Text

NUMARC 93-01 REVISION 4

NUCLEAR ENERGY INSTITUTE

INDUSTRY GUIDELINE FOR MONITORING THE EFFECTIVENESS OF MAINTENANCE AT NUCLEAR POWER PLANTS

December 2010 ACKNOWLEDGMENTS

This guidance document, Industry Guide line for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants , NUMARC 93-01, was developed by the NUMARC Maintenance Working Group, Ad Hoc Advisory Committees for the

Implementation of the Maintenance Rule, and an Ad Hoc Advisory Committee (AHAC) for the Verification and Validation of the Industry Maintenance Guideline.

We appreciate the direct participation of the many utilities who contributed to the

initial development of the guideline and the participation of the balance of the

industry who reviewed and submitted comments to improve the document clarity

and consistency. The dedicated and timely effort of the many AHAC participants, including their management's support of the effort, is greatly appreciated.

NUMARC also wishes to express its appreciation to the Institute of Nuclear Power

Operations (INPO), and the Electric Power Research Institute (EPRI) who devoted

considerable time and resources to the development and verification and validation

of the industry maintenance guideline.

Revision 4 of this document was developed with the assistance of the NEI

Maintenance Rule Task Force. This task force was formed in 2008 to evaluate potential changes to the guideline necessary to improve implementation of the rule

throughout the industry.

NOTICE

Neither the Nuclear Energy Institute, nor any of its employees, members, supporting organizations, contractors or consultants make any warranty, expressed

or implied, or assume any legal responsib ility for the accuracy or completeness of, or assume any liability for damages resulting from any use of, any information

apparatus, method, or process disclosed in th is report or that such may not infringe privately owned rights.

i FOREWORD

On July 10, 1991, the NRC published in the Federal Register (56 Fed. Reg. 31324)

its final Maintenance Rule entitled, "Requi rements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." In the Supplementary Information

published with the notice, the Commission stated that it, "believes that

effectiveness of maintenance must be assessed on an ongoing basis in a manner

which ensures that the desired result, reasonable assurance that key structures, systems, and components (SSCs) are capable of performing their intended function, is consistently achieved."

The importance of proper maintenance to safe and reliable nuclear plant operation

has long been recognized by the nuclear utility industry and the Nuclear Regulatory Commission (NRC). The industry, since 1982, has placed increased emphasis on

improving maintenance because of its importance in improving overall plant

performance. The industry recognizes th at good maintenance is good business and is not an option, but a necessity. Thro ughout this period, senior industry management has continued to assure the NRC of its complete commitment to the

goal of improved safety and reliability through better maintenance. This

commitment to better maintenance is reflected in the efforts of the individual

nuclear utilities, the Institute of Nuclear Power Operations (INPO), the Electric

Power Research Institute (EPRI), the Nuclear Management and Resources Council (NUMARC), the four Vendor Owners' Groups and others. This commitment has

resulted in improved maintenance facilit ies, enhanced training of maintenance personnel, increased emphasis on good maintenance work practices and use of

procedures, better technical guidance, and tracking of equipment performance. It

also includes the formation of special indu stry centers to assist with maintenance-related issues and applications (e.g., the Nuclear Maintenance Assistance Center).

The industry's efforts have resulted in significant progress in improved maintenance that is demonstrated by ma ny U.S. plants attaining world-class performance by all measurements, including industry overall performance

indicators, and NRC inspections and reports.

This industry guideline has been developed to assist the industry in implementing the final Maintenance Rule and to build on the significant progress, programs and facilities established to improve maintenance. The guideline provides a process for

deciding which of the many structures, systems, and components that make up a commercial nuclear power plant are within the scope of the Maintenance Rule. It

then describes the process of establishing plant-specific risk significant and

performance criteria to be used to decide if goals need to be established for specific

structures, systems, trains and components covered by the Maintenance Rule that FOREWORD (continued) ii do not meet their performance criteria. It should be recognized that establishing performance criteria can be interpreted as establishing goals. However, as used in

this guideline, the approach is to first establish an acceptable set of performance

criteria and monitor the structures, systems, and components against those criteria.

This is an ongoing activity. If performance criteria are not met, then goals are

established to bring about the necessary improvements in performance. It is

important to note that the word "goal" as used in this guideline is used only where performance criteria are not being met. This provides the necessary focus at all

levels within the utility where additional attention is needed.

The industry and the NRC recognize that effective maintenance provides

reasonable assurance that key structures, systems, and components are capable of

performing their intended function. The guideline provides focus on maintenance

activities and manpower use to assure the performance of safety functions by maximizing the use of proven existing in dustry and individual plant maintenance programs and minimizing the dilution of critical resources to modify maintenance programs when established performance criteria are being met.

The Nuclear Regulatory Commission issued a final rulemaking, modifying the

maintenance rule, on July 19, 1999 (64 Fed. Reg. 38551). This rulemaking

established requirements under paragraph (a)(4) for the assessment and

management of risk associated with maintenance activities, and clarified the

applicability of the maintenance rule to all modes of plant operation. NUMARC 93-

01 was substantially modified to reflect this rulemaking in Revision 3 . Revision 4 of NUMARC 93-01 provides enhanced clarity regarding scoping non-safety related

Systems, Structures and Components based on their use in Emergency Operating

Procedures, gives guidance on consideration of fire risk in (a)(4) risk assessments, and provides enhanced consistency in unavailability monitoring between the

Maintenance Rule and Reactor Oversight process by providing clarification to the

definition for monitoring of short term unavailability resulting from periodic system

or equipment realignments.

iii EXECUTIVE

SUMMARY

This Executive Summary provides a brief review of the key elements of this

guideline and describes the overall process for implementation. The Foreword to

this guideline provides a perspective on the purpose and intent of the guideline.

The Industry Guideline Implementation Logic Diagram (Figure 1) describes the process for implementing the Maintenance Rule. The numbers to the upper right of

the activity or decision on the logic diagram correspond to the section in the

guideline where the topic is discussed.

Utilities are required to identify safety-related and nonsafety-related plant

structures, systems, and components as described by (b)(1) and (b)(2) of the Maintenance Rule

1. For structures, systems, and components not within the scope of the Maintenance Rule, each utility should continue existing maintenance

programs.

As of July 10, 1996, the implementation date of the Maintenance Rule, all SSCs

that are within the scope of the Maintena nce Rule will have been placed in (a)(2) and be part of the preventive maintenance pr ogram. To be placed in (a)(2), the SSC will have been determined to have acceptable performance. In addition, those SSCs with unacceptable performance will be placed in (a)(1) 2 with goals established.

This determination is made by considering the risk significance as well as the

performance of the structures, systems, and components against plant-specific

performance criteria. Specific performance criteria are established for those

structures, systems, and components that are either risk significant or standby mode 3; the balance are monitored against the overall plant level performance criteria. The high pressure coolant injectio n system is an example of a system that is in a standby mode during normal plant operations and is expected to perform its

safety function on demand. It should be recognized that the performance of the

1 The text of the Maintenance Rule is included in this guideline as Appendix A and the methodology for selecting SSCs to be included within the scope of the rule is further described in Section 8.0 of this guideline.

2 As used in this guideline, (a)(1), (a)(2), (a)(3), (a)(4), (b)(1), or (b)(2) refer to the paragraphs included in 10 CFR 50.65.

3 Refer to the Appendix B definition and examples of standby systems and trains.

EXECUTIVE

SUMMARY

(continued) iv support systems (e.g., HVAC) may have a direct impact on the primary system's performance (e.g., availability).

The process addressing (a)(1) includes est ablishing goals for structures, systems, trains, or components that have not demonstrated acceptable performance. It

should be noted that the key parameter is performance.

Risk significant structures, systems, and components should be identified by using an Individual Plant Examination 4 , a Probabilistic Risk Assessment, critical safety functions (e.g., inventory), or other processes, provided they are systematic and

documented.

The performance of structures, systems, or components that are determined to not

meet the performance criteria established by a utility shall be subjected to goal

setting and monitoring that leads to acceptable performance. For those structures, systems, trains, or components requiring goal setting, it is expected that many goals will be set at the system level. In addition, train and component level goals should

be established (Section 9.0) when determined appropriate by the utility.

Performance of structures, systems, trains, or components against established goals

will be monitored until it is determined that the goals have been achieved and

performance can be addressed in (a)(2).

Structures, systems, and components within the scope of the Maintenance Rule

whose performance is currently determined to be acceptable will be assessed to

assure that acceptable performance is sustained (Section 10.0).

Although goals are established and monitored as part of (a)(1), the preventive

maintenance and performance monitoring activities are part of (a)(2) and apply to

the structures, systems, and components that are within the scope of the

Maintenance Rule.

Prior to performance of maintenance activities, an assessment of the risk associated

with the activity shall be performed, an d the results of this assessment used to manage the risk impact. The scope SSCs subject to the risk assessment may be limited through a risk-informed evaluation process. Risk management is

accomplished through definition of action levels and use of risk management

actions. These actions are specific to a given maintenance activity, and may vary

4 As used in this guideline the scope of IPE includes both internal and external events.

EXECUTIVE

SUMMARY

(continued) v depending on the magnitude and duration of the risk impact, the nature of the activity, and other factors. (Section 11.0).

Periodic performance assessment and monitoring will be implemented through

utility specific programs that include, as appropriate, event cause determination ,

corrective action, consideration of industry operating experience, and trending (Section 12.0).

Sufficient data and information will be collected and retained so that the

effectiveness of maintenance and monitori ng efforts can be determined (Section 13.0).

vi vii TABLE OF CONTENTS

1.0 INTRODUCTION

1

2.0 PURPOSE

AND SCOPE 1

3.0 RESPONSIBILITY

2

4.0 APPLICABILITY

3

5.0 DEFINITIONS

3

6.0 GENERAL

REQUIREMENTS 3

7.0 UTILIZATION

OF EXISTING PROGRAMS 4

8.0 METHODOLOGY

TO SELECT PLANT STRUCTURES, SYSTEMS 4 AND COMPONENTS 8.1 Reference 4

8.2 Guidance

5

8.2.1 Selection

of Plant SSCs 5 8.2.1.1 Safety-Related SSCs 6 8.2.1.2 Nonsafety-Related SSCs that Mitigate Accidents or Transients 7 8.3.1.3 Nonsafety-Related SSCs that are used in Emergency Operating Procedures 8 8.3.1.4 Nonsafety-Related SSCs Whose Failure Prevents Safety-Related SSCs from Fulfilling Their Safety-Related Functions 9 8.3.1.5 Nonsafety-Related SSCs Whose Failure Causes Scrams or Actuates Safety Systems 10 8.3.1.6 SSCs Outside the Scope of the Maintenance Rule 12

9.0 ESABLISHING

RISK AND PERFORMANCE CRITERIA/GOAL SETTING AND MONITORING 14

9.1 Reference

14

9.2 Guidance

14

9.3 Determining

the SSCs Covered by (a)(1) 15 9.3.1 Establishing Risk Significant Criteria 15 9.3.1.1 Risk Reduction Worth 18 Table of Contents (continued) viii 9.3.1.2 Core Damage Frequency Contribution 19 9.3.1.3 Risk Achievement Worth 19

9.3.2 Performance

Criteria for Evaluating SSCs 20

9.3.3 Evaluating

SSCs Against Risk Significant and Performance Criteria 24 9.3.4 Determining Whether an SSC Level Goal is Required 26 9.4 Goal Setting and Monitoring 26 9.4.1 Goal Setting 27 9.4.1.1 System Level 27 9.4.1.2 Train Level 28 9.4.1.3 Component Level 28 9.4.1.4 Structure Level 28

9.4.2 Monitoring

29 9.4.2.1 Monitoring System Level Goals 30 9.4.2.1 Monitoring Train Level Goals 30 9.4.2.1 Monitoring Component Level Goals 30 9.4.2.1 Monitoring Structure Level Goals 30

9.4.3 Dispositioning

of SSCs from (a)(1) to (a)(2) 31

9.4.4 Unacceptable

Performance or Failure Cause Determination And Dispositioning SSCs from (a)(2) to (a)(1) 31 9.4.5 Maintenance Preventable Functional Failures (MPFFs) 33

10.0 SSCs SUBJECT TO EFFECTIVE PREVENTIVE MAINTENANCE PROGRAMS 36 10.1 Reference 36 10.2 Guidance 36 10.2.1 Performance of Applicable Preventive Maintenance Activities 37

10.2.1.1 Periodic Maintenance, Inspection, and Testing 37 10.2.1.2 Predictive Maintenance, Inspection, and Testing 37 10.2.1.3 Performance Trending 38 10.2.2 Ongoing Maintenance Effectiveness Evaluation 38 10.2.3 Monitoring the Condition of Structures 38

11.0 ASSESSMENT OF RISK RESULTING FROM PERFORMANCE OF MAINTENANCE ACTIVITIES 41 11.1 Reference 41 Table of Contents (continued) ix 11.2 Background 41 11.3 Guidance 41 11.3.1 Assessment Process, Control, and Responsibilities 42 11.3.2 General Guidance for the Assessment 42 11.3.3 Scope of Assessment for Power Operating Conditions 44 11.3.4 Assessment Methods for Power Operating Conditions 46 11.3.4.1 Quantitative Considerations 46 11.3.4.2 Qualitative Considerations 46 11.3.5 Scope of Assessment for Shutdown Conditions 48 11.3.6 Assessment Methods for Shutdown Conditions 49 11.3.6.1 Decay Heat Removal Capability 50 11.3.6.2 Inventory Control 51 11.3.6.3 Power Availability 51 11.3.6.4 Reactivity Control 52 11.3.6.5 Containment - Primary (PWR)/Secondary (BWR) 52 11.3.7 Managing Risk 53 11.3.7.1 Establishing Action Thresholds - Qualitative 54 11.3.7.2 Establishing Action Thresholds - Quantitative 55 11.3.7.3 Risk Management Actions 57 11.3.8 Regulatory Treatment of Compensatory Measures 58 11.3.9 Documentation 59

12.0 PERIODIC MAINTENANCE EFFECTIVENESS ASSESSMENTS 60 12.1 Reference 60 12.2 Guidance 60 12.2.1 Review of Goals (a)(1) 60 12.2.2 Review of SSC Performance (a)(2) 60 12.2.3 Review of Effectiveness of Corrective Actions 61 12.2.4 Optimizing Availability and Reliability for SSCs 61

13.0 DOCUMENTATION 64 13.1 General 64 13.2 Documentation of SSC Selection Process 64 13.2.1 Maintenance Rule Scoping 64 13.3 Documentation of (a)(1) Activities 64 13.3 Documentation of (a)(2) Activities 65 13.4 Documentation of Periodic Assessment 65 x LIST OF ILLUSTRATIONS

Figure .................................................................................................................... Page

1. Industry Guideline Implem entation Logic Diagram ......................................... vii

1

1.0 INTRODUCTION

On July 10, 1991, the final Maintenance Rule, "Requirements for Monitoring the Effectiveness of Maintenance at Nuclea r Power Plants," was published by the Nuclear Regulatory Commission (NRC) in the Federal Register (56 Fed. Reg. 31324)

as 10 CFR 50.65. The Maintenance Rule will become effective July 10, 1996, thereby requiring full implementation by that date. The basis for proceeding to

issue the Maintenance Rule as well as expectations for its implementation is

described in the Supplementary Information that accompanied the notice. The

Commission indicated that it is important for the NRC to have a regulatory

framework in place that would provide a mechanism for evaluating the overall

continuing effectiveness of licensees ma intenance programs. The NRC's overall objective is that structures, systems, and components of nuclear power plants be

maintained so that plant equipment will perform its intended function when

required. The Maintenance Rule (see Appendix A) is characterized as a

performance-based rule providing focus on results rather than programmatic adequacy.

The Nuclear Regulatory Commission issued a final rulemaking, modifying the

maintenance rule, on July 19, 1999 (64 Fed. Reg. 38551). This rulemaking

established requirements under paragraph (a)(4) for the assessment and

management of risk associated with maintenance activities, and clarified the

applicability of the maintenance rule to all modes of plant operation.

2.0 PURPOSE

AND SCOPE

This guideline describes an acceptable approach to meet the Maintenance Rule.

However, utilities may elect other suitable methods or approaches for

implementation. This guideline does not address the many industry programs that have been put in place to upgrade maintenance and may be used when

implementing the Maintenance Rule. For example, work planning and scheduling, preventive and corrective maintenance, maintenance procedures, training, post

maintenance testing, work history, cause determination methods and other

maintenance related programs are not discussed.

The major elements of this guideline include:

Selecting the structures, systems, and components (SSCs) 5 within the scope of the Maintenance Rule;

Establishing and applying risk significant criteria;

Establishing and applying performance criteria;

Goal setting and monitoring of applicable SSCs to ensure plant and system functions are reliably maintained and to demonstrate the effectiveness of

maintenance activities;

Assessing and managing the risk resultin g from the performance of maintenance activities;

Performing the periodic assessment of performance; and

Documentation needed to support implementation of the Maintenance Rule.

This guideline provides a process for deci ding which of the many SSCs that make up a commercial nuclear power plant are included within the scope of the

Maintenance Rule. It then describes the process of establishing plant-specific risk

significant and performance criteria to be used to decide if goals need to be

established for specific SSCs covered by the Maintenance Rule. It should be

recognized that establishing performance criteria can be interpreted as establishing

goals. However, as used in this guideline, the approach is to first establish an

acceptable set of performance criteria and monitor the performance. If performance

criteria are not met, then goals are established to bring about the necessary

improvements in performance. The word "goal" as used in these guidelines is used

only where performance criteria are not being met. This provides the necessary

focus at all levels within the utility where additional attention is needed. In most

situations the goal will be identical to the performance criteria that the SSC's

historical performance does not meet. Although goals are set and monitored as part

of (a)(1), the preventive maintenance and performance monitoring activities are

part of (a)(2) and apply to SSCs that are within the scope of the Maintenance Rule.

3.0 RESPONSIBILITY

5 As used in this guideline, SSCs can mean "structures, systems, and components," or "structures, systems, or components," depending on use. Where the guideline discusses the need to establish goals and monitoring, SSCs will include, as applicable, "structures, systems, trains, and/or components."

Each utility will implement a plant-specific program to meet the intent of the

Maintenance Rule. The purpose of this guideline is to assist in developing and

implementing plant-specific programs. This guideline provides flexibility for

individual utility implementation.

4.0 APPLICABILITY

This guideline is applicable to utilities holding an operating license issued in

accordance with 10 CFR 50.21(b) and 50.22

Periodically, as a result of design changes, modifications to the plant occur that may affect the maintenance program. These ch anges should be reviewed to assure the maintenance program is appropriately adjust ed in areas such as risk significance, goal setting, and performance monitoring.

5.0 DEFINITIONS

The definitions in Appendix B of this guideline are provided to promote consistent

interpretation of the Maintenance Rule. The terms are defined to the extent

possible in accordance with existing industry usage.

6.0 GENERAL

REQUIREMENTS

The Maintenance Rule issued on July 10, 1991, requires that licensees:

"...shall monitor the performance or condition of structures, systems, or components, against

licensee-established goals, in a manner sufficient to provide reasonable assurance

that such structures, systems, and components, as defined in paragraph (b), are

capable of fulfilling their intended functions. Such goals shall be established

commensurate with safety and, where prac tical, take into account industry-wide operating experience. When the performance or condition of a structure, system, or

component does not meet established goals, appropriate corrective action shall be

taken.

(2)Monitoring as specified in paragraph (a)(1) of this section is not required where it has been demonstrated that the performance or condition of a structure, system, or

component is being effectively controlled through the performance of appropriate

preventive maintenance, such that the structure, system, or component remains capable of performing its intended function.

(3)Performance and condition monitoring activities and associated goals and

preventive maintenance activities shall be evaluated at least every refueling cycle

provided the interval between evaluations does not exceed 24 months. The

evaluation shall be conducted, taking in to account, where practical, industry-wide operating experience. Adjustments shall be made where necessary to ensure that the objective of preventing failures of st ructures, systems, and components through maintenance is appropriately balanced against the objective of minimizing

unavailability of structures, systems, and components due to monitoring or

preventive maintenance. In performing monitoring and preventive maintenance activities, an assessment of the total plant equipment that is out of service should

be taken into account to determine the ov erall effect on performance of safety functions."

7.0 UTILIZATION

OF EXISTING PROGRAMS

Utilities can utilize their existing progra m results to support the demonstration that SSC performance is being effectively controlled through preventive

maintenance. If performance monitoring indicates that SSC performance is

unacceptable, then the cause determination (Section 9.4.4) performed when SSC

performance is unacceptable should correct any equipment or program deficiency.

Goals (including corrective action) set to monitor the effectiveness of changes in preventive maintenance programs should include the results of the affected program(s) where appropriate.

This guideline is intended to maximize the use of existing industry programs, studies, initiatives and data bases.

8.0 METHODOLOGY

TO SELECT PLANT STRUCTURES, SYSTEMS, AND COMPONENTS

8.1 Reference

10 CFR 50.65

(b)The scope of the monitoring program spec ified in paragraph (a)(1) of this section shall include safety-related and nonsafety related structures, systems, and

components, as follows:

(1)Safety-related structures, systems, or components that are relied upon to remain

functional during and following design basis events to ensure the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and

maintain it in a safe shutdown condition, and the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposure

comparable to the 10 CFR part 100 guidelines.

(2)Nonsafety-related structures, systems, or components:

(i)That are relied upon to mitigate accidents or transients or are used in plant

emergency operating procedures (EOPs); or

(ii)Whose failure could prevent safety-rel ated structures, systems, and components from fulfilling their safety-related function; or

(iii)Whose failure could cause a reactor scram or actuation of a safety-related

system.

8.2 Guidance

8.2.1 Selection

of Plant SSCs

The utility must first determine which SSCs are within the scope of the

Maintenance Rule by applying the screening criteria below and as presented in

Figure 1.

For the purposes of this guideline, a system is any collection of equipment that is

configured and operated to serve some spec ific plant function (e.g., provides water to the steam generators, spray water into the containment, inject water into the primary system), as defined by the terminology of each utility (e.g., auxiliary feedwater system, containment spray system, high pressure coolant injection system).

The scope of the Maintenance Rule, as defined in 10 CFR 50.65(b), is limited to

SSCs that directly affect plant operations, regardless of what organization actually performs the maintenance activities. For example, electrical distribution equipment

out to the first inter-tie with the offsite di stribution system should be considered for comparison with §50.65(b), and thereafter, possible inclusion under the scope of the

Maintenance Rule. Thus, equipment in the switchyard, regardless of its geographical location, is potentially wi thin the scope of the Maintenance Rule.

Safety systems may perform not only safety functions but also other functions that have no safety significance. For example, the system may be used to transfer water from one part of the plant to another as we ll as provide additional safety functions.

The safety functions of SSCs are a ddressed by the Maintenance Rule.

It is necessary to identify and document the functions for both safety and nonsafety SSCs that causes the SSCs to be within th e scope of the Maintenance Rule. There are two basic areas where this information is needed. First, the function which the

system or structure provides is needed so all failures can be evaluated against those functional aspects. Not all failures that cause loss of some function are functional

failures under the maintenance rule becaus e, for systems with multiple design functions, the function lost may not be within the scope of the maintenance rule, and further, components not required to meet this function that causes the system

to be within the scope of the rule may be excluded unless they meet another scoping

criterion. Secondly, when removing SSCs from service, it is important to be aware of what function is being lost so the impact of removing multiple equipment from

service can be determined.

As an alternative approach, licensees may use a functional basis to determine which

SSCs must be monitored within the scope of the rule. That is, the licensee may

determine all the functions performed by the SSCs and include within the scope of

the maintenance rule only those function s, and the associated SSCs that fulfill those functions, that meet the scoping criteria of the rule.

EXAMPLES 6 OF SSCs THAT ARE WITHIN THE SCOPE OF THE MAINTENANCE RULE BUT CONTAIN COMPONENTS OR

FUNCTIONS THAT ARE NOT RELATED TO SAFETY AND MAY BE

OUTSIDE THE SCOPE OF THE MAINTENANCE RULE

• CHEMICAL VOLUME AND CONTROL SYSTEMS (CVCS)*

SAFETY FUNCTION-HIGH HEAD INJECTION NONSAFETY FUNCTION-PRIMARY LOOP CLEANUP

• EMERGENCY CORE COOLING SYSTEM SAFETY FUNCTION-HIGH PRESSURE INJECTION NONSAFETY FUNCTION-FILL SAFETY INJECTION ACCUMULATORS

• SEE APPENDIX D FOR ADDITIONAL DETAILS

8.2.1.1 Safety-Related SSCs

Are the safety-related SSCs relied upon to remain functional during and following design basis events to ensure:

The integrity of the reactor coolant pressure boundary; or

The capability to shutdown the reactor and maintain it in a safe shutdown condition; or

The capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposure comparable to 10 CFR Part 100 Guidelines?

6 All examples are for illustration purposes only and may not be true for a specific plant. Each utility should examine its own plant for specific applicability.

EXAMPLES OF AVAILABLE INFORMATION SOURCES OF SAFETY-

RELATED SSCs

• FINAL SAFETY ANALYSIS REPORT (FSAR)

• Q-LIST

• MASTER EQUIPMENT LIST

A yes answer to any of the above will identify that the SSCs are within the scope of

the Maintenance Rule.

8.2.1.2 Nonsafety-Related SSCs that Mitigate Accidents or Transients

Are the nonsafety-related SSCs relied upon to mitigate accidents or transients?

This step requires utilities to determine which nonsafety SSCs are needed to

mitigate accidents or transients as descri bed in the plant's Final Safety Analysis Report (FSAR).

EXAMPLES OF NONSAFETY SSCs THAT ARE USED IN FSAR

ANALYSIS TO MITIGATE ACCIDENTS

• CONDENSATE STORAGE TANK (SUPPLY TO AUXILIARY FEEDWATER)

• FIRE SUPPRESSION SYSTEM

• BORIC ACID TRANSFER SYSTEM USED FOR EMERGENCY BORATION AND MAKE-UP TO THE REFUELING WATER

STORAGE TANK

A yes answer will identify that the SSCs are within the scope of the Maintenance

Rule.

8.2.1.3 Nonsafety-Related SSCs that are used in Emergency Operating Procedures

Are the nonsafety-related SSCs used in plant Emergency Operating Procedures (EOPs)?

• Nonsafety-related SSCs that are necessary to be in the Maintenance Rule scope by this paragraph are those explicitly used in the EOPs that provide a mitigating function.

• SSCs used in plant EOPs are required for mitigation of the event/symptom that necessitated entry into the EOP.

• Severe Accident Management Guidelines (SAMGs) are not considered to be EOPs. Equipment described only in SAMGs would not be in scope of the

Maintenance Rule unless otherwise required by paragraph 50.65(b).

• Equipment used in support of 10 CFR 50.54(hh)(2) (Loss of Large Areas) would not be in scope of the Maintenance Rule unless otherwise required by paragraph

50.65(b).

• Only those SSCs under licensee control need be included in the Maintenance Rule scope.

• When the EOPs direct the user to another procedure, the associated SSCs required to perform the EOP mitigating function are included in the scope of the Maintenance Rule.

• SSCs whose use are implied and are necessary to perform the EOP steps in the necessary response times, such as emergency lighting or communication SSCs are included in the

scope of the Maintenance Rule.

• Since the Maintenance Rule is a performance-based regulation, licensees have the flexibility to add or remove SSCs from the scope of 10 CFR 50.65(b) if an adequate

technical basis exists for including or excluding the SSC in question.

For clarity and universal understanding regarding these scoping criteria, the following

definitions are offered:

Explicitly used means those SSCs specifically called out in the EOP by tag identification or noun name that provide a mitigating function, and includes those SSCs required to

support the explicitly used SSCs even though they are not called out in the EOP. For example, all SSCs associated with an instrument loop supporting a control room instrument that is specifically called out in the EOP are considered explicitly used.

Implied use means those SSCs not specifically called out in the EOP, but are understood to be essential for successful completion of the associated mitigating EOP step, although they may not directly address or mitigate the event.

Mitigate or Mitigating means actions or steps taken to lessen the severity or the adverse consequences of the event/symptom that necessitated entry into the EOP.

8.2.1.4 Nonsafety-Related SSCs Whose Failure Prevents Safety-Related SSCs from Fulfilling their Safety-Related Function

Will the failure of nonsafety-related SSCs prevent safety-related SSCs from fulfilling their safety-related function?

This step requires that each utility investigate the systems and system

interdependencies to determine failure modes of nonsafety-related SSCs that will

directly affect safety-related functions.

As used in this section of the guideline, the term "directly" applies to nonsafety-

related SSCs:

Whose failure prevents a safety function from being fulfilled; or

Whose failure as a support SSC prevents a safety function from being fulfilled.

A yes answer identifies that the nonsafety-related SSCs are within the scope of the

Maintenance Rule.

A utility should rely on actual plant-specific and industrywide operating experience, prior engineering evaluations such as PRA, IPE, IPEEE, environmental

qualification (EQ), and 10 CFR 50 Appendix R analyses.

Industrywide operating experience is reviewed 7 for plant-specific applicability and, where appropriate, is included in utility specific programs and procedures. It is

appropriate to use this information to the extent practical to preclude unacceptable

performance experienced in the industry fr om being repeated. An event that has occurred at a similarly configured plant should be considered for applicability to the

reviewing utility.

The determination of hypothetical failures that could result from system

interdependencies but have not previously been experienced is not required.

Failures subsequent to implementation of this guideline shall be addressed in the determination of cause, corrective action, and performance monitoring as described

in Sections 8.0, 9.0 and 10.0.

7 The review of industry operating experience for scoping should include two refueling cycles or thirty-six months back from July 10, 1996.

EXAMPLES OF NONSAFETY-RELATED SSCs WHOSE FAILURE

PREVENTS SAFETY-RELATED SSCs FROM FULFILLING THEIR

SAFETY-RELATED FUNCTION

• A NONSAFETY-RELATED INSTRUMENT AIR SYSTEM THAT OPENS CONTAINMENT ISOLATION VALVES FOR PURGE AND

VENT

• A NONSAFETY-RELATED FIRE DAMPER IN STANDBY GAS TREATMENT SYSTEM WHOSE FAILURE WOULD IMPAIR AIR

FLOW

• IN SOME CASES THE CONDENSA TE STORAGE TANK IS NOT SAFETY-RELATED BUT IS A SOURCE OF WATER FOR ECCS

• FAILURE OF A NONSAFETY SYSTEM FLUID BOUNDARY CAUSING LOSS OF A SAFETY SYST EM FUNCTION (e.g., HEATING SYSTEM PIPING OVER A SAFETY-RELATED ELECTRICAL PANEL) 8.2.1.5 Nonsafety-Related SSCs Whose Failure Causes a Reactor Scram or Actuates Safety Systems

Has failure of the nonsafety related SSCs caused a reactor SCRAM or actuation of

safety related systems at your plant or a plant of similar design?

This step requires utilities to determine, on the basis of utility specific and

industrywide operating experience, those nonsafety related SSCs whose failure

caused a reactor scram or actuation of a safety related system.

A yes answer identifies that the SSCs are within the scope of the Maintenance

Rule.

A utility should rely on actual plant-specific and industrywide operating experience, prior engineering evaluations such as PRA, IPE, IPEEE, environmental

qualification (EQ), and 10 CFR 50 Appendix R analyses.

Industrywide operating experience is reviewed 8 for plant-specific applicability and, where appropriate, is included in utility specific programs and procedures. It is

appropriate to use this information to the extent practical to preclude unacceptable

performance experienced in the industry fr om being repeated. An event that has occurred at a similarly configured plant should be considered for applicability to the

reviewing utility.

The determination of hypothetical failures that could result from system

interdependencies but have not been previously experienced is not required.

Failures subsequent to implementation of this guideline shall be addressed in the determination of cause, corrective action, and performance monitoring as described

in Sections 8.0, 9.0 and 10.0.

In summary, licensees should consider the following SSCs to be within the scope of the rule:

1. SSCs whose failure has caused a reactor scram or actuation of a safety-related

system at their site.

2. SSCs whose failure has caused a reactor scram or actuation of a safety-related

system at a site with a similar configuration.

3. SSCs identified in the licensee's analys is (e.g., FSAR, IPE) whose failure would cause a reactor scram or actuation of a safety-related system.

A licensee may exclude SSCs that meet criteria 2 or 3 if they have demonstrated by

analysis (e.g., FSAR, IPE) and by operational experience that the design or

configuration of an SSC is fault-tolerant through redundancy or installed standby spares such that a reactor scram or actuation of a safety-related system is

implausible.

8 See footnote 7.

EXAMPLES OF FSAR NONSAFETY-RELATED COMPONENT

TRANSIENT INITIATORS

• TURBINE TRIPS

• LOSS OF FEEDWATER

• LOSS OF INSTRUMENT AIR EXAMPLES OF NONSAFETY-RELATED SSCs WHOSE FAILURE CAN

CAUSE A TRIP

• TURBINE/GENERATOR

• NON-ESF BUSSES THAT POWER REACTOR COOLANT PUMPS

• ROD CONTROL SYSTEM SUCH TH AT MULTIPLE RODS DROP INTO THE CORE EXAMPLE OF NONSAFETY-RELATED SSCs WHOSE FAILURE CAN

CAUSE ACTUATION OF A SAFETY SYSTEM

• RADIATION MONITOR (e.g., ISOLATES CONTROL ROOM VENTILATION) 8.2.1.6 SSCs Outside the Scope of the Maintenance Rule

SSCs that do not meet the above criteria are outside the scope of the Maintenance

Rule. These SSCs will continue to have appropriate maintenance activities

performed on them. For these SSCs, the degree of maintenance attention will be

dependent upon factors such as the conseq uence of SSC failure on power production and economic importance.

EXAMPLES OF CATEGORIES OF EQUIPMENT THAT ARE

OUTSIDE THE SCOPE OF THE MAINTENANCE RULE UNLESS

THEY MEET THE GUIDANCE OF P ARAGRAPHS 8.2.1.2, 8.2.1.3, 8.2.1.4 or 8.2.1.5

• FIRE PROTECTION SSCs FIRE PROTECTION SSCs THAT ARE IDENTIFIED UNDER 10 CFR PART 50, APPENDIX R REQUIREMENTS

ARE NONSAFETY-RELATED AND THEREFORE ARE NOT INCLUDED WITHIN THE SCOPE OF THE MAINTENANCE

RULE.

• SEISMIC CLASS II SSCs INSTALLED IN PROXIMITY WITH SEISMIC CLASS I SSCs SEISMIC CLASS II SSCs ARE NOT INCLUDED WITHIN THE SCOPE OF THE MAINTENANCE RULE.

• SECURITY SSCs THE SSCs USED FOR THE SECURITY OF NUCLEAR POWER PLANTS ARE NONSAFETY AND THEIR

MAINTENANCE PROVISIONS ARE ADDRESSED

SEPARATELY UNDER THE REQUIREMENTS OF 10 CFR

PART 73. SECURITY SSCs ARE NOT INCLUDED WITHIN

THE SCOPE OF THE MAINTENANCE RULE.

• EMERGENCY FACILITIES DESCRIBED IN THE EMERGENCY PLAN EXAMPLES INCLUDE THE TECHNICAL SUPPORT CENTER (TSC), OPERATIONS SUPPORT CENTER (OSC),

AND OTHER EMERGENCY OPERATING FACILITIES (EOFs).

9.0 ESTABLISHING

RISK AND PERFORMANCE CRITERIA/GOAL SETTING AND MONITORING

9.1 Reference

10 CFR 50.65 (a)(1)

Each holder of an operating license under §§ 50.21 (b) or 50.22 shall monitor the

performance or condition of structures, systems, and components against licensee

established goals, in a manner sufficient to provide reasonable assurance that such

structures, systems, and components, as defined in paragraph (b), are capable of

fulfilling their intended functions. Such goals shall be established commensurate

with safety and, where practical, take into account industry-wide operating experience. When the performance or condition of a structure, system, or

component does not meet established goals, appropriate corrective action shall be

taken.

9.2 Guidance

Once the selection of those SSCs determined to be within the scope of the

Maintenance Rule (Section 8.0) has been co mpleted, it is then necessary to establish risk significant and performance 9 criteria to initially determine which SSCs must have goals established and monitoring activities performed in accordance with (a)(1). For SSCs that do not meet performance criteria, a cause determination is

performed and if appropriate goals are established commensurate with an SSCs

safety significance and performance.

Monitoring the performance of the SSCs against established goals is intended to provide reasonable assurance that the SSCs

are proceeding to acceptable performance.

All SSCs determined to be within the scop e of the Maintenance Rule are subject to an effective PM program as indicated by (a)(2) (see Section 10.0). SSCs that are within the scope of (a)(2) could be included in the formal PM program, be inherently reliable (e.g., visual inspection during walkdowns to meet licensee requirements that already exist), or be allowed to run to failure (provide little or no contribution

to system safety function). When SSCs in (a)(2) do not perform acceptably, they are evaluated to determine the need for goal setting and monitoring under the

requirements of (a)(1). The number of SSCs monitored under the requirements of (a)(1) can vary greatly due to factors unrelated to the quality of a licensee's

9.See definition.

maintenance program; therefore, the number of SSCs monitored under the requirements of (a)(1) should not be used as an indicator of the quality of a

licensee's maintenance program.

9.3 Determining

the SSCs Covered by (a)(1)

This section explains how to determine which SSCs that are under the scope of the

Maintenance Rule will have goals and monitoring established in accordance with (a)(1). Establishing both risk significan t criteria (Section 9.3.1) and performance criteria (Section 9.3.2) is necessary to provide a standard to measure the

performance of SSCs (Section 9.3.3).

9.3.1 Establishing

Risk Significant Criteria

Risk significant criteria should be established to determine which of the SSCs are

risk significant. Risk significant criteria should be developed using any of the

following methods:

Individual Plant Examination (IPE),

Plant-specific Probabilistic Risk Assessment (PRA),

Critical safety functions (e.g., vessel inventory control) system performance review, Other appropriately documented processes.

10 Utilities may find the following sources pr ovide useful data for monitoring risk significant SSC performance:

Preventive Maintenance (PM) program results, Evaluation of industrywide operating experience, or

Generic failure data.

Most of the methods described below identi fy risk significant SSCs with respect to core damage. It is equally important to id entify as risk significant those SSCs that prevent containment failure or bypass that could result in an unacceptable release.

Examples might include the containment spray system, containment cooling

system, and valves that provide the boundary between the reactor coolant system

and low pressure systems located outside containment.

10 The following NUREGs describe other processes that could be used for this purpose: NUREG/CR-5424, "Eliciting and Analyzing Expert Judgment"; and NUREG/CR-4962, PLG-0533, "Methods for the Elicitation and Use of Expert Opinion in Risk Assessment."

Examples of risk determination methods are described in NUREG/CR-5695, "A

Process for Risk-Focused Maintenance." Other methods that can assist a utility in

identifying risk significant SSCs and enable appropriate maintenance prioritization

and goal setting are included in: NUREG/CR-4550, "Analysis of Core Damage

Frequency"; NUREG/CR-3385, "Measures of Risk Importance"; NUREG/CR-5692, "Generic Risk Insights for General Electric Boiling Water Reactors"; and

NUREG/CR-5637, "Generic Risk Insights for Westinghouse and Combustion

Engineering Pressurized Water Reactors". In addition, the PSA Application Guide, EPRI Report TR-105396(a) could be used as a reference source for establishing SSC

risk significance.

Work done to date on symptom-based emergency operating procedures as well as

IPE vulnerability assessments may be used to establish risk significant criteria to

screen SSCs, and to select those SSCs requ ired to fulfill a critical safety function.

An SSC could be risk significant for one failure mode and non risk significant for

others. An example of an SSC that is ri sk significant for one failure mode and non-risk significant for another is as follows

Blowdown valves on steam generators perform a safety function to close on isolation. However, the open position function

is to maintain water chemistry which is a nonsafety function. Additionally, many SSCs that are functionally important in modes other than power operation, such as

shutdown, may be identified by some no rmally employed analysis methods (e.g., Engineering Analysis, IPE/PRA, etc.). These should be determined by an

assessment of their functional importance in other modes and a review of events

and failures that have occurred during these modes.

Entry into a Technical Specification Limiting Condition for Operation, although

important, is not necessarily risk significant.

Risk significant SSCs can be either safety-related or nonsafety-related. There are

risk significant systems that are in a standby mode and when called upon to

perform a safety function, are required to be available and reliable (e.g., high

pressure coolant injection).

Another methodology that could be used to establish risk significance is a reliability

approach to maintenance. Plants which have completed reliability based

maintenance assessments for any systems that are risk significant could find data that supports the determination of SSCs necessary to perform critical safety functions. These reliability assessments should indicate that functional importance

is considered for all plant modes, plant failure experience has been reviewed and summarized, and potential failures have been identified and their likelihood considered. A reliability based maintenance approach can also provide the basis for a preventive maintenance activity, including component monitoring.

Risk significant SSCs may be determined in accordance with a PRA similar to that

used in response to GL 88-20, "Individual Plant Examination for Severe Accident

Vulnerabilities." The assumptions developed for GL 88-20 could also be used in the

calculation of the total contribution to core damage frequency (CDF) and 10 CFR

Part 100 type releases as a basis for est ablishing plant-specific risk significant criteria.

If a utility selects a method based on PRA to establish risk significance, it should

begin the process by assembling a panel of individuals experienced with the plant

PRA and with operations and maintenance. The panel should utilize their expertise

and PRA insights to develop the final list of risk significant systems. NUREG/CR-

5424 or NUREG/CR-4962 may be used as a guideline in structuring the panel. The

panel should review input from all three specific risk importance calculational

methods listed and described in Sections 9.

3.1.1, 9.3.1.2 and 9.3.1.3 in making its judgment regarding risk significant systems.

It should be noted that each of these methods will identify a different set of SSCs based upon differing concepts of

importance. Each method is useful in pr oviding insights into risk significant SSC selection, and all of them should be used in the decision making process.

Many currently used PRA software pack ages provide information on Fussell-Veseley Importance and Risk Reduction Importance. Not all software includes

techniques that utilize accident sequence failure combinations (cut sets) and some

adaptation of the software may be required to appropriately establish risk

significant SSCs.

Utilities may use additional sensitivity methods (i. e., Birnbaum, Fussell-Veseley, etc.) if they have been performed and are readily available. The use of additional computer software is not required if the three methods (RRW, RAW, 90% CDF)

have been performed. If additional sensitivity methods are used an acceptable

criteria (i.e., threshold) should be developed or the expert panel could use the

unprocessed information as a basis for determining risk significance.

The use of an expert panel would compensate for the limitations of PRA

implementation approaches resulting from the PRA structure (e.g., model

assumptions, treatment of support systems, level of definition of cut sets, cut set truncation, shadowing effect of very large (high frequency) cut sets, and inclusion of

repair or restoration of failed equipment) and limitations in the meanings of the

importance measures.

If desired by the utility, the expert panel may be used for additional functions. The expert panel, or a similarly-established utility group could provide assistance in

identifying SSCs that should have goals established, review the periodic

assessment, or provide insight on other elements of the maintenance rule.

9.3.1.1 Risk Reduction Worth The following are two alternative methods for applying Risk Reduction Worth 11 techniques in the identification of risk significant SSCs. The two methods are

similar, but the first normalizes the Risk Reduction Worth by the sum of all

maintenance related Risk Reduction Worths, while the second uses Risk Reduction

Worth compared to overall Core Damage Frequency.

Method A: An SSC would probably be considered risk significant if its Risk

Reduction Importance Measure contributes to at least 99.0 percent of the

cumulative Risk Reduction Importance's.

Specifically, risk significant SSCs can be identified by performing the following sequential steps:

Calculate the Risk Reduction Worth for the individual SSCs and rank in decreasing order.

Eliminate Risk Reduction Worths that are not specifically related to maintenance (e.g., operator error and external or initiating events).

Normalize the individual SSC Risk Reduction Worths by the sum of all the Risk Reduction Worths related to maintenance. These are the Risk Reduction

Importance Measures for the individual SSCs, ranked by their contribution and expressed as a percentage.

SSCs that cumulatively account for about 99.0 percent of the sum of Risk Reduction Importance's related to maintena nce should be provided to the expert panel as an input in risk determination.

Method B: Risk Reduction Worth may be used directly to identify risk significant

SSCs. An SSC would probably be considered risk significant if its Risk Reduction

Worth exceeds 0.5 percent of the overall Core Damage Frequency (Risk Reduction

11 Risk Reduction Worth is the decrease in risk if the SSC is assumed to be perfectly reliable for all failure modes (e.g., failure to start and failure to run). NUREG/CR-3385, "Measures of Risk Importance and their Applications."

Worth >1.005). These may be identified by performing the following sequential steps:

Calculate the Risk Reduction Worth for the individual SSCs and rank in decreasing order.

Eliminate Risk Reduction Worths that are not specifically related to maintenance (e.g., operator error and external or initiating events).

SSCs whose Risk Reduction Worth is > 0.5 percent of the overall Core Damage Frequency should be provided to the expert panel as an input in risk

determination.

9.3.1.2 Core Damage Frequency Contribution

An SSC would probably be considered risk significant if it is included in cut sets

that, when ranked in decreasing order, cumulatively account for about 90 percent of

the Core Damage Frequency.

Specifically, risk significant SSCs can be identified by performing the following sequential steps:

Identify the cut sets that account for about 90 percent of the overall Core Damage Frequency.

Eliminate cut sets that are not related to maintenance (e.g., operator error and external or initiating events).

SSCs that remain should be provided to the expert panel as an input in risk determination.

9.3.1.3 Risk Achievement Worth

An SSC would probably be considered risk significant if its Risk Achievement Worth 12 shows at least a doubling of the overall Core Damage Frequency and should be provided to the expert panel as an input in risk determination.

9.3.2 Performance

Criteria for Evaluating SSCs

Performance criteria for evaluating SSCs ar e necessary to identify the standard against which performance is to be measured. Criteria are established to provide a

basis for determining satisfactory performance and the need for goal setting. The

actual performance criteria used should be SSC availability, reliability, or condition.

The performance criteria could be quantified to a single value or range of values.

For example, if a utility wanted to maintain an availability of 95 percent for a

particular system because that was the assumption used in the PRA, then the 95 percent value would be the performance criteria. If the performance criteria are not

met, then a goal could be set at a value equal to or greater than 95 percent.

Additionally, an example of condition as a performance criteria would be a case in

which a utility wanted to maintain the wall thickness of a piping system to comply

with the ASME code requirements. The utility would establish some acceptable

value for wall thickness and monitor by ultrasonic testing or other means.

If performance criteria are not met, the basis for the criteria should be reviewed to

determine if goal setting is required and the appropriate goal value established. It

should be recognized that while goals and performance criteria may have the same

value and units, goals are only established under (a)(1) where performance criteria

are not being met and are meant to provide reasonable assurance that the SSCs are

proceeding to acceptable performance.

Specific performance criteria are established for all risk significant SSCs and for

non-risk significant SSCs that are in a standby (not normally operating) mode.

Standby systems (either risk significant or non risk significant and safety-related or

nonsafety-related) may only affect a plant level criteria if they fail to perform in

response to an actual demand signal. This means that a standby system could be

failed but its inability to perform its intended function is not known until it is

required to perform in response to a de mand signal or during testing (e.g., a surveillance test to determine operability). The mode in which most standby

12 Risk Achievement Worth is the increase in risk if the SSC is assumed to be failed for all failure modes (e.g., failure to start and failure to run). NUREG/CR-3385, "Measures of Risk Importance and their Applications."

system failures are observed is during test ing. Because plant transients occur less frequently, failure on demand provides mi nimal information. For this reason, a plant level criteria is not a good indicator or measurement of performance.

The performance criteria for a standby system can be qualitatively stated as "initiates upon demand and performs its intended function." The reliability of a

standby system to satisfy both criteria can be quantitatively established as

calculated in PRA methodology.

Plant level performance criteria are established for all remaining non-risk

significant normally operating SSCs. However, there may be some non-risk

significant SSCs whose performance cannot be practically monitored by plant-level

criteria. Should this occur, other performance criteria should be established, as

appropriate (e.g., repetitions of safety f unction failures attributable to the same maintenance-related cause).

All risk significant SSCs determined to have acceptable performance are placed in (a)(2) and monitored against performance criteria established for risk significant

SSCs. An example of the process is as follows:

SSC is determined to be in scope of Maintenance Rule;

SSC is determined to be risk significant;

SSC performance criteria are established (e.g., the criteria could be an acceptable level of reliability and availability/unavailability as appropriate.);

SSC performance is determined to meet the established criteria; and

SSC performance is monitored under (a)(2) against performance criteria established for risk significant SSCs.

Those non-risk significant SSCs that are in standby and have acceptable

performance are also addressed under (a)(2) and may be monitored by evaluating

surveillance performance.

Risk significant SSCs and non-risk significant SSCs that are in standby that are

determined to have unacceptable performance, as defined in Section 9.3.4, are

addressed under (a)(1), have goals established, and performance monitored to those

goals.

Remaining non-risk significant SSCs (those normally operating) are addressed under (a)(2) and performance is monitored against plant level criteria. In the event

a plant level performance criteria is not met, a cause determination will be

conducted to determine whether the failure of a SSC within the scope of the

maintenance rule was responsible and, if so , whether this failure was an MPFF. In this case, the utility may address the SSC under (a)(1) and establish a goal and

monitor performance to that goal or continue to address performance under (a)(2)

after taking corrective action. The performance criteria selected should monitor

what included it in the scope of the ma intenance rule. For example, automatic reactor scrams may be established as the performance criteria that is to be

monitored to demonstrate the effectiveness of preventive maintenance for a given

system.

If the function of the scoped system is lost and it causes a scram, the cause

determination has to be completed to determine if it is an MPFF. If it is, the MPFF

has to be tracked. If a second scram occurs that is caused by the same failure (i.e., repetitive) or a plant-level performance criteria is not met, a goal has to be

established; it may be established at the train or component level. However, failures that do not cause a scram or actuatio n of a safety system do not have to be tracked.

For example, Plant A has two 50 percent capacity circulating water pumps that provide cooling to the condenser. Plant B has three 50 percent capacity circulating

water pumps. Assuming loss of circulating wa ter caused both reactors to scram, the system is within maintenance rule scope for both Plant A and Plant B. If Plant A

losses one pump it causes the plant to scra

m. However, if Plant B experiences the loss of one pump, it does not cause a scram. Plant A is required to do a cause

determination to determine if it involves an MPFF. If it does, the failure that

caused the loss of the function that caused the unit to scram must be tracked. Plant

B may elect to do a cause determination but it is not required because a plant scram

did not occur. In addition, if Plant B expe riences a second failure of the same type several weeks later and the unit does not scram, it is not a repetitive failure.

Neither failure on Plant B has to be addressed under the maintenance rule because

(1) the failure that occurred did not cause a loss of the function (i. e., total loss of cooling water that causes a scram) that sc oped it within the maintenance rule and (2) the plant-level performance criteria (i. e., unplanned reactor scrams per 7000

hours critical) was not affected.

Overall plant level performance criteria are broad based and are supported by many

SSCs that could be either safety or nonsafety-related. Since equipment

performance is a major contributor to meeting plant level performance criteria, it

can be useful in determining maintenance program effectiveness.

Plant level performance criteria should include, the following:

13 Unplanned reactor scrams per 7000 hours0.081 days <br />1.944 hours <br />0.0116 weeks <br />0.00266 months <br /> critical;

Unplanned safety system actuations; or

Unplanned capability loss factor

Other performance criteria may include indicators similar to those recognized by

the NRC, industry organizations, or established by the utility to monitor SSCs that

cannot be practically monitored by plant-level performance criteria.

Each utility should evaluate its own situation when determining the quantitative

value for its individual plant level performance criteria. The determination of the

quantitative value will be influenced by different factors, including such things as

design, operating history, age of the plant, and previous plant performance.

Specific risk significant SSC performance criteria should consider plant-specific

performance and, where practical, industrywide operating experience. Performance

criteria for risk significant SSCs should be established to assure that reliability and availability assumptions used in the plant-specific PRA, IPE, IPEEE, or other risk

determining analysis are maintained or ad justed when determined necessary by the utility.

When establishing performance criteria for non-risk significant standby systems,

surveillance and actual system demands sh ould be reviewed. Failures resulting from surveillances and valid system actuat ions should be evaluated in accordance with Section 9.4.4.

13 The terms that follow are defined in Appendix B.

9.3.3 Evaluating

SSCs Against Risk Significant and Performance Criteria After establishing SSCs that are within the scope of the Maintenance Rule and

establishing the risk significant and performance criteria, the next step is to

evaluate the SSCs against the criteria. Th ere are two phases in this evaluation.

In the first phase, SSCs are evaluated against the risk criteria (Section 9.3.1) to

determine those SSCs that are risk significant. For those SSCs that are risk

significant, the associated SSC specific performance criteria is established (Section

9.3.2). For those SSCs that are not risk significant but are standby systems, the

SSC specific performance criteria is established (Section 9.3.2). For the remaining

SSCs, the overall plant performance criteria applies.

The second phase is to evaluate the specific SSCs against the established

performance criteria using historical plant data, and industry data where

applicable, to determine if the SSCs met the performance criteria. The historical

data used to determine the performance of SSC s consists of that data for a period of at least two fuel cycles or 36 months, whichever is less. If the SSC does not meet

the established performance criteria, a cause determination is performed (Section

9.4.4) to determine if the unacceptable performance was maintenance preventable (Section 9.4.5). If the unacceptable performance was not maintenance preventable, the SSC is placed in (a)(2) and addressed in the preventive maintenance program.

If the corrective action has resolved the issue, the SSC is placed in (a)(2). If it is determined that an acceptable trend in performance is not demonstrated or the

corrective action has not corrected the problem (Section 9.4.5), the SSC is placed in (a)(1) and a goal is set (Section 9.3.4) for that SSC. If the trend of performance

indicates that the cause determination and corrective actions are effective, monitoring should be continued until the goal is achieved.

If the SSC is determined to be inherently reliable, then it is not necessary to place

the SSC in (a)(1) and establish goals. As used here, an inherently reliable SSC is one that, without preventive maintenance, has high reliability (e.g., jet shields, raceways). The need to place an SSC under (a)(1) and establish goals may arise if

the inherently reliable SSC has experience d a failure. In such cases, the SSC cannot be considered inherently reliable.

SSCs that provide little or no contribution to system safety function could be allowed to run to failure (i.e., perfor m corrective maintenance rather than preventive maintenance) and are addressed by (a)(2).

As of July 10, 1996, the implementation date of the Maintenance Rule, all SSCs that are within the scope of the Maintena nce Rule will have been placed in (a)(2) and be part of the preventive maintenanc e program. In addition, those SSCs with unacceptable performance will be placed in (a)(1) with goals established.

After full implementation on July 10, 1996, those SSCs that have goals established

will be monitored (Section 9.4.2) using current plant data to determine if the goal is

being met and if the SSC can be placed in (a)(2).

For new plants with no operating history, the evaluation can be performed as follows. The utility can place appropriate SSCs under paragraph (a)(1) of the

maintenance rule, establish goals and monitor those goals until an acceptable

performance history has been determined. For SSCs not designated (a) (1) the

utility could utilize the performance history during pre-operational testing and base

SSC performance dispositioning on indust ry peer experience (e.g., NSSS plant of similar design). Several determinations should be made including the following:

• Design is similar enough to establish a baseline of performance.

• Preventive maintenance programs of comparable plants are effective and the new plant has a basis for comparison.

• Corrective action and cause determination methodology are effectively implemented to identify and correct deficiencies.

• Operating experience is shared between the comparable and new plant.

• Process has been established at the new plant to evaluate lessons learned from the comparable plant.

For existing plants that have been shut do wn for extended periods (i. e., longer than one operating cycle), the evaluation should take into account existing equipment operating history to the maximum extent possible. However, where such data is not

available or is out of date, the utility should use information from sources described

above for new construction.

9.3.4 Determining

Whether an SSC Level Goal is Required

If any of the following conditions exist, a goal should be established at the

appropriate level (i.e., structure, system, train, or component):

A maintenance preventable functional failure (MPFF) caused an overall plant performance criteria to be exceeded (reference Section 9.4.5); or

A MPFF caused a risk significant or non-risk significant SSC performance criteria not to be met; or

A second MPFF (same cause) occurs following the initial MPFF and implementation of corrective action.

If the system or train level performance criteria or goal was not met as a result of a

component's MPFF, then the situation should be reviewed to determine if a goal

should be established for the component. If the cause of the component failure has

been identified and the necessary correctio ns made (e.g., replacement, redesign), a goal may not be needed unless it is a repetitive MPFF.

9.4 Goal Setting and Monitoring

Goals are established to bring about the necessary improvements in performance.

When establishing goals, a utility should consider various goal setting criteria such

as existing industry indicators, industry codes and standards, failure rates, duty cycles, and performance related data. In addition to the assumptions made in and results of reliability approaches to mainte nance, the assumptions in or results of IPEs/PRAs should also be considered when establishing goals. In addition, analytical techniques (e.g., system unavailability modeling) may be considered for

developing goals. When selecting a goal, the data should be collected over a

sufficient length of time to minimize the effects of a random event.

Monitoring should consist of periodica lly gathering, trending, and evaluating information pertinent to the performance, and/or availability of the SSCs and

comparing the results with the established goals and performance criteria to verify

that the goals are being met. Results of monitoring (including (a)(1) and (a)(2) activities) should be analyzed in timely manner to assure that appropriate action is

taken.

Regulations and utility commitments (e.g., Emergency Diesel Generator docketed

reliability targets in response to the Station Blackout Rule, 10 CFR 50.63) provide a

baseline for testing and surveillance activities of some SSCs under the scope of the Maintenance Rule. Additional testing and surveillance activities could be necessary if SSC performance is unacceptable. The Maintenance Rule results could also

provide the basis for reduced testing and surveillance. The basis for technical

specification, licensing commitments, and other regulation may be appropriately

used for goal setting. Typical exampl es of such regulations or licensee commitments include:

1. Surveillance test and inspections performed in accordance with Section XI of the ASME code as required by 10 CFR 50.55a.

2. Reactor pressure vessel material surveillance tests conducted in accordance with Appendix H of 10 CFR Part 50.

3. Containment leakage tests performed in accordance with Appendix J of 10 CFR Part 50.

4. Component surveillance or testing required by plant technical specifications.

5. Fire protection equipment tested and main tained in accordance with Appendix R of 10 CFR Part 50.

6. Tests and inspections performed in response to NRC bulletins, generic letters, or information notices.

9.4.1 Goal Setting

Goals can be set at the structure, system, train, or component level, and for

aggregates of these where appropriate. In some cases the utility may elect to

establish thresholds which would provide indication of improved performance

toward the ultimate goal. A quantitative value for a goal or threshold may be

established on the basis of judgment resulting from an appropriately documented

review of performance criteria (see Section 9.3.1). When setting a goal the utility

should take into account, where practica l, industry-wide operating experience.

9.4.1.1 System Level

For those SSCs requiring goal setting, it is expected that many goals will be

established at the system level. Where system level goals are to be established, system availability could be used as the monitored parameter. Unavailability times for systems that support (e.g., service wa ter, HVAC, etc.) many systems can be accounted for by charging the time to the support system that has failed and not the individual systems. Conversely, the unavailability times could be charged to both the support system (i.e., service water) and the supported system (i.e., diesel generator). The important factor is to ensure that the cause determination and

corrective action are effective and properly respond to correcting the problem

regardless of how the unavailability times are counted. A consistent approach is

needed so that the performance criteria can be monitored and tracked.

Due to plant-specific redundancy and diversity, an SSC failure does not necessarily cause a loss of safety function but could result in system or train performance that is unacceptable.

9.4.1.2 Train Level

Risk significant systems and standby systems that have redundant trains should

have goals established for the individual trains. The goal could be based on the

availability desired or assumed in the PRA analysis. Train level goals provide a

method to address degraded performance of a single train even though the system

function is still available. The train level goal should be set consistent with PRA or

other methods of risk determination assumptions. Other alternative goal setting

could consider the possibility of the best performing train to be unavailable and the

safety function reliability potentially reduced.

9.4.1.3 Component Level

When component level goals are determined to be necessary, they should be

established based upon the component's contribution to a system not meeting its

performance criteria or a system level goal. Candidates for component goals could

include classes of components with unacceptable performance, components which

have caused trips or are directly associated with the causes of challenges to safety systems, and those components which have failed causing the performance level or

a goal at the system or train level to be missed. Careful review and analysis should

be performed prior to establishing component goals to ensure that the number of

component goals is manageable and not overly complex.

9.4.1.4 Structure Level

It is expected that most structures will be addressed as required by (a)(2) of the Maintenance Rule. The condition of all structures within the scope of the rule

should be assessed periodically; the approp riate frequency of the assessments would be commensurate with the safety significance of the structure and its condition.

Licensees should evaluate the results of these assessments to determine the extent and rate of any degradation, and deficiencies should be corrected in a timely

manner commensurate with their safety significance, their complexity, and other

regulatory requirements. In those cases where it is determined that a structure must have a goal established, the goal could be based on, for example, limits for cracking, corrosion, erosion, settlement, deflection, or other condition criteria.

A structure should be monitored in accordance with Paragraph (a)(1) if degradation

is to the extent that the structure may not meet its design basis, or if the structure

has degraded to the extent that, if the degradation were allowed to continue

uncorrected until the next normally-scheduled assessment, the structure may not

meet its design basis.

9.4.2 Monitoring

Monitoring will be performed to determine if maintenance results in acceptable

performance.

If the plant specific safety analysis (i.e., FSAR) or PRA used to address a regulatory issue (e.g., IPEs) takes credit for any existi ng components in the system/train, then those components supporting that function should be monitored under the

maintenance rule. If credit is not taken, they could be considered installed spare

components which do not require monitoring under the maintenance rule.

Monitoring SSCs against specific established goals should be conducted in a manner

that provides a means of recognizing performance trends. Where functional failures

result in the inability to meet performance criteria and could result in the loss of an

intended maintenance rule function, monitoring should be predictive, when

appropriate, in order to provide timely wa rning. Monitoring should also provide a means for determining the effectiveness of previous corrective actions.

Monitoring should appropriately consider the following factors:

Existing plant specific or industry pe rformance monitoring such as technical specification surveillances, O&M Code, plant daily tours, ISI/IST and Appendix

J test programs, inspections and tests;

Establishing a practical monitoring process (i.e., should not require extensive analytical modeling or excessive data collection) that is capable of detecting

changes in SSC performance; and

Establishing a baseline to which the goals are monitored.

The monitoring frequency to meet established goals can vary, but may be initially

established as that currently required by existing surveillance requirements or other surveillance type monitoring currently being performed. Frequency of

monitoring is also dependent upon the goal established and the availability of plant-

specific or industry data. It may be either time directed, or based on performance.

The frequency of monitoring should be ad justed, if necessary, to allow for early detection and timely correction of negative trends.

Data could be collected from existing sources (e.g., surveillances, Appendix J requirements, ISI/IST, work order tracking) that are relevant to the goal being

monitored. The type and quality of the data being collected and trended is very important in that it will ultimately determine if goals are being met. The analysis and evaluation of the collected data shou ld be timely so that, where necessary, corrective action can be taken.

9.4.2.1 Monitoring System Level Goals

The object of monitoring at the system level is to evaluate the performance of the

system against established goals to proceed from the present status of not meeting

a performance criteria toward a level of acceptable performance. Some examples of

parameters monitored at the system level include availability, reliability, and

failure rate. Systems should be monitore d utilizing existing surveillance procedures provided that the data collected using these procedures addresses the specific

system goal(s).

9.4.2.2 Monitoring Train Level Goals

Monitoring train level performance against established goals should consist of

gathering availability or failure data and evaluating the results. The review and analysis of this data will provide a basis on where improvements are needed and

also confirm when corrective actions have been effective. Individual train

performance should be compared to each other or against the average train

performance.

9.4.2.3 Monitoring Component Level Goals

Should it be determined that a component requires goal setting, component

monitoring could include performance charac teristic data (e.g., flow, pressure, pump head, temperatures, vibration, current, hysteresis) that can be used to determine

performance of the component. Monitoring could also be done using non-destructive

examination analysis (e.g., oil or grease, vibration, ultrasonic, infrared, thermographic, eddy current, acoustics, and electric continuity). Information could

include surveillance test results that the utility already performs or industry failure

rate data.

9.4.2.4 Monitoring Structure Level Goals

Should it be determined that a structure requires goal setting, that goal should be

monitored to assure that the goal is being or will be met. Such structures might

include the reactor containment, foundations for important components such as

turbines, pumps and heat exchangers, as well as structures whose degradation or

failure could significantly compromise the function of other SSCs covered by the Maintenance Rule. Examples of monitoring include non-destructive examination, visual inspection, vibration, deflection, thickness, corrosion, or other monitoring

methods as appropriate.

9.4.3 Dispositioning

of SSCs from (a)(1) to (a)(2)

A goal may be determined to have been met, and monitoring of SSC performance

against specific goals may be discontinued if any of the following criteria are

satisfied:

Performance is acceptable for three surveillance periods where the surveillance periodicity is equal to or less than a six month interval;

Performance is acceptable for two successive surveillances where the surveillance periodicity is greater than six months but no greater than two fuel

cycles; or

An approved and documented technical assessment assures the cause is known and corrected and thus monitoring against goals is unnecessary.

If any of these conditions are met, the SSC may be returned to the provisions of (a)(2).

9.4.4 Unacceptable

Performance or Failure Cause Determination and Dispositioning SSCs from (a)(2) to (a)(1)

A cause determination of appropriate depth will be required for the following

conditions:

A goal not being met;

A performance criteria not being met;

The results of the cause determination may identify that establishing a goal is

required for the following two conditions:

A functional failure of a risk significant SSC, even if the goal or performance criteria is met; or

A repetitive MPFF of any SSC within the scope of the Maintenance Rule, even if the goal or performance criteria is met.

During initial implementation of the Ma intenance Rule, repetitive failures that have occurred in the previous two operating and refueling cycles should be

considered. After the initial rule implementation, utilities should establish an

appropriate review cycle for repetitive MPFFs (e.g., during the periodic review, during the next maintenance or test of th e same function, or in accordance with Section 9.4.3).

The cause determination should identify the cause of the failure or unacceptable

performance, and whether the failure was a MPFF (Section 9.4.5). It should

identify any corrective action to preclude recurrence, and make a determination as

to whether or not the SSC requires (a)(1) goal setting and monitoring (Section 9.3.4).

There are numerous techniques available to the utility industry that could be used

to determine if the failure is a MPFF. In some cases this determination is a simple

assessment of an obvious cause. In other cases the determination may require a

rigorous and formal root cause analysis in accordance with a methodology that

exists in the industry. Any of these would be satisfactory provided they result in identification and correction of the problem.

Cause determination and corrective action should reinforce achieving the

performance criteria or goals that are monitored, and may also determine whether

the performance criteria or goal itself should be modified. A decision as to whether

SSCs should have performance or goals monitored should be made. The

determination to allow failure may be an acceptable one. For example, a decision to

replace a failed component that provides little or no contribution to safety function

rather than performance of a preventive maintenance activity may reduce exposure, contamination, and cost without impacting safety (see Section 10.2). Once the

cause determination and corrective actions have been completed, the performance

should continue to be monitored and periodically evaluated until the performance

criteria or goal is achieved.

The cause determination should address failure significance, the circumstances surrounding the failure, the characteristics of the failure, and whether the failure is isolated or has generic or common cause implications (refer to NUREG/CR 4780, "Procedures for Treating Common Cause Failures in Safety and Reliability

Studies," EPRI NP 5613). The circumstances surrounding the failure may indicate

that the SSC failed because of adverse operating conditions (e.g., operating a valve

dry, over-pressurization of system) or fa ilure of another component which caused the SSC failure. The results of cause determination should be documented for

failures of SSCs under the scope of the Maintenance Rule (Section 13).

9.4.5 Maintenance

Preventable Functional Failures (MPFFs)

A maintenance preventable functional failure 14 is an unintended event or condition such that a SSC within the scope of the rule is not capable of performing its intended function and that should have been prevented by the performance of

appropriate maintenance actions by the utility. Under certain conditions, a SSC

may be considered to be incapable of performing its intended function if it is out of

specified adjustment or not within specified tolerances.

The cause determination should establish whether the failure was a MPFF. It will

be necessary to then determine if a goal should be established on any SSC which

experiences a MPFF (Section 9.3.4). If the SSC failure was not a MPFF, then the

utility should continue to perform the appropriate maintenance on the SSC.

If a utility determines that a modification is not cost effective and decides not to

make a change then any subsequent failure may not be a maintenance preventable

functional failure. The decision to not make a design change/modification would

include an evaluation of the consequences of future failures and consideration of

whether run-to-failure or degraded performance (i.e., performs corrective

maintenance rather than preventive maintenance) is an acceptable condition (NUMARC 93-01, Section 9.3.3). Additional preventive maintenance or inspection

activities may be necessary to compensate for the deficient design. If the utility

augments the preventive maintenance program to compensate for a design

deficiency, the activity is within the sc ope of the maintenance rule and future failures could be MPFFs. Then a maintenance preventable functional failure would

occur if the utility did not maintain the SSC in the original state (i. e., design

condition).

14 See Appendix B for definitions of initial and repetitive MPFFs.

EXAMPLES OF MPFFs

NOTE: "FUNCTIONAL" HAS BEEN ADDED TO PROVIDE EMPHASIS

ON ASSURING SAFETY FUNCTION AL PERFORMANCE (INCLUDING FAILURES THAT CAUSE SCRAMS)

RATHER THAN ADDRESSING A DEFICIENCY THAT DOES NOT AFFECT A SAFETY FUNCTION

• FAILURES DUE TO THE IMPLEMENTATION OF INCORRECT MAINTENANCE PROCEDURES.

• FAILURES DUE TO INCORRECT IMPLEMENTATION OF CORRECT MAINTENANCE PROCEDURES.

• FAILURES DUE TO INCORRECT IMPLEMENTATION OF MAINTENANCE PERFORMED WITHOUT PROCEDURES

CONSIDERED WITHIN THE SKILL OF THE CRAFT.

• FAILURES OF THE SAME KIND OCCURRING AT A UTILITY THAT HAVE OCCURRED IN INDUSTRY AS DEFINED BY INDUSTRY-

WIDE OPERATING EXPERIENCE THAT COULD HAVE BEEN

PRECLUDED BY AN APPROPRIATE AND TIMELY MAINTENANCE

ACTIVITY.

• FAILURES THAT OCCUR DUE TO THE FAILURE TO PERFORM MAINTENANCE ACTIVITIES THAT ARE NORMAL AND

APPROPRIATE TO THE EQUIPMENT FUNCTION AND

IMPORTANCE. EXAMPLES IN CLUDE FAILURE TO LUBRICATE WITH THE APPROPRIATE MATERIALS AT APPROPRIATE

FREQUENCIES, FAILURE TO ROTATE EQUIPMENT THAT IS IN A STANDBY MODE FOR LONG PERIODS.

EXAMPLES THAT ARE NOT MPFFs

• INITIAL FAILURES DUE TO ORIGINAL EQUIPMENT MANUFACTURER (OEM) DESIGN AND MANUFACTURING

INADEQUACIES INCLUDING INIT IAL ELECTRONIC PIECE PART EARLY FAILURES.

• INITIAL FAILURES DUE TO DESIGN INADEQUACIES IN SELECTING OR APPLYING COMMERCIAL OR "OFF THE SHELF" DESIGNED EQUIPMENT.

• INITIAL FAILURES DUE TO INHERENT MATERIAL DEFECTS.

• FAILURES DUE TO OPERATIO NAL ERRORS NOT ASSOCIATED WITH MAINTENANCE AND EXTERNAL OR INITIATING EVENTS.

• IF THE FAILURE THAT CAUSED AN MPFF RECURS DURING POST MAINTENANCE TESTING BUT BEFORE RETURNING THE

SSCs TO SERVICE, IT COULD BE INDICATIVE OF

UNACCEPTABLE CORRECTIVE ACTIONS BUT IS NOT

CONSIDERED AN ADDITIONAL MPFF.

• INTENTIONALLY RUN TO FAILURE (SECTION 9.3.3).

10.0 SSCs SUBJECT TO EFFECTIVE PREVENTIVE MAINTENANCE PROGRAMS 10.1 Reference

10 CFR 50.65 (a)(2)

Monitoring as specified in paragraph (a)(1) of this section is not required where it

has been demonstrated that the performance or condition of a structure, system, or

component is being effectively controlled through the performance of appropriate

preventive maintenance, such that the structure, system, or component remains capable of performing its intended function.

10.2 Guidance

The methodology for implementing the Maintenance Rule by demonstrating

maintenance program effectiveness or inhere nt reliability in lieu of SSC goal setting is shown on the Industry Guideline Impl ementation Logic Diagram (Figure 1).

Although goals are set and monitored as pa rt of (a)(1), the preventive maintenance (PM) and performance monitoring activities are part of (a)(2) and apply to all SSCs that are within the scope of the Maintenance Rule. SSCs that are within the scope

of (a)(2) could be included in the formal PM program, be inherently reliable (e.g., visual inspection during walkdowns to meet licensee requirements that already

exist), or be allowed to run to failure (provide little or no contribution to system

safety function).

An effective preventive maintenance prog ram is one which will achieve the desired results of minimizing component failures and increasing or maintaining SSC

performance. The individual maintenance program elements (training, procedures,

cause determination, etc.) are focused and directed toward achieving effective

maintenance through appropriate use of resources.

If it can not be demonstrated that the performance of a SSC is being effectively

controlled through a PM program, then it is necessary to establish a goal and

monitor the SSC's performance against the goal.

If the SSC is determined to be inherently reliable, then it is not necessary to place

the SSC in (a)(1) and establish a goal. As used here, an inherently reliable SSC is

one that, without preventive maintenance, has high reliability (Section 9.3.3).

SSCs that provide little or no contribution to system safety function, therefore could be allowed to run to failure (i.e., perf orm corrective maintenance rather than preventive maintenance) and are addressed by (a)(2).

10.2.1 Performance of Applicable Preventive Maintenance Activities

Several methods are available to the industry for determining applicable and

effective preventive maintenance activities to ensure satisfactory performance of SSCs. It is not the intention of this guideline to identify these programmatic methods of determining applicable maintenance activities. Sound preventive

maintenance activities include, but are not limited to, the following elements:

Periodic maintenance, inspection, and testing;

Predictive maintenance, inspection, and testing;

Trending of appropriate failures.

10.2.1.1 Periodic Maintenance, Inspection, and Testing

Periodic maintenance, inspection, and testing activities are accomplished on a

routine basis (typically based on operating hours or calendar time) and include

activities such as external inspections, alignments or calibrations, internal inspections, overhauls, and component or equipment replacement. Lubrication, filter changes, and teardown are some examples of activities included in periodic

maintenance.

10.2.1.2 Predictive Maintenance, Inspection, and Testing

Predictive maintenance activities, including performance monitoring, are generally

non-intrusive and can normally be performed with the equipment operating.

Vibration analysis (includes spectral analysis), bearing temperature monitoring, lube oil analysis (ferrography), infrared surveys (thermography), and motor voltage and current checks are some examples of activities included in predictive

maintenance. The data obtained from predictive maintenance activities are used to

trend and monitor equipment performance so that planned maintenance can be

performed prior to equipment failure.

10.2.1.3 Performance Trending

Performance should be trended against established performance criteria so that

adverse trends can be identified. When adverse trends are identified, appropriate

corrective action should be promptly initiated. The utility's historical data, when

combined with industry operating experience, operating logs and records, and

station performance monitoring data, can be useful in analyzing trends and failures

in equipment performance and making adjustments to the preventive maintenance

program.

10.2.2 Ongoing Maintenance Effectiveness Evaluation

Ensuring satisfactory performance of risk significant and standby SSCs requires an ongoing assessment against the utility's performance criteria (Section 9.3.3). The

results of this assessment should provide for feedback and adjustment of

maintenance activities such that MPFFs are addressed. MPFFs that are repetitive

or risk significant must be investigated and the cause determined (Section 9.4.4).

When performance is determined to require improvement, the utility should

implement the appropriate corrective actions in a timely manner.

The objective of monitoring plant level performance criteria is to focus attention on

the aggregate performance of many of the operating SSCs covered by the scope of

the Maintenance Rule that are not individually risk significant.

There are no individual SSC performance criteria included in the plant level

performance criteria. The SSCs that support plant level performance criteria are

included in the preventive maintenanc e program covered under (a)(2) of the Maintenance Rule. A failure of an individual SSC may not result in unacceptable

performance and may not affect a plant level performance criteria. The utility may

elect to establish a goal for the SSC that failed. If plant level performance criteria

were not met because of a MPFF, then the SSC should be considered for disposition

to (a)(1). See Sections 9.3.3 and 9.4 for elements to be considered.

This section is not intended to exclude a periodic review of preventive maintenance

activities in addition to the ongoing review to monitor maintenance effectiveness.

10.2.3 Monitoring the Condition of Structures Structures can be monitored using performance criteria under (a)(2) (or goals under (a)(1)) of the maintenance rule. These performance criteria (or goals) can be

established to monitor either performance or condition. For example, certain

structures such as the primary containment can be monitored through the performance of established testing requirements such as those contained in 10 CFR 50, Appendix J. Other structures such as reactor buildings, auxiliary buildings, and cooling towers, may be more amenable to condition monitoring similar to that

performed as part of the inservice inspecti on (ISI) activities required by the ASME codes. Other condition monitoring activities could include such activities as

monitoring of corrosion, settlement, roof leak age, concrete cracking, etc. Monitoring of structures should be given the same prio rity as mechanical and electrical systems and components.

Utilities should establish performance criteria and goals under the maintenance

rule which take credit for, and if necessa ry build upon, the existing monitoring activities.

Monitoring of structures, like systems and components, should be predictive in

nature and provide early warning of degradation. The baseline condition of plant

structures should be established to facilitate condition monitoring activities.

Although not required by regulations, NUREG 1522, "Assessment of Safety-Related Structures in Nuclear Power Plants" provides additional information on the subject.

11.0 ASSESSMENT OF RISK RESULTING FROM PERFORMANCE OF MAINTENANCE ACTIVITIES 11.1 Reference

10 CFR 50.65(a)(4)

Before performing maintenance activities (including but not limited to surveillance, post-maintenance testing, and corrective and preventive maintenance), the licensee shall assess and manage the increase in risk that may result from the proposed

maintenance activities. The scope of the assessment may be limited to those

structures, systems, and components that a risk-informed evaluation process has

shown to be significant to public health and safety.

11.2 Background

Maintenance activities must be performed to provide the level of plant equipment

reliability necessary for safety, and shou ld be carefully managed to achieve a balance between the benefits and potential impacts on safety, reliability and

availability.

The benefits of well managed maintenance conducted during power operations

include increased system and unit availability, reduction of equipment and system

deficiencies that could impact operations, more focused attention during periods

when fewer activities are competing for spec ialized resources, and reduction of work scope during outages. In addition, many maintenance activities may be performed

during power operation with a smaller net risk impact than during outage

conditions, particularly for systems whose performance is most important during

shutdown, or for which greater functional redundancy is available during power

operations.

11.3 Guidance

This section provides guidance for the development of an approach to assess and

manage the risk impact expected to re sult from performance of maintenance activities. Assessing the risk means usin g a risk-informed process to evaluate the overall contribution to risk of the planned maintenance activities. Managing the

risk means providing plant personnel with proper awareness of the risk, and taking actions as appropriate to control the risk.

The assessment is required for maintenance activities performed during power

operations or during shutdown. Performance of maintenance during power operations should be planned and scheduled to properly control out-of-service time of systems or equipment. Planning and scheduling of maintenance activities during

shutdown should consider their impact on performance of key shutdown safety functions.

11.3.1 Assessment Process, Control, and Responsibilities

The process for conducting the assessment an d using the result of the assessment in plant decisionmaking should be proceduralized. The procedures should denote

responsibilities for conduct and use of the assessment, and should specify the plant

functional organizations and personnel involved, including, as appropriate, operations, engineering, and risk assessment (PSA) personnel. The procedures

should denote responsibilities and proce ss for conducting the assessment for cases when the plant configuration is not covered by the normal assessment tool.

11.3.2 General Guidance for the Assessment - Power Operations and

Shutdown

1. Power Operating conditions are defined as plant modes other than hot shutdown, cold shutdown, refueling, or defueled. Section 11.3.3 describes the

scope of SSCs subject to the assessment during power operations. Section 11.3.5

describes the scope of SSCs subject to the assessment during shutdown.

2. The assessment method may use quantitative approaches, qualitative approaches, or blended methods. In ge neral, the assessment should consider:

• Technical specifications requirements

• The degree of redundancy available for performance of the safety function(s) served by the out-of-service SSC

• The duration of the out-of-service or testing condition

• The likelihood of an initiating event or accident that would require the performance of the affected safety function.

• The likelihood that the maintenance activity will significantly increase the frequency of a risk-significant initiating event (e.g., by an order of magnitude or more as determined by each licensee, consistent with its obligation to

manage maintenance-related risk).

• Component and system dependencies that are affected.

• Significant performance issues for the in-service redundant SSCs

3. The assessment may also consider the following factors, if desired:

• the risk impact of performing the main tenance during shutdown with respect to performing the maintenance at power.

• the impact of transition risk if the maintenance activity would require a shutdown that would otherwise not be necessary

4. The assessments may be predetermined or performed on an as-needed basis.

5. The degree of depth and rigor used in assessing and managing risk should be commensurate with the complexity of the planned configuration.

6. Performance of maintenance may involve alterations to the facility or procedures for the duration of the maintenance acti vity. Examples of these alterations include jumpering terminals, lifting leads, placing temporary lead shielding on

pipes and equipment, removal of barriers, and use of temporary blocks, bypasses, scaffolding and supports.

The assessment should include consideration of the impact of these alterations on plant safety functions.

[Note: If, during power operation conditions, the temporary alteration

associated with maintenance is expected to be in effect for greater than 90 days, the temporary alteration should be scr eened, and if necessary, evaluated under 10 CFR 50.59 prior to implementation.]

7. The assessment may take into account wh ether the out-of-service SSCs could be promptly restored to service if the need arose due to emergent conditions. This

would apply to surveillance testing, or to the situation where the maintenance

activity has been planned in such a manne r to allow for prompt restoration. In these cases, the assessment may consider the time necessary for restoration of

the SSC's function, with respect to the time at which performance of the function

would be needed. [Note the definition of "unavailability" in Appendix B applies

to monitoring of SSC unavailability to comply with other paragraphs of the

maintenance rule, and is not intended for direct applicability to the

configuration assessment.]

8. Emergent conditions may result in the need for action prior to conduct of the assessment, or could change the conditions of a previously performed

assessment. Examples include plant configuration or mode changes, additional SSCs out of service due to failures, or si gnificant changes in external conditions (weather, offsite power availability). Th e following guidance applies to this situation:

• The safety assessment should be perfor med (or re-evaluated) to address the changed plant conditions on a reasonable schedule commensurate with the

safety significance of the condition.

Based on the results of the assessment, ongoing or planned maintenance activities may need to be suspended or

rescheduled, and SSCs may need to be returned to service.

• Performance (or re-evaluation) of the assessment should not interfere with, or delay, the operator and/or maintenance crew from taking timely actions to

restore the equipment to service or take compensatory actions.

• If the plant configuration is restored prior to conducting or re-evaluating the assessment, the assessment need not be conducted, or re-evaluated if already

performed.

11.3.3 Scope of Assessment for Power Operating Conditions 10 CFR 50.65(a)(4) states "The scope of the Systems, Structures and Components (SSCs) to be addressed by the assessment may be limited to those SSCs that a risk-informed evaluation process has shown to be significant to public health and safety". Thus, the scope of SSCs subject to the (a)(4) assessment provision may not include all SSCs that meet sections (b

)(1) and (b)(2) maintenance rule scoping criteria.

The probabilistic safety assessment (PSA) provides an appropriate mechanism to define the assessment scope, as the PSA scope is developed with consideration of

dependencies and support systems, and, th rough definition of top events, cutsets, and recovery actions, includes those SSCs that could, in combination with other SSCs, result in significant risk impacts.

Thus, the (a)(4) assessment scope may be limited to the following scope of SSCs:

1. Those SSCs included in the scope of the plant's level one, internal events PSA, and;

2. SSCs in addition to the above that have been determined to be high safety significant (risk significant) through the process described in Section 9.3 of this

document.

The PSA used to define the (a)(4) assessment scope should have the following characteristics:

• The PSA should reasonably 15 reflect the as-built plant, and the plant operating practices.

• The PSA should include both front-line/support system dependencies and support system/support system dependen cies, to the extent that these inter-system dependencies would have a significant effect on the key plant safety

functions. The licensee should evaluate whether these dependencies are

adequately modeled in the PSA. PSA peer review information may be used to

facilitate this evaluation. If the modeling of inter-system dependencies is

determined to be inadequate, the licensee should either revise the PSA to

address the inter-system dependencies, or add the SSCs to the (a)(4) assessment scope.

• A PSA is typically modeled at the component level, whereas the concern of the (a)(4) assessments is the safety functi on of a system that the component supports. Thus the phrase "SSCs modeled in the PSA" should be interpreted as identifying the systems, trains, or portions of systems/trains whose functions are

necessary to mitigate initiating events included in the high level logic structure of the PSA model, rather than the individual components. Appendix E provides

information on PSA attributes, and further detail on methods to evaluate the

PSA with regard to its use in defining the (a)(4) scope.

• SSCs within the plant PSA scope may be evaluated and determined to have low safety significance regardless of plant configuration. These SSCs need not be included in the scope of the (a)(4) assessm ents. The expert panel may be used to facilitate these determinations.

• If the plant PSA includes level two considerations (containment performance, release frequency), the scope of the (a)(4) assessment may optionally include the scope of the level two PSA. Otherwise, inclusion within the assessment scope of

SSCs important to containment performance may be covered by inclusion of high

safety significant SSCs as discussed in item 2 above. Section 9.3.1 of this

document discusses the importance of containment performance as a

consideration in identifying risk signif icant (high safety significant) SSCs.

15 Reasonably means that a difference between the as-built plant and its description in the PSA is such that a difference could realistically result in the incorrect assessment or management of maintenance-related risk.

• The scope of hazard groups to be considered for assessment during power operating conditions includes internal events, internal floods, and internal fires, licensees need not consider other hazard groups, except as noted in Section

11.3.4.2.

11.3.3.1 Scope of Assessment for Fire Risk

In addressing the scoping associated with fire risk for power operating conditions, the following guidance is provided:

Maintenance activities can impact fire risk. In particular, the following activities

could have risk impacts:

1. Performance of maintenance activities with potential to cause a fire (e.g., welding, use of cutting and grinding tools, transient combustibles, etc)

2. Removal of fire detection or suppression equipment from service

3. Removal or impairment of fire barriers (e.g., opening of fire doors to facilitate maintenance, removal of protective barriers on cable trays or

conduit, etc)

4. Removal of equipment important to core damage mitigation from service

Each plant is required to maintain a fire protection program, pursuant to 10 CFR

50.48 or Part 50, Appendix R. The programs, as implemented through NRC

guidance documents, directly address the risk management aspects of items 1

through 3 above, and no additional action is warranted under §50.65(a)(4) for these

items. Concerning item 4, the discussion below concerns the scope of the assessment

for fire risk.

The identification of important equipment for mitigating core damage resulting

from fire initiating events can come from one of two sources:

First, each plant is required by 10 CFR 50.48 or Appendix R to identify one

train of safe shutdown capability free of fire damage, such that the plant can be safely shutdown in the event of a fi re. The magnitude of the fire is based on analysis of combustible loadings in the areas of concern. Some plants

maintain this requirement through adequate separation between redundant

trains of safe shutdown equipment, such that a single fire could not render

both trains incapable of performing their safe shutdown function. Other

plants, lacking adequate train separation, need to protect one train of

equipment through fire barriers. While fire protection regulations require

compensatory measures for the temporary removal of these barriers, they do not address the removal from service of the protected equipment for maintenance activities.

Second, each plant has also performed either a screening analysis (e.g. Fire

Induced Vulnerability Evaluation, or FIVE), or a fire PRA, to examine fire

risks relative to the Individual Plant Examination for External Events (IPEEE). These analyses may identify additional equipment (beyond the safe shutdown path discussed above) that is us eful for mitigating the risk of a fire, or may identify alternative safe shutdo wn pathways. There are some plants that have fire PRAs (or integrated PRAs) such that fire risk can be quantified and addressed in the same manner as inte rnal events risk. In many cases, however, the analyses performed for the IPEEE and fire PRAs may not

provide quantitative fire risk information that can be directly compared to

the internal events PRA model on a quantitative basis. Thus, it is

recommended that those plants use their fire risk analyses qualitatively, rather than quantitatively, in assessing and managing risk for §50.65(a)(4);

further, it is notable that the qualitative approach is fully acceptable

regardless of the state of a plant's fire risk analyses.

Guidance: Each plant should use the above-selected source of information

to identify equipment within the existing (a)(4) scope that is found to have

appreciable impact on core damage mitigation for fire initiators. This

scope of equipment will be a subset of the overall (a)(4) scope, and the fire

risk implications need only be considered for equipment falling in this specific scope.

Since safe shutdown is oriented to assuring adequate core cooling, it is generally likely that equipment important to internal events core damage mitigation may also

be important for fire risk.

Some fire scenarios have no success path s available. Examples may include some main control room (MCR) fires or severe fires in electrical equipment rooms. For

these scenarios, there are essentially no impacts of removing equipment from

service. These fire scenarios are almost always risk significant, but are generally

not impacted by on-line maintenance. It is recommended that these scenarios be

screened from further consideration.

11.3.4 Assessment Methods for Power Operating Conditions

Removal from service of a single structure, system, train or component, is

adequately covered by existing Technical Specifications requirements, including the treatment of dependent components. Thus, the assessment for removal from service of a single SSC for the planned amount of time (e.g., the Technical

Specifications allowed out-of-service time, or a commensurate time considering

unavailability performance criteria for a non-Technical Specification high safety

significant SSC), may be limited to the consideration of unusual external conditions

that are present or imminent (e.g., severe weather, offsite power instability).

Simultaneous removal from service of mult iple SSCs requires that an assessment be performed using quantitative, qualitative, or blended (quantitative and

qualitative) methods. Sections 11.3.4.1 and 11.3.4.2 provide guidance regarding quantitative and qualitative considerations, respectively.

11.3.4.1 Quantitative Considerations

1. The assessment process may be performed by a tool or method that considers quantitative insights from the PSA. This can take the form of using the PSA

model, or using a safety monitor, matrix, or pre-analyzed list derived from the

PSA insights. In order to properly support the conduct of the assessment, the

PSA must have certain attributes, and it must reasonably reflect the plant

configuration. Appendix E provides information on PSA attributes. Section

11.3.7.2 provides guidance on various approaches for using the output of a

quantitative assessment to manage risk.

2. If the PSA is modeled at a level that does not directly reflect the SSC to be removed from service (e.g., the RPS system, diesel generator, etc. have each been modeled as a "single component" in the PSA), the assessment should include

consideration of the impact of the out of service SSC on the safety function of the modeled component. SSCs are considered to support the safety function if the

SSC is significant to the success path for function of the train or system (e.g., primary pump, or valve in primary flowpath). However, if the SSC removed

from service does not contribute significantly to the train or system safety

function (e.g., indicator light, alarm, drain valve), the SSC would not be considered to support the safety function.

11.3.4.2 Qualitative Considerations

1. The assessment may be performed by a qu alitative approach, by addressing the impact of the maintenance activity upon key safety functions, as follows:

• Identify key safety functions affected by the SSC planned for removal from service.

• Consider the degree to which removing the SSC from service will impact the key safety functions.

• Consider degree of redundancy, duration of out-of-service condition, and appropriate compensatory measures, contingencies, or protective actions that

could be taken if appropriate for the activity under consideration.

2. For power operation, key plant safety functions are those that ensure the integrity of the reactor coolant pressure boundary, ensure the capability to shut

down and maintain the reactor in a safe shutdown condition, and ensure the capability to prevent or mitigate the consequences of accidents that could result

in potentially significant offsite exposures.

Examples of these power operation key safety functions are:

• Containment Integrity (Containment Isolation, Containment Pressure and Temperature Control);

• Reactivity Control;

• Reactor Coolant Heat Removal; and

• Reactor Coolant Inventory Control.

3. The key safety functions are achieved by using systems or combinations of systems. The configuration assessment should consider whether the

maintenance activity would:

• Have a significant impact on the performance of a key safety function, considering the remaining degree of redundancy for trains or systems

supporting the key safety function, and considering the likelihood of an

initiating event

• Involve a significant potential to cause a scram or safety system actuation

• Result in significant complications to recovery efforts.

4. The assessment should consider plant systems supporting the affected key safety functions, and trains supporting these plant systems.

5. Qualitative considerations may also be ne cessary to address external events, and SSCs not in the scope of the level one, in ternal events PSA (e.g., included in the assessment scope because of expert panel considerations).

6. The assessment may need to include consideration of actions which could affect the ability of the containment to perform its function as a fission product barrier.

With regard to containment performance, the assessment should consider:

• Whether new containment bypass conditions are created, or the probability of containment bypass conditions is increased;

• Whether new containment penetration failures that can lead to loss of containment isolation are created; and.

• If maintenance is performed on SSCs of the containment heat removal system (or SSCs upon which this function is dependent), whether redundant

containment heat removal trains should be available.

7. External event considerations involve the potential impacts of weather or other external conditions relative to the proposed maintenance evolution. For the

purposes of the assessment, weather, external flooding, and other external impacts need to be considered if such conditions are imminent or have a high

probability of occurring during the planne d out-of-service duration. An example where these considerations are appropriate would be the long-term removal of

exterior doors, hazard barriers, or floor plugs.

8. Internal flooding considerations (from internal or external sources) should be addressed if pertinent. The assessment should consider the potential for

maintenance activities to cause internal flood hazards, and, for maintenance

activities to expose SSCs to flood hazards in a manner that degrades their

capability to perform key safety functions.

11.3.4.3 Fire Risk Assessment Considerations

In addressing the assessment of fire risk for power operating conditions, the

following guidance is provided:

With regard to item 4 from Section 11.3.3.1, removal of mitigation equipment from

service, the §50.65(a)(4) program should in clude consideration of these risks with respect to fire, as they are not covered by existing fire protection regulations and can have a risk impact.

General Guidance: The plant personnel responsible for activities relative to fire protection and §50.65(a)(4) should communicate and maintain

awareness of their respective risk management actions such that an

integrated perspective of these activities is maintained. (See further

discussion on risk management actions below).

Guidance: Include consideration of the implications of fire risks when

removing equipment from service that is known from existing plant

specific evaluations to have appreciable impact on mitigation of core

damage due to fire initiators. This is generally a qualitative evaluation, but quantitative approaches may be optionally used by plants that are

capable of such evaluations (see below for further discussion of limitations

on use of quantitative techniques).

Guidance: For plants that meet §50.48/Appendix R by protecting one train

of safe shutdown equipment through fire barriers, the overall risk

significance (internal events and fire) may be greater for the protected

train than for the redundant, non protected train of the same system, and

the licensee should consider this.

Maintenance activities on the protected train should consider this greater risk, and

appropriate risk assessment and management actions should be taken.

11.3.5 Scope of Assessment for Shutdown Conditions

The scope of the Systems, Structures and Components (SSCs) to be addressed by

the assessment for shutdown conditions are those SSCs necessary to support the following shutdown key safety functions (from Section 4 of NUMARC 91-06):

• Decay heat removal capability

• Inventory Control

• Power Availability

• Reactivity control

• Containment (primary/secondary)

The shutdown key safety functions are achieved by using systems or combinations

of systems. The shutdown assessment need not be performed for SSCs whose functionality is not necessary during shutdown modes, unless these SSCs are considered for establishment of backup success paths or compensatory measures.

11.3.6 Assessment Methods for Shutdown Conditions

NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management, Section 4.0, provides a complete discussion of shutdown safety considerations with

respect to maintaining key shutdown safety functions, and should be considered in developing an assessment process that meets the requirements of 10 CFR

50.65(a)(4).

Performance of the safety assessment for s hutdown conditions generally involves a qualitative assessment with regard to key safety functions, and follows the same general process described in Section 11.3.4.2 above. (Those plants that have

performed shutdown PSAs can use these PSAs as an input to their shutdown

assessment methods.) However, some considerations differ from those associated

with the at-power assessment. These include:

1. The scope of initiators to be considered in the assessment for shutdown conditions is limited to internal events.

2. The shutdown assessment is typically fo cused on SSCs "available to perform a function" versus SSCs "out of service" in the case of power operations. Due to

decreased equipment redundancies during outage conditions, the outage

planning and control process may involve consideration of contingencies and

backup methods to achieve the key safety functions, as well as measures that

can reduce both the likelihood and consequences of adverse events.

3. Assessments for shutdown maintenance ac tivities need to take into account plant conditions and multiple SSCs out-of-service that impact the shutdown key

safety functions. The shutdown asse ssment is a component of an effective outage planning and control process.

4. Maintenance activities that do not necessarily remove the SSC from service may still impact plant configuration and impact key safety functions. Examples

could include:

• A valve manipulation that involves the potential for a single failure to create a draindown path affecting the inventory control key safety

function

• A switchyard circuit breaker operation that involves the potential for a single failure to affect availability of AC power.

Because of the special considerations of shutdown assessments, additional guidance is provided below with respect to each key safety function:

11.3.6.1 Decay Heat Removal Capability

Assessments for maintenance activities affecting the DHR system should consider

that other systems and components can be used to remove decay heat depending on

a variety of factors, including the plant configuration, availability of other key

safety systems and components, and the ability of operators to diagnose and

respond properly to an event. For exa mple, assessment of maintenance activities that impact the decay heat removal key safety function should consider:

• initial magnitude of decay heat

• time to boiling

• time to core uncovery

• time to containment closure (PWR)

• initial RCS water inventory condition (e.g., filled, reduced, mid-loop, refueling canal filled, reactor cavity flooded, etc.)

• RCS configurations (e.g., open/closed, nozzle dams installed or loop isolation valves closed, steam generator manw ays on/off, vent paths available, temporary covers or thimble tube pl ugs installed, main steam line plugs installed, etc.)

• natural circulation capability with heat transfer to steam generator shell side (PWR)

If the fuel is offloaded to the spent fuel pool during the refueling outage, the decay heat removal function is shifted from the RCS to the spent fuel pool. Assessments

for maintenance activities should reflect appropriate planning and contingencies to

address loss of SFP cooling.

11.3.6.2 Inventory Control

Assessments for maintenance activities sh ould address the potential for creating inventory loss flowpaths. For example,

• For BWRs, maintenance activities associ ated with the main steam lines (e.g., safety/relief valve removal, automatic de pressurization system testing, main steam isolation valve maintenance, etc.) can create a drain down path for the

reactor cavity and fuel pool. This potential is significantly mitigated through

the use of main steam plugs.

• For BWRs, there are potential inventory loss paths through the DHR system to the suppression pool when DHR is aligned for shutdown cooling.

• For PWRs, assessments for maintenance activities during reduced inventory operations are especially important. Reduced inventory operation occurs

when the water level in the reactor vessel is lower than 3 feet below the

reactor vessel flange

• A special case of reduced inventory operation for PWRs is mid-loop operation, which occurs when the RCS water level is below the top of the hot legs at

their junction with the reactor vessel. Similar conditions can exist when the

reactor vessel is isolated from steam generators by closed loop isolation

valves or nozzle dams with the reactor vessel head installed or prior to filling

the reactor cavity. Upon loss of DHR under these conditions, coolant boiling

and core uncovery can occur if decay heat removal is not restored or provided

by some alternate means. In addition, during mid-loop operation, DHR can

be lost by poor RCS level control or by an increase in DHR flow (either of

which can ingest air into the DHR pump).

11.3.6.3 Power Availability Assessments should consider the impact of maintenance activities on availability of electrical power. Electrical power is required during shutdown conditions to

maintain cooling to the reactor core and spent fuel pool, to transfer decay heat to

the heat sink, to achieve containment closure when needed, and to support other

important functions.

• Assessments for maintenance activities involving AC power sources and distribution systems should address providing defense in depth that is commensurate with the plant operating mode or configuration.

• Assessments for maintenance activities involving the switchyard and transformer yard should consider the impact on offsite power availability.

• AC and DC instrumentation and control power is required to support systems that provide key safety functions duri ng shutdown. As such, maintenance activities affecting power sources, invert ers, or distribution systems should consider their functionality as an important element in providing appropriate

defense in depth.

11.3.6.4 Reactivity Control The main aspect of this key safety function involves maintaining adequate

shutdown margin in the RCS and the sp ent fuel pool. For PWRs, maintenance activities involving addition of water to the RCS or the refueling water storage tank

have the potential to result in boron dilution. During periods of cold weather, RCS

temperatures can also decrease below the minimum value assumed in the shutdown

margin calculation.

11.3.6.5 Containment - Primary (PWR)/Secondary(BWR)

Maintenance activities involving the need for open containment should include

evaluation of the capability to achieve containment closure in sufficient time to

mitigate potential fission product release. This time is dependent on a number of

factors, including the decay heat level and the amount of RCS inventory available.

For BWRs, technical specifications may require secondary containment to be closed under certain conditions, such as during fuel handling and operations with a potential to drain the vessel.

In addition to the guidance in NUMARC 91-06, for plants which obtain license amendments to utilize shutdown safety administrative controls in lieu of Technical Specification requirements on primary or secondary containment operability and ventilation system operability during fuel ha ndling or core alterations, the following guidelines should be included in the a ssessment of systems removed from service:

• During fuel handling/core alterations, ventilation system and radiation monitor availability (as defined in NUMARC 91-06) should be assessed, with respect to filtration and monitoring of releases from the fuel. Following shutdown, radioactivity in the RCS decays fairly rapidly. The basis of the Technical Specification operability amendment is the reduction in doses due to such decay. The goal of maintaining ventilation system and radiation monitor availability is to reduce doses ev en further below that provided by the natural decay, and to avoid unmonitored releases.

• A single normal or contingency method to promptly close primary or secondary containment penetrations should be developed. Such prompt methods need not completely block the penetration or be capable of resisting pressure. The purpose is to enable ventilation systems to draw the release from a postulated fuel handling accident in the proper direction such that it can be treated and monitored.

11.3.7 Managing Risk

The assessment provides insights regardin g the risk-significance of maintenance activities. The process for managing risk involves using the result of the assessment in plant decisionmaking to control the ov erall risk impact. This is accomplished through careful planning, scheduling, coordinating, monitoring, and adjusting of

maintenance activities.

The objective of risk management is to control the temporary and aggregate risk

increases from maintenance activities such that the plant's average baseline risk is maintained within a minimal range. This is accomplished by using the result of the (a)(4) assessment to plan and schedule main tenance such that the risk increases are limited, and to take additional actions beyond routine work controls to address

situations where the temporary risk increase is above a certain threshold. These

thresholds may be set on the basis of qualitative considerations (example -

remaining mitigation capability), quantitative considerations (example - temporary

increase in core damage frequency), or blended approaches using both qualitative

and quantitative insights

Management of risk involves consideration of temporary risk increases, as well as

aggregate risk impacts. (Aggregate risk is the collected risk impact. Cumulative risk is successive addition of accumulated risk impacts.) Aggregate risk impacts are controlled to a degree through maintenance rule requirements to establish and meet

SSC performance criteria. These requirements include consideration of the risk

significance of SSCs in establishing performance goals. Plants that routinely enter

the risk management action thresholds should consider measures to assess the aggregate risk with respect to its estima ted impact on the average baseline risk.

This could be accomplished through a periodic assessment of previous out-of-service

conditions. Such an assessment may involve a quantitative computation of

cumulative risks or may involve a qualit ative assessment of the risk management approach employed and the actual tempo rary risk impacts observed. When permanent changes are made to the maintenance planning and control process that

would result in increased component unavailability, the impact of these changes on

the average baseline risk should be evaluated with respect to the permanent change

guidelines discussed in NRC Regulatory Guide 1.174.

The PSA provides valuable insights for risk management, because it realistically

assesses the relationship of events an d systems. Risk management can be effectively accomplished by making use of qu alitative insights from the PSA, rather than sole reliance on quantitative information. Removing equipment from service

may alter the significance of various risk contributors from those of the baseline

PSA. Specific configurations can result in increased importance of certain initiating

events, or of systems or equipment used for mitigation of accidents. Evaluation of a specific configuration can identify "low order" cutsets or sequences, which are

accident sequences that may not be important in the baseline analysis but become

important for a specific configuration. These considerations are important to risk

management.

The most fundamental risk management action is planning and sequencing of the

maintenance activities taking into account the insights provided by the assessment.

In conjunction with scheduling the sequence of activities, additional risk

management actions may be undertaken that have the effect of reducing the

temporary risk increase as determined by the assessment. Since many of the risk management actions address non-quantifiable factors, it is not expected that the

risk reduction achieved by their use would necessarily be quantified. The

assessment provides the basis for consideration of their use. The following sections

discuss the establishment of thresholds for the use of risk management actions.

11.3.7.1 Establishing action thresholds based on qualitative considerations

The risk management action thresholds may be established qualitatively by

considering the performance of key safety functions, or the remaining mitigation

capability, given the out-of-service SSCs. Qualitative methods to establish risk

management actions would generally be ne cessary to address SSCs not modeled in the PSA, and assessments for shutdown conditions. However, the use of qualitative

methods is not limited to these applications, and is an acceptable approach for

establishing risk management actions fo r (a)(4) assessments in general. This approach typically involves considerat ion of the following factors from the assessment:

• Duration of out-of-service condition, with longer duration resulting in increased exposure time to initiating events

• The type and frequency of initiating events that are mitigated by the out-of-service SSC, considering the sequences for which the SSC would normally

serve a safety function

• The impact, if significant, of the mainte nance activity on the initiating event frequencies

• The number of remaining success paths (redundant systems, trains, operator actions, recovery actions) available to mitigate the initiating events

• The likelihood of proper function of the remaining success paths

The above factors can be used as the basis for establishment of a matrix or list of

configurations and attendant risk management actions.

11.3.7.2 Establishing action thresholds based on quantitative

considerations

The thresholds for risk management actions may be established quantitatively by

considering the magnitude of increase of the core damage frequency (and/or large

early release frequency) for the maintenance configuration. This is defined as the

incremental CDF, or incremental LERF.

The incremental CDF is the difference in the "configuration-specific" CDF and the

baseline (or the zero maintenance) CDF.

The configuration-specific CDF is the annualized risk rate with the unavailabilitie s of the out-of-service SSCs set to one.

The configuration-specific CDF may also consider the zero maintenance model (i.e.,

the unavailability of the out-of-service SSC(s) is set to one, and the maintenance

unavailability of the remaining SSCs is set to zero). This more closely reflects the

actual configuration of the plant during the maintenance activity.

Plants should consider factors of dura tion in setting the risk management thresholds. This may be either the duration of a particular out-of-service condition, or a specific defined work interval (e.g. shift, week, etc). The product of the

incremental CDF (or LERF) and duration is expressed as a probability (e.g.,

incremental core damage probability - ICDP, incremental large early release

probability - ILERP).

The EPRI PSA Applications Guide (EP RI TR-105396), section 4.2.3, includes guidance for evaluation of temporary risk increases through consideration of the

configuration-specific CDF, as well as the ICDP and ILERP. When combined with

the other elements of the maintenance rule, and other quantitative or qualitative

measures as necessary to control cumulative risk increases, this guidance provides one acceptable alternative for (a)(4) implem entation. The guidance is as follows:

1. The configuration-specific CDF should be considered in evaluating the risk impact of the planned maintenance configuration. Maintenance configurations

with a configuration-specific CDF in excess of 10

-3/year should be carefully considered before voluntarily entering such conditions. If such conditions are

entered, it should be for very short peri ods of time and only with a clear detailed understanding of which events cause the risk level.

2. ICDP and ILERP, for a specific planned configuration, may be considered as follows with respect to establishing risk management actions:

ICDP ILERP

> 10-5 - configuration should not normally be entered

voluntarily

> 10-6 10-6 5 - assess non quantifiable factors - establish risk management

actions 10-7 6 < 10 normal work controls < 10

-7 Another acceptable approach would be to construct a similar table using ICDF and

ILERF, expressed as either an absolute quantity or as a relative increase from the

plant's baseline CDF and LERF.

Due to differences in plant type and design, there is acknowledged variability in

baseline core damage frequency and large early release frequency. Further, there is

variability in containment performance that may impact the relationship between

baseline core damage frequency and baseline large early release frequency for a

given plant or class of plants. Therefore, determination of the appropriate method

or combination of methods as discussed above, and the corresponding quantitative

risk management action thresholds, are plant-unique activities.

11.3.7.3 Establishing Fire Risk Management Action Thresholds Guidance: Each plant should develop a process for implementing risk

management actions related to fire risk impacts of equipment identified

above.

For determination of the threshold for risk management actions, any of the

following approaches, or a comparable approach, may be considered:

1. Establish an adjustment factor to th e internal events ICDP (Section 11.3.7.2),

or Raise the risk management action threshold by one level.

The appropriate adjustment factor can be determined by risk personnel using

insights from screening evaluations or fire PRAs performed for the IPEEE, or

fire PRAs that contain conservative modeling assumptions. This adjustment

factor should take into account the num ber of safe shutdown paths available.

2. Use the following table to determine the need for risk management actions specific to fire risk when fire risk mitigation equipment is taken out of

service. As the risk from internal events is evaluated under current (a)(4) programs, this table only addresses incre mental risk from fire events and it is not appropriate to utilize the information below to aggregate risk from fire

and internal events. This table may be used in addition to the existing

guidance in NUMARC 93-01 (i.e., this table is specific to fire risk and does

not address other contributors). Background information on the development

of this table may be found in EPRI Report 1012948, Methodology for Fire

Configuration Risk Management Final Report, December 2005 Number of Core Damage Avoidance Success Paths Available 1 or More Success Paths Available No Success Paths Available Duration of Unavailability Duration of Unavailability <3d 3-30d >30d <3d 3-30d >30d Normal Controls Risk Mgmt. Normal Control Risk Mgmt. Avoid Config.

3. Quantifying the fire risk and internal events risk for the purpose of calculating the ICDP (limited applic ability - see Sections 11.3.3.1 and 11.3.4.3 above).

11.3.7.4 Risk Management Actions

Determination of the appropriate actions to control risk for a maintenance activity

is specific to the particular activity, its impact on risk, and the practical means

available to control the risk. Actions, similar to the examples shown below, may be

used singularly or in combinations. Other actions may be taken that are not listed

in the examples.

Normal work controls would be employed for configurations having nominal risk significance. This means that the normal plant work control processes are followed

for the maintenance activity, and that no additional actions to address risk management actions are necessary.

Risk management actions should be considered for configurations that result in a minimal increase from the plant's baseline risk. As discussed previously, the

benefits of these actions are generally not quantifiable. These actions are aimed at

providing increased risk awareness of appropriate plant personnel, providing more

rigorous planning and control of the activity, and taking measures to control the

duration of the increased risk, and the ma gnitude of the increased risk. Examples of risk management actions are as follows:

1. Actions to provide increased risk awareness and control:

• Discuss planned maintenance activity with operating shift and obtain operator awareness and approval of planned evolution.

• Conduct pre-job briefing of maintenance personnel, emphasizing risk aspects of planned maintenance evolution.

• Request the system engineer to be present for the maintenance activity, or for applicable portions of the activity.

• Obtain plant management approval of the proposed activity.

2. Actions to reduce duration of maintenance activity:

• Pre-stage parts and materials.

• Walk-down tagout and maintenance activity prior to conducting maintenance.

• Conduct training on mockups to familiarize maintenance personnel with the activity.

• Perform maintenance around the clock.

• Establish contingency plan to restore out-of-service equipment rapidly if needed.

3. Actions to minimize magnitude of risk increase:

• Minimize other work in areas that could affect initiators [e.g., RPS equipment areas, switchyard, D/G rooms, switchgear rooms] to decrease the

frequency of initiating events that are mitigated by the safety function served by the out-of-service SSC

• Minimize other work in areas that could affect other redundant systems

[e.g., HPCI/RCIC rooms, auxiliary feedwate r pump rooms], such that there is enhanced likelihood of the availability of the safety functions at issue served by the SSCs in those areas.

• Establish alternate success paths for performance of the safety function of the out-of-service SSC (note: equipment used to establish these alternate

success paths need not necessarily be within the overall scope of the maintenance rule).

• Establish other compensatory measures.

4. A final action threshold should be established such that risk significant configurations are not normally entered voluntarily.

11.3.7.5 Fire Risk Management Actions If the above evaluation indicates risk management actions are appropriate, the

following actions should be considered:

1. Primary action: Coordinate activities within the plant that could involve increased fire risk with those maintenance activities involving removal

from service of mitigation equipment important for fire risk. This

involves coordination of fire protection personnel with maintenance rule (a)(4) personnel. Based on this coor dination, evaluate appropriate risk management actions as discussed in Section 11.3.7.3.

2. Additional risk management actions specific to fire could include:

• Re-scheduling activities that involve increased fire likelihood in fire areas where the out of service core damage mitigation equipment

would be relied upon in the event of a fire

• Increased fire watches in fire areas where the out of service core damage mitigation equipment would be relied upon in the event of a

fire

• Confirm the availability of an alternate success path for safe shutdown should it be needed. These could include alternative success paths

excluded from design basis evaluations (e.g., Bleed & Feed Cooling (PWRs), Containment Venting (BWRs))

11.3.8 Regulatory Treatment of Compensatory Measures

Use of compensatory measures is discussed in several sections of this guideline.

These measures may be employed, either prior to or during maintenance activities, to mitigate risk impacts. The following guidance discusses the applicability of 10

CFR 50.65 (a)(4) and 10 CFR 50.59 to the est ablishment of compensatory measures.

There are two circumstances of interest:

1. The compensatory measure is established to address a degraded or nonconforming condition, and will be in effect for a time period prior to conduct

of maintenance to restore the SSC's condition. Per NRC Generic Letter 91-18, Revision 1 (and NEI 96-07, Revision 1), the compensatory measure should be

reviewed under 10 CFR 50.59. Since the compensatory measure is in effect prior to performance of the maintenance activity, no assessment is required under 10

CFR 50.65 (a)(4).

2. The compensatory measure is established as a risk management action to reduce the risk impact during a planned maintenance activity. The 50.65 (a)(4) assessment should be performed to support the conduct of the corrective

maintenance, and those compensatory measures that will be in effect during

performance of the maintenance activity. The compensatory measures would be

expected to reduce the overall risk of the maintenance activity; however, the impact of the measures on plant safety f unctions should be considered as part of the (a)(4) evaluation. Since the compensatory measures are associated with

maintenance activities, no review is required under 10 CFR 50.59, unless the

measures are expected to be in effect during power operation for greater than 90

days.

11.3.9 Documentation

The following are guidelines for documentation of the safety assessment:

1. The purpose of this paragraph of the maintenance rule is to assess impacts on plant risk or key safety functions due to maintenance activities. This

purpose should be effected through establishment of plant procedures that

address process, responsibilities, and decision approach. It may also be appropriate to include a reference to the appropriate procedures that govern

planning and scheduling of maintenance or outage activities. The process

itself should be documented.

2. The normal work control process suffices as a record that the assessment was performed. It is not necessary to do cument the basis of each assessment for removal of equipment from service as long as the process is followed.

12.0 PERIODIC MAINTENANCE EFFECTIVENESS ASSESSMENTS

12.1 Reference

10 CFR 50.65 (a)(3)

Performance and condition monitoring activities and associated goals and

preventive maintenance activities shall be evaluated at least every refueling cycle

provided that the interval between evaluations does not exceed 24 months. The evaluation shall take into account, where practical, industry-wide operating experience. Adjustment shall be made wher e necessary to ensure that the objective of preventing failures of structures, sy stems, and components through maintenance is appropriately balanced against the objective of minimizing unavailability of

structures, systems, and components due to monitoring or preventive maintenance.

12.2 Guidance

Periodic assessments shall be performed to establish the effectiveness of

maintenance actions. These assessments sh all take into account, where practical, industrywide operating experience. The asse ssment consists of several activities to assure an effective maintenance program and to identify necessary adjustments that should be made to the progra

m. The periodic assessments, cause determination, monitoring, and other activities associated with the Maintenance

Rule provide an opportunity to feedback lessons learned into the process. The

following describes some of the activities that should be performed.

12.2.1 Review of Goals (a)(1)

On a periodic basis goals established under (a)(1) of the Maintenance Rule shall be

reviewed. The review should include an evaluation of the performance of the

applicable SSCs against their respective goals and should also evaluate each goal

for its continued applicability. To redisposition SSCs from (a)(1) to (a)(2), see

Section 9.4.3.

12.2.2 Review of SSC Performance (a)(2)

On a periodic basis, SSC performance related to plant level criteria should be

assessed to determine maintenance effe ctiveness. The assessment should determine if performance is acceptable. If performance is not acceptable, the cause

should be determined and corrective action implemented.

For SSCs that are being monitored under (a)(2), the periodic assessment should include a review of the performance against the established criteria. To

redisposition SSCs from (a)(2) to (a)(1), see Section 9.4.4.

Where appropriate, industrywide operating experience should be reviewed to

identify potential problems that are applic able to the plant. Applicable industry problems should be evaluated and compa red with the existing maintenance and monitoring activities. Where appropriate, adjustments should be made to the

existing programs.

12.2.3 Review of Effectiveness of Corrective Actions

As part of the periodic review, corrective actions taken as a result of ongoing

maintenance activities or goal setting sh ould be evaluated to ensure action was initiated when appropriate and the action(s) taken resulted in improved

performance of the SSC. Corrective actions that should be reviewed include the

following:

Actions to ensure that SSC performance meets goals established by requirements of (a)(1);

Actions taken as a result of cause determination as required in Section 9.3.3 or 10.2.2; and

Status of problem resolution, if any, identified during the previous periodic assessment.

12.2.4 Optimizing Availability and Reliability for SSCs

For risk significant SSCs adjustments shall be made, where necessary, to maintenance activities to ensure that the objective of preventing failures is appropriately balanced against the objective of assuring acceptable SSC

availability. For operating non-risk significant SSCs, it is acceptable to measure

SSC performance against overall plant performance criteria and for standby

systems to measure performance against specific criteria.

The intent is to optimize availability and reliability of the safety functions by

properly managing the occurrence of SSC s being out of service for preventive maintenance activities. This optimization could be achieved by any of the following:

Ensuring that appropriate preventive maintenance is performed to meet availability objectives as stated in plant risk analysis, FSAR, or other reliability

approaches to maintenance;

Allocating preventive maintenance to applicable tasks commensurate with anticipated performance improvement (e.g., pump vibration analysis instead of

teardown);

Reviewing to determine that availability of SSCs has been acceptable;

Focusing maintenance resources on preventi ng those failure modes that affect a safety function ; or

Scheduling, as necessary, the amount, type, or frequency of preventive maintenance to appropriately limit the time out of service.

The emergency diesel generator can be used as an example of optimizing reliability

and availability, (a)(3) and as an example of transitioning between the rule

requirements specified in (a)(1) and (a)(2) as follows:

If the Emergency Diesel Generator failed to meet its established performance

criteria (Section 9.3.3), a cause determination would be made as described in

Section 9.4.4 of this guideline. Examples of performance criteria may include the

target reliability value (i.e., 0.95 or 0.975) at a level established in a utility's

documented commitment from the Station Blackout Rule (SBO) and unavailability

that, if adopted as a performance criteria, would not alter the conclusions reached

in the utility IPE/PRA.

If a need for goal setting as described in Section 9.4 is indicated, an appropriate

goal should be established and monitored as indicated in (a)(1) until such time as

the goal(s) are achieved and monitoring can be resumed under (a)(2) as described in

Section 9.4.3. Monitoring under (a)(1) could be achieved by use of exceedance

trigger values as described in Appendix D of NUMARC 87-00, Revision 1, dated

August 1991, Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors , excluding those values indicated under paragraph D.2.4.4 (Problem EDG).

The periodic assessment can be performed mo re frequently than the refueling cycle (e.g., on an annual basis).

The periodic assessment does not have to be performed at any specific time during

the refueling cycle as long as it is performed at least one time during the refueling cycle, and the interval between assessments does not exceed 24 months. This would allow utility's at multiple unit sites to perform the assessment at the same time

even though the refueling cycles for the units are staggered.

The requirements for performing the peri odic assessment can be satisfied through the use of ongoing assessments combined with a higher level summary assessment performed at least once per refueling cycle not to exceed 24 months between

evaluations.

The periodic assessment is intended to eval uate the effectiveness of (a)(1) and (a)(2) activities including goals that have been established, monitoring of those

established goals, cause determinations and corrective actions, and the

effectiveness of preventive maintenance (including performance criteria). The periodic assessment may at the utilities option include the balancing of availability

and reliability, effectiveness of the process for removal of equipment from service, and any other maintenance rule elements that would demonstrate the effectiveness

of maintenance.

13.0 DOCUMENTATION

13.1 General

Documentation developed for implementation of this guideline is not subject to the

utility quality assurance program unless the documentation used has been

previously defined as within the scope of the quality assurance program. This documentation should be available for internal and external review but is not

required to be submitted to the NRC.

13.2 Documentation of SSC Selection Process

The SSCs that are identified for consideration under the provisions of the

Maintenance Rule and the criteria for inclusion shall be documented. SSC listings, functional descriptions, Piping and Instru ment Diagrams (P&IDs), flow diagrams, or other appropriate documents should be used for this purpose.

13.2.1 Maintenance Rule Scoping

The following items from the initial scoping effort should be documented:

SSCs in scope and their function;

Performance criteria;

The SSCs placed in (a)(1) and the basis for placement, the goals established, and the basis for the goals; and

The SSCs placed in (a)(2) and the basis for (a)(2) placement.

Periodically, as a result of design changes, modifications to the plant occur that may affect the maintenance program. These ch anges should be reviewed to assure the maintenance program is appropriately adjust ed in areas such as risk significance, goal setting, and performance monitoring.

13.3 Documentation of (a)(1) Activities

Performance against established goals and cause determination results should be

documented. Changes to goals including those instances when goals have been

effective and the performance of the SSC ha s been improved to the point where the SSC can be moved to (a)(2) should be documented. Monitoring and trending activities and actions taken as a result of these activities should also be documented.

13.4 Documentation of (a)(2) Activities

Activities associated with the preventive maintenance program should be

documented consistent with appropriate utility administrative procedures. For

example, results of repairs, tests, insp ections, or other maintenance activities should be documented in accordance with plant specific procedures. The results of

cause determination for repetitive or other SSC failures that are the result of

MPFFs should be documented. Documentation of SSCs subject to ASME O&M

Code testing should be maintained. Evaluation of performance against plant level

performance criteria (Section 12.2.2) shall be documented. Adverse trends will be

identified and those SSCs affecting the trend will be investigated and, where

appropriate, corrective action taken.

13.5 Documentation of Periodic Assessment

The periodic assessment described above should be documented. Appropriate

details or summaries of results should be available on the following topics.

The results of monitoring activities for SSCs considered under (a)(1). The documentation should include the results of goals that were met;

Evaluation of performance criteria or goals that were not met, along with the cause determinations and associated corrective actions taken;

Corrective actions for (a)(1) and (a

)(2) that were not effective;

A summary of SSCs redispositioned fr om (a)(2) to (a)(1), and the basis;

A summary of SSCs redispositioned fr om (a)(1) to (a)(2), and the basis;

Identify changes to maintenance activities that result in improving the relationship of availability and preventive maintenance.

APPENDIX A THE NRC MAINTENANCE RULE

A-1 APPENDIX A THE MAINTENANCE RULE 2.A new § 50.65 is added to read as follows: (Modified July 19, 1999)

§ 50.65 Requirements for monitoring the effectiveness of maintenance at nuclear

power plants.

The requirements of this section are applicable during all conditions of plant

operation, including normal shutdown conditions.

(a)(1) Each holder of an operating license under §§ 50.21(b) or 50.22 shall monitor

the performance or condition of structures, systems, or components, against

licensee-established goals, in a manner sufficient to provide reasonable assurance

that such structures, systems, and components, as defined in paragraph (b), are

capable of fulfilling their intended functions. Such goals shall be established

commensurate with safety and, where prac tical, take into account industrywide operating experience. When the performance or condition of a structure, system or

component does not meet established goals, appropriate corrective action shall be

taken.

(2) Monitoring as specified in paragraph (a

)(1) of this section is not required where it has been demonstrated that the performance or condition of a structure, system, or component is being effectively controlled through the performance of appropriate

preventive maintenance, such that the structure, system, or component remains capable of performing its intended function.

(3) Performance and condition monitoring activities and associated goals and

preventive maintenance activities shall be evaluated at least every refueling cycle

provided the interval between evaluations does not exceed 24 months. The evaluation shall take into account, where practical, industrywide operating experience. Adjustments shall be made where necessary to ensure that the objective of preventing failures of stru ctures, systems, and components through maintenance is appropriately balanced against the objective of minimizing

unavailability of structures, systems, and components due to monitoring or

preventive maintenance

A-2 (4) Before performing maintenance activities (including but not limited to surveillance, post-maintenance testing, and corrective and preventive maintenance), the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities. The scope of the assessment may be limited to those

structures, systems, and components that a risk-informed evaluation process has shown to be significant to public health and safety.

(b) The scope of the monitoring program sp ecified in paragraph (a)(1) of this section shall include safety-related and nonsafety related structures, systems, and

components, as follows:

(1)Safety-related structures, systems, or components that are relied upon to remain

functional during and following design basis events to ensure the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and

maintain it in a safe shutdown condition, and the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposure

comparable to the 10 CFR part 100 guidelines.

(2)Nonsafety related structures, systems, or components:

(i)That are relied upon to mitigate accidents or transients or are used in plant

emergency operating procedures (EOPs); or

(ii)Whose failure could prevent safety-rel ated structures, systems, and components from fulfilling their safety-related function; or

(iii)Whose failure could cause a reactor scram or actuation of a safety-related

system.

APPENDIX B MAINTENANCE GUIDELINE DEFINITIONS

B-1 APPENDIX B MAINTENANCE GUIDELINE DEFINITIONS Availability:

The time that a SSC is capable of performing its intended function as a fraction of

the total time that the intended function may be demanded. The numerical

complement of unavailability.

Cut Sets:

Accident sequence failure combinations.

Function:

As used in this guideline the scoped functi on is that attribute (e.g., safety related, mitigates accidents, causes a scram, etc.)

that included the SSC within the scope of the maintenance rule. For example, some units scope the condenser vacuum

system under the maintenance rule because its total failure caused a scram and not the design function of pulling a vacuum on the condenser.

Industrywide Operating Experience (including NRC and vendor):

Information included in NRC, industry, and vendor equipment information that are

applicable and available to the nuclear industry with the intent of minimizing

adverse plant conditions or situations through shared experiences.

Maintenance:

The aggregate of those functions required to preserve or restore safety, reliability, and availability of plant structures, systems, and components. Maintenance

includes not only activities traditionally associated with identifying and correcting

actual or potential degraded conditions, i.e., repair, surveillance, diagnostic

examinations, and preventive measures; but extends to all supporting functions for the conduct of these activities. (Source:

Federal Register Vol. 53, No. 56, Wednesday, March 23, 1988, Rules and Regulations/ Page 9340).

B-2 Maintenance, Preventive:

Predictive, periodic, and planned maintenance actions taken prior to SSC failure to

maintain the SSC within design operating conditions by controlling degradation or

failure.

Maintenance Preventable Functional Failure (MPFF)- Initial and

Repetitive

An MPFF is the failure of an SSC (structure, system, train, or component) within

the scope of the Maintenance Rule to perform its intended function (i.e., the

function performed by the SSC that required its inclusion within the scope of the

rule), where the cause of the failure of the SSC is attributable to a maintenance-related activity. The maintenance-related activity is intended in the broad sense of

maintenance as defined above.

The loss of function can be either direct, i.e., the SSC that performs the function

fails to perform its intended function or indirect, i.e., the SSC fails to perform its intended function as a result of the failure of another SSC (either safety related or nonsafety related).

An initial MPFF is the first occurrence for a particular SSC for which the failure

results in a loss of function that is attributable to a maintenance related cause. An

initial MPFF is a failure that would have been avoided by a maintenance activity

that has not been otherwise evaluated as an acceptable result (i.e., allowed to run to failure due to an acceptable risk).

A "repetitive" MPFF is the subsequent loss of function (as defined above) that is

attributable to the same maintenance rela ted cause that has previously occurred (e.g., an MOV fails to close because a spri ng pack was installed improperly -- the next time this MOV fails to close because the spring pack is installed improperly:

the MPFF is repetitive and the previous corrective action did not preclude

recurrence). A second or subsequent loss of function that results from a different

maintenance related cause is not considered a repetitive MPFF (e.g., an MOV

initially fails to close because a spring pack was installed improperly -- the next time it fails to close, its failure to close is because a set screw was improperly

installed: the MPFF is not repetitive).

B-3 During initial implementation of the Ma intenance Rule, repetitive failures that have occurred in the previous two operating and refueling cycles should be

considered. After the initial rule implementation, utilities should establish an

appropriate review cycle for repetitive MPFFs (i.e., during the periodic review, during the next maintenance or test of th e same function, or in accordance with Section 9.4.3).

Monitoring Performance:

Continuous or periodic tests, inspections, measurement or trending of the

performance or physical characteristics of an SSC to indicate current or future

performance and the potential for failure. Monitoring is frequently conducted on a

non-intrusive basis. Examples of preventive maintenance actions may include

operator rounds, engineering walkdowns, and management inspections.

Operating System:

An operating system is one that is required to perform its intended function

continuously to sustain power operation or shutdown conditions.

The system function may be achieved through the use of redundant trains (i.e. two

redundant independent trains each with a motor driven pump capable of delivering

100% capacity to each train). In this case, either train using either pump will be

capable of performing the system function.

Normal operation would be with one train operating and one train in standby (not

operating). The train in standby (not operating) would normally be capable of

starting and providing the system function if the train that was in operation failed.

In this case, if the function of the operating train is lost, and the standby (non-

operating) train starts and maintains the system function with no perturbation of

plant operation, then there is no loss of system function. The performance criteria

for this type of system should include both the operational and standby (not

operating) performance characteristics as applicable.

In the case where a system with redundant trains has a diverse system (i.e. a steam

driven pump and piping, valves, etc.) that will perform the same function, it is possible to lose both trains of the redundant system and still maintain system B-4 function with the diverse system. Performance criteria should be established for the diverse system based on its individual performance taking into account its

diverse method of performing the required function, its unique configuration and

any other functions related that it performs as related to the Maintenance Rule.

Performance:

Performance when used in the context for criteria and monitoring would include

availability and reliability and/or condition as appropriate. To the maximum extent

possible both availability and reliability should be used since that provides the

maximum assurance that performance is being monitored. There are instances (i.e., reactor coolant system, electrical load centers, certain standby equipment, etc.)

where availability does not provide a meaningful measure of performance and

should not be captured. The condition of structures is more appropriate to monitor

than the reliability or availability. The monitoring of individual components (e.g.,

unacceptable performance) when setting goals may include the monitoring of

condition. Condition typically includes vibration, flow, temperature and other

similar parameters.

Reliability:

A measure of the expectation (assuming that the SSC is available) that the SSC will perform its function upon demand at any future instant in time. The monitoring of

performance and any resulting MPFFs is an indicator of reliability.

Risk:

Risk encompasses what can happen (scenario), its likelihood (probability), and its

level of damage (consequences).

Risk Significant SSCs:

Those SSCs that are significant contributors to risk as determined by PRA/IPE or

other methods.

B-5 Standby System or Train

A standby system or train is one that is not operating and only performs its

intended function when initiated by either an automatic or manual demand signal.

Some of these systems perform a function that may be required intermittently

during power operations (e.g., a process sy stem used to adjust or correct water chemistry). Although not continuously operating the system or one of its trains

must be able to actuate on a manual or automatic signal and be able to perform its

intended function as required. Since the system or train is in the standby mode, it

will most frequently be determined as operable/inoperable during operability (surveillance) testing, although if designed to actuate automatically, it could fail on

demand. Based on experience and the re ason for performing surveillance testing the best way to measure the performance of the standby system is based on the

results of performance on demand (both an automatic response to a valid signal and as a result of surveillance testing). Exampl es of standby systems of this type would be the hydrogen recombiner system and the containment spray system.

Other systems and their associated trains may be configured in a standby mode

during power operation but during an outage are normally operating (e.g., RHR).

Performance monitoring should consider the system function during all plant

modes.

System A collection of equipment that is configured and operated to serve some specific

plant function(s) (e.g., provides water to th e steam generators, sprays water into the containment, injects water into the primary system), as defined by the terminology

of each utility (e.g., auxiliary feedwater system, containment spray system, high pressure coolant injection system). The system definition should generally be consistent with the system definition in the FSAR or PRA analysis.

Train A collection of equipment that is configured and operated to serve some specific

plant safety function and may be a sub-set of a system. The utility can utilize the

FSAR or PRA analysis to better define the intended configuration and function(s).

B-6 Unavailability, SSC (for purposes of availability or reliability calculation):

Note: This definition of unavailability is not intended for direct applicability to the

configuration assessment required by 10 CFR 50.65(a)(4).

Unavailability is defined as follows:

planned unavailable hours + unplanned unavailable hours required operational hours*

Unavailability is considered in two cases:

1) Maintenance activities

Equipment out of service (e.g. tagged out) for corrective or preventive

maintenance is considered unavailable. Support system unavailability may

be counted against either the support system, or the front line systems

served by the support system.

The treatment of support system unavailability for the maintenance rule should be consistent with its

treatment in the plant PSA. Performance criteria should be established

consistent with whichever treatment is chosen.

2) Testing SSCs out of service for testing are considered unavailable, unless the test

configuration is automatically overridden by a valid starting signal, or the

function can be promptly restored either by an operator in the control room or

by a dedicated operator stationed locally for that purpose. Restoration

actions must be contained in a written procedure, must be uncomplicated (a

single action or a few simple actions), and must not require diagnosis or

repair. Credit for a dedicated local operator can be taken only if (s)he is

positioned at the proper location throug hout the duration of the test for the purpose of restoration of the train should a valid demand occur. The intent of

this paragraph is to allow licensees to take credit for restoration actions that

are virtually certain to be successful (i.e., probability nearly equal to 1)

during accident conditions.

B-7

• Required operational hours are the number of hours that the SSC serves a safety function. The safety function (and the need to count required hours), may be

necessary at all times, or may be dependen t on reactor mode, criticality, fuel in the reactor vessel, or other factors. The degree of redundancy for SSCs

performing a safety function may vary based on factors as described above, and

the determination of required operational hours may take this into account.

However, determination of required operational hours should include

consideration that an SSC may be used for establishment of backup success paths

or compensatory measures. Required operational hours may include times

beyond those for which SSC operability is required by Technical Specifications.

Unavailability, Short Duration

Trains are considered to be available during periodic system or equipment realignments to swap components or flow paths as part of normal operations.

Evolutions or surveillance tests that result in less than 15 minutes of unavailable

hours per train at a time need not be counted as unavailable hours. Licensees

should compile a list of surveillances or evolutions that meet this criterion and

have it available for inspector review. The intent is to minimize unnecessary

burden of data collection, documentation and verification because these short

durations have insignificant risk impact.

Unplanned Scrams per 7,000 Hours Critical

This indicator measures the rate of scrams per year of operation at power and

provides an indication of initiating event frequency; it is defined as the number of unplanned scrams during the previous four quarters, both manual and automatic, while critical per 7,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br />. Unplanned scrams result in thermal/hydraulic

transients in plant systems.

Unplanned Capability Loss Factor:

Unplanned capability loss factor is the percentage of maximum energy generation

that a plant is not capable of supplying to the electrical grid because of unplanned

energy losses (such as unplanned shutdowns, forced outages, outage extensions or

load reductions). Energy losses are considered unplanned if they are not scheduled

at least four weeks in advance.

B-8 Unplanned Safety System Actuations

Unplanned safety system actuations include unplanned emergency core cooling

system actuations or emergency AC power system actuations due to loss of power to

a safeguards bus.

APPENDIX C MAINTENANCE GUIDELINE ACRONYMS

C-1 CFR Code of Federal Regulation

EOP Emergency Operating Procedures

FSAR Final Safety Analysis Report

IPE Individual Plant Evaluations

ISI Inservice Inspection

IST Inservice Testing

MPFF Maintenance Preventable Functional Failures

NRC Nuclear Regulatory Commission

NUMARC Nuclear Management and Resources Council

P&ID Piping and Instrument Diagrams

PRA Probabilistic Risk Assessment

PSA Probabilistic Safety Assessment (term used interchangeably with

above)

APPENDIX D EXAMPLE OF A SYSTEM WITH BOTH SAFETY AND NONSAFETY FUNCTIONS - CVCS E-1 APPENDIX D EXAMPLE OF A SYSTEM WITH BOTH SAFETY AND NONSAFETY

FUNCTIONS - CVCS

Note: This example is for illustration purp oses only and is not intended to be definitive for any given plant. Each utility should examine its own design and

operation for applicability.

The typical Chemical and Volume Control System (CVCS), shown in the attached

figure, has many functions such as: adjust the concentration of boric acid, maintain water inventory, provide seal water to the reactor coolant pump seals, process

reactor coolant effluent for reuse, maintain proper chemistry concentration, and

provide water for high pressure safety inject ion. Clearly, the high pressure safety injection function of the CVCS is encompassed by the description in (b)(1) of 10 CFR

50.65 and therefore, within the scope of the rule. Other components and functions

of the CVCS such as the regenerative heat exchanger, the letdown heat exchanger, the mixed bed demineralizers, the volume control tank and their associated valves

and control systems which function to maintain inventory, process coolant and

maintain chemistry, do not generally have safety functions. These portions of the CVCS do not typically meet the descriptions in (b)(1) or (2) of 10 CFR 50.65 and

would not be considered within the scope of the rule. Components within these

portions of the CVCS, however, may fit the de scriptions in (b)(1) or (b)(2). Examples of this would be the volume control tank isolation valves which close to align the

system for high pressure injection and the various valves which also serve as containment isolation valves. Other portions of the CVCS would need to be

examined closely to determine whether they meet the descriptions in (b)(1) or (b)(2).

For example, the seal injection portion of CVCS may be within the scope if the

reactor coolant pumps are relied upon in transients or EOPs, or if the failure of seal

injection could cause a scram or actuation of a safety-related system.

E-1

APPENDIX E PSA attributes:

E-1 APPENDIX E PSA attributes:

The PSA used for the (a)(4) assessment is important for two aspects:

1. Determination of scope of SSCs to which the assessment applies

2. Evaluation of risk impact of the maintenance configuration (or as the basis for the risk monitor, matrix, or other tool), if the assessment is performed

quantitatively.

The PSA model should include the following characteristics, or, if not, its

limitations for use in supporting the assessment should be compensated for by

additional qualitative evaluation. The EPRI PSA Applications Guide (EPRI TR-

105396) discusses considerations regarding PSA attributes, maintenance, and use

in decisionmaking. This guidance should be considered in determining the degree

of confidence that can be placed in the use of the PSA for the assessment, and

whether additional qualitative considerations should be brought to bear:

1. The PSA should address internal initiating events.

2. The PSA should provide level one insights (contribution to core damage frequency).

3. The PSA is not required to be expanded to quantitatively address containment performance (level 2), external events, or conditions other than power operation.

Use of such an expanded PSA is an option.

4. The PSA should be reviewed periodically and updated as necessary to provide reasonable representation of the current plant design.

5. The PSA should include consideration of support systems and dependencies for SSCs that impact plant risk. NEI document 00-02, "Probabilistic Risk

Assessment Peer Review Process Guidance" includes additional information for

evaluation of the correct treatment of these attributes in a PSA.