

  • Cooling Water Support Systems and Trains
  • Swing Trains and Components Shared Between Units
  • Maintenance Trains and Installed Spares
  • Trains or Segments that Cannot Be Removed from Service.

Cooling Water Support Systems and Trains

The cooling water function is typically accomplished by multiple systems, such as service water and component cooling water. A separate value for UAI will be calculated for each of the systems in this indicator and then they will be added together to calculate an overall UAI value.

In addition, cooling water systems are frequently not configured in discrete trains. In this case, the system should be divided into logical segments and each segment treated as a train. This approach is also valid for other fluid systems that are not configured in obvious trains. The way these functions are modeled in the plant-specific PRA will determine a logical approach for train/segment determination. For example, if the PRA modeled separate pump and line segments (such as suction and discharge headers), then the number of pumps and line segments would be the number of trains.

Unit Swing trains and components shared between units

Swing trains/components are trains/components that can be aligned to any unit. To be credited as such, their swing capability must be modeled in the PRA to provide an appropriate Fussell-Vesely value.

Installed Spares

An "installed spare" is a component (or set of components) that is used as a replacement for other equipment to allow for the removal of equipment from service for preventive or corrective maintenance without impacting the operability of trains available to achieve the monitored function of the system. To be an "installed spare," a component must not be needed for any train of the system to perform the monitored function. A typical installed spare configuration is a two train system with a third pump that can be aligned to either train (both from a power and flow perspective), but is normally not aligned and when it is not aligned receives no auto start signal. In a two train system where each train has two 100% capacity pumps that are both normally aligned, the pumps are not considered installed spares, but are redundant components within that train.

Unavailability of an installed spare is not monitored unless the system is monitored in segments, rather than trains. Trains in a system with an installed spare are not considered to be unavailable when the installed spare is aligned to that train. In the example above, a train would be considered to be unavailable if neither the normal component nor the spare component is aligned to the train.

Trains or Segments that Cannot Be Removed from Service

In some normally operating systems (e.g. Cooling Water Systems), there may exist trains or segments of the system that cannot physically be removed from service while the plant is operating at power for the following reasons:

  • Directly causes a plant trip
  • Procedures direct a plant trip
  • Technical Specifications requires immediate shutdown (LCO 3.0.3)

These should be documented in the Basis Document and not included in unavailability monitoring.

F 1.2. Collection of Plant Data

Plant data for the UAI portion of the index includes:

  • Actual train total unavailability (planned and unplanned) data for the most recent 12 quarter period collected on a quarterly basis,
  • Plant-specific baseline planned unavailability, and
  • Generic baseline unplanned unavailability.

Each of these data inputs to UAI will be discussed in the following sections.

F 1.2.1. ACTUAL TRAIN/SEGMENT UNAVAILABILITY

The Consolidated Data Entry (CDE) inputs for this parameter are Train Planned Unavailable Hours and Train Unplanned Unavailable Hours. Critical hours are derived from reactor startup and shutdown occurrences. The actual calculation of Train Unavailability is performed by CDE.

Train/Segment Unavailability
Train/Segment unavailability is the ratio of the hours the train/segment was unavailable to perform its monitored functions due to planned or unplanned maintenance or test during the previous 12 quarters while critical to the number of critical hours during the previous 12 quarters.
Train/Segment unavailable hours
The hours the train/segment was not able to perform its monitored function while critical. Fault exposure hours are not included; unavailable hours are counted only for the time required to recover the train’s/segment’s monitored functions. In all cases, a train/segment that is considered to be OPERABLE is also considered to be available. Trains/segments that are not OPERABLE must be returned to service in order to be considered available. Unavailability must be by train/segment; do not use average unavailability for each train/segment because trains/segments may have unequal risk weights.
Return to Service
Return to service is the transition from unavailable to available. A train/segment is “returned to service” when the following conditions are met: clearance tags have been removed, the train/segment has been aligned and prepared for operation, (e.g., valve line-up complete, system filled and vented), further adjustment of associated equipment is not required or expected as the result of the unavailability period, and operators concur that the train/segment is able to perform its expected functions. For standby equipment, automatic functions are aligned or can be promptly restored by an operator consistent with the requirements for crediting operator recovery stated later in this section.
Planned unavailable hours
These hours include time a train or segment is removed from service for a reason other than equipment failure or human error. Examples of activities included in planned unavailable hours are preventive maintenance, testing, equipment modification, or any other time equipment is electively removed from service to correct a degraded condition that had not resulted in loss of function. When used in the calculation of UAI, if the planned unavailable hours are less than the baseline planned unavailable hours, the planned unavailable hours will be set equal to the baseline value.
Unplanned unavailable hours
These hours include elapsed time between the discovery and the restoration to service of an equipment failure or human error (such as a misalignment) that makes the train/segment unavailable. Time of discovery of a failed monitored component is when the licensee determines that a failure has occurred or when an evaluation determines that the train would not have been able to perform its monitored function(s). In any case where a monitored component has been declared inoperable due to a degraded condition, if the component is considered available, there must be a documented basis for that determination, otherwise a failure will be assumed and unplanned unavailability would accrue. If the component is degraded but considered operable, timeliness of completing additional evaluations would be addressed through the inspection process. Unavailable hours to correct discovered conditions that render a monitored train/segment incapable of performing its monitored function are counted as unplanned unavailable hours. An example of this is a condition discovered by an operator on rounds, such as an obvious oil leak, that was determined to have resulted in the equipment being non-functional even though no demand or failure actually occurred. Unavailability due to mis-positioning of components that renders a train incapable of performing its monitored functions is included in unplanned unavailability for the time required to recover the monitored function.
No Cascading of Unavailability
The failure or unavailability of an SSC that is not within the boundary of the monitored MSPI system that it supports does not cause the supported monitored system to accrue unavailability. Although such a failure or condition may require a monitored train or segment of the supported system to be declared inoperable, the monitored train or segment of the supported system would not accrue unavailability. If the monitored component of the supported system is rendered non-functional through tag out or physical plant conditions (other than as discussed below), then unavailable time should be accrued for the monitored train or segment of the supported system. Otherwise, unavailability is not accrued.

Plants will sometimes disable the autostart of a supported monitored system when its support system is out of service. For example, a diesel generator may have the start function inhibited when the service water system that provides diesel generator cooling is removed from service. This is done for the purposes of equipment protection. This could be accomplished by putting a supported system’s monitored component in "maintenance" mode or by pulling the control fuses of the supported component. If no maintenance is being performed on a component that’s within a supported system’s monitored train/segment, and the supported system’s train/segment is only unavailable because of a monitored support system being out of service, no unavailability should be reported for the supported system’s train/segment. If, however, maintenance is performed on the supported system’s monitored train/segment, then the unavailability must be counted.

For example, if an Emergency Service Water train/segment (i.e., a monitored support system train/segment) is unavailable, and the autostart of the associated High Pressure Safety Injection (HPSI) pump (a monitored supported system) is disabled, there is no unavailability to be reported for the HPSI pump; however, the ESW train/segment does accrue unavailability. If a maintenance task to collect a lube oil sample is performed with no additional tag out, no unavailability has to be reported for the HPSI pump. If however, the sample required an additional tag out that would make the HPSI pump unavailable, then the time that the additional tag out was in place must be reported as planned unavailable hours for the HPSI pump.

Additional guidance on the following topics for counting train unavailable hours is provided below.

  • Short Duration Unavailability
  • Credit for Operator Recovery Actions to Restore the Monitored Function

Short Duration Unavailability

Trains are generally considered to be available during periodic system or equipment realignments to swap components or flow paths as part of normal operations. Evolutions or surveillance tests that result in less than 15 minutes of unavailable hours per train/segment at a time need not be counted as unavailable hours. Licensees should compile a list of surveillances or evolutions that meet this criterion and have it available for inspector review. The intent is to minimize unnecessary burden of data collection, documentation, and verification because these short durations have insignificant risk impact.

Credit for Operator Recovery Actions to Restore the Monitored Functions

1. During testing, operational alignment or return to service:

Unavailability of a monitored function during testing, operational alignment or return to service need not be included if the test or operational alignment configuration is automatically overridden by a valid starting signal, or the function can be promptly restored either by an operator in the control room or by a designated operator stationed locally for that purpose. Restoration actions must be contained in a written procedure, must be uncomplicated (a single action or a few actions), must be capable of being restored in time to satisfy PRA success criteria, and must not require diagnosis or repair. Credit for a designated local operator can be taken only if the operator is positioned at the proper location throughout the duration of the test or operational alignment for the purpose of restoration of the train should a valid demand occur. The intent of this paragraph is to allow licensees to take credit for restoration actions that are virtually certain to be successful (i.e., probability nearly equal to 1) during accident conditions.

The individual performing the restoration function can be the person conducting the test or operational alignment and must be in communication with the control room. Credit can also be taken for an operator in the main control room provided the operator is in close proximity to restore the equipment when needed. Normal staffing for the test or operational alignment may satisfy the requirement for a designated operator, depending on work assignments. In all cases, the staffing must be considered in advance and an operator identified to perform the restoration actions independent of other control room actions that may be required.

Under stressful, chaotic conditions, otherwise simple multiple actions may not be accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and landing wires; or clearing tags). In addition, some manual operations of systems designed to operate automatically, such as manually controlling HPCI turbine to establish and control injection flow, are not virtually certain to be successful. These situations should be resolved on a case-by-case basis through the FAQ process.

2. During maintenance

Unavailability of a monitored function during maintenance need not be included if the monitored function can be promptly restored either by an operator in the control room or by a designated operator (see footnote 1 below) stationed locally for that purpose. Restoration actions must be contained in an approved procedure, must be uncomplicated (a single action or a few actions), must be capable of being restored in time to satisfy PRA success criteria and must not require diagnosis or repair. Credit for a designated local operator can be taken only if the operator is positioned at a proper location throughout the duration of the maintenance activity for the purpose of restoration of the train should a valid demand occur. The intent of this paragraph is to allow licensees to take credit for restoration of monitored functions that are virtually certain to be successful (i.e., probability nearly equal to 1).

The individual performing the restoration function can be the person performing the maintenance and must be in communication with the control room. Credit can also be taken for an operator in the main control room provided the operator is in close proximity to restore the equipment when needed. Normal staffing for the maintenance activity may satisfy the requirement for a designated operator (see footnote 1), depending on work assignments. In all cases, the staffing must be considered in advance and an operator identified to perform the restoration actions independent of other control room actions that may be required.

Under stressful, chaotic conditions, otherwise simple multiple actions may not be accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and landing wires, or clearing tags). These situations should be resolved on a case-by-case basis through the FAQ process.

3. During degraded conditions

In accordance with current regulatory guidance, licensees may credit limited operator actions to determine that degraded equipment remains operable in accordance with Technical Specifications. If a train/segment is determined to be operable, then it is also available. Beyond this, no credit is allowed for operator actions during degraded conditions that render the train/segment unavailable to perform its monitored functions.

Counting Unavailability when Planned and Unplanned Maintenance are Performed in the Same Work Window

All maintenance performed in the work window should be classified with the classification for which the work window was entered. For example, if the initial work window was caused by unplanned maintenance then the duration of the entire work window would be classified as unplanned even if some additional planned maintenance were added that extended the work window. Another example is if a planned maintenance work window results in adding additional unplanned work due to a discovered condition during the maintenance, the entire work window duration would be classified as planned maintenance.
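The counting rules of section F 1.2.1 can be applied mechanically to a log of out-of-service windows. The following Python sketch is an added example, not part of NEI 99-02 or of the CDE software; the record fields, function names and sample hours are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SHORT_DURATION_H = 15.0 / 60.0  # the 15-minute short-duration criterion


@dataclass(frozen=True)
class Window:
    """One period in which a train/segment could not perform its function.

    All field names are hypothetical; times are hours from the start of the
    12-quarter monitoring period.
    """
    start: float
    end: float
    entered_as: str                  # "planned" or "unplanned": why the work window was entered
    kind: str = "maintenance"        # "maintenance", "surveillance" or "evolution"
    within_boundary: bool = True     # False: caused only by an SSC outside the train boundary
    recovery_credited: bool = False  # True: operator recovery criteria are met


def overlap_hours(start, end, critical_periods):
    """Hours of [start, end) that fall inside the (non-overlapping) critical periods."""
    return sum(max(0.0, min(end, c_end) - max(start, c_start))
               for c_start, c_end in critical_periods)


def train_unavailability(windows, critical_periods):
    """Return (planned hours, unplanned hours, train unavailability)."""
    critical_hours = sum(c_end - c_start for c_start, c_end in critical_periods)
    hours = {"planned": 0.0, "unplanned": 0.0}
    for w in windows:
        # No cascading: outages of SSCs outside the boundary accrue nothing.
        # Credited operator recovery: the function is treated as available.
        if not w.within_boundary or w.recovery_credited:
            continue
        # Only hours while the reactor is critical are counted.
        h = overlap_hours(w.start, w.end, critical_periods)
        # Surveillances or evolutions shorter than 15 minutes need not be counted.
        if w.kind in ("surveillance", "evolution") and h < SHORT_DURATION_H:
            continue
        # The whole work window takes the classification it was entered with.
        hours[w.entered_as] += h
    total = hours["planned"] + hours["unplanned"]
    return hours["planned"], hours["unplanned"], total / critical_hours


def planned_hours_for_uai(planned_hours, baseline_planned_hours):
    """Planned hours below the baseline are set equal to the baseline for UAI."""
    return max(planned_hours, baseline_planned_hours)


# Constructed sample data: 12 quarters (26,280 h) with one 100-hour shutdown.
SAMPLE_CRITICAL = [(0.0, 2000.0), (2100.0, 26280.0)]
SAMPLE_WINDOWS = [
    Window(100.0, 148.0, "planned"),                        # preventive maintenance
    Window(500.0, 520.0, "unplanned"),                      # failure; planned work added later
    Window(700.0, 700.0 + 10.0 / 60.0, "planned", kind="surveillance"),  # 10-minute test
    Window(1990.0, 2110.0, "planned"),                      # spans the shutdown
    Window(3000.0, 3072.0, "planned", within_boundary=False),  # support system outage only
    Window(4000.0, 4002.0, "planned", kind="surveillance", recovery_credited=True),
]

if __name__ == "__main__":
    planned, unplanned, ua = train_unavailability(SAMPLE_WINDOWS, SAMPLE_CRITICAL)
    print(f"planned={planned:.1f} h unplanned={unplanned:.1f} h UA={ua:.3e}")
```
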

F 1.2.2. PLANT-SPECIFIC BASELINE PLANNED UNAVAILABILITY

The initial baseline planned unavailability is based on actual plant-specific values for the period 2002 through 2004. (Plant-specific values of the most recent data are used so that the indicator accurately reflects deviation from expected planned maintenance.) These values may change if the plant maintenance philosophy is substantially changed with respect to on-line maintenance or preventive maintenance. In these cases, the planned unavailability baseline value should be adjusted to reflect the current maintenance practices, including low frequency maintenance evolutions.

Prior to implementation of an adjustment to the planned unavailability baseline value, the impact of the adjusted values on all MSPI PRA inputs should be assessed. A change to the PRA model and associated changes to the MSPI PRA inputs values is required prior to changing the baseline unavailability if ∆CDF > 1E-8, where:

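$$\Delta \mathrm{CDF}_{\mathrm{baseline}} = \sum_i \left( \Delta \mathrm{UA}_i \times \mathrm{Birnbaum}_i \right)$$

  • $\Delta \mathrm{UA}_i = \mathrm{UA}_{\mathrm{current}} - \mathrm{UA}_{\mathrm{baseline}}$ for segment $i$
  • $\mathrm{UA}_{\mathrm{current}}$ = proposed unavailability (expressed as a probability) to be used as the new baseline
  • $\mathrm{UA}_{\mathrm{baseline}}$ = the base unavailability (expressed as a probability) for 2002 – 2004
  • $\mathrm{Birnbaum}_i$ = Birnbaum value of segment $i$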

The following changes are considered a “change in plant maintenance philosophy:”

  • A change in frequency or scope of a current preventative maintenance activity or surveillance test.
  • The addition of a new preventative maintenance activity or surveillance test.
  • The occurrence of a periodic maintenance activity at a higher or lower frequency during a three year data window (e.g., a maintenance overhaul that occurs once every 24 months will occur twice two-thirds of the time and once one-third of the time). If the unavailability hours required for the additional maintenance activity are included in the PRA modeled unavailability, the baseline unavailability can be changed without further assessment.
  • Planned maintenance activities that occur less than once every three years (e.g., five- or 10-year overhauls). If the unavailability hours required for the additional maintenance activity are included in the PRA-modeled unavailability, the baseline unavailability can be changed without further assessment.
  • The performance of maintenance in response to a condition-based preventive maintenance activity.
  • Performance of an on-line modification that has been determined to be consistent with the unavailability values contained in the PRA in that the PRA includes unavailability hours for the proposed modification, and current maintenance and testing programs; and the hours in the MSPI UA baseline do not reflect this total unavailability.

The following changes are not considered a “change in plant maintenance philosophy:”

  • The performance of maintenance in response to a degraded condition (even when it is taken out of service to address the degraded condition) unless this action is in response to a condition-based preventive maintenance activity.
  • Planned maintenance activity that exceeds its planned duration.
  • The performance of an online modification that does not meet the change in plant maintenance philosophy online modification criterion.

Note: Condition-based maintenance consists of periodic preventive maintenance tasks or online monitoring of the health or condition of a component (e.g., vibration analysis, oil analysis, MOVAT) and predefined acceptance criteria where corrective action is to be taken on exceeding these criteria. Condition-based maintenance does not include discovery of a degraded condition as a result of actions that are outside of the maintenance programs.

Some significant maintenance evolutions, such as EDG overhauls, are performed at an interval greater than the three year monitoring period (5 or 10 year intervals). The baseline planned unavailability should be revised as necessary in the basis document during the quarter prior to the planned maintenance evolution and then removed after twelve quarters. A comment should be placed in the comment field of the quarterly report to identify a substantial change in planned unavailability. The comments automatically generated by CDE when PRA coefficients are changed do not fulfill this requirement. The plant must generate a plant-specific comment that describes what was changed. The baseline value of planned unavailability is changed at the discretion of the licensee to ensure the baseline is consistent with the current maintenance philosophy of the plant. Revised values will be used in the calculation the quarter following the basis document revision.

To determine the initial value of planned unavailability:

1) Record the total train unavailable hours reported under the Reactor Oversight Process for 2002-2004.
2) Subtract any fault exposure hours still included in the 2002-2004 period.
3) Subtract unplanned unavailable hours.
4) Add any on-line overhaul hours and any other planned unavailability previously excluded under SSU in accordance with NEI 99-02, but not excluded under the MSPI. Short duration unavailability, for example, would not be added back in because it is excluded under both SSU and MSPI.
5) Add any planned unavailable hours for functions monitored under MSPI which were not monitored under SSU in NEI 99-02.
6) Subtract any unavailable hours reported when the reactor was not critical.
7) Subtract hours cascaded onto monitored systems by support systems. (However, do not subtract any hours already subtracted in the above steps.)
8) Divide the hours derived from steps 1-7 above by the total critical hours during 2002-2004. This is the baseline planned unavailability.
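The eight steps above, together with the ∆CDF screening test given earlier in this section for a later baseline adjustment, can be worked through as follows. This Python sketch is an added example and not part of NEI 99-02; the record layout, tag names and all sample values are constructed assumptions. Each reported record is removed at most once, which implements the caution in step 7 about not subtracting the same hours twice.

```python
# Tags (hypothetical names) marking reported hours that must be removed:
#   fault_exposure -> step 2, unplanned -> step 3,
#   not_critical   -> step 6, cascaded  -> step 7
EXCLUDED = frozenset({"fault_exposure", "unplanned", "not_critical", "cascaded"})


def baseline_planned_unavailability(reported, added_step4_h, added_step5_h,
                                    critical_hours):
    """Initial baseline planned unavailability for one train/segment.

    reported       -- list of (hours, set_of_tags) reported for 2002-2004 (step 1)
    added_step4_h  -- planned hours excluded under SSU but not under MSPI (step 4)
    added_step5_h  -- planned hours for functions newly monitored under MSPI (step 5)
    critical_hours -- total critical hours during 2002-2004 (step 8)
    """
    total = sum(hours for hours, _ in reported)
    # A record carrying several exclusion tags is still subtracted only once.
    removed = sum(hours for hours, tags in reported if tags & EXCLUDED)
    planned_hours = total - removed + added_step4_h + added_step5_h
    return planned_hours / critical_hours


def delta_cdf_baseline(segments):
    """Sum of (UAcurrent - UAbaseline) * Birnbaum over the segments.

    segments -- list of (ua_current, ua_baseline, birnbaum) tuples
    """
    return sum((current - base) * birnbaum for current, base, birnbaum in segments)


def pra_update_required(segments, threshold=1.0e-8):
    """True when the PRA model and MSPI PRA inputs must be changed first."""
    return delta_cdf_baseline(segments) > threshold


# Constructed sample data for one train.
SAMPLE_REPORTED = [
    (120.0, frozenset()),                            # planned maintenance and testing
    (30.0, frozenset({"unplanned"})),
    (12.0, frozenset({"fault_exposure"})),
    (40.0, frozenset({"not_critical"})),
    (16.0, frozenset({"cascaded", "not_critical"})),  # two tags, removed once
    (24.0, frozenset({"cascaded"})),
]

# Constructed proposal: (UAcurrent, UAbaseline, Birnbaum) per segment.
SAMPLE_SEGMENTS = [
    (0.010, 0.008, 4.0e-6),
    (0.006, 0.005, 3.0e-6),
]

if __name__ == "__main__":
    ua_bl = baseline_planned_unavailability(SAMPLE_REPORTED, 72.0, 8.0, 25000.0)
    print(f"baseline planned unavailability = {ua_bl:.4f}")
    print(f"delta CDF = {delta_cdf_baseline(SAMPLE_SEGMENTS):.2e}, "
          f"PRA update required: {pra_update_required(SAMPLE_SEGMENTS)}")
```
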

Support cooling planned unavailability baseline data is based on plant-specific maintenance rule unavailability for years 2002-2004. Maintenance Rule practices do not typically differentiate planned from unplanned unavailability. However, best efforts will be made to differentiate planned and unplanned unavailability during this time period.


F 1.2.3. GENERIC BASELINE UNPLANNED UNAVAILABILITY

The unplanned unavailability values are contained in Table 1 and remain fixed. They are based on ROP PI industry data from 1999 through 2001. (Most baseline data used in PIs come from the 1995-1997 time period. However, in this case, the 1999-2001 ROP data are preferable, because the ROP data breaks out systems separately. Some of the industry 1995-1997 INPO data combine systems, such as HPCI and RCIC, and do not include PWR RHR. It is important to note that the data for the two periods is very similar.)

Table 1. Historical Unplanned Unavailability Train Values (Based on ROP Industry-wide Data for 1999 through 2001)

| SYSTEM | UNPLANNED UNAVAILABILITY/TRAIN |
|---|---|
| EAC * | 1.7E-03 |
| PWR HPSI | 6.1E-04 |
| PWR AFW (TD) | 9.1E-04 |
| PWR AFW (MD) | 6.9E-04 |
| PWR AFW (DieselD) | 7.6E-04 |
| PWR (except CE) RHR | 4.2E-04 |
| CE RHR | 1.1E-03 |
| BWR HPCI ** | 3.3E-03 |
| BWR HPCS | 5.4E-04 |
| BWR FWCI | Use plant-specific Maintenance Rule data for 2002-2004 |
| BWR RCIC | 2.9E-03 |
| BWR IC | 1.4E-03 |
| BWR RHR | 1.2E-03 |
| Support Cooling | Use plant-specific Maintenance Rule data for 2002-2004 |

* Oconee to use EAC plant-specific Maintenance Rule data for 2002-2004
** Oyster Creek to use Core Spray plant-specific Maintenance Rule data for 2002-2004

Generic Baseline Unplanned Unavailability for Front Line systems divided into segments for unavailability monitoring

If a front line system is divided into segments rather than trains, the following approach is followed for determining the generic unplanned unavailability:

1. Determine the number of trains used for SSU unavailability reporting that was in use prior to MSPI.
2. Multiply the appropriate value from Table 1 by the number of trains determined in (1).
3. Take the result and distribute it among the MSPI segments, such that the sum is equal to (2) for the whole MSPI system.

Unplanned unavailability baseline data for the support cooling systems should be developed from plant-specific Maintenance Rule data from the period 2002-2004. Maintenance Rule practices do not typically differentiate planned from unplanned unavailability. However, best efforts will be made to differentiate planned and unplanned unavailability during this time period. NOTE: The sum of planned and unplanned unavailability cannot exceed the total unavailability.

F 1.3. CALCULATION OF UAI

The specific formula for the calculation of UAI is provided in this section. Each term in the formula will be defined individually and specific guidance provided for the calculation of each term in the equation. Required inputs to the INPO Consolidated Data Entry (CDE) System will be identified.

Calculation of System UAI due to train/segment unavailability is as follows:

	Eq. 1

where the summation is over the number of trains/segments (n) and UAIt is the unavailability index for a train/segment. Calculation of UAIt for each train/segment due to actual train/segment unavailability is as follows:

, 	Eq. 2

where:

  • CDFp is the plant-specific Core Damage Frequency,
  • FVUAp is the train/segment-specific Fussell-Vesely value for unavailability,
  • UAP is the plant-specific PRA value of unavailability for the train/segment,
  • UAt is the actual unavailability of train/segment t, defined as:

and, determined in section 1.2.1

  • UABLt is the historical baseline unavailability value for the train/segment (sum of planned unavailability determined in section 1.2.2 and unplanned unavailability in section 1.2.3)

A method for calculation of the quantities in equation 2 from importance measures calculated using cutsets from an existing PRA solution is discussed in sections F 1.3.1 through F 1.3.3.

An alternate approach, based on re-quantification of the PRA model, and calculation of the importance measures from first principles is also an acceptable method. Guidance on this alternate method is contained in section F6 of this appendix. A plant using this alternate approach should use the guidance in section F6 and skip sections F 1.3.1 through F 1.3.3.

F 1.3.1. TRUNCATION LEVELS

The values of importance measures calculated using an existing cutset solution are influenced by the truncation level of the solution. The truncation level chosen for the solution should be 7 orders of magnitude less than the baseline CDF for the alternative defined in sections F 1.3.2 and F 1.3.3.

As an alternative to using this truncation level, the following sensitivity study may be performed to establish the acceptability of a higher (e.g. 6 orders of magnitude) truncation level.

1. Solve the model at the truncation level you intend to use (e.g. 6 orders of magnitude below the baseline CDF).
2. Identify the limiting Birnbaum value for each train/component (this is the case 1 value).
3. Solve the model again with a truncation 10 times larger (e.g. 5 orders of magnitude below the baseline CDF).
4. Identify the limiting Birnbaum value for each train/component (this is the case 2 value). For each component with Birnbaum-case 1 greater than 1.0E-06 calculate the ratio [(Birnbaum-case 2)/(Birnbaum-case 1)].
5. If the value for the calculated ratio is greater than 0.8 for all components with Birnbaum-case 1 value greater than 1.0E-06, then the case 1 truncation level may be used for this analysis.

This process may need to be repeated several times with successively lower truncation levels to achieve acceptable results.
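The sensitivity study above, including the repeat at successively lower truncation levels, as an added Python example (not part of NEI 99-02 or of any CDE or PRA tool). The component names and Birnbaum values are constructed, and treating a component that is absent from the case 2 solution as having a Birnbaum value of zero is an assumption of this sketch.

```python
"""Truncation sensitivity study of section F 1.3.1 (added illustration)."""

BIRNBAUM_SCREEN = 1.0e-06  # only components with case 1 Birnbaum above this are tested
RATIO_LIMIT = 0.8          # (Birnbaum-case 2)/(Birnbaum-case 1) must exceed this


def truncation_study(case1, case2):
    """Compare limiting Birnbaum values from two cutset solutions.

    case1: {component: limiting Birnbaum} at the truncation level to be used
    case2: the same model solved with a truncation 10 times larger
    Returns (acceptable, rows), one row per component above the screen:
    (component, case 1 value, case 2 value, ratio, passed).
    """
    rows = []
    for component, b1 in sorted(case1.items()):
        if b1 <= BIRNBAUM_SCREEN:
            continue  # below the screening value, not part of the test
        # Assumption: a component missing from case 2 lost every cutset
        # to truncation, so its Birnbaum value there is taken as zero.
        b2 = case2.get(component, 0.0)
        ratio = b2 / b1
        rows.append((component, b1, b2, ratio, ratio > RATIO_LIMIT))
    # With no component above the screen, nothing can fail the test.
    return all(row[4] for row in rows), rows


def first_acceptable_level(solutions):
    """Repeat the study at successively lower truncation levels.

    solutions: {orders of magnitude below baseline CDF: {component: Birnbaum}}
    A level n is tested against level n - 1 (truncation 10 times larger).
    Returns the first level that passes, or None if none does.
    """
    for level in sorted(solutions):
        coarser = level - 1
        if coarser not in solutions:
            continue  # no case 2 solution available for this level
        acceptable, _ = truncation_study(solutions[level], solutions[coarser])
        if acceptable:
            return level
    return None


# Constructed sample data: limiting Birnbaum values per component, keyed by
# truncation level expressed as orders of magnitude below the baseline CDF.
SOLUTIONS = {
    5: {"SW-PUMP-A": 3.0e-5, "SW-PUMP-B": 1.5e-5, "MOV-14": 4.0e-7},
    6: {"SW-PUMP-A": 3.4e-5, "SW-PUMP-B": 2.1e-5, "MOV-12": 2.0e-6, "MOV-14": 6.0e-7},
    7: {"SW-PUMP-A": 3.5e-5, "SW-PUMP-B": 2.2e-5, "MOV-12": 2.3e-6, "MOV-14": 7.0e-7},
}

if __name__ == "__main__":
    ok, rows = truncation_study(SOLUTIONS[6], SOLUTIONS[5])
    for component, b1, b2, ratio, passed in rows:
        print(f"{component:10s} case1={b1:.2e} case2={b2:.2e} "
              f"ratio={ratio:.3f} {'ok' if passed else 'FAIL'}")
    print("6 orders acceptable:", ok)
    print("first acceptable level:", first_acceptable_level(SOLUTIONS))
```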

F 1.3.2. CALCULATION OF CORE DAMAGE FREQUENCY (CDFP)

The Core Damage Frequency is a CDE input value. The required value is the internal events, average maintenance, at power value. Internal flooding and external events, including internal fire, are not included in this calculated value. All inputs to this indicator from the PRA are calculated from the internal events model only.

F 1.3.3. CALCULATION OF [FV/UA]MAX FOR EACH TRAIN

FV and UA are separate CDE input values. Equation 2 includes a term that is the ratio of a Fussell-Vesely importance value divided by the related unavailability or probability. This ratio is calculated for each train/segment in the system and both the FV and UA are CDE inputs. (It may be recognized that the quantity [FV/UA] multiplied by the CDF is the Birnbaum importance measure, which is used in section 2.3.3.)

Calculation of these quantities is generally complex, but in the specific application used here, can be greatly simplified.

The simplifying feature of this application is that only those components (or the associated basic events) that can make a train unavailable are considered in the performance index. A simplifying assumption is made that components within a train that can each make the train unavailable are logically equivalent and the ratio FV/UA is a constant value for any basic event in that train. It can also be shown that for a given component or train represented by multiple basic events, the ratio of the two values for the component or train is equal to the ratio of values for any basic event within the train. Or:

Thus, the process for determining the value of this ratio for any train/segment is to identify a basic event that fails the train, determine the probability for the event, determine the associated FV value for the event and then calculate the ratio.

The set of basic events to be considered for use in this section will obviously include any test and maintenance (T&M) events applicable to the train/segment under consideration. Basic events that represent failure on demand that are logically equivalent to the test and maintenance events should also be considered. (Note that many PRAs use logic that does not allow T&M events for multiple trains to appear in the same cutset because this condition is prohibited by Technical specifications. For PRAs that use this approach, failure on demand events will not be logically equivalent to the T&M events, and only the T&M events should be considered.) Failure to run events and valve transfer open/close events should not be considered as they are often not logically equivalent to test and maintenance events. Use the basic event from this set that results in the largest ratio (hence the maximum notation on the bracket) to minimize the effects of truncation on the calculation. If all events for the train/segment have been truncated, either a lower truncation value or the method provided in section F.6 should be used.

Some systems have multiple modes of operation, such as PWR HPSI systems that operate in injection as well as recirculation modes. In these systems all monitored components are not logically equivalent; unavailability of the pump may fail all operating modes while unavailability of the sump suction valves may only fail the recirculation mode. In cases such as these, if unavailability events exist separately for the components within a train, the appropriate ratio to use is the maximum.
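The selection of [FV/UA]max described in this section, as an added Python example (not part of NEI 99-02 or of CDE). The event names, the `kind` codes, the `equivalent_to_tm` flag and all numeric values are constructed for illustration; whether a failure on demand event is logically equivalent to the T&M events is a judgment the analyst supplies.

```python
"""Choosing [FV/UA]max for one train/segment (added illustration)."""
from dataclasses import dataclass
from typing import Optional


class AllEventsTruncated(Exception):
    """No candidate event survived truncation; a lower truncation value
    or the method of section F.6 is needed."""


@dataclass(frozen=True)
class BasicEvent:
    name: str
    kind: str                  # hypothetical codes: TM, DEMAND, RUN, TRANSFER
    probability: float         # UA: basic event probability
    fv: Optional[float]        # Fussell-Vesely; None if truncated out
    equivalent_to_tm: bool = False  # analyst judgment, DEMAND events only


def candidate_events(events, tm_mutually_exclusive):
    """Keep T&M events, plus failure on demand events that are logically
    equivalent to them. If the PRA logic keeps T&M events for multiple
    trains out of the same cutset, only T&M events are kept. Failure to
    run and valve transfer events are never candidates."""
    kept = []
    for event in events:
        if event.kind == "TM":
            kept.append(event)
        elif (event.kind == "DEMAND" and event.equivalent_to_tm
              and not tm_mutually_exclusive):
            kept.append(event)
    return kept


def fv_ua_max(events, tm_mutually_exclusive=False):
    """Return (event, ratio) for the candidate with the largest FV/UA."""
    surviving = [e for e in candidate_events(events, tm_mutually_exclusive)
                 if e.fv is not None and e.probability > 0.0]
    if not surviving:
        raise AllEventsTruncated("all candidate events truncated")
    best = max(surviving, key=lambda e: e.fv / e.probability)
    return best, best.fv / best.probability


def birnbaum(ratio, cdf):
    """[FV/UA] multiplied by the CDF is the Birnbaum importance."""
    return ratio * cdf


# Constructed sample data for one service water train.
CDF_P = 2.0e-5
TRAIN_A_EVENTS = [
    BasicEvent("SWS-TRN-A-TM", "TM", 5.0e-3, 1.0e-2),
    BasicEvent("SWS-PMP-A-FTS", "DEMAND", 2.0e-3, 5.0e-3, equivalent_to_tm=True),
    BasicEvent("SWS-PMP-A-FTR", "RUN", 1.0e-3, 8.0e-3),
    BasicEvent("SWS-MOV-A-XFER", "TRANSFER", 1.0e-4, 9.0e-4),
]

if __name__ == "__main__":
    event, ratio = fv_ua_max(TRAIN_A_EVENTS)
    print(event.name, ratio, birnbaum(ratio, CDF_P))
```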

F 1.3.4. CORRECTIONS TO FV/UA RATIO

Treatment of PRA Modeling Asymmetries

In systems with rotated normally running pumps (e.g. cooling water systems), the PRA models may assume one pump is always running and another is in standby. For example, a service water system may have two 100% capacity pumps in one train, an A and B pump. In practice the A and B pumps are rotated and each one is the running pump 50% of the time. In the PRA model however, the A pump is assumed to be always running and the B pump is always assumed to be in standby. This will result in one pump appearing to be more important than the other when they are, in fact, of equal importance. This asymmetry in importance is driven by the assumption in the PRA, not the design of the plant.

In the case where the system is known to be symmetric in importance, for calculation of UAI, the importance measures for each train, or segment, should be averaged and the average applied to each train or segment. Care should be taken when applying this method to be sure the system is actually symmetric.

If the system is not symmetric and the capability exists to specify a specific alignment in the PRA model, the model should be solved in each specific alignment and the importance measures for the different alignments combined by a weighted average based on the estimated time each specific alignment is used in the plant.

Cooling Water and Service Water System [FV/UA]max Values

Component Cooling Water Systems (CCW) and Service Water Systems (SWS) at some nuclear stations contribute to risk in two ways. First, the systems provide cooling to equipment used for the mitigation of events and second, the failures (and unavailability) in the systems may also result in the initiation of an event. The contribution to risk from failures to provide cooling to other plant equipment is modeled directly through dependencies in the PRA model. However, the contribution due to event initiation is treated in four general ways in current PRAs:

1) The use of linked initiating event fault trees for these systems with the same basic event names used in the initiator and mitigation trees.
2) The use of linked initiating event fault trees for these systems with different basic event names used in the initiator and mitigation trees.
3) Fault tree solutions are generated for these systems external to the PRA and the calculated value is used in the PRA as a point estimate.
4) A point estimate value is generated for the initiator using industry and plant-specific event data and used in the PRA.

Each of these methods is discussed below.

Modeling Method 1

If a PRA uses the first modeling option, then the FV values calculated will reflect the total contribution to risk for a component in the system. No additional correction to the FV values is required.

Modeling Methods 2 and 3

The corrected ratio may be calculated as described for modeling method 4 or by the method described below.

If a linked initiating event fault tree with different basic events used in the initiator and mitigation trees is the modeling approach taken, or fault tree solutions are generated for these systems external to the PRA and the calculated value is used in the PRA as a point estimate, then the corrected ratio is given by:

.

In this expression the summation is taken over all system initiators i that involve component n, where:

FVc is the Fussell-Vesely for component C as calculated from the PRA Model. This does not include any contribution from initiating events,
UAc is the basic event probability used in computing FVc; i.e. in the system response models,
IEm,n(qn) is the system initiator frequency of initiating event m when the component n unreliability basic event is qn. The event chosen in the initiator tree should represent the same failure mode for the component as the event chosen for UAc,
IEm,n(1) is as above but qn=1,
IEm,n(0) is as above but qn=0, and
FViem is the Fussell-Vesely importance contribution for the initiating event m to the CDF.

Since FV and UA are separate CDE inputs, use UAc and calculate FV from


Modeling Method 4

If a point estimate value is generated for the initiator using industry and plant-specific event data and used in the PRA, then the corrected [FV/UA]MAX for a component C is calculated from the expression:


Where: FVc is the Fussell-Vesely for CDF for component C as calculated from the PRA Model. This does not include any contribution from initiating events.

FVie is the Fussell-Vesely contribution for the initiating event in question (e.g. loss of service water).

FVsc is the Fussell-Vesely within the system fault tree only for component C (i.e. the ratio of the sum of the cut sets in the fault tree solution in which that component appears to the overall system failure probability). Note that this may require the construction of a “satellite” system fault tree to arrive at an exact or approximate value for FVsc depending on the support system fault tree logic.

UAc is the basic event probability used in computing FVc, i.e., in the system response models.

FV and UA are separate CDE input values.

F 2. SYSTEM UNRELIABILITY INDEX (URI) DUE TO COMPONENT UNRELIABILITY

Calculation of the URI is performed in three major steps:

  • Identification of the monitored components for each system,
  • Collection of plant data, and
  • Calculation of the URI.

Only the most risk significant components in each system are monitored to minimize the burden for each utility. It is expected that most, if not all the components identified for monitoring are already being monitored for failure reporting to INPO and are also monitored in accordance with the maintenance rule.

F 2.1. IDENTIFY MONITORED COMPONENTS

Monitored Component: A component whose failure to change state or remain running renders the train incapable of performing its monitored functions. In addition, all pumps and diesels in the monitored systems are included as monitored components.

The identification of monitored components involves the use of the system boundaries and success criteria, identification of the components to be monitored within the system boundary and the scope definition for each component. Note that the system boundary defined in section 1.1.1 defines the scope of equipment monitored for unavailability. Only selected components within this boundary are chosen for unreliability monitoring. The first step in identifying these selected components is to identify the system success criteria.

F 2.1.1. SUCCESS CRITERIA

The system boundaries and monitored functions developed in section F 1.1.1 should be used to complete the steps in the following section.

For each system, the monitored functions shall be identified. Success criteria used in the PRA shall then be identified for these functions.


If the licensee has chosen to use design basis success criteria in the PRA, it is not required to separately document them other than to indicate that is what was used. If success criteria from the PRA are different from the design basis, then the specific differences from the design basis success criteria shall be documented in the basis document. If success criteria for a system vary by function or initiator, the most restrictive set will be used for the MSPI. Success criteria related to ATWS need not be considered. PRA analyses (e.g. operator action timing requirements) are sometimes based on thermal-hydraulic calculations that account for the best estimate physical capability of a system. These calculations should not be confused with calculations that are intended to establish system success criteria. For example, a pump’s flow input for PRA thermal-hydraulic calculations may be based on its actual pump curve showing 12,000 gpm at runout while the design basis minimum flow for the pump is 10,000 gpm. The 10,000 gpm value should be used for determination of success or failure of the pump for this indicator. This prevents the scenario of a component or system being operable per Technical Specifications and design basis requirements but unavailable or failed under this indicator.


Examples of plant-specific performance factors that should be used to identify the required capability of the train/system to meet the monitored functions are provided below.

  • Actuation
      o Time
      o Auto/manual
      o Multiple or sequential
  • Success requirements
      o Numbers of components or trains
      o Flows
      o Pressures
      o Heat exchange rates
      o Temperatures
      o Tank water level
  • Other mission requirements
      o Run time
      o State/configuration changes during mission
  • Accident environment from internal events
      o Pressure, temperature, humidity
  • Operational factors
      o Procedures
      o Human actions
      o Training
      o Available externalities (e.g., power supplies, special equipment, etc.)

F 2.1.2. SELECTION OF COMPONENTS

For unreliability, use the following process for determining those components that should be monitored. These steps should be applied in the order listed.

1) INCLUDE all pumps (except EDG fuel oil transfer pumps, which are part of the EDG super-component) and emergency power generators.
2) Identify all AOVs, SOVs, HOVs and MOVs that change state to achieve the monitored functions for the system as potential monitored components. Solenoid and Hydraulic valves identified for potential monitoring are only those in the process flow path of a fluid system. Solenoid valves that provide air to AOVs are considered part of the AOV. Hydraulic valves that are control valves for turbine driven pumps are considered part of the pump and are not monitored separately. Check valves and manual valves are not included in the index.
   a. INCLUDE those valves from the list of valves from step 2 whose failure alone can fail a train/segment. The success criteria used to identify these valves are those identified in the previous section. (See Figure F-5)
   b. INCLUDE redundant valves from the list of valves from step 2 within a multi-train system, whether in series or parallel, where the failure of both valves would prevent all trains/segments in the system from performing a monitored function. The success criteria used to identify these valves are those identified in the previous section. (See Figure F-5)
3) INCLUDE components that cross tie monitored systems between units (i.e. Electrical Breakers and Valves) if they are modeled in the PRA.
4) EXCLUDE those valves and breakers from steps 2 and 3 above whose Birnbaum importance (see section F 2.3.5), as calculated in this appendix (including adjustment for support system initiator, if applicable, and common cause), is less than 1.0E-06. This rule is applied at the discretion of the individual plant. A balance should be considered in applying this rule between the goal to minimize the number of components monitored and having a large enough set of components to have an adequate data pool.
If a decision is made to exclude some valves based on low Birnbaum values, but not all, to ensure an adequate data pool, then the valves eliminated from monitoring shall be those with the smallest Birnbaum values. Symmetric valves in different trains should be all eliminated or all retained.

F 2.1.3. DEFINITION OF COMPONENT BOUNDARIES

Table 2 defines the boundaries of components, and Figures F-1, F-2, F-3 and F-4 provide examples of typical component boundaries as described in Table 2.

Table 2. Component Boundary Definition

Component | Component boundary
Diesel Generators | The diesel generator boundary includes the generator body, generator actuator, lubrication system (local), fuel system (local), fuel oil transfer pumps/valves, cooling components (local), startup air system receiver, exhaust and combustion air system, dedicated diesel battery (which is not part of the normal DC distribution system), individual diesel generator control system, cooling water isolation valves, circuit breaker for supply to safeguard buses and their associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
Motor-Driven Pumps | The pump boundary includes the pump body, motor/actuator, lubrication system, cooling components of the pump seals, the voltage supply breaker, and its associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
Turbine-Driven Pumps | The turbine-driven pump boundary includes the pump body, turbine/actuator, lubrication system (including pump), extractions, turbo-pump seal, cooling components, and associated control system (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*) including the control valve.
Motor-Operated Valves | The valve boundary includes the valve body, motor/actuator, the voltage supply breaker (both motive and control power) and its associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
Solenoid Operated Valves | The valve boundary includes the valve body, the operator, the supply breaker (both power and control) or fuse and its associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
Hydraulic Operated Valves | The valve boundary includes the valve body, the hydraulic operator, associated local hydraulic system, associated solenoid operated valves, the power supply breaker or fuse for the solenoid valve, and its associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
Air-Operated Valves | The valve boundary includes the valve body, the air operator, associated solenoid-operated valve, the power supply breaker or fuse for the solenoid valve, and its associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).

* Note: If the control circuit for any normally auto actuated component includes the control board switch and a failure of the control board switch prevents auto actuation of the component, it is considered to be a failure of the control circuit within the component boundary.

For control and motive power, supporting components as described in INPO 98-01 should be included in the monitored component boundary. In other words, if the relay, breaker or contactor exists solely to support the operation of the monitored component, it should be considered part of the component boundary. If a relay, breaker or contactor supports multiple components, it should not be considered as part of the monitored component boundary. If a relay/switch supports operation of several monitored components, failure of relay/switch would not be considered an MSPI failure. However, failure of individual contacts on the relay/switch, which each support a single monitored component, would be considered a failure of the monitored component.

Example 1: If a limit switch in an MOV fails to make-up, which fails an interlock and prevents a monitored pump from starting, and the limit switch has no other function, a failure to start should be assigned to the pump. If the limit switch prevents both the pump and another monitored valve from functioning, no MSPI failures would be assigned.

Example 2: If a relay prevents an MOV from closing and the relay performs no other function, an MOV failure would be assigned, assuming failure to close is a monitored function of the valve. If the MOV also has a limit switch interlocked with another monitored component, the presence of the limit switch should not be interpreted as the relay having multiple functions to preclude assigning a failure. If, in addition to the relay failure, there were a separate failure of the limit switch, both an MOV and pump failure would be assigned.

Example 3: If a relay/switch supports operation of several monitored components, failure of relay/switch would not be considered an MSPI failure. However, failure of individual contacts on the relay, which each support a single monitored component, would be considered a failure of the monitored component.

If a system is designed to auto start, and a control circuit failure results in the monitored component not being capable of auto starting (whatever component actually fails) it is a failure to start. If a system is designed to auto start, and a manual start fails, it is not an MSPI failure unless the auto start feature would also have been affected (discovered condition). Control switches (either in the control room or local) that provide the primary means for actuating a component are monitored as part of the component it actuates.

Each plant will determine its monitored components and have them available for NRC inspection.

F 2.2. COLLECTION OF PLANT DATA

Plant data for the URI includes:

  • Demands and run hours
  • Failures

F 2.2.1. DEMANDS AND RUN HOURS

There are two methods that can be used to calculate the number of demands and run hours for use in the URI. These two methods are use of actual demands and run hours and estimated demands and run hours. Best judgment should be used to define each category of demands. But strict segregation of demands between each category is not as important as the validity of total number of demands and run hours.

For MSPI monitored components, the duty cycle (demand or run hour) categories shown in Table 3 are reported to CDE to support the URI derivation.

Table 3. Required Duty Cycle Categories by Component Type

Component Type | Duty Cycle Categories Required
All valves and circuit breakers | Demands
All pumps | Demands; Run Hours
All Emergency Power Generators (both diesel and hydro electric) | Start Demands; Load Run Demands; Run Hours

Demands (including start demands for the emergency power generators) are defined as any requirements for the component to successfully start (pumps and emergency power generators) or open or close (valves and circuit breakers). Exclude post maintenance test demands, unless in case of a failure, the cause of the failure was independent of the maintenance performed. In this case the demand may be counted as well as the failure. Post maintenance tests are tests performed following maintenance but prior to declaring the train/component operable, consistent with Maintenance Rule implementation. Some monitored valves will include a throttle function as well as open and close functions. One should not include every throttle movement of a valve as a counted demand. Only the initial movement of the valve should be counted as a demand. Demands for valves that do not provide a controlling function are based on a full duty cycle.

Load run demands (emergency power generators only) are defined as any requirements for the output breaker to close given that the generator has successfully started and reached rated speed and voltage. Exclude post maintenance test load run demands, unless in case of a failure, the cause of the failure was independent of the maintenance performed. In this case, the load run demand should be counted, depending on whether the actual or estimated demand method will be used, as well as the failure.

Run hours (pumps and emergency power generators only) are defined as the time the component is operating. For pumps, run hours include the first hour of operation of the component. For emergency diesel generators, exclude all hours before the output breaker is closed (or hours when the emergency diesel generator is run unloaded) and the first hour after the breaker is closed (the first hour of operation after the breaker is closed is considered part of the load/run demand). Failures during shutdown of an emergency generator after the output breaker is opened are included as a failure to run. Exclude post maintenance test run hours, unless in case of a failure, the cause of the failure was independent of the maintenance performed. In this case, the run hours may be counted as well as the failure. Pumps that remain running for operational reasons following the completion of post-maintenance testing accrue run hours from the time the pump was declared operable.

Table 4. Duty Cycle Data Types

Type | Definition
Actual ESF (ESF Nontest Actual in CDE) | Any demands or run hours incurred as a result of a valid ESF signal.
Operational/Alignment (Operational Nontest in CDE) | Any demands or run hours incurred supporting normal plant operations not associated with test activities or as a result of a valid ESF signal.
Test | Any demands or run hours incurred supporting test activities. Normally return to service tests and test for which a component is not expected to fully cycle (e.g., bumps for rotation checks after pump maintenance) are not included.

For each type of duty cycle data, the three data types defined in Table 4 are reported to CDE.

Best judgment should be used to define each type of demand or run hour data, but strict segregation of data between types is not as important as the validity of the total number (ESF nontest + operational nontest + test).

The duty cycle data category types may be reported as either actual or estimated data. Since valid ESF signals are essentially random in frequency, actual ESF demands (start demands, load run demands, and run hours) are always reported as actual data. Operational/Alignment and test data, however, can be reasonably estimated based on plant scheduled test frequencies and operating history. Therefore, either or both operational/alignment and test data may be reported as estimated data if so designated in the unit’s MSPI basis document. Optionally, either or both operational/alignment and test data may be reported as actual data if so designated in the unit’s MSPI basis document.

An actual ESF demand (also start demand, load run demand, or run hour) is any condition that results in valid actuation, manual or automatic, of any of the MSPI systems due to actual or perceived plant conditions requiring the actuation. These conditions should be counted in MSPI as actual ESF demands except when:

1) The actuation resulted from and was part of a pre-planned sequence during testing or reactor operation; or
2) The actuation was invalid; or
3) Occurred while the system was properly removed from service; or
4) Occurred after the safety function had been already completed.

Valid actuations are those actuations that result from "valid signals" or from intentional manual initiation, unless it is part of a preplanned test. Valid signals are those signals that are initiated in response to actual plant conditions or parameters satisfying the requirements for initiation of the safety function of the system. They do not include those which are the result of other signals. Invalid actuations are, by definition, those that do not meet the criteria for being valid. Thus, invalid actuations include actuations that are not the result of valid signals and are not intentional manual actuations.

For preplanned actuations, operation of a system as part of a planned test or operational evolution should not be counted in MSPI as actual ESF demands, but rather as operational/alignment or test demands. Preplanned actuations are those which are expected to actually occur due to preplanned activities covered by procedures. Such actuations are those for which a procedural step or other appropriate documentation indicates the specific actuation is actually expected to occur. Control room personnel are aware of the specific signal generation before its occurrence or indication in the control room. However, if during the test or evolution, the system actuates in a way that is not part of the planned evolution, that actuation should be counted.

Actual ESF demands occur when the setpoints for automatic safety system actuation are met or exceeded and usually include the actuation of multiple trains and systems. Automatic actuation of standby trains on a failure of a running train should not be considered as an actual ESF demand. Actuations caused by operator error, maintenance errors, etc. that are not due to actual plant requirements should be considered as “invalid” actuations and not counted in MSPI as actual ESF demands.

CDE will use the actual ESF data, the actual/estimated operational data, and the actual/estimated test data to derive a total number of demands (start demand, load run demands, and run hours as required) for each MSPI monitored component for use in the URI derivation for the applicable MSPI system.

Reporting of Actual Data: Actual data is a count of the number of demands, start demands, load run demands, and run hours occurring in the specific month (or quarter prior to April 2006).
For the reporting of Actual demands, Table 5 shows the requirements for data to be reported each month if actual demands will be reported (or quarter prior to April 2006), for all actual ESF, operational/alignment, and test duty cycle data.

Reporting of Estimated Data: Estimated demands and run hours can be derived based on the number of times a procedure or maintenance activity is performed, or based on the historical data over an operating cycle or more. Table 6 shows the requirements for estimated data to be reported to CDE.

Estimated data are not reported to CDE on a periodic (monthly or quarterly) basis, rather, they are entered initially, typically for the period of a refueling cycle (e.g., 48 demands in 24 months) then updated as required. An update is required if a change to the basis for the estimate results in a >25% change in the estimate of the total (operational/alignment + test) value for a group of components within an MSPI system. For example, a single MOV in a system may have its estimated demands change by greater than 25%, but revised estimates are not required unless the total number of estimated demands for all MOVs in the system changes by >25%. The new estimate will be used in the calculation the quarter following the input of the updated estimates into CDE.
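The update rule above, applied at the level of a component group rather than a single component, as an added Python example (not part of NEI 99-02 or of CDE). The system, group and component names and the demand counts are constructed; measuring the change relative to the current estimate, and flagging a group whose current total is zero, are assumptions of this sketch.

```python
"""When must estimated duty cycle data be updated? (added illustration)"""
from collections import defaultdict

UPDATE_THRESHOLD = 0.25  # update required for a >25% change in the group total


def group_totals(estimates):
    """Sum (operational/alignment + test) per (system, component group).

    estimates: {(system, group, component): (operational, test)}
    """
    totals = defaultdict(float)
    for (system, group, _component), (operational, test) in estimates.items():
        totals[(system, group)] += operational + test
    return dict(totals)


def groups_needing_update(current, revised):
    """Compare current and revised estimates group by group.

    Returns {(system, group): (before, after, change, update_required)}.
    Assumption: change is measured relative to the current estimate, and
    a group whose current total is zero is flagged if the revised total
    is non-zero.
    """
    before_totals = group_totals(current)
    after_totals = group_totals(revised)
    result = {}
    for key in sorted(set(before_totals) | set(after_totals)):
        before = before_totals.get(key, 0.0)
        after = after_totals.get(key, 0.0)
        if before == 0.0:
            change = float("inf") if after else 0.0
        else:
            change = abs(after - before) / before
        result[key] = (before, after, change, change > UPDATE_THRESHOLD)
    return result


# Constructed estimates for one refueling cycle: (operational, test) demands.
CURRENT = {
    ("RHR", "MOV", "MOV-1"): (24, 24),
    ("RHR", "MOV", "MOV-2"): (24, 24),
    ("RHR", "MOV", "MOV-3"): (24, 24),
    ("RHR", "MOV", "MOV-4"): (24, 24),
    ("RHR", "PUMP", "P-1"): (12, 12),
    ("RHR", "PUMP", "P-2"): (12, 12),
}
# MOV-1 alone rises by 50%, but the MOV group total rises by only 12.5%.
REVISED = dict(CURRENT)
REVISED[("RHR", "MOV", "MOV-1")] = (48, 24)
REVISED[("RHR", "PUMP", "P-1")] = (24, 12)
REVISED[("RHR", "PUMP", "P-2")] = (18, 12)

if __name__ == "__main__":
    for key, (before, after, change, needed) in groups_needing_update(
            CURRENT, REVISED).items():
        print(key, before, after, f"{change:.1%}",
              "update CDE" if needed else "no update required")
```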


Table 5. Required Reporting by Component Type (Actual Demands Commitment)

Component Type | Report Each Month (or Quarter Prior to April 2006)
All valves and circuit breakers | Actual ESF Demands; Actual Operational/Alignment Demands; Actual Test Demands
All pumps | Actual ESF Demands; Actual Operational/Alignment Demands; Actual Test Demands; Actual ESF Run Hours; Actual Operational/Alignment Run Hours; Actual Test Run Hours
All Emergency Power Generators (both diesel and hydroelectric) | Actual ESF Start Demands; Actual Operational/Alignment Start Demands; Actual Test Start Demands; Actual ESF Load Run Demands; Actual Operational/Alignment Load Run Demands; Actual Test Load Run Demands; Actual ESF Run Hours; Actual Operational/Alignment Run Hours; Actual Test Run Hours

Table 6. Required Reporting by Component Type (Estimated Data Commitment)

Component Type: Report

All valves and circuit breakers:
  • Actual ESF Demands (Note 1)
  • Estimated Operational/Alignment Demands
  • Estimated Test Demands

All pumps:
  • Actual ESF Demands (Note 1)
  • Estimated Operational/Alignment Demands
  • Estimated Test Demands
  • Actual ESF Run Hours (Note 1)
  • Estimated Operational/Alignment Run Hours
  • Estimated Test Run Hours

All Emergency Power Generators (both diesel and hydroelectric):
  • Actual ESF Start Demands (Note 1)
  • Estimated Operational/Alignment Start Demands
  • Estimated Test Start Demands
  • Actual ESF Load Run Demands (Note 1)
  • Estimated Operational/Alignment Load Run Demands
  • Estimated Test Load Run Demands
  • Actual ESF Run Hours (Note 1)
  • Estimated Operational/Alignment Run Hours
  • Estimated Test Run Hours

Note 1 for Table 6: For plants that have elected to use estimated test and operational/alignment demands and run hours, the reporting of ESF demands and run hours should be either “zero” or the actual demands/run hours. If there were no actual ESF demands and run hours for the quarter, a "zero" must be entered into CDE for actual ESF demands and run hours.


F 2.2.2. FAILURES

In general, a failure of a component for the MSPI is any circumstance when the component is not in a condition to meet the performance requirements defined by the PRA success criteria or mission time for the functions monitored under the MSPI. For emergency power generators, the mission time for failure determinations should be the maximum mission time considered in the PRA model (generally 24 hours), even if a shorter mission time is used for input into CDE. Note that a run failure that occurs beyond the mission time after the emergency power generator or pump is started is still counted as a MSPI failure. This accounts for the time during which the component was in an unknown condition when it would have been unable to run for a full mission time. In addition, such failures are included in the data used to generate the baseline failure rates.

Failures for the MSPI are not necessarily equivalent to failures in the maintenance rule. Specifically, the MSPI failure determination does not depend on whether a failure is maintenance preventable. Additionally, the functions monitored for the MSPI are normally a subset of those monitored for the maintenance rule.

Emergency power generator failure to start: A failure to start includes those failures up to the point when the emergency power generator output breaker has received a signal to close. Exclude post maintenance tests (PMTs), unless the cause of failure was independent of the maintenance performed. Include all failures that result from a non-PMT demand following return to service. If a PMT failure occurs following return to service and was caused by the maintenance activity, then this failure is excluded and the train, during the period from the completion of the maintenance activity to the declaration of return to service, is counted as unavailable. (See the emergency power generator failure to run definition for treatment of fuel oil transfer pump/valve failures.)

Emergency power generator failure to load/run: Given that the emergency power generator has successfully started and the output breaker has received a signal to close, a failure of the generator output breaker to close or a failure to run/operate for one hour after breaker closure. The emergency power generator does not have to be fully loaded to count the failure. Failure to load/run also includes failures of the emergency power generator output breaker to re-close following a grid disturbance if the emergency power generator was running paralleled to the grid, provided breaker closure is required by plant design. Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed. Include all failures that result from a non-PMT demand following return to service. If a PMT failure occurs following return to service and was caused by the maintenance activity, then this failure is excluded and the train, during the period from the completion of the maintenance activity to the declaration of return to service, is counted as unavailable.

Emergency power generator failure to run: A failure after the emergency power generator has successfully started, the output breaker has closed and the generator has run for an hour after the breaker has closed. The generator does not have to be fully loaded to count the failure. Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed. Failures of the EDG fuel oil transfer pump(s)/valve(s) are considered to be EDG failures to run if the failure of the EDG fuel oil transfer pump/valve results in the failure of the EDG to be able to run for 24 hours (e.g., no redundant transfer pump/valve is available, or the redundant pump/valve is disabled in a manner preventing it from performing its intended function). Regardless of when the fuel oil transfer pump/valve(s) fails, this counts as a run failure. In the case where a fuel oil transfer pump/valve(s) failure results in more than one EDG being unable to run for 24 hours, a failure is counted for each affected EDG. Include all failures that result from a non-PMT demand following return to service. If a PMT failure occurs following return to service and was caused by the maintenance activity, then this failure is excluded and the train, during the period from the completion of the maintenance activity to the declaration of return to service, is counted as unavailable.

Pump failure on demand: A failure to start and run for at least one hour is counted as failure on demand. Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed. Include all failures that result from a non-PMT demand following return to service. If a PMT failure occurs following return to service and was caused by the maintenance activity, then this failure is excluded and the train, during the period from the completion of the maintenance activity to the declaration of return to service, is counted as unavailable.

Pump failure to run: Given that it has successfully started and run for an hour, a failure of a pump to run/operate. Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed. Include all failures that result from a non-PMT demand following return to service. If a PMT failure occurs following return to service and was caused by the maintenance activity, then this failure is excluded and the train, during the period from the completion of the maintenance activity to the declaration of return to service, is counted as unavailable.

Valve failure on demand: A failure to transfer to the required monitored state (open, close, or throttle to the desired position as applicable) is counted as failure on demand. Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed. Include all failures that result from a non-PMT demand following return to service. If a PMT failure occurs following return to service and was caused by the maintenance activity, then this failure is excluded and the train, during the period from the completion of the maintenance activity to the declaration of return to service, is counted as unavailable.

Breaker failure on demand: A failure to transfer to the required monitored state (open or close as applicable) is counted as failure on demand. Exclude post maintenance tests, unless the cause of failure was independent of the maintenance performed. Include all failures that result from a non-PMT demand following return to service. If a PMT failure occurs following return to service and was caused by the maintenance activity, then this failure is excluded and the train, during the period from the completion of the maintenance activity to the declaration of return to service, is counted as unavailable.

Treatment of Demand and Run Failures

Failures of monitored components on demand or failures to run, either actual or test, are included in unreliability. Failures on demand or failures to run while not critical are included unless an evaluation determines the failure would not have affected the ability of the component to perform its monitored at-power function.

Human errors/component trips, inadvertent actuations or unplanned unavailability introduced as part of a test or maintenance activity are not indicative of the reliability of the equipment had the activity not been performed, and should NOT be counted as failures as long as they are immediately revealed and promptly reported to the control room.

This applies to human errors which result in tripping an MSPI component that:

1. Occur while the MSPI train/segment is considered available;
2. Do not result in actual equipment damage;
3. Are immediately revealed through clear and unambiguous indication;
4. Are promptly reported to the control room without delay prior to the performance of corrective actions, and;
5. Are clearly associated with a test or maintenance activity such that the failure sequence would not have occurred and cannot occur if the test or maintenance activity was not being performed.

Unplanned unavailability should be counted from the time of the event until the equipment is returned to service.

Latent failures (failures that existed prior to the maintenance) that are discovered as part of maintenance or test activity are considered failures.

Treatment of Failures Discovered During Post Maintenance Tests

Failures identified during post maintenance tests (PMT) are not counted unless the cause of the failure was independent of the maintenance performed. The maintenance scope of work includes the activities required to be performed to conduct the maintenance, including support activities, the actual maintenance activities, and the activities required for restoration of the monitored component(s) to their available and operable conditions. This includes, but is not limited to, typical tasks such as scaffolding erection and removal, coatings applications, insulation removal and installation, rigging activities, health physics activities, interference removal and restoration, as required to support and perform the required maintenance activity. Support activities may be planned, scheduled and implemented on separate work orders from the work order for the monitored component(s). System or component failures introduced during the scope of work are not indicative of the reliability of the equipment, since they would not have occurred had the maintenance activity not been performed. In addition, the potential exists that components or devices not included in the direct scope of work may be affected by the ongoing activities. Such failures are not counted providing:

  • They are identified during or prior to the post-maintenance testing and are corrected prior to the component(s) being returned to operable status,
  • The repair is documented in a work package,
  • The critical components not directly in the scope of work, but that have the potential to be affected by the maintenance activity, are noted by means such as cautions in the procedures, inclusion in the pre-job briefings, protection by signs, placards or padding, and
  • The licensee uses the corrective action program to document the basis for the determination that the cause of the failure was dependent on the maintenance performed. This determination must establish a clear relationship between the maintenance performed and the failure.

Treatment of Discovered Conditions that Result in the Inability to Perform a Monitored Function

Discovered conditions of monitored components (conditions within the component boundaries defined in section F 2.1.3) that render a monitored component incapable of performing its monitored function are included in unreliability as a failure, even though no actual failure on demand or while running existed. This treatment accounts for the amount of time that the condition existed prior to discovery, when the component was in an unknown failed state.

In accordance with current regulatory guidance, licensees may credit limited operator actions to determine that degraded equipment remains operable in accordance with Technical Specifications. If a component is determined to be operable, then no failure is counted. Beyond this, no credit is allowed for operator actions during degraded conditions that render the component unable to perform its monitored function.

Conditions that render a monitored component incapable of performing its monitored function that are immediately annunciated in the control room without an actual demand occurring are a special case of a discovered condition. In this instance the discovery of the condition is coincident with the failure. This condition is applicable to normally energized control circuits that are associated with monitored components, which annunciate on loss of power to the control circuit. For this circumstance there is no time when the component is in an unknown failed state. In this instance appropriate train unavailable hours will be accounted for, but no additional failure will be counted.

For other discovered conditions where the discovery of the condition is not coincident with the failure, the appropriate failure mode must be accounted for in the following manner:

  • For valves and breakers a demand failure would be assumed and included. An additional demand may also be counted.
  • For pumps and emergency power generators, if the discovered condition would have prevented a successful start, a start failure is included, but there would be no run time hours or run failure. An additional demand may also be counted.
  • For emergency power generators, if it was determined that the generator would start, but would fail to load (e.g. a condition associated with the output breaker), a load/run failure would be assumed and included. An additional start demand and load/run demand may also be counted.
  • For pumps and emergency power generators, if it was determined that the pump/generator would start and load run, but would fail sometime prior to completing its mission time, a run failure would be assumed. A start demand and a load/run demand would also be assumed and included. The evaluated failure time may be included in run hours.

If a running component is secured from operation due to observed degraded performance, but prior to failure, a run failure shall be assumed unless evaluation of the condition shows that the component would have continued to operate for the mission time starting from the time the component was secured.

Unplanned unavailability would accrue in all instances from the time of discovery or annunciation consistent with the definition in section F 1.2.1.

Loss of monitored function(s) is assumed to have occurred if the established success criteria have not been met. If subsequent analysis identifies additional margin for the success criterion, future impacts on URI or UAI for degraded conditions may be determined based on the new criterion. However, the current quarter’s URI and UAI must be based on the success criteria of record at the time the degraded condition is discovered. If the new success criteria cause a revision to the PRA affecting the numerical results (i.e. CDF and FV), then the change must be included in the PRA model and the appropriate new values calculated and incorporated in the MSPI Basis Document prior to use in the calculation of URI and UAI. If the change in success criteria has no effect on the numerical results of the PRA (representing only a change in margin) then only the MSPI Basis Document need be revised prior to using the revised success criteria.

If the degraded condition is not addressed by any of the pre-defined success criteria, an engineering evaluation to determine the impact of the degraded condition on the monitored function(s) should be completed and documented. The use of component failure analysis, circuit analysis, or event investigations is acceptable. Engineering judgment may be used in conjunction with analytical techniques to determine the impact of the degraded condition on the monitored function. The engineering evaluation should be completed as soon as practical. If it cannot be completed in time to support submission of the PI report for the current quarter, a preliminary determination should be reported and the comment field shall note that an evaluation is pending. The evaluation must be completed in time to accurately account for unavailability/unreliability in the next quarterly report. Exceptions to this guidance are expected to be rare and will be treated on a case-by-case basis. Licensees should identify these situations to the resident inspector.

Failures and Discovered Conditions of Non-Monitored Structures, Systems, and Components (SSC)

Unmonitored components within a monitored train/segment boundary do not contribute to unreliability. If an unmonitored component within a monitored train/segment fails, unreliability is not accrued if the unmonitored component does not cause an actual demand and/or actual failure of a monitored component within the monitored train/segment. If the unmonitored component causes a monitored component within the monitored train/segment to actually fail when demanded, then the monitored component demand and failure are counted for unreliability. The failure of an unmonitored component within a monitored train/segment can cause unavailability of that train/segment to be counted if the train/segment is rendered unavailable.

Unmonitored components outside a monitored train/segment boundary do not contribute to unreliability of monitored components or to unavailability of the monitored train/segment. If an unmonitored component outside a monitored train/segment fails, unreliability is not accrued regardless of whether the unmonitored component causes an actual demand and/or actual failure of a monitored component. The failure of an unmonitored component outside a monitored train/segment cannot cause unavailability of that train/segment to be counted.

For example, a manual suction isolation valve (an unmonitored component within the train boundary) is left closed, which would have caused a pump to fail. The closed valve would not be counted as a failure of the pump, nor would unavailability be accrued. Any mis-positioning of the valve that caused the train to be unavailable would be counted as unavailability from the time of discovery. The significance of the mis-positioned valve prior to discovery would be addressed through the inspection process. (Note, however, in the above example, if the shut manual suction isolation valve resulted in an actual pump failure, the pump failure would be counted as a demand and failure of the pump and unplanned unavailability would be counted against the appropriate train/segment.)


F 2.3. CALCULATION OF URI

Unreliability is monitored at the component level and calculated at the system level. URI is proportional to the weighted difference between the plant-specific component unreliability and the industry average unreliability. The Birnbaum importance is the weighting factor. Calculation of system URI due to this difference in component unreliability is as follows:

	Eq. 3

Where the summation is over the number of monitored components (m) in the system, and:

BDj, BLj and BRj are the Birnbaum importance measures for the failure modes fail on demand, fail to load and fail to run respectively,

URDBC, URLBC, and URRBC are Bayesian corrected plant-specific values of unreliability for the failure modes fail on demand, fail to load and fail to run respectively, and

URDBL, URLBL, and URRBL are Baseline values of unreliability for the failure modes fail on demand, fail to load and fail to run respectively.

The Birnbaum importance for each specific component failure mode is defined as

		Eq. 4

Where:

  • CDFp is the plant-specific internal events, at power, core damage frequency,
  • FVURc is the component and failure mode specific Fussell-Vesely value for unreliability, and
  • URPc is the plant-specific PRA value of component and failure mode unreliability.

Failure modes defined for each component type are provided below. There may be several basic events in a PRA that correspond to each of these failure modes used to collect plant-specific data. These failure modes are used to define how the actual failures in the plant are categorized.

Valves and Breakers:
  • Fail on Demand (Open/Close)

Pumps:
  • Fail on Demand (Start)
  • Fail to Run

Emergency Diesel Generators:
  • Fail on Demand (Start)
  • Fail to Load/Run
  • Fail to Run

A method for calculation of the quantities in equations 3 and 4 from importance measures calculated using cutsets from an existing PRA solution is discussed in sections F 2.3.1 through F 2.3.3.

An alternate approach, based on re-quantification of the PRA model, and calculation of the importance measures from first principles is also an acceptable method. Guidance on this alternate method is contained in section F6 of this appendix. A plant using this alternate approach should use the guidance in section F6 and skip sections F 2.3.1 through F 2.3.3.

F 2.3.1. TRUNCATION LEVELS

The values of importance measures calculated using an existing cutset solution are influenced by the truncation level of the solution. The truncation level chosen for the solution should be 7 orders of magnitude less than the baseline CDF for the alternative defined in sections F 2.3.2 and F 2.3.3.

As an alternative to using this truncation level, the following sensitivity study may be performed to establish the acceptability of a higher (e.g. 6 orders of magnitude) truncation level.

1. Solve the model at the truncation level you intend to use (e.g. 6 orders of magnitude below the baseline CDF).
2. Identify the limiting Birnbaum value for each component (this is the case 1 value).
3. Solve the model again with a truncation 10 times larger (e.g. 5 orders of magnitude below the baseline CDF).
4. Identify the limiting Birnbaum value for each component (this is the case 2 value).
5. For each component with Birnbaum-case 1 greater than 1.0E-06, calculate the ratio [(Birnbaum-case 2)/(Birnbaum-case 1)].
6. If the value for the calculated ratio is greater than 0.8 for all components with Birnbaum-case 1 value greater than 1.0E-06, then the case 1 truncation level may be used for this analysis.

This process may need to be repeated several times with successively lower truncation levels to achieve acceptable results.
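The sensitivity study above can be scripted once the limiting Birnbaum values have been exported from each cutset solution. The following is an added example, not part of NEI 99-02 or CDE: the function names, the component names and all Birnbaum values are constructed for illustration, and treating a component that is absent from the case 2 solution as having a Birnbaum value of zero is an assumption.

```python
"""Truncation sensitivity study for limiting Birnbaum values (added example)."""

BIRNBAUM_SCREEN = 1.0e-06  # step 5: only components above this case 1 value are tested
RATIO_LIMIT = 0.8          # step 6: every tested ratio must be greater than this


def truncation_sensitivity(case1, case2):
    """Compare two cutset solutions.

    case1: {component: limiting Birnbaum} at the truncation level to be used
    case2: the same, solved with a truncation 10 times larger
    Returns (acceptable, rows), one row per component that passed the screen.
    """
    rows = []
    for component, b1 in sorted(case1.items()):
        if b1 <= BIRNBAUM_SCREEN:
            continue  # below the 1.0E-06 screen, not part of the test
        # Assumption: a component truncated out of the coarser solution
        # contributes a Birnbaum value of zero, which fails the ratio test.
        b2 = case2.get(component, 0.0)
        ratio = b2 / b1
        rows.append({"component": component, "case1": b1, "case2": b2,
                     "ratio": ratio, "passes": ratio > RATIO_LIMIT})
    # If no component passes the screen, the condition in step 6 holds vacuously.
    return all(row["passes"] for row in rows), rows


def first_acceptable_level(solutions):
    """Repeat the study over successively lower truncation levels.

    solutions: {orders of magnitude below baseline CDF: {component: Birnbaum}}
    Level N is tested as case 1 against level N-1 (10 times larger) as case 2.
    Returns the first level that passes, or None if none of those supplied do.
    """
    for level in sorted(solutions):
        if level - 1 not in solutions:
            continue  # no coarser solution to compare against
        acceptable, _ = truncation_sensitivity(solutions[level], solutions[level - 1])
        if acceptable:
            return level
    return None


# Constructed sample data: limiting Birnbaum values at 5, 6 and 7 orders of
# magnitude below the baseline CDF. These are not values from any real PRA.
SOLUTIONS = {
    5: {"MOV-A": 2.0e-05, "PUMP-A": 1.00e-04, "EDG-A": 3.00e-04},
    6: {"MOV-A": 4.0e-05, "PUMP-A": 1.15e-04, "EDG-A": 3.10e-04, "CB-1": 5.0e-07},
    7: {"MOV-A": 4.4e-05, "PUMP-A": 1.20e-04, "EDG-A": 3.15e-04, "CB-1": 8.0e-07},
}

if __name__ == "__main__":
    ok, rows = truncation_sensitivity(SOLUTIONS[6], SOLUTIONS[5])
    for row in rows:
        print(f"{row['component']:8s} ratio={row['ratio']:.3f} passes={row['passes']}")
    print("6 orders acceptable:", ok)
    print("first acceptable level:", first_acceptable_level(SOLUTIONS))
```

With the sample data, MOV-A fails the ratio test at 6 orders of magnitude, so the study is repeated one level lower, where every screened component passes.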

F 2.3.2. CALCULATION OF CORE DAMAGE FREQUENCY (CDFP)

The Core Damage Frequency is a CDE input value. The required value is the internal events average maintenance at power value. Internal flooding and external events, including internal fires, are not included in this calculated value. In general, all inputs to this indicator from the PRA are calculated from the internal events model only.

F 2.3.3. CALCULATION OF [FV/UR]MAX

The FV, UR and common cause adjustment values developed in this section are separate CDE input values.

Equation 4 includes a term that is the ratio of a Fussell-Vesely importance value divided by the related unreliability. The calculation of this ratio is performed in a similar manner to the ratio calculated for UAI, except that the ratio is calculated for each monitored component. One additional factor needs to be accounted for in the unreliability ratio that was not needed in the unavailability ratio, the contribution to the ratio from common cause failure events. The discussion in this section will start with the calculation of the initial ratio and then proceed with directions for adjusting this value to account for the cooling water initiator contribution, as in the unavailability index, and then the common cause correction.

It can be shown that for a given component represented by multiple basic events, the ratio of the two values for the component is equal to the ratio of values for any basic event representing the component. Or,


as long as the basic events under consideration are logically equivalent.

Note that the constant value may be different for the unreliability ratio and the unavailability ratio because the two types of events are frequently not logically equivalent. For example recovery actions may be modeled in the PRA for one but not the other. This ratio may also be different for fail on demand and fail to run events for the same component. This is particularly true for cooling water pumps that have a trip initiation function as well as a mitigation function.

There are two options for determining the initial value of this ratio: The first option is to identify one maximum ratio that will be used for all applicable failure modes for the component. The second option is to identify a separate ratio for each failure mode for the component. These two options will be discussed next.

Option 1

Identify one maximum ratio that will be used for all applicable failure modes for the component.

The process for determining a single value of this ratio for all failure modes of a component is to identify all basic events that fail the monitored function of the component (excluding common cause events and test and maintenance events). It is typical, given the component scope definitions in Table 2, that there will be several plant components modeled separately in the plant PRA that make up the MSPI component definition. For example, it is common that in modeling an MOV, the actuation relay for the MOV and the power supply breaker for the MOV are separate components in the plant PRA. Ensure that the basic events related to all of these individual components are considered when choosing the appropriate [FV/UR] ratio.

Determine the failure probabilities for the events, determine the associated FV values for the events and then calculate the ratios, [FV/UR]ind, where the subscript refers to independent failures. Choose from this list the basic event for the component and its associated FV value that results in the largest [FV/UR] ratio. This will typically be the event with the largest failure probability to minimize the effects of truncation on the calculation. If all events for the component have been truncated, either a lower truncation value or the method provided in Section F.6 should be used.

Option 2

Identify a separate ratio for each failure mode for the component.

The process for determining a ratio value for each failure mode proceeds similarly by first identifying all basic events related to each monitored function of the component. After this step, each basic event must be associated with one of the specific defined failure modes for the component. Proceed as in option 1 to find the values that result in the largest ratio for each failure mode for the component. In this option the CDE inputs will include FV and UR values for each failure mode of the component.
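The selection described for Option 1 and Option 2 can be expressed as a filter followed by a maximum over the remaining basic events. The following is an added example, not part of NEI 99-02 or CDE: the BasicEvent record, the function names, the event names and every FV and UR value are constructed for illustration, and representing a truncated event by an FV of None is an assumption.

```python
"""Selecting the initial [FV/UR]ind basic event, Option 1 and Option 2 (added example)."""
from dataclasses import dataclass
from typing import Optional


class AllEventsTruncated(Exception):
    """No independent basic event with a surviving FV value is available."""


@dataclass(frozen=True)
class BasicEvent:
    name: str
    component: str             # MSPI component the PRA basic event maps to
    failure_mode: str          # "demand", "load" or "run"
    ur: float                  # failure probability used in the PRA
    fv: Optional[float]        # None means the event was truncated out of the solution
    kind: str = "independent"  # "independent", "ccf" or "tm"


def candidates(events, component):
    """Basic events for the component, excluding common cause and test/maintenance."""
    return [e for e in events if e.component == component and e.kind == "independent"]


def largest_ratio(pool, label):
    """Return the event with the largest FV/UR among those not truncated."""
    usable = [e for e in pool if e.fv is not None and e.ur > 0.0]
    if not usable:
        # The guideline's remedy: a lower truncation value or the Section F.6 method.
        raise AllEventsTruncated(f"{label}: no basic event with an FV value")
    return max(usable, key=lambda e: e.fv / e.ur)


def option1_single_ratio(events, component):
    """Option 1: one event whose FV and UR are used for all failure modes."""
    return largest_ratio(candidates(events, component), component)


def option2_ratio_per_mode(events, component):
    """Option 2: one event per defined failure mode, keyed by failure mode."""
    by_mode = {}
    for e in candidates(events, component):
        by_mode.setdefault(e.failure_mode, []).append(e)
    if not by_mode:
        raise AllEventsTruncated(f"{component}: no independent basic events")
    return {mode: largest_ratio(pool, f"{component}/{mode}")
            for mode, pool in sorted(by_mode.items())}


# Constructed sample data. MOV-1 is modeled in the PRA as a valve, an actuation
# relay and a power supply breaker, as in the MOV example in the text.
EVENTS = [
    BasicEvent("MOV1-FTO", "MOV-1", "demand", 3.0e-03, 6.0e-04),
    BasicEvent("MOV1-RELAY-FTE", "MOV-1", "demand", 1.0e-04, 2.5e-05),
    BasicEvent("MOV1-BKR-FTC", "MOV-1", "demand", 5.0e-05, None),
    BasicEvent("MOV-CCF-12", "MOV-1", "demand", 1.0e-04, 5.0e-03, kind="ccf"),
    BasicEvent("MOV1-TM", "MOV-1", "demand", 2.0e-03, 1.0e-03, kind="tm"),
    BasicEvent("P1-FTS", "P-1", "demand", 2.0e-03, 4.0e-04),
    BasicEvent("P1-BKR-FTC", "P-1", "demand", 1.0e-04, 3.0e-05),
    BasicEvent("P1-FTR", "P-1", "run", 1.0e-03, 5.0e-04),
    BasicEvent("CB9-FTC", "CB-9", "demand", 2.0e-04, None),
]

if __name__ == "__main__":
    chosen = option1_single_ratio(EVENTS, "MOV-1")
    print("Option 1, MOV-1:", chosen.name, "FV =", chosen.fv, "UR =", chosen.ur)
    for mode, e in option2_ratio_per_mode(EVENTS, "P-1").items():
        print("Option 2, P-1,", mode + ":", e.name, "FV =", e.fv, "UR =", e.ur)
```

The functions return the chosen event rather than the quotient because FV and UR are entered as separate values.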

F 2.3.4. CORRECTIONS TO FV/UR RATIO

Treatment of PRA Modeling Asymmetries

In systems with rotated normally running pumps (e.g. cooling water systems), the PRA models may assume one pump is always running and another is in standby. For example, a service water system may have two 100% capacity pumps in one train, an A and B pump. In practice the A and B pumps are rotated and each one is the running pump 50% of the time. In the PRA model however, the A pump is assumed to be always running and the B pump is always assumed to be in standby. This will result in one pump appearing to be more important than the other when they are, in fact, of equal importance. This asymmetry in importance is driven by the assumption in the PRA, not the design of the plant.

When this is encountered, the importance measures may be used as they are calculated from the PRA model for the component importance used in the calculation of URI. Although these are not actually the correct importance values, the method used to calculate URI will still provide the correct result because the same value of unreliability is used for each component as a result of the data being pooled. Note that this is different from the treatment of importance in the calculation of UAI.

Cooling Water and Service Water System [FV/UR]ind Values

Ensure that the correction term in this section is applied prior to the calculation of the common cause correction in the next section. Component Cooling Water Systems (CCW) and Service Water Systems (SWS) at some nuclear stations contribute to risk in two ways. First, the systems provide cooling to equipment used for the mitigation of events and second, the failures in the systems may also result in the initiation of an event. Depending on the manner in which the initiator contribution is treated in the PRA, it may be necessary to apply a correction to the FV/UR ratio calculated in the section above. The correction must be applied to each FV/UR ratio used for this index. If the option to use separate ratios for each component failure mode was used in the section above then this correction is calculated for each failure mode of the component.

The contribution to risk from failures to provide cooling to other plant equipment is modeled directly through dependencies in the PRA model. However, the contribution due to event initiation is treated in four general ways in current PRAs:

1) The use of linked initiating event fault trees for these systems with the same basic events used in the initiator and mitigation trees.
2) The use of linked initiating event fault trees for these systems with different basic events used in the initiator and mitigation trees.
3) Fault tree solutions are generated for these systems external to the PRA and the calculated value is used in the PRA as a point estimate.
4) A point estimate value is generated for the initiator using industry and plant-specific event data and used in the PRA.

Each of these methods is discussed below.

Modeling Method 1

If a PRA uses the first modeling option, then the FV values calculated will reflect the total contribution to risk for a component in the system. No additional correction to the FV values is required.

Modeling Methods 2 and 3

The corrected ratio may be calculated as described for modeling method 4 or by the method described below.

If a linked initiating event fault tree with different basic events used in the initiator and mitigation trees is the modeling approach taken, or fault tree solutions are generated for these systems external to the PRA and the calculated value is used in the PRA as a point estimate, then the corrected ratio is given by:

.

In this expression the summation is taken over all system initiators i that involve component n, where:

  • FVc is the Fussell-Vesely for component C as calculated from the PRA Model. This does not include any contribution from initiating events.
  • URc is the basic event unreliability used in computing FVc; i.e. in the system response models.
  • IEm,n(qn) is the system initiator frequency of initiating event m when the component n unreliability basic event is qn. The event chosen in the initiator tree should represent the same failure mode for the component as the event chosen for URc.
  • IEm,n(1) is as above but qn=1.
  • IEm,n(0) is as above but qn=0.
  • FViem is the Fussell-Vesely importance contribution for the initiating event m to the CDF.

Since FV and UR are separate CDE inputs, use URc and calculate FV from


Modeling Method 4

If a point estimate value is generated for the initiator using industry and plant-specific event data and used in the PRA, then the corrected [FV/UR]MAX for a component C is calculated from the expression:


Where:

  • FVc is the Fussell-Vesely for CDF for component C as calculated from the PRA Model. This does not include any contribution from initiating events.
  • FVie is the Fussell-Vesely contribution for the initiating event in question (e.g. loss of service water).
  • FVsc is the Fussell-Vesely within the system fault tree only for component C (i.e. the ratio of the sum of the cut sets in the fault tree solution in which that component appears to the overall system failure probability). Note that this may require the construction of a “satellite” system fault tree to arrive at an exact or approximate value for FVsc depending on the support system fault tree logic.
  • URc is the basic event unreliability used in computing FVc; i.e., in the system response models.

FV and UR are separate CDE input values.

Including the Effect of Common Cause in [FV/UR]max

Be sure that the correction factors from the previous section are applied prior to the common cause correction factor being calculated.

Changes in the independent failure probability of an SSC imply a proportional change in the common cause failure probability, even though no actual common cause failures have occurred. The impact of this effect on URI is considered by including a multiplicative adjustment to the [FV/UR]ind ratio developed in the section above. This multiplicative factor (A) is entered into CDE as “CCF.”

Two methods are provided for including this effect, a simple generic approach that uses bounding generic adjustment values and a more accurate plant-specific method that uses values derived from the plant-specific PRA. Different methods can be used for different systems. However, within an MSPI system, either the generic or plant-specific method must be used for all components in the system, not a combination of different methods. For the cooling water system, different methods may be used for the subsystems that make up the cooling water system. For example, component cooling water and service water may use different methods.

The common cause correction factor is only applied to components within a system and does not include cross system (such as between the BWR HPCI and RCIC systems) common cause. If there is only one component within a component type within the system, the adjustment value is 1.0. Also, if all components within a component type are required for success, then the adjustment value is 1.0.

Generic CCF Adjustment Values

Generic values have been developed for monitored components that are subject to common cause failure. The correction factor is used as a multiplier on the [FV/UR] ratio for each component in the common cause group. This method may be used for simplicity and is recommended for components that are less significant contributors to the URI (e.g. [FV/UR] is small). The multipliers are provided in Table 7.

The EDG is a “super-component” that includes valves, pumps and breakers within the super-component boundary. The EDG generic adjustment value should be applied to the EDG “super-component” even if the specific event used for the [FV/UR] ratio for the EDG is a valve or breaker failure.

Table 7. Generic CCF Adjustment Values

	EPS	HPI	HPI	HRS/	HRS/	RHR
Plant	EDG	MDP Running or Alternating+	MDP Standby	MDP Standby	TDP **	MDP Standby
Arkansas 1	1.25	2	1	1	1	1.5
Arkansas 2	1.25	1	2	1	1	1.5
Beaver Valley 1	1.25	2	1	1.25	1	1.5
Beaver Valley 2	1.25	2	1	1.25	1	1.5
Braidwood 1 & 2	3	1.25	1.25	1	1	1.5
Browns Ferry 1, 2 & 3	1.25	1	1	1	1	3
Brunswick 1 & 2	1.25	1	1	1	1	3
Byron 1 & 2	3	1.25	1.25	1	1	1.5
Callaway	1.25	1.25	1.25	1.25	1	1.5
Calvert Cliffs 1 & 2	1.25	1	2	1.25	1.5	1.5
Catawba 1 & 2	1.25	1.25	1.25	1.25	1	1.5
Clinton 1	1.25	1	1	1	1	1.5
Columbia Nuclear	1.25	1	1	1	1	1.5
Comanche Peak 1 & 2	1.25	1.25	1.25	1.25	1	1.5
Cook 1 & 2	1.25	1.25	1.25	1.25	1	1.5
Cooper Station	1.25	1	1	1	1	3
Crystal River 3	1.25	2	1	1	1	1.5
Davis-Besse	1.25	1.25	1.25	1	1.5	1.5
Diablo Canyon 1 & 2	2	1.25	1.25	1.25	1	1.5
Dresden 2 & 3	1.25	3	1	1	1	3
Duane Arnold	1.25	1	1	1	1	3
Farley 1 & 2	2	2	1	1.25	1	1.5
Fermi 2	1.25	1	1	1	1	3
Fitzpatrick	3	1	1	1	1	3
Fort Calhoun	1.25	1	2	1	1	1.5
Ginna	1.25	1	2	1.25	1	1.5
Grand Gulf	1.25	1	1	1	1	1.5
Harris	1.25	2	1	1.25	1	1.5
Hatch 1 & 2	2	1	1	1	1	3
Hope Creek	1.25	1	1	1	1	1.5
Indian Point 2	1.25	1	2	1.25	1	1.5
Indian Point 3	1.25	1	2	1.25	1	1.5
Kewaunee	1.25	1	1.25	1.25	1	1.5
LaSalle 1 & 2	1.25	1	1	1	1	1.5
Limerick 1 & 2	3	1	1	1	1	3
McGuire 1 & 2	1.25	1.25	1.25	1.25	1	1.5
Millstone 2	1.25	1	2	1.25	1	1.5
Millstone 3	1.25	2	1.25	1.25	1	1.5
Monticello	1.25	1	1	1	1	3
Nine Mile Point 1	1.25	3	1	1	1	3
Nine Mile Point 2	1.25	1	1	1	1	1.5
North Anna 1 & 2	1.25	2	1	1.25	1	1.5
Oconee 1, 2 & 3	3 *	2	1	1.25	1	1.5
Oyster Creek	1.25	1	3	1	1	3
Palisades	1.25	1	1.25	1.25	1	1.5
Palo Verde 1, 2 & 3	1.25	1	1.25	1.25	1	1.5
Peach Bottom 2 & 3	1.25	1	1	1	1	3
Perry	1.25	1	1	1	1	1.5
Pilgrim	1.25	1	1	1	1	3
Point Beach 1 & 2	1.25	1	1.25	1	1	1.5
Prairie Island 1 & 2	1.25	1	1.25	1	1	1.5
Quad Cities 1 & 2	1.25	1	1	1	1	3
River Bend	1.25	1	1	1	1	1.5
Robinson 2	1.25	1	1.25	1.25	1	1.5
Salem 1 & 2	1.25	1.25	1.25	1.25	1	1.5
San Onofre 2 & 3	1.25	1	2	1.25	1	1.5
Seabrook	1.25	1.25	1.25	1	1	1.5
Sequoyah 1 & 2	1.25	1.25	1.25	1.25	1	1.5
South Texas 1 & 2	2	1	2	2	1	1.5
St. Lucie 1	1.25	1	1.25	1.25	1	1.5
St. Lucie 2	1.25	1	1.25	1.25	1	1.5
Summer	1.25	2	1	1.25	1	1.5
Surry 1 & 2	1.25	2	1	1.25	1	1.5
Susquehanna 1 & 2	3	1	1	1	1	3
Three Mile Island 1	1.25	2	1	1.25	1	1.5
Turkey Point 3 & 4	1.25	1	3	1	3	1.5
Vermont Yankee	1.25	1	1	1	1	3
Vogtle 1 & 2	1.25	1.25	1.25	1.25	1	1.5
Waterford 3	1.25	1	2	1.25	1	1.5
Watts Bar 1	1.25	1.25	1.25	1.25	1	1.5
Wolf Creek	1.25	1.25	1.25	1.25	1	1.5

* hydroelectric units
** as applicable
+ Alternating pumps are redundant pumps where one pump is normally running, that are operationally rotated on a periodic basis.

	SWS	SWS	SWS	CCW	CCW	All	All
Plant	MDP Running or Alternating	MDP Standby	DDP **	MDP Running or Alternating	MDP Standby	MOVs and Breakers	AOVs, SOVs, HOVs
All Plants	3	1.5	1.25	1.5	2	2	1.5

** as applicable


Plant-specific Common Cause Adjustment

The plant-specific correction factor should be calculated for each FV/UR ratio that is used in the index. If the option to use a different ratio for each failure mode of a component is used, then the ratio is calculated for each failure mode. The general form of a plant-specific common cause adjustment factor is given by the equation:

.	Eq. 5

Where:

  • n = the number of components in a common cause group,
  • FVi = the FV for independent failure of component i, and
  • FVcc = the FV for the common cause failure of components in the group.

In the expression above, the FVi are the values for the specific failure mode for the component group that was chosen because it resulted in the maximum [FV/UR] ratio. The FVcc is the FV that corresponds to all combinations of common cause events for that group of components for the same specific failure mode. Note that the FVcc may be a sum of individual FVcc values that represent different combinations of component failures in a common cause group.

For cooling water systems that have an initiator contribution, the FV values used should be from the non-initiator part of the model.

For example, consider again a plant with three one hundred percent capacity emergency diesel generators. In this example, three failure modes for the EDG are modeled in the PRA: fail to start (FTS), fail to load (FTL) and fail to run (FTR). Common cause events exist for each of the three failure modes of the EDG in the following combinations: 1) Failure of all three EDGs, 2) Failure of EDG-A and EDG-B, 3) Failure of EDG-A and EDG-C, 4) Failure of EDG-B and EDG-C. This results in a total of 12 common cause events.

Assume the maximum [FV/UR] resulted from the FTS failure mode; then the FVcc used in equation 5 would be the sum of the four common cause FTS events for the combinations listed above.

It is recognized that there is significant variation in the methods used to model common cause. It is common that the 12 individual common cause events described above are combined into a fewer number of events in many PRAs. Correct application of the plant-specific method would, in this case, require the decomposition of the combined events and their related FV values into the individual parts. This can be accomplished by application of the following proportionality:

	Eq. 6

Returning to the example above, assume that common cause was modeled in the PRA by combining all failure modes for each specific combination of equipment modeled. Thus there would be four common cause events corresponding to the four possible equipment groupings listed above, but each of the common cause events would include the three failure modes FTS, FTL and FTR. Again, assume the FTS independent failure mode is the event that resulted in the maximum [FV/UR] ratio. The FVcc value to be used would be found by determining the FTS contribution for each of the four common cause events. In the case of the event representing failure of all three EDGs this would be determined from

.

Where:

  • FVFTSABC = the FV for the FTS failure mode and the failure of all three EDGs,
  • FVABC = the event from the PRA representing the failure of all three EDGs due to all failure modes,
  • URFTSABC = the failure probability for a FTS of all three EDGs, and
  • URABC = the failure probability for all failure modes for the failure of all three EDGs.

After this same calculation was performed for the remaining three common cause events, the value for FVCC to be used in equation 5 would then be calculated from:


This value is used in equation 5 to determine the value of A. The final quantity used in equation 4 is given by:


In this case the individual values on the right hand side of the equation above are input to CDE.

F 2.3.5. BIRNBAUM IMPORTANCE

One of the rules used for determining the valves and circuit breakers to be monitored in this performance indicator permitted the exclusion of valves and circuit breakers with a Birnbaum importance less than 1.0E-06. To apply this screening rule the Birnbaum importance is calculated from the values derived in this section as:

B = CDF*A*[FV/UR]ind = CDF*[FV/UR]max

Ensure that the support system initiator correction (if applicable) and the common cause correction are included in the Birnbaum value used to exclude components from monitoring.


F 2.3.6. CALCULATION OF URDBC, URLBC AND URRBC

Equation 3 includes the three quantities URDBC, URLBC and URRBC, which are the Bayesian corrected plant-specific values of unreliability for the failure modes fail on demand, fail to load/run and fail to run respectively. This section discusses the calculation of these values. As discussed in section F 2.3, failure modes considered for each component type are provided below.

  • Valves and Breakers: Fail on Demand (Open/Close)
  • Pumps: Fail on Demand (Start); Fail to Run
  • Emergency Diesel Generators: Fail on Demand (Start); Fail to Load/Run; Fail to Run

URDBC is calculated as follows.

.	Eq. 7

where in this expression:

  • Nd is the total number of failures on demand during the previous 12 quarters,
  • D is the total number of demands during the previous 12 quarters determined in section 2.2.1.

The values a and b are parameters of the industry prior, derived from industry experience (see Table 8).

In the calculation of equation 7 the numbers of demands and failures are the sums of all demands and failures for similar components within each system. Do not sum across units for a multi-unit plant. For example, for a plant with two trains of Emergency Diesel Generators, the demands and failures for both trains would be added together for one evaluation of equation 7 which would be used for both trains of EDGs.

URLBC is calculated as follows.

.	Eq. 8

where in this expression:

  • Nl is the total number of failures to load (applicable to EDG only) during the previous 12 quarters,
  • D is the total number of load demands during the previous 12 quarters determined in section 2.2.1.

The values a and b are parameters of the industry prior, derived from industry experience (see Table 4).

In the calculation of equation 8 the numbers of demands and failures are the sums of all demands and failures for similar components within each system.

URRBC is calculated as follows.

	Eq. 9

where:

  • Nr is the total number of failures to run during the previous 12 quarters (determined in section 2.2.2),
  • Tr is the total number of run hours during the previous 12 quarters (determined in section 2.2.1),
  • Tm is the mission time for the component based on plant-specific PRA model assumptions. For EDGs, the mission time associated with the Failure To Run Basic Event with the highest Birnbaum value is to be used. For all other equipment, where there is more than one mission time for different initiating events or sequences (e.g., turbine-driven AFW pump for loss of offsite power with recovery versus loss of Feedwater), the longest mission time is to be used.
  • a and b are parameters of the industry prior, derived from industry experience (see Table 4).

In the calculation of equation 9 the numbers of demands and run hours is the sum of all run hours and failures for similar components within each system. Do not sum across units for a multi-unit plant, unless the system is shared between multiple units. For example, for a plant with two trains of Emergency Diesel Generators, the run hours and failures for both trains would be added together for one evaluation of equation 9 which would be used for both trains of EDGs.

F 2.3.7. BASELINE UNRELIABILITY VALUES

The baseline values for unreliability are contained in Table 8 and remain fixed.

Table 8. Industry Priors and Parameters for Unreliability

Component	Failure Mode	a (note a)	b (note a)	Industry Mean Value (note b), URBLC
Circuit Breaker	Fail to open (or close)	4.99E-1	6.23E+2	8.00E-4
Hydraulic-operated valve	Fail to open (or close)	4.98E-1	4.98E+2	1.00E-3
Motor-operated valve	Fail to open (or close)	4.99E-1	7.12E+2	7.00E-4
Solenoid-operated valve	Fail to open (or close)	4.98E-1	4.98E+2	1.00E-3
Air-operated valve	Fail to open (or close)	4.98E-1	4.98E+2	1.00E-3
Motor-driven pump, standby	Fail to start	4.97E-1	2.61E+2	1.90E-3
Motor-driven pump, standby	Fail to run	5.00E-1	1.00E+4	5.00E-5
Motor-driven pump, running or alternating	Fail to start	4.98E-1	4.98E+2	1.00E-3
Motor-driven pump, running or alternating	Fail to run	5.00E-1	1.00E+5	5.00E-6
Turbine-driven pump, AFWS	Fail to start	4.85E-1	5.33E+1	9.00E-3
Turbine-driven pump, AFWS	Fail to run	5.00E-1	2.50E+3	2.00E-4
Turbine-driven pump, HPCI or RCIC	Fail to start	4.78E-1	3.63E+1	1.30E-2
Turbine-driven pump, HPCI or RCIC	Fail to run	5.00E-1	2.50E+3	2.00E-4
Diesel-driven pump, AFWS	Fail to start	4.80E-1	3.95E+1	1.20E-2
Diesel-driven pump, AFWS	Fail to run	5.00E-1	2.50E+3	2.00E-4
Emergency diesel generator	Fail to start	4.92E-1	9.79E+1	5.00E-3
Emergency diesel generator	Fail to load/run	4.95E-1	1.64E+2	3.00E-3
Emergency diesel generator	Fail to run	5.00E-1	6.25E+2	8.00E-4

a. A constrained, non-informative prior is assumed. For failure to run events, a = 0.5 and b = (a)/(mean rate). For failure upon demand events, a is a function of the mean probability:

Mean Probability	a
0.0 to 0.0025	0.50
>0.0025 to 0.010	0.49
>0.010 to 0.016	0.48
>0.016 to 0.023	0.47
>0.023 to 0.027	0.46

Then b = (a)(1.0 - mean probability)/(mean probability).

b. Failure to run events occurring within the first hour of operation are included within the failure to start failure mode. Failure to run events occurring after the first hour of operation (after the first hour following closure of the load breaker for emergency power generators) are included within the failure to run failure mode.
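
The relations in footnote a and the pooling rule stated for equations 7 and 9 can be checked numerically. The Python below is an added example, not part of NEI 99-02 or of the CDE software: it recomputes b for Table 8 rows from a and the industry mean, then pools 12-quarter EDG data for one unit. Assumptions: equations 7 and 9 are not legible on this page, so ur_demand and ur_run use the conjugate posterior-mean form implied by the prior (beta-binomial and gamma-Poisson); the records, the "EAC" system label and the 24-hour mission time are constructed.

```python
"""Added example: Table 8 prior parameters and Bayesian-corrected unreliability."""

# Rows copied from Table 8: (component, failure mode, kind, a, b, industry mean).
# kind "demand": mean is a probability per demand (EDG fail to load/run is
# treated as demand-based because equation 8 counts load demands).
# kind "run": mean is a rate per run hour (Tr is counted in run hours).
TABLE_8 = [
    ("Circuit breaker", "Fail to open (or close)", "demand", 4.99e-1, 6.23e2, 8.00e-4),
    ("Hydraulic-operated valve", "Fail to open (or close)", "demand", 4.98e-1, 4.98e2, 1.00e-3),
    ("Motor-operated valve", "Fail to open (or close)", "demand", 4.99e-1, 7.12e2, 7.00e-4),
    ("Motor-driven pump, standby", "Fail to start", "demand", 4.97e-1, 2.61e2, 1.90e-3),
    ("Motor-driven pump, standby", "Fail to run", "run", 5.00e-1, 1.00e4, 5.00e-5),
    ("Turbine-driven pump, AFWS", "Fail to start", "demand", 4.85e-1, 5.33e1, 9.00e-3),
    ("Turbine-driven pump, HPCI or RCIC", "Fail to start", "demand", 4.78e-1, 3.63e1, 1.30e-2),
    ("Diesel-driven pump, AFWS", "Fail to start", "demand", 4.80e-1, 3.95e1, 1.20e-2),
    ("Emergency diesel generator", "Fail to start", "demand", 4.92e-1, 9.79e1, 5.00e-3),
    ("Emergency diesel generator", "Fail to load/run", "demand", 4.95e-1, 1.64e2, 3.00e-3),
    ("Emergency diesel generator", "Fail to run", "run", 5.00e-1, 6.25e2, 8.00e-4),
]


def prior_b(kind, a, mean):
    """b from footnote a: a(1 - mean)/mean for demand events, a/mean for run events."""
    if kind == "demand":
        return a * (1.0 - mean) / mean
    if kind == "run":
        return a / mean
    raise ValueError(f"unknown failure kind: {kind}")


def table_8_mismatches(rel_tol=0.01):
    """Rows whose tabulated b differs from footnote a by more than rel_tol."""
    bad = []
    for comp, mode, kind, a, b, mean in TABLE_8:
        if abs(prior_b(kind, a, mean) - b) / b > rel_tol:
            bad.append((comp, mode))
    return bad


def prior(component, mode):
    """Look up (a, b) for one component and failure mode."""
    for comp, m, _kind, a, b, _mean in TABLE_8:
        if (comp, m) == (component, mode):
            return a, b
    raise KeyError((component, mode))


def ur_demand(n_fail, demands, a, b):
    """Assumed form: posterior mean of a Beta(a, b) prior after binomial data."""
    return (n_fail + a) / (a + b + demands)


def ur_run(n_fail, run_hours, mission_time_h, a, b):
    """Assumed form: posterior mean rate of a Gamma(a, b) prior times mission time."""
    return (n_fail + a) / (run_hours + b) * mission_time_h


# Constructed 12-quarter records, one per EDG train; not plant data.
RECORDS = [
    {"unit": 1, "system": "EAC", "train": "EDG-A", "start_demands": 40,
     "start_failures": 1, "run_hours": 60.0, "run_failures": 0},
    {"unit": 1, "system": "EAC", "train": "EDG-B", "start_demands": 38,
     "start_failures": 0, "run_hours": 55.0, "run_failures": 0},
    {"unit": 2, "system": "EAC", "train": "EDG-A", "start_demands": 41,
     "start_failures": 2, "run_hours": 58.0, "run_failures": 1},
]


def pool(records, unit, system, field):
    """Sum one field over similar components in one system, never across units."""
    return sum(r[field] for r in records
               if r["unit"] == unit and r["system"] == system)


def edg_unreliability(records, unit, mission_time_h):
    """One pooled evaluation per unit; the result applies to every EDG train there."""
    a_d, b_d = prior("Emergency diesel generator", "Fail to start")
    a_r, b_r = prior("Emergency diesel generator", "Fail to run")
    return {
        "URDBC": ur_demand(pool(records, unit, "EAC", "start_failures"),
                           pool(records, unit, "EAC", "start_demands"), a_d, b_d),
        "URRBC": ur_run(pool(records, unit, "EAC", "run_failures"),
                        pool(records, unit, "EAC", "run_hours"),
                        mission_time_h, a_r, b_r),
    }


if __name__ == "__main__":
    print("Table 8 rows inconsistent with footnote a:", table_8_mismatches())
    for unit in (1, 2):
        print("unit", unit, edg_unreliability(RECORDS, unit, mission_time_h=24.0))
```

With no plant data at all, ur_demand returns a/(a + b), which reproduces the industry mean in Table 8; each observed failure then moves the estimate away from that baseline in proportion to the pooled number of demands.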

F 3. ESTABLISHING STATISTICAL SIGNIFICANCE

This performance indicator establishes an acceptable level of performance for the monitored systems that is reflected in the baseline reliability values in Table 4. Plant-specific differences from this acceptable performance are interpreted in the context of the risk significance of the difference from the acceptable performance level. It is expected that a system that is performing at an acceptable performance level will see variations in performance over the monitoring period. For example a system may, on average, see three failures in a three year period at the accepted level of reliability. It is expected, due to normal performance variation, that this system will sometimes experience two or four failures in a three year period. It is not appropriate that a system should be placed in a white performance band due to expected variation in measured performance. This problem is most noticeable for risk sensitive systems that have few demands in the three year monitoring period.

This problem is resolved by applying a limit of 5.0E-07 to the magnitude of the most significant failure in a system. This ensures that one failure beyond the expected number of failures alone cannot result in MSPI > 1.0E-06. A MSPI > 1.0E-06 will still be a possible result if there is significant system unavailability, or failures in other components in the system.

This limit on the maximum value of the most significant failure in a system is only applied if the MSPI value calculated without the application of the limit is less than or equal to 1.0E-05. This calculation will be performed by the CDE software; no additional input values are required.

F 4. CALCULATION OF SYSTEM COMPONENT PERFORMANCE LIMITS

The mitigating systems chosen to be monitored are generally the most important systems in nuclear power stations. However, in some cases the system may not be as important at a specific station. This is generally due to specific features at a plant, such as diverse methods of achieving the same function as the monitored system. In these cases a significant degradation in performance could occur before the risk significance reached a point where the MSPI would cross the white boundary. In cases such as this it is not likely that the performance degradation would be limited to that one system and may well involve cross cutting issues that would potentially affect the performance of other mitigating systems. A performance based criterion for determining declining performance is used as an additional decision criterion for determining that performance of a mitigating system has degraded to the white band. This decision is based on deviation of system performance from expected performance. The decision criterion was developed such that a system is placed in the white performance band when there is high confidence that system performance has degraded even though MSPI ≤ 1.0E-06.

The criterion is applied to each component type in a system. If the number of failures in a 36 month period for a component type exceeds a performance based limit, then the system is considered to be performing at a white level, regardless of the MSPI calculated value. The performance based limit is calculated in two steps: 1. Determine the expected number of failures for a component type and 2. Calculate the performance limit from this value. The expected number of failures is calculated from the relation

Where: Nd is the number of demands p is the probability of failure on demand, from Table 8 (URLBC).  is the failure rate, from Table 8 (URLBC) Tr is the runtime of the component

This value is used in the following expression to determine the maximum number of failures:


If the actual number of failures (Fa) of a similar group of components (components that are grouped for the purpose of pooling data) within a system in a 36 month period exceeds Fm, then the system is placed in the white performance band or the level dictated by the MSPI calculation if the MSPI calculation is > 1E-5.

This calculation will be performed by the CDE software; no additional input values are required.

F 5. ADDITIONAL GUIDANCE FOR SPECIFIC SYSTEMS

This section identifies the potential monitored functions for each system and describes typical system scopes and train determinations.

Emergency AC Power Systems

Scope

The function monitored for the emergency AC power system is the ability of the emergency generators to provide AC power to the class 1E buses following a loss of off-site power. The emergency AC power system is typically comprised of two or more independent emergency generators that provide AC power to class 1E buses following a loss of off-site power. The emergency generator dedicated to providing AC power to the high pressure core spray system in BWRs is not within the scope of emergency AC power.

The EDG component boundary includes the generator body, generator actuator, lubrication system (local), fuel system (local or day tank and fuel oil transfer pumps/valves), cooling components (local), startup air system receiver, exhaust and combustion air system, dedicated diesel battery (which is not part of the normal DC distribution system), individual diesel generator control system, cooling water isolation valves, circuit breaker for supply to safeguard buses and their associated control circuit. Air compressors are not part of the EDG component boundary.

The fuel oil transfer pumps required to meet the PRA mission time are within the EDG component boundary, but are not considered to be a separate monitored component for reliability monitoring in the EDG system. Additionally they are monitored for contribution to train unavailability if the fuel oil transfer pump(s) is (are) required to meet the EDG mission time (as specified in Section F.2.2.2 and as defined in the MSPI Definition of Terms section). (See also the EDG Failure-to-Run definition in Section F.2.2.2 as revised by FAQ 11-08.)

Emergency generators that are not safety grade, or that serve a backup role only (e.g., an alternate AC power source), are not included in the performance reporting.

Train Determination

The number of emergency AC power system trains for a unit is equal to the number of class 1E emergency generators that are available to power safe-shutdown loads in the event of a loss of off-site power for that unit. There are three typical configurations for EDGs at a multi-unit station:

1. EDGs dedicated to only one unit.
2. One or more EDGs are available to “swing” to either unit.
3. All EDGs can supply all units.

For configuration 1, the number of trains for a unit is equal to the number of EDGs dedicated to the unit. For configuration 2, the number of trains for a unit is equal to the number of dedicated EDGs for that unit plus the number of “swing” EDGs available to that unit (i.e., the “swing” EDGs are included in the train count for each unit). For configuration 3, the number of trains is equal to the number of EDGs.

Clarifying Notes

An EDG is not considered to have failed due to any of the following events:

  • spurious operation of a trip that would be bypassed in a loss of offsite power event
  • malfunction of equipment that is not required to operate during a loss of offsite power event (e.g., circuitry used to synchronize the EDG with off-site power sources)
  • failure to start because a redundant portion of the starting system was intentionally disabled for test purposes, if followed by a successful start with the starting system in its normal alignment


BWR High Pressure Injection Systems

(High Pressure Coolant Injection, High Pressure Core Spray, and Feedwater Coolant Injection)

Scope

These systems function at high pressure to maintain reactor coolant inventory and to remove decay heat.

The function monitored for the indicator is the ability of the monitored system to take suction from the suppression pool (and from the condensate storage tank, if required to meet the PRA success criteria and mission times) and inject into the reactor vessel. The mitigation of ATWS events with a high pressure injection system is not considered a function to be monitored by the MSPI. (Note, however, that the FV values will include ATWS events).

Plants should monitor either the high-pressure coolant injection (HPCI), the high-pressure core spray (HPCS), or the feedwater coolant injection (FWCI) system, whichever is installed. The turbine and governor and associated piping and valves for turbine steam supply and exhaust are within the scope of the HPCI system. The flow path for the steam supply to a turbine driven pump is included from the steam source (main steam lines) to the pump turbine. The motor driven pump for HPCS and FWCI are in scope along with any valves that must change state such as low flow valves in FWCI. Valves in the feedwater line are not considered within the scope of these systems because they are normally open during operation and do not need to change state for these systems to operate. However waterside valves up to the feedwater line are in scope if they need to change state such as the HPCI injection valve.

The emergency generator dedicated to providing AC power to the high-pressure core spray system is included in the scope of the HPCS. The HPCS system typically includes a "water leg" pump to prevent water hammer in the HPCS piping to the reactor vessel. The "water leg" pump and valves in the "water leg" pump flow path are ancillary components and are not included in the scope of the HPCS system. Unavailability is not included while critical if the system is below steam pressure specified in technical specifications at which the system can be operated.

Oyster Creek

For Oyster Creek the design does not include any high pressure injection system beyond the normal feedwater system. For the BWR high pressure injection system, Oyster Creek will monitor the Core Spray system, a low pressure injection system.

Train Determination

The HPCI and HPCS systems are considered single-train systems. The booster pump and other small pumps are ancillary components not used in determining the number of trains. The effect of these pumps on system performance is included in the system indicator to the extent their failure detracts from the ability of the system to perform its monitored function. For the FWCI system, the number of trains is determined by the number of feedwater pumps. The number of condensate and feedwater booster pumps are not used to determine the number of trains. It is recommended that the DG that provides dedicated power to the HPCS system be monitored as a separate “train” (or segment) for unavailability as the risk importance of the DG is different than the fluid parts of the system.

Reactor Core Isolation Cooling (or Isolation Condenser)

Scope

This system functions at high pressure to remove decay heat. The RCIC system also functions to maintain reactor coolant inventory.

The function monitored for the indicator is the ability of the RCIC system to cool the reactor vessel core and provide makeup water by taking suction from the suppression pool (and from the condensate storage tank, if required to meet the PRA success criteria and mission times) and inject into the reactor vessel.

The Reactor Core Isolation Cooling (RCIC) system turbine, governor, and associated piping and valves for steam supply and exhaust are within the scope of the RCIC system. Valves in the feedwater line are not considered within the scope of the RCIC system because they are normally open during operation and do not have to change state for RCIC to perform its function.

The function monitored for the Isolation Condenser is the ability to cool the reactor by transferring heat from the reactor to the Isolation Condenser water volume. The Isolation Condenser and inlet valves are within the scope of Isolation Condenser system along with the connecting active valve for isolation condenser makeup. Unavailability is not included while critical if the system is below steam pressure specified in technical specifications at which the system can be operated.

Train Determination

The RCIC system is considered a single-train system. The condensate and vacuum pumps are ancillary components not used in determining the number of trains. The effect of these pumps on RCIC performance is included in the system indicator to the extent that a component failure results in an inability of the system to perform its monitored function.

For Isolation Condensers, a train is a flow path from the reactor to the isolation condenser back to the reactor. The connecting active valve for isolation condenser makeup is included in the train.

BWR Residual Heat Removal Systems

Scope

The function monitored for the BWR residual heat removal (RHR) system is the ability of the RHR system to provide suppression pool cooling. The pumps, heat exchangers, and associated piping and valves for this function are included in the scope of the RHR system. If an RHR system has pumps that do not perform a heat removal function (e.g. cannot connect to a heat exchanger, dedicated LPCI pumps) they are not included in the scope of this indicator.

Train Determination

The number of trains in the RHR system is determined as follows. If the number of heat exchangers and pumps is the same, the number of heat exchangers determines the number of trains. If the number of heat exchangers and pumps are different, the number of trains should be that used by the PRA model. Typically this would be two pumps and one heat exchanger forming a train where the train is unavailable only if both pumps are unavailable, or two pumps and one heat exchanger forming two trains with the heat exchanger as a shared component where a train is unavailable if a pump is unavailable and both trains are unavailable if the heat exchanger is unavailable.

PWR High Pressure Safety Injection Systems

Scope

These systems are used primarily to maintain reactor coolant inventory at high RCS pressures following a loss of reactor coolant. HPSI system operation involves transferring an initial supply of water from the refueling water storage tank (RWST) to cold leg piping of the reactor coolant system. Once the RWST inventory is depleted, recirculation of water from the reactor building emergency sump is required. The function monitored for HPSI is the ability of a HPSI train to take a suction from the primary water source (typically, a borated water tank), or from the containment emergency sump, and inject into the reactor coolant system.

The scope includes the pumps and associated piping and valves from both the refueling water storage tank and from the containment sump to the pumps, and from the pumps into the reactor coolant system piping. For plants where the high-pressure injection pump takes suction from the residual heat removal pumps, the residual heat removal pump discharge header isolation valve to the HPSI pump suction is included in the scope of HPSI system. Some components may be included in the scope of more than one train. For example, cold-leg injection lines may be fed from a common header that is supplied by both HPSI trains. In these cases, the effects of testing or component failures in an injection line should be reported in both trains.

Train Determination

In general, the number of HPSI system trains is defined by the number of high head injection paths that provide cold-leg and/or hot-leg injection capability, as applicable.

For Babcock and Wilcox (B&W) reactors, the design features centrifugal multi-stage pumps used for high pressure injection (about 2,500 psig) and no hot-leg injection path. Recirculation from the containment sump requires lining up the HPI pump suctions to the Low-Pressure Injection (LPI) pump discharges for adequate NPSH. This is typically a two-train system, with an installed spare pump (depending on plant-specific design) that can be aligned to either train.

For two-loop Westinghouse plants, the pumps operate at a lower pressure (about 1600 psig) and there may be a hot-leg injection path in addition to a cold-leg injection path (both are included as a part of the train).

For Westinghouse three-loop plants, the design features three centrifugal pumps that operate at high pressure (about 2500 psig), a cold-leg injection path through the BIT (with two trains of redundant valves), an alternate cold-leg injection path, and two hot-leg injection paths. One of the pumps is considered an installed spare. Recirculation is provided by taking suction from the RHR pump discharges. A train consists of a pump, the pump suction valves and boron injection tank (BIT) injection line valves electrically associated with the pump, and the associated hot-leg injection path. The alternate cold-leg injection path is required for recirculation, and should be included in the train with which its isolation valve is electrically associated. This represents a two-train HPSI system.

For four-loop Westinghouse plants, the design features two centrifugal pumps that operate at high pressure (about 2500 psig), two centrifugal pumps that operate at an intermediate pressure (about 1600 psig), a BIT injection path (with two trains of injection valves), a cold-leg safety injection path, and two hot-leg injection paths. Recirculation is provided by taking suction from the RHR pump discharges. Each of two high pressure trains is comprised of a high pressure centrifugal pump, the pump suction valves and BIT valves that are electrically associated with the pump. Each of two intermediate pressure trains is comprised of the safety injection pump, the suction valves and the hot-leg injection valves electrically associated with the pump. The cold-leg safety injection path can be fed with either safety injection pump, thus it should be associated with both intermediate pressure trains. This HPSI system is considered a four-train system for monitoring purposes.

For Combustion Engineering (CE) plants, the design features two or three centrifugal pumps that operate at intermediate pressure (about 1300 psig) and provide flow to four cold-leg injection paths or two hot-leg injection paths. In most designs, the HPSI pumps take suction directly from the containment sump for recirculation. In these cases, the sump suction valves are included within the scope of the HPSI system. This is a two-train system (two trains of combined cold-leg and hot-leg injection capability). One of the three pumps is typically an installed spare that can be aligned to either train or only to one of the trains (depending on plant-specific design).

PWR Auxiliary Feedwater Systems

Scope

The function of the AFW system is to provide decay heat removal via the steam generators to cool down and depressurize the reactor coolant system following a reactor trip. The mitigation of ATWS events with the AFW system is not considered a function to be monitored by the MSPI. (Note, however, that the FV values will include ATWS events.)

The function monitored for the indicator is the ability of the AFW system to autostart, take a suction from a water source (typically, the condensate storage tank and if required to meet the PRA success criteria and mission time, from an alternate source) and to inject into at least one steam generator.

The scope of the auxiliary feedwater (AFW) or emergency feedwater (EFW) systems includes the pumps, the condensate storage tank (CST), the components in the flow paths between the pumps and CST, and, if required, the valve(s) that connect the alternative water source to the auxiliary feedwater system. The flow path for the steam supply to a turbine driven pump is included from the steam source (main steam lines) to the pump turbine. Pumps included in the Technical Specifications (subject to a Limiting Condition for Operation) are included in the scope of this indicator. Some initiating events, such as a feedwater line break, may require isolation of AFW flow to the affected steam generator to prevent flow diversion from the unaffected steam generator. This function should be considered a monitored function if it is required.

Train Determination

The number of trains is determined primarily by the number of parallel pumps. For example, a system with three pumps is defined as a three-train system, whether it feeds two, three, or four injection lines, and regardless of the flow capacity of the pumps. Some components may be included in the scope of more than one train. For example, one set of flow regulating valves and isolation valves in a three-pump, two-steam generator system are included in the motor-driven pump train with which they are electrically associated, but they are also included (along with the redundant set of valves) in the turbine-driven pump train. In these instances, the effects of testing or failure of the valves should be reported in both affected trains. Similarly, when two trains provide flow to a common header, the effect of isolation or flow regulating valve failures in paths connected to the header should be considered in both trains.

PWR Residual Heat Removal System

Scope

The function monitored for the PWR residual heat removal (RHR) system is the long term decay heat removal function to mitigate those transients that cannot rely on the steam generators alone for decay heat removal. These typically include the low-pressure injection function and the recirculation mode used to cool and recirculate water from the containment sump following depletion of RWST inventory to provide decay heat removal. The pumps, heat exchangers, and associated piping and valves for those functions are included in the scope of the RHR system. Containment spray function should be included if it provides a risk significant decay heat removal function. Containment spray systems that only provide containment pressure control are not included.

CE Designed NSSS

CE ECCS designs differ from the description above. CE designs run all ECCS pumps during the injection phase (Containment Spray (CS), High Pressure Safety Injection (HPSI), and Low Pressure Safety Injection (LPSI)), and on Recirculation Actuation Signal (RAS), the LPSI pumps are automatically shut down, and the suction of the HPSI and CS pumps is shifted to the containment sump. The HPSI pumps then provide the recirculation phase core injection, and the CS pumps, by drawing inventory out of the sump, cooling it in heat exchangers, and spraying the cooled water into containment, support the core injection inventory cooling.

For the RHR function the CE plant design uses HPSI to take a suction from the sump, CS to cool the fluid, and HPSI to inject at low pressure into the RCS. Due to these design differences, CE plants with this design should monitor this function in the following manner. The two containment spray pumps and associated coolers should be counted as two trains of RHR providing the recirculation cooling. Therefore, for the CE designed plants two trains should be monitored, as follows:

  • Train 1 (recirculation mode) Consisting of the "A" containment spray pump, the required spray pump heat exchanger and associated flow path valves.
  • Train 2 (recirculation mode) Consisting of the "B" containment spray pump, the required spray pump heat exchanger and associated flow path valves.

Surry, North Anna and Beaver Valley Unit 1

The at-power RHR function is provided by two 100% low head safety injection pumps taking suction from the containment sump and injecting to the RCS at low pressure, with the heat exchanger function (containment sump water cooling) provided by four 50% containment recirculation spray system pumps and heat exchangers. The RHR Performance Indicator should be calculated as follows. The low head safety injection and recirculation spray pumps and associated coolers should be counted as two trains of RHR providing the recirculation cooling function, as follows:

  • “A” train consisting of the “A” LHSI pump, associated MOVS and the required “A” train recirculation spray pumps, heat exchangers, and MOVS.
  • “B” train consisting of the “B” LHSI pump, associated MOVS and the required “B” train recirculation spray pumps, heat exchangers, and MOVS.

Beaver Valley Unit 2

The at-power RHR function is provided by two 100% containment recirculation spray pumps taking suction from the containment sump and injecting to the RCS at low pressure. The heat exchanger function is provided by two 100% capacity containment recirculation spray system heat exchangers, one per train. The RHR Performance Indicator should be calculated as follows. The two containment recirculation spray pumps and associated coolers should be counted as two trains of RHR providing the recirculation cooling. Two trains should be monitored as follows:

  • Train 1 (recirculation mode) Consisting of the containment recirculation spray pump, associated MOVS, and the required recirculation spray pump heat exchanger and MOVS.
  • Train 2 (recirculation mode) Consisting of the containment recirculation spray pump, associated MOVS, and the required recirculation spray pump heat exchanger and MOVS.

Train Determination

The number of trains in the RHR system is determined by the number of parallel RHR heat exchangers. Some components are used to provide more than one function of RHR. If a component cannot perform as designed, rendering its associated train incapable of meeting one of the monitored functions, then the train is considered to be failed. Unavailable hours would be reported as a result of the component failure.

Cooling Water Support System

Scope

The functions monitored for the cooling water support system are those functions that are necessary (i.e., Technical Specification-required) to provide for direct cooling of the components in monitored trains or segments of systems supported by the cooling water system. It does not include indirect cooling provided by room coolers or other HVAC features.

Systems that provide this function typically include service water and component cooling water or their cooling water equivalents. Service water systems are typically open “raw water” systems that use natural sources of water such as rivers, lakes, or oceans. Component cooling water systems are typically closed “clean water” systems.

Pumps, valves, heat exchangers and line segments that are necessary to provide cooling to monitored trains or segments of system(s) supported by the cooling water system are included within the cooling water system boundary up to, but not including, the isolation valve(s) that connects the cooling water system to components in a single monitored train or segment of the supported system. This isolation valve is included within the boundary of the monitored train or segment of the supported system. The last valve(s) that provides cooling to SSCs in more than one monitored train or segment of supported system(s) is included within the boundary of the cooling water system. All valves (e.g., manual isolation valves or motor operated valves) in a cooling water line to a single monitored train or segment of a supported system are included within the boundary of the monitored train or segment of the supported system. Figure F-6 depicts this concept and the treatment of multiple isolation valves. The SSCs outside the dashed boxes are included within the boundary of the cooling water system. The SSCs within the dashed boxes are included within the boundaries of the supported systems.

Valves in the cooling water support system that must close to ensure sufficient cooling to the other monitored system components to meet risk significant functions are included in the system boundary.

If a cooling water system provides cooling to only one monitored system, then it should be included in the scope of that monitored system. Systems that are dedicated to cooling RHR heat exchangers only are included in the cooling water support system scope.

Train Determination

The number of trains in the Cooling Water Support System will vary considerably from plant to plant. The way these functions are modeled in the plant-specific PRA will determine a logical approach for train determination. For example, if the PRA modeled separate pump and line segments, then the number of pumps and line segments would be the number of trains.

Clarifying Notes

Service water pump strainers, cyclone separators, and traveling screens are not considered to be monitored components and are therefore not part of URI. However, clogging of strainers and screens that renders the train unavailable to perform its monitored cooling function (which includes the mission times) is included in UAI. Note, however, if the service water pumps fail due to a problem with the strainers, cyclone separators, or traveling screens, the failure is included in the URI.


F 6. CALCULATION OF THE BIRNBAUM IMPORTANCE BY REQUANTIFICATION

This section provides an alternative to the method outlined in sections F 1.3.1-F 1.3.3 and F 2.3.1-F 2.3.3. If the method outlined in this section is used, the calculations outlined in sections F 1.3.1-F 1.3.3 and F 2.3.1-F 2.3.3 are not applicable. The truncation level used for the method described in this section should be sufficient to provide a converged value of CDF. CDF is considered to be converged when decreasing the truncation level by a decade results in a change in CDF of less than 5%. The Birnbaum importance measure can be calculated from:

or

Where CDF1 is the Core Damage Frequency with the failure probability for the component (any representative basic event) set to one, CDF0 is the Core Damage Frequency with the failure probability for the component (any representative basic event) set to zero, CDFB is the Base Case Core Damage Frequency, and p is the failure probability of the representative basic event. As a special case, if the component is truncated from the base case then

and


With the Birnbaum importance calculated directly by re-quantification, the CDE input values must be calculated from this quantity.

The CDF value input to CDE for this method is the value of CDFB from the baseline quantification.

The value of UA or UR is taken from the representative basic event (p) used in the quantification above. The FV value is then calculated from the expression

.
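The requantification procedure of F 6, as an added example that is not part of NEI 99-02, run on a constructed six-cutset model. It assumes the standard definitions B = CDF1 − CDF0 and FV = B·p/CDFB and a rare-event sum over cutsets; every event name, frequency and probability is constructed.

```python
from math import prod

# Constructed toy model (not plant data): each minimal cutset is
# (initiating-event frequency per year, basic events that must all fail).
CUTSETS = [
    (3.0e-2, ("EDG-A-FTS", "EDG-B-FTS")),
    (3.0e-2, ("EDG-A-FTS", "AFW-TDP-FTS")),
    (1.0,    ("AFW-TDP-FTS", "AFW-MDP-FTS")),
    (4.0e-3, ("HPSI-A-FTS", "HPSI-B-FTS")),
    (4.0e-3, ("RHR-A-FTR", "RHR-B-FTR")),
    (4.0e-3, ("HPSI-A-FTS", "RHR-B-FTR")),
]
PROBS = {
    "EDG-A-FTS": 5.0e-3, "EDG-B-FTS": 5.0e-3,
    "AFW-TDP-FTS": 2.0e-2, "AFW-MDP-FTS": 3.0e-5,
    "HPSI-A-FTS": 1.0e-3, "HPSI-B-FTS": 1.0e-3,
    "RHR-A-FTR": 2.0e-3, "RHR-B-FTR": 2.0e-3,
}


def quantify(probs, truncation):
    """CDF as the sum of cutset frequencies at or above the truncation level."""
    total = 0.0
    for freq, events in CUTSETS:
        value = freq * prod(probs[e] for e in events)
        if value >= truncation:
            total += value
    return total


def converged_truncation(probs, start_exp=6, floor_exp=14, tol=0.05):
    """Lower the truncation a decade at a time until CDF changes by < 5%."""
    for exp in range(start_exp, floor_exp):
        level, lower = 10.0 ** -exp, 10.0 ** -(exp + 1)
        cdf, cdf_lower = quantify(probs, level), quantify(probs, lower)
        if cdf > 0 and abs(cdf_lower - cdf) / cdf < tol:
            return level, cdf
    raise ValueError("CDF did not converge above the truncation floor")


def requantify(event, probs, truncation):
    """Birnbaum and FV for one basic event from three quantifications."""
    p = probs[event]
    cdf_b = quantify(probs, truncation)                      # base case
    cdf_1 = quantify({**probs, event: 1.0}, truncation)      # event failed
    cdf_0 = quantify({**probs, event: 0.0}, truncation)      # event perfect
    # If every cutset holding the event was truncated from the base case,
    # CDF0 equals CDFB and the Birnbaum reduces to CDF1 - CDFB.
    truncated = cdf_0 == cdf_b
    birnbaum = cdf_1 - cdf_0
    return {
        "CDFB": cdf_b, "CDF1": cdf_1, "CDF0": cdf_0,
        "truncated_in_base": truncated,
        "B": birnbaum,
        # Equivalent form from linearity of CDF in p; it collapses to zero
        # when the event is truncated, which is why the special case exists.
        "B_from_p": (cdf_b - cdf_0) / p,
        "FV": birnbaum * p / cdf_b,
    }


if __name__ == "__main__":
    level, cdf = converged_truncation(PROBS)
    print(f"converged truncation {level:.0e}, CDFB {cdf:.3e}")
    for name in ("EDG-A-FTS", "HPSI-A-FTS"):
        r = requantify(name, PROBS, level)
        print(name, f"B={r['B']:.3e} FV={r['FV']:.3e}",
              "truncated in base" if r["truncated_in_base"] else "")
```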


Figure F-1

  • The Fuel Oil Transfer Pump(s)/Valve(s) are included in the EDG Component Boundary. See Section 5 for monitoring requirements. 

Figure F-4

Figure F-5




Figure F-6



APPENDIX G MSPI Basis Document Development


To implement the Mitigating Systems Performance Index (MSPI), Licensees will develop a plant-specific basis document that documents the information and assumptions used to calculate the Reactor Oversight Program (ROP) MSPI. This basis document is necessary to support the NRC inspection process, and to record the assumptions and data used in developing the MSPI on each site. A summary of any changes to the basis document is noted in the comment section of the quarterly data submission to the NRC.

The basis document will have two major sections. The first, described below, will document the information used in developing the MSPI. The second section will document the conformance of the plant-specific PRA to the requirements that are outlined in this appendix.

G 1. MSPI Data

The basis document provides a separate section for each monitored system as defined in Section 2.2 of NEI 99-02. The section for each monitored system contains the following subsections:

G 1.1 System Boundaries

This section contains a description of the boundaries for each train of the monitored system. A plant drawing or figure (training type figure) should be included and marked adequately (i.e., highlighted trains) to show the boundaries. The guidance for determining the boundaries is provided in Appendix F, Section 1.1 of NEI 99-02.

G 1.2 Risk Significant Functions

This section lists the risk significant functions for each train of the monitored system. Risk Significant Functions are defined in section 2.2 of NEI 99-02. Additional detail is given in Appendix F, Section 1.1.1 and Section 5 “Additional Guidance for Specific Systems”. A single list for the system may be used as long as any differences between trains are clearly identified. This section may also be combined with the section on Success Criteria if a combination of information into a table format is desired. If none of the functions for the system are considered risk significant, identify the monitored function as defined in section F 1.1.1.

G 1.3 Success Criteria

This section documents the success criteria as defined in Section 2.2 of NEI 99-02 for each of the identified monitored functions for the system. Additional detail is given in Appendix F, Section 2.1.1. The criteria used are the documented PRA success criteria.

  • If the licensee has chosen to use design basis success criteria in the PRA, then provide a statement in this section that states the PRA uses design basis success criteria.
  • If success criteria from the PRA are different from the design basis, then the specific differences from the design basis success criteria shall be documented in this section. Provide the actual values used to characterize success such as: The time required in the PRA for the EDG to successfully reach rated speed and voltage is 15 seconds.

Where there are different success criteria for different monitored functions or different success criteria for different initiators within a monitored function, all should be recorded and the most restrictive shown as the one used, with the exception of ATWS-related success criteria which are not in the scope of MSPI.

G 1.4 Mission Time

This section documents the risk significant mission time, as defined in Section 2.3.6 of Appendix F, for each of the monitored functions identified for the system. The following specific information should be included in support of the EDG mission time if a value less than 24 hours is used:

  • EDG Mission Time with highest Birnbaum
  • Basic Event and Description (basis for Birnbaum)
  • Other Emergency Power Failure to Run Basic Events, Descriptions, mission time and Birnbaums (those not selected)
  • Method for reduced mission time (e.g., Convolution, Multiple Discrete LOOP (Loss of Offsite Power) Initiating Events, Other)
  • Loss of Offsite Power (LOOP) Initiating Events, Description and Frequency
  • Basis for LOOP Frequency (Industry/NRC Reference)
  • Basis for LOOP Non-recovery Failure (Industry/NRC Reference)
  • Credit for Emergency Power Repair (Yes/No)
  • If repair credited, failure probability of repair and basis

G 1.5 Monitored Components

This section documents the selection of monitored components as defined in Appendix F, Section 2.1.2 of NEI 99-02 in each train of the monitored system. A listing of all monitored pumps, breakers and emergency power generators should be included in this section. A listing of AOVs, HOVs, SOVs and MOVs that change state to achieve the monitored functions should be provided as potential monitored components. The basis for excluding valves and breakers in this list from monitoring should be provided. Component boundaries as described in Appendix F, Section 2.1.3 of NEI 99-02 should be included where appropriate.

G 1.6 Basis for Demands/Run Hours (estimate or actual)

The determination of reliability largely relies on the values of demands, run hours and failures of components to develop a failure rate. This section documents how the licensee will determine the demands on a component. Several methods may be used.

  • Actual counting of demands/run hours during the reporting period
  • An estimate of demands/run hours based on the number of times a procedure or other activities are performed plus either actual ESF demands/run hours or “zero” ESF demands/run hours
  • An estimate based on historical data over a year or more averaged for a quarterly average plus either actual ESF demands/run hours or “zero” ESF demands/run hours

The method used, either actual or estimated values, shall be stated. If estimates are used for test or operational demands or run hours then the process used for developing the estimates shall be described and estimated values documented. If the estimates are based on performance of procedures, list the procedures and the frequencies of performance that were used to develop the estimates.

G 1.7 Short Duration Unavailability

This section provides a list of any periodic surveillances or evolutions of less than 15 minutes of unavailability that the licensee does not include in train unavailability. The intent is to minimize unnecessary burden of data collection, documentation, and verification because these short durations have insignificant risk impact.

G 1.8 PRA Information used in the MSPI

G 1.8.1 Unavailability FV and UA

This section includes a table or spreadsheet that lists the basic events for unavailability for each train of the monitored systems. This listing should include the probability, FV, and FV/probability ratio and text description of the basic event or component ID. An example format is provided as Table 1 at the end of this appendix. If the event chosen to represent the train is not the event that results in the largest ratio, provide information that describes the basis for the choice of the specific event that was used.

G 1.8.1.1 Unavailability Baseline Data

This section includes the baseline unavailability data by train for each monitored system. The discussion should include the basis for the baseline values used. The detailed basis for the baseline data may be included in an appendix to the MSPI Basis Document if desired.

The basis document should include the specific values for the planned and unplanned unavailability baseline values that are used for each train or segment in the system.

G 1.8.1.2 Treatment of Support System Initiator(s)

This section documents whether the cooling water systems are an initiator or not. This section provides a description of how the plant will include the support system initiator(s) as described in Appendix F of NEI 99-02. If an analysis is performed for a plant-specific value, the calculation must be documented in accordance with plant processes and referred to here. The results should also be included in this section. A sample table format for presenting the results of a plant-specific calculation for those plants that do not explicitly model the effect on the initiating event contribution to risk is shown in Table 4 at the end of this appendix.

G 1.8.2 Unreliability FV and UR

There are two options described in Appendix F for the selection of FV and UR values; the selected option should be identified in this section. This section also includes a table or spreadsheet that lists the PRA information for each monitored component. This listing should include the Component ID, event probability, FV, the common cause adjustment factor and FV/probability ratio and text description of the basic event or component ID. An example format is provided as Table 2 at the end of this appendix. If individual failure mode ratios (vice the maximum ratio) will be used in the calculation of MSPI, then each failure mode for each component will be listed in the table.

A separate table should be provided in an appendix to the basis document that provides the complete set of basic events for each component. An example of this for one component is shown in Table 3 at the end of this appendix. Only the basic event chosen for the MSPI calculation requires completion of all table entries.

G 1.8.2.1 Treatment of Support System Initiator(s)

This section documents whether the cooling water systems are an initiator or not. This section provides a description of how the plant will include the support system initiator(s) as described in Appendix F of NEI 99-02. If an analysis is performed for a plant-specific value, the calculation must be documented in accordance with plant processes and referred to here. The results should also be included in this section. A sample table format for presenting the results of a plant-specific calculation for those plants that do not explicitly model the effect on the initiating event contribution to risk is shown in Table 4 at the end of this appendix.

G 1.8.2.2 Calculation of Common Cause Factor

This section contains the description of how the plant will determine the common cause factor as described in Appendix F of NEI 99-02. If an analysis is performed for a plant-specific value, the calculation must be documented in accordance with plant processes and referred to here. The results should also be included in this section.


G 1.9 Assumptions

This section documents any specific assumptions made in determination of the MSPI information that may need to be documented. Causes for documentation in this section could be special methods of counting hours or runtimes based on plant-specific designs or processes, or other instances not clearly covered by the guidance in NEI 99-02.

G 2. PRA Requirements

G 2.1 Discussion

The MSPI application can be considered a Phase 2 application under the NRC’s phased approach to PRA quality. The MSPI is an index that is based on internal initiating events, full-power PRA, for which the ASME Standard has been written. The Standard has been endorsed by the staff in RG 1.200, which has been issued for trial use.

Licensees should assure that their PRA is of sufficient technical adequacy to support the MSPI application by one of the following alternatives:

G 2.1.1 Alternative A (Consistent with MSPI PRA Task Group recommendations)

a) Resolve the peer review Facts and Observations (F&Os) for the plant PRA that are classified as being in category A or B, or document the basis for a determination that any open A or B F&Os will not significantly impact the MSPI calculation. Open A or B F&Os are significant if collectively their resolution impacts any Birnbaum values used in MSPI by more than a factor of 3. Appropriate sensitivity studies may be performed to quantify the impact. If an open A or B F&O cannot be resolved by April 1, 2006 and significantly impacts the MSPI calculation, a modified Birnbaum value equal to a factor of 3 times the median Birnbaum value from the associated cross comparison group for pumps/diesels and 3 times the plant values for valves/breakers should be used in the MSPI calculation at the index, system or component level, as appropriate, until the F&O is resolved.

And

b) Perform a self assessment using the NEI-00-02 process as modified by Appendix B of RG 1.200 for the ASME PRA Standard supporting level requirements identified by the MSPI PRA task group and resolve any identified issues or document the basis for a determination that any open issues will not significantly impact the MSPI calculation. Identified issues are considered significant if they impact any Birnbaum values used in MSPI by more than a factor of 3. Appropriate sensitivity studies may be performed to quantify the impact. If an identified issue cannot be resolved by April 1, 2006 and significantly impacts the MSPI calculation, a modified Birnbaum value equal to a factor of 3 times the median Birnbaum value from the associated cross comparison group for pumps/diesels and 3 times the plant value for valves/breakers should be used in the MSPI calculation at the index, system or component level, as appropriate, until the issue is resolved.

G 2.1.2 Alternative B (Consistent with RG 1.174 guidance)

a) Resolve the peer review Facts and Observations (F&Os) for the plant PRA that are classified as being in category A or B, or document the basis for a determination that any open A or B F&Os will not significantly impact the MSPI calculation. Open A or B F&Os are significant if collectively their resolution impacts any Birnbaum values used in MSPI by more than a factor of 3. Appropriate sensitivity studies may be performed to quantify the impact. If an open A or B F&O cannot be resolved by April 1, 2006 and significantly impacts the MSPI calculation, a modified Birnbaum value equal to a factor of 3 times the median Birnbaum value from the associated cross comparison group for pumps/diesels and 3 times the plant values for valves/breakers should be used in the MSPI calculation at the index, system or component level, as appropriate, until the F&O is resolved.


And

b) Disposition any candidate outlier issues identified by the industry PRA cross comparison activity. The disposition of candidate outlier issues can be accomplished by:

  • Correcting or updating the PRA model;
  • Demonstrating that outlier identification was due to valid design or PRA modeling methods; or
  • Using a modified Birnbaum value equal to a factor of 3 times the median value from the associated cross comparison group for pumps/diesels and 3 times the plant value for valves/breakers until the PRA model is corrected or updated.


G 2.2 PRA MSPI Documentation Requirements

A. Licensees should provide a summary of their PRA models to include the following:

  1. Approved version and date used to develop MSPI data
  2. Plant base CDF for MSPI
  3. Truncation level used to develop MSPI data

B. Licensees should document the technical adequacy of their PRA models, including:

  1. Justification for any open category A or B F&Os that will not be resolved prior to April 1, 2006.
  2. Justification for any open issues from:
    a. the self-assessment performed for the supporting requirements (SR) identified in Table 5, taking into consideration Appendix B of RG 1.200 (trial), with particular attention to the notes in Table 4 of the MSPI PRA task group report.
    -- OR --
    b. identification of any candidate outliers for the plant from the group cross-comparison studies.

C. Licensees should document in their PRA archival documentation:

  1. A description of the resolution of the A and B category F&Os identified by the peer review team.
  2. Technical bases for the PRA.


G 3. TABLES

Table G 1 Unavailability Data HPSI (one table per system)

| Train | Basic Event Name | Basic Event Description | Basic Event Probability (UAP) | Basic Event FVUAP (1) | FVUAP/UAP |
|---|---|---|---|---|---|
| A | 1SIAP02----MP6CM | HPSI Pump A Unavailable Due to Mntc | 3.20E-03 | 3.19E-03 | 9.97E-01 |
| B | 1SIBP02----MP6CM | HPSI Pump B Unavailable Due to Mntc | 3.20E-03 | 3.85E-03 | 1.20E+00 |

1. Adjusted for IEF correction if used

Table G 2 – AFW System Monitored Component PRA Information

| Component | Basic Event | Description | Basic Event Probability (URPC) | Basic Event FVURC | [FV/UR]ind | CC Adjustment Factor (A) | CC Adjustment Used | Adjusted Birnbaum |
|---|---|---|---|---|---|---|---|---|
| 1MAFAP01 | 1AFASYS----AFACM | Train A Auxiliary Feedwater Pump Fails to Start | 2.75E-03 | 2.33E-02 | 8.49E+00 | 1 | Generic | 1.1E-04 |
| 1MAFBP01 | 1AFBP01----MPAFS | Train B Auxiliary Feedwater Pump Fails to Start | 6.73E-04 | 4.44E-02 | 6.59E+01 | 1.25 | Generic | 1.1E-03 |
| 1MAFNP01 | 1AFNSYS----AFNCM | Train N Auxiliary Feedwater Pump Fails to Start | 1.05E-03 | 1.10E-02 | 1.05E+01 | 1.25 | Generic | 1.7E-04 |
| 1JCTAHV0001 | 1CTAHV001--MV-FO | CST to AFW Pump N Supply Valve HV1 Fails to Open (Local Fault) | 3.17E-03 | 2.48E-02 | 7.83E+00 | 2 | Generic | 2.0E-04 |
| 1JCTAHV0004 | 1CTAHV004--MV-FO | CST to AFW Pump N Supply Valve HV4 Fails to Open (Local Fault) | 3.17E-03 | 2.48E-02 | 7.83E+00 | 2 | Generic | 2.0E-04 |


Table G 3 - Unreliability Data (one table per monitored component)

Component Name and ID: HPSI Pump B - 1SIBP02

| Basic Event Name | Basic Event Description | Basic Event Probability (URPC) | Basic Event FVURC (1) | [FV/UR]ind | Common Cause Adjustment Factor (CCF) | Common Cause Adjustment Generic or Plant-specific | Adjusted Birnbaum |
|---|---|---|---|---|---|---|---|
| 1SIBP02---XCYXOR | HPSI Pump B Fails to Start Due to Override Contact Failure | 6.81E-04 | 7.71E-04 | 1.13E+00 | 3.0 | Generic | 5.0E-05 |
| 1SIBP02----MPAFS | HPSI Pump B Fails to Start (Local Fault) | 6.73E-04 | 7.62E-04 | 1.13E+00 | | | |
| 1SIBP02----MP-FR | HPSI Pump B Fails to Run | 4.80E-04 | 5.33E-04 | 1.11E+00 | | | |
| 1SABHP-K125RXAFT | HPSI Pump B Fails to Start Due to K125 Failure | 3.27E-04 | 3.56E-04 | 1.09E+00 | | | |
| 1SIBP02----CB0CM | HPSI Pump B Circuit Breaker (PBB-S04E) Unavailable Due to Mntc | 2.20E-04 | 2.32E-04 | 1.05E+00 | | | |
| 1SIBP02----CBBFT | HPSI Pump B Circuit Breaker (PBB-S04E) Fails to Close (Local Fault) | 2.04E-04 | 2.14E-04 | 1.05E+00 | | | |

1. Adjusted for IEF correction if used

Table G 4 Cooling Water Support System FV Calculation Results (one table per train/component/failure mode)

| FVa (or FVc) | FVie | FVsa (or FVsc) | UA (or UR) | Calculated FV (per appendix F) (result is put in Basic Event column of table 1 or table 2 as appropriate) |
|---|---|---|---|---|
| | | | | |


TABLE G 5. ASME PRA Standard Supporting Requirements Requiring Self-Assessment

Supporting Requirement | Comments
IE-A4 | Focus on plant-specific initiators and special initiators, especially loss of DC bus, Loss of AC bus, or Loss of room cooling type initiators
IE-A7 | Category I in general. However, precursors to losses of cooling water systems in particular, e.g., from fouling of intake structures, may indicate potential failure mechanisms to be taken into account in the system analysis (IE-C6, 7, 8, 9)
IE-A9 | Category II for plants that choose fault trees to model support systems. Watch for initiating event frequencies that are substantially (e.g., more than 3 times) below generic values.
IE-C1 | Focus on loss of offsite power (LOOP) frequency as a function of duration
IE-C2 | Focus on LOOP and medium and small LOCA frequencies including stuck open PORVs
IE-C6 | For plants that choose fault trees for support systems, attention to loss of cooling systems initiators.
IE-C9 | Category II for plants that choose fault trees for support systems. Pay attention to initiating event frequencies that are substantially (i.e., more than 3 times) below generic values
AS-A3 | Focus on credit for alternate sources, e.g., gas turbines, CRD, fire water, SW cross-tie, recovery of FW
AS-A4 | Focus on credit for alternate sources, e.g., gas turbines, CRD, fire water, SW cross-tie, recovery of FW
AS-A5 | Focus on credit for alternate sources, e.g., gas turbines, CRD, fire water, SW cross-tie, recovery of FW
AS-A9 | Category II for MSPI systems and components and for systems such as CRD, fire water, SW cross-tie, recovery of FW
AS-A10 | Category II in particular for alternate systems where the operator actions may be significantly different, e.g., more complex, more time limited.
AS-B3 | Focus on credit for injection post-venting (NPSH issues, environmental survivability, etc.)
AS-B6 | Focus on (a) time phasing in LOOP/SBO sequences, including battery depletion, and (c) adequacy of CRD as an adequate injection source.
SC-A4 | Focus on modeling of shared systems and cross-ties in multi-unit sites
SC-B1 | Focus on proper application of the computer codes for T/H calculations, especially for LOCA, IORV, SORV, and F&B scenarios.
SC-C1 | Category II
SY-A4 | Category II for MSPI systems and components
SY-A11 | Focus on (d) modeling of shared systems
SY-A20 | Focus on credit for alternate injection systems, alternate seal cooling
SY-B1 | Should include EDG, AFW, HPI, RHR CCFs
SY-B5 | Focus on dependencies of support systems (especially cooling water systems) to the initiating events
SY-B9 | Focus on credit for injection post-venting (NPSH issues, environmental survivability, etc.)
SY-B15 | Focus on credit for injection post-venting (NPSH issues, environmental survivability, etc.)
HR-E1 | Focus on credit for cross ties, depressurization, use of alternate sources, venting, core cooling recovery, initiation of F&B
HR-E2 | Focus on credit for cross ties, depressurization, use of alternate sources, venting, core cooling recovery, initiation of F&B
HR-G1 | Category II, though Category I for the critical HEPs would produce a more sensitive MSPI (i.e., fewer failures to change a color)
HR-G2 | Focus on credit for cross ties, depressurization, use of alternate sources, venting, core cooling recovery, initiation of F&B
HR-G3 | Category I. See note on HR-G1. Attention to credit for cross ties, depressurization, use of alternate sources, venting, core cooling recovery, initiation of F&B
HR-G5 | Category II. See note on HR-G1.
HR-H2 | Focus on credit for cross ties, depressurization, use of alternate sources, venting, core cooling recovery, initiation of F&B
HR-H3 | The use of some systems may be treated as a recovery action in a PRA, even though the system may be addressed in the same procedure as a human action modeled in the accident sequence model (e.g., recovery of feedwater may be addressed in the same procedure as feed and bleed). Neglecting the cognitive dependency can significantly decrease the significance of the sequence.
DA-B1 | Focus on service condition (clean vs. untreated water) for SW systems
DA-C1 | Focus on LOOP recovery
DA-C15 | Focus on recovery from LOSP and loss of SW events
DA-D1 | For BWRs with isolation condenser, focus on the likelihood of a stuck open SRV
QU-B2 | Truncation limits should be chosen to be appropriate for F-V calculations.
QU-B3 | This is an MSPI implementation concern and should be addressed in the guidance document. Truncation limits should be chosen to be appropriate for F-V calculations.
QU-D3 | Understanding the differences between plant models, particularly as they affect the MSPI, is important for the proposed approach to the identification of outliers recommended by the task group.
QU-D5 | Category II for those who have used fault tree models to address support system initiators.
QU-E4 | Category II for the issues that directly affect the MSPI




APPENDIX H USwC Basis Document

The USwC PI will monitor the following six conditions that either have the potential to complicate the operators’ scram response actions or involve the unavailability of or inability to recover main feedwater during the scram response.

1. Reactivity Control
2. Pressure Control (BWRs)/Turbine Trip (PWRs)
3. Power available to Emergency Busses
4. Need to actuate emergency injection sources
5. Availability of Main Feedwater
6. Utilization of scram recovery Emergency Operating Procedures (EOPs)

Since the complicating conditions are not the same for Pressurized Water Reactors (PWRs) versus Boiling Water Reactors (BWRs), a separate flow chart for each type has been developed. If any one of the conditions in the appropriate flow chart is met the condition must be counted as a USwC event.

H 1 PWR Flowchart Basis Discussion

H 1.1 Did two or more control rods fail to fully insert?

This question is designed to verify that the Reactor did actually trip. As long as a plant uses the EOP questions to verify that the reactor tripped without entering a “response not obtained” or “contingency actions” requirement this question should be answered as “No”. Some specific examples from plant EOPs are provided below.

Some CE plant EOPs use the following checks:

  • Check that reactor power is dropping.
  • Check that start-up rate is negative.
  • Check that no more than one full strength CEA is NOT inserted.

If the operations staff determines that one of these questions is not satisfied then they must perform a contingency action. The requirement to perform that contingency action would be considered as a complication for the Unplanned Scrams with Complications metric.

Some Westinghouse plant EOPs verify the following items:

  • Verify Reactor Trip
      o Rod bottom lights – LIT
      o Reactor trip and bypass breakers – OPEN
      o Neutron flux – LOWERING

If the operations staff determines that one of these questions is not satisfied then they must perform a response not obtained action. The requirement to perform that contingency action would be considered as a complication for the Unplanned Scrams with Complications metric. There is an exception in this question for Westinghouse plants using the question structure given in this example. A single rod bottom light not lit would be acceptable in the Unplanned Scrams with Complications metric even though it would require a response not obtained action. This exception is allowed to make the metric consistent between vendor procedures; also, the reactor analysis allows for the single most reactive control rod to be stuck in the full out position.

Some B&W plant EOPs verify the following:

  • Verify Alternate Rod Insertion and reactor power dropping

If the operations staff determines that this question is not satisfied then they must perform a contingency action. The requirement to perform that contingency action would be considered as a complication for the Unplanned Scrams with Complications metric. There is an exception in this question for B&W plants using the question structure given in this example. A single rod not fully inserted would be acceptable in the Unplanned Scrams with Complications metric even though it would require a contingency action. This exception is allowed to make the metric consistent between vendor procedures; also, the reactor analysis allows for the single most reactive control rod to be stuck in the full out position.

H 1.2 Did the turbine fail to trip?

This question is designed to verify that the Turbine did actually trip. As long as a plant uses the EOP questions to verify that the turbine tripped without entering a “response not obtained” or “contingency actions” requirement this question should be answered as “No”. There is one exemption to this step that allows an Operator to use the manual turbine trip handswitch/pushbutton as an acceptable alternative. The simplicity of the action and the fact that Operators are specifically trained on this action provide the basis for this exception. It is NOT an acceptable alternative for the Operators to close individual governor or throttle valves, main steam isolation valves, or secure hydraulic control pumps. The failure of a generator output breaker to trip with the turbine is considered as a complication. Any actions beyond the use of one handswitch/pushbutton would need to be considered as a complication for this question. For reactor trips that occur prior to the turbine being placed in service or “latched” this specific question should be answered as “No” since the turbine is already tripped. Some specific examples from plant EOPs are provided below:

Some CE plant EOPs use the following checks:

  • Check that the main turbine is tripped
  • Check that the main generator output breakers are open

The use of the contingency action to manually trip the turbine is an acceptable alternative. Performance of any other contingency actions would require answering this question as “Yes”.

Some Westinghouse plant EOPs verify the following items:

  • Verify all turbine throttle valves – CLOSED
  • Main generator output breaker - OPEN

The use of the contingency action to manually trip the turbine is an acceptable alternative. Performance of any other response not obtained actions would require answering this question as “Yes”.

Some B&W plant EOPs verify the following:

  • Verify turbine throttle and governor valve closed

The use of the contingency action to manually trip the turbine is an acceptable alternative. Performance of any other contingency actions would require answering this question as “Yes”.

H 1.3 Was power lost to any ESF bus?

Most EOP versions check that power is available in response to the reactor trip. This question is designed to verify that electric power was available after the reactor trip. As long as a plant uses the EOP questions to verify that power was available without entering a “response not obtained” or “contingency actions” requirement this question should be answered as “No”. There is an exemption to this step that allows an Operator to manually restore power within 10 minutes as an acceptable alternative. The exception is limited to those actions necessary to close a breaker from the main control board. Actions requiring access to the back of the control boards or any other remote location would require answering this question as “Yes”. It is acceptable to manipulate more than one switch, such as a sync switch, in the process of restoring power to the bus. It is acceptable to close more than one breaker. It is acceptable to restore power from the emergency AC source, such as diesel generators, or from off-site power. This exception is allowed since most EOPs are configured to check that power is available to at least one of the safety busses which will satisfy plant safety concerns. If power is not available to at least one safety bus most EOPs will direct transition to another EOP to mitigate this condition. The additional operator action to restore power to additional busses has been discussed and considered acceptable as long as it can be completed within the time limitations of 10 minutes (chosen to limit the complexity) and the constraints of switch operation from the main control board. Any actions beyond these would need to be considered as a complication for this question. Because of the wide variation in power distribution designs, voltage, and nomenclature across the PWR fleet, no specific EOP examples are given here.


H 1.4 Was a Safety Injection signal received?

This question is designed to verify that the plant conditions are stable and do not require the actuation of the emergency injection system (safety injection for Westinghouse plants, SIAS for CE). Plant conditions that result from a loss of inventory or loss of pressure control in the RCS or Steam Generator (SG) would likely require actuation of the emergency injection systems and would be considered a complication. Conversely, plant conditions following the reactor trip that do not result in a safety injection actuation would not be considered as complications. An exception to this is the existence of a severe steam generator tube leak. In those limited circumstances, a steam generator tube leak that is severe enough to require a reactor trip, but that can be controlled without initiating a safety injection signal by starting additional inventory control pumps that are not normally running during normal power operations, should result in a “Yes” answer and be considered a complication. A small steam generator tube leak where inventory can be maintained using the already running inventory control pumps would NOT be considered as complicated even if the reactor was tripped. Those instances where a safety injection was not required by actual plant conditions but occurred due to operator error, spurious actuations, or set-point error should be considered as complications and this question answered as “Yes”.

H 1.5 Was Main Feedwater unavailable or not recoverable using approved plant procedures during the scram response?

This section of the indicator is a holdover from the Scrams with Loss of Normal Heat Removal indicator which the USwC indicator replaced. Since all PWR designs have an emergency Feedwater system that operates if necessary, the availability of the normal or main Feedwater systems as a backup in emergency situations can be important for managing risk following a reactor scram. This portion of the indicator is designed to assess that backup availability or ability to recover main feedwater as directed by approved plant procedures (e.g., the EOPs) on a loss of all emergency Feedwater.

It is not necessary for the main Feedwater system to continue operating following a reactor trip. Some plants, by design, have certain features to prevent main feedwater from continued operation or from allowing it to be restarted unless certain criteria are met. Since some plant designs do not include electric-driven main Feedwater pumps (steam-driven pumps only), it may not be possible to restart main Feedwater pumps without a critical reactor. Additionally, some other plant designs have interlocks in place and signals that prevent feeding the steam generators with main Feedwater unless reactor coolant temperature is greater than the no-load average temperature. In both cases, these plants may be justified in answering this question as “No” if Main Feedwater is free from damage or failure that can prevent it from performing its intended function and is available for use.

Licensees should rely on the material condition availability of the equipment to reach the decision for this question. Condenser vacuum, cooling water, and steam pressure values should be evaluated based on the requirements to operate the pumps and may be lower than normal if procedures allow pump operation at that lower value. As long as these support systems are able to be restarted (if not running) to support main feedwater restart within the estimated 30-minute timeframe they can be considered as available. These requirements apply until the completion or exit of the scram response.

The availability of steam dumps to the condenser does NOT enter into this indicator at all. Use of atmospheric steam dumps following the reactor trip is acceptable for any duration.

Loss of one feed pump does not cause a loss of main feedwater. Only one is needed to remove residual heat after a trip. As long as at least one pump can still operate and provide Feedwater to the minimum number of steam generators required by the EOPs to satisfy the heat sink criteria, main feedwater should be considered available.

The failure in a closed position of a feedwater isolation valve to a steam generator is a loss of feed to that one steam generator. As long as the main feedwater system is able to feed the minimum number of steam generators required by the EOPs to satisfy the heat sink criteria, the loss of ability to feed other steam generators should not be considered a loss of feedwater. Isolation of the feedwater regulating or isolation valves does not constitute a loss of feedwater if nothing prevents them from being reopened in accordance with procedures.

A Steam Generator Isolation Signal or Feedwater Isolation Signal does not constitute a loss of main feedwater as long as it can be cleared and feedwater restarted. If the isolation signal was caused by a high steam generator level, the 30 minute estimate for restart timeframe should start once the high level isolation signal has cleared.

The estimated 30-minute timeframe for restart of main Feedwater was chosen based on restarting from a hot and filled condition. Since this timeframe will not be measured directly, it should be an estimate developed based on the material condition of the plant's systems following the reactor trip. If no abnormal material conditions exist the 30 minutes should be met. If plant procedures and design would require more than 30 minutes even if all systems were hot and the material condition of the plant's systems following the reactor trip were normal, that routine time should be used in the evaluation of this question, provided SG dry-out cannot occur on an uncomplicated trip if the time is longer than 30 minutes. The judgment of the on-shift licensed SRO during the reactor trip should be used in determining if this timeframe was met.

H 1.6 Was the scram response procedure unable to be completed without entering another EOP?

When a scram occurs, plant operators enter the EOPs to respond to the condition. In the case of a routine scram the procedure entered will be exited fairly rapidly after verifying that the reactor is shut down, excessive cooling is not in progress, electric power is available, and reactor coolant pressures and temperatures are at expected values and controlled. Once these verifications are done and the plant conditions are considered “stable”, operators may exit the initial procedure to another procedure that will stabilize and prepare the remainder of the plant for transition to the normal operating procedures. The plant could then be maintained in Hot Standby, perform a controlled normal cooldown, or begin the restart process. The criterion in this question is used to verify there were no other conditions that developed during the stabilization of the plant in the scram response that required re-entry into the EOPs or transition to a follow-on EOP.

There are some EOPs that are used specifically at the operator discretion and are not required to be used. In the Westinghouse EOP suite these are Yellow Path functional restoration procedures and the re-diagnosis procedures. These procedures typically verify that the operator is taking the correct action (re-diagnosis) or the stabilization of some minor plant parameters (Yellow path). Use of these procedures is an allowed exception to this step. The transition out of these procedures to an EOP different from the current procedure in effect, i.e. a new procedure or the base procedure, would count as a complication.

H 2 PWR Case Studies

H 2.1 PWR Case Study 1

At approximately 100% steady state reactor power, Control Room operators initiated a manual reactor trip as a result of indications that multiple Control Rods (CRs) had dropped into the reactor core. All Reactor Trip (RT) breakers opened but all rod bottom lights did not illuminate. Rod Cluster Control Assemblies (RCCA) L7, J13, F6, F10, K10, C5, and C13 were not considered fully inserted because the rod bottom lights for these RCCAs did not illuminate. The Plant Information Computer System indicated all RCCAs were fully inserted. In accordance with plant procedures, operators re-initiated a manual RT. Operations verified the reactor was tripped and all RCCAs were fully inserted.

Prior to the event all CRs were withdrawn from the reactor core and in Automatic, both Main Boiler Feedwater Pumps (MBFPs) were in service, the Auxiliary Feedwater Pumps (AFWPs) were in standby, the EDGs were in standby, and off-site power was in service. At 1435 hours, indicated reactor power decreased from approximately 99.87% to 50% (based on the Nuclear Instrumentation System power range neutron flux monitors) as a result of 12 CRs dropping into the core. Of the twelve CRs that dropped into the core, four (4) CRs (M-12, M-4, D-12, and D-4) went from 223 steps to 150 steps out and eight (8) control rods (N-13, L-13, N-5, N-3, E-3, C-3, C13, and C-11) went from 223 steps out to 0 steps. Reactivity control is achieved by a combination of 53 CRs [29 RCCAs are in control banks (CB) and 24 in shutdown banks (SDBs)] and chemical shim (boric acid). The CRs are divided into 1) a shutdown (SD) group comprised of two SDBs of eight rod clusters each and two SDBs of four rod clusters each, and 2) a control group comprised of four CBs containing eight, four, eight, and nine rod clusters.

After the manual RT, seven (7) rod bottom lights for CR SDB A, Rod L7, SDB 3, Rod J12, SDB D, Rods F6, F10, K10, CB A, Rod C5, and CB C, Rod C13 did not illuminate. All other reactivity indications were normal. As a result of the manual RT, the Main Turbine-Generator tripped, and the AFWPs automatically started. The EDGs did not start as off-site power remained in service. An alarm for low pressurizer pressure annunciated as a result of a reduction of the RCS pressure to the normal trip setpoint (1985 psig). The decrease in pressure was due to the negative reactivity from the initial rod insertion. All primary safety systems functioned properly. Unexpected responses included: both MBFP suction relief valves lifted (reset at approximately 1458 hours), a "Not in Sync" alarm was received for the 24 Static Inverter (adjusted and cleared), and a low oil level alarm on upper reservoir was received for the 23 Reactor Coolant Pump (RCP). Power for the rod control system is distributed to five power cabinets from two motor-generator sets connected in parallel through two series of Reactor Trip Breakers (RTBs). The ac power distribution lines downstream of the RTBs are routed above the power cabinets through a fully enclosed three-phase, four wire plug-in, bus duct assembly.

The ac power to each cabinet is carried by the bus duct assembly through three plug-in fused disconnect switches for the stationary, movable and lift coil circuits of the mechanisms associated with that cabinet. During the investigation of the event the disconnect switch (JSI) on top of rod control power cabinet (CAB) 1AC was discovered to be open. Opening the disconnect switch caused loss of power to the stationary coils for twelve (12) CRs. The switch that was placed in the open position was for power cabinet 1AC which controls the rods for CB A, Group 1, CB C, Group 1, and SDB A, Group 1. Loss of power to these CRs caused the rods to drop into the reactor core per design. Four (4) CRs partially inserted (223 steps in to 150 steps). CR power cabinet (1AC) disconnect switch was inadvertently bumped open by a contractor erecting scaffolding around the CR power cabinets in the cable spreading room of the Control Building (NA). The disconnect switch to rod control power cabinet 1AC was re-closed. An assessment of the condition by reactor engineering concluded that power was removed from the CR stationary gripper coils when the disconnect switch was opened. When no motion is demanded and rods are stationary, current is sent to the coils, which keeps the grippers engaged on the CR. The CR system sensed the power loss condition and transmitted a high current order to the movable gripper coils which had not lost their power. The movable gripper coils were able to catch four of the CRs as they were falling but did not catch the remaining CRs in the other CR groups. The cause of the failure of seven (7) rod bottom lights to illuminate after the dropped rod event was due to failed light bistables.

In answering the questions for this indicator, some additional information beyond that gathered for the LER will be required. In this case the usage history of the EOPs will be required. For this example consider that there were no additional EOPs used beyond the normal procedures.

1. Did two or more control rods fail to fully insert?

Did control rods that are required to move on a reactor trip fully insert into the core as evidenced by the Emergency Operating Procedure (EOP) evaluation criteria? As an example for some PWRs using rod bottom light indications, if more than one rod bottom light is not illuminated, this question must be answered "Yes." The basis of this step is to determine if additional actions are required by the operators as a result of the failure of all rods to insert. Additional actions, such as emergency boration, pose a complication beyond the normal scram response that this metric is attempting to measure. It is allowable to have one control rod not fully inserted since core protection design accounts for one control rod remaining fully withdrawn from the core on a reactor trip. This question must be evaluated using the criteria contained in the plant EOP used to verify that control rods inserted. During performance of this step of the EOP the licensee staff would not need to apply the “Response Not Obtained” actions. Other means not specified in the EOPs are not allowed for this metric.

Answer: YES. This question should be answered as “YES” and the trip counted as a Scram with Complications since the rod bottom lights did not indicate fully inserted control rods. If the EOP allows the use of the plant computer indications instead of rod bottom lights this question should be answered as “NO.” To qualify the plant computer indication must not be considered as a “Response Not Obtained” step but rather as a listed normal indication.

2. Did the turbine fail to trip?

Did the turbine fail to trip automatically/manually as required on the reactor trip signal? To be a successful trip, steam flow to the main turbine must have been isolated by the turbine trip logic actuated by the reactor trip signal, or by operator action from a single switch or pushbutton. The allowance of operator action to trip the turbine is based on the operation of the turbine trip logic from the operator action if directed by the EOP. Operator action to close valves or secure pumps to trip the turbine beyond use of a single turbine trip switch would count in this indicator as a failure to trip and a complication beyond the normal reactor trip response. Trips that occur prior to the turbine being placed in service or “latched” should have this question answered as “No”.

Answer: NO. The turbine tripped per design.

3. Was power lost to any ESF bus?

During a reactor trip or during the period operators are responding to a reactor trip using reactor trip response procedures, was power lost to any ESF bus that was not restored automatically by the Emergency Alternating Current (EAC) power system and remained de-energized for greater than 10 minutes? Operator action to re-energize the ESF bus from the main control board is allowed as an acceptable action to satisfy this metric. This question is looking for a loss of power at any time for any duration where the bus was not energized/re-energized within 10 minutes. The bus must have:

  • remained energized until the scram response procedure was exited, or
  • been re-energized automatically by the plant EAC power system (i.e., EDG), or
  • been re-energized from normal or emergency sources by an operator closing a breaker from the main control board.

The question applies to all ESF busses (switchgear, load centers, motor control centers and DC busses). This does NOT apply to 120-volt power panels. It is expected that operator action to re-energize an ESF bus would not take longer than 10 minutes.

Answer: NO. Emergency diesels were not required to start. Offsite power remained available throughout the trip response. All ESF busses remained energized throughout the trip response.

4. Was a Safety Injection signal received?

Was a Safety Injection signal generated either manually or automatically during the reactor trip response? The question's purpose is to determine if the operator had to respond to an abnormal condition that required a safety injection or respond to the actuation of additional equipment that would not normally actuate on an uncomplicated scram. This question would include any condition that challenged Reactor Coolant System (RCS) inventory, pressure, or temperature severely enough to require a safety injection. A severe steam generator tube leak that would require a manual reactor trip because it was beyond the capacity of the normal at power running charging system should be counted even if a safety injection was not used since additional charging pumps would be required to be started.

Answer: NO. No SI signal was required or received.

5. Was Main Feedwater unavailable or not recoverable using approved plant procedures during the scram response?

If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be restarted during the reactor scram response? The consideration for this question is whether Main Feedwater could be used to feed the steam generators if necessary. The qualifier of “not recoverable using approved plant procedures” will allow a licensee to answer “No” to this question if there is no physical equipment restraint to prevent the operations staff from starting the necessary equipment, aligning the required systems, or satisfying required logic using plant procedures approved for use and in place prior to the reactor scram occurring.

The operations staff must be able to start and operate the required equipment using normal alignments and approved emergency, normal and off-normal operating procedures to feed the minimum number of steam generators required by the EOPs to satisfy the heat sink criteria. Manual operation of controllers/equipment, even if normally automatic, is allowed if addressed by procedure. Situations that require maintenance or repair activities or non-proceduralized operating alignments require an answer of “Yes.” Additionally, the restoration of Feedwater must be capable of feeding the Steam Generators in a reasonable period of time. Operations should be able to start a Main Feedwater pump and start feeding Steam Generators with the Main Feedwater System within about 30 minutes from the time it was recognized that Main Feedwater was needed. During startup conditions where Main Feedwater was not placed in service prior to the scram this question would not be considered and should be skipped. If design features or procedural prohibitions prevent restarting Main Feedwater this question should be answered as “No”.

Answer: NO. Main feedwater pumps were available and the feedwater system could have been operated to supply feedwater to all steam generators.

6. Was the scram response procedure unable to be completed without entering another EOP?

The response to the scram must be completed without transitioning to an additional EOP after entering the scram response procedure (e.g., ES01 for Westinghouse). This step is used to determine if the scram was uncomplicated by counting if additional procedures beyond the normal scram response required entry after the scram. A plant exiting the normal scram response procedure without using another EOP would answer this step as “No”. The discretionary use of the lowest level Function Restoration Guideline (Yellow Path) by the operations staff is an approved exception to this requirement. Use of the Re-diagnosis Procedure by Operations is acceptable unless a transition to another EOP is required.

Answer: NO. The reactor trip response procedures were completed without re-entering another EOP.

H 2.2 PWR Case Study 2

At 100% steady state reactor power, Operators manually tripped the reactor as a result of oscillating Feedwater (FW) flow and SG level with flow perturbations and FW pipe movement in the Auxiliary FW (AFW) Pump Building. Prior to the transient, while operating at 100% reactor power, with SG level control in AUTO, 22 SG Narrow Range (NR) level records show two cycles of level changes of approximately 2% and correction in automatic with no operator action. Subsequently, operators observed 22 SG NR level starting to decrease from a normal value of 49% to 30% with a deviation alarm annunciating at 44%. CR operators observed oscillating FW flow and erratic behavior of the 22 Main FW regulating valve FCV-427. Operators entered Abnormal Operating Procedure 2AOP-FW-1 and placed the FW regulating valve (FCV-427) in manual and attempted to increase FW flow in 22 SG without success. Excessive FW flow oscillations continued. Operators then opened low flow bypass valve FCV-427L to increase SG level which started 22 SG level increasing at a level of 30%. At approximately 35% SG level valve FCV-427L was returned to closed. A Nuclear Plant Operator (NPO) in the AFW Pump Building reported to the control room loud noises due to flow perturbations and pipe movement. Based on plant conditions, the Control Room Supervisor (CRS) directed a manual reactor trip. All control rods fully inserted and all primary systems functioned properly. The 22 FW regulating valve FCV-427 failed to fully close. Operators initiated FW isolation by closing FW motor operated isolation valves (MOV) BFD-5-1 and BFD-90-1. A 22 SG high level trip was actuated at 73% SG level, initiating automatic closure of the Main FW Pump motor operated discharge valves (BFD-2-21 and BFD-2-22), Main FW and Low Flow FW regulating and isolation valves, and trip of the turbine driven Main FW Pumps. The plant was stabilized in hot standby with decay heat being removed by the main condenser.
Offsite power remained available and therefore the EDGs did not start. The AFW System automatically started as a result of a SG low level normally experienced on trips from full power. FW regulating valve FCV-427 is a Copes-Vulcan globe valve with Copes-Vulcan actuator Model D-1000-160. The valve has a positioner to perform its modulating function and 3 solenoids attached to the actuator for fast closure. CR operators observed the rod bottom lights, RT First Out Annunciator (Manual Trip). The plant was stabilized in hot standby with decay heat being released to the main condenser through the steam dump valves. A post transient evaluation was performed. A non-intrusive inspection was performed of the remaining FW regulating valves (FCV-417, FCV-437, FCV-447) to verify that their valve cages had not unthreaded from the valve body webs. The verification was done by obtaining the maximum stroke capability of the FCVs and relating that to a point at which the valve stem is connected into the actuator yoke (Measurements of the FCVs exposed stem threads and actuator posts were compared to the available actuator travel). These measurements provided reasonable assurance that the remaining FCV cages were properly threaded into their body webs. Following plant shutdown a walk down was performed of the four (4) FW lines inside containment and FW and AFW piping outside containment for any impacts of the FW flow perturbations. There were no indications of excessive movement or damage to the insulation, supports or piping above the 95 foot elevation of containment nor was there any observed signs of excessive movements, support damage, support impacts/scarring, or insulation damage on FW lines to SG-21, SG-22, SG-23, SG-24 on any containment elevations. For FW and AFW piping outside containment, no piping or support damage was evident due to pipe movements from the flow perturbations. 
FW piping inside and outside containment showed some light powder insulation dust on the floor indicative of pipe vibration.

In answering the questions for this indicator, some additional information beyond that gathered for the LER will be required. In this case the usage history of the EOPs will be required. For this example consider that there were no additional EOPs used beyond the normal procedures.

1. Did two or more control rods fail to fully insert?

Did control rods that are required to move on a reactor trip fully insert into the core as evidenced by the Emergency Operating Procedure (EOP) evaluation criteria? As an example for some PWRs using rod bottom light indications, if more than one rod bottom light is not illuminated, this question must be answered "Yes." The basis of this step is to determine if additional actions are required by the operators as a result of the failure of all rods to insert. Additional actions, such as emergency boration, pose a complication beyond the normal scram response that this metric is attempting to measure. It is allowable to have one control rod not fully inserted since core protection design accounts for one control rod remaining fully withdrawn from the core on a reactor trip. This question must be evaluated using the criteria contained in the plant EOP used to verify that control rods inserted. During performance of this step of the EOP the licensee staff would not need to apply the “Response Not Obtained” actions. Other means not specified in the EOPs are not allowed for this metric.

Answer: NO. All control rods fully inserted as indicated by the rod bottom lights.

2. Did the turbine fail to trip?

Did the turbine fail to trip automatically/manually as required on the reactor trip signal? To be a successful trip, steam flow to the main turbine must have been isolated by the turbine trip logic actuated by the reactor trip signal, or by operator action from a single switch or pushbutton. The allowance of operator action to trip the turbine is based on the operation of the turbine trip logic from the operator action if directed by the EOP. Operator action to close valves or secure pumps to trip the turbine beyond use of a single turbine trip switch would count in this indicator as a failure to trip and a complication beyond the normal reactor trip response. Trips that occur prior to the turbine being placed in service or “latched” should have this question answered as “No”.

Answer: NO. The turbine tripped per design.

3. Was power lost to any ESF bus?

During a reactor trip or during the period operators are responding to a reactor trip using reactor trip response procedures, was power lost to any ESF bus that was not restored automatically by the Emergency Alternating Current (EAC) power system and remained de-energized for greater than 10 minutes? Operator action to re-energize the ESF bus from the main control board is allowed as an acceptable action to satisfy this metric. This question is looking for a loss of power at any time for any duration where the bus was not energized/re-energized within 10 minutes. The bus must have:

  • remained energized until the scram response procedure was exited, or
  • been re-energized automatically by the plant EAC power system (i.e., EDG), or
  • been re-energized from normal or emergency sources by an operator closing a breaker from the main control board.

The question applies to all ESF busses (switchgear, load centers, motor control centers and DC busses). This does NOT apply to 120-volt power panels. It is expected that operator action to re-energize an ESF bus would not take longer than 10 minutes.

Answer: NO. Emergency diesels were not required to start. Offsite power remained available throughout the trip response. All ESF busses remained energized throughout the trip response.

4. Was a Safety Injection signal received?

Was a Safety Injection signal generated either manually or automatically during the reactor trip response? The question's purpose is to determine if the operator had to respond to an abnormal condition that required a safety injection or respond to the actuation of additional equipment that would not normally actuate on an uncomplicated scram. This question would include any condition that challenged Reactor Coolant System (RCS) inventory, pressure, or temperature severely enough to require a safety injection. A severe steam generator tube leak that would require a manual reactor trip because it was beyond the capacity of the normal at power running charging system should be counted even if a safety injection was not used since additional charging pumps would be required to be started.

Answer: NO. No SI signal was required or received.

5. Was Main Feedwater unavailable or not recoverable using approved plant procedures during the scram response?

If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be restarted during the reactor scram response? The consideration for this question is whether Main Feedwater could be used to feed the steam generators if necessary. The qualifier of “not recoverable using approved plant procedures” will allow a licensee to answer “No” to this question if there is no physical equipment restraint to prevent the operations staff from starting the necessary equipment, aligning the required systems, or satisfying required logic using plant procedures approved for use and in place prior to the reactor scram occurring.

The operations staff must be able to start and operate the required equipment using normal alignments and approved emergency, normal and off-normal operating procedures to feed the minimum number of steam generators required by the EOPs to satisfy the heat sink criteria. Manual operation of controllers/equipment, even if normally automatic, is allowed if addressed by procedure. Situations that require maintenance or repair activities or non-proceduralized operating alignments require an answer of “Yes.” Additionally, the restoration of Feedwater must be capable of feeding the Steam Generators in a reasonable period of time. Operations should be able to start a Main Feedwater pump and start feeding Steam Generators with the Main Feedwater System within about 30 minutes from the time it was recognized that Main Feedwater was needed. During startup conditions where Main Feedwater was not placed in service prior to the scram this question would not be considered and should be skipped. If design features or procedural prohibitions prevent restarting Main Feedwater this question should be answered as “No”.

Answer: NO. Main FW was the cause of the manual reactor trip: one of four feed regulating valves (FRV-447) was unavailable for FW addition to SGs. FW pumps were available to be restarted and three FW loops could have been operated to supply FW to 3 of 4 SGs.

6. Was the scram response procedure unable to be completed without entering another EOP?

The response to the scram must be completed without transitioning to an additional EOP after entering the scram response procedure (e.g., ES01 for Westinghouse). This step is used to determine if the scram was uncomplicated by counting if additional procedures beyond the normal scram response required entry after the scram. A plant exiting the normal scram response procedure without using another EOP would answer this step as “No”. The discretionary use of the lowest level Function Restoration Guideline (Yellow Path) by the operations staff is an approved exception to this requirement. Use of the Re-diagnosis Procedure by Operations is acceptable unless a transition to another EOP is required.

Answer: NO. The reactor trip response procedures were completed without re-entering another EOP.

H 2.3 PWR Case Study 3

An automatic reactor trip was initiated due to a low reactor coolant flow condition following a trip of the 'B' Reactor Coolant Pump (RCP) motor. The RCP trip was initiated by a current imbalance sensed by the motor's protective relay. The current imbalance was a result of a transmission system disturbance. At the time of the event, the plant was operating in Mode 1 (Hot Full Power) at 100 percent power. The system disturbance was initiated by a transmission line fault within a neighboring electric cooperative's transmission system. Due to a defective electrical connection within the electric cooperative's protective relaying scheme, the transmission line breakers protecting the affected line did not receive a trip signal to clear the fault. Since the breaker failure relaying scheme utilized the same circuitry containing the defective electrical connection, breaker failure logic was not initiated to trip the next breakers upstream of the transmission line fault. In addition, there was no redundant line relaying or local backup relaying on the substation transformer. As a result, the fault was not properly cleared from the electric cooperative's transmission system. For approximately the next eight minutes, multiple subsequent faults were introduced onto the system as the transmission line incurred damage and fell to the ground over an approximate distance of six miles. Ultimately, the fault condition was cleared following the failure of the distribution system transformer supplying the faulted transmission line. Approximately one minute into the event, the "B" RCP tripped due to a motor current imbalance, which resulted from the transmission system disturbance. The automatic reactor trip was initiated for a low reactor coolant flow condition due to the RCP trip. Shortly after the reactor trip, the three remaining RCPs and all main condenser circulating water pumps also tripped because of motor current imbalance.
Due to the tripping of all RCPs, the pressurizer spray system was unavailable. Additionally, the tripping of all main condenser circulating water pumps affected the ability to use the main condenser as a heat sink. This resulted in reliance on the atmospheric steam dumps causing reactor coolant system average temperature (RCS Tavg) to increase from 557 to 562 degrees F. The combination of establishing natural circulation due to the loss of all RCPs and increasing RCS Tavg, caused a pressurizer in-surge raising RCS pressure to the pressurizer power-operated relief valve (PORV) set point. Prior to re-establishing the pressurizer spray system, both PORVs momentarily lifted once, relieving RCS pressure to the pressurizer relief tank. RCPs were restored approximately 32 minutes after initiation of the event. During this entire event, all safety-related and non safety-related systems and components functioned in accordance with design.

In answering the questions for this indicator, some additional information beyond that gathered for the LER will be required. In this case the usage history of the EOPs will be required. For this example consider that there were no additional EOPs used beyond the normal procedures.

1. Did two or more control rods fail to fully insert?

Did control rods that are required to move on a reactor trip fully insert into the core as evidenced by the Emergency Operating Procedure (EOP) evaluation criteria? As an example for some PWRs using rod bottom light indications, if more than one rod bottom light is not illuminated, this question must be answered "Yes." The basis of this step is to determine if additional actions are required by the operators as a result of the failure of all rods to insert. Additional actions, such as emergency boration, pose a complication beyond the normal scram response that this metric is attempting to measure. It is allowable to have one control rod not fully inserted since core protection design accounts for one control rod remaining fully withdrawn from the core on a reactor trip. This question must be evaluated using the criteria contained in the plant EOP used to verify that control rods inserted. During performance of this step of the EOP the licensee staff would not need to apply the “Response Not Obtained” actions. Other means not specified in the EOPs are not allowed for this metric.

Answer: NO. All control rods fully inserted as indicated by rod bottom lights.

2. Did the turbine fail to trip?

Did the turbine fail to trip automatically/manually as required on the reactor trip signal? To be a successful trip, steam flow to the main turbine must have been isolated by the turbine trip logic actuated by the reactor trip signal, or by operator action from a single switch or pushbutton. The allowance of operator action to trip the turbine is based on the operation of the turbine trip logic from the operator action if directed by the EOP. Operator action to close valves or secure pumps to trip the turbine beyond use of a single turbine trip switch would count in this indicator as a failure to trip and a complication beyond the normal reactor trip response. Trips that occur prior to the turbine being placed in service or “latched” should have this question answered as “No”.

Answer: NO. The turbine tripped per design.

3. Was power lost to any ESF bus?

During a reactor trip or during the period operators are responding to a reactor trip using reactor trip response procedures, was power lost to any ESF bus that was not restored automatically by the Emergency Alternating Current (EAC) power system and remained de-energized for greater than 10 minutes? Operator action to re-energize the ESF bus from the main control board is allowed as an acceptable action to satisfy this metric. This question is looking for a loss of power at any time for any duration where the bus was not energized/re-energized within 10 minutes. The bus must have:

  • remained energized until the scram response procedure was exited, or
  • been re-energized automatically by the plant EAC power system (i.e., EDG), or
  • been re-energized from normal or emergency sources by an operator closing a breaker from the main control board.

The question applies to all ESF busses (switchgear, load centers, motor control centers and DC busses). This does NOT apply to 120-volt power panels. It is expected that operator action to re-energize an ESF bus would not take longer than 10 minutes.

Answer: NO. All ESF busses remained energized throughout the trip response.

4. Was a Safety Injection signal received?

Was a Safety Injection signal generated either manually or automatically during the reactor trip response? The question's purpose is to determine if the operator had to respond to an abnormal condition that required a safety injection or respond to the actuation of additional equipment that would not normally actuate on an uncomplicated scram. This question would include any condition that challenged Reactor Coolant System (RCS) inventory, pressure, or temperature severely enough to require a safety injection. A severe steam generator tube leak that would require a manual reactor trip because it was beyond the capacity of the normal at power running charging system should be counted even if a safety injection was not used since additional charging pumps would be required to be started.

Answer: NO. No SI signal was required or received.

5. Was Main Feedwater unavailable or not recoverable using approved plant procedures during the scram response?

If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be restarted during the reactor scram response? The consideration for this question is whether Main Feedwater could be used to feed the steam generators if necessary. The qualifier of “not recoverable using approved plant procedures” will allow a licensee to answer “No” to this question if there is no physical equipment restraint to prevent the operations staff from starting the necessary equipment, aligning the required systems, or satisfying required logic using plant procedures approved for use and in place prior to the reactor scram occurring.

The operations staff must be able to start and operate the required equipment using normal alignments and approved emergency, normal and off-normal operating procedures to feed the minimum number of steam generators required by the EOPs to satisfy the heat sink criteria. Manual operation of controllers/equipment, even if normally automatic, is allowed if addressed by procedure. Situations that require maintenance or repair activities or non-proceduralized operating alignments require an answer of “Yes.” Additionally, the restoration of Feedwater must be capable of feeding the Steam Generators in a reasonable period of time. Operations should be able to start a Main Feedwater pump and start feeding Steam Generators with the Main Feedwater System within about 30 minutes. During startup conditions where Main Feedwater was not placed in service prior to the scram this question would not be considered and should be skipped. If design features or procedural prohibitions prevent restarting Main Feedwater this question should be answered as “No”.

Answer: YES. The loss of power resulted in a complete loss of circulating water and the ability of main feedwater pump turbines to exhaust to the condenser. This question could be answered as “NO” if circulating water, condenser vacuum, and main feedwater could be restored within the 30 minute timeframe, or if an electric driven main feedwater pump was available that did not require condenser vacuum to feed steam generators.

6. Was the scram response procedure unable to be completed without entering another EOP?

The response to the scram must be completed without transitioning to an additional EOP after entering the scram response procedure (e.g., ES01 for Westinghouse). This step is used to determine if the scram was uncomplicated by counting if additional procedures beyond the normal scram response required entry after the scram. A plant exiting the normal scram response procedure without using another EOP would answer this step as “No”. The discretionary use of the lowest level Function Restoration Guideline (Yellow Path) by the operations staff is an approved exception to this requirement. Use of the Re-diagnosis Procedure by Operations is acceptable unless a transition to another EOP is required.

Answer: NO. The reactor trip response procedures were completed without re-entering another EOP.

H 3 BWR Flowchart Basis Discussion

H 3.1 Did an RPS actuation fail to indicate / establish a shutdown rod pattern for a cold clean core?

The purpose of this question is to verify that the reactor actually tripped and had sufficient indication for operations to verify the trip. As long as a plant uses the EOP questions to verify that the reactor tripped without entering the level/pressure control leg of the EOPs, the response to this question should be “No”.

The generic BWROG EPG/SAG Revision 2 Appendix B statement is offered as an example:

Any control rod that cannot be determined to be inserted to or beyond position [02 (Maximum Subcritical Banked Withdrawal Position)] and it has not been determined that the reactor will remain shutdown under all conditions without boron, enter Level/Power Control.

For example: Are all control rods inserted to or beyond position 02 (if no then this is a “Yes” for this PI)? Will the reactor remain subcritical under all conditions without boron (if no then this is a “Yes” for this PI)?

For example: All rods not fully inserted; and, the reactor will not remain shutdown under all conditions without boron then enter level/pressure control (if yes then this is a “Yes” for this PI).

H 3.2 Was pressure control unable to be established following the initial transient?

This question is designed to verify the ability to transfer reactor energy to the environment using the normal pressure control system. The initial cycling of SRVs is typical for some transients in which there was no failure of the normal pressure control system. Initial operation of the SRVs is not indicative of pressure control problems with the normal pressure control system. Therefore, cycling may occur post-trip until the pressure is controlled. Any subsequent cycling after pressure has been controlled would result in a “YES” answer. Some plant designs also may have a setpoint setdown of SRVs which would open additional SRVs and reduce reactor pressure below the normal SRV closing setpoint. Any additional opening of SRVs to control reactor pressure either automatically or manually indicates the inability of the normal pressure control system to operate properly. Stuck open SRV(s) bypass the normal pressure control system and would result in a “YES” for this PI.

For example: A turbine trip occurs and SRVs open to control reactor pressure. The setpoint setdown actuates and reduces reactor pressure from a normal 1025 psig to 930 psig. Following closure of SRVs reactor pressure increases due to decay heat and bypass valves open. This question would be answered “NO”.

For example: A pressure controller failure occurs with scram on high reactor pressure. The SRVs open to control reactor pressure. The setpoint setdown actuates and reduces reactor pressure from a normal 1025 psig to 930 psig. Following closure of SRVs reactor pressure increases due to decay heat and SRVs open again to control reactor pressure. The operator takes manual control of bypass valves and opens the bypass valves to maintain reactor pressure. This question would be answered “YES”. The yes answer is a result of SRVs opening after pressure control was established from the initial transient.

For example: The pressure controller failure occurs with scram on high reactor pressure. The SRVs open to control reactor pressure. Setpoint setdown actuates and reduces reactor pressure from a normal 1025 psig to 930 psig. Following closure of SRVs reactor pressure does not increase because the scram occurred with low decay heat load and Main Steam Line drains were open. This question would be answered “NO”.

H 3.3 Was power lost to any Class 1E Emergency / ESF bus?

Plants with a dedicated High Pressure Core Spray (HPCS) bus do not count the HPCS ESF bus in this PI.

The purpose of this question is to verify that electric power was available after the reactor trip. Loss of electrical power may result in other criteria being met in this PI. This question deals only with electrical power. Should electrical power be maintained or restored within the allowed 10 minutes, the response to this question should be “No”. There is an exemption to this step that permits an Operator to manually restore power within 10 minutes as an acceptable alternative. The exception is limited to those actions necessary to close a breaker(s) or switch(es) from the main control board. Actions requiring access to the back of the control boards or any other remote location would require answering this question as “Yes”. It is acceptable to manipulate more than one switch, such as a sync switch, in the process of restoring power to the bus. It is acceptable to close more than one breaker. It is acceptable to restore power from the emergency AC source, such as the diesel generators, or from off-site power. The additional operator action to restore power to additional buses has been discussed and considered acceptable as long as it can be completed within the time limitations of 10 minutes (chosen to limit the complexity) and the constraints of breaker or switch operation from the main control board. Any actions beyond these would need to be considered as a complication for this question. Because of the wide variation in power distribution designs, voltage, and nomenclature in various plant designs no specific examples are given here. There is an exception for a plant designed with a dedicated High Pressure Core Spray Pump (HPCS) ESF bus. If a plant has a dedicated HPCS ESF bus (one that only provides power to HPCS equipment), then the HPCS ESF bus does not have to be considered in this question. This would be similar to a scram with a loss of HPCI which in and of itself would not count in this PI.

H 3.4 Was a Level 1 Injection signal received?

The consideration of this question is whether or not the operator had to respond to abnormal conditions that required a low pressure safety injection or if the operator had to respond to the actuation of additional equipment that would not normally actuate on an uncomplicated scram. For some plant designs some events result in a high pressure injection signal on vessel level. Automatic or manual initiation of low pressure ECCS indicates the inability of high pressure systems to operate properly or that a significant leak has occurred. Alternately, for plants that do not have a separate high pressure ECCS level signal from their low level ECCS signal, an allowance is made to deviate from this question and answer “Yes” if the system injected.

H 3.5 Was Main Feedwater not available or not recoverable using approved plant procedures during the scram response?

If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be restarted during the reactor scram response? The consideration for this question is whether Main Feedwater could be used to feed the reactor vessel if necessary. The qualifier of “not recoverable using approved plant procedures” will allow a licensee to answer “NO” to this question if there is no physical equipment restraint to prevent the operations staff from starting the necessary equipment, aligning the required systems, or satisfying required logic circuitry using plant procedures approved for use that were in place prior to the scram occurring.

The operations staff must be able to start and operate the required equipment using normal alignments and approved emergency, normal and off-normal operating procedures. Manual operation of controllers/equipment, even if normally automatic, is allowed if addressed by procedure. Situations that require maintenance or repair activities or non-proceduralized operating alignments will not satisfy this question. Additionally, Main Feedwater must be capable of being restored to provide feedwater to the reactor vessel in a reasonable period of time. Operations should be able to start a Main Feedwater pump and start feeding the reactor vessel with the Main Feedwater System within about 30 minutes from the time it was recognized that Main Feedwater was needed. During startup conditions where Main Feedwater was not placed in service prior to the scram, this question would not be considered, and should be skipped.

H 3.6 Following initial transient, did stabilization of reactor pressure/level and drywell pressure meet the entry conditions for EOPs?

Since BWR designs have an emergency high pressure system that operates automatically between a vessel-high and vessel-low level, it is not necessary for the Main Feedwater System to continue operating following a reactor trip. However, failure of the Main Feedwater System to be available is considered to be risk significant enough to require a “Yes” response for this PI. To be considered available, the system must be free from damage or failure that would prohibit restart of the system. Therefore, there is some reliance on the material condition or availability of the equipment to reach the decision for this question. Condenser vacuum, cooling water, and steam pressure values should be evaluated based on the requirements to operate the pump and may be lower than normal if procedures allow pump operation at that lower value.

The estimated 30-minute timeframe for restart of Main Feedwater was chosen based on restarting from a hot condition with adequate reactor water level. Since this timeframe will not be measured directly, it should be an estimation developed based on the material condition of the plant's systems following the reactor trip. If no abnormal material conditions exist, the 30 minutes should be capable of being met. If plant procedures and design would require more than 30 minutes, even if all systems were hot and the material condition of the systems following the reactor trip were normal, a routine time should be used in the evaluation of this question. The judgment of an on-shift licensed SRO should be used in determining if this timeframe is met.

When a scram occurs plant operators will enter the EOPs to respond to the condition. In the case of a routine scram the procedure entered will be exited fairly rapidly after verifying that the reactor is shutdown, excessive cooling is not in progress, electric power is available, and reactor coolant pressures and temperatures are at expected values and controlled. Once these verifications are done and the plant conditions considered “stable” (see guidance in the Definition of Terms section under scram response) operators will exit the initial procedure to another procedure that will stabilize and prepare the remainder of the plant for transition for the use of normal operating procedures. The plant would then be ready to be maintained in Hot Standby, to perform a controlled normal cool down, or to begin the restart process. The criteria in this question are used to verify that there were no other conditions that developed during the stabilization of the plant in the scram response related vessel parameters that required continued operation in the EOPs or re-entry into the EOPs or transition to a follow-on EOP. Maintaining operation in EOPs that are not related to vessel and drywell parameters does not count in this PI.

For example: Suppression Pool level high or low requires entry into an EOP on Containment Control. Meeting EOP entry conditions for this EOP does not count in this PI.

H 4 BWR Case Studies

H 4.1 BWR Case Study 1

A plant experienced an automatic reactor scram as a result of a breaker tripping due to a ground fault on the 34.5kv bus work downstream of the Service Transformer. Loss of service transformer resulted in the loss of power to 2 of 4 balance of plant main busses and one of 3 ESF busses. Emergency Diesel Generator Division 1 started on a loss of power and connected to the ESF bus.

The Main Generator tripped on reverse power and the turbine bypass valves opened to control pressure. No SRVs opened during this event.

Both RPS actuation systems actuated, although for different reasons. The “A” RPS system actuated on loss of power to the Balance of Plant (BOP) (power to RPS “A” MG set) bus since it was powered from a service transformer. With the accompanying loss of power to the condensate/feedwater system components, the “B” RPS system actuated on low reactor water level of 11.4 inches. All control rods inserted to 00 position.

Reactor water level dropped to approximately -75 inches on wide range level instrumentation before the High Pressure Core Spray (HPCS) and Reactor Core Isolation Cooling (RCIC) systems initiated at -41.6 and restored level to the EOP specified band. Level control was transferred to the startup level controller and both HPCS and RCIC were secured.

Primary, secondary, and drywell isolations occurred as designed at -41.6 inches along with the start of the Division III (HPCS) diesel.

A walk down of the switchyard following the reactor scram discovered that a raccoon had entered the service transformer area and caused the ground fault.

Prior to the scram, power was 100% with both main feedwater pumps in service.

Feedwater was unavailable to control level.

Vessel level was restored to the EOP level band (+11.4 inches [low level scram setpoint] to +53.5 inches [high level feedpump trip setpoint]) without any additional scram signals. Drywell pressure was not affected noticeably by this event.

1. Did RPS actuation fail to indicate/establish a shutdown rod pattern for a cold clean core?

Answer: “No”. As indicated Alternate Rod Insertion was not indicated or required.

Alternate yes / no answers as examples:

Answer: “No”. While all rods did not fully insert, reactor engineering, using an approved procedure, ran a computer calculation that determined the reactor would remain shutdown under cold clean conditions.

Answer: “Yes”. All rods did not insert, reactor engineering could not be contacted so operations entered the ATWS leg of EOPs. Subsequent calculation by reactor engineering determined the reactor would remain shutdown under cold clean conditions.

Answer: “Yes”. All rods failed to fully insert.

2. Was pressure control unable to be established following initial transient?

Answer: “No”. The Main Turbine did not trip as a result of the switchyard transient. The turbine did eventually trip on reverse power at which time the turbine bypass valves operated to control reactor pressure.

Alternate yes / no answers as examples:

Answer: “No”. The main turbine tripped resulting in opening of one or more SRVs. Following the initial opening of the SRVs, the main turbine bypass valves opened to control pressure.

Answer: “Yes”. The main turbine tripped resulting in opening of all 20 SRVs. As a result of pressure controller problems operations subsequently manually opened an additional SRV to control reactor pressure.

Answer: “Yes”. The main turbine tripped and as a result of loss of condenser vacuum, one or more SRVs were used to control reactor pressure.

3. Was power lost to any class 1E Emergency/ESF bus?

Answer: “No”. While an ESF bus (Division I) did lose power, the EDG started and restored power to the ESF bus.

Alternate yes / no answers as examples:

Answer: “No”. Power was lost to an ESF bus. The EDG was out of service and power was restored by closing an alternate feed breaker from the control room.

Answer: “Yes”. Power was lost to an ESF bus. The EDG was out of service. Power was restored to the ESF bus by resetting a lockout in the back panels and closing the breaker from the control room.

4. Was a level 1 Injection signal received?

Answer: “No”. Vessel level did decrease to approximately -75 inches resulting in the automatic start of RCIC and HPCS. However, for this plant Level 1 is -150.3 inches.

Alternate yes / no answers as examples:

Answer: “No”. HPCS and RCIC failed to start/run. Level dropped to -110 inches but was stabilized by use of Control Rod Drive (CRD) pumps.

Answer: “Yes”. HPCS and RCIC failed to start/run. Vessel level decreased to near 150.3 inches and operators manually initiated low pressure.

5. Was main feedwater unavailable or not recoverable using approved plant procedures during the scram response?

Answer: “No”. While some of the condensate system pumps lost power resulting in both feedwater pumps tripping, the feedwater system was restored by use of normal procedures. Feedwater was restored, and RCIC/HPCS was secured.

Alternate yes / no answers as examples:

Answer: “No”. Level was restored by RCIC. A condensate and condensate booster pump remained operating. While both feedwater pumps tripped there were no known issues with either pump that would prevent restarting if needed.

Answer: “Yes”. Level was restored by RCIC. A condensate and condensate booster pump remained operating. Both feedwater pumps tripped and problems with condenser vacuum prevented restart of the feedpumps if they had been needed.

6. Following initial transient did stabilization of reactor pressure/level and drywell pressure meet the entry conditions for EOPs?

Answer: “No”. Following the initial event, reactor pressure was controlled by the turbine pressure control system to less than the high reactor pressure entry condition of 1064.7 psig [reactor high pressure scram setpoint]. Vessel level was restored to the EOP level band (+11.4 inches [low level scram setpoint] to +53.5 inches [high level feedpump trip setpoint]) without any additional scram signals. Drywell pressure was not affected noticeably by this event.

Alternate yes / no answers as examples:

Answer: “No”. Following the initial event, reactor pressure was controlled by the turbine pressure control system to less than the high reactor pressure entry condition of 1064.7 psig [reactor high pressure scram setpoint]. Vessel level was restored to the EOP level band (+11.4 inches [low level scram setpoint] to +53.5 inches [high level feedpump trip setpoint]) without any additional scram signals. The vessel was overfed twice, resulting in a high level trip of the feedpump. However, when level decreased to less than the high level trip setpoint, the feed pump was restored to operation by procedure. Drywell pressure was not affected noticeably by this event.

Answer: “Yes”. Following the initial event, reactor pressure was controlled by the turbine pressure control system to less than the high reactor pressure entry condition of 1064.7 psig [reactor high pressure scram setpoint]. Vessel level was restored to the EOP level band (+11.4 inches [low level scram setpoint] to +53.5 inches [high level feedpump trip setpoint]) but startup level control valve problems resulted in an additional low level scram signal.

H 4.2 BWR Case Study 2

A plant received an automatic scram on a Turbine Control Valve Fast Closure as a result of a load reject. The initiating event for the automatic scram was closure of a 500 kV disconnect which was open for maintenance. High winds contributed to the disconnect closing and contacting the energized bus. The pressure exerted by the wind on the disconnect blades overcame the spring counterbalance of the disconnect switch. Additionally, the “Open” position lock bracket on the motor operator was broken. A low impedance ground fault was created through the installed maintenance grounds.

The fault resulted in actuation of the Service Transformer differential lockout and the West 500 kV bus differential lockout. Breakers opened as designed due to the Service transformer lockouts and the West Bus lockouts. This resulted in the loss of one of the 2 service transformers and all plant busses normally powered from this transformer, including safety related busses Division 2 and 3 which were powered from the service transformer. The Division 2 & 3 EDGs subsequently started and appropriately re-energized the ESF buses.

Within 3-5 cycles of the ground fault, breakers opened at a nearby substation de-energizing the remaining 500 kV incoming power to the switchyard. This left the main generator supplying power to some of the in-house loads including Balance of Plant and Division I Safety Related Bus (ESF Division I). The load reject relays then actuated producing a Turbine Control Valve Fast Closure (TCV/FC) signal and a subsequent reactor scram. Approximately 4 seconds later the turbine speed increased to 1900 rpm and generator output frequency increased to 63.5 Hz. Subsequently, the turbine tripped as the generator remained excited and the turbine-generator began coasting down into an under-frequency condition. Generator output voltage remained constant. As the turbine coasted down an under frequency condition occurred resulting in the turbine output breaker opening. This resulted in loss of the Division 1 ESF bus as well as loss of the 2nd service transformer and all remaining balance of plant loads about 2-3 minutes following the initial scram.

In summary, the loss of power to the plant BOP, which resulted in loss of Feedwater and normal pressure control, occurred in stages over several minutes, but still within the initial transient. The ESF buses also lost power but were restored automatically by the D/Gs.

1. Did RPS actuation fail to indicate/establish a shutdown rod pattern for a cold clean core?

Answer: “No”. Alternate Rod Insertion was not indicated or required.

2. Was pressure control unable to be established following initial transient?

Answer: “Yes”. While SRVs opened once on the load reject and steam pressure decreased as the turbine coasted down, the loss of all balance of plant power several minutes later, when the main generator tripped, resulted in loss of pressurized fluid for the hydraulic bypass valves. This resulted in the use of the SRVs to control reactor pressure following the initial scram. Additionally, the loss of the balance of plant power resulted in loss of main condenser cooling which prevented use of the main condenser as a heat sink.

3. Was power lost to any class 1E Emergency/ESF bus?

Answer: “No”. While all ESF busses lost power the EDGs started and restored power automatically to the ESF busses.

4. Was a level 1 Injection signal received?

Answer: “No”. Vessel level did drop to about -42 inches resulting in auto start of RCIC. The level 1 setpoint is -150.3 inches.

5. Was main feedwater unavailable or not recoverable using approved plant procedures during the scram response?

Answer: “Yes”. The loss of balance of plant power after several minutes resulted in loss of all condensate and condensate booster pumps as well as loss of power to condensate and feedwater valves, preventing the use of feedwater to control level. Level was controlled by RCIC.

6. Following initial transient did stabilization of reactor pressure/level and drywell pressure meet the entry conditions for EOPs?

Answer: “No”. Following the initial event, reactor pressure was controlled by the SRVs to maintain the reactor pressure below the EOP entry setpoint of 1067.5 psig [reactor high pressure scram setpoint]. The vessel level was restored to the EOP level band (+11.4 inches [low level scram setpoint] to +53.5 inches [high level feedpump trip setpoint]) by use of RCIC with one additional scram signal on high level. Drywell pressure did increase slightly as a result of loss of cooling but never exceeded the EOP setpoint of 1.23 psig. The EOP for containment control was entered as a result of high suppression pool level due to swell from the heat/mass addition from the operation of systems (e.g., RCIC, SRVs).

