NUMARC 93-01
Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants
- Rev 4A: April 2011 https://www.nrc.gov/docs/ML1111/ML11116A198.pdf
REVISION 4A
NUCLEAR ENERGY INSTITUTE
INDUSTRY GUIDELINE FOR MONITORING
THE EFFECTIVENESS OF MAINTENANCE AT
NUCLEAR POWER PLANTS
April 2011
ACKNOWLEDGMENTS
This guidance document, Industry Guideline for Monitoring the Effectiveness of
Maintenance at Nuclear Power Plants, NUMARC 93-01, was developed by the
NUMARC Maintenance Working Group, Ad Hoc Advisory Committees for the
Implementation of the Maintenance Rule, and an Ad Hoc Advisory Committee
(AHAC) for the Verification and Validation of the Industry Maintenance Guideline.
We appreciate the direct participation of the many utilities who contributed to the
initial development of the guideline and the participation of the balance of the
industry who reviewed and submitted comments to improve the document clarity
and consistency. The dedicated and timely effort of the many AHAC participants,
including their management's support of the effort, is greatly appreciated.
NUMARC also wishes to express its appreciation to the Institute of Nuclear Power
Operations (INPO), and the Electric Power Research Institute (EPRI) who devoted
considerable time and resources to the development and verification and validation
of the industry maintenance guideline.
Revision 4 of this document was developed with the assistance of the NEI
Maintenance Rule Task Force. This task force was formed in 2008 to evaluate
potential changes to the guideline necessary to improve implementation of the rule
throughout the industry.
NOTICE
Neither the Nuclear Energy Institute, nor any of its employees, members,
supporting organizations, contractors or consultants make any warranty, expressed
or implied, or assume any legal responsibility for the accuracy or completeness of, or
assume any liability for damages resulting from any use of, any information
apparatus, method, or process disclosed in this report or that such may not infringe
privately owned rights.
FOREWORD
On July 10, 1991, the NRC published in the Federal Register (56 Fed. Reg. 31324)
its final Maintenance Rule entitled, "Requirements for Monitoring the Effectiveness
of Maintenance at Nuclear Power Plants." In the Supplementary Information
published with the notice, the Commission stated that it, "believes that
effectiveness of maintenance must be assessed on an ongoing basis in a manner
which ensures that the desired result, reasonable assurance that key structures,
systems, and components (SSCs) are capable of performing their intended function,
is consistently achieved."
The importance of proper maintenance to safe and reliable nuclear plant operation
has long been recognized by the nuclear utility industry and the Nuclear Regulatory
Commission (NRC). The industry, since 1982, has placed increased emphasis on
improving maintenance because of its importance in improving overall plant
performance. The industry recognizes that good maintenance is good business and
is not an option, but a necessity. Throughout this period, senior industry
management has continued to assure the NRC of its complete commitment to the
goal of improved safety and reliability through better maintenance. This
commitment to better maintenance is reflected in the efforts of the individual
nuclear utilities, the Institute of Nuclear Power Operations (INPO), the Electric
Power Research Institute (EPRI), the Nuclear Management and Resources Council
(NUMARC), the four Vendor Owners' Groups and others. This commitment has
resulted in improved maintenance facilities, enhanced training of maintenance
personnel, increased emphasis on good maintenance work practices and use of
procedures, better technical guidance, and tracking of equipment performance. It
also includes the formation of special industry centers to assist with maintenance-related issues and applications (e.g., the Nuclear Maintenance Assistance Center).
The industry's efforts have resulted in significant progress in improved
maintenance that is demonstrated by many U.S. plants attaining world-class
performance by all measurements, including industry overall performance
indicators, and NRC inspections and reports.
This industry guideline has been developed to assist the industry in implementing
the final Maintenance Rule and to build on the significant progress, programs and
facilities established to improve maintenance. The guideline provides a process for
deciding which of the many structures, systems, and components that make up a
commercial nuclear power plant are within the scope of the Maintenance Rule. It
then describes the process of establishing plant-specific risk significant and
performance criteria to be used to decide if goals need to be established for specific
structures, systems, trains and components covered by the Maintenance Rule that
do not meet their performance criteria. It should be recognized that establishing
performance criteria can be interpreted as establishing goals. However, as used in
this guideline, the approach is to first establish an acceptable set of performance
criteria and monitor the structures, systems, and components against those criteria.
This is an ongoing activity. If performance criteria are not met, then goals are
established to bring about the necessary improvements in performance. It is
important to note that the word "goal" as used in this guideline is used only where
performance criteria are not being met. This provides the necessary focus at all
levels within the utility where additional attention is needed.
The industry and the NRC recognize that effective maintenance provides
reasonable assurance that key structures, systems, and components are capable of
performing their intended function. The guideline provides focus on maintenance
activities and manpower use to assure the performance of safety functions by
maximizing the use of proven existing industry and individual plant maintenance
programs and minimizing the dilution of critical resources to modify maintenance
programs when established performance criteria are being met.
The Nuclear Regulatory Commission issued a final rulemaking, modifying the
maintenance rule, on July 19, 1999 (64 Fed. Reg. 38551). This rulemaking
established requirements under paragraph (a)(4) for the assessment and
management of risk associated with maintenance activities, and clarified the
applicability of the maintenance rule to all modes of plant operation. NUMARC 93-01
was substantially modified to reflect this rulemaking in Revision 3. Revision 4 of
NUMARC 93-01 provides enhanced clarity regarding scoping non-safety related
Systems, Structures and Components based on their use in Emergency Operating
Procedures, gives guidance on consideration of fire risk in (a)(4) risk assessments,
and provides enhanced consistency in unavailability monitoring between the
Maintenance Rule and Reactor Oversight process by providing clarification to the
definition for monitoring of short term unavailability resulting from periodic system
or equipment realignments.
EXECUTIVE SUMMARY
This Executive Summary provides a brief review of the key elements of this
guideline and describes the overall process for implementation. The Foreword to
this guideline provides a perspective on the purpose and intent of the guideline.
The Industry Guideline Implementation Logic Diagram (Figure 1) describes the
process for implementing the Maintenance Rule. The numbers to the upper right of
the activity or decision on the logic diagram correspond to the section in the
guideline where the topic is discussed.
Utilities are required to identify safety-related and nonsafety-related plant
structures, systems, and components as described by (b)(1) and (b)(2) of the
Maintenance Rule[1]. For structures, systems, and components not within the scope
of the Maintenance Rule, each utility should continue existing maintenance
programs.
As of July 10, 1996, the implementation date of the Maintenance Rule, all SSCs
that are within the scope of the Maintenance Rule will have been placed in (a)(2)
and be part of the preventive maintenance program. To be placed in (a)(2), the SSC
will have been determined to have acceptable performance. In addition, those SSCs
with unacceptable performance will be placed in (a)(1)[2] with goals established.
This determination is made by considering the risk significance as well as the
performance of the structures, systems, and components against plant-specific
performance criteria. Specific performance criteria are established for those
structures, systems, and components that are either risk significant or standby
mode[3]; the balance are monitored against the overall plant level performance
criteria. The high pressure coolant injection system is an example of a system that
is in a standby mode during normal plant operations and is expected to perform its
safety function on demand. It should be recognized that the performance of the
support systems (e.g., HVAC) may have a direct impact on the primary system's
performance (e.g., availability).
[1] The text of the Maintenance Rule is included in this guideline as Appendix A and the methodology for
selecting SSCs to be included within the scope of the rule is further described in Section 8.0 of this
guideline.
[2] As used in this guideline, (a)(1), (a)(2), (a)(3), (a)(4), (b)(1), or (b)(2) refer to the paragraphs included
in 10 CFR 50.65.
[3] Refer to the Appendix B definition and examples of standby systems and trains.
The process addressing (a)(1) includes establishing goals for structures, systems,
trains, or components that have not demonstrated acceptable performance. It
should be noted that the key parameter is performance.
Risk significant structures, systems, and components should be identified by using
an Individual Plant Examination[4], a Probabilistic Risk Assessment, critical safety
functions (e.g., inventory), or other processes, provided they are systematic and
documented.
The performance of structures, systems, or components that are determined to not
meet the performance criteria established by a utility shall be subjected to goal
setting and monitoring that leads to acceptable performance. For those structures,
systems, trains, or components requiring goal setting, it is expected that many goals
will be set at the system level. In addition, train and component level goals should
be established (Section 9.0) when determined appropriate by the utility.
Performance of structures, systems, trains, or components against established goals
will be monitored until it is determined that the goals have been achieved and
performance can be addressed in (a)(2).
Structures, systems, and components within the scope of the Maintenance Rule
whose performance is currently determined to be acceptable will be assessed to
assure that acceptable performance is sustained (Section 10.0).
Although goals are established and monitored as part of (a)(1), the preventive
maintenance and performance monitoring activities are part of (a)(2) and apply to
the structures, systems, and components that are within the scope of the
Maintenance Rule.
Prior to performance of maintenance activities, an assessment of the risk associated
with the activity shall be performed, and the results of this assessment used to
manage the risk impact. The scope of SSCs subject to the risk assessment may be
limited through a risk-informed evaluation process. Risk management is
accomplished through definition of action levels and use of risk management
actions. These actions are specific to a given maintenance activity, and may vary
depending on the magnitude and duration of the risk impact, the nature of the
activity, and other factors (Section 11.0).
[4] As used in this guideline the scope of IPE includes both internal and external events.
Periodic performance assessment and monitoring will be implemented through
utility specific programs that include, as appropriate, event cause determination,
corrective action, consideration of industry operating experience, and trending
(Section 12.0).
Sufficient data and information will be collected and retained so that the
effectiveness of maintenance and monitoring efforts can be determined (Section
13.0).
TABLE OF CONTENTS
1.0 INTRODUCTION
2.0 PURPOSE AND SCOPE
3.0 RESPONSIBILITY
4.0 APPLICABILITY
5.0 DEFINITIONS
6.0 GENERAL REQUIREMENTS
7.0 UTILIZATION OF EXISTING PROGRAMS
8.0 METHODOLOGY TO SELECT PLANT STRUCTURES, SYSTEMS AND COMPONENTS
8.1 Reference
8.2 Guidance
8.2.1 Selection of Plant SSCs
8.2.1.1 Safety-Related SSCs
8.2.1.2 Nonsafety-Related SSCs that Mitigate Accidents or Transients
8.3.1.3 Nonsafety-Related SSCs that are used in Emergency Operating Procedures
8.3.1.4 Nonsafety-Related SSCs Whose Failure Prevents Safety-Related SSCs from Fulfilling Their Safety-Related Functions
8.3.1.5 Nonsafety-Related SSCs Whose Failure Causes Scrams or Actuates Safety Systems
8.3.1.6 SSCs Outside the Scope of the Maintenance Rule
9.0 ESTABLISHING RISK AND PERFORMANCE CRITERIA/GOAL SETTING AND MONITORING
9.1 Reference
9.2 Guidance
9.3 Determining the SSCs Covered by (a)(1)
9.3.1 Establishing Risk Significant Criteria
9.3.1.1 Risk Reduction Worth
9.3.1.2 Core Damage Frequency Contribution
9.3.1.3 Risk Achievement Worth
9.3.2 Performance Criteria for Evaluating SSCs
9.3.3 Evaluating SSCs Against Risk Significant and Performance Criteria
9.3.4 Determining Whether an SSC Level Goal is Required
9.4 Goal Setting and Monitoring
9.4.1 Goal Setting
9.4.1.1 System Level
9.4.1.2 Train Level
9.4.1.3 Component Level
9.4.1.4 Structure Level
9.4.2 Monitoring
9.4.2.1 Monitoring System Level Goals
9.4.2.1 Monitoring Train Level Goals
9.4.2.1 Monitoring Component Level Goals
9.4.2.1 Monitoring Structure Level Goals
9.4.3 Dispositioning of SSCs from (a)(1) to (a)(2)
9.4.4 Unacceptable Performance or Failure Cause Determination And Dispositioning SSCs from (a)(2) to (a)(1)
9.4.5 Maintenance Preventable Functional Failures (MPFFs)
10.0 SSCs SUBJECT TO EFFECTIVE PREVENTIVE MAINTENANCE PROGRAMS
10.1 Reference
10.2 Guidance
10.2.1 Performance of Applicable Preventive Maintenance Activities
10.2.1.1 Periodic Maintenance, Inspection, and Testing
10.2.1.2 Predictive Maintenance, Inspection, and Testing
10.2.1.3 Performance Trending
10.2.2 Ongoing Maintenance Effectiveness Evaluation
10.2.3 Monitoring the Condition of Structures
11.0 ASSESSMENT OF RISK RESULTING FROM PERFORMANCE OF MAINTENANCE ACTIVITIES
11.1 Reference
11.2 Background
11.3 Guidance
11.3.1 Assessment Process, Control, and Responsibilities
11.3.2 General Guidance for the Assessment
11.3.3 Scope of Assessment for Power Operating Conditions
11.3.4 Assessment Methods for Power Operating Conditions
11.3.4.1 Quantitative Considerations
11.3.4.2 Qualitative Considerations
11.3.5 Scope of Assessment for Shutdown Conditions
11.3.6 Assessment Methods for Shutdown Conditions
11.3.6.1 Decay Heat Removal Capability
11.3.6.2 Inventory Control
11.3.6.3 Power Availability
11.3.6.4 Reactivity Control
11.3.6.5 Containment – Primary (PWR)/Secondary (BWR)
11.3.7 Managing Risk
11.3.7.1 Establishing Action Thresholds – Qualitative
11.3.7.2 Establishing Action Thresholds – Quantitative
11.3.7.3 Risk Management Actions
11.3.8 Regulatory Treatment of Compensatory Measures
11.3.9 Documentation
12.0 PERIODIC MAINTENANCE EFFECTIVENESS ASSESSMENTS
12.1 Reference
12.2 Guidance
12.2.1 Review of Goals (a)(1)
12.2.2 Review of SSC Performance (a)(2)
12.2.3 Review of Effectiveness of Corrective Actions
12.2.4 Optimizing Availability and Reliability for SSCs
13.0 DOCUMENTATION
13.1 General
13.2 Documentation of SSC Selection Process
13.2.1 Maintenance Rule Scoping
13.3 Documentation of (a)(1) Activities
13.3 Documentation of (a)(2) Activities
13.4 Documentation of Periodic Assessment
LIST OF ILLUSTRATIONS
Figure 1. Industry Guideline Implementation Logic Diagram
1.0 INTRODUCTION
On July 10, 1991, the final Maintenance Rule, "Requirements for Monitoring the
Effectiveness of Maintenance at Nuclear Power Plants," was published by the
Nuclear Regulatory Commission (NRC) in the Federal Register (56 Fed. Reg. 31324)
as 10 CFR 50.65. The Maintenance Rule will become effective July 10, 1996,
thereby requiring full implementation by that date. The basis for proceeding to
issue the Maintenance Rule as well as expectations for its implementation is
described in the Supplementary Information that accompanied the notice. The
Commission indicated that it is important for the NRC to have a regulatory
framework in place that would provide a mechanism for evaluating the overall
continuing effectiveness of licensees' maintenance programs. The NRC's overall
objective is that structures, systems, and components of nuclear power plants be
maintained so that plant equipment will perform its intended function when
required. The Maintenance Rule (see Appendix A) is characterized as a
performance-based rule providing focus on results rather than programmatic
adequacy.
The Nuclear Regulatory Commission issued a final rulemaking, modifying the
maintenance rule, on July 19, 1999 (64 Fed. Reg. 38551). This rulemaking
established requirements under paragraph (a)(4) for the assessment and
management of risk associated with maintenance activities, and clarified the
applicability of the maintenance rule to all modes of plant operation.
2.0 PURPOSE AND SCOPE
This guideline describes an acceptable approach to meet the Maintenance Rule.
However, utilities may elect other suitable methods or approaches for
implementation. This guideline does not address the many industry programs that
have been put in place to upgrade maintenance and may be used when
implementing the Maintenance Rule. For example, work planning and scheduling,
preventive and corrective maintenance, maintenance procedures, training, post
maintenance testing, work history, cause determination methods and other
maintenance related programs are not discussed.
The major elements of this guideline include:
• Selecting the structures, systems, and components (SSCs)[5] within the scope of
the Maintenance Rule;
• Establishing and applying risk significant criteria;
• Establishing and applying performance criteria;
• Goal setting and monitoring of applicable SSCs to ensure plant and system
functions are reliably maintained and to demonstrate the effectiveness of
maintenance activities;
• Assessing and managing the risk resulting from the performance of maintenance
activities;
• Performing the periodic assessment of performance; and
• Documentation needed to support implementation of the Maintenance Rule.
This guideline provides a process for deciding which of the many SSCs that make
up a commercial nuclear power plant are included within the scope of the
Maintenance Rule. It then describes the process of establishing plant-specific risk
significant and performance criteria to be used to decide if goals need to be
established for specific SSCs covered by the Maintenance Rule. It should be
recognized that establishing performance criteria can be interpreted as establishing
goals. However, as used in this guideline, the approach is to first establish an
acceptable set of performance criteria and monitor the performance. If performance
criteria are not met, then goals are established to bring about the necessary
improvements in performance. The word "goal" as used in these guidelines is used
only where performance criteria are not being met. This provides the necessary
focus at all levels within the utility where additional attention is needed. In most
situations the goal will be identical to the performance criteria that the SSC's
historical performance does not meet. Although goals are set and monitored as part
of (a)(1), the preventive maintenance and performance monitoring activities are
part of (a)(2) and apply to SSCs that are within the scope of the Maintenance Rule.
[5] As used in this guideline, SSCs can mean "structures, systems, and components," or "structures,
systems, or components," depending on use. Where the guideline discusses the need to establish goals
and monitoring, SSCs will include, as applicable, "structures, systems, trains, and/or components."
3.0 RESPONSIBILITY
Each utility will implement a plant-specific program to meet the intent of the
Maintenance Rule. The purpose of this guideline is to assist in developing and
implementing plant-specific programs. This guideline provides flexibility for
individual utility implementation.
4.0 APPLICABILITY
This guideline is applicable to utilities holding an operating license issued in
accordance with 10 CFR 50.21(b) and 50.22.
Periodically, as a result of design changes, modifications to the plant occur that may
affect the maintenance program. These changes should be reviewed to assure the
maintenance program is appropriately adjusted in areas such as risk significance,
goal setting, and performance monitoring.
5.0 DEFINITIONS
The definitions in Appendix B of this guideline are provided to promote consistent
interpretation of the Maintenance Rule. The terms are defined to the extent
possible in accordance with existing industry usage.
6.0 GENERAL REQUIREMENTS
The Maintenance Rule issued on July 10, 1991, requires that licensees: "...shall
monitor the performance or condition of structures, systems, or components, against
licensee-established goals, in a manner sufficient to provide reasonable assurance
that such structures, systems, and components, as defined in paragraph (b), are
capable of fulfilling their intended functions. Such goals shall be established
commensurate with safety and, where practical, take into account industry-wide
operating experience. When the performance or condition of a structure, system, or
component does not meet established goals, appropriate corrective action shall be
taken.
(2) Monitoring as specified in paragraph (a)(1) of this section is not required where it
has been demonstrated that the performance or condition of a structure, system, or
component is being effectively controlled through the performance of appropriate
preventive maintenance, such that the structure, system, or component remains
capable of performing its intended function.
(3) Performance and condition monitoring activities and associated goals and
preventive maintenance activities shall be evaluated at least every refueling cycle
provided the interval between evaluations does not exceed 24 months. The
evaluation shall be conducted, taking into account, where practical, industry-wide
operating experience. Adjustments shall be made where necessary to ensure that
the objective of preventing failures of structures, systems, and components through
maintenance is appropriately balanced against the objective of minimizing
unavailability of structures, systems, and components due to monitoring or
preventive maintenance. In performing monitoring and preventive maintenance
activities, an assessment of the total plant equipment that is out of service should
be taken into account to determine the overall effect on performance of safety
functions."
7.0 UTILIZATION OF EXISTING PROGRAMS
Utilities can utilize their existing program results to support the demonstration
that SSC performance is being effectively controlled through preventive
maintenance. If performance monitoring indicates that SSC performance is
unacceptable, then the cause determination (Section 9.4.4) performed when SSC
performance is unacceptable should correct any equipment or program deficiency.
Goals (including corrective action) set to monitor the effectiveness of changes in
preventive maintenance programs should include the results of the affected
program(s) where appropriate.
This guideline is intended to maximize the use of existing industry programs,
studies, initiatives and data bases.
8.0 METHODOLOGY TO SELECT PLANT STRUCTURES, SYSTEMS,
AND COMPONENTS
8.1 Reference
(b) The scope of the monitoring program specified in paragraph (a)(1) of this section
shall include safety-related and nonsafety related structures, systems, and
components, as follows:
(1) Safety-related structures, systems, or components that are relied upon to remain
functional during and following design basis events to ensure the integrity of the
reactor coolant pressure boundary, the capability to shut down the reactor and
maintain it in a safe shutdown condition, and the capability to prevent or mitigate
the consequences of accidents that could result in potential offsite exposure
comparable to the 10 CFR part 100 guidelines.
(2) Nonsafety-related structures, systems, or components:
(i) That are relied upon to mitigate accidents or transients or are used in plant
emergency operating procedures (EOPs); or
(ii) Whose failure could prevent safety-related structures, systems, and components
from fulfilling their safety-related function; or
(iii) Whose failure could cause a reactor scram or actuation of a safety-related
system.
8.2 Guidance
8.2.1 Selection of Plant SSCs
The utility must first determine which SSCs are within the scope of the
Maintenance Rule by applying the screening criteria below and as presented in
Figure 1.
For the purposes of this guideline, a system is any collection of equipment that is
configured and operated to serve some specific plant function (e.g., provide water
to the steam generators, spray water into the containment, inject water into the
primary system), as defined by the terminology of each utility (e.g., auxiliary
feedwater system, containment spray system, high pressure coolant injection
system).
The scope of the Maintenance Rule, as defined in 10 CFR 50.65(b), is limited to
SSCs that directly affect plant operations, regardless of what organization actually
performs the maintenance activities. For example, electrical distribution equipment
out to the first inter-tie with the offsite distribution system should be considered for
comparison with §50.65(b), and thereafter, possible inclusion under the scope of the
Maintenance Rule. Thus, equipment in the switchyard, regardless of its
geographical location, is potentially within the scope of the Maintenance Rule.
Safety systems may perform not only safety functions but also other functions that
have no safety significance. For example, the system may be used to transfer water
from one part of the plant to another as well as provide additional safety functions.
The safety functions of SSCs are addressed by the Maintenance Rule.
It is necessary to identify and document the functions for both safety and nonsafety
SSCs that cause the SSCs to be within the scope of the Maintenance Rule. There
are two basic areas where this information is needed. First, the function which the
system or structure provides is needed so all failures can be evaluated against those
functional aspects. Not all failures that cause loss of some function are functional
failures under the maintenance rule because, for systems with multiple design
functions, the function lost may not be within the scope of the maintenance rule,
and further, components not required to meet this function that causes the system
to be within the scope of the rule may be excluded unless they meet another scoping
criterion. Secondly, when removing SSCs from service, it is important to be aware of
what function is being lost so the impact of removing multiple equipment from
service can be determined.
As an alternative approach, licensees may use a functional basis to determine which
SSCs must be monitored within the scope of the rule. That is, the licensee may
determine all the functions performed by the SSCs and include within the scope of
the maintenance rule only those functions, and the associated SSCs that fulfill
those functions, that meet the scoping criteria of the rule.
EXAMPLES[6] OF SSCs THAT ARE WITHIN THE SCOPE OF THE
MAINTENANCE RULE BUT CONTAIN COMPONENTS OR
FUNCTIONS THAT ARE NOT RELATED TO SAFETY AND MAY BE
OUTSIDE THE SCOPE OF THE MAINTENANCE RULE
• CHEMICAL VOLUME AND CONTROL SYSTEMS (CVCS)*
− SAFETY FUNCTION - HIGH HEAD INJECTION
− NONSAFETY FUNCTION - PRIMARY LOOP CLEANUP
• EMERGENCY CORE COOLING SYSTEM
− SAFETY FUNCTION - HIGH PRESSURE INJECTION
− NONSAFETY FUNCTION - FILL SAFETY INJECTION
* SEE APPENDIX D FOR ADDITIONAL DETAILS
8.2.1.1 Safety-Related SSCs
Are the safety-related SSCs relied upon to remain functional during and following
design basis events to ensure:
• The integrity of the reactor coolant pressure boundary; or
• The capability to shut down the reactor and maintain it in a safe shutdown
condition; or
• The capability to prevent or mitigate the consequences of accidents that could
result in potential offsite exposure comparable to 10 CFR Part 100 Guidelines?
[6] All examples are for illustration purposes only and may not be true for a specific plant. Each utility
should examine its own plant for specific applicability.
EXAMPLES OF AVAILABLE INFORMATION SOURCES OF SAFETY-RELATED SSCs
• FINAL SAFETY ANALYSIS REPORT (FSAR)
• Q-LIST
• MASTER EQUIPMENT LIST
A yes answer to any of the above will identify that the SSCs are within the scope of
the Maintenance Rule.
8.2.1.2 Nonsafety-Related SSCs that Mitigate Accidents or Transients
Are the nonsafety-related SSCs relied upon to mitigate accidents or transients?
This step requires utilities to determine which nonsafety SSCs are needed to
mitigate accidents or transients as described in the plant's Final Safety Analysis
Report (FSAR).
EXAMPLES OF NONSAFETY SSCs THAT ARE USED IN FSAR
ANALYSIS TO MITIGATE ACCIDENTS
• CONDENSATE STORAGE TANK (SUPPLY TO AUXILIARY
• FIRE SUPPRESSION SYSTEM
• BORIC ACID TRANSFER SYSTEM USED FOR EMERGENCY
BORATION AND MAKE-UP TO THE REFUELING WATER
STORAGE TANK
A yes answer will identify that the SSCs are within the scope of the Maintenance
Rule.
8.2.1.3 Nonsafety-Related SSCs that are used in Emergency Operating
Procedures
Are the nonsafety-related SSCs used in plant Emergency Operating Procedures
(EOPs)?
• Nonsafety-related SSCs that are necessary to be in the Maintenance Rule scope by this
paragraph are those explicitly used in the EOPs that provide a mitigating function.
• SSCs used in plant EOPs are required for mitigation of the event/symptom that
necessitated entry into the EOP.
• Severe Accident Management Guidelines (SAMGs) are not considered to be
EOPs. Equipment described only in SAMGs would not be in scope of the
Maintenance Rule unless otherwise required by paragraph 50.65(b).
• Equipment used in support of 10 CFR 50.54(hh)(2) (Loss of Large Areas) would
not be in scope of the Maintenance Rule unless otherwise required by paragraph
50.65(b).
• Only those SSCs under licensee control need be included in the Maintenance Rule
scope.
• When the EOPs direct the user to another procedure, the associated SSCs required to
perform the EOP mitigating function are included in the scope of the Maintenance Rule.
• SSCs whose use is implied and are necessary to perform the EOP steps in the necessary
response times, such as emergency lighting or communication SSCs, are included in the
scope of the Maintenance Rule.
• Since the Maintenance Rule is a performance-based regulation, licensees have the
flexibility to add or remove SSCs from the scope of 10 CFR 50.65(b) if an adequate
technical basis exists for including or excluding the SSC in question.
For clarity and universal understanding regarding these scoping criteria, the following
definitions are offered:
Explicitly used means those SSCs specifically called out in the EOP by tag identification
or noun name that provide a mitigating function, and includes those SSCs required to
support the explicitly used SSCs even though they are not called out in the EOP. For
example, all SSCs associated with an instrument loop supporting a control room
instrument that is specifically called out in the EOP are considered explicitly used.
Implied use means those SSCs not specifically called out in the EOP, but are understood
to be essential for successful completion of the associated mitigating EOP step, although
they may not directly address or mitigate the event.
Mitigate or Mitigating means actions or steps taken to lessen the severity or the adverse
consequences of the event/symptom that necessitated entry into the EOP.
8.2.1.4 Nonsafety-Related SSCs Whose Failure Prevents Safety-Related
SSCs from Fulfilling their Safety-Related Function
Will the failure of nonsafety-related SSCs prevent safety-related SSCs from
fulfilling their safety-related function?
This step requires that each utility investigate the systems and system
interdependencies to determine failure modes of nonsafety-related SSCs that will
directly affect safety-related functions.
As used in this section of the guideline, the term "directly" applies to
nonsafety-related SSCs:
• Whose failure prevents a safety function from being fulfilled; or
• Whose failure as a support SSC prevents a safety function from being fulfilled.
A yes answer identifies that the nonsafety-related SSCs are within the scope of the
Maintenance Rule.
A utility should rely on actual plant-specific and industrywide operating experience,
prior engineering evaluations such as PRA, IPE, IPEEE, environmental
qualification (EQ), and 10 CFR 50 Appendix R analyses.
Industrywide operating experience is reviewed7 for plant-specific applicability and,
where appropriate, is included in utility specific programs and procedures. It is
appropriate to use this information to the extent practical to preclude unacceptable
performance experienced in the industry from being repeated. An event that has
occurred at a similarly configured plant should be considered for applicability to the
reviewing utility.
The determination of hypothetical failures that could result from system
interdependencies but have not previously been experienced is not required.
Failures subsequent to implementation of this guideline shall be addressed in the
determination of cause, corrective action, and performance monitoring as described
in Sections 8.0, 9.0 and 10.0.
7 The review of industry operating experience for scoping should include two refueling cycles or
thirty-six months back from July 10, 1996.
EXAMPLES OF NONSAFETY-RELATED SSCs WHOSE FAILURE
PREVENTS SAFETY-RELATED SSCs FROM FULFILLING THEIR
SAFETY-RELATED FUNCTION
• A NONSAFETY-RELATED INSTRUMENT AIR SYSTEM THAT
OPENS CONTAINMENT ISOLATION VALVES FOR PURGE AND
VENT
• A NONSAFETY-RELATED FIRE DAMPER IN STANDBY GAS
TREATMENT SYSTEM WHOSE FAILURE WOULD IMPAIR AIR
FLOW
• IN SOME CASES THE CONDENSATE STORAGE TANK IS NOT
SAFETY-RELATED BUT IS A SOURCE OF WATER FOR ECCS
• FAILURE OF A NONSAFETY SYSTEM FLUID BOUNDARY
CAUSING LOSS OF A SAFETY SYSTEM FUNCTION (e.g., HEATING
SYSTEM PIPING OVER A SAFETY-RELATED ELECTRICAL PANEL)
8.2.1.5 Nonsafety-Related SSCs Whose Failure Causes a Reactor
Scram or Actuates Safety Systems
Has failure of the nonsafety related SSCs caused a reactor SCRAM or actuation of
safety related systems at your plant or a plant of similar design?
This step requires utilities to determine, on the basis of utility specific and
industrywide operating experience, those nonsafety related SSCs whose failure
caused a reactor scram or actuation of a safety related system.
A yes answer identifies that the SSCs are within the scope of the Maintenance
Rule.
A utility should rely on actual plant-specific and industrywide operating experience,
prior engineering evaluations such as PRA, IPE, IPEEE, environmental
qualification (EQ), and 10 CFR 50 Appendix R analyses.
Industrywide operating experience is reviewed8 for plant-specific applicability and,
where appropriate, is included in utility specific programs and procedures. It is
appropriate to use this information to the extent practical to preclude unacceptable
performance experienced in the industry from being repeated. An event that has
occurred at a similarly configured plant should be considered for applicability to the
reviewing utility.
The determination of hypothetical failures that could result from system
interdependencies but have not been previously experienced is not required.
Failures subsequent to implementation of this guideline shall be addressed in the
determination of cause, corrective action, and performance monitoring as described
in Sections 8.0, 9.0 and 10.0.
In summary, licensees should consider the following SSCs to be within the scope of
the rule:
1. SSCs whose failure has caused a reactor scram or actuation of a safety-related
system at their site.
2. SSCs whose failure has caused a reactor scram or actuation of a safety-related
system at a site with a similar configuration.
3. SSCs identified in the licensee’s analysis (e.g., FSAR, IPE) whose failure would
cause a reactor scram or actuation of a safety-related system.
A licensee may exclude SSCs that meet criteria 2 or 3 if they have demonstrated by
analysis (e.g., FSAR, IPE) and by operational experience that the design or
configuration of an SSC is fault-tolerant through redundancy or installed standby
spares such that a reactor scram or actuation of a safety-related system is
implausible.
8 See footnote 7.
EXAMPLES OF FSAR NONSAFETY-RELATED COMPONENT
TRANSIENT INITIATORS
• TURBINE TRIPS
• LOSS OF FEEDWATER
• LOSS OF INSTRUMENT AIR
EXAMPLES OF NONSAFETY-RELATED SSCs WHOSE FAILURE CAN
CAUSE A TRIP
• TURBINE/GENERATOR
• NON-ESF BUSSES THAT POWER REACTOR COOLANT PUMPS
• ROD CONTROL SYSTEM SUCH THAT MULTIPLE RODS DROP
INTO THE CORE
EXAMPLE OF NONSAFETY-RELATED SSCs WHOSE FAILURE CAN
CAUSE ACTUATION OF A SAFETY SYSTEM
• RADIATION MONITOR (e.g., ISOLATES CONTROL ROOM
VENTILATION)
8.2.1.6 SSCs Outside the Scope of the Maintenance Rule
SSCs that do not meet the above criteria are outside the scope of the Maintenance
Rule. These SSCs will continue to have appropriate maintenance activities
performed on them. For these SSCs, the degree of maintenance attention will be
dependent upon factors such as the consequence of SSC failure on power production
and economic importance.
EXAMPLES OF CATEGORIES OF EQUIPMENT THAT ARE
OUTSIDE THE SCOPE OF THE MAINTENANCE RULE UNLESS
THEY MEET THE GUIDANCE OF PARAGRAPHS 8.2.1.2, 8.2.1.3,
8.2.1.4 or 8.2.1.5
• FIRE PROTECTION SSCs
−FIRE PROTECTION SSCs THAT ARE IDENTIFIED
UNDER 10 CFR PART 50, APPENDIX R REQUIREMENTS
ARE NONSAFETY-RELATED AND THEREFORE ARE NOT
INCLUDED WITHIN THE SCOPE OF THE MAINTENANCE
RULE.
• SEISMIC CLASS II SSCs INSTALLED IN PROXIMITY WITH
SEISMIC CLASS I SSCs
−SEISMIC CLASS II SSCs ARE NOT INCLUDED WITHIN
THE SCOPE OF THE MAINTENANCE RULE.
• SECURITY SSCs
−THE SSCs USED FOR THE SECURITY OF NUCLEAR
POWER PLANTS ARE NONSAFETY AND THEIR
MAINTENANCE PROVISIONS ARE ADDRESSED
SEPARATELY UNDER THE REQUIREMENTS OF 10 CFR
PART 73. SECURITY SSCs ARE NOT INCLUDED WITHIN
THE SCOPE OF THE MAINTENANCE RULE.
• EMERGENCY FACILITIES DESCRIBED IN THE
−EXAMPLES INCLUDE THE TECHNICAL SUPPORT
CENTER (TSC), OPERATIONS SUPPORT CENTER (OSC),
AND OTHER EMERGENCY OPERATING FACILITIES
(EOFs).
9.0 ESTABLISHING RISK AND PERFORMANCE CRITERIA/GOAL
SETTING AND MONITORING
9.1 Reference
Each holder of an operating license under §§ 50.21 (b) or 50.22 shall monitor the
performance or condition of structures, systems, and components against licensee
established goals, in a manner sufficient to provide reasonable assurance that such
structures, systems, and components, as defined in paragraph (b), are capable of
fulfilling their intended functions. Such goals shall be established commensurate
with safety and, where practical, take into account industry-wide operating
experience. When the performance or condition of a structure, system, or
component does not meet established goals, appropriate corrective action shall be
taken.
9.2 Guidance
Once the selection of those SSCs determined to be within the scope of the
Maintenance Rule (Section 8.0) has been completed, it is then necessary to establish
risk significant and performance9 criteria to initially determine which SSCs must
have goals established and monitoring activities performed in accordance with
(a)(1). For SSCs that do not meet performance criteria, a cause determination is
performed and, if appropriate, goals are established commensurate with an SSC's
safety significance and performance. Monitoring the performance of the SSCs
against established goals is intended to provide reasonable assurance that the SSCs
are proceeding to acceptable performance.
All SSCs determined to be within the scope of the Maintenance Rule are subject to
an effective PM program as indicated by (a)(2) (see Section 10.0). SSCs that are
within the scope of (a)(2) could be included in the formal PM program, be inherently
reliable (e.g., visual inspection during walkdowns to meet licensee requirements
that already exist), or be allowed to run to failure (provide little or no contribution
to system safety function). When SSCs in (a)(2) do not perform acceptably, they are
evaluated to determine the need for goal setting and monitoring under the
requirements of (a)(1). The number of SSCs monitored under the requirements of
(a)(1) can vary greatly due to factors unrelated to the quality of a licensee’s
maintenance program; therefore, the number of SSCs monitored under the
requirements of (a)(1) should not be used as an indicator of the quality of a
licensee’s maintenance program.
9 See definition.
9.3 Determining the SSCs Covered by (a)(1)
This section explains how to determine which SSCs that are under the scope of the
Maintenance Rule will have goals and monitoring established in accordance with
(a)(1). Establishing both risk significant criteria (Section 9.3.1) and performance
criteria (Section 9.3.2) is necessary to provide a standard to measure the
performance of SSCs (Section 9.3.3).
9.3.1 Establishing Risk Significant Criteria
Risk significant criteria should be established to determine which of the SSCs are
risk significant. Risk significant criteria should be developed using any of the
following methods:
• Individual Plant Examination (IPE),
• Plant-specific Probabilistic Risk Assessment (PRA),
• Critical safety functions (e.g., vessel inventory control) system performance
review,
• Other appropriately documented processes.10
Utilities may find the following sources provide useful data for monitoring risk
significant SSC performance:
• Preventive Maintenance (PM) program results,
• Evaluation of industrywide operating experience, or
• Generic failure data.
Most of the methods described below identify risk significant SSCs with respect to
core damage. It is equally important to identify as risk significant those SSCs that
prevent containment failure or bypass that could result in an unacceptable release.
Examples might include the containment spray system, containment cooling
system, and valves that provide the boundary between the reactor coolant system
and low pressure systems located outside containment.
10 The following NUREGs describe other processes that could be used for this purpose:
NUREG/CR-5424, "Eliciting and Analyzing Expert Judgment"; and NUREG/CR-4962, PLG-0533, "Methods for the
Elicitation and Use of Expert Opinion in Risk Assessment."
Examples of risk determination methods are described in NUREG/CR-5695, "A
Process for Risk-Focused Maintenance." Other methods that can assist a utility in
identifying risk significant SSCs and enable appropriate maintenance prioritization
and goal setting are included in: NUREG/CR-4550, "Analysis of Core Damage
Frequency"; NUREG/CR-3385, "Measures of Risk Importance"; NUREG/CR-5692,
"Generic Risk Insights for General Electric Boiling Water Reactors"; and
NUREG/CR-5637, "Generic Risk Insights for Westinghouse and Combustion
Engineering Pressurized Water Reactors". In addition, the PSA Application Guide,
EPRI Report TR-105396(a) could be used as a reference source for establishing SSC
risk significance.
Work done to date on symptom-based emergency operating procedures as well as
IPE vulnerability assessments may be used to establish risk significant criteria to
screen SSCs, and to select those SSCs required to fulfill a critical safety function.
An SSC could be risk significant for one failure mode and non-risk significant for
others. An example of an SSC that is risk significant for one failure mode and
non-risk significant for another is as follows: Blowdown valves on steam generators
perform a safety function to close on isolation. However, the open position function
is to maintain water chemistry which is a nonsafety function. Additionally, many
SSCs that are functionally important in modes other than power operation, such as
shutdown, may be identified by some normally employed analysis methods (e.g.,
Engineering Analysis, IPE/PRA, etc.). These should be determined by an
assessment of their functional importance in other modes and a review of events
and failures that have occurred during these modes.
Entry into a Technical Specification Limiting Condition for Operation, although
important, is not necessarily risk significant.
Risk significant SSCs can be either safety-related or nonsafety-related. There are
risk significant systems that are in a standby mode and when called upon to
perform a safety function, are required to be available and reliable (e.g., high
pressure coolant injection).
Another methodology that could be used to establish risk significance is a reliability
approach to maintenance. Plants which have completed reliability based
maintenance assessments for any systems that are risk significant could find data
that supports the determination of SSCs necessary to perform critical safety
functions. These reliability assessments should indicate that functional importance
is considered for all plant modes, plant failure experience has been reviewed and
summarized, and potential failures have been identified and their likelihood
considered. A reliability based maintenance approach can also provide the basis for
a preventive maintenance activity, including component monitoring.
Risk significant SSCs may be determined in accordance with a PRA similar to that
used in response to GL 88-20, "Individual Plant Examination for Severe Accident
Vulnerabilities." The assumptions developed for GL 88-20 could also be used in the
calculation of the total contribution to core damage frequency (CDF) and 10 CFR Part 100 type releases as a basis for establishing plant-specific risk significant
criteria.
If a utility selects a method based on PRA to establish risk significance, it should
begin the process by assembling a panel of individuals experienced with the plant
PRA and with operations and maintenance. The panel should utilize their expertise
and PRA insights to develop the final list of risk significant systems.
NUREG/CR-5424 or NUREG/CR-4962 may be used as a guideline in structuring the panel. The
panel should review input from all three specific risk importance calculational
methods listed and described in Sections 9.3.1.1, 9.3.1.2 and 9.3.1.3 in making its
judgment regarding risk significant systems. It should be noted that each of these
methods will identify a different set of SSCs based upon differing concepts of
importance. Each method is useful in providing insights into risk significant SSC
selection, and all of them should be used in the decision making process.
Many currently used PRA software packages provide information on
Fussell-Veseley Importance and Risk Reduction Importance. Not all software includes
techniques that utilize accident sequence failure combinations (cut sets) and some
adaptation of the software may be required to appropriately establish risk
significant SSCs.
Utilities may use additional sensitivity methods (i.e., Birnbaum, Fussell-Veseley,
etc.) if they have been performed and are readily available. The use of additional
computer software is not required if the three methods (RRW, RAW, 90% CDF)
have been performed. If additional sensitivity methods are used, an acceptable
criteria (i.e., threshold) should be developed or the expert panel could use the
unprocessed information as a basis for determining risk significance.
The use of an expert panel would compensate for the limitations of PRA
implementation approaches resulting from the PRA structure (e.g., model
assumptions, treatment of support systems, level of definition of cut sets, cut set
truncation, shadowing effect of very large (high frequency) cut sets, and inclusion of
repair or restoration of failed equipment) and limitations in the meanings of the
importance measures.
If desired by the utility, the expert panel may be used for additional functions. The
expert panel, or a similarly-established utility group could provide assistance in
identifying SSCs that should have goals established, review the periodic
assessment, or provide insight on other elements of the maintenance rule.
9.3.1.1 Risk Reduction Worth
The following are two alternative methods for applying Risk Reduction Worth11
techniques in the identification of risk significant SSCs. The two methods are
similar, but the first normalizes the Risk Reduction Worth by the sum of all
maintenance related Risk Reduction Worths, while the second uses Risk Reduction
Worth compared to overall Core Damage Frequency.
Method A: An SSC would probably be considered risk significant if its Risk
Reduction Importance Measure contributes to at least 99.0 percent of the
cumulative Risk Reduction Importances.
Specifically, risk significant SSCs can be identified by performing the following
sequential steps:
• Calculate the Risk Reduction Worth for the individual SSCs and rank in
decreasing order.
• Eliminate Risk Reduction Worths that are not specifically related to
maintenance (e.g., operator error and external or initiating events).
• Normalize the individual SSC Risk Reduction Worths by the sum of all the Risk
Reduction Worths related to maintenance. These are the Risk Reduction
Importance Measures for the individual SSCs, ranked by their contribution and
expressed as a percentage.
• SSCs that cumulatively account for about 99.0 percent of the sum of Risk
Reduction Importances related to maintenance should be provided to the expert
panel as an input in risk determination.
11 Risk Reduction Worth is the decrease in risk if the SSC is assumed to be perfectly reliable for all
failure modes (e.g., failure to start and failure to run). NUREG/CR-3385, "Measures of Risk Importance
and their Applications."
Method B: Risk Reduction Worth may be used directly to identify risk significant
SSCs. An SSC would probably be considered risk significant if its Risk Reduction
Worth exceeds 0.5 percent of the overall Core Damage Frequency (Risk Reduction
Worth >1.005). These may be identified by performing the following sequential
steps:
• Calculate the Risk Reduction Worth for the individual SSCs and rank in
decreasing order.
• Eliminate Risk Reduction Worths that are not specifically related to
maintenance (e.g., operator error and external or initiating events).
• SSCs whose Risk Reduction Worth is > 0.5 percent of the overall Core Damage
Frequency should be provided to the expert panel as an input in risk
determination.
9.3.1.2 Core Damage Frequency Contribution
An SSC would probably be considered risk significant if it is included in cut sets
that, when ranked in decreasing order, cumulatively account for about 90 percent of
the Core Damage Frequency.
Specifically, risk significant SSCs can be identified by performing the following
sequential steps:
• Identify the cut sets that account for about 90 percent of the overall Core
Damage Frequency.
• Eliminate cut sets that are not related to maintenance (e.g., operator error and
external or initiating events).
• SSCs that remain should be provided to the expert panel as an input in risk
determination.
9.3.1.3 Risk Achievement Worth
An SSC would probably be considered risk significant if its Risk Achievement
Worth12 shows at least a doubling of the overall Core Damage Frequency and
should be provided to the expert panel as an input in risk determination.
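The three screening calculations of Sections 9.3.1.1 through 9.3.1.3 can be run side by side on a small cut-set model to show that each flags a different set of SSCs. The Python example below is an added illustration, not part of the NEI guideline: the basic events, probabilities and cut sets are constructed, the rare-event approximation is assumed, Risk Reduction Worth and Risk Achievement Worth are taken as the ratios CDF/CDF(p=0) and CDF(p=1)/CDF, and the 90 percent step is read as dropping non-maintenance events from the top cut sets.

```python
from math import prod

# Constructed basic events: name -> (failure probability, maintenance-related?)
BASIC_EVENTS = {
    "EDG_A":    (0.05,  True),
    "EDG_B":    (0.05,  True),
    "AFW_PUMP": (0.01,  True),
    "HPI_PUMP": (0.02,  True),
    "SW_VALVE": (0.001, True),
    "CST_XMTR": (0.001, True),
    "OP_ERR":   (0.1,   False),  # operator error: eliminated from every ranking
}

# Constructed minimal cut sets: (initiating-event frequency per year, basic events)
CUT_SETS = [
    (1e-2, ("EDG_A", "EDG_B")),
    (1e-2, ("AFW_PUMP", "OP_ERR")),
    (1e-3, ("HPI_PUMP", "EDG_A")),
    (1e-3, ("SW_VALVE", "OP_ERR")),
    (1e-3, ("CST_XMTR", "HPI_PUMP")),
]


def cut_set_freq(cut_set, override=None):
    """Frequency of one cut set; override pins selected event probabilities."""
    freq, events = cut_set
    override = override or {}
    return freq * prod(override.get(e, BASIC_EVENTS[e][0]) for e in events)


def cdf(override=None):
    """Core damage frequency as the sum of cut sets (rare-event approximation)."""
    return sum(cut_set_freq(cs, override) for cs in CUT_SETS)


def maintenance_events():
    return [e for e, (_, maint) in BASIC_EVENTS.items() if maint]


def rrw(event):
    """Ratio form: base CDF over CDF with the SSC assumed perfectly reliable."""
    perfect = cdf({event: 0.0})
    return float("inf") if perfect == 0 else cdf() / perfect


def raw(event):
    """Ratio form: CDF with the SSC assumed failed over base CDF."""
    return cdf({event: 1.0}) / cdf()


def rrw_method_a(cumulative=0.99):
    """Method A: rank normalized CDF decreases, keep SSCs up to ~99 percent."""
    decrease = {e: cdf() - cdf({e: 0.0}) for e in maintenance_events()}
    total = sum(decrease.values())
    selected, running = [], 0.0
    for event in sorted(decrease, key=decrease.get, reverse=True):
        if running >= cumulative:
            break
        selected.append(event)
        running += decrease[event] / total
    return selected


def rrw_method_b(threshold=1.005):
    """Method B: RRW above 1.005, i.e. more than 0.5 percent of overall CDF."""
    return [e for e in maintenance_events() if rrw(e) > threshold]


def cdf_contribution(fraction=0.90):
    """Maintenance-related SSCs in the cut sets making up ~90 percent of CDF."""
    total = cdf()
    selected, running = set(), 0.0
    for cs in sorted(CUT_SETS, key=cut_set_freq, reverse=True):
        if running >= fraction * total:
            break
        running += cut_set_freq(cs)
        selected.update(e for e in cs[1] if BASIC_EVENTS[e][1])
    return selected


def raw_screen(threshold=2.0):
    """SSCs whose assumed failure at least doubles the overall CDF."""
    return {e for e in maintenance_events() if raw(e) >= threshold}


def panel_input():
    """Map each flagged SSC to the screening methods that flagged it."""
    screens = {
        "RRW-A": rrw_method_a(),
        "RRW-B": rrw_method_b(),
        "90% CDF": cdf_contribution(),
        "RAW": raw_screen(),
    }
    flagged = {}
    for method, sscs in screens.items():
        for ssc in sscs:
            flagged.setdefault(ssc, []).append(method)
    return flagged


if __name__ == "__main__":
    print(f"Base CDF: {cdf():.3e} per year")
    for ssc, methods in panel_input().items():
        print(f"{ssc:9s} RRW={rrw(ssc):7.4f} RAW={raw(ssc):6.2f} {methods}")
```

In this constructed model SW_VALVE is flagged only by Risk Achievement Worth (a highly reliable component whose failure would matter) and CST_XMTR by no method, which is the kind of disagreement the expert panel is asked to weigh.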
9.3.2 Performance Criteria for Evaluating SSCs
Performance criteria for evaluating SSCs are necessary to identify the standard
against which performance is to be measured. Criteria are established to provide a
basis for determining satisfactory performance and the need for goal setting. The
actual performance criteria used should be SSC availability, reliability, or condition.
The performance criteria could be quantified to a single value or range of values.
For example, if a utility wanted to maintain an availability of 95 percent for a
particular system because that was the assumption used in the PRA, then the 95
percent value would be the performance criteria. If the performance criteria are not
met, then a goal could be set at a value equal to or greater than 95 percent.
Additionally, an example of condition as a performance criteria would be a case in
which a utility wanted to maintain the wall thickness of a piping system to comply
with the ASME code requirements. The utility would establish some acceptable
value for wall thickness and monitor by ultrasonic testing or other means.
If performance criteria are not met, the basis for the criteria should be reviewed to
determine if goal setting is required and the appropriate goal value established. It
should be recognized that while goals and performance criteria may have the same
value and units, goals are only established under (a)(1) where performance criteria
are not being met and are meant to provide reasonable assurance that the SSCs are
proceeding to acceptable performance.
Specific performance criteria are established for all risk significant SSCs and for
non-risk significant SSCs that are in a standby (not normally operating) mode.
Standby systems (either risk significant or non-risk significant and safety-related or
nonsafety-related) may only affect a plant level criteria if they fail to perform in
response to an actual demand signal. This means that a standby system could be
failed but its inability to perform its intended function is not known until it is
required to perform in response to a demand signal or during testing (e.g., a
surveillance test to determine operability). The mode in which most standby
system failures are observed is during testing. Because plant transients occur less
frequently, failure on demand provides minimal information. For this reason, a
plant level criteria is not a good indicator or measurement of performance.
12 Risk Achievement Worth is the increase in risk if the SSC is assumed to be failed for all failure
modes (e.g., failure to start and failure to run). NUREG/CR-3385, "Measures of Risk Importance and
their Applications."
The performance criteria for a standby system can be qualitatively stated as
"initiates upon demand and performs its intended function." The reliability of a
standby system to satisfy both criteria can be quantitatively established as
calculated in PRA methodology.
Plant level performance criteria are established for all remaining non-risk
significant normally operating SSCs. However, there may be some non-risk
significant SSCs whose performance cannot be practically monitored by plant-level
criteria. Should this occur, other performance criteria should be established, as
appropriate (e.g., repetitions of safety function failures attributable to the same
maintenance-related cause).
All risk significant SSCs determined to have acceptable performance are placed in
(a)(2) and monitored against performance criteria established for risk significant
SSCs. An example of the process is as follows:
• SSC is determined to be in scope of Maintenance Rule;
• SSC is determined to be risk significant;
• SSC performance criteria are established (e.g., the criteria could be an
acceptable level of reliability and availability/unavailability as appropriate.);
• SSC performance is determined to meet the established criteria; and
• SSC performance is monitored under (a)(2) against performance criteria
established for risk significant SSCs.
Those non-risk significant SSCs that are in standby and have acceptable
performance are also addressed under (a)(2) and may be monitored by evaluating
surveillance performance.
Risk significant SSCs and non-risk significant SSCs that are in standby that are
determined to have unacceptable performance, as defined in Section 9.3.4, are
addressed under (a)(1), have goals established, and performance monitored to those
goals.
Remaining non-risk significant SSCs (those normally operating) are addressed
under (a)(2) and performance is monitored against plant level criteria. In the event
a plant level performance criteria is not met, a cause determination will be
conducted to determine whether the failure of a SSC within the scope of the
maintenance rule was responsible and, if so, whether this failure was an MPFF. In
this case, the utility may address the SSC under (a)(1) and establish a goal and
monitor performance to that goal or continue to address performance under (a)(2)
after taking corrective action. The performance criteria selected should monitor
what included it in the scope of the maintenance rule. For example, automatic reactor scrams may be established as the performance criteria that is to be
monitored to demonstrate the effectiveness of preventive maintenance for a given
system.
If the function of the scoped system is lost and it causes a scram, the cause
determination has to be completed to determine if it is an MPFF. If it is, the MPFF
has to be tracked. If a second scram occurs that is caused by the same failure (i.e.,
repetitive) or a plant-level performance criteria is not met, a goal has to be
established; it may be established at the train or component level. However,
failures that do not cause a scram or actuation of a safety system do not have to be
tracked.
For example, Plant A has two 50 percent capacity circulating water pumps that
provide cooling to the condenser. Plant B has three 50 percent capacity circulating
water pumps. Assuming loss of circulating water caused both reactors to scram, the
system is within maintenance rule scope for both Plant A and Plant B. If Plant A
loses one pump it causes the plant to scram. However, if Plant B experiences the
loss of one pump, it does not cause a scram. Plant A is required to do a cause
determination to determine if it involves an MPFF. If it does, the failure that
caused the loss of the function that caused the unit to scram must be tracked. Plant
B may elect to do a cause determination but it is not required because a plant scram
did not occur. In addition, if Plant B experiences a second failure of the same type
several weeks later and the unit does not scram, it is not a repetitive failure.
Neither failure on Plant B has to be addressed under the maintenance rule because
(1) the failure that occurred did not cause a loss of the function (i.e., total loss of
cooling water that causes a scram) that scoped it within the maintenance rule and
(2) the plant-level performance criteria (i.e., unplanned reactor scrams per 7000
hours critical) was not affected.
Overall plant level performance criteria are broad based and are supported by many
SSCs that could be either safety or nonsafety-related. Since equipment
performance is a major contributor to meeting plant level performance criteria, it
can be useful in determining maintenance program effectiveness.
Plant level performance criteria should include the following:13
• Unplanned reactor scrams per 7000 hours critical;
• Unplanned safety system actuations; or
• Unplanned capability loss factor
Other performance criteria may include indicators similar to those recognized by
the NRC, industry organizations, or established by the utility to monitor SSCs that
cannot be practically monitored by plant-level performance criteria.
Each utility should evaluate its own situation when determining the quantitative
value for its individual plant level performance criteria. The determination of the
quantitative value will be influenced by different factors, including such things as
design, operating history, age of the plant, and previous plant performance.
Specific risk significant SSC performance criteria should consider plant-specific
performance and, where practical, industrywide operating experience. Performance
criteria for risk significant SSCs should be established to assure that reliability and
availability assumptions used in the plant-specific PRA, IPE, IPEEE, or other risk
determining analysis are maintained or adjusted when determined necessary by the
utility.
When establishing performance criteria for non-risk significant standby systems,
surveillance and actual system demands should be reviewed. Failures resulting
from surveillances and valid system actuations should be evaluated in accordance
with Section 9.4.4.
13 The terms that follow are defined in Appendix B.
9.3.3 Evaluating SSCs Against Risk Significant and
Performance Criteria
After establishing SSCs that are within the scope of the Maintenance Rule and
establishing the risk significant and performance criteria, the next step is to
evaluate the SSCs against the criteria. There are two phases in this evaluation.
In the first phase, SSCs are evaluated against the risk criteria (Section 9.3.1) to
determine those SSCs that are risk significant. For those SSCs that are risk
significant, the associated SSC specific performance criteria is established (Section
9.3.2). For those SSCs that are not risk significant but are standby systems, the
SSC specific performance criteria is established (Section 9.3.2). For the remaining
SSCs, the overall plant performance criteria applies.
The second phase is to evaluate the specific SSCs against the established
performance criteria using historical plant data, and industry data where
applicable, to determine if the SSCs met the performance criteria. The historical
data used to determine the performance of SSCs consists of that data for a period of
at least two fuel cycles or 36 months, whichever is less. If the SSC does not meet
the established performance criteria, a cause determination is performed (Section
9.4.4) to determine if the unacceptable performance was maintenance preventable
(Section 9.4.5). If the unacceptable performance was not maintenance preventable,
the SSC is placed in (a)(2) and addressed in the preventive maintenance program.
If the corrective action has resolved the issue, the SSC is placed in (a)(2). If it is
determined that an acceptable trend in performance is not demonstrated or the
corrective action has not corrected the problem (Section 9.4.5), the SSC is placed in
(a)(1) and a goal is set (Section 9.3.4) for that SSC. If the trend of performance
indicates that the cause determination and corrective actions are effective,
monitoring should be continued until the goal is achieved.
If the SSC is determined to be inherently reliable, then it is not necessary to place
the SSC in (a)(1) and establish goals. As used here, an inherently reliable SSC is
one that, without preventive maintenance, has high reliability (e.g., jet shields,
raceways). The need to place an SSC under (a)(1) and establish goals may arise if
the inherently reliable SSC has experienced a failure. In such cases, the SSC
cannot be considered inherently reliable.
SSCs that provide little or no contribution to system safety function could be
allowed to run to failure (i.e., perform corrective maintenance rather than
preventive maintenance) and are addressed by (a)(2).
As of July 10, 1996, the implementation date of the Maintenance Rule, all SSCs
that are within the scope of the Maintenance Rule will have been placed in (a)(2)
and be part of the preventive maintenance program. In addition, those SSCs with
unacceptable performance will be placed in (a)(1) with goals established.
After full implementation on July 10, 1996, those SSCs that have goals established
will be monitored (Section 9.4.2) using current plant data to determine if the goal is
being met and if the SSC can be placed in (a)(2).
For new plants with no operating history, the evaluation can be performed as
follows. The utility can place appropriate SSCs under paragraph (a)(1) of the
maintenance rule, establish goals and monitor those goals until an acceptable
performance history has been determined. For SSCs not designated (a)(1), the
utility could utilize the performance history during pre-operational testing and base
SSC performance dispositioning on industry peer experience (e.g., NSSS plant of
similar design). Several determinations should be made including the following:
• Design is similar enough to establish a baseline of performance.
• Preventive maintenance programs of comparable plants are effective and the
new plant has a basis for comparison.
• Corrective action and cause determination methodology are effectively
implemented to identify and correct deficiencies.
• Operating experience is shared between the comparable and new plant.
• Process has been established at the new plant to evaluate lessons learned
from the comparable plant.
For existing plants that have been shut down for extended periods (i.e., longer than
one operating cycle), the evaluation should take into account existing equipment
operating history to the maximum extent possible. However, where such data is not
available or is out of date, the utility should use information from sources described
above for new construction.
9.3.4 Determining Whether an SSC Level Goal is Required
If any of the following conditions exist, a goal should be established at the
appropriate level (i.e., structure, system, train, or component):
• A maintenance preventable functional failure (MPFF) caused an overall plant
performance criteria to be exceeded (reference Section 9.4.5); or
• A MPFF caused a risk significant or non-risk significant SSC performance
criteria not to be met; or
• A second MPFF (same cause) occurs following the initial MPFF and
implementation of corrective action.
If the system or train level performance criteria or goal was not met as a result of a
component's MPFF, then the situation should be reviewed to determine if a goal
should be established for the component. If the cause of the component failure has
been identified and the necessary corrections made (e.g., replacement, redesign), a
goal may not be needed unless it is a repetitive MPFF.
9.4 Goal Setting and Monitoring
Goals are established to bring about the necessary improvements in performance.
When establishing goals, a utility should consider various goal setting criteria such
as existing industry indicators, industry codes and standards, failure rates, duty
cycles, and performance related data. In addition to the assumptions made in and
results of reliability approaches to maintenance, the assumptions in or results of
IPEs/PRAs should also be considered when establishing goals. In addition,
analytical techniques (e.g., system unavailability modeling) may be considered for
developing goals. When selecting a goal, the data should be collected over a
sufficient length of time to minimize the effects of a random event.
Monitoring should consist of periodically gathering, trending, and evaluating
information pertinent to the performance, and/or availability of the SSCs and
comparing the results with the established goals and performance criteria to verify
that the goals are being met. Results of monitoring (including (a)(1) and (a)(2)
activities) should be analyzed in a timely manner to assure that appropriate action is
taken.
Regulations and utility commitments (e.g., Emergency Diesel Generator docketed
reliability targets in response to the Station Blackout Rule, 10 CFR 50.63) provide a
baseline for testing and surveillance activities of some SSCs under the scope of the
Maintenance Rule. Additional testing and surveillance activities could be necessary
if SSC performance is unacceptable. The Maintenance Rule results could also
provide the basis for reduced testing and surveillance. The basis for technical
specification, licensing commitments, and other regulation may be appropriately
used for goal setting. Typical examples of such regulations or licensee
commitments include:
1. Surveillance test and inspections performed in accordance with Section XI of the
ASME code as required by 10 CFR 50.55a.
2. Reactor pressure vessel material surveillance tests conducted in accordance with
Appendix H of 10 CFR Part 50.
3. Containment leakage tests performed in accordance with Appendix J of 10 CFR Part 50.
4. Component surveillance or testing required by plant technical specifications.
5. Fire protection equipment tested and maintained in accordance with Appendix R
of 10 CFR Part 50.
6. Tests and inspections performed in response to NRC bulletins, generic letters, or
information notices.
9.4.1 Goal Setting
Goals can be set at the structure, system, train, or component level, and for
aggregates of these where appropriate. In some cases the utility may elect to
establish thresholds which would provide indication of improved performance
toward the ultimate goal. A quantitative value for a goal or threshold may be
established on the basis of judgment resulting from an appropriately documented
review of performance criteria (see Section 9.3.1). When setting a goal the utility
should take into account, where practical, industry-wide operating experience.
9.4.1.1 System Level
For those SSCs requiring goal setting, it is expected that many goals will be
established at the system level. Where system level goals are to be established,
system availability could be used as the monitored parameter. Unavailability times
for systems that support (e.g., service water, HVAC, etc.) many systems can be
accounted for by charging the time to the support system that has failed and not the
individual systems. Conversely, the unavailability times could be charged to both
the support system (i.e., service water) and the supported system (i.e., diesel
generator). The important factor is to ensure that the cause determination and
corrective action are effective and properly respond to correcting the problem
regardless of how the unavailability times are counted. A consistent approach is
needed so that the performance criteria can be monitored and tracked. Due to
plant-specific redundancy and diversity, an SSC failure does not necessarily cause a
loss of safety function but could result in system or train performance that is
unacceptable.
9.4.1.2 Train Level
Risk significant systems and standby systems that have redundant trains should
have goals established for the individual trains. The goal could be based on the
availability desired or assumed in the PRA analysis. Train level goals provide a
method to address degraded performance of a single train even though the system
function is still available. The train level goal should be set consistent with PRA or
other methods of risk determination assumptions. Other alternative goal setting
could consider the possibility of the best performing train to be unavailable and the
safety function reliability potentially reduced.
9.4.1.3 Component Level
When component level goals are determined to be necessary, they should be
established based upon the component's contribution to a system not meeting its
performance criteria or a system level goal. Candidates for component goals could
include classes of components with unacceptable performance, components which
have caused trips or are directly associated with the causes of challenges to safety
systems, and those components which have failed causing the performance level or
a goal at the system or train level to be missed. Careful review and analysis should
be performed prior to establishing component goals to ensure that the number of
component goals is manageable and not overly complex.
9.4.1.4 Structure Level
It is expected that most structures will be addressed as required by (a)(2) of the
Maintenance Rule. The condition of all structures within the scope of the rule
should be assessed periodically; the appropriate frequency of the assessments would
be commensurate with the safety significance of the structure and its condition.
Licensees should evaluate the results of these assessments to determine the extent
and rate of any degradation, and deficiencies should be corrected in a timely
manner commensurate with their safety significance, their complexity, and other
regulatory requirements. In those cases where it is determined that a structure
must have a goal established, the goal could be based on, for example, limits for
cracking, corrosion, erosion, settlement, deflection, or other condition criteria.
A structure should be monitored in accordance with Paragraph (a)(1) if degradation
is to the extent that the structure may not meet its design basis, or if the structure
has degraded to the extent that, if the degradation were allowed to continue
uncorrected until the next normally-scheduled assessment, the structure may not
meet its design basis.
9.4.2 Monitoring
Monitoring will be performed to determine if maintenance results in acceptable
performance.
If the plant specific safety analysis (i.e., FSAR) or PRA used to address a regulatory
issue (e.g., IPEs) takes credit for any existing components in the system/train, then
those components supporting that function should be monitored under the
maintenance rule. If credit is not taken, they could be considered installed spare
components which do not require monitoring under the maintenance rule.
Monitoring SSCs against specific established goals should be conducted in a manner
that provides a means of recognizing performance trends. Where functional failures
result in the inability to meet performance criteria and could result in the loss of an
intended maintenance rule function, monitoring should be predictive, when
appropriate, in order to provide timely warning. Monitoring should also provide a
means for determining the effectiveness of previous corrective actions.
Monitoring should appropriately consider the following factors:
• Existing plant specific or industry performance monitoring such as technical
specification surveillances, O&M Code, plant daily tours, ISI/IST and Appendix
J test programs, inspections and tests;
• Establishing a practical monitoring process (i.e., should not require extensive
analytical modeling or excessive data collection) that is capable of detecting
changes in SSC performance; and
• Establishing a baseline to which the goals are monitored.
The monitoring frequency to meet established goals can vary, but may be initially
established as that currently required by existing surveillance requirements or
other surveillance type monitoring currently being performed. Frequency of
monitoring is also dependent upon the goal established and the availability of plant-specific or industry data. It may be either time directed, or based on performance.
The frequency of monitoring should be adjusted, if necessary, to allow for early
detection and timely correction of negative trends.
Data could be collected from existing sources (e.g., surveillances, Appendix J
requirements, ISI/IST, work order tracking) that are relevant to the goal being
monitored. The type and quality of the data being collected and trended is very
important in that it will ultimately determine if goals are being met. The analysis
and evaluation of the collected data should be timely so that, where necessary,
corrective action can be taken.
9.4.2.1 Monitoring System Level Goals
The object of monitoring at the system level is to evaluate the performance of the
system against established goals to proceed from the present status of not meeting
a performance criteria toward a level of acceptable performance. Some examples of
parameters monitored at the system level include availability, reliability, and
failure rate. Systems should be monitored utilizing existing surveillance procedures
provided that the data collected using these procedures addresses the specific
system goal(s).
9.4.2.2 Monitoring Train Level Goals
Monitoring train level performance against established goals should consist of
gathering availability or failure data and evaluating the results. The review and
analysis of this data will provide a basis on where improvements are needed and
also confirm when corrective actions have been effective. Individual train
performance should be compared to each other or against the average train
performance.
9.4.2.3 Monitoring Component Level Goals
Should it be determined that a component requires goal setting, component
monitoring could include performance characteristic data (e.g., flow, pressure, pump
head, temperatures, vibration, current, hysteresis) that can be used to determine
performance of the component. Monitoring could also be done using non-destructive
examination analysis (e.g., oil or grease, vibration, ultrasonic, infrared,
thermographic, eddy current, acoustics, and electric continuity). Information could
include surveillance test results that the utility already performs or industry failure
rate data.
9.4.2.4 Monitoring Structure Level Goals
Should it be determined that a structure requires goal setting, that goal should be
monitored to assure that the goal is being or will be met. Such structures might
include the reactor containment, foundations for important components such as
turbines, pumps and heat exchangers, as well as structures whose degradation or
failure could significantly compromise the function of other SSCs covered by the
Maintenance Rule. Examples of monitoring include non-destructive examination,
visual inspection, vibration, deflection, thickness, corrosion, or other monitoring
methods as appropriate.
9.4.3 Dispositioning of SSCs from (a)(1) to (a)(2)
A goal may be determined to have been met, and monitoring of SSC performance
against specific goals may be discontinued if any of the following criteria are
satisfied:
• Performance is acceptable for three surveillance periods where the surveillance
periodicity is equal to or less than a six month interval;
• Performance is acceptable for two successive surveillances where the
surveillance periodicity is greater than six months but no greater than two fuel
cycles; or
• An approved and documented technical assessment assures the cause is known
and corrected and thus monitoring against goals is unnecessary.
If any of these conditions are met, the SSC may be returned to the provisions of
(a)(2).
9.4.4 Unacceptable Performance or Failure Cause Determination
and Dispositioning SSCs from (a)(2) to (a)(1)
A cause determination of appropriate depth will be required for the following
conditions:
• A goal not being met;
• A performance criteria not being met.
The results of the cause determination may identify that establishing a goal is
required for the following two conditions:
• A functional failure of a risk significant SSC, even if the goal or performance
criteria is met; or
• A repetitive MPFF of any SSC within the scope of the Maintenance Rule, even if
the goal or performance criteria is met.
During initial implementation of the Maintenance Rule, repetitive failures that
have occurred in the previous two operating and refueling cycles should be
considered. After the initial rule implementation, utilities should establish an
appropriate review cycle for repetitive MPFFs (e.g., during the periodic review,
during the next maintenance or test of the same function, or in accordance with
Section 9.4.3).
The cause determination should identify the cause of the failure or unacceptable
performance, and whether the failure was a MPFF (Section 9.4.5). It should
identify any corrective action to preclude recurrence, and make a determination as
to whether or not the SSC requires (a)(1) goal setting and monitoring
(Section 9.3.4).
There are numerous techniques available to the utility industry that could be used
to determine if the failure is a MPFF. In some cases this determination is a simple
assessment of an obvious cause. In other cases the determination may require a
rigorous and formal root cause analysis in accordance with a methodology that
exists in the industry. Any of these would be satisfactory provided they result in
identification and correction of the problem.
Cause determination and corrective action should reinforce achieving the
performance criteria or goals that are monitored, and may also determine whether
the performance criteria or goal itself should be modified. A decision as to whether
SSCs should have performance or goals monitored should be made. The
determination to allow failure may be an acceptable one. For example, a decision to
replace a failed component that provides little or no contribution to safety function
rather than performance of a preventive maintenance activity may reduce exposure,
contamination, and cost without impacting safety (see Section 10.2). Once the
cause determination and corrective actions have been completed, the performance
should continue to be monitored and periodically evaluated until the performance
criteria or goal is achieved.
The cause determination should address failure significance, the circumstances
surrounding the failure, the characteristics of the failure, and whether the failure is
isolated or has generic or common cause implications (refer to NUREG/CR 4780,
"Procedures for Treating Common Cause Failures in Safety and Reliability
Studies," EPRI NP 5613). The circumstances surrounding the failure may indicate
that the SSC failed because of adverse operating conditions (e.g., operating a valve
dry, over-pressurization of system) or failure of another component which caused
the SSC failure. The results of cause determination should be documented for
failures of SSCs under the scope of the Maintenance Rule (Section 13).
9.4.5 Maintenance Preventable Functional Failures (MPFFs)
A maintenance preventable functional failure[14] is an unintended event or condition
such that a SSC within the scope of the rule is not capable of performing its
intended function and that should have been prevented by the performance of
appropriate maintenance actions by the utility. Under certain conditions, a SSC
may be considered to be incapable of performing its intended function if it is out of
specified adjustment or not within specified tolerances.
The cause determination should establish whether the failure was a MPFF. It will
be necessary to then determine if a goal should be established on any SSC which
experiences a MPFF (Section 9.3.4). If the SSC failure was not a MPFF, then the
utility should continue to perform the appropriate maintenance on the SSC.
If a utility determines that a modification is not cost effective and decides not to
make a change then any subsequent failure may not be a maintenance preventable
functional failure. The decision to not make a design change/modification would
include an evaluation of the consequences of future failures and consideration of
whether run-to-failure or degraded performance (i.e., performs corrective
maintenance rather than preventive maintenance) is an acceptable condition
(NUMARC 93-01, Section 9.3.3). Additional preventive maintenance or inspection
activities may be necessary to compensate for the deficient design. If the utility
augments the preventive maintenance program to compensate for a design
deficiency, the activity is within the scope of the maintenance rule and future
failures could be MPFFs. Then a maintenance preventable functional failure would
occur if the utility did not maintain the SSC in the original state (i.e., design
condition).
[14] See Appendix B for definitions of initial and repetitive MPFFs.
EXAMPLES OF MPFFs
NOTE: "FUNCTIONAL" HAS BEEN ADDED TO PROVIDE EMPHASIS
ON ASSURING SAFETY FUNCTIONAL PERFORMANCE (INCLUDING
FAILURES THAT CAUSE SCRAMS) RATHER THAN ADDRESSING A
DEFICIENCY THAT DOES NOT AFFECT A SAFETY FUNCTION
• FAILURES DUE TO THE IMPLEMENTATION OF INCORRECT
MAINTENANCE PROCEDURES.
• FAILURES DUE TO INCORRECT IMPLEMENTATION OF CORRECT
MAINTENANCE PROCEDURES.
• FAILURES DUE TO INCORRECT IMPLEMENTATION OF
MAINTENANCE PERFORMED WITHOUT PROCEDURES
CONSIDERED WITHIN THE SKILL OF THE CRAFT.
• FAILURES OF THE SAME KIND OCCURRING AT A UTILITY THAT
HAVE OCCURRED IN INDUSTRY AS DEFINED BY INDUSTRY-WIDE OPERATING EXPERIENCE THAT COULD HAVE BEEN
PRECLUDED BY AN APPROPRIATE AND TIMELY MAINTENANCE
ACTIVITY.
• FAILURES THAT OCCUR DUE TO THE FAILURE TO PERFORM
MAINTENANCE ACTIVITIES THAT ARE NORMAL AND
APPROPRIATE TO THE EQUIPMENT FUNCTION AND
IMPORTANCE. EXAMPLES INCLUDE FAILURE TO LUBRICATE
WITH THE APPROPRIATE MATERIALS AT APPROPRIATE
FREQUENCIES, FAILURE TO ROTATE EQUIPMENT THAT IS IN A
STANDBY MODE FOR LONG PERIODS.
EXAMPLES THAT ARE NOT MPFFs
• INITIAL FAILURES DUE TO ORIGINAL EQUIPMENT
MANUFACTURER (OEM) DESIGN AND MANUFACTURING
INADEQUACIES INCLUDING INITIAL ELECTRONIC PIECE PART
EARLY FAILURES.
• INITIAL FAILURES DUE TO DESIGN INADEQUACIES IN
SELECTING OR APPLYING COMMERCIAL OR "OFF THE SHELF"
DESIGNED EQUIPMENT.
• INITIAL FAILURES DUE TO INHERENT MATERIAL DEFECTS.
• FAILURES DUE TO OPERATIONAL ERRORS NOT ASSOCIATED
WITH MAINTENANCE AND EXTERNAL OR INITIATING EVENTS.
• IF THE FAILURE THAT CAUSED AN MPFF RECURS DURING
POST MAINTENANCE TESTING BUT BEFORE RETURNING THE
SSCs TO SERVICE, IT COULD BE INDICATIVE OF
UNACCEPTABLE CORRECTIVE ACTIONS BUT IS NOT
CONSIDERED AN ADDITIONAL MPFF.
• INTENTIONALLY RUN TO FAILURE (SECTION 9.3.3).
10.0 SSCs SUBJECT TO EFFECTIVE PREVENTIVE MAINTENANCE
PROGRAMS
10.1 Reference
Monitoring as specified in paragraph (a)(1) of this section is not required where it
has been demonstrated that the performance or condition of a structure, system, or
component is being effectively controlled through the performance of appropriate
preventive maintenance, such that the structure, system, or component remains
capable of performing its intended function.
10.2 Guidance
The methodology for implementing the Maintenance Rule by demonstrating
maintenance program effectiveness or inherent reliability in lieu of SSC goal setting
is shown on the Industry Guideline Implementation Logic Diagram (Figure 1).
Although goals are set and monitored as part of (a)(1), the preventive maintenance
(PM) and performance monitoring activities are part of (a)(2) and apply to all SSCs
that are within the scope of the Maintenance Rule. SSCs that are within the scope
of (a)(2) could be included in the formal PM program, be inherently reliable (e.g.,
visual inspection during walkdowns to meet licensee requirements that already
exist), or be allowed to run to failure (provide little or no contribution to system
safety function).
An effective preventive maintenance program is one which will achieve the desired
results of minimizing component failures and increasing or maintaining SSC
performance. The individual maintenance program elements (training, procedures,
cause determination, etc.) are focused and directed toward achieving effective
maintenance through appropriate use of resources.
If it cannot be demonstrated that the performance of a SSC is being effectively
controlled through a PM program, then it is necessary to establish a goal and
monitor the SSC's performance against the goal.
If the SSC is determined to be inherently reliable, then it is not necessary to place
the SSC in (a)(1) and establish a goal. As used here, an inherently reliable SSC is
one that, without preventive maintenance, has high reliability (Section 9.3.3).
SSCs that provide little or no contribution to system safety function could
be allowed to run to failure (i.e., perform corrective maintenance rather than
preventive maintenance) and are addressed by (a)(2).
10.2.1 Performance of Applicable Preventive Maintenance Activities
Several methods are available to the industry for determining applicable and
effective preventive maintenance activities to ensure satisfactory performance of
SSCs. It is not the intention of this guideline to identify these programmatic
methods of determining applicable maintenance activities. Sound preventive
maintenance activities include, but are not limited to, the following elements:
• Periodic maintenance, inspection, and testing;
• Predictive maintenance, inspection, and testing;
• Trending of appropriate failures.
10.2.1.1 Periodic Maintenance, Inspection, and Testing
Periodic maintenance, inspection, and testing activities are accomplished on a
routine basis (typically based on operating hours or calendar time) and include
activities such as external inspections, alignments or calibrations, internal
inspections, overhauls, and component or equipment replacement. Lubrication,
filter changes, and teardown are some examples of activities included in periodic
maintenance.
10.2.1.2 Predictive Maintenance, Inspection, and Testing
Predictive maintenance activities, including performance monitoring, are generally
non-intrusive and can normally be performed with the equipment operating.
Vibration analysis (includes spectral analysis), bearing temperature monitoring,
lube oil analysis (ferrography), infrared surveys (thermography), and motor voltage
and current checks are some examples of activities included in predictive
maintenance. The data obtained from predictive maintenance activities are used to
trend and monitor equipment performance so that planned maintenance can be
performed prior to equipment failure.
10.2.1.3 Performance Trending
Performance should be trended against established performance criteria so that
adverse trends can be identified. When adverse trends are identified, appropriate
corrective action should be promptly initiated. The utility's historical data, when
combined with industry operating experience, operating logs and records, and
station performance monitoring data, can be useful in analyzing trends and failures
in equipment performance and making adjustments to the preventive maintenance
program.
10.2.2 Ongoing Maintenance Effectiveness Evaluation
Ensuring satisfactory performance of risk significant and standby SSCs requires an
ongoing assessment against the utility's performance criteria (Section 9.3.3). The
results of this assessment should provide for feedback and adjustment of
maintenance activities such that MPFFs are addressed. MPFFs that are repetitive
or risk significant must be investigated and the cause determined (Section 9.4.4).
When performance is determined to require improvement, the utility should
implement the appropriate corrective actions in a timely manner.
The objective of monitoring plant level performance criteria is to focus attention on
the aggregate performance of many of the operating SSCs covered by the scope of
the Maintenance Rule that are not individually risk significant.
There are no individual SSC performance criteria included in the plant level
performance criteria. The SSCs that support plant level performance criteria are
included in the preventive maintenance program covered under (a)(2) of the
Maintenance Rule. A failure of an individual SSC may not result in unacceptable
performance and may not affect a plant level performance criteria. The utility may
elect to establish a goal for the SSC that failed. If plant level performance criteria
were not met because of a MPFF, then the SSC should be considered for disposition
to (a)(1). See Sections 9.3.3 and 9.4 for elements to be considered.
This section is not intended to exclude a periodic review of preventive maintenance
activities in addition to the ongoing review to monitor maintenance effectiveness.
10.2.3 Monitoring the Condition of Structures
Structures can be monitored using performance criteria under (a)(2) (or goals under
(a)(1)) of the maintenance rule. These performance criteria (or goals) can be
established to monitor either performance or condition. For example, certain
structures such as the primary containment can be monitored through the
performance of established testing requirements such as those contained in 10 CFR 50, Appendix J. Other structures such as reactor buildings, auxiliary buildings, and
cooling towers, may be more amenable to condition monitoring similar to that
performed as part of the inservice inspection (ISI) activities required by the ASME
codes. Other condition monitoring activities could include such activities as
monitoring of corrosion, settlement, roof leakage, concrete cracking, etc. Monitoring
of structures should be given the same priority as mechanical and electrical systems
and components.
Utilities should establish performance criteria and goals under the maintenance
rule which take credit for, and if necessary build upon, the existing monitoring
activities.
Monitoring of structures, like systems and components, should be predictive in
nature and provide early warning of degradation. The baseline condition of plant
structures should be established to facilitate condition monitoring activities.
Although not required by regulations, NUREG 1522, “Assessment of Safety-Related
Structures in Nuclear Power Plants,” provides additional information on the subject.
11.0 ASSESSMENT OF RISK RESULTING FROM PERFORMANCE OF
MAINTENANCE ACTIVITIES
11.1 Reference
Before performing maintenance activities (including but not limited to surveillance,
post-maintenance testing, and corrective and preventive maintenance), the licensee
shall assess and manage the increase in risk that may result from the proposed
maintenance activities. The scope of the assessment may be limited to those
structures, systems, and components that a risk-informed evaluation process has
shown to be significant to public health and safety.
11.2 Background
Maintenance activities must be performed to provide the level of plant equipment
reliability necessary for safety, and should be carefully managed to achieve a
balance between the benefits and potential impacts on safety, reliability and
availability.
The benefits of well managed maintenance conducted during power operations
include increased system and unit availability, reduction of equipment and system
deficiencies that could impact operations, more focused attention during periods
when fewer activities are competing for specialized resources, and reduction of work
scope during outages. In addition, many maintenance activities may be performed
during power operation with a smaller net risk impact than during outage
conditions, particularly for systems whose performance is most important during
shutdown, or for which greater functional redundancy is available during power
operations.
11.3 Guidance
This section provides guidance for the development of an approach to assess and
manage the risk impact expected to result from performance of maintenance
activities. Assessing the risk means using a risk-informed process to evaluate the
overall contribution to risk of the planned maintenance activities. Managing the
risk means providing plant personnel with proper awareness of the risk, and taking
actions as appropriate to control the risk.
The assessment is required for maintenance activities performed during power
operations or during shutdown. Performance of maintenance during power
operations should be planned and scheduled to properly control out-of-service time
of systems or equipment. Planning and scheduling of maintenance activities during
shutdown should consider their impact on performance of key shutdown safety
functions.
11.3.1 Assessment Process, Control, and Responsibilities
The process for conducting the assessment and using the result of the assessment in
plant decisionmaking should be proceduralized. The procedures should denote
responsibilities for conduct and use of the assessment, and should specify the plant
functional organizations and personnel involved, including, as appropriate,
operations, engineering, and risk assessment (PSA) personnel. The procedures
should denote responsibilities and process for conducting the assessment for cases
when the plant configuration is not covered by the normal assessment tool.
11.3.2 General Guidance for the Assessment - Power Operations and
Shutdown
1. Power Operating conditions are defined as plant modes other than hot
shutdown, cold shutdown, refueling, or defueled. Section 11.3.3 describes the
scope of SSCs subject to the assessment during power operations. Section 11.3.5
describes the scope of SSCs subject to the assessment during shutdown.
2. The assessment method may use quantitative approaches, qualitative
approaches, or blended methods. In general, the assessment should consider:
• Technical specifications requirements
• The degree of redundancy available for performance of the safety function(s)
served by the out-of-service SSC
• The duration of the out-of-service or testing condition
• The likelihood of an initiating event or accident that would require the
performance of the affected safety function.
• The likelihood that the maintenance activity will significantly increase the
frequency of a risk-significant initiating event (e.g., by an order of magnitude
or more as determined by each licensee, consistent with its obligation to
manage maintenance-related risk).
• Component and system dependencies that are affected.
• Significant performance issues for the in-service redundant SSCs
3. The assessment may also consider the following factors, if desired:
• the risk impact of performing the maintenance during shutdown with respect
to performing the maintenance at power.
• the impact of transition risk if the maintenance activity would require a
shutdown that would otherwise not be necessary
4. The assessments may be predetermined or performed on an as-needed basis.
5. The degree of depth and rigor used in assessing and managing risk should be
commensurate with the complexity of the planned configuration.
6. Performance of maintenance may involve alterations to the facility or procedures
for the duration of the maintenance activity. Examples of these alterations
include jumpering terminals, lifting leads, placing temporary lead shielding on
pipes and equipment, removal of barriers, and use of temporary blocks,
bypasses, scaffolding and supports. The assessment should include
consideration of the impact of these alterations on plant safety functions.
[Note: If, during power operation conditions, the temporary alteration
associated with maintenance is expected to be in effect for greater than 90 days,
the temporary alteration should be screened, and if necessary, evaluated under
10 CFR 50.59 prior to implementation.]
7. The assessment may take into account whether the out-of-service SSCs could be
promptly restored to service if the need arose due to emergent conditions. This
would apply to surveillance testing, or to the situation where the maintenance
activity has been planned in such a manner to allow for prompt restoration. In
these cases, the assessment may consider the time necessary for restoration of
the SSC’s function, with respect to the time at which performance of the function
would be needed. [Note the definition of “unavailability” in Appendix B applies
to monitoring of SSC unavailability to comply with other paragraphs of the
maintenance rule, and is not intended for direct applicability to the
configuration assessment.]
8. Emergent conditions may result in the need for action prior to conduct of the
assessment, or could change the conditions of a previously performed
assessment. Examples include plant configuration or mode changes, additional
SSCs out of service due to failures, or significant changes in external conditions
(weather, offsite power availability). The following guidance applies to this
situation:
• The safety assessment should be performed (or re-evaluated) to address the
changed plant conditions on a reasonable schedule commensurate with the
safety significance of the condition. Based on the results of the assessment,
ongoing or planned maintenance activities may need to be suspended or
rescheduled, and SSCs may need to be returned to service.
• Performance (or re-evaluation) of the assessment should not interfere with,
or delay, the operator and/or maintenance crew from taking timely actions to
restore the equipment to service or take compensatory actions.
• If the plant configuration is restored prior to conducting or re-evaluating the
assessment, the assessment need not be conducted, or re-evaluated if already
performed.
11.3.3 Scope of Assessment for Power Operating Conditions
10 CFR 50.65(a)(4) states “The scope of the Systems, Structures and Components
(SSCs) to be addressed by the assessment may be limited to those SSCs that a risk-informed evaluation process has shown to be significant to public health and
safety”. Thus, the scope of SSCs subject to the (a)(4) assessment provision may not
include all SSCs that meet sections (b)(1) and (b)(2) maintenance rule scoping
criteria.
The probabilistic safety assessment (PSA) provides an appropriate mechanism to
define the assessment scope, as the PSA scope is developed with consideration of
dependencies and support systems, and, through definition of top events, cutsets,
and recovery actions, includes those SSCs that could, in combination with other
SSCs, result in significant risk impacts. Thus, the (a)(4) assessment scope may be
limited to the following scope of SSCs:
1. Those SSCs included in the scope of the plant’s level one, internal events PSA,
and;
2. SSCs in addition to the above that have been determined to be high safety
significant (risk significant) through the process described in Section 9.3 of this
document.
The PSA used to define the (a)(4) assessment scope should have the following
characteristics:
• The PSA should reasonably (see footnote 15) reflect the as-built plant, and the plant operating
practices.
• The PSA should include both front-line/support system dependencies and
support system/support system dependencies, to the extent that these inter-system dependencies would have a significant effect on the key plant safety
functions. The licensee should evaluate whether these dependencies are
adequately modeled in the PSA. PSA peer review information may be used to
facilitate this evaluation. If the modeling of inter-system dependencies is
determined to be inadequate, the licensee should either revise the PSA to
address the inter-system dependencies, or add the SSCs to the (a)(4) assessment
scope.
• A PSA is typically modeled at the component level, whereas the concern of the
(a)(4) assessments is the safety function of a system that the component
supports. Thus the phrase “SSCs modeled in the PSA” should be interpreted as
identifying the systems, trains, or portions of systems/trains whose functions are
necessary to mitigate initiating events included in the high level logic structure
of the PSA model, rather than the individual components. Appendix E provides
information on PSA attributes, and further detail on methods to evaluate the
PSA with regard to its use in defining the (a)(4) scope.
• SSCs within the plant PSA scope may be evaluated and determined to have low
safety significance regardless of plant configuration. These SSCs need not be
included in the scope of the (a)(4) assessments. The expert panel may be used to
facilitate these determinations.
• If the plant PSA includes level two considerations (containment performance,
release frequency), the scope of the (a)(4) assessment may optionally include the
scope of the level two PSA. Otherwise, inclusion within the assessment scope of
SSCs important to containment performance may be covered by inclusion of high
safety significant SSCs as discussed in item 2 above. Section 9.3.1 of this
document discusses the importance of containment performance as a
consideration in identifying risk significant (high safety significant) SSCs.
15 Reasonably means that a difference between the as-built plant and its description in the PSA is
such that a difference could realistically result in the incorrect assessment or management of
maintenance-related risk.
• The scope of hazard groups to be considered for assessment during power
operating conditions includes internal events, internal floods, and internal fires;
licensees need not consider other hazard groups, except as noted in Section
11.3.4.2.
11.3.3.1 Scope of Assessment for Fire Risk
In addressing the scoping associated with fire risk for power operating conditions,
the following guidance is provided:
Maintenance activities can impact fire risk. In particular, the following activities
could have risk impacts:
1. Performance of maintenance activities with potential to cause a fire (e.g.,
welding, use of cutting and grinding tools, transient combustibles, etc.)
2. Removal of fire detection or suppression equipment from service
3. Removal or impairment of fire barriers (e.g., opening of fire doors to
facilitate maintenance, removal of protective barriers on cable trays or
conduit, etc.)
4. Removal of equipment important to core damage mitigation from service
Each plant is required to maintain a fire protection program, pursuant to 10 CFR 50.48 or Part 50, Appendix R. The programs, as implemented through NRC
guidance documents, directly address the risk management aspects of items 1
through 3 above, and no additional action is warranted under §50.65(a)(4) for these
items. Concerning item 4, the discussion below concerns the scope of the assessment
for fire risk.
The identification of important equipment for mitigating core damage resulting
from fire initiating events can come from one of two sources:
First, each plant is required by 10 CFR 50.48 or Appendix R to identify one
train of safe shutdown capability free of fire damage, such that the plant can
be safely shut down in the event of a fire. The magnitude of the fire is based
on analysis of combustible loadings in the areas of concern. Some plants
maintain this requirement through adequate separation between redundant
trains of safe shutdown equipment, such that a single fire could not render
both trains incapable of performing their safe shutdown function. Other
plants, lacking adequate train separation, need to protect one train of
equipment through fire barriers. While fire protection regulations require
compensatory measures for the temporary removal of these barriers, they do
not address the removal from service of the protected equipment for
maintenance activities.
Second, each plant has also performed either a screening analysis (e.g., Fire
Induced Vulnerability Evaluation, or FIVE), or a fire PRA, to examine fire
risks relative to the Individual Plant Examination for External Events
(IPEEE). These analyses may identify additional equipment (beyond the safe
shutdown path discussed above) that is useful for mitigating the risk of a fire,
or may identify alternative safe shutdown pathways. There are some plants
that have fire PRAs (or integrated PRAs) such that fire risk can be quantified
and addressed in the same manner as internal events risk. In many cases,
however, the analyses performed for the IPEEE and fire PRAs may not
provide quantitative fire risk information that can be directly compared to
the internal events PRA model on a quantitative basis. Thus, it is
recommended that those plants use their fire risk analyses qualitatively,
rather than quantitatively, in assessing and managing risk for §50.65(a)(4);
further, it is notable that the qualitative approach is fully acceptable
regardless of the state of a plant’s fire risk analyses.
Guidance: Each plant should use the above-selected source of information
to identify equipment within the existing (a)(4) scope that is found to have
appreciable impact on core damage mitigation for fire initiators. This
scope of equipment will be a subset of the overall (a)(4) scope, and the fire
risk implications need only be considered for equipment falling in this
specific scope.
Since safe shutdown is oriented to assuring adequate core cooling, it is generally
likely that equipment important to internal events core damage mitigation may also
be important for fire risk.
Some fire scenarios have no success paths available. Examples may include some
main control room (MCR) fires or severe fires in electrical equipment rooms. For
these scenarios, there are essentially no impacts of removing equipment from
service. These fire scenarios are almost always risk significant, but are generally
not impacted by on-line maintenance. It is recommended that these scenarios be
screened from further consideration.
11.3.4 Assessment Methods for Power Operating Conditions
Removal from service of a single structure, system, train or component, is
adequately covered by existing Technical Specifications requirements, including the
treatment of dependent components. Thus, the assessment for removal from
service of a single SSC for the planned amount of time (e.g., the Technical
Specifications allowed out-of-service time, or a commensurate time considering
unavailability performance criteria for a non-Technical Specification high safety
significant SSC), may be limited to the consideration of unusual external conditions
that are present or imminent (e.g., severe weather, offsite power instability).
Simultaneous removal from service of multiple SSCs requires that an assessment
be performed using quantitative, qualitative, or blended (quantitative and
qualitative) methods. Sections 11.3.4.1 and 11.3.4.2 provide guidance regarding
quantitative and qualitative considerations, respectively.
11.3.4.1 Quantitative Considerations
1. The assessment process may be performed by a tool or method that considers
quantitative insights from the PSA. This can take the form of using the PSA
model, or using a safety monitor, matrix, or pre-analyzed list derived from the
PSA insights. In order to properly support the conduct of the assessment, the
PSA must have certain attributes, and it must reasonably reflect the plant
configuration. Appendix E provides information on PSA attributes. Section
11.3.7.2 provides guidance on various approaches for using the output of a
quantitative assessment to manage risk.
2. If the PSA is modeled at a level that does not directly reflect the SSC to be
removed from service (e.g., the RPS system, diesel generator, etc. have each been
modeled as a “single component” in the PSA), the assessment should include
consideration of the impact of the out of service SSC on the safety function of the
modeled component. SSCs are considered to support the safety function if the
SSC is significant to the success path for function of the train or system (e.g.,
primary pump, or valve in primary flowpath). However, if the SSC removed
from service does not contribute significantly to the train or system safety
function (e.g., indicator light, alarm, drain valve), the SSC would not be
considered to support the safety function.
11.3.4.2 Qualitative Considerations
1. The assessment may be performed by a qualitative approach, by addressing the
impact of the maintenance activity upon key safety functions, as follows:
• Identify key safety functions affected by the SSC planned for removal from
service.
• Consider the degree to which removing the SSC from service will impact the
key safety functions.
• Consider degree of redundancy, duration of out-of-service condition, and
appropriate compensatory measures, contingencies, or protective actions that
could be taken if appropriate for the activity under consideration.
2. For power operation, key plant safety functions are those that ensure the
integrity of the reactor coolant pressure boundary, ensure the capability to shut
down and maintain the reactor in a safe shutdown condition, and ensure the
capability to prevent or mitigate the consequences of accidents that could result
in potentially significant offsite exposures.
Examples of these power operation key safety functions are:
• Containment Integrity (Containment Isolation, Containment Pressure
and Temperature Control);
• Reactivity Control;
• Reactor Coolant Heat Removal; and
• Reactor Coolant Inventory Control.
3. The key safety functions are achieved by using systems or combinations of
systems. The configuration assessment should consider whether the
maintenance activity would:
• Have a significant impact on the performance of a key safety function,
considering the remaining degree of redundancy for trains or systems
supporting the key safety function, and considering the likelihood of an
initiating event
• Involve a significant potential to cause a scram or safety system actuation
• Result in significant complications to recovery efforts.
4. The assessment should consider plant systems supporting the affected key
safety functions, and trains supporting these plant systems.
5. Qualitative considerations may also be necessary to address external events, and
SSCs not in the scope of the level one, internal events PSA (e.g., included in the
assessment scope because of expert panel considerations).
6. The assessment may need to include consideration of actions which could affect
the ability of the containment to perform its function as a fission product barrier.
With regard to containment performance, the assessment should consider:
• Whether new containment bypass conditions are created, or the probability of
containment bypass conditions is increased;
• Whether new containment penetration failures that can lead to loss of
containment isolation are created; and
• If maintenance is performed on SSCs of the containment heat removal
system (or SSCs upon which this function is dependent), whether redundant
containment heat removal trains should be available.
7. External event considerations involve the potential impacts of weather or other
external conditions relative to the proposed maintenance evolution. For the
purposes of the assessment, weather, external flooding, and other external
impacts need to be considered if such conditions are imminent or have a high
probability of occurring during the planned out-of-service duration. An example
where these considerations are appropriate would be the long-term removal of
exterior doors, hazard barriers, or floor plugs.
8. Internal flooding considerations (from internal or external sources) should be
addressed if pertinent. The assessment should consider the potential for
maintenance activities to cause internal flood hazards, and, for maintenance
activities to expose SSCs to flood hazards in a manner that degrades their
capability to perform key safety functions.
11.3.4.3 Fire Risk Assessment Considerations
In addressing the assessment of fire risk for power operating conditions, the
following guidance is provided:
With regard to item 4 from Section 11.3.3.1, removal of mitigation equipment from
service, the §50.65(a)(4) program should include consideration of these risks with
respect to fire, as they are not covered by existing fire protection regulations and
can have a risk impact.
General Guidance: The plant personnel responsible for activities relative
to fire protection and §50.65(a)(4) should communicate and maintain
awareness of their respective risk management actions such that an
integrated perspective of these activities is maintained. (See further
discussion on risk management actions in Section 11.3.7.5).
Guidance: Include consideration of the implications of fire risks when
removing equipment from service that is known from existing plant
specific evaluations to have appreciable impact on mitigation of core
damage due to fire initiators. This is generally a qualitative evaluation,
but quantitative approaches may be optionally used by plants that are
capable of such evaluations (see Section 11.3.7.3 for further discussion of
limitations on use of quantitative techniques).
Guidance: For plants that meet §50.48/Appendix R by protecting one train
of safe shutdown equipment through fire barriers, the overall risk
significance (internal events and fire) may be greater for the protected
train than for the redundant, non protected train of the same system, and
the licensee should consider this.
Maintenance activities on the protected train should consider this greater risk, and
appropriate risk assessment and management actions should be taken.
11.3.5 Scope of Assessment for Shutdown Conditions
The scope of the Systems, Structures and Components (SSCs) to be addressed by
the assessment for shutdown conditions are those SSCs necessary to support the
following shutdown key safety functions (from Section 4 of NUMARC 91-06):
• Decay heat removal capability
• Inventory Control
• Power Availability
• Reactivity control
• Containment (primary/secondary)
The shutdown key safety functions are achieved by using systems or combinations
of systems. The shutdown assessment need not be performed for SSCs whose
functionality is not necessary during shutdown modes, unless these SSCs are
considered for establishment of backup success paths or compensatory measures.
11.3.6 Assessment Methods for Shutdown Conditions
NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management,
Section 4.0, provides a complete discussion of shutdown safety considerations with
respect to maintaining key shutdown safety functions, and should be considered in
developing an assessment process that meets the requirements of 10 CFR 50.65(a)(4).
Performance of the safety assessment for shutdown conditions generally involves a
qualitative assessment with regard to key safety functions, and follows the same
general process described in Section 11.3.4.2 above. (Those plants that have
performed shutdown PSAs can use these PSAs as an input to their shutdown
assessment methods.) However, some considerations differ from those associated
with the at-power assessment. These include:
1. The scope of initiators to be considered in the assessment for shutdown
conditions is limited to internal events, except as noted in item 5 below.
2. The shutdown assessment is typically focused on SSCs “available to perform a
function” versus SSCs “out of service” in the case of power operations. Due to
decreased equipment redundancies during outage conditions, the outage
planning and control process may involve consideration of contingencies and
backup methods to achieve the key safety functions, as well as measures that
can reduce both the likelihood and consequences of adverse events.
3. Assessments for shutdown maintenance activities need to take into account
plant conditions and multiple SSCs out-of-service that impact the shutdown key
safety functions. The shutdown assessment is a component of an effective
outage planning and control process.
4. Maintenance activities that do not necessarily remove the SSC from service may
still impact plant configuration and impact key safety functions. Examples
could include:
• A valve manipulation that involves the potential for a single failure to create
a draindown path affecting the inventory control key safety function
• A switchyard circuit breaker operation that involves the potential for a single
failure to affect availability of AC power.
5. External event considerations involve the potential impacts of weather or other
external conditions relative to the proposed maintenance evolution. For the
purposes of the assessment, weather, external flooding, and other external
impacts need to be considered if such conditions are imminent or have a high
probability of occurring during the planned out-of-service duration. An example
where these considerations are appropriate would be the long-term removal of
exterior doors, hazard barriers, or floor plugs.
Because of the special considerations of shutdown assessments, additional guidance
is provided below with respect to each key safety function:
11.3.6.1 Decay Heat Removal Capability
Assessments for maintenance activities affecting the DHR system should consider
that other systems and components can be used to remove decay heat depending on
a variety of factors, including the plant configuration, availability of other key
safety systems and components, and the ability of operators to diagnose and
respond properly to an event. For example, assessment of maintenance activities
that impact the decay heat removal key safety function should consider:
- initial magnitude of decay heat
- time to boiling
- time to core uncovery
- time to containment closure (PWR)
- initial RCS water inventory condition (e.g., filled, reduced, mid-loop, refueling
canal filled, reactor cavity flooded, etc.)
- RCS configurations (e.g., open/closed, nozzle dams installed or loop isolation
valves closed, steam generator manways on/off, vent paths available,
temporary covers or thimble tube plugs installed, main steam line plugs
installed, etc.)
- natural circulation capability with heat transfer to steam generator shell side
(PWR)
If the fuel is offloaded to the spent fuel pool during the refueling outage, the decay
heat removal function is shifted from the RCS to the spent fuel pool. Assessments
for maintenance activities should reflect appropriate planning and contingencies to
address loss of SFP cooling.
11.3.6.2 Inventory Control
Assessments for maintenance activities should address the potential for creating
inventory loss flowpaths. For example,
- For BWRs, maintenance activities associated with the main steam lines (e.g.,
safety/relief valve removal, automatic depressurization system testing, main
steam isolation valve maintenance, etc.) can create a drain down path for the
reactor cavity and fuel pool. This potential is significantly mitigated through
the use of main steam plugs.
to the suppression pool when DHR is aligned for shutdown cooling.
- For PWRs, assessments for maintenance activities during reduced inventory
operations are especially important. Reduced inventory operation occurs
when the water level in the reactor vessel is lower than 3 feet below the
reactor vessel flange.
- A special case of reduced inventory operation for PWRs is mid-loop operation,
which occurs when the RCS water level is below the top of the hot legs at
their junction with the reactor vessel. Similar conditions can exist when the
reactor vessel is isolated from steam generators by closed loop isolation
valves or nozzle dams with the reactor vessel head installed or prior to filling
the reactor cavity. Upon loss of DHR under these conditions, coolant boiling
and core uncovery can occur if decay heat removal is not restored or provided
by some alternate means. In addition, during mid-loop operation, DHR can
be lost by poor RCS level control or by an increase in DHR flow (either of
which can ingest air into the DHR pump).
11.3.6.3 Power Availability
Assessments should consider the impact of maintenance activities on availability of
electrical power. Electrical power is required during shutdown conditions to
maintain cooling to the reactor core and spent fuel pool, to transfer decay heat to
the heat sink, to achieve containment closure when needed, and to support other
important functions.
• Assessments for maintenance activities involving AC power sources and
distribution systems should address providing defense in depth that is
commensurate with the plant operating mode or configuration.
• Assessments for maintenance activities involving the switchyard and
transformer yard should consider the impact on offsite power availability.
• AC and DC instrumentation and control power is required to support systems
that provide key safety functions during shutdown. As such, maintenance
activities affecting power sources, inverters, or distribution systems should
consider their functionality as an important element in providing appropriate
defense in depth.
11.3.6.4 Reactivity Control
The main aspect of this key safety function involves maintaining adequate
shutdown margin in the RCS and the spent fuel pool. For PWRs, maintenance
activities involving addition of water to the RCS or the refueling water storage tank
have the potential to result in boron dilution. During periods of cold weather, RCS
temperatures can also decrease below the minimum value assumed in the shutdown
margin calculation.
11.3.6.5 Containment - Primary (PWR)/Secondary (BWR)
Maintenance activities involving the need for open containment should include
evaluation of the capability to achieve containment closure in sufficient time to
mitigate potential fission product release. This time is dependent on a number of
factors, including the decay heat level and the amount of RCS inventory available.
For BWRs, technical specifications may require secondary containment to be closed
under certain conditions, such as during fuel handling and operations with a
potential to drain the vessel.
In addition to the guidance in NUMARC 91-06, for plants which obtain license
amendments to utilize shutdown safety administrative controls in lieu of Technical
Specification requirements on primary or secondary containment operability and
ventilation system operability during fuel handling or core alterations, the following
guidelines should be included in the assessment of systems removed from service:
• During fuel handling/core alterations, ventilation system and radiation monitor
availability (as defined in NUMARC 91-06) should be assessed, with respect to
filtration and monitoring of releases from the fuel. Following shutdown,
radioactivity in the RCS decays fairly rapidly. The basis of the Technical
Specification operability amendment is the reduction in doses due to such decay.
The goal of maintaining ventilation system and radiation monitor availability is
to reduce doses even further below that provided by the natural decay, and to
avoid unmonitored releases.
• A single normal or contingency method to promptly close primary or secondary
containment penetrations should be developed. Such prompt methods need not
completely block the penetration or be capable of resisting pressure. The
purpose is to enable ventilation systems to draw the release from a postulated
fuel handling accident in the proper direction such that it can be treated and
monitored.
11.3.7 Managing Risk
The assessment provides insights regarding the risk-significance of maintenance
activities. The process for managing risk involves using the result of the assessment
in plant decisionmaking to control the overall risk impact. This is accomplished
through careful planning, scheduling, coordinating, monitoring, and adjusting of
maintenance activities.
The objective of risk management is to control the temporary and aggregate risk
increases from maintenance activities such that the plant’s average baseline risk is
maintained within a minimal range. This is accomplished by using the result of the
(a)(4) assessment to plan and schedule maintenance such that the risk increases are
limited, and to take additional actions beyond routine work controls to address
situations where the temporary risk increase is above a certain threshold. These
thresholds may be set on the basis of qualitative considerations (example –
remaining mitigation capability), quantitative considerations (example – temporary
increase in core damage frequency), or blended approaches using both qualitative
and quantitative insights.
Management of risk involves consideration of temporary risk increases, as well as
aggregate risk impacts. (Aggregate risk is the collected risk impact. Cumulative
risk is successive addition of accumulated risk impacts.) Aggregate risk impacts are
controlled to a degree through maintenance rule requirements to establish and meet
SSC performance criteria. These requirements include consideration of the risk
significance of SSCs in establishing performance goals. Plants that routinely enter
the risk management action thresholds should consider measures to assess the
aggregate risk with respect to its estimated impact on the average baseline risk.
This could be accomplished through a periodic assessment of previous out-of-service
conditions. Such an assessment may involve a quantitative computation of
cumulative risks or may involve a qualitative assessment of the risk management
approach employed and the actual temporary risk impacts observed. When
permanent changes are made to the maintenance planning and control process that
would result in increased component unavailability, the impact of these changes on
the average baseline risk should be evaluated with respect to the permanent change
guidelines discussed in NRC Regulatory Guide 1.174.
The PSA provides valuable insights for risk management, because it realistically
assesses the relationship of events and systems. Risk management can be
effectively accomplished by making use of qualitative insights from the PSA, rather
than sole reliance on quantitative information. Removing equipment from service
may alter the significance of various risk contributors from those of the baseline
PSA. Specific configurations can result in increased importance of certain initiating
events, or of systems or equipment used for mitigation of accidents. Evaluation of a
specific configuration can identify “low order” cutsets or sequences, which are
accident sequences that may not be important in the baseline analysis but become
important for a specific configuration. These considerations are important to risk
management.
The most fundamental risk management action is planning and sequencing of the
maintenance activities taking into account the insights provided by the assessment.
In conjunction with scheduling the sequence of activities, additional risk
management actions may be undertaken that have the effect of reducing the
temporary risk increase as determined by the assessment. Since many of the risk
management actions address non-quantifiable factors, it is not expected that the
risk reduction achieved by their use would necessarily be quantified. The
assessment provides the basis for consideration of their use. The following sections
discuss the establishment of thresholds for the use of risk management actions.
11.3.7.1 Establishing action thresholds based on qualitative considerations
The risk management action thresholds may be established qualitatively by
considering the performance of key safety functions, or the remaining mitigation
capability, given the out-of-service SSCs. Qualitative methods to establish risk
management actions would generally be necessary to address SSCs not modeled in
the PSA, and assessments for shutdown conditions. However, the use of qualitative
methods is not limited to these applications, and is an acceptable approach for
establishing risk management actions for (a)(4) assessments in general. This
approach typically involves consideration of the following factors from the
assessment:
• Duration of out-of-service condition, with longer duration resulting in
increased exposure time to initiating events
• The type and frequency of initiating events that are mitigated by the
out-of-service SSC, considering the sequences for which the SSC would normally
serve a safety function
• The impact, if significant, of the maintenance activity on the initiating event
frequencies
• The number of remaining success paths (redundant systems, trains, operator
actions, recovery actions) available to mitigate the initiating events
• The likelihood of proper function of the remaining success paths
The above factors can be used as the basis for establishment of a matrix or list of
configurations and attendant risk management actions.
11.3.7.2 Establishing action thresholds based on quantitative
considerations
The thresholds for risk management actions may be established quantitatively by
considering the magnitude of increase of the core damage frequency (and/or large
early release frequency) for the maintenance configuration. This is defined as the
incremental CDF, or incremental LERF.
The incremental CDF is the difference in the “configuration-specific” CDF and the
baseline (or the zero maintenance) CDF. The configuration-specific CDF is the
annualized risk rate with the unavailabilities of the out-of-service SSCs set to one.
The configuration-specific CDF may also consider the zero maintenance model (i.e.,
the unavailability of the out-of-service SSC(s) is set to one, and the maintenance
unavailability of the remaining SSCs is set to zero). This more closely reflects the
actual configuration of the plant during the maintenance activity.
Plants should consider factors of duration in setting the risk management
thresholds. This may be either the duration of a particular out-of-service condition,
or a specific defined work interval (e.g. shift, week, etc). The product of the
incremental CDF (or LERF) and duration is expressed as a probability (e.g.,
incremental core damage probability – ICDP, incremental large early release
probability – ILERP).
The EPRI PSA Applications Guide (EPRI TR-105396), section 4.2.3, includes
guidance for evaluation of temporary risk increases through consideration of the
configuration-specific CDF, as well as the ICDP and ILERP. When combined with
the other elements of the maintenance rule, and other quantitative or qualitative
measures as necessary to control cumulative risk increases, this guidance provides
one acceptable alternative for (a)(4) implementation. The guidance is as follows:
1. The configuration-specific CDF should be considered in evaluating the risk
impact of the planned maintenance configuration. Maintenance configurations
with a configuration-specific CDF in excess of 10^-3/year should be carefully
considered before voluntarily entering such conditions. If such conditions are
entered, it should be for very short periods of time and only with a clear detailed
understanding of which events cause the risk level.
2. ICDP and ILERP, for a specific planned configuration, may be considered as
follows with respect to establishing risk management actions:
ICDP                                                          ILERP
> 10^-5          - configuration should not normally be       > 10^-6
                   entered voluntarily
10^-6 - 10^-5    - assess non quantifiable factors            10^-7 - 10^-6
                 - establish risk management actions
< 10^-6          - normal work controls                       < 10^-7
Another acceptable approach would be to construct a similar table using ICDF and
ILERF, expressed as either an absolute quantity or as a relative increase from the
plant’s baseline CDF and LERF.
Due to differences in plant type and design, there is acknowledged variability in
baseline core damage frequency and large early release frequency. Further, there is
variability in containment performance that may impact the relationship between
baseline core damage frequency and baseline large early release frequency for a
given plant or class of plants. Therefore, determination of the appropriate method
or combination of methods as discussed above, and the corresponding quantitative
risk management action thresholds, are plant-unique activities.
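The quantitative screening described in Section 11.3.7.2, as an added worked example (not part of NUMARC 93-01 or of any plant procedure): it computes ICDP and ILERP as incremental frequency times duration, maps each to the action bands listed above, and keeps the more restrictive result. The function names, the 8,760-hour year, the handling of values exactly on a band edge, and any input frequencies are assumptions made for illustration; actual thresholds are plant-unique.

```python
"""Screen a planned maintenance configuration against the ICDP/ILERP bands."""
from dataclasses import dataclass
from enum import IntEnum

HOURS_PER_YEAR = 8760.0  # assumption: 365-day year for converting duration

# Band edges quoted in Section 11.3.7.2, as (lower, upper).
ICDP_BAND = (1e-6, 1e-5)
ILERP_BAND = (1e-7, 1e-6)
# Configuration-specific CDF above which entry should be carefully considered.
CONFIG_CDF_CAUTION = 1e-3  # per year


class Action(IntEnum):
    """Ordered so that max() selects the more restrictive outcome."""
    NORMAL_WORK_CONTROLS = 0
    RISK_MANAGEMENT_ACTIONS = 1
    NOT_NORMALLY_ENTERED = 2


@dataclass(frozen=True)
class Assessment:
    icdp: float
    ilerp: float
    action: Action
    config_cdf_caution: bool


def incremental_probability(config_freq, baseline_freq, duration_hours):
    """(configuration-specific frequency - baseline frequency) x duration.

    Frequencies are per year; the duration is converted from hours to years.
    A configuration frequency below the baseline gives a negative increment,
    which falls in the lowest band.
    """
    if config_freq < 0 or baseline_freq < 0 or duration_hours < 0:
        raise ValueError("frequencies and duration must be non-negative")
    return (config_freq - baseline_freq) * duration_hours / HOURS_PER_YEAR


def band_action(value, band):
    """Map an incremental probability to one of the three table rows.

    Assumption: a value exactly on a band edge is placed in the middle band.
    """
    lower, upper = band
    if value > upper:
        return Action.NOT_NORMALLY_ENTERED
    if value >= lower:
        return Action.RISK_MANAGEMENT_ACTIONS
    return Action.NORMAL_WORK_CONTROLS


def assess(config_cdf, baseline_cdf, config_lerf, baseline_lerf, duration_hours):
    """Evaluate one planned configuration over its expected duration."""
    icdp = incremental_probability(config_cdf, baseline_cdf, duration_hours)
    ilerp = incremental_probability(config_lerf, baseline_lerf, duration_hours)
    # Either metric can drive the result, so keep the more restrictive one.
    action = max(band_action(icdp, ICDP_BAND), band_action(ilerp, ILERP_BAND))
    return Assessment(
        icdp=icdp,
        ilerp=ilerp,
        action=action,
        config_cdf_caution=config_cdf > CONFIG_CDF_CAUTION,
    )


if __name__ == "__main__":
    # Constructed inputs: the same configuration held for 3 days and for 7 days.
    for hours in (72, 168):
        result = assess(1.2e-4, 2e-5, 1.0e-5, 2e-6, hours)
        print(hours, f"{result.icdp:.2e}", f"{result.ilerp:.2e}", result.action.name)
```

With the constructed inputs, extending the same configuration from 72 to 168 hours moves it from normal work controls into the risk management band, which is the duration effect the section asks plants to consider.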
11.3.7.3 Establishing Fire Risk Management Action Thresholds
Guidance: Each plant should develop a process for implementing risk
management actions related to fire risk impacts of equipment identified
above.
For determination of the threshold for risk management actions, any of the
following approaches, or a comparable approach, may be considered:
1. Establish an adjustment factor to the internal events ICDP (Section 11.3.7.2),
or
Raise the risk management action threshold by one level.
The appropriate adjustment factor can be determined by risk personnel using
insights from screening evaluations or fire PRAs performed for the IPEEE, or
fire PRAs that contain conservative modeling assumptions. This adjustment
factor should take into account the number of safe shutdown paths available.
2. Use the following table to determine the need for risk management actions
specific to fire risk when fire risk mitigation equipment is taken out of
service. As the risk from internal events is evaluated under current (a)(4)
programs, this table only addresses incremental risk from fire events and it
is not appropriate to utilize the information below to aggregate risk from fire
and internal events. This table may be used in addition to the existing
guidance in NUMARC 93-01 (i.e., this table is specific to fire risk and does
not address other contributors). Background information on the development
of this table may be found in EPRI Report 1012948, Methodology for Fire
Configuration Risk Management Final Report, December 2005.
Number of Core Damage Avoidance Success Paths Available
1 or More Success Paths Available | No Success Paths Available
Duration of Unavailability | Duration of Unavailability
<3d, 3-30d, >30d | <3d, 3-30d, >30d
Normal Controls, Risk Mgmt. | Normal Control, Risk Mgmt., Avoid Config.
3. Quantifying the fire risk and internal events risk for the purpose of
calculating the ICDP (limited applicability – see Sections 11.3.3.1 and
11.3.4.3 above).
11.3.7.4 Risk Management Actions
Determination of the appropriate actions to control risk for a maintenance activity
is specific to the particular activity, its impact on risk, and the practical means
available to control the risk. Actions, similar to the examples shown below, may be
used singularly or in combinations. Other actions may be taken that are not listed
in the examples.
Normal work controls would be employed for configurations having nominal risk
significance. This means that the normal plant work control processes are followed
for the maintenance activity, and that no additional actions to address risk
management actions are necessary.
Risk management actions should be considered for configurations that result in
a minimal increase from the plant’s baseline risk. As discussed previously, the
benefits of these actions are generally not quantifiable. These actions are aimed at
providing increased risk awareness of appropriate plant personnel, providing more
rigorous planning and control of the activity, and taking measures to control the
duration of the increased risk, and the magnitude of the increased risk. Examples
of risk management actions are as follows:
1. Actions to provide increased risk awareness and control:
• Discuss planned maintenance activity with operating shift and obtain operator
awareness and approval of planned evolution.
• Conduct pre-job briefing of maintenance personnel, emphasizing risk aspects of
planned maintenance evolution.
• Request the system engineer to be present for the maintenance activity, or for
applicable portions of the activity.
• Obtain plant management approval of the proposed activity.
2. Actions to reduce duration of maintenance activity:
• Pre-stage parts and materials.
• Walk-down tagout and maintenance activity prior to conducting
maintenance.
• Conduct training on mockups to familiarize maintenance personnel with the
activity.
• Perform maintenance around the clock.
• Establish contingency plan to restore out-of-service equipment rapidly if needed.
3. Actions to minimize magnitude of risk increase:
• Minimize other work in areas that could affect initiators [e.g., RPS
equipment areas, switchyard, D/G rooms, switchgear rooms] to decrease the
frequency of initiating events that are mitigated by the safety function served
by the out-of-service SSC
• Minimize other work in areas that could affect other redundant systems
[e.g., HPCI/RCIC rooms, auxiliary feedwater pump rooms], such that there is
enhanced likelihood of the availability of the safety functions at issue served
by the SSCs in those areas.
• Establish alternate success paths for performance of the safety function of
the out-of-service SSC (note: equipment used to establish these alternate
success paths need not necessarily be within the overall scope of the
maintenance rule).
• Establish other compensatory measures.
4. A final action threshold should be established such that risk significant
configurations are not normally entered voluntarily.
11.3.7.5 Fire Risk Management Actions
If the evaluation described in Section 11.3.7.3 indicates risk management
actions are appropriate, the following actions should be considered:
1. Primary action: Coordinate activities within the plant that could involve
increased fire risk with those maintenance activities involving removal
from service of mitigation equipment important for fire risk. This
involves coordination of fire protection personnel with maintenance rule
(a)(4) personnel. Based on this coordination, evaluate appropriate risk
management actions as discussed in Section 11.3.7.4.
2. Additional risk management actions specific to fire could include:
• Re-scheduling activities that involve increased fire likelihood in fire
areas where the out of service core damage mitigation equipment
would be relied upon in the event of a fire
• Increased fire watches in fire areas where the out of service core
damage mitigation equipment would be relied upon in the event of a
fire
• Confirm the availability of an alternate success path for safe shutdown
should it be needed. These could include alternative success paths
excluded from design basis evaluations (e.g., Bleed & Feed Cooling
(PWRs), Containment Venting (BWRs))
11.3.8 Regulatory Treatment of Compensatory Measures
Use of compensatory measures is discussed in several sections of this guideline.
These measures may be employed, either prior to or during maintenance activities,
to mitigate risk impacts. The following guidance discusses the applicability of 10 CFR 50.65 (a)(4) and 10 CFR 50.59 to the establishment of compensatory measures.
There are two circumstances of interest:
1. The compensatory measure is established to address a degraded or
nonconforming condition, and will be in effect for a time period prior to conduct
of maintenance to restore the SSC’s condition. Per NRC Generic Letter 91-18,
Revision 1 (and NEI 96-07, Revision 1), the compensatory measure should be
reviewed under 10 CFR 50.59. Since the compensatory measure is in effect prior
to performance of the maintenance activity, no assessment is required under 10 CFR 50.65 (a)(4).
2. The compensatory measure is established as a risk management action to reduce
the risk impact during a planned maintenance activity. The 50.65 (a)(4)
assessment should be performed to support the conduct of the corrective
maintenance, and those compensatory measures that will be in effect during
performance of the maintenance activity. The compensatory measures would be
expected to reduce the overall risk of the maintenance activity; however, the
impact of the measures on plant safety functions should be considered as part of
the (a)(4) evaluation. Since the compensatory measures are associated with
maintenance activities, no review is required under 10 CFR 50.59, unless the
measures are expected to be in effect during power operation for greater than 90
days.
11.3.9 Documentation
The following are guidelines for documentation of the safety assessment:
1. The purpose of this paragraph of the maintenance rule is to assess impacts
on plant risk or key safety functions due to maintenance activities. This
purpose should be effected through establishment of plant procedures that
address process, responsibilities, and decision approach. It may also be
appropriate to include a reference to the appropriate procedures that govern
planning and scheduling of maintenance or outage activities. The process
itself should be documented.
2. The normal work control process suffices as a record that the assessment was
performed. It is not necessary to document the basis of each assessment for
removal of equipment from service as long as the process is followed.
12.0 PERIODIC MAINTENANCE EFFECTIVENESS ASSESSMENTS
12.1 Reference
Performance and condition monitoring activities and associated goals and
preventive maintenance activities shall be evaluated at least every refueling cycle
provided that the interval between evaluations does not exceed 24 months. The
evaluation shall take into account, where practical, industry-wide operating
experience. Adjustment shall be made where necessary to ensure that the objective
of preventing failures of structures, systems, and components through maintenance
is appropriately balanced against the objective of minimizing unavailability of
structures, systems, and components due to monitoring or preventive maintenance.
12.2 Guidance
Periodic assessments shall be performed to establish the effectiveness of
maintenance actions. These assessments shall take into account, where practical,
industrywide operating experience. The assessment consists of several activities to
assure an effective maintenance program and to identify necessary adjustments
that should be made to the program. The periodic assessments, cause
determination, monitoring, and other activities associated with the Maintenance
Rule provide an opportunity to feedback lessons learned into the process. The
following describes some of the activities that should be performed.
12.2.1 Review of Goals (a)(1)
On a periodic basis goals established under (a)(1) of the Maintenance Rule shall be
reviewed. The review should include an evaluation of the performance of the
applicable SSCs against their respective goals and should also evaluate each goal
for its continued applicability. To redisposition SSCs from (a)(1) to (a)(2), see
Section 9.4.3.
12.2.2 Review of SSC Performance (a)(2)
On a periodic basis, SSC performance related to plant level criteria should be
assessed to determine maintenance effectiveness. The assessment should
determine if performance is acceptable. If performance is not acceptable, the cause
should be determined and corrective action implemented.
For SSCs that are being monitored under (a)(2), the periodic assessment should
include a review of the performance against the established criteria. To
redisposition SSCs from (a)(2) to (a)(1), see Section 9.4.4.
Where appropriate, industrywide operating experience should be reviewed to
identify potential problems that are applicable to the plant. Applicable industry
problems should be evaluated and compared with the existing maintenance and
monitoring activities. Where appropriate, adjustments should be made to the
existing programs.
12.2.3 Review of Effectiveness of Corrective Actions
As part of the periodic review, corrective actions taken as a result of ongoing
maintenance activities or goal setting should be evaluated to ensure action was
initiated when appropriate and the action(s) taken resulted in improved
performance of the SSC. Corrective actions that should be reviewed include the
following:
• Actions to ensure that SSC performance meets goals established by
requirements of (a)(1);
• Actions taken as a result of cause determination as required in Section 9.3.3 or
10.2.2; and
• Status of problem resolution, if any, identified during the previous periodic
assessment.
12.2.4 Optimizing Availability and Reliability for SSCs
For risk significant SSCs adjustments shall be made, where necessary, to
maintenance activities to ensure that the objective of preventing failures is
appropriately balanced against the objective of assuring acceptable SSC
availability. For operating non-risk significant SSCs, it is acceptable to measure
SSC performance against overall plant performance criteria and for standby
systems to measure performance against specific criteria.
The intent is to optimize availability and reliability of the safety functions by
properly managing the occurrence of SSCs being out of service for preventive
maintenance activities. This optimization could be achieved by any of the following:
• Ensuring that appropriate preventive maintenance is performed to meet
availability objectives as stated in plant risk analysis, FSAR, or other reliability
approaches to maintenance;
• Allocating preventive maintenance to applicable tasks commensurate with
anticipated performance improvement (e.g., pump vibration analysis instead of
teardown);
• Reviewing to determine that availability of SSCs has been acceptable;
• Focusing maintenance resources on preventing those failure modes that affect a
safety function; or
• Scheduling, as necessary, the amount, type, or frequency of preventive
maintenance to appropriately limit the time out of service.
The emergency diesel generator can be used as an example of optimizing reliability
and availability (a)(3), and as an example of transitioning between the rule
requirements specified in (a)(1) and (a)(2), as follows:
If the Emergency Diesel Generator failed to meet its established performance
criteria (Section 9.3.3), a cause determination would be made as described in
Section 9.4.4 of this guideline. Examples of performance criteria may include the
target reliability value (i.e., 0.95 or 0.975) at a level established in a utility's
documented commitment from the Station Blackout Rule (SBO) and unavailability
that, if adopted as a performance criterion, would not alter the conclusions reached
in the utility IPE/PRA.
If a need for goal setting as described in Section 9.4 is indicated, an appropriate
goal should be established and monitored as indicated in (a)(1) until such time as
the goal(s) are achieved and monitoring can be resumed under (a)(2) as described in
Section 9.4.3. Monitoring under (a)(1) could be achieved by use of exceedance
trigger values as described in Appendix D of NUMARC 87-00, Revision 1, dated
August 1991, Guidelines and Technical Bases for NUMARC Initiatives Addressing
Station Blackout at Light Water Reactors, excluding those values indicated under
paragraph D.2.4.4 (Problem EDG).
The periodic assessment can be performed more frequently than the refueling cycle
(e.g., on an annual basis).
The periodic assessment does not have to be performed at any specific time during
the refueling cycle as long as it is performed at least one time during the refueling
cycle, and the interval between assessments does not exceed 24 months. This would
allow utilities at multiple unit sites to perform the assessment at the same time
even though the refueling cycles for the units are staggered.
The requirements for performing the periodic assessment can be satisfied through
the use of ongoing assessments combined with a higher level summary assessment
performed at least once per refueling cycle not to exceed 24 months between
evaluations.
The periodic assessment is intended to evaluate the effectiveness of (a)(1) and (a)(2)
activities including goals that have been established, monitoring of those
established goals, cause determinations and corrective actions, and the
effectiveness of preventive maintenance (including performance criteria). The
periodic assessment may, at the utility's option, include the balancing of availability
and reliability, effectiveness of the process for removal of equipment from service,
and any other maintenance rule elements that would demonstrate the effectiveness
of maintenance.
13.0 DOCUMENTATION
13.1 General
Documentation developed for implementation of this guideline is not subject to the
utility quality assurance program unless the documentation used has been
previously defined as within the scope of the quality assurance program. This
documentation should be available for internal and external review but is not
required to be submitted to the NRC.
13.2 Documentation of SSC Selection Process
The SSCs that are identified for consideration under the provisions of the
Maintenance Rule and the criteria for inclusion shall be documented. SSC listings,
functional descriptions, Piping and Instrument Diagrams (P&IDs), flow diagrams,
or other appropriate documents should be used for this purpose.
13.2.1 Maintenance Rule Scoping
The following items from the initial scoping effort should be documented:
• SSCs in scope and their function;
• Performance criteria;
• The SSCs placed in (a)(1) and the basis for placement, the goals established, and
the basis for the goals; and
• The SSCs placed in (a)(2) and the basis for (a)(2) placement.
Periodically, as a result of design changes, modifications to the plant occur that may
affect the maintenance program. These changes should be reviewed to assure the
maintenance program is appropriately adjusted in areas such as risk significance,
goal setting, and performance monitoring.
13.3 Documentation of (a)(1) Activities
Performance against established goals and cause determination results should be
documented. Changes to goals including those instances when goals have been
effective and the performance of the SSC has been improved to the point where the
SSC can be moved to (a)(2) should be documented. Monitoring and trending
activities and actions taken as a result of these activities should also be
documented.
13.4 Documentation of (a)(2) Activities
Activities associated with the preventive maintenance program should be
documented consistent with appropriate utility administrative procedures. For
example, results of repairs, tests, inspections, or other maintenance activities
should be documented in accordance with plant specific procedures. The results of
cause determination for repetitive or other SSC failures that are the result of
MPFFs should be documented. Documentation of SSCs subject to ASME O&M
Code testing should be maintained. Evaluation of performance against plant level
performance criteria (Section 12.2.2) shall be documented. Adverse trends will be
identified and those SSCs affecting the trend will be investigated and, where
appropriate, corrective action taken.
13.5 Documentation of Periodic Assessment
The periodic assessment described above should be documented. Appropriate
details or summaries of results should be available on the following topics.
• The results of monitoring activities for SSCs considered under (a)(1). The
documentation should include the results of goals that were met;
• Evaluation of performance criteria or goals that were not met, along with the
cause determinations and associated corrective actions taken;
• Corrective actions for (a)(1) and (a)(2) that were not effective;
• A summary of SSCs redispositioned from (a)(2) to (a)(1), and the basis;
• A summary of SSCs redispositioned from (a)(1) to (a)(2), and the basis;
• Identify changes to maintenance activities that result in improving the
relationship of availability and preventive maintenance.
APPENDIX A
THE NRC MAINTENANCE RULE
2. A new § 50.65 is added to read as follows: (Modified July 19, 1999)
§ 50.65 Requirements for monitoring the effectiveness of maintenance at nuclear
power plants.
The requirements of this section are applicable during all conditions of plant
operation, including normal shutdown conditions.
(a)(1) Each holder of an operating license under §§ 50.21(b) or 50.22 shall monitor
the performance or condition of structures, systems, or components, against
licensee-established goals, in a manner sufficient to provide reasonable assurance
that such structures, systems, and components, as defined in paragraph (b), are
capable of fulfilling their intended functions. Such goals shall be established
commensurate with safety and, where practical, take into account industrywide
operating experience. When the performance or condition of a structure, system or
component does not meet established goals, appropriate corrective action shall be
taken.
(2) Monitoring as specified in paragraph (a)(1) of this section is not required where
it has been demonstrated that the performance or condition of a structure, system,
or component is being effectively controlled through the performance of appropriate
preventive maintenance, such that the structure, system, or component remains
capable of performing its intended function.
(3) Performance and condition monitoring activities and associated goals and
preventive maintenance activities shall be evaluated at least every refueling cycle
provided the interval between evaluations does not exceed 24 months. The
evaluation shall take into account, where practical, industrywide operating
experience. Adjustments shall be made where necessary to ensure that the
objective of preventing failures of structures, systems, and components through
maintenance is appropriately balanced against the objective of minimizing
unavailability of structures, systems, and components due to monitoring or
preventive maintenance.
(4) Before performing maintenance activities (including but not limited to
surveillance, post-maintenance testing, and corrective and preventive maintenance),
the licensee shall assess and manage the increase in risk that may result from the
proposed maintenance activities. The scope of the assessment may be limited to those
structures, systems, and components that a risk-informed evaluation process has
shown to be significant to public health and safety.
(b) The scope of the monitoring program specified in paragraph (a)(1) of this section
shall include safety-related and nonsafety related structures, systems, and
components, as follows:
(1) Safety-related structures, systems, or components that are relied upon to remain
functional during and following design basis events to ensure the integrity of the
reactor coolant pressure boundary, the capability to shut down the reactor and
maintain it in a safe shutdown condition, and the capability to prevent or mitigate
the consequences of accidents that could result in potential offsite exposure
comparable to the 10 CFR part 100 guidelines.
(2) Nonsafety related structures, systems, or components:
(i) That are relied upon to mitigate accidents or transients or are used in plant
emergency operating procedures (EOPs); or
(ii) Whose failure could prevent safety-related structures, systems, and components
from fulfilling their safety-related function; or
(iii) Whose failure could cause a reactor scram or actuation of a safety-related
system.
APPENDIX B
MAINTENANCE GUIDELINE DEFINITIONS
Availability:
The time that a SSC is capable of performing its intended function as a fraction of
the total time that the intended function may be demanded. The numerical
complement of unavailability.
Cut Sets:
Accident sequence failure combinations.
Function:
As used in this guideline the scoped function is that attribute (e.g., safety related,
mitigates accidents, causes a scram, etc.) that included the SSC within the scope of
the maintenance rule. For example, some units scope the condenser vacuum
system under the maintenance rule because its total failure caused a scram and not
the design function of pulling a vacuum on the condenser.
Industrywide Operating Experience (including NRC and vendor):
Information included in NRC, industry, and vendor equipment information that are
applicable and available to the nuclear industry with the intent of minimizing
adverse plant conditions or situations through shared experiences.
Maintenance:
The aggregate of those functions required to preserve or restore safety, reliability,
and availability of plant structures, systems, and components. Maintenance
includes not only activities traditionally associated with identifying and correcting
actual or potential degraded conditions, i.e., repair, surveillance, diagnostic
examinations, and preventive measures; but extends to all supporting functions for
the conduct of these activities. (Source: Federal Register Vol. 53, No. 56,
Wednesday, March 23, 1988, Rules and Regulations/ Page 9340).
Maintenance, Preventive:
Predictive, periodic, and planned maintenance actions taken prior to SSC failure to
maintain the SSC within design operating conditions by controlling degradation or
failure.
Maintenance Preventable Functional Failure (MPFF) - Initial and Repetitive:
An MPFF is the failure of an SSC (structure, system, train, or component) within
the scope of the Maintenance Rule to perform its intended function (i.e., the
function performed by the SSC that required its inclusion within the scope of the
rule), where the cause of the failure of the SSC is attributable to a maintenance-related activity. The maintenance-related activity is intended in the broad sense of
maintenance as defined above.
The loss of function can be either direct, i.e., the SSC that performs the function
fails to perform its intended function or indirect, i.e., the SSC fails to perform its
intended function as a result of the failure of another SSC (either safety related or
nonsafety related).
An initial MPFF is the first occurrence for a particular SSC for which the failure
results in a loss of function that is attributable to a maintenance related cause. An
initial MPFF is a failure that would have been avoided by a maintenance activity
that has not been otherwise evaluated as an acceptable result (i.e., allowed to run to
failure due to an acceptable risk).
A "repetitive" MPFF is the subsequent loss of function (as defined above) that is
attributable to the same maintenance related cause that has previously occurred
(e.g., an MOV fails to close because a spring pack was installed improperly -- the
next time this MOV fails to close because the spring pack is installed improperly:
the MPFF is repetitive and the previous corrective action did not preclude
recurrence). A second or subsequent loss of function that results from a different
maintenance related cause is not considered a repetitive MPFF (e.g., an MOV
initially fails to close because a spring pack was installed improperly -- the next
time it fails to close, its failure to close is because a set screw was improperly
installed: the MPFF is not repetitive).
During initial implementation of the Maintenance Rule, repetitive failures that
have occurred in the previous two operating and refueling cycles should be
considered. After the initial rule implementation, utilities should establish an
appropriate review cycle for repetitive MPFFs (i.e., during the periodic review,
during the next maintenance or test of the same function, or in accordance with
Section 9.4.3).
Monitoring Performance:
Continuous or periodic tests, inspections, measurement or trending of the
performance or physical characteristics of an SSC to indicate current or future
performance and the potential for failure. Monitoring is frequently conducted on a
non-intrusive basis. Examples of preventive maintenance actions may include
operator rounds, engineering walkdowns, and management inspections.
Operating System:
An operating system is one that is required to perform its intended function
continuously to sustain power operation or shutdown conditions.
The system function may be achieved through the use of redundant trains (i.e. two
redundant independent trains each with a motor driven pump capable of delivering
100% capacity to each train). In this case, either train using either pump will be
capable of performing the system function.
Normal operation would be with one train operating and one train in standby (not
operating). The train in standby (not operating) would normally be capable of
starting and providing the system function if the train that was in operation failed.
In this case, if the function of the operating train is lost, and the standby (non-operating) train starts and maintains the system function with no perturbation of
plant operation, then there is no loss of system function. The performance criteria
for this type of system should include both the operational and standby (not
operating) performance characteristics as applicable.
In the case where a system with redundant trains has a diverse system (i.e. a steam
driven pump and piping, valves, etc.) that will perform the same function, it is
possible to lose both trains of the redundant system and still maintain system
function with the diverse system. Performance criteria should be established for
the diverse system based on its individual performance taking into account its
diverse method of performing the required function, its unique configuration and
any other functions that it performs as related to the Maintenance Rule.
Performance:
Performance when used in the context for criteria and monitoring would include
availability and reliability and/or condition as appropriate. To the maximum extent
possible both availability and reliability should be used since that provides the
maximum assurance that performance is being monitored. There are instances
(i.e., reactor coolant system, electrical load centers, certain standby equipment, etc.)
where availability does not provide a meaningful measure of performance and
should not be captured. The condition of structures is more appropriate to monitor
than the reliability or availability. The monitoring of individual components (e.g.,
unacceptable performance) when setting goals may include the monitoring of
condition. Condition typically includes vibration, flow, temperature and other
similar parameters.
Reliability:
A measure of the expectation (assuming that the SSC is available) that the SSC will
perform its function upon demand at any future instant in time. The monitoring of
performance and any resulting MPFFs is an indicator of reliability.
Risk:
Risk encompasses what can happen (scenario), its likelihood (probability), and its
level of damage (consequences).
Risk Significant SSCs:
Those SSCs that are significant contributors to risk as determined by PRA/IPE or
other methods.
Standby System or Train
A standby system or train is one that is not operating and only performs its
intended function when initiated by either an automatic or manual demand signal.
Some of these systems perform a function that may be required intermittently
during power operations (e.g., a process system used to adjust or correct water
chemistry). Although not continuously operating, the system or one of its trains
must be able to actuate on a manual or automatic signal and be able to perform its
intended function as required. Since the system or train is in the standby mode, it
will most frequently be determined as operable/inoperable during operability
(surveillance) testing, although if designed to actuate automatically, it could fail on
demand. Based on experience and the reason for performing surveillance testing,
the best way to measure the performance of the standby system is based on the
results of performance on demand (both an automatic response to a valid signal and
as a result of surveillance testing). Examples of standby systems of this type would
be the hydrogen recombiner system and the containment spray system.
Other systems and their associated trains may be configured in a standby mode
during power operation but during an outage are normally operating (e.g., RHR).
Performance monitoring should consider the system function during all plant
modes.
System
A collection of equipment that is configured and operated to serve some specific
plant function(s) (e.g., provides water to the steam generators, sprays water into the
containment, injects water into the primary system), as defined by the terminology
of each utility (e.g., auxiliary feedwater system, containment spray system, high
pressure coolant injection system). The system definition should generally be
consistent with the system definition in the FSAR or PRA analysis.
Train
A collection of equipment that is configured and operated to serve some specific
plant safety function and may be a sub-set of a system. The utility can utilize the
FSAR or PRA analysis to better define the intended configuration and function(s).
Unavailability, SSC (for purposes of availability or reliability calculation):
Note: This definition of unavailability is not intended for direct applicability to the
configuration assessment required by 10 CFR 50.65(a)(4).
Unavailability is defined as follows:
Unavailability = (planned unavailable hours + unplanned unavailable hours) / (required operational hours*)
Unavailability is considered in two cases:
1) Maintenance activities
Equipment out of service (e.g. tagged out) for corrective or preventive
maintenance is considered unavailable. Support system unavailability may
be counted against either the support system, or the front line systems
served by the support system. The treatment of support system
unavailability for the maintenance rule should be consistent with its
treatment in the plant PSA. Performance criteria should be established
consistent with whichever treatment is chosen.
2) Testing
SSCs out of service for testing are considered unavailable, unless the test
configuration is automatically overridden by a valid starting signal, or the
function can be promptly restored either by an operator in the control room or
by a dedicated operator stationed locally for that purpose. Restoration
actions must be contained in a written procedure, must be uncomplicated (a
single action or a few simple actions), and must not require diagnosis or
repair. Credit for a dedicated local operator can be taken only if (s)he is
positioned at the proper location throughout the duration of the test for the
purpose of restoration of the train should a valid demand occur. The intent of
this paragraph is to allow licensees to take credit for restoration actions that
are virtually certain to be successful (i.e., probability nearly equal to 1)
during accident conditions.
* Required operational hours are the number of hours that the SSC serves a safety
function. The safety function (and the need to count required hours), may be
necessary at all times, or may be dependent on reactor mode, criticality, fuel in
the reactor vessel, or other factors. The degree of redundancy for SSCs
performing a safety function may vary based on factors as described above, and
the determination of required operational hours may take this into account.
However, determination of required operational hours should include
consideration that an SSC may be used for establishment of backup success paths
or compensatory measures. Required operational hours may include times
beyond those for which SSC operability is required by Technical Specifications.
Unavailability, Short Duration
Trains are considered to be available during periodic system or equipment
realignments to swap components or flow paths as part of normal operations.
Evolutions or surveillance tests that result in less than 15 minutes of unavailable
hours per train at a time need not be counted as unavailable hours. Licensees
should compile a list of surveillances or evolutions that meet this criterion and
have it available for inspector review. The intent is to minimize unnecessary
burden of data collection, documentation and verification because these short
durations have insignificant risk impact.
Unplanned Scrams per 7,000 Hours Critical
This indicator measures the rate of scrams per year of operation at power and
provides an indication of initiating event frequency; it is defined as the number of
unplanned scrams during the previous four quarters, both manual and automatic,
while critical per 7,000 hours. Unplanned scrams result in thermal/hydraulic
transients in plant systems.
Unplanned Capability Loss Factor:
Unplanned capability loss factor is the percentage of maximum energy generation
that a plant is not capable of supplying to the electrical grid because of unplanned
energy losses (such as unplanned shutdowns, forced outages, outage extensions or
load reductions). Energy losses are considered unplanned if they are not scheduled
at least four weeks in advance.
Unplanned Safety System Actuations
Unplanned safety system actuations include unplanned emergency core cooling
system actuations or emergency AC power system actuations due to loss of power to
a safeguards bus.
APPENDIX C
MAINTENANCE GUIDELINE ACRONYMS
CFR Code of Federal Regulation
EOP Emergency Operating Procedures
FSAR Final Safety Analysis Report
IPE Individual Plant Evaluations
ISI Inservice Inspection
IST Inservice Testing
MPFF Maintenance Preventable Functional Failures
NRC Nuclear Regulatory Commission
NUMARC Nuclear Management and Resources Council
P&ID Piping and Instrument Diagrams
PRA Probabilistic Risk Assessment
PSA Probabilistic Safety Assessment (term used interchangeably with above)
APPENDIX D
EXAMPLE OF A SYSTEM WITH BOTH SAFETY AND
NONSAFETY FUNCTIONS - CVCS
Note: This example is for illustration purposes only and is not intended to be
definitive for any given plant. Each utility should examine its own design and
operation for applicability.
The typical Chemical and Volume Control System (CVCS), shown in the attached
figure, has many functions such as: adjust the concentration of boric acid, maintain
water inventory, provide seal water to the reactor coolant pump seals, process
reactor coolant effluent for reuse, maintain proper chemistry concentration, and
provide water for high pressure safety injection. Clearly, the high pressure safety
injection function of the CVCS is encompassed by the description in (b)(1) of 10 CFR 50.65 and therefore, within the scope of the rule. Other components and functions
of the CVCS such as the regenerative heat exchanger, the letdown heat exchanger,
the mixed bed demineralizers, the volume control tank and their associated valves
and control systems which function to maintain inventory, process coolant and
maintain chemistry, do not generally have safety functions. These portions of the
CVCS do not typically meet the descriptions in (b)(1) or (2) of 10 CFR 50.65 and
would not be considered within the scope of the rule. Components within these
portions of the CVCS, however, may fit the descriptions in (b)(1) or (b)(2). Examples
of this would be the volume control tank isolation valves which close to align the
system for high pressure injection and the various valves which also serve as
containment isolation valves. Other portions of the CVCS would need to be
examined closely to determine whether they meet the descriptions in (b)(1) or (b)(2).
For example, the seal injection portion of CVCS may be within the scope if the
reactor coolant pumps are relied upon in transients or EOPs, or if the failure of seal
injection could cause a scram or actuation of a safety-related system.
APPENDIX E
PSA attributes:
The PSA used for the (a)(4) assessment is important for two aspects:
1. Determination of scope of SSCs to which the assessment applies
2. Evaluation of risk impact of the maintenance configuration (or as the basis
for the risk monitor, matrix, or other tool), if the assessment is performed
quantitatively.
The PSA model should include the following characteristics, or, if not, its
limitations for use in supporting the assessment should be compensated for by
additional qualitative evaluation. The EPRI PSA Applications Guide (EPRI TR-105396) discusses considerations regarding PSA attributes, maintenance, and use
in decisionmaking. This guidance should be considered in determining the degree
of confidence that can be placed in the use of the PSA for the assessment, and
whether additional qualitative considerations should be brought to bear:
1. The PSA should address internal initiating events.
2. The PSA should provide level one insights (contribution to core damage
frequency).
3. The PSA is not required to be expanded to quantitatively address containment
performance (level 2), external events, or conditions other than power operation.
Use of such an expanded PSA is an option.
4. The PSA should be reviewed periodically and updated as necessary to provide
reasonable representation of the current plant design.
5. The PSA should include consideration of support systems and dependencies for
SSCs that impact plant risk. NEI document 00-02, “Probabilistic Risk
Assessment Peer Review Process Guidance” includes additional information for
evaluation of the correct treatment of these attributes in a PSA.