ML022410004: Difference between revisions

From kanterella
Jump to navigation Jump to search
(Created page by program invented by StriderTol)
(StriderTol Bot change)
 
Line 19: Line 19:
=Text=
=Text=
{{#Wiki_filter:Attachment 1
{{#Wiki_filter:Attachment 1
                                                                        RIS 2002-14
RIS 2002-14
Attachment 1, Section 2.2, Mitigating Systems Cornerstone, of NEI 99-02, Regulatory
Attachment 1, Section 2.2, Mitigating Systems Cornerstone, of NEI 99-02, Regulatory
Assessment Performance Indicator Guideline (Draft)
Assessment Performance Indicator Guideline (Draft)


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
1
  1
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2 MITIGATING SYSTEM PERFORMANCE INDEX
   
3 Purpose
 
4 The purpose of the mitigating system performance index is to monitor the performance of
5 selected systems based on their ability to perform risk-significant functions as defined herein. It
6 is comprised of two elements - system unavailability and system unreliability. The index is used
1  
7 to determine the significance of performance issues for single demand failures and accumulated
MITIGATING SYSTEM PERFORMANCE INDEX  
8 unavailability. Due to the limitations of the index, the following conditions will rely upon the
2
9 inspection process for determining the significance of performance issues:
Purpose
10
3  
11 1. Multiple concurrent failures of components
The purpose of the mitigating system performance index is to monitor the performance of  
12 2. Common cause failures
4
13 3. Conditions not capable of being discovered during normal surveillance tests
selected systems based on their ability to perform risk-significant functions as defined herein. It  
14 4. Failures of non-active components
5
15
is comprised of two elements - system unavailability and system unreliability. The index is used  
16 Indicator Definition
6
17 Mitigating System Performance Index (MSPI) is the sum of changes in a simplified core damage
to determine the significance of performance issues for single demand failures and accumulated  
18 frequency evaluation resulting from changes in unavailability and unreliability relative to
7
19 baseline values.
unavailability. Due to the limitations of the index, the following conditions will rely upon the  
20
8
21 Unavailability is the ratio of the hours the train/system was unavailable to perform its risk-
inspection process for determining the significance of performance issues:  
22 significant functions due to planned and unplanned maintenance or test on active and non-active
9
23 components during the previous 12 quarters while critical to the number of critical hours during
24 the previous 12 quarters. (Fault exposure hours are not included; unavailable hours are counted
10  
25 only for the time required to recover the trains risk-significant functions.)
1. Multiple concurrent failures of components
26
11
27 Unreliability is the probability that the system would not perform its risk-significant functions
2. Common cause failures  
28 when called upon during the previous 12 quarters.
12
29
3. Conditions not capable of being discovered during normal surveillance tests  
30 Baseline values are the values for unavailability and unreliability against which current changes
13
31 in unavailability and unreliability are measured. See Appendix F for further details.
4. Failures of non-active components  
32
14
33 The MSPI is calculated separately for each of the following five systems for each reactor type.
34
15  
35 BWRs
Indicator Definition  
36 * emergency AC power system
16
37 * high pressure injection systems (high pressure coolant injection, high pressure core spray, or
Mitigating System Performance Index (MSPI) is the sum of changes in a simplified core damage  
38    feedwater coolant injection)
17
39 * heat removal systems (reactor core isolation cooling)
frequency evaluation resulting from changes in unavailability and unreliability relative to  
40 * residual heat removal system (or their equivalent function as described in the Additional
18
41    Guidance for Specific Systems section.)
baseline values.  
                                                      1
19
20  
  Unavailability is the ratio of the hours the train/system was unavailable to perform its risk-
21
significant functions due to planned and unplanned maintenance or test on active and non-active  
22
components during the previous 12 quarters while critical to the number of critical hours during  
23
the previous 12 quarters. (Fault exposure hours are not included; unavailable hours are counted  
24
only for the time required to recover the trains risk-significant functions.)
25
26  
Unreliability is the probability that the system would not perform its risk-significant functions  
27
when called upon during the previous 12 quarters.
28
29  
Baseline values are the values for unavailability and unreliability against which current changes  
30
in unavailability and unreliability are measured. See Appendix F for further details.
31
32  
The MSPI is calculated separately for each of the following five systems for each reactor type.  
33
34  
BWRs
35  
 emergency AC power system  
36
 high pressure injection systems (high pressure coolant injection, high pressure core spray, or  
37
feedwater coolant injection)  
38
 heat removal systems (reactor core isolation cooling)  
39
 residual heat removal system (or their equivalent function as described in the Additional  
40
Guidance for Specific Systems section.)  
41


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2
  1 *   cooling water support system (includes risk significant direct cooling functions provided by
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2    service water and component cooling water or their cooling water equivalents for the above
   
3    four monitored systems)
    
  4
5 PWRs
 cooling water support system (includes risk significant direct cooling functions provided by  
6 * emergency AC power system
1
7 * high pressure safety injection system
service water and component cooling water or their cooling water equivalents for the above  
8 * auxiliary feedwater system
2
9 * residual heat removal system (or their equivalent function as described in the Additional
four monitored systems)  
10    Guidance for Specific Systems section.)
3
11 * cooling water support system (includes risk significant direct cooling functions provided by
   
12    service water and component cooling water or their cooling water equivalents for the above
4  
13    four monitored systems)
PWRs
14
5  
15 Data Reporting Elements
 emergency AC power system  
16 The following data elements are reported for each system
6
17
 high pressure safety injection system  
18 *  Unavailability Index (UAI) due to unavailability for each monitored system
7
19 *  Unreliability Index (URI) due to unreliability for each monitored system
 auxiliary feedwater system  
20
8
21 During the pilot, the additional data elements necessary to calculate UAI and URI will be
 residual heat removal system (or their equivalent function as described in the Additional  
22 reported monthly for each system on an Excel spreadsheet. See Appendix F.
9
23
Guidance for Specific Systems section.)  
24
10
25 Calculation
 cooling water support system (includes risk significant direct cooling functions provided by  
26 The MSPI for each system is the sum of the UAI due to unavailability for the system plus URI
11
27 due to unreliability for the system during the previous twelve quarters.
service water and component cooling water or their cooling water equivalents for the above  
28
12
29 MSPI = UAI + URI.
four monitored systems)  
30
13
31 See Appendix F for the calculational methodology for UAI due to system unavailability and URI
32 due to system unreliability.
14  
33
Data Reporting Elements  
34 Definition of Terms
15
35 A train consists of a group of components that together provide the risk significant functions of
The following data elements are reported for each system
36 the system as explained in the additional guidance for specific mitigating systems. Fulfilling the
16
37 risk-significant function of the system may require one or more trains of a system to operate
38 simultaneously. The number of trains in a system is generally determined as follows:
17  
39
 Unavailability Index (UAI) due to unavailability for each monitored system  
40 *  for systems that provide cooling of fluids, the number of trains is determined by the number
18
41    of parallel heat exchangers, or the number of parallel pumps, or the minimum number of
 Unreliability Index (URI) due to unreliability for each monitored system  
42    parallel flow paths, whichever is fewer.
19
43
                                                    2
20  
During the pilot, the additional data elements necessary to calculate UAI and URI will be  
21
reported monthly for each system on an Excel spreadsheet. See Appendix F.  
22
23  
24  
Calculation
25  
The MSPI for each system is the sum of the UAI due to unavailability for the system plus URI  
26
due to unreliability for the system during the previous twelve quarters.  
27
28  
MSPI = UAI + URI.  
29
30  
See Appendix F for the calculational methodology for UAI due to system unavailability and URI  
31
due to system unreliability.  
32
33  
Definition of Terms  
34
A train consists of a group of components that together provide the risk significant functions of  
35
the system as explained in the additional guidance for specific mitigating systems. Fulfilling the  
36
risk-significant function of the system may require one or more trains of a system to operate  
37
simultaneously. The number of trains in a system is generally determined as follows:  
38
39  
 for systems that provide cooling of fluids, the number of trains is determined by the number  
40
of parallel heat exchangers, or the number of parallel pumps, or the minimum number of  
41
parallel flow paths, whichever is fewer.  
42
43  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
3
  1 *   for emergency AC power systems the number of trains is the number of class 1E emergency
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2    (diesel, gas turbine, or hydroelectric) generators at the station that are installed to power
   
3    shutdown loads in the event of a loss of off-site power. (This does not include the diesel
    
4    generator dedicated to the BWR HPCS system, which is included in the scope of the HPCS
5    system.)
 for emergency AC power systems the number of trains is the number of class 1E emergency  
  6
1
7 Risk Significant Functions: those at power functions, described in the Additional Guidance for
(diesel, gas turbine, or hydroelectric) generators at the station that are installed to power  
8 Specific Systems, that were determined to be risk-significant in accordance with NUMARC 93-
2
9 01, or NRC approved equivalents (e.g., the STP exemption request.) The system functions
shutdown loads in the event of a loss of off-site power. (This does not include the diesel  
10 described in the Additional Guidance for Specific Systems must be modeled in the plants
3
11 PRA/PSA. of risk-significant SSCs as modeled in the plant-specific PRA. Risk metrics for
generator dedicated to the BWR HPCS system, which is included in the scope of the HPCS  
12 identifying risk-significant functions are:
4
13
system.)  
14          Risk Achievement Worth > 2.0, or
5
15          Risk Reduction Worth >0.005, or
   
16          PRA cutsets that account for 90% of core damage frequency90% of core damage
6  
17          frequency accounted for.
Risk Significant Functions: those at power functions, described in the Additional Guidance for  
18
7
19 Risk-Significant Mission Times: The mission time modeled in the PRA for satisfying the risk-
Specific Systems, that were determined to be risk-significant in accordance with NUMARC 93-
20 significant function of reaching a stable plant condition where normal shutdown cooling is
8
21 sufficient. Note that PRA models typically analyze an event for 24 hours, which may exceed the
01, or NRC approved equivalents (e.g., the STP exemption request.) The system functions  
22 time needed for the risk-significant function captured in the MSPI. However, other intervals as
9
23 justified by analyses and modeled in the PRA may be used.
described in the Additional Guidance for Specific Systems must be modeled in the plants  
24
10
25 Success criteria are the plant specific values of parameters the train/system is required to achieve
PRA/PSA. of risk-significant SSCs as modeled in the plant-specific PRA. Risk metrics for  
26 to perform its risk-significant function. Default values of those parameters are the plants design
11
27 bases values unless other values are modeled in the PRA.
identifying risk-significant functions are:  
28
12
29 Clarifying Notes
30 Documentation
13  
31
Risk Achievement Worth > 2.0, or  
32 Each licensee will have the system boundaries, active components, risk-significant functions and
14
33 success criteria readily available for NRC inspection on site. Additionally, plant-specific
Risk Reduction Worth >0.005, or  
34 information used in Appendix F should also be readily available for inspection.
15
35
PRA cutsets that account for 90% of core damage frequency90% of core damage  
36 Success Criteria
16
37
frequency accounted for.  
38 Individual component capability must be evaluated against train/system level success criteria
17
39 (e.g., a valve stroke time may exceed an ASME requirement, but if the valve still strokes in time
40 to meet the PRA success criteria for the train/system, the component has not failed for the
18  
41 purposes of this indicator because the risk-significant train/system function is still satisfied).
Risk-Significant Mission Times: The mission time modeled in the PRA for satisfying the risk-
42 Important plant specific performance factors that can be used to identify the required capability
19
43 of the train/system to meet the risk-significant functions include, but are not limited to:
significant function of reaching a stable plant condition where normal shutdown cooling is  
44 * Actuation
20
45    o Time
sufficient. Note that PRA models typically analyze an event for 24 hours, which may exceed the  
                                                    3
21
time needed for the risk-significant function captured in the MSPI. However, other intervals as  
22
justified by analyses and modeled in the PRA may be used.  
23
24  
Success criteria are the plant specific values of parameters the train/system is required to achieve  
25
to perform its risk-significant function. Default values of those parameters are the plants design  
26
bases values unless other values are modeled in the PRA.  
27
28  
Clarifying Notes  
29
Documentation
30  
31  
Each licensee will have the system boundaries, active components, risk-significant functions and  
32
success criteria readily available for NRC inspection on site. Additionally, plant-specific  
33
information used in Appendix F should also be readily available for inspection.
34
35  
Success Criteria  
36
37  
Individual component capability must be evaluated against train/system level success criteria  
38
(e.g., a valve stroke time may exceed an ASME requirement, but if the valve still strokes in time  
39
to meet the PRA success criteria for the train/system, the component has not failed for the  
40
purposes of this indicator because the risk-significant train/system function is still satisfied).  
41
Important plant specific performance factors that can be used to identify the required capability  
42
of the train/system to meet the risk-significant functions include, but are not limited to:  
43
 Actuation
44  
o Time  
45


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
4
  1    o Auto/manual
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2    o Multiple or sequential
   
3 *  Success requirements
 
4    o Numbers of components or trains
5    o Flows
o Auto/manual  
6    o Pressures
1
7    o Heat exchange rates
o Multiple or sequential  
8    o Temperatures
2
9    o Tank water level
 Success requirements  
10 *  Other mission requirements
3
11    o Run time
o Numbers of components or trains  
12    o State/configuration changes during mission
4
13 *  Accident environment from internal events
o Flows  
14    o Pressure, temperature, humidity
5
15 *  Operational factors
o Pressures  
16    o Procedures
6
17    o Human actions
o Heat exchange rates  
18    o Training
7
19    o Available externalities (e.g., power supplies, special equipment, etc.)
o Temperatures  
20
8
21
o Tank water level  
22
9
23 System/Component Interface Boundaries
 Other mission requirements  
24
10
25 For active components that are supported by other components from both monitored and
o Run time  
26 unmonitored systems, the following general rules apply:
11
27
o State/configuration changes during mission  
28      *  For control and motive power, only the last relay, breaker or contactor necessary to
12
29          power or control the component is included in the active component boundary. For
 Accident environment from internal events  
30          example, if an ESFAS signal actuates a MOV, only the relay that receives the ESFAS
13
31          signal in the control circuitry for the MOV is in the MOV boundary. No other portions
o Pressure, temperature, humidity  
32          of the ESFAS are included.
14
33
 Operational factors  
34      *  For water connections from systems that provide cooling water to an active component,
15
35          only the final active connecting valve is included in the boundary. For example, for
o Procedures  
36          service water that provides cooling to support an AFW pump, only the final active valve
16
37          in the service water system that supplies the cooling water to the AFW system is
o Human actions  
38          included in the AFW system scope. This same valve is not included in the cooling water
17
39          support system scope.
o Training  
40
18
41 Water Sources and Inventory
o Available externalities (e.g., power supplies, special equipment, etc.)  
42
19
43 Water tanks are not considered to be active components. As such, they do not contribute to URI.
44 However, periods of insufficient water inventory contribute to UAI if they result in loss of the
20  
45 risk-significant train function for the required mission time. Water inventory can include
46 operator recovery actions for water make-up provided the actions can be taken in time to meet
21  
                                                    4
22  
System/Component Interface Boundaries  
23
24  
For active components that are supported by other components from both monitored and  
25
unmonitored systems, the following general rules apply:  
26
27  
 For control and motive power, only the last relay, breaker or contactor necessary to  
28
power or control the component is included in the active component boundary. For  
29
example, if an ESFAS signal actuates a MOV, only the relay that receives the ESFAS  
30
signal in the control circuitry for the MOV is in the MOV boundary. No other portions  
31
of the ESFAS are included.  
32
33  
 For water connections from systems that provide cooling water to an active component,  
34
only the final active connecting valve is included in the boundary. For example, for  
35
service water that provides cooling to support an AFW pump, only the final active valve  
36
in the service water system that supplies the cooling water to the AFW system is  
37
included in the AFW system scope. This same valve is not included in the cooling water  
38
support system scope.
39
40  
Water Sources and Inventory  
41
42  
Water tanks are not considered to be active components. As such, they do not contribute to URI.
43
However, periods of insufficient water inventory contribute to UAI if they result in loss of the  
44
risk-significant train function for the required mission time. Water inventory can include  
45
operator recovery actions for water make-up provided the actions can be taken in time to meet  
46


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
5
  1 the mission times and are modeled in the PRA. If additional water sources are required to satisfy
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2 train mission times, only the connecting active valve from the additional water source is
   
3 considered as an active component for calculating URI. If there are valves in the primary water
 
4 source that must change state to permit use of the additional water source, these valves are
5 considered active and should be included in URI for the system.
the mission times and are modeled in the PRA. If additional water sources are required to satisfy  
  6
1
7 Monitored Systems
train mission times, only the connecting active valve from the additional water source is  
  8
2
9 Systems have been generically selected for this indicator based on their importance in preventing
considered as an active component for calculating URI. If there are valves in the primary water  
10 reactor core damage. The systems include the principal systems needed for maintaining reactor
3
11 coolant inventory following a loss of coolant accident, for decay heat removal following a
source that must change state to permit use of the additional water source, these valves are  
12 reactor trip or loss of main feedwater, and for providing emergency AC power following a loss
4
13 of plant off-site power. One risk-significant support function (cooling water support system) is
considered active and should be included in URI for the system.  
14 also monitored. The cooling water support system monitors the risk significant cooling functions
5
15 provided by service water and component cooling water, or their direct cooling water
   
16 equivalents, for the four front-line monitored systems. No support systems are to be cascaded
6  
17 onto the monitored systems, e.g., HVAC room coolers, DC power, instrument air, etc.
Monitored Systems  
18
7
19 Diverse Systems
   
20
8  
21 Except as specifically stated in the indicator definition and reporting guidance, no credit is given
Systems have been generically selected for this indicator based on their importance in preventing  
22 for the achievement of a risk-significant function by an unmonitored system in determining
9
23 unavailability or unreliability of the monitored systems.
reactor core damage. The systems include the principal systems needed for maintaining reactor  
24
10
25 Common Components
coolant inventory following a loss of coolant accident, for decay heat removal following a  
26
11
27 Some components in a system may be common to more than one train or system, in which case
reactor trip or loss of main feedwater, and for providing emergency AC power following a loss  
28 the unavailability/unreliability of a common component is included in all affected trains or
12
29 systems. (However, see Additional Guidance for Specific Systems for exceptions; for example,
of plant off-site power. One risk-significant support function (cooling water support system) is  
30 the PWR High Pressure Safety Injection System.)
13
31
also monitored. The cooling water support system monitors the risk significant cooling functions  
32 Short Duration Unavailability
14
33
provided by service water and component cooling water, or their direct cooling water  
34 Trains are generally considered to be available during periodic system or equipment
15
35 realignments to swap components or flow paths as part of normal operations. Evolutions or
equivalents, for the four front-line monitored systems. No support systems are to be cascaded  
36 surveillance tests that result in less than 15 minutes of unavailable hours per train at a time need
16
37 not be counted as unavailable hours. Licensees should compile a list of surveillances/evolutions
onto the monitored systems, e.g., HVAC room coolers, DC power, instrument air, etc.  
38 that meet this criterion and have it available for inspector review. In addition, equipment
17
39 misalignment or mispositioning which is corrected in less than 15 minutes need not be counted
40 as unavailable hours. The intent is to minimize unnecessary burden of data collection,
18  
41 documentation, and verification because these short durations have insignificant risk impact.
Diverse Systems  
42
19
43 If a licensee is required to take a component out of service for evaluation and corrective actions
44 for greater than 15 minutes (for example, related to a Part 21 Notification), the unavailable hours
20  
45 must be included.
Except as specifically stated in the indicator definition and reporting guidance, no credit is given  
46
21
                                                      5
for the achievement of a risk-significant function by an unmonitored system in determining  
22
unavailability or unreliability of the monitored systems.  
23
24  
Common Components  
25
26  
Some components in a system may be common to more than one train or system, in which case  
27
the unavailability/unreliability of a common component is included in all affected trains or  
28
systems. (However, see Additional Guidance for Specific Systems for exceptions; for example,  
29
the PWR High Pressure Safety Injection System.)  
30
31  
Short Duration Unavailability  
32
33  
Trains are generally considered to be available during periodic system or equipment  
34
realignments to swap components or flow paths as part of normal operations. Evolutions or  
35
surveillance tests that result in less than 15 minutes of unavailable hours per train at a time need  
36
not be counted as unavailable hours. Licensees should compile a list of surveillances/evolutions  
37
that meet this criterion and have it available for inspector review. In addition, equipment  
38
misalignment or mispositioning which is corrected in less than 15 minutes need not be counted  
39
as unavailable hours. The intent is to minimize unnecessary burden of data collection,  
40
documentation, and verification because these short durations have insignificant risk impact.  
41
42  
If a licensee is required to take a component out of service for evaluation and corrective actions  
43
for greater than 15 minutes (for example, related to a Part 21 Notification), the unavailable hours  
44
must be included.  
45
46  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
6
  1 Treatment of Demand /Run Failures and Degraded Conditions
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
  2
   
3    1. Treatment of Demand and Run Failures
 
4      Failures of active components (see Appendix F) on demand or failures to run, either
5      actual or test, while critical, are included in unreliability. Failures on demand or failures
Treatment of Demand /Run Failures and Degraded Conditions  
6      to run at any other timewith the reactor shutdown must be evaluated to determine if the
1
7      failure would have resulted in the train not being able to perform its risk-significant at
   
8      power functions, and must therefore be included in unreliability. Unavailable hours are
2  
9      included only for the time required to recover the trains risk-significant functions and
1. Treatment of Demand and Run Failures  
10      only when the reactor is critical.
3
11
Failures of active components (see Appendix F) on demand or failures to run, either  
12    2. Treatment of Degraded Conditions
4
13
actual or test, while critical, are included in unreliability.   Failures on demand or failures  
14          a) Capable of Being Discovered By Normal Surveillance Tests
5
15              Normal surveillance tests are those tests that are performed at a frequency of a
to run at any other timewith the reactor shutdown must be evaluated to determine if the  
16              refueling cycle or more frequently.
6
17
failure would have resulted in the train not being able to perform its risk-significant at  
18              Degraded conditions, even ifwhere no actual demand existed, that render an
7
19              active component incapable of performing its risk-significant functions are
power functions, and must therefore be included in unreliability. Unavailable hours are  
20              included in unreliability as a demand and a failure. The appropriate failure mode
8
21              must be accounted for. For example, for valves, a demand and a demand failure
included only for the time required to recover the trains risk-significant functions and  
22              would be assumed and included in URI. For pumps and diesels, if the degraded
9
23              condition would have prevented a successful start demand, a demand and a failure
only when the reactor is critical.  
24              is included in URI, but there would be no run time hours or run failures. If it was
10
25              determined that the pump/diesel would start and load run, but would fail
26              sometime during the 24 hour run test or its surveillance test equivalent, the
11  
27              evaluated failure time would be included in run hours and a run failure would be
2. Treatment of Degraded Conditions  
28              assumed. A start demand and start failure would not be included. If a running
12
29              component is secured from operation due to observed degraded performance, but
30              prior to failure, then a run failure shall be counted unless evaluation of the
13  
31              condition shows that the component would have continued to operate for the risk-
a) Capable of Being Discovered By Normal Surveillance Tests
32              significant mission time starting from the time the component was secured.
14
33              Unavailable hours are included for the time required to recover the risk-
Normal surveillance tests are those tests that are performed at a frequency of a  
34              significant function(s).
15
35
refueling cycle or more frequently.  
36              Degraded conditions, or actual unavailability due to mispositioning of non-active
16
37              components that render a train incapable of performing its risk-significant
38              functions are only included in unavailability for the time required to recover the
17  
39              risk-significant function(s).
Degraded conditions, even ifwhere no actual demand existed, that render an  
40
18
41              Loss of risk significant function(s) is assumed to have occurred if the established
active component incapable of performing its risk-significant functions are  
42              success criteria has not been met. If subsequent analysis identifies additional
19
43              margin for the success criterion, future impacts on URI or UAI for degraded
included in unreliability as a demand and a failure. The appropriate failure mode  
44              conditions may be determined based on the new criterion. However, URI and
20
45              UAI must be based on the success criteria of record at the time the degraded
must be accounted for. For example, for valves, a demand and a demand failure  
46              condition is discovered. If the degraded condition is not addressed by any of the
21
                                                    6
would be assumed and included in URI. For pumps and diesels, if the degraded  
22
condition would have prevented a successful start demand, a demand and a failure  
23
is included in URI, but there would be no run time hours or run failures. If it was  
24
determined that the pump/diesel would start and load run, but would fail  
25
sometime during the 24 hour run test or its surveillance test equivalent, the  
26
evaluated failure time would be included in run hours and a run failure would be  
27
assumed. A start demand and start failure would not be included. If a running  
28
component is secured from operation due to observed degraded performance, but  
29
prior to failure, then a run failure shall be counted unless evaluation of the  
30
condition shows that the component would have continued to operate for the risk-
31
significant mission time starting from the time the component was secured.  
32
Unavailable hours are included for the time required to recover the risk-
33
significant function(s).  
34
35  
Degraded conditions, or actual unavailability due to mispositioning of non-active  
36
components that render a train incapable of performing its risk-significant  
37
functions are only included in unavailability for the time required to recover the  
38
risk-significant function(s).
39
40  
Loss of risk significant function(s) is assumed to have occurred if the established  
41
success criteria has not been met. If subsequent analysis identifies additional  
42
margin for the success criterion, future impacts on URI or UAI for degraded  
43
conditions may be determined based on the new criterion. However, URI and  
44
UAI must be based on the success criteria of record at the time the degraded  
45
condition is discovered. If the degraded condition is not addressed by any of the  
46


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
7
  1                pre-defined success criteria, an engineering evaluation to determine the impact of
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2                the degraded condition on the risk-significant function(s) should be completed
   
3                and documented. The use of component failure analysis, circuit analysis, or event
 
4                investigations is acceptable. Engineering judgment may be used in conjunction
5                with analytical techniques to determine the impact of the degraded condition on
pre-defined success criteria, an engineering evaluation to determine the impact of  
6                the risk-significant function. The engineering evaluation should be completed as
1
7                soon as practicable. If it cannot be completed in time to support submission of the
the degraded condition on the risk-significant function(s) should be completed  
8                PI report for the current quarter, the comment field shall note that an evaluation is
2
9                pending. The evaluation must be completed in time to accurately account for
and documented. The use of component failure analysis, circuit analysis, or event  
10                unavailability/unreliability in the next quarterly report. Exceptions to this
3
11                guidance are expected to be rare and will be treated on a case-by-case basis.
investigations is acceptable. Engineering judgment may be used in conjunction  
12                Licensees should identify these situations to the resident inspector.
4
13
with analytical techniques to determine the impact of the degraded condition on  
14            b) Not Capable of Being Discovered by Normal Surveillance Tests
5
15                These failures or conditions are usually of longer exposure time. Since these
the risk-significant function. The engineering evaluation should be completed as  
16                failure modes have not been tested on a regular basis, it is inappropriate to include
6
17                them in the performance index statistics. These failures or conditions are subject
soon as practicable. If it cannot be completed in time to support submission of the  
18                to evaluation through the inspection process. Examples of this type are failures
7
19                due to pressure locking/thermal binding of isolation valves, blockages in lines not
PI report for the current quarter, the comment field shall note that an evaluation is  
20                regularly tested, or inadequate component sizing/settings under accident
8
21                conditions (not under normal test conditions). While not included in the
pending. The evaluation must be completed in time to accurately account for  
22                calculation of the index, they should be reported in the comment field of the PI
9
23                data submittal.
unavailability/unreliability in the next quarterly report. Exceptions to this  
24
10
25
guidance are expected to be rare and will be treated on a case-by-case basis.
26 Credit for Operator Recovery Actions to Restore the Risk-Significant Function
11
27
Licensees should identify these situations to the resident inspector.  
28 1. During testing or operational alignment:
12
29    Unavailability of a risk-significant function during testing or operational alignment need not
30    be included if the test configuration is automatically overridden by a valid starting signal, or
13  
31    the function can be promptly restored either by an operator in the control room or by a
b) Not Capable of Being Discovered by Normal Surveillance Tests  
32    designated operator1 stationed locally for that purpose. Restoration actions must be
14
33    contained in a written procedure2, must be uncomplicated (a single action or a few simple
These failures or conditions are usually of longer exposure time. Since these  
34    actions), must be capable of being restored in time to satisfy PRA success criteria and must
15
35    not require diagnosis or repair. Credit for a designated local operator can be taken only if
failure modes have not been tested on a regular basis, it is inappropriate to include  
36    (s)he is positioned at the proper location throughout the duration of the test for the purpose of
16
37    restoration of the train should a valid demand occur. The intent of this paragraph is to allow
them in the performance index statistics. These failures or conditions are subject  
38    licensees to take credit for restoration actions that are virtually certain to be successful (i.e.,
17
39    probability nearly equal to 1) during accident conditions.
to evaluation through the inspection process. Examples of this type are failures  
40
18
  1 Operator in this circumstance refers to any plant personnel qualified and designated to perform
due to pressure locking/thermal binding of isolation valves, blockages in lines not  
  the restoration function.
19
  2 Including restoration steps in an approved test procedure.
regularly tested, or inadequate component sizing/settings under accident  
                                                      7
20
conditions (not under normal test conditions). While not included in the  
21
calculation of the index, they should be reported in the comment field of the PI  
22
data submittal.  
23
24  
25  
Credit for Operator Recovery Actions to Restore the Risk-Significant Function  
26
27  
1. During testing or operational alignment:  
28
Unavailability of a risk-significant function during testing or operational alignment need not  
29
be included if the test configuration is automatically overridden by a valid starting signal, or  
30
the function can be promptly restored either by an operator in the control room or by a  
31
designated operator1 stationed locally for that purpose. Restoration actions must be  
32
contained in a written procedure2, must be uncomplicated (a single action or a few simple  
33
actions), must be capable of being restored in time to satisfy PRA success criteria and must  
34
not require diagnosis or repair. Credit for a designated local operator can be taken only if  
35
(s)he is positioned at the proper location throughout the duration of the test for the purpose of  
36
restoration of the train should a valid demand occur. The intent of this paragraph is to allow  
37
licensees to take credit for restoration actions that are virtually certain to be successful (i.e.,  
38
probability nearly equal to 1) during accident conditions.  
39
40  
                                           
1 Operator in this circumstance refers to any plant personnel qualified and designated to perform  
the restoration function.  
2 Including restoration steps in an approved test procedure.  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
8
  1    The individual performing the restoration function can be the person conducting the test and
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2    must be in communication with the control room. Credit can also be taken for an operator in
   
3    the main control room provided (s)he is in close proximity to restore the equipment when
 
4    needed. Normal staffing for the test may satisfy the requirement for a dedicated operator,
5    depending on work assignments. In all cases, the staffing must be considered in advance and
The individual performing the restoration function can be the person conducting the test and  
6    an operator identified to perform the restoration actions independent of other control room
1
7    actions that may be required.
must be in communication with the control room. Credit can also be taken for an operator in  
  8
2
9    Under stressful, chaotic conditions, otherwise simple multiple actions may not be
the main control room provided (s)he is in close proximity to restore the equipment when  
10    accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and
3
11    landing wires; or clearing tags). In addition, some manual operations of systems designed to
needed. Normal staffing for the test may satisfy the requirement for a dedicated operator,  
12    operate automatically, such as manually controlling HPCI turbine to establish and control
4
13    injection flow, are not virtually certain to be successful. These situations should be resolved
depending on work assignments. In all cases, the staffing must be considered in advance and  
14    on a case-by-case basis through the FAQ process.
5
15
an operator identified to perform the restoration actions independent of other control room  
16 2. During Maintenance
6
17    Unavailability of a risk-significant function during maintenance need not be included if the
actions that may be required.  
18    risk-significant function can be promptly restored either by an operator in the control room or
7
19    by a designated operator3 stationed locally for that purpose. Restoration actions must be
   
20    contained in a written procedure4, must be uncomplicated (a single action or a few simple
8  
21    actions), must be capable of being restored in time to satisfy PRA success criteria and must
Under stressful, chaotic conditions, otherwise simple multiple actions may not be  
22    not require diagnosis or repair. Credit for a designated local operator can be taken only if
9
23    (s)he is positioned at a proper location throughout the duration of the maintenance activity
accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and  
24    for the purpose of restoration of the train should a valid demand occur. The intent of this
10
25    paragraph is to allow licensees to take credit for restoration of risk-significant functions that
landing wires; or clearing tags). In addition, some manual operations of systems designed to  
26    are virtually certain to be successful (i.e., probability nearly equal to 1). The individual
11
27    performing the restoration function can be the person performing the maintenance and must
operate automatically, such as manually controlling HPCI turbine to establish and control  
28    be in communication with the control room. Credit can also be taken for an operator in the
12
29    main control room provided (s)he is in close proximity to restore the equipment when
injection flow, are not virtually certain to be successful. These situations should be resolved  
30    needed. Under stressful chaotic conditions otherwise simple multiple actions may not be
13
31    accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and
on a case-by-case basis through the FAQ process.  
32    landing wires, or clearing tags). These situations should be resolved on a case-by-case basis
14
33    through the FAQ process.
34
15  
35 3. Satisfying PRA success criteriaRisk Significant Mission Times
2. During Maintenance  
36    Risk significant operator actions to satisfy pre-determined train/system risk-significant
16
37    mission times can only be credited if they are modeled in the PRA.
Unavailability of a risk-significant function during maintenance need not be included if the  
38
17
39 Swing trains and components shared between units
risk-significant function can be promptly restored either by an operator in the control room or  
40
18
  3 Operator in this circumstance refers to any plant personnel qualified and designated to perform the
by a designated operator3 stationed locally for that purpose. Restoration actions must be  
  restoration function.
19
  4 Including restoration steps in an approved test procedure.
contained in a written procedure4, must be uncomplicated (a single action or a few simple  
                                                      8
20
actions), must be capable of being restored in time to satisfy PRA success criteria and must  
21
not require diagnosis or repair. Credit for a designated local operator can be taken only if  
22
(s)he is positioned at a proper location throughout the duration of the maintenance activity  
23
for the purpose of restoration of the train should a valid demand occur. The intent of this  
24
paragraph is to allow licensees to take credit for restoration of risk-significant functions that  
25
are virtually certain to be successful (i.e., probability nearly equal to 1). The individual  
26
performing the restoration function can be the person performing the maintenance and must  
27
be in communication with the control room. Credit can also be taken for an operator in the  
28
main control room provided (s)he is in close proximity to restore the equipment when  
29
needed. Under stressful chaotic conditions otherwise simple multiple actions may not be  
30
accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and  
31
landing wires, or clearing tags). These situations should be resolved on a case-by-case basis  
32
through the FAQ process.  
33
34  
3. Satisfying PRA success criteriaRisk Significant Mission Times  
35
Risk significant operator actions to satisfy pre-determined train/system risk-significant  
36
mission times can only be credited if they are modeled in the PRA.  
37
38  
Swing trains and components shared between units  
39
40  
                                           
3 Operator in this circumstance refers to any plant personnel qualified and designated to perform the  
restoration function.  
4 Including restoration steps in an approved test procedure.  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
9
  1 Swing trains/components are trains/components that can be aligned to any unit. To be credited
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2 as such, their swing capability should be modeled in the PRA to provide an appropriate Fussell-
   
3 Vesely value.
 
  4
5 Unit Cross Tie Capability
Swing trains/components are trains/components that can be aligned to any unit. To be credited  
  6
1
7 Components that cross tie monitored systems between units should be considered active
as such, their swing capability should be modeled in the PRA to provide an appropriate Fussell-
8 components if they are modeled in the PRA and meet the active component criteria in Appendix
2
9 F. Such active components are counted in each units performance indicators.
Vesely value.  
10
3
11 Maintenance Trains and Installed Spares
   
12
4  
13 Some power plants have systems with extra trains to allow preventive maintenance to be carried
Unit Cross Tie Capability  
14 out with the unit at power without impacting the risk-significant function of the system. That is,
5
15 one of the remaining trains may fail, but the system can still perform its risk significant function.
   
16 To be a maintenance train, a train must not be needed to perform the systems risk significant
6  
17 function.
Components that cross tie monitored systems between units should be considered active  
18
7
19 An "installed spare" is a component (or set of components) that is used as a replacement for other
components if they are modeled in the PRA and meet the active component criteria in Appendix  
20 equipment to allow for the removal of equipment from service for preventive or corrective
8
21 maintenance without impacting the risk-significant function of the system. To be an "installed
F. Such active components are counted in each units performance indicators.  
22 spare," a component must not be needed for the system to perform the risk significant function.
9
23
24
10  
25 For unreliability, spare active components are included if they are modeled in the PRA.
Maintenance Trains and Installed Spares  
26 Unavailability of the spare component/train is only counted in the index if the spare is substituted
11
27 for a primary train/component. Unavailability is not monitored for a component/train when that
28 component/train has been replaced by an installed spare or maintenance train.
12  
29
Some power plants have systems with extra trains to allow preventive maintenance to be carried  
30 Use of Plant-Specific PRA and SPAR Models
13
31
out with the unit at power without impacting the risk-significant function of the system. That is,  
32 The MSPI is an approximation using some information from a plants actual PRA and is
14
33 intended as an indicator of system performance. Plant-specific PRAs and SPAR models cannot
one of the remaining trains may fail, but the system can still perform its risk significant function.
34 be used to question the outcome of the PIs computed in accordance with this guideline.
15
35
To be a maintenance train, a train must not be needed to perform the systems risk significant  
36 Maintenance Rule Performance Monitoring
16
37
function.  
38 It is the intent that NUMARC 93-01 be revised to require consistent unavailability and
17
39 unreliability data gathering as required by this guideline.
40
18  
                                                    9
An "installed spare" is a component (or set of components) that is used as a replacement for other  
19
equipment to allow for the removal of equipment from service for preventive or corrective  
20
maintenance without impacting the risk-significant function of the system. To be an "installed  
21
spare," a component must not be needed for the system to perform the risk significant function.  
22
23  
24  
For unreliability, spare active components are included if they are modeled in the PRA.
25
Unavailability of the spare component/train is only counted in the index if the spare is substituted  
26
for a primary train/component. Unavailability is not monitored for a component/train when that  
27
component/train has been replaced by an installed spare or maintenance train.  
28
29  
Use of Plant-Specific PRA and SPAR Models  
30
31  
The MSPI is an approximation using some information from a plants actual PRA and is  
32
intended as an indicator of system performance. Plant-specific PRAs and SPAR models cannot  
33
be used to question the outcome of the PIs computed in accordance with this guideline.  
34
35  
Maintenance Rule Performance Monitoring  
36
37  
It is the intent that NUMARC 93-01 be revised to require consistent unavailability and  
38
unreliability data gathering as required by this guideline.  
39
40  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
10
  1 ADDITIONAL GUIDANCE FOR SPECIFIC SYSTEMS
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2 This guidance provides typical system scopes. Individual plants should include those systems
   
3 employed at their plant that are necessary to satisfy the specific risk-significant functions
 
4 described below and reflected in their PRAs.
5 Emergency AC Power Systems
ADDITIONAL GUIDANCE FOR SPECIFIC SYSTEMS  
6 Scope
1
7 The function monitored for the emergency AC power system is the ability of the emergency
This guidance provides typical system scopes. Individual plants should include those systems  
8 generators to provide AC power to the class 1E buses upon a loss of off-site power while the
2
9 reactor is critical, including post-accident conditions. The emergency AC power system is
employed at their plant that are necessary to satisfy the specific risk-significant functions  
10 typically comprised of two or more independent emergency generators that provide AC power to
3
11 class 1E buses following a loss of off-site power. The emergency generator dedicated to
described below and reflected in their PRAs.
12 providing AC power to the high pressure core spray system in BWRs is not within the scope of
4
13 emergency AC power.
Emergency AC Power Systems  
14
5
15 The electrical circuit breaker(s) that connect(s) an emergency generator to the class lE buses that
Scope
16 are normally served by that emergency generator are considered to be part of the emergency
6  
17 generator train.
The function monitored for the emergency AC power system is the ability of the emergency  
18
7
19 Emergency generators that are not safety grade, or that serve a backup role only (e.g., an
generators to provide AC power to the class 1E buses upon a loss of off-site power while the  
20 alternate AC power source), are not included in the performance reporting.
8
21
reactor is critical, including post-accident conditions. The emergency AC power system is  
22 Train Determination
9
23 The number of emergency AC power system trains for a unit is equal to the number of class 1E
typically comprised of two or more independent emergency generators that provide AC power to  
24 emergency generators that are available to power safe-shutdown loads in the event of a loss of
10
25 off-site power for that unit. There are three typical configurations for EDGs at a multi-unit
class 1E buses following a loss of off-site power. The emergency generator dedicated to  
26 station:
11
27
providing AC power to the high pressure core spray system in BWRs is not within the scope of  
28 1. EDGs dedicated to only one unit.
12
29 2. One or more EDGs are available to swing to either unit
emergency AC power.  
30 3. All EDGs can supply all units
13
31
32 For configuration 1, the number of trains for a unit is equal to the number of EDGs dedicated to
14  
33 the unit. For configuration 2, the number of trains for a unit is equal to the number of dedicated
The electrical circuit breaker(s) that connect(s) an emergency generator to the class lE buses that  
34 EDGs for that unit plus the number of swing EDGs available to that unit (i.e., The swing
15
35 EDGs are included in the train count for each unit). For configuration 3, the number of trains is
are normally served by that emergency generator are considered to be part of the emergency  
36 equal to the number of EDGs.
16
37
generator train.  
38 Clarifying Notes
17
39 The emergency diesel generators are not considered to be available during the following portions
40 of periodic surveillance tests unless recovery from the test configuration during accident
18  
41 conditions is virtually certain, as described in Credit for operator recovery actions during
Emergency generators that are not safety grade, or that serve a backup role only (e.g., an  
                                                    10
19
alternate AC power source), are not included in the performance reporting.  
20
21  
Train Determination  
22
The number of emergency AC power system trains for a unit is equal to the number of class 1E  
23
emergency generators that are available to power safe-shutdown loads in the event of a loss of  
24
off-site power for that unit. There are three typical configurations for EDGs at a multi-unit  
25
station:  
26
27  
1. EDGs dedicated to only one unit.  
28
2. One or more EDGs are available to swing to either unit
29
3. All EDGs can supply all units  
30
31  
For configuration 1, the number of trains for a unit is equal to the number of EDGs dedicated to  
32
the unit. For configuration 2, the number of trains for a unit is equal to the number of dedicated  
33
EDGs for that unit plus the number of swing EDGs available to that unit (i.e., The swing  
34
EDGs are included in the train count for each unit). For configuration 3, the number of trains is  
35
equal to the number of EDGs.  
36
37  
Clarifying Notes  
38
The emergency diesel generators are not considered to be available during the following portions  
39
of periodic surveillance tests unless recovery from the test configuration during accident  
40
conditions is virtually certain, as described in Credit for operator recovery actions during  
41


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
11
  1 testing, can be satisfied; or the duration of the condition is less than fifteen minutes per train at
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2 one time:
   
  3
 
4 *    Load-run testing
5 *    Barring
testing, can be satisfied; or the duration of the condition is less than fifteen minutes per train at  
  6
1
7 An EDG is not considered to have failed due to any of the following events:
one time:  
  8
2
9 *    spurious operation of a trip that would be bypassed in a loss of offsite power event
   
10 *    malfunction of equipment that is not required to operate during a loss of offsite power event
3  
11      (e.g., circuitry used to synchronize the EDG with off-site power sources)
 Load-run testing
12 *    failure to start because a redundant portion of the starting system was intentionally disabled
4
13      for test purposes, if followed by a successful start with the starting system in its normal
 Barring
14     alignment
5  
15 Air compressors are not part of the EDG boundary. However, air receivers that provide starting
   
16 air for the diesel are included in the EDG boundary.
6  
17
An EDG is not considered to have failed due to any of the following events:  
18 If an EDG has a dedicated battery independent of the stations normal DC distribution system,
7
19 the dedicated battery is included in the EDG system boundary.
   
20
8  
21 If the EDG day tank is not sufficient to meet the EDG mission time, the fuel transfer function

22 should be modeled in the PRA. However, the fuel transfer pumps are not considered to be an
spurious operation of a trip that would be bypassed in a loss of offsite power event  
23 active component in the EDG system because they are considered to be a support system.
9
24

25
malfunction of equipment that is not required to operate during a loss of offsite power event  
26
10
27 BWR High Pressure Injection Systems
(e.g., circuitry used to synchronize the EDG with off-site power sources)  
28 (High Pressure Coolant Injection, High Pressure Core Spray, and Feedwater Coolant
11
29 Injection)
 failure to start because a redundant portion of the starting system was intentionally disabled  
30
12
31 Scope
for test purposes, if followed by a successful start with the starting system in its normal  
32 These systems function at high pressure to maintain reactor coolant inventory and to remove
13
33 decay heat following a small-break Loss of Coolant Accident (LOCA) event or a loss of main
alignment
34 feedwater event.
14  
35
Air compressors are not part of the EDG boundary. However, air receivers that provide starting  
36 The function monitored for the indicator is the ability of the monitored system to take suction
15
37 from the suppression pool (and from the condensate storage tank, if credited in the plants
air for the diesel are included in the EDG boundary.  
38 accident analysis) and inject into the reactor vessel.
16
39
40 Plants should monitor either the high-pressure coolant injection (HPCI), the high-pressure core
17  
41 spray (HPCS), or the feedwater coolant injection (FWCI) system, whichever is installed. The
If an EDG has a dedicated battery independent of the stations normal DC distribution system,  
42 turbine and governor (or motor-driven FWCI pumps), and associated piping and valves for
18
43 turbine steam supply and exhaust are within the scope of these systems. Valves in the feedwater
the dedicated battery is included in the EDG system boundary.  
44 line are not considered within the scope of these systems. The emergency generator dedicated to
19
                                                      11
20  
If the EDG day tank is not sufficient to meet the EDG mission time, the fuel transfer function  
21
should be modeled in the PRA. However, the fuel transfer pumps are not considered to be an  
22
active component in the EDG system because they are considered to be a support system.
23
24  
25  
26  
BWR High Pressure Injection Systems  
27
(High Pressure Coolant Injection, High Pressure Core Spray, and Feedwater Coolant  
28
Injection)  
29
30  
Scope
31  
These systems function at high pressure to maintain reactor coolant inventory and to remove  
32
decay heat following a small-break Loss of Coolant Accident (LOCA) event or a loss of main  
33
feedwater event.  
34
35  
The function monitored for the indicator is the ability of the monitored system to take suction  
36
from the suppression pool (and from the condensate storage tank, if credited in the plants  
37
accident analysis) and inject into the reactor vessel.  
38
39  
Plants should monitor either the high-pressure coolant injection (HPCI), the high-pressure core  
40
spray (HPCS), or the feedwater coolant injection (FWCI) system, whichever is installed. The  
41
turbine and governor (or motor-driven FWCI pumps), and associated piping and valves for  
42
turbine steam supply and exhaust are within the scope of these systems. Valves in the feedwater  
43
line are not considered within the scope of these systems. The emergency generator dedicated to  
44


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
12
  1 providing AC power to the high-pressure core spray system is included in the scope of the
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2 HPCS. The HPCS system typically includes a "water leg" pump to prevent water hammer in the
   
3 HPCS piping to the reactor vessel. The "water leg" pump and valves in the "water leg" pump
 
4 flow path are ancillary components and are not included in the scope of the HPCS system.
5 Unavailability is not included while critical if the system is below steam pressure specified in
providing AC power to the high-pressure core spray system is included in the scope of the  
6 technical specifications at which the system can be operated.
1
  7
HPCS. The HPCS system typically includes a "water leg" pump to prevent water hammer in the  
8 Train Determination
2
9 The HPCI and HPCS systems are considered single-train systems. The booster pump and other
HPCS piping to the reactor vessel. The "water leg" pump and valves in the "water leg" pump  
10 small pumps are ancillary components not used in determining the number of trains. The effect
3
11 of these pumps on system performance is included in the system indicator to the extent their
flow path are ancillary components and are not included in the scope of the HPCS system.  
12 failure detracts from the ability of the system to perform its risk-significant function. For the
4
13 FWCI system, the number of trains is determined by the number of feedwater pumps. The
Unavailability is not included while critical if the system is below steam pressure specified in  
14 number of condensate and feedwater booster pumps are not used to determine the number of
5
15 trains.
technical specifications at which the system can be operated.  
16
6
17 BWR Heat Removal Systems
   
18 (Reactor Core Isolation Cooling or Isolation Condenser)
7  
19
Train Determination  
20 Scope
8
21 This system functions at high pressure to remove decay heat following a loss of main feedwater
The HPCI and HPCS systems are considered single-train systems. The booster pump and other  
22 event. The RCIC system also functions to maintain reactor coolant inventory following a very
9
23 small LOCA event.
small pumps are ancillary components not used in determining the number of trains. The effect  
24
10
25 The function monitored for the indicator is the ability of the RCIC system to cool the reactor
of these pumps on system performance is included in the system indicator to the extent their  
26 vessel core and provide makeup water by taking a suction from either the condensate storage
11
27 tank or the suppression pool and injecting at rated pressure and flow into the reactor vessel.
failure detracts from the ability of the system to perform its risk-significant function. For the  
28
12
29 The Reactor Core Isolation Cooling (RCIC) system turbine, governor, and associated piping and
FWCI system, the number of trains is determined by the number of feedwater pumps. The  
30 valves for steam supply and exhaust are within the scope of the RCIC system. Valves in the
13
31 feedwater line are not considered within the scope of the RCIC system. The Isolation Condenser
number of condensate and feedwater booster pumps are not used to determine the number of  
32 and inlet valves are within the scope of Isolation Condenser system. Unavailability is not
14
33 included while critical if the system is below steam pressure specified in technical specifications
trains.  
34 at which the system can be operated.
15
35
36
16  
37 Train Determination
BWR Heat Removal Systems
38 The RCIC system is considered a single-train system. The condensate and vacuum pumps are
17
39 ancillary components not used in determining the number of trains. The effect of these pumps on
(Reactor Core Isolation Cooling or Isolation Condenser)  
40 RCIC performance is included in the system indicator to the extent that a component failure
18
41 results in an inability of the system to perform its risk-significant function.
                                                      12
19  
Scope
20  
This system functions at high pressure to remove decay heat following a loss of main feedwater  
21
event. The RCIC system also functions to maintain reactor coolant inventory following a very  
22
small LOCA event.  
23
24  
The function monitored for the indicator is the ability of the RCIC system to cool the reactor  
25
vessel core and provide makeup water by taking a suction from either the condensate storage  
26
tank or the suppression pool and injecting at rated pressure and flow into the reactor vessel.  
27
28  
The Reactor Core Isolation Cooling (RCIC) system turbine, governor, and associated piping and  
29
valves for steam supply and exhaust are within the scope of the RCIC system. Valves in the  
30
feedwater line are not considered within the scope of the RCIC system. The Isolation Condenser  
31
and inlet valves are within the scope of Isolation Condenser system. Unavailability is not  
32
included while critical if the system is below steam pressure specified in technical specifications  
33
at which the system can be operated.  
34
35  
36  
Train Determination  
37
The RCIC system is considered a single-train system. The condensate and vacuum pumps are  
38
ancillary components not used in determining the number of trains. The effect of these pumps on  
39
RCIC performance is included in the system indicator to the extent that a component failure  
40
results in an inability of the system to perform its risk-significant function.  
41


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
13
  1
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2 BWR Residual Heat Removal Systems
   
3 Scope
 
4 The functions monitored for the BWR residual heat removal (RHR) system are the ability of the
5 RHR system to remove heat from the suppression pool, provide low pressure coolant injection,
6 and provide post-accident decay heat removal. The pumps, heat exchangers, and associated
1  
7 piping and valves for those functions are included in the scope of the RHR system.
BWR Residual Heat Removal Systems  
  8
2
9 Train Determination
Scope
10 The number of trains in the RHR system is determined by the number of parallel RHR heat
3  
11 exchangers.
The functions monitored for the BWR residual heat removal (RHR) system are the ability of the  
12
4
13 PWR High Pressure Safety Injection Systems
RHR system to remove heat from the suppression pool, provide low pressure coolant injection,  
14 Scope
5
15 These systems are used primarily to maintain reactor coolant inventory at high pressures
and provide post-accident decay heat removal. The pumps, heat exchangers, and associated  
16 following a loss of reactor coolant. HPSI system operation following a small-break LOCA
6
17 involves transferring an initial supply of water from the refueling water storage tank (RWST) to
piping and valves for those functions are included in the scope of the RHR system.  
18 cold leg piping of the reactor coolant system. Once the RWST inventory is depleted,
7
19 recirculation of water from the reactor building emergency sump is required. The function
   
20 monitored for HPSI is the ability of a HPSI train to take a suction from the primary water source
8  
21 (typically, a borated water tank), or from the containment emergency sump, and inject into the
Train Determination  
22 reactor coolant system at rated flow and pressure.
9
23
The number of trains in the RHR system is determined by the number of parallel RHR heat  
24 The scope includes the pumps and associated piping and valves from both the refueling water
10
25 storage tank and from the containment sump to the pumps, and from the pumps into the reactor
exchangers.
26 coolant system piping. For plants where the high-pressure injection pump takes suction from the
11
27 residual heat removal pumps, the residual heat removal pump discharge header isolation valve to
28 the HPSI pump suction is included in the scope of HPSI system. Some components may be
12  
29 included in the scope of more than one train. For example, cold-leg injection lines may be fed
PWR High Pressure Safety Injection Systems  
30 from a common header that is supplied by both HPSI trains. In these cases, the effects of testing
13
31 or component failures in an injection line should be reported in both trains.
Scope
32
14  
33 Train Determination
These systems are used primarily to maintain reactor coolant inventory at high pressures  
34
15
35 In general, the number of HPSI system trains is defined by the number of high head injection
following a loss of reactor coolant. HPSI system operation following a small-break LOCA  
36 paths that provide cold-leg and/or hot-leg injection capability, as applicable.
16
37
involves transferring an initial supply of water from the refueling water storage tank (RWST) to  
38 For Babcock and Wilcox (B&W) reactors, the design features centrifugal pumps used for high
17
39 pressure injection (about 2,500 psig) and no hot-leg injection path. Recirculation from the
cold leg piping of the reactor coolant system. Once the RWST inventory is depleted,  
40 containment sump requires operation of pumps in the residual heat removal system. They are
18
                                                    13
recirculation of water from the reactor building emergency sump is required. The function  
19
monitored for HPSI is the ability of a HPSI train to take a suction from the primary water source  
20
(typically, a borated water tank), or from the containment emergency sump, and inject into the  
21
reactor coolant system at rated flow and pressure.  
22
23  
The scope includes the pumps and associated piping and valves from both the refueling water  
24
storage tank and from the containment sump to the pumps, and from the pumps into the reactor  
25
coolant system piping. For plants where the high-pressure injection pump takes suction from the  
26
residual heat removal pumps, the residual heat removal pump discharge header isolation valve to  
27
the HPSI pump suction is included in the scope of HPSI system. Some components may be  
28
included in the scope of more than one train. For example, cold-leg injection lines may be fed  
29
from a common header that is supplied by both HPSI trains. In these cases, the effects of testing  
30
or component failures in an injection line should be reported in both trains.  
31
32  
Train Determination  
33
34  
In general, the number of HPSI system trains is defined by the number of high head injection  
35
paths that provide cold-leg and/or hot-leg injection capability, as applicable.  
36
37  
For Babcock and Wilcox (B&W) reactors, the design features centrifugal pumps used for high  
38
pressure injection (about 2,500 psig) and no hot-leg injection path. Recirculation from the  
39
containment sump requires operation of pumps in the residual heat removal system. They are  
40


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
14
  1 typically a two-train system, with an installed spare pump (depending on plant-specific design)
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2 that can be aligned to either train.
   
  3
 
4 For two-loop Westinghouse plants, the pumps operate at a lower pressure (about 1600 psig) and
5 there may be a hot-leg injection path in addition to a cold-leg injection path (both are included as
typically a two-train system, with an installed spare pump (depending on plant-specific design)  
6 a part of the train).
1
  7
that can be aligned to either train.  
8 For Combustion Engineering (CE) plants, the design features three centrifugal pumps that
2
9 operate at intermediate pressure (about 1300 psig) and provide flow to two cold-leg injection
   
10 paths or two hot-leg injection paths. In most designs, the HPSI pumps take suction directly from
3  
11 the containment sump for recirculation. In these cases, the sump suction valves are included
For two-loop Westinghouse plants, the pumps operate at a lower pressure (about 1600 psig) and  
12 within the scope of the HPSI system. This is a two-train system (two trains of combined cold-leg
4
13 and hot-leg injection capability). One of the three pumps is typically an installed spare that can
there may be a hot-leg injection path in addition to a cold-leg injection path (both are included as  
14 be aligned to either train or only to one of the trains (depending on plant-specific design).
5
15
a part of the train).  
16 For Westinghouse three-loop plants, the design features three centrifugal pumps that operate at
6
17 high pressure (about 2500 psig), a cold-leg injection path through the BIT (with two trains of
   
18 redundant valves), an alternate cold-leg injection path, and two hot-leg injection paths. One of
7  
19 the pumps is considered an installed spare. Recirculation is provided by taking suction from the
For Combustion Engineering (CE) plants, the design features three centrifugal pumps that  
20 RHR pump discharges. A train consists of a pump, the pump suction valves and boron injection
8
21 tank (BIT) injection line valves electrically associated with the pump, and the associated hot-leg
operate at intermediate pressure (about 1300 psig) and provide flow to two cold-leg injection  
22 injection path. The alternate cold-leg injection path is required for recirculation, and should be
9
23 included in the train with which its isolation valve is electrically associated. This represents a
paths or two hot-leg injection paths. In most designs, the HPSI pumps take suction directly from  
24 two-train HPSI system.
10
25
the containment sump for recirculation. In these cases, the sump suction valves are included  
26 For Four-loop Westinghouse plants, the design features two centrifugal pumps that operate at
11
27 high pressure (about 2500 psig), two centrifugal pumps that operate at an intermediate pressure
within the scope of the HPSI system. This is a two-train system (two trains of combined cold-leg  
28 (about 1600 psig), a BIT injection path (with two trains of injection valves), a cold-leg safety
12
29 injection path, and two hot-leg injection paths. Recirculation is provided by taking suction from
and hot-leg injection capability). One of the three pumps is typically an installed spare that can  
30 the RHR pump discharges. Each of two high pressure trains is comprised of a high pressure
13
31 centrifugal pump, the pump suction valves and BIT valves that are electrically associated with
be aligned to either train or only to one of the trains (depending on plant-specific design).  
32 the pump. Each of two intermediate pressure trains is comprised of the safety injection pump, the
14
33 suction valves and the hot-leg injection valves electrically associated with the pump. The cold-
34 leg safety injection path can be fed with either safety injection pump, thus it should be associated
15  
35 with both intermediate pressure trains. This HPSI system is considered a four-train system for
For Westinghouse three-loop plants, the design features three centrifugal pumps that operate at  
36 monitoring purposes.
16
37
high pressure (about 2500 psig), a cold-leg injection path through the BIT (with two trains of  
38
17
39
redundant valves), an alternate cold-leg injection path, and two hot-leg injection paths. One of  
40 PWR Auxiliary Feedwater Systems
18
41 Scope
the pumps is considered an installed spare. Recirculation is provided by taking suction from the  
42 The AFW system provides decay heat removal via the steam generators to cool down and
19
43 depressurize the reactor coolant system following a reactor trip. The AFW system is assumed to
RHR pump discharges. A train consists of a pump, the pump suction valves and boron injection  
44 be required for an extended period of operation during which the initial supply of water from the
20
45 condensate storage tank is depleted and water from an alternative water source (e.g., the service
tank (BIT) injection line valves electrically associated with the pump, and the associated hot-leg  
46 water system) is required. Therefore components in the flow paths from both of these water
21
                                                      14
injection path. The alternate cold-leg injection path is required for recirculation, and should be  
22
included in the train with which its isolation valve is electrically associated. This represents a  
23
two-train HPSI system.  
24
25  
For Four-loop Westinghouse plants, the design features two centrifugal pumps that operate at  
26
high pressure (about 2500 psig), two centrifugal pumps that operate at an intermediate pressure  
27
(about 1600 psig), a BIT injection path (with two trains of injection valves), a cold-leg safety  
28
injection path, and two hot-leg injection paths. Recirculation is provided by taking suction from  
29
the RHR pump discharges. Each of two high pressure trains is comprised of a high pressure  
30
centrifugal pump, the pump suction valves and BIT valves that are electrically associated with  
31
the pump. Each of two intermediate pressure trains is comprised of the safety injection pump, the  
32
suction valves and the hot-leg injection valves electrically associated with the pump. The cold-
33
leg safety injection path can be fed with either safety injection pump, thus it should be associated  
34
with both intermediate pressure trains. This HPSI system is considered a four-train system for  
35
monitoring purposes.  
36
37  
38  
39  
PWR Auxiliary Feedwater Systems  
40
Scope
41  
The AFW system provides decay heat removal via the steam generators to cool down and  
42
depressurize the reactor coolant system following a reactor trip. The AFW system is assumed to  
43
be required for an extended period of operation during which the initial supply of water from the  
44
condensate storage tank is depleted and water from an alternative water source (e.g., the service  
45
water system) is required. Therefore components in the flow paths from both of these water  
46


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
15
  1 sources are included; however, the alternative water source (e.g., service water system) is not
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2 included.
   
  3
 
4 The function monitored for the indicator is the ability of the AFW system to take a suction from
5 the primary water source (typically, the condensate storage tank) or, if required, from an
sources are included; however, the alternative water source (e.g., service water system) is not  
6 emergency source (typically, a lake or river via the service water system) and inject into at least
1
7 one steam generator at rated flow and pressure.
included.  
  8
2
9 The scope of the auxiliary feedwater (AFW) or emergency feedwater (EFW) systems includes
   
10 the pumps and the components in the flow paths from the condensate storage tank and, if
3  
11 required, the valve(s) that connect the alternative water source to the auxiliary feedwater system.
The function monitored for the indicator is the ability of the AFW system to take a suction from  
12 Startup feedwater pumps are not included in the scope of this indicator.
4
13
the primary water source (typically, the condensate storage tank) or, if required, from an  
14 Train Determination
5
15 The number of trains is determined primarily by the number of parallel pumps. For example, a
emergency source (typically, a lake or river via the service water system) and inject into at least  
16 system with three pumps is defined as a three-train system, whether it feeds two, three, or four
6
17 injection lines, and regardless of the flow capacity of the pumps. Some components may be
one steam generator at rated flow and pressure.  
18 included in the scope of more than one train. For example, one set of flow regulating valves and
7
19 isolation valves in a three-pump, two-steam generator system are included in the motor-driven
   
20 pump train with which they are electrically associated, but they are also included (along with the
8  
21 redundant set of valves) in the turbine-driven pump train. In these instances, the effects of testing
The scope of the auxiliary feedwater (AFW) or emergency feedwater (EFW) systems includes  
22 or failure of the valves should be reported in both affected trains. Similarly, when two trains
9
23 provide flow to a common header, the effect of isolation or flow regulating valve failures in
the pumps and the components in the flow paths from the condensate storage tank and, if  
24 paths connected to the header should be considered in both trains.
10
25
required, the valve(s) that connect the alternative water source to the auxiliary feedwater system.  
26 PWR Residual Heat Removal System
11
27 Scope
Startup feedwater pumps are not included in the scope of this indicator.  
28 The functions monitored for the PWR residual heat removal (RHR) system are those that are
12
29 required to be available when the reactor is critical. These typically include the low-pressure
30 injection function (if risk-significant) and the post-accident recirculation mode used to cool and
13  
31 recirculate water from the containment sump following depletion of RWST inventory to provide
Train Determination  
32 post-accident decay heat removal. The pumps, heat exchangers, and associated piping and valves
14
33 for those functions are included in the scope of the RHR system. Containment spray function
The number of trains is determined primarily by the number of parallel pumps. For example, a  
34 should be included if it is identified in the PRA as a risk-significant post accident decay heat
15
35 removal function. Containment spray systems that only provide containment pressure control are
system with three pumps is defined as a three-train system, whether it feeds two, three, or four  
36 not included.
16
37
injection lines, and regardless of the flow capacity of the pumps. Some components may be  
38
17
39
included in the scope of more than one train. For example, one set of flow regulating valves and  
40 Train Determination
18
41 The number of trains in the RHR system is determined by the number of parallel RHR heat
isolation valves in a three-pump, two-steam generator system are included in the motor-driven  
42 exchangers. Some components are used to provide more than one function of RHR. If a
19
43 component cannot perform as designed, rendering its associated train incapable of meeting one
pump train with which they are electrically associated, but they are also included (along with the  
                                                    15
20
redundant set of valves) in the turbine-driven pump train. In these instances, the effects of testing  
21
or failure of the valves should be reported in both affected trains. Similarly, when two trains  
22
provide flow to a common header, the effect of isolation or flow regulating valve failures in  
23
paths connected to the header should be considered in both trains.  
24
25  
PWR Residual Heat Removal System  
26
Scope
27  
The functions monitored for the PWR residual heat removal (RHR) system are those that are  
28
required to be available when the reactor is critical. These typically include the low-pressure  
29
injection function (if risk-significant) and the post-accident recirculation mode used to cool and  
30
recirculate water from the containment sump following depletion of RWST inventory to provide  
31
post-accident decay heat removal. The pumps, heat exchangers, and associated piping and valves  
32
for those functions are included in the scope of the RHR system. Containment spray function  
33
should be included if it is identified in the PRA as a risk-significant post accident decay heat  
34
removal function. Containment spray systems that only provide containment pressure control are  
35
not included.  
36
37  
38  
39  
Train Determination  
40
The number of trains in the RHR system is determined by the number of parallel RHR heat  
41
exchangers. Some components are used to provide more than one function of RHR. If a  
42
component cannot perform as designed, rendering its associated train incapable of meeting one  
43


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
16
  1 of the risk-significant functions, then the train is considered to be failed. Unavailable hours
DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
2 would be reported as a result of the component failure.
   
3 Cooling Water Support System
 
4 Scope
5 The function of the cooling water support system is to provide for direct cooling of the
of the risk-significant functions, then the train is considered to be failed. Unavailable hours  
6 components in the other monitored systems. It does not include indirect cooling provided by
1
7 room coolers or other HVAC features.
would be reported as a result of the component failure.  
  8
2
9 Systems that provide this function typically include service water and component cooling water
Cooling Water Support System  
10 or their cooling water equivalents. Pumps, valves, heat exchangers and line segments that are
3
11 necessary to provide cooling to the other monitored systems are included in the system scope up
Scope
12 to, but not including, the last valve that connects the cooling water support system to the other
4  
13 monitored systems. This last valve is included in the other monitored system boundary.
The function of the cooling water support system is to provide for direct cooling of the  
14
5
15 Valves in the cooling water support system that must close to ensure sufficient cooling to the
components in the other monitored systems. It does not include indirect cooling provided by  
16 other monitored system components to meet risk significant functions are included in the system
6
17 boundary.
room coolers or other HVAC features.  
18
7
19
   
20
8  
21 Train Determination
Systems that provide this function typically include service water and component cooling water  
22 The number of trains in the Cooling Water Support System will vary considerably from plant to
9
23 plant. The way these functions are modeled in the plant-specific PRA will determine a logical
or their cooling water equivalents. Pumps, valves, heat exchangers and line segments that are  
24 approach for train determination. For example, if the PRA modeled separate pump and line
10
25 segments, then the number of pumps and line segments would be the number of trains.
necessary to provide cooling to the other monitored systems are included in the system scope up  
26
11
27 Clarifying Notes
to, but not including, the last valve that connects the cooling water support system to the other  
28 Service water pump strainers and traveling screens are not considered to be active components
12
29 and are therefore not part of URI. However, clogging of strainers and screens due to expected or
monitored systems. This last valve is included in the other monitored system boundary.  
30 routinely predictable environmental conditions that render the train unavailable to perform its
13
31 risk significant cooling function (which includes the risk-significant mission times)are included
32 in UAI.
14  
33
Valves in the cooling water support system that must close to ensure sufficient cooling to the  
34 Unpredictable extreme environmental conditions that render the train unavailable to perform its
15
35 risk significant cooling function should be addressed through the FAQ process to determine if
other monitored system components to meet risk significant functions are included in the system  
36 resulting unavailability should be included in UAI.
16
37
boundary.  
                                                      16
17
18  
19  
20  
Train Determination  
21
The number of trains in the Cooling Water Support System will vary considerably from plant to  
22
plant. The way these functions are modeled in the plant-specific PRA will determine a logical  
23
approach for train determination. For example, if the PRA modeled separate pump and line  
24
segments, then the number of pumps and line segments would be the number of trains.
25
26  
Clarifying Notes  
27
Service water pump strainers and traveling screens are not considered to be active components  
28
and are therefore not part of URI. However, clogging of strainers and screens due to expected or  
29
routinely predictable environmental conditions that render the train unavailable to perform its  
30
risk significant cooling function (which includes the risk-significant mission times)are included  
31
in UAI.  
32
33  
Unpredictable extreme environmental conditions that render the train unavailable to perform its  
34
risk significant cooling function should be addressed through the FAQ process to determine if  
35
resulting unavailability should be included in UAI.  
36
37  


                                                                        Attachment 2
Attachment 2
                                                                        RIS 2002-14
RIS 2002-14
NEI 99-02, Appendix F,  Methodologies For Computing the Unavailability Index, the
NEI 99-02, Appendix F,  Methodologies For Computing the Unavailability Index, the
Unreliability Index and Determining Performance Index Validity (Draft).
Unreliability Index and Determining Performance Index Validity (Draft).  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1                                         APPENDIX F
F-1  
  2
APPENDIX F  
3      METHODOLOGIES FOR COMPUTING THE UNAVAILABILITY
1
4        INDEX, THE UNRELIABILITY INDEX AND DETERMINING
   
5                          PERFORMANCE INDEX VALIDITY
2  
6 This appendix provides the details of three calculations, calculation of the System
METHODOLOGIES FOR COMPUTING THE UNAVAILABILITY  
7 Unavailability Index, the System Unreliability Index, and the criteria for determining
3
8 when the Mitigating System Performance Index is unsuitable for use as a performance
INDEX, THE UNRELIABILITY INDEX AND DETERMINING  
9 index.
4
10 System Unavailability Index (UAI) Due to Changes in Train Unavailability
PERFORMANCE INDEX VALIDITY  
11 Calculation of System UAI due to changes in train unavailability is as follows:
5
                      n
This appendix provides the details of three calculations, calculation of the System  
12          UAI = UAItj                                                                  Eq. 1
6
                    j =1
Unavailability Index, the System Unreliability Index, and the criteria for determining  
13 where the summation is over the number of trains (n) and UAIt is the unavailability index
7
14 for a train.
when the Mitigating System Performance Index is unsuitable for use as a performance  
15 Calculation of UAIt for each train due to changes in train unavailability is as follows:
8
                          é FVUAp
index.  
16          UAIt = CDFp          ú (UAt - UABLt ) ,                                     Eq. 2
9
                            UAp û max
System Unavailability Index (UAI) Due to Changes in Train Unavailability  
17 where:
10
18          CDFp is the plant-specific, internal events, at power Core Damage Frequency,
Calculation of System UAI due to changes in train unavailability is as follows:  
19          FVUAp is the train-specific Fussell-Vesely value for unavailability,
11
20          UAP is the plant-specific PRA value of unavailability for the train,
UAI 
21          UAt is the actual unavailability of train t, defined as:
UAItj
                        Unavailable hours during the previous 12 quarters while critical
j 1
22              UAt =
n
                                  Critical hours during the previous 12 quarters

23 and,
   
24          UABLt is the historical baseline unavailability value for the train determined
Eq. 1  
25          as described below.
12
26          UABLt is the sum of two elements: planned and unplanned unavailability. Planned
where the summation is over the number of trains (n) and UAIt is the unavailability index  
27          unavailability is the actual, plant-specific three-year total planned unavailability
13
28          for the train for the years 1999 through 2001 (see clarifying notes for details).
for a train.  
29          This period is chosen as the most representative of how the plant intends to
14
30          perform routine maintenance and surveillances at power. Unplanned
Calculation of UAIt for each train due to changes in train unavailability is as follows:
31          unavailability is the historical industry average for unplanned unavailability for
15
                                                  F-1
)
(
max
BLt
t
p
UAp
p
t
UA
UA
UA
FV
CDF
UAI






,
Eq. 2  
16
where:  
17
CDFp is the plant-specific, internal events, at power Core Damage Frequency,  
18
FVUAp is the train-specific Fussell-Vesely value for unavailability,  
19
UAP is the plant-specific PRA value of unavailability for the train,  
20
UAt is the actual unavailability of train t, defined as:  
21
quarters
12
previous
the
during
hours
Critical
critical
while
quarters
12
previous
the
during
hours
e
Unavailabl

t
UA
22
and,  
23
UABLt is the historical baseline unavailability value for the train determined  
24
as described below.  
25
UABLt is the sum of two elements: planned and unplanned unavailability. Planned  
26
unavailability is the actual, plant-specific three-year total planned unavailability  
27
for the train for the years 1999 through 2001 (see clarifying notes for details).
28
This period is chosen as the most representative of how the plant intends to  
29
perform routine maintenance and surveillances at power. Unplanned  
30
unavailability is the historical industry average for unplanned unavailability for  
31


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1        the years 1999 through 2001. See Table 1 for historical train values for
F-2
2        unplanned unavailability.
the years 1999 through 2001. See Table 1 for historical train values for  
3 Calculation of the quantity inside the square bracket in equation 2 will be discussed at the
1
4 end of the next section. See clarifying notes for calculation of UAI for cooling water
unplanned unavailability.  
5 support system.
2
  6
Calculation of the quantity inside the square bracket in equation 2 will be discussed at the  
7 System Unreliability Index (URI) Due to Changes in Component Unreliability
3
8 Unreliability is monitored at the component level and calculated at the system level.
end of the next section. See clarifying notes for calculation of UAI for cooling water  
9 Calculation of system URI due to changes in component unreliability is as follows:
4
                          m é FVURcj
support system.  
10        URI = CDFp              ú (URBcj - URBLcj )                                Eq. 3
5
                        j =1  URpcj û max
   
11 Where the summation is over the number of active components (m) in the system, and:
6  
12        CDFp is the plant-specific internal events, at power, core damage frequency,
System Unreliability Index (URI) Due to Changes in Component Unreliability  
13        FVURc is the component-specific Fussell-Vesely value for unreliability,
7
14        URPc is the plant-specific PRA value of component unreliability,
Unreliability is monitored at the component level and calculated at the system level.  
15        URBc is the Bayesian corrected component unreliability for the previous 12
8
16        quarters,
Calculation of system URI due to changes in component unreliability is as follows:
17 and
9
18        URBLc is the historical industry baseline calculated from unreliability mean values
)
19        for each monitored component in the system. The calculation is performed in a
(
20        manner similar to equation 4 below using the industry average values in Table 2.
1
21 Calculation of the quantity inside the square bracket in equation 3 will be discussed at the
max
22 end of this section.
BLcj
23 Component unreliability is calculated as follows.
Bcj
24        URBc = P D + lTm                                                              Eq 4
m
25 where:
j
26        PD is the component failure on demand probability calculated based on data
pcj
27        collected during the previous 12 quarters,
URcj
28        l is the component failure rate (per hour) for failure to run calculated based on
p
29        data collected during the previous 12 quarters,
UR
30 and
UR
31        Tm is the risk-significant mission time for the component based on plant specific
UR
32        PRA model assumptions. Add acceptable methodologies for determining mission
FV
33        time.
CDF
34                                               F-2
URI







 
Eq. 3  
10
Where the summation is over the number of active components (m) in the system, and:  
11
CDFp is the plant-specific internal events, at power, core damage frequency,  
12
FVURc is the component-specific Fussell-Vesely value for unreliability,  
13
URPc is the plant-specific PRA value of component unreliability,  
14
URBc is the Bayesian corrected component unreliability for the previous 12  
15
quarters,  
16
and
17  
URBLc is the historical industry baseline calculated from unreliability mean values  
18
for each monitored component in the system. The calculation is performed in a  
19
manner similar to equation 4 below using the industry average values in Table 2.  
20
Calculation of the quantity inside the square bracket in equation 3 will be discussed at the  
21
end of this section.  
22
Component unreliability is calculated as follows.  
23
URBc  PD  Tm
Eq 4  
24
where:  
25
PD is the component failure on demand probability calculated based on data  
26
collected during the previous 12 quarters,  
27
 is the component failure rate (per hour) for failure to run calculated based on  
28
data collected during the previous 12 quarters,  
29
and
30  
Tm is the risk-significant mission time for the component based on plant specific  
31
PRA model assumptions. Add acceptable methodologies for determining mission  
32
time.  
33
34  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1 NOTE:
F-3
2 For valves only the PD term applies
NOTE:  
3 For pumps PD + l Tm applies
1
4 For diesels PD start + PD load run + l Tm applies
For valves only the PD term applies  
  5
2
6 The first term on the right side of equation 4 is calculated as follows.1
For pumps PD +  Tm applies  
                    (Nd + a)
3
  7          PD =                                                                        Eq. 5
For diesels PD start +   PD load run +  Tm applies  
                  (a + b + D)
4
8 where:
   
9        Nd is the total number of failures on demand during the previous 12 quarters,
5  
10        D is the total number of demands during the previous 12 quarters (actual ESF
The first term on the right side of equation 4 is calculated as follows.1  
11        demands plus estimated test and estimated operational/alignment demands. An
6
12        update to the estimated demands is required if a change to the basis for the
PD 
13        estimated demands results in a >25% change in the estimate),
(Nd  a)
14 and
(a  b  D)  
15        a and b are parameters of the industry prior, derived from industry experience (see
Eq. 5  
16        Table 2).
7
17 In the calculation of equation 5 the numbers of demands and failures is the sum of all
where:  
18 demands and failures for similar components within each system. Do not sum across
8
19 units for a multi-unit plant. For example, for a plant with two trains of Emergency Diesel
Nd is the total number of failures on demand during the previous 12 quarters,  
20 Generators, the demands and failures for both trains would be added together for one
9
21 evaluation of PD which would be used for both trains of EDGs.
D is the total number of demands during the previous 12 quarters (actual ESF  
22 In the second term on the right side of equation 4, l is calculated as follows.
10
                (Nr + a)
demands plus estimated test and estimated operational/alignment demands. An  
23        l=                                                                            Eq. 6
11
                (T r + b)
update to the estimated demands is required if a change to the basis for the  
24 where:
12
25        Nr is the total number of failures to run during the previous 12 quarters,
estimated demands results in a >25% change in the estimate),  
26        Tr is the total number of run hours during the previous 12 quarters (actual ESF run
13
27        hours plus estimated test and estimated operational/alignment run hours. An
and
28        update to the estimated run hours is required if a change to the basis for the
14  
29        estimated hours results in a >25% change in the estimate).
a and b are parameters of the industry prior, derived from industry experience (see  
30 and
15
  1 Atwood, Corwin L., Constrained noninformative priors in risk assessment, Reliability
Table 2).  
  Engineering and System Safety, 53 (1996; 37-46)
16
                                                  F-3
In the calculation of equation 5 the numbers of demands and failures is the sum of all  
17
demands and failures for similar components within each system. Do not sum across  
18
units for a multi-unit plant. For example, for a plant with two trains of Emergency Diesel  
19
Generators, the demands and failures for both trains would be added together for one  
20
evaluation of PD which would be used for both trains of EDGs.  
21
In the second term on the right side of equation 4,  is calculated as follows.  
22
  (Nr  a)
(Tr  b) 
Eq. 6  
23
where:  
24
Nr is the total number of failures to run during the previous 12 quarters,  
25
Tr is the total number of run hours during the previous 12 quarters (actual ESF run  
26
hours plus estimated test and estimated operational/alignment run hours. An  
27
update to the estimated run hours is required if a change to the basis for the  
28
estimated hours results in a >25% change in the estimate).  
29
and
30  
                                           
1 Atwood, Corwin L., Constrained noninformative priors in risk assessment, Reliability  
Engineering and System Safety, 53 (1996; 37-46)  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1          a and b are parameters of the industry prior, derived from industry experience (see
F-4
2          Table 2).
a and b are parameters of the industry prior, derived from industry experience (see  
3 In the calculation of equation 6 the numbers of demands and run hours is the sum of all
1
4 run hours and failures for similar components within each system. Do not sum across
Table 2).  
5 units for a multi-unit plant. For example, a plant with two trains of Emergency Diesel
2
6 Generators, the run hours and failures for both trains would be added together for one
In the calculation of equation 6 the numbers of demands and run hours is the sum of all  
7 evaluation of l which would be used for both trains of EDGs.
3
8 Fussell-Vesely, Unavailability and Unreliability
run hours and failures for similar components within each system. Do not sum across  
9 Equations 2 and 3 include a term that is the ratio of a Fussell-Vesely importance value
4
10 divided by the related unreliability or unavailability. Calculation of these quantities is
units for a multi-unit plant. For example, a plant with two trains of Emergency Diesel  
11 generally complex, but in the specific application used here, can be greatly simplified.
5
12 The simplifying feature of this application is that only those components (or the
Generators, the run hours and failures for both trains would be added together for one  
13 associated basic events) that can fail a train are included in the performance index.
6
14 Components within a train that can each fail the train are logically equivalent and the
evaluation of  which would be used for both trains of EDGs.  
15 ratio FV/UR is a constant value for any basic event in that train. It can also be shown that
7
16 for a given component or train represented by multiple basic events, the ratio of the two
Fussell-Vesely, Unavailability and Unreliability  
17 values for the component or train is equal to the ratio of values for any basic event within
8
18 the train. Or:
Equations 2 and 3 include a term that is the ratio of a Fussell-Vesely importance value  
    FVbe FVURc FVt
9
19       =        =      = Constant
divided by the related unreliability or unavailability. Calculation of these quantities is  
    URbe URPc URt
10
20 and
generally complex, but in the specific application used here, can be greatly simplified.  
    FVbe FVUAp
11
21      =        = Constant
The simplifying feature of this application is that only those components (or the  
    UAbe    UAp
12
22 Note that the constant value may be different for the unreliability ratio and the
associated basic events) that can fail a train are included in the performance index.  
23 unavailability ratio because the two types of events are frequently not logically
13
24 equivalent. For example recovery actions may be modeled in the PRA for one but not the
Components within a train that can each fail the train are logically equivalent and the  
25 other.
14
26 Thus, the process for determining the value of this ratio for any component or train is to
ratio FV/UR is a constant value for any basic event in that train. It can also be shown that  
27 identify a basic event that fails the component or train, determine the failure probability
15
28 or unavailability for the event, determine the associated FV value for the event and then
for a given component or train represented by multiple basic events, the ratio of the two  
29 calculate the ratio. Use the basic event in the component or train with the largest failure
16
30 probability (hence the maximum notation on the bracket) to minimize the effects of
values for the component or train is equal to the ratio of values for any basic event within  
31 truncation on the calculation. Exclude common cause events, which are not within the
17
32 scope of this performance index
the train. Or:  
33 Some systems have multiple modes of operation, such as PWR HPSI systems that operate
18
34 in injection as well as recirculation modes. In these systems all active components are not
FVbe
35 logically equivalent, unavailability of the pump fails all operating modes while
URbe  FVURc
36 unavailability of the sump suction valves only fails the recirculation mode. In cases such
URPc  FVt
                                                F-4
URt  Constant
19  
and
20  
FVbe
UAbe  FVUAp
UAp  Constant  
21
Note that the constant value may be different for the unreliability ratio and the  
22
unavailability ratio because the two types of events are frequently not logically  
23
equivalent. For example recovery actions may be modeled in the PRA for one but not the  
24
other.  
25
Thus, the process for determining the value of this ratio for any component or train is to  
26
identify a basic event that fails the component or train, determine the failure probability  
27
or unavailability for the event, determine the associated FV value for the event and then  
28
calculate the ratio. Use the basic event in the component or train with the largest failure  
29
probability (hence the maximum notation on the bracket) to minimize the effects of  
30
truncation on the calculation. Exclude common cause events, which are not within the  
31
scope of this performance index  
32
Some systems have multiple modes of operation, such as PWR HPSI systems that operate  
33
in injection as well as recirculation modes. In these systems all active components are not  
34
logically equivalent, unavailability of the pump fails all operating modes while  
35
unavailability of the sump suction valves only fails the recirculation mode. In cases such  
36


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1 as these, if unavailability events exist separately for the components within a train, the
F-5
2 appropriate ratio to use is the maximum.
as these, if unavailability events exist separately for the components within a train, the  
3 Determination of systems for which the performance index is not valid
1
4 The performance index relies on the existing testing programs as the source of the data
appropriate ratio to use is the maximum.  
5 that is input to the calculations. Thus, the number of demands in the monitoring period is
2
6 based on the frequency of testing required by the current test programs. In most cases this
Determination of systems for which the performance index is not valid  
7 will provide a sufficient number of demands to result in a valid statistical result.
3
8 However, in some cases, the number of demands will be insufficient to resolve the
The performance index relies on the existing testing programs as the source of the data  
9 change in the performance index (1.0x10-6) that corresponds to movement from a green
4
10 performance to a white performance level. In these cases, one failure is the difference
that is input to the calculations. Thus, the number of demands in the monitoring period is  
11 between baseline performance and performance in the white performance band. The
5
12 performance index is not suitable for monitoring such systems and monitoring is
based on the frequency of testing required by the current test programs. In most cases this  
13 performed through the inspection process.
6
14 This section will define the method to be used to identify systems for which the
will provide a sufficient number of demands to result in a valid statistical result.  
15 performance index is not valid, and will not be used.
7
16 The criteria to be used to identify an invalid performance index is:
However, in some cases, the number of demands will be insufficient to resolve the  
17          If, for any failure mode for any component in a system, the risk increase
8
18          (DCDF) associated with the change in unreliability resulting from single
change in the performance index (1.0x10-6) that corresponds to movement from a green  
19          failure is larger than 1.0x10-6, then the performance index will be
9
20          considered invalid for that system.
performance to a white performance level. In these cases, one failure is the difference  
21 The increase in risk associated with a component failure is the sum of the contribution
10
22 from the decrease in calculated reliability as a result of the failure and the decrease in
between baseline performance and performance in the white performance band. The  
23 availability resulting from the time required to affect the repair of the failed component.
11
24 The change in CDF that results from a demand type failure is given by:
performance index is not suitable for monitoring such systems and monitoring is  
25
12
                                              FVURc       1   ü
performed through the inspection process.  
            MSPI = CDFp '                  í
13
                              N similar comp  URpc
This section will define the method to be used to identify systems for which the  
                                                      '          ý
14
                                                        a + b + D
performance index is not valid, and will not be used.  
26                                                                                        Eq. 7
15
                                      FVUAp TMean Repair
The criteria to be used to identify an invalid performance index is:  
                        + CDFp '              '
16
                                      UAp        TCR
If, for any failure mode for any component in a system, the risk increase  
27
17
28 Likewise, the change in CDF per run type failure is given by:
(CDF) associated with the change in unreliability resulting from single  
29
18
                                              FVURc    Tm ü
failure is larger than 1.0x10-6, then the performance index will be  
            MSPI = CDFp '                  í
19
                              N similar comp URpc
considered invalid for that system.  
                                                      '       ý
20
                                                        b + Tr
The increase in risk associated with a component failure is the sum of the contribution  
30                                                                                        Eq. 8
21
                                      FVUAp TMean Repair
from the decrease in calculated reliability as a result of the failure and the decrease in  
                        + CDFp '              '
22
                                      UAp        TCR
availability resulting from the time required to affect the repair of the failed component.  
                                                        F-5
23
The change in CDF that results from a demand type failure is given by:  
24
25  
CR
Mean
p
UAp
p
comp
similar
N
pc
URc
p
T
T
UA
FV
CDF
D
b
a
UR
FV
CDF
MSPI
Repair
        
         
1










 
Eq. 7  
26
27  
Likewise, the change in CDF per run type failure is given by:  
28
29  
CR
p
UAp
p
comp
similar
N
r
m
pc
URc
p
T
T
UA
FV
CDF
T
b
T
UR
FV
CDF
MSPI
Repair
Mean
   
        
         









 
Eq. 8  
30


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1 In these expressions, the variables are as defined earlier and additionally
F-6
2          TMR is the mean time to repair for the component
In these expressions, the variables are as defined earlier and additionally  
3 and
1
4          TCR is the number of critical hours in the monitoring period.
TMR is the mean time to repair for the component  
5 The summation in the equations is taken over all similar components within a system.
2
6 With multiple components of a given type in one system, the impact of the failure on
and
7 CDF is included in the increased unavailability of all components of that type due to
3  
8 pooling the demand and failure data.
TCR is the number of critical hours in the monitoring period.  
9 The mean time to repair can be estimate as one-half the Technical Specification Allowed
4
10 Outage Time for the component and the number of critical hours should correspond to the
The summation in the equations is taken over all similar components within a system.  
11 1999 - 2001 actual number of critical hours.
5
12 These equations are be used for all failure modes for each component in a system. If the
With multiple components of a given type in one system, the impact of the failure on  
13 resulting value of DCDF is greater than 1.0x10-6 for any failure mode of any component,
6
14 then the performance index for that system is not considered valid.
CDF is included in the increased unavailability of all components of that type due to  
15
7
16 Definitions
pooling the demand and failure data.  
17
8
18 Train Unavailability: Train unavailability is the ratio of the hours the train was
The mean time to repair can be estimate as one-half the Technical Specification Allowed  
19 unavailable to perform its risk-significant functions due to planned or unplanned
9
20 maintenance or test during the previous 12 quarters while critical to the number of critical
Outage Time for the component and the number of critical hours should correspond to the  
21 hours during the previous 12 quarters. (Fault exposure hours are not included;
10
22 unavailable hours are counted only for the time required to recover the trains risk-
1999 - 2001 actual number of critical hours.  
23 significant functions.)
11
24 Train unavailable hours: The hours the train was not able to perform its risk significant
These equations are be used for all failure modes for each component in a system. If the  
25 function due to maintenance, testing, equipment modification, electively removed from
12
26 service, corrective maintenance, or the elapsed time between the discovery and the
resulting value of CDF is greater than 1.0x10-6 for any failure mode of any component,  
27 restoration to service of an equipment failure or human error that makes the train
13
28 unavailable (such as a misalignment) while the reactor is critical.
then the performance index for that system is not considered valid.  
29 Fussell-Vesely (FV) Importance:
14
30 The Fussell-Vesely importance for a feature (component, sub-system, train, etc.) of a
31 system is representative of the fractional contribution that feature makes to the to the total
15  
32 risk of the system.
Definitions
33 The Fussell-Vesely importance of a basic event or group of basic events that represent a
16  
34 feature of a system is represented by:
              Ri
17  
35  FV = 1 -
Train Unavailability: Train unavailability is the ratio of the hours the train was  
              R0
18
                                                F-6
unavailable to perform its risk-significant functions due to planned or unplanned  
19
maintenance or test during the previous 12 quarters while critical to the number of critical  
20
hours during the previous 12 quarters. (Fault exposure hours are not included;  
21
unavailable hours are counted only for the time required to recover the trains risk-
22
significant functions.)  
23
Train unavailable hours: The hours the train was not able to perform its risk significant  
24
function due to maintenance, testing, equipment modification, electively removed from  
25
service, corrective maintenance, or the elapsed time between the discovery and the  
26
restoration to service of an equipment failure or human error that makes the train  
27
unavailable (such as a misalignment) while the reactor is critical.
28
Fussell-Vesely (FV) Importance:  
29
The Fussell-Vesely importance for a feature (component, sub-system, train, etc.) of a  
30
system is representative of the fractional contribution that feature makes to the to the total  
31
risk of the system.  
32
The Fussell-Vesely importance of a basic event or group of basic events that represent a  
33
feature of a system is represented by:  
34
0
1
R
R
FV
i


35


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
  1 Where:
F-7
2          R0 is the base (reference) case overall model risk,
Where:  
3          Ri is the decreased risk level with feature i completely reliable.
1  
4 In this expression, the second term on the right represents the fraction of the reference
R0 is the base (reference) case overall model risk,  
5 risk remaining assuming the feature of interest is perfect. Thus 1 minus the second term is
2
6 the fraction of the reference risk attributed to the feature of interest.
Ri is the decreased risk level with feature i completely reliable.  
7 The Fussell-Vesely importance is calculated according to the following equation:
3
                                UC
In this expression, the second term on the right represents the fraction of the reference  
                              j =1, n
4
                                      i j
risk remaining assuming the feature of interest is perfect. Thus 1 minus the second term is  
8                  FV = 1 -              ,
5
                                UC
the fraction of the reference risk attributed to the feature of interest.  
                              j =1, m
6
                                      0j
The Fussell-Vesely importance is calculated according to the following equation:  
9 where the denominator represents the union of m minimal cutsets C0 generated with the
7
10 reference (baseline) model, and the numerator represents the union of n minimal cutsets

11 Ci generated assuming events related to the feature are perfectly reliable, or their failure

12 probability is False.
m
13 Critical hours: The number of hours the reactor was critical during a specified period of
j
14 time.
j
15 Component Unreliability: Component unreliability is the probability that the component
n
16 would not perform its risk-significant functions when called upon during the previous 12
j
17 quarters.
j
18 Active Component: A component whose failure to change state renders the train incapable
i
19 of performing its risk-significant functions. In addition, all pumps and diesels in the
C
20 monitored systems are included as active components. (See clarifying notes.)
C
21 Manual Valve: A valve that can only be operated by a person. An MOV or AOV that is
FV
22 remotely operated by a person may be an active component.
,1
23 Start demand: Any demand for the component to successfully start to perform its risk-
0
24 significant functions, actual or test. (Exclude post maintenance tests, unless in case of a
,1
25 failure the cause of failure was independent of the maintenance performed.)
26 Post maintenance tests: Tests performed following maintenance but prior to declaring the
1
27 train/component operable, consistent with Maintenance Rule implementation.

28 Run demand: Any demand for the component, given that it has successfully started, to

29 run/operate for its mission time to perform its risk-significant functions. (Exclude post

30 maintenance tests, unless in case of a failure the cause of failure was independent of the

31 maintenance performed.)
,  
32 EDG failure to start: A failure to start includes those failures up to the point the EDG has
8
33 achieved rated speed and voltage. (Exclude post maintenance tests, unless the cause of
where the denominator represents the union of m minimal cutsets C0 generated with the  
34 failure was independent of the maintenance performed.)
9
                                                  F-7
reference (baseline) model, and the numerator represents the union of n minimal cutsets  
10
Ci generated assuming events related to the feature are perfectly reliable, or their failure  
11
probability is False.  
12
Critical hours: The number of hours the reactor was critical during a specified period of  
13
time.  
14
Component Unreliability: Component unreliability is the probability that the component  
15
would not perform its risk-significant functions when called upon during the previous 12  
16
quarters.  
17
Active Component: A component whose failure to change state renders the train incapable  
18
of performing its risk-significant functions. In addition, all pumps and diesels in the  
19
monitored systems are included as active components. (See clarifying notes.)  
20
Manual Valve: A valve that can only be operated by a person. An MOV or AOV that is  
21
remotely operated by a person may be an active component.  
22
Start demand: Any demand for the component to successfully start to perform its risk-
23
significant functions, actual or test. (Exclude post maintenance tests, unless in case of a  
24
failure the cause of failure was independent of the maintenance performed.)  
25
Post maintenance tests: Tests performed following maintenance but prior to declaring the  
26
train/component operable, consistent with Maintenance Rule implementation.  
27
Run demand: Any demand for the component, given that it has successfully started, to  
28
run/operate for its mission time to perform its risk-significant functions. (Exclude post  
29
maintenance tests, unless in case of a failure the cause of failure was independent of the  
30
maintenance performed.)  
31
EDG failure to start: A failure to start includes those failures up to the point the EDG has  
32
achieved rated speed and voltage. (Exclude post maintenance tests, unless the cause of  
33
failure was independent of the maintenance performed.)  
34


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1 EDG failure to load/run: Given that it has successfully started, a failure of the EDG
F-8
2 output breaker to close, loads successfully sequence and to run/operate for one hour to
EDG failure to load/run: Given that it has successfully started, a failure of the EDG  
3 perform its risk-significant functions. This failure mode is treated as a demand failure for
1
4 calculation purposes. (Exclude post maintenance tests, unless the cause of failure was
output breaker to close, loads successfully sequence and to run/operate for one hour to  
5 independent of the maintenance performed.)
2
6 EDG failure to run: Given that it has successfully started and loaded and run for an hour,
perform its risk-significant functions. This failure mode is treated as a demand failure for  
7 a failure of an EDG to run/operate. for its mission time to perform its risk-significant
3
8 functions. (Exclude post maintenance tests, unless the cause of failure was independent of
calculation purposes. (Exclude post maintenance tests, unless the cause of failure was  
9 the maintenance performed.)
4
10 Pump failure on demand: A failure to start and run for at least one hour is counted as
independent of the maintenance performed.)  
11 failure on demand. (Exclude post maintenance tests, unless the cause of failure was
5
12 independent of the maintenance performed.)
EDG failure to run: Given that it has successfully started and loaded and run for an hour,  
13 Pump failure to run: Given that it has successfully started and run for an hour, a failure of
6
14 a pump to run/operate. for its mission time to perform its risk-significant functions.
a failure of an EDG to run/operate. for its mission time to perform its risk-significant  
15 (Exclude post maintenance tests, unless the cause of failure was independent of the
7
16 maintenance performed.)
functions. (Exclude post maintenance tests, unless the cause of failure was independent of  
17 Valve failure on demand: A failure to open or close is counted as failure on demand.
8
18 (Exclude post maintenance tests, unless the cause of failure was independent of the
the maintenance performed.)  
19 maintenance performed.)
9
20 Clarifying Notes
Pump failure on demand: A failure to start and run for at least one hour is counted as  
21 Train Boundaries and Unavailable Hours
10
22 Include all components that are required to satisfy the risk-significant function of the
failure on demand. (Exclude post maintenance tests, unless the cause of failure was  
23 train. For example, high-pressure injection may have both an injection mode with
11
24 suction from the refueling water storage tank and a recirculation mode with suction from
independent of the maintenance performed.)  
25 the containment sump. Some components may be included in the scope of more than one
12
26 train. For example, one set of flow regulating valves and isolation valves in a three-pump,
Pump failure to run: Given that it has successfully started and run for an hour, a failure of  
27 two-steam generator system are included in the motor-driven pump train with which they
13
28 are electrically associated, but they are also included (along with the redundant set of
a pump to run/operate. for its mission time to perform its risk-significant functions.  
29 valves) in the turbine-driven pump train. In these instances, the effects of unavailability
14
30 of the valves should be reported in both affected trains. Similarly, when two trains
(Exclude post maintenance tests, unless the cause of failure was independent of the  
31 provide flow to a common header, the effect of isolation or flow regulating valve failures
15
32 in paths connected to the header should be considered in both trains
maintenance performed.)  
33 Cooling Water Support System Trains
16
34 The number of trains in the Cooling Water Support System will vary considerably from
Valve failure on demand: A failure to open or close is counted as failure on demand.  
35 plant to plant. The way these functions are modeled in the plant-specific PRA will
17
36 determine a logical approach for train determination. For example, if the PRA modeled
(Exclude post maintenance tests, unless the cause of failure was independent of the  
37 separate pump and line segments, then the number of pumps and line segments would be
18
38 the number of trains. A separate value for UAI and URI will be calculated for each of the
maintenance performed.)  
39 systems in this indicator and then they will be added together to calculate the MSPI.
19
                                                F-8
Clarifying Notes  
20
Train Boundaries and Unavailable Hours  
21
Include all components that are required to satisfy the risk-significant function of the  
22
train. For example, high-pressure injection may have both an injection mode with  
23
suction from the refueling water storage tank and a recirculation mode with suction from  
24
the containment sump. Some components may be included in the scope of more than one  
25
train. For example, one set of flow regulating valves and isolation valves in a three-pump,  
26
two-steam generator system are included in the motor-driven pump train with which they  
27
are electrically associated, but they are also included (along with the redundant set of  
28
valves) in the turbine-driven pump train. In these instances, the effects of unavailability  
29
of the valves should be reported in both affected trains. Similarly, when two trains  
30
provide flow to a common header, the effect of isolation or flow regulating valve failures  
31
in paths connected to the header should be considered in both trains  
32
Cooling Water Support System Trains  
33
The number of trains in the Cooling Water Support System will vary considerably from  
34
plant to plant. The way these functions are modeled in the plant-specific PRA will  
35
determine a logical approach for train determination. For example, if the PRA modeled  
36
separate pump and line segments, then the number of pumps and line segments would be  
37
the number of trains. A separate value for UAI and URI will be calculated for each of the  
38
systems in this indicator and then they will be added together to calculate the MSPI.  
39


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
  1
F-9
2 Active Components
   
3 For unreliability, use the following criteria for determining those components that should
1  
4 be monitored:
Active Components  
5 *  Components that are normally running or have to change state to achieve the risk
2
6    significant function will be included in the performance index. Active failures of
For unreliability, use the following criteria for determining those components that should  
7    check valves and manual valves are excluded from the performance index and will be
3
8    evaluated in the NRC inspection program.
be monitored:  
9 *  Redundant valves within a train are not included in the performance index. Only
4
10    those valves whose failure alone can fail a train will be included. The PRA success
 Components that are normally running or have to change state to achieve the risk  
11    criteria are to be used to identify these valves.
5
12 *  Redundant valves within a multi-train system, whether in series or parallel, where the
significant function will be included in the performance index. Active failures of  
13    failure of both valves would prevent all trains in the system from performing a risk-
6
14    significant function are included. (See Figure F-5)
check valves and manual valves are excluded from the performance index and will be  
15 *  All pumps and diesels are included in the performance index
7
16 Table 3 defines the boundaries of components, and Figures F-1, F-2, F-3 and F-4 provide
evaluated in the NRC inspection program.  
17 examples of typical component boundaries as described in Table 3. Each plant will
8
18 determine their system boundaries, active components, and support components, and
 Redundant valves within a train are not included in the performance index. Only  
19 have them available for NRC inspection.
9
20 Failures of Non-Active Components
those valves whose failure alone can fail a train will be included. The PRA success  
21 Failures of SSCs that are not included in the performance index will not be counted as a
10
22 failure or a demand. Failures of SSCs that cause an SSC within the scope of the
criteria are to be used to identify these valves.  
23 performance index to fail will not be counted as a failure or demand. An example could
11
24 be a manual suction isolation valve left closed which causes a pump to fail. This would
 Redundant valves within a multi-train system, whether in series or parallel, where the  
25 not be counted as a failure of the pump. Any mispositioning of the valve that caused the
12
26 train to be unavailable would be counted as unavailability from the time of discovery.
failure of both valves would prevent all trains in the system from performing a risk-
27 The significance of the mispositioned valve prior to discovery would be addressed
13
28 through the inspection process.
significant function are included. (See Figure F-5)  
29
14
30 Baseline Values
 All pumps and diesels are included in the performance index  
31 The baseline values for unreliability are contained in Table 2 and remain fixed.
15
32 The baseline values for unavailability include both plant-specific planned unavailability
Table 3 defines the boundaries of components, and Figures F-1, F-2, F-3 and F-4 provide  
33 values and unplanned unavailability values. The unplanned unavailability values are
16
34 contained in Table 1 and remain fixed. They are based on ROP PI industry data from
examples of typical component boundaries as described in Table 3. Each plant will  
35 1999 through 2001. (Most baseline data used in PIs come from the 1995-1997 time
17
36 period. However, in this case, the 1999-2001 ROP data are preferable, because the ROP
determine their system boundaries, active components, and support components, and  
37 data breaks out systems separately (some of the industry 1995-1997 INPO data combine
18
                                                  F-9
have them available for NRC inspection.  
19
Failures of Non-Active Components  
20
Failures of SSCs that are not included in the performance index will not be counted as a  
21
failure or a demand. Failures of SSCs that cause an SSC within the scope of the  
22
performance index to fail will not be counted as a failure or demand. An example could  
23
be a manual suction isolation valve left closed which causes a pump to fail. This would  
24
not be counted as a failure of the pump.   Any mispositioning of the valve that caused the  
25
train to be unavailable would be counted as unavailability from the time of discovery.  
26
The significance of the mispositioned valve prior to discovery would be addressed  
27
through the inspection process.  
28
29  
Baseline Values  
30
The baseline values for unreliability are contained in Table 2 and remain fixed.  
31
The baseline values for unavailability include both plant-specific planned unavailability  
32
values and unplanned unavailability values. The unplanned unavailability values are  
33
contained in Table 1 and remain fixed. They are based on ROP PI industry data from  
34
1999 through 2001. (Most baseline data used in PIs come from the 1995-1997 time  
35
period. However, in this case, the 1999-2001 ROP data are preferable, because the ROP  
36
data breaks out systems separately (some of the industry 1995-1997 INPO data combine  
37


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1 systems, such as HPCI and RCIC, and do not include PWR RHR). It is important to note
F-10
2 that the data for the two periods is very similar.)
systems, such as HPCI and RCIC, and do not include PWR RHR). It is important to note  
3 Support cooling baseline data is based on plant specific maintenance rule unplanned and
1
4 planned unavailability for years 1999 to 2001. (Maintenance rule data does not
that the data for the two periods is very similar.)  
5 distinguish between planned and unplanned unavailability. There is no ROP support
2
6 cooling data.)
Support cooling baseline data is based on plant specific maintenance rule unplanned and  
7 The baseline planned unavailability is based on actual plant-specific values for the period
3
8 1999 through 2001. These values are expected to remain fixed unless the plant
planned unavailability for years 1999 to 2001. (Maintenance rule data does not  
9 maintenance philosophy is substantially changed with respect to on-line maintenance or
4
10 preventive maintenance. In these cases, the planned unavailability baseline value can be
distinguish between planned and unplanned unavailability. There is no ROP support  
11 adjusted. A comment should be placed in the comment field of the quarterly report to
5
12 identify a substantial change in planned unavailability. To determine the planned
cooling data.)
13 unavailability:
6
14 1. Record the total train unavailable hours reported under the Reactor Oversight Process
The baseline planned unavailability is based on actual plant-specific values for the period  
15    for 1999 through 2001.
7
16 2. Subtract any fault exposure hours still included in the 1999-2001 period.
1999 through 2001. These values are expected to remain fixed unless the plant  
17 3. Subtract unplanned unavailable hours
8
18 4. Add any on-line overhaul hours and any other planned unavailability excluded in
maintenance philosophy is substantially changed with respect to on-line maintenance or  
19    accordance with NEI 99-02. 2
9
20 5. Add any planned unavailable hours for functions monitored under MSPI which were
preventive maintenance. In these cases, the planned unavailability baseline value can be  
21    not monitored under SSU in NEI 99-02.
10
22 6. Subtract any unavailable hours reported when the reactor was not critical.
adjusted. A comment should be placed in the comment field of the quarterly report to  
23 7. Subtract hours cascaded onto monitored systems by support systems.
11
24 8. Divide the hours derived from steps 1-6 above by the total critical hours during 1999-
identify a substantial change in planned unavailability. To determine the planned  
25    2001. This is the baseline planned unavailability
12
26 Baseline unavailability is the sum of planned unavailability from step 7 and unplanned
unavailability:  
27 unavailability from Table 1.
13
28
1. Record the total train unavailable hours reported under the Reactor Oversight Process  
29
14
  2 Note: The plant-specific PRA should model significant on-line overhaul hours.
for 1999 through 2001.  
                                                F-10
15
2. Subtract any fault exposure hours still included in the 1999-2001 period.  
16
3. Subtract unplanned unavailable hours
17
4. Add any on-line overhaul hours and any other planned unavailability excluded in  
18
accordance with NEI 99-02. 2  
19
5. Add any planned unavailable hours for functions monitored under MSPI which were  
20
not monitored under SSU in NEI 99-02.  
21
6. Subtract any unavailable hours reported when the reactor was not critical.  
22
7. Subtract hours cascaded onto monitored systems by support systems.  
23
8. Divide the hours derived from steps 1-6 above by the total critical hours during 1999-
24
2001. This is the baseline planned unavailability  
25
Baseline unavailability is the sum of planned unavailability from step 7 and unplanned  
26
unavailability from Table 1.  
27
28  
29  
                                           
2 Note: The plant-specific PRA should model significant on-line overhaul hours.  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1      Table 1. Historical Unplanned Maintenance Unavailability Train Values
F-11
2              (Based on ROP Industrywide Data for 1999 through 2001)
Table 1. Historical Unplanned Maintenance Unavailability Train Values  
3
1
4
(Based on ROP Industrywide Data for 1999 through 2001)  
  SYSTEM                         UNPLANNED UNAVAILABILITY/TRAIN
2
  EAC                           1.7 E-03
  PWR HPSI                       6.1 E-04
3  
  PWR AFW (TD)                   9.1 E-04
  PWR AFW (MD)                   6.9 E-04
4  
  PWR AFW (DieselD)             7.6 E-04
SYSTEM  
  PWR (except CE) RHR           4.2 E-04
UNPLANNED UNAVAILABILITY/TRAIN  
  CE RHR                         1.1 E-03
EAC  
  BWR HPCI                       3.3 E-03
1.7 E-03  
  BWR HPCS                       5.4 E-04
PWR HPSI  
  BWR RCIC                       2.9 E-03
6.1 E-04  
  BWR RHR                       1.2 E-03
PWR AFW (TD)  
  Support Cooling               No Data Available Use plant specific Maintenance
9.1 E-04  
                                Rule data for 1999-2001
PWR AFW (MD)  
5
6.9 E-04  
                                        F-11
PWR AFW (DieselD)  
7.6 E-04  
PWR (except CE) RHR  
4.2 E-04  
CE RHR  
1.1 E-03  
BWR HPCI  
3.3 E-03  
BWR HPCS  
5.4 E-04  
BWR RCIC  
2.9 E-03  
BWR RHR  
1.2 E-03  
Support Cooling  
No Data Available Use plant specific Maintenance  
Rule data for 1999-2001  
5  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1                Table 2. Industry Priors and Parameters for Unreliability
F-12
2
Table 2. Industry Priors and Parameters for Unreliability  
3
1
    Component           Failure       aa        ba      Industry           Source(s)
                        Mode                            Mean
2  
                                                        Value b
  Motor-operated     Fail to open   5.0E-1 2.4E+2   2.1E-3       NUREG/CR-5500, Vol.
3  
        valve        (or close)                                    4,7,8,9
Component  
  Air-operated       Fail to open   5.0E-1 2.5E+2   2.0E-3       NUREG/CR-4550, Vol. 1
Failure  
  valve              (or close)
Mode
  Motor-driven      Fail to start 5.0E-1 2.4E+2   2.1E-3       NUREG/CR-5500, Vol.
a a
  pump, standby                                                    1,8,9
b a
                    Fail to run   5.0E-1  5.0E+3h   1.0E-4/h     NUREG/CR-5500, Vol.
Industry  
                                                                    1,8,9
Mean 
  Motor-driven      Fail to start 4.9E-1 1.6E+2   3.0E-3       NUREG/CR-4550, Vol. 1
Value b
  pump, running
Source(s)  
  or alternating     Fail to run   5.0E-1  1.7E+4h   3.0E-5/h     NUREG/CR-4550, Vol. 1
  Turbine-driven    Fail to start 4.7E-1 2.4E+1   1.9E-2       NUREG/CR-5500, Vol. 1
Motor-operated  
  pump, AFWS
valve
                    Fail to run   5.0E-1  3.1E+2   1.6E-3/h     NUREG/CR-5500, Vol. 1
Fail to open  
  Turbine-driven    Fail to start 4.6E-1 1.7E+1   2.7E-2       NUREG/CR-5500, Vol.
(or close)
  pump, HPCI or                                                     4,7
5.0E-1  
  RCIC
2.4E+2  
                    Fail to run   5.0E-1  3.1E+2h   1.6E-3/h     NUREG/CR-5500, Vol.
2.1E-3  
                                                                    1,4,7
NUREG/CR-5500, Vol.  
  Diesel-driven      Fail to start 4.7E-1 2.4E+1   1.9E-2       NUREG/CR-5500, Vol. 1
4,7,8,9  
  pump, AFWS
Air-operated  
                    Fail to run   5.0E-1  6.3E+2h   8.0E-4/h     NUREG/CR-4550, Vol. 1
valve
  Emergency          Fail to start 4.8E-1 4.3E+1   1.1E-2       NUREG/CR-5500, Vol. 5
Fail to open  
  diesel generator
(or close)
                    Fail to       5.0E-1  2.9E+2   1.7E-3 c     NUREG/CR-5500, Vol. 5
5.0E-1  
                    load/run
2.5E+2  
                    Fail to run   5.0E-1  2.2E+3h   2.3E-4/h     NUREG/CR-5500, Vol. 5
2.0E-3  
4
NUREG/CR-4550, Vol. 1  
5
Fail to start  
                                          F-12
5.0E-1  
2.4E+2  
2.1E-3  
NUREG/CR-5500, Vol.  
1,8,9  
Motor-driven
pump, standby
Fail to run  
5.0E-1  
   
5.0E+3h  
1.0E-4/h  
NUREG/CR-5500, Vol.  
1,8,9  
Fail to start  
4.9E-1  
1.6E+2  
3.0E-3  
NUREG/CR-4550, Vol. 1  
Motor-driven
pump, running  
or alternating  
Fail to run  
5.0E-1  
   
1.7E+4h  
3.0E-5/h  
NUREG/CR-4550, Vol. 1  
Fail to start  
4.7E-1  
2.4E+1  
1.9E-2  
NUREG/CR-5500, Vol. 1  
Turbine-driven
pump, AFWS  
Fail to run  
5.0E-1  
   
3.1E+2  
1.6E-3/h  
NUREG/CR-5500, Vol. 1  
Fail to start  
4.6E-1  
1.7E+1  
2.7E-2  
NUREG/CR-5500, Vol.  
4,7
Turbine-driven
pump, HPCI or  
RCIC  
Fail to run  
5.0E-1  
   
3.1E+2h  
1.6E-3/h  
NUREG/CR-5500, Vol.  
1,4,7  
Fail to start  
4.7E-1  
2.4E+1  
1.9E-2  
NUREG/CR-5500, Vol. 1  
Diesel-driven
pump, AFWS  
Fail to run  
5.0E-1  
   
6.3E+2h  
8.0E-4/h  
NUREG/CR-4550, Vol. 1  
Fail to start  
4.8E-1  
4.3E+1  
1.1E-2  
NUREG/CR-5500, Vol. 5  
Fail to  
load/run
5.0E-1  
   
2.9E+2  
1.7E-3 c  
NUREG/CR-5500, Vol. 5  
Emergency
diesel generator
Fail to run  
5.0E-1  
   
2.2E+3h  
2.3E-4/h  
NUREG/CR-5500, Vol. 5  
4  
5  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1 a. A constrained, non-informative prior is assumed. For failure to run events, a = 0.5 and
F-13
2 b = (a)/(mean rate). For failure upon demand events, a is a function of the mean
a. A constrained, non-informative prior is assumed. For failure to run events, a = 0.5 and  
3 probability:
1
  4
b = (a)/(mean rate). For failure upon demand events, a is a function of the mean  
5                  Mean Probability                     a
2
6                  0.0 to 0.0025                       0.50
probability:  
7                  >0.0025 to 0.010                     0.49
3
8                  >0.010 to 0.016                     0.48
   
9                  >0.016 to 0.023                     0.47
4  
10                  >0.023 to 0.027                     0.46
Mean Probability  
11
12 Then b = (a)(1.0 - mean probability)/(mean probability).
13
a  
14 b. Failure to run events occurring within the first hour of operation are included within
5
15 the fail to start failure mode. Failure to run events occurring after the first hour of
0.0 to 0.0025
16 operation are included within the fail to run failure mode. Unless otherwise noted, the
17 mean failure probabilities and rates include the probability of non-recovery. Types of
18 allowable recovery are outlined in the clarifying notes, under Credit for Recovery
0.50  
19 Actions.
6
20
>0.0025 to 0.010  
21 c. Fail to load and run for one hour was calculated from the failure to run data in the
22 report indicated. The failure rate for 0.0 to 0.5 hour (3.3E-3/h) multiplied by 0.5 hour,
23 was added to the failure rate for 0.5 to 14 hours (2.3E-4/h) multiplied by 0.5 hour.
0.49  
                                                F-13
7
>0.010 to 0.016  
0.48  
8
>0.016 to 0.023  
0.47  
9
>0.023 to 0.027  
0.46  
10
11  
Then b = (a)(1.0 - mean probability)/(mean probability).  
12
13  
b. Failure to run events occurring within the first hour of operation are included within  
14
the fail to start failure mode. Failure to run events occurring after the first hour of  
15
operation are included within the fail to run failure mode. Unless otherwise noted, the  
16
mean failure probabilities and rates include the probability of non-recovery. Types of  
17
allowable recovery are outlined in the clarifying notes, under Credit for Recovery  
18
Actions.  
19
20  
c. Fail to load and run for one hour was calculated from the failure to run data in the  
21
report indicated. The failure rate for 0.0 to 0.5 hour (3.3E-3/h) multiplied by 0.5 hour,  
22
was added to the failure rate for 0.5 to 14 hours (2.3E-4/h) multiplied by 0.5 hour.
23


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
                        Table 3. Component Boundary Definition
F-14
  Component                               Component boundary
  Diesel       The diesel generator boundary includes the generator body, generator
Table 3. Component Boundary Definition  
  Generators  actuator, lubrication system (local), fuel system (local), cooling components
              (local), startup air system receiver, exhaust and combustion air system,
              dedicated diesel battery (which is not part of the normal DC distribution
Component  
              system), individual diesel generator control system, circuit breaker for supply
              to safeguard buses and their associated local control circuit (coil, auxiliary
Component boundary  
              contacts, wiring and control circuit contacts, and breaker closure interlocks) .
  Motor-Driven The pump boundary includes the pump body, motor/actuator, lubrication
Diesel  
  Pumps        system cooling components of the pump seals, the voltage supply breaker,
Generators
              and its associated local control circuit (coil, auxiliary contacts, wiring and
              control circuit contacts).
The diesel generator boundary includes the generator body, generator  
  Turbine-     The turbine-driven pump boundary includes the pump body, turbine/actuator,
actuator, lubrication system (local), fuel system (local), cooling components  
  Driven Pumps lubrication system (including pump), extractions, turbo-pump seal, cooling
(local), startup air system receiver, exhaust and combustion air system,  
              components, and local turbine control system (speed).
dedicated diesel battery (which is not part of the normal DC distribution  
  Motor-       The valve boundary inc1udes the valve body, motor/actuator, the voltage
system), individual diesel generator control system, circuit breaker for supply  
  Operated    supply breaker (both motive and control power) and its associated local
to safeguard buses and their associated local control circuit (coil, auxiliary  
  Valves      open/close circuit (open/close switches, auxiliary and switch contacts, and
contacts, wiring and control circuit contacts, and breaker closure interlocks) .  
              wiring and switch energization contacts).
  Air-Operated The valve boundary includes the valve body, the air operator, associated
Motor-Driven  
  Valves      solenoid-operated valve, the power supply breaker or fuse for the solenoid
Pumps
              valve, and its associated control circuit (open/close switches and local
              auxiliary and switch contacts).
The pump boundary includes the pump body, motor/actuator, lubrication  
1
system cooling components of the pump seals, the voltage supply breaker,  
                                            F-14
and its associated local control circuit (coil, auxiliary contacts, wiring and  
control circuit contacts).  
Turbine-
Driven Pumps
The turbine-driven pump boundary includes the pump body, turbine/actuator,  
lubrication system (including pump), extractions, turbo-pump seal, cooling  
components, and local turbine control system (speed).
Motor-
Operated
Valves
The valve boundary inc1udes the valve body, motor/actuator, the voltage  
supply breaker (both motive and control power) and its associated local  
open/close circuit (open/close switches, auxiliary and switch contacts, and  
wiring and switch energization contacts).  
Air-Operated  
Valves
The valve boundary includes the valve body, the air operator, associated  
solenoid-operated valve, the power supply breaker or fuse for the solenoid  
valve, and its associated control circuit (open/close switches and local  
auxiliary and switch contacts).  
1  


      DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
  1ESFAS/Sequencer
F-15
  2
   
            DC Power                                Class 1E Bus
1
3
   
  4
2  
  5
  6
3  
  7                                                                                         EDG
   
                                                                                          Breaker
4  
  8                Lubrication          Governor and              Exhaust
   
                  System              Control System            System
5  
  9
   
10
6  
    Control and
   
11  Protection System
7  
12                                       Diesel Engine                       Generator
13      Starting Air
8
        System Receiver
   
14
9
                                        Jacket         Fuel Oil             Exciter and
   
15                                      Water          System                Voltage
10  
                      Combustion Air
16                    System and                                             Regulator
11  
                      Supply                          Fuel Oil Day
   
17                                        Isol.        Tank
12  
                                        Valve
18 EDG Boundary
13
19
20
14
                                      Cooling Water                 Fuel Storage and
21                                                                  Transfer System
15
22
23                                                                Figure F-1
16
                                                                      F-15
17
18
19
20
21
22
Figure F-1
23
Diesel Engine  
Control and
Protection System
Starting Air  
System Receiver  
Combustion Air
System and
Supply
Jacket  
Water
Fuel Oil
System
Fuel Oil Day
Tank
Generator
Exciter and  
Voltage  
Regulator
Exhaust
System  
Governor and  
Control System
Lubrication
System
EDG  
Breaker
ESFAS/Sequencer
DC Power
Cooling Water  
Class 1E Bus
EDG Boundary
Isol.
Valve
Fuel Storage and  
Transfer System  


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1
F-16
                                                    Controls   ESFAS
                                                    Breaker
1  
                                                Motor Operator
                                                    Pump
2
                                Motor Driven Pump Boundary
Figure F-2
2
3
3                                              Figure F-2
4
4
5
                                                  F-16
5
Controls  
Breaker  
Motor Operator  
Motor Driven Pump Boundary  
Pump
ESFAS


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
                                                Controls   ESFAS
F-17
                                                Breaker
Figure F-3
                                            Motor Operator
1
                            MOV Boundary
2
1                                              Figure F-3
Controls  
2
Breaker  
                                                  F-17
Motor Operator  
MOV Boundary  
ESFAS


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
1
F-18
                                                  Controls ESFAS
                                                  Turbine
1
                                                  Pump
                              Turbine Driven Pump Boundary
2  
2
Figure F-4  
3                                              Figure F-4
3
4
4  
                                                  F-18
Controls
Turbine
Turbine Driven Pump Boundary
Pump
ESFAS


  DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002
DRAFT NEI 99-02 MSPI   8/28/20028/23/20028/9/2002  
                                                            Non-active
F-19
1                                                           Components
                                                Active
1  
                    Active                      Components
T
                    Components
A
        T
N
        A
K
        N
Figure F-5  
        K
Active
                                          Figure F-5
Components
                                                  F-19
Active
Components
Non-active
Components
}}
}}

Latest revision as of 16:07, 16 January 2025

Attachment 1 and Attachment 2, Regularory Issue Summary 2002-14, Proposed Changes to the Safety System Unavailability Performance Indicators
ML022410004
Person / Time
Issue date: 08/28/2002
From: Beckner W
NRC/NRR/DRIP/RORP
To:
Sanders S
References
OMB 3150-0195 RIS-02-014
Download: ML022410004 (37)
v  d  e


See also: RIS 2002-14

Text

Attachment 1

RIS 2002-14

Attachment 1, Section 2.2, Mitigating Systems Cornerstone, of NEI 99-02, Regulatory

Assessment Performance Indicator Guideline (Draft)

1

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

1

MITIGATING SYSTEM PERFORMANCE INDEX

2

Purpose

3

The purpose of the mitigating system performance index is to monitor the performance of

4

selected systems based on their ability to perform risk-significant functions as defined herein. It

5

is comprised of two elements - system unavailability and system unreliability. The index is used

6

to determine the significance of performance issues for single demand failures and accumulated

7

unavailability. Due to the limitations of the index, the following conditions will rely upon the

8

inspection process for determining the significance of performance issues:

9

10

1. Multiple concurrent failures of components

11

2. Common cause failures

12

3. Conditions not capable of being discovered during normal surveillance tests

13

4. Failures of non-active components

14

15

Indicator Definition

16

Mitigating System Performance Index (MSPI) is the sum of changes in a simplified core damage

17

frequency evaluation resulting from changes in unavailability and unreliability relative to

18

baseline values.

19

20

Unavailability is the ratio of the hours the train/system was unavailable to perform its risk-

21

significant functions due to planned and unplanned maintenance or test on active and non-active

22

components during the previous 12 quarters while critical to the number of critical hours during

23

the previous 12 quarters. (Fault exposure hours are not included; unavailable hours are counted

24

only for the time required to recover the trains risk-significant functions.)

25

26

Unreliability is the probability that the system would not perform its risk-significant functions

27

when called upon during the previous 12 quarters.

28

29

Baseline values are the values for unavailability and unreliability against which current changes

30

in unavailability and unreliability are measured. See Appendix F for further details.

31

32

The MSPI is calculated separately for each of the following five systems for each reactor type.

33

34

BWRs

35

 emergency AC power system

36

 high pressure injection systems (high pressure coolant injection, high pressure core spray, or

37

feedwater coolant injection)

38

 heat removal systems (reactor core isolation cooling)

39

 residual heat removal system (or their equivalent function as described in the Additional

40

Guidance for Specific Systems section.)

41

2

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

 cooling water support system (includes risk significant direct cooling functions provided by

1

service water and component cooling water or their cooling water equivalents for the above

2

four monitored systems)

3

4

PWRs

5

 emergency AC power system

6

 high pressure safety injection system

7

 auxiliary feedwater system

8

 residual heat removal system (or their equivalent function as described in the Additional

9

Guidance for Specific Systems section.)

10

 cooling water support system (includes risk significant direct cooling functions provided by

11

service water and component cooling water or their cooling water equivalents for the above

12

four monitored systems)

13

14

Data Reporting Elements

15

The following data elements are reported for each system

16

17

 Unavailability Index (UAI) due to unavailability for each monitored system

18

 Unreliability Index (URI) due to unreliability for each monitored system

19

20

During the pilot, the additional data elements necessary to calculate UAI and URI will be

21

reported monthly for each system on an Excel spreadsheet. See Appendix F.

22

23

24

Calculation

25

The MSPI for each system is the sum of the UAI due to unavailability for the system plus URI

26

due to unreliability for the system during the previous twelve quarters.

27

28

MSPI = UAI + URI.

29

30

See Appendix F for the calculational methodology for UAI due to system unavailability and URI

31

due to system unreliability.

32

33

Definition of Terms

34

A train consists of a group of components that together provide the risk significant functions of

35

the system as explained in the additional guidance for specific mitigating systems. Fulfilling the

36

risk-significant function of the system may require one or more trains of a system to operate

37

simultaneously. The number of trains in a system is generally determined as follows:

38

39

 for systems that provide cooling of fluids, the number of trains is determined by the number

40

of parallel heat exchangers, or the number of parallel pumps, or the minimum number of

41

parallel flow paths, whichever is fewer.

42

43

3

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

 for emergency AC power systems the number of trains is the number of class 1E emergency

1

(diesel, gas turbine, or hydroelectric) generators at the station that are installed to power

2

shutdown loads in the event of a loss of off-site power. (This does not include the diesel

3

generator dedicated to the BWR HPCS system, which is included in the scope of the HPCS

4

system.)

5

6

Risk Significant Functions: those at power functions, described in the Additional Guidance for

7

Specific Systems, that were determined to be risk-significant in accordance with NUMARC 93-

8

01, or NRC approved equivalents (e.g., the STP exemption request.) The system functions

9

described in the Additional Guidance for Specific Systems must be modeled in the plants

10

PRA/PSA. of risk-significant SSCs as modeled in the plant-specific PRA. Risk metrics for

11

identifying risk-significant functions are:

12

13

Risk Achievement Worth > 2.0, or

14

Risk Reduction Worth >0.005, or

15

PRA cutsets that account for 90% of core damage frequency90% of core damage

16

frequency accounted for.

17

18

Risk-Significant Mission Times: The mission time modeled in the PRA for satisfying the risk-

19

significant function of reaching a stable plant condition where normal shutdown cooling is

20

sufficient. Note that PRA models typically analyze an event for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, which may exceed the

21

time needed for the risk-significant function captured in the MSPI. However, other intervals as

22

justified by analyses and modeled in the PRA may be used.

23

24

Success criteria are the plant specific values of parameters the train/system is required to achieve

25

to perform its risk-significant function. Default values of those parameters are the plants design

26

bases values unless other values are modeled in the PRA.

27

28

Clarifying Notes

29

Documentation

30

31

Each licensee will have the system boundaries, active components, risk-significant functions and

32

success criteria readily available for NRC inspection on site. Additionally, plant-specific

33

information used in Appendix F should also be readily available for inspection.

34

35

Success Criteria

36

37

Individual component capability must be evaluated against train/system level success criteria

38

(e.g., a valve stroke time may exceed an ASME requirement, but if the valve still strokes in time

39

to meet the PRA success criteria for the train/system, the component has not failed for the

40

purposes of this indicator because the risk-significant train/system function is still satisfied).

41

Important plant specific performance factors that can be used to identify the required capability

42

of the train/system to meet the risk-significant functions include, but are not limited to:

43

 Actuation

44

o Time

45

4

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

o Auto/manual

1

o Multiple or sequential

2

 Success requirements

3

o Numbers of components or trains

4

o Flows

5

o Pressures

6

o Heat exchange rates

7

o Temperatures

8

o Tank water level

9

 Other mission requirements

10

o Run time

11

o State/configuration changes during mission

12

 Accident environment from internal events

13

o Pressure, temperature, humidity

14

 Operational factors

15

o Procedures

16

o Human actions

17

o Training

18

o Available externalities (e.g., power supplies, special equipment, etc.)

19

20

21

22

System/Component Interface Boundaries

23

24

For active components that are supported by other components from both monitored and

25

unmonitored systems, the following general rules apply:

26

27

 For control and motive power, only the last relay, breaker or contactor necessary to

28

power or control the component is included in the active component boundary. For

29

example, if an ESFAS signal actuates a MOV, only the relay that receives the ESFAS

30

signal in the control circuitry for the MOV is in the MOV boundary. No other portions

31

of the ESFAS are included.

32

33

 For water connections from systems that provide cooling water to an active component,

34

only the final active connecting valve is included in the boundary. For example, for

35

service water that provides cooling to support an AFW pump, only the final active valve

36

in the service water system that supplies the cooling water to the AFW system is

37

included in the AFW system scope. This same valve is not included in the cooling water

38

support system scope.

39

40

Water Sources and Inventory

41

42

Water tanks are not considered to be active components. As such, they do not contribute to URI.

43

However, periods of insufficient water inventory contribute to UAI if they result in loss of the

44

risk-significant train function for the required mission time. Water inventory can include

45

operator recovery actions for water make-up provided the actions can be taken in time to meet

46

5

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

the mission times and are modeled in the PRA. If additional water sources are required to satisfy

1

train mission times, only the connecting active valve from the additional water source is

2

considered as an active component for calculating URI. If there are valves in the primary water

3

source that must change state to permit use of the additional water source, these valves are

4

considered active and should be included in URI for the system.

5

6

Monitored Systems

7

8

Systems have been generically selected for this indicator based on their importance in preventing

9

reactor core damage. The systems include the principal systems needed for maintaining reactor

10

coolant inventory following a loss of coolant accident, for decay heat removal following a

11

reactor trip or loss of main feedwater, and for providing emergency AC power following a loss

12

of plant off-site power. One risk-significant support function (cooling water support system) is

13

also monitored. The cooling water support system monitors the risk significant cooling functions

14

provided by service water and component cooling water, or their direct cooling water

15

equivalents, for the four front-line monitored systems. No support systems are to be cascaded

16

onto the monitored systems, e.g., HVAC room coolers, DC power, instrument air, etc.

17

18

Diverse Systems

19

20

Except as specifically stated in the indicator definition and reporting guidance, no credit is given

21

for the achievement of a risk-significant function by an unmonitored system in determining

22

unavailability or unreliability of the monitored systems.

23

24

Common Components

25

26

Some components in a system may be common to more than one train or system, in which case

27

the unavailability/unreliability of a common component is included in all affected trains or

28

systems. (However, see Additional Guidance for Specific Systems for exceptions; for example,

29

the PWR High Pressure Safety Injection System.)

30

31

Short Duration Unavailability

32

33

Trains are generally considered to be available during periodic system or equipment

34

realignments to swap components or flow paths as part of normal operations. Evolutions or

35

surveillance tests that result in less than 15 minutes of unavailable hours per train at a time need

36

not be counted as unavailable hours. Licensees should compile a list of surveillances/evolutions

37

that meet this criterion and have it available for inspector review. In addition, equipment

38

misalignment or mispositioning which is corrected in less than 15 minutes need not be counted

39

as unavailable hours. The intent is to minimize unnecessary burden of data collection,

40

documentation, and verification because these short durations have insignificant risk impact.

41

42

If a licensee is required to take a component out of service for evaluation and corrective actions

43

for greater than 15 minutes (for example, related to a Part 21 Notification), the unavailable hours

44

must be included.

45

46

6

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

Treatment of Demand /Run Failures and Degraded Conditions

1

2

1. Treatment of Demand and Run Failures

3

Failures of active components (see Appendix F) on demand or failures to run, either

4

actual or test, while critical, are included in unreliability. Failures on demand or failures

5

to run at any other timewith the reactor shutdown must be evaluated to determine if the

6

failure would have resulted in the train not being able to perform its risk-significant at

7

power functions, and must therefore be included in unreliability. Unavailable hours are

8

included only for the time required to recover the trains risk-significant functions and

9

only when the reactor is critical.

10

11

2. Treatment of Degraded Conditions

12

13

a) Capable of Being Discovered By Normal Surveillance Tests

14

Normal surveillance tests are those tests that are performed at a frequency of a

15

refueling cycle or more frequently.

16

17

Degraded conditions, even ifwhere no actual demand existed, that render an

18

active component incapable of performing its risk-significant functions are

19

included in unreliability as a demand and a failure. The appropriate failure mode

20

must be accounted for. For example, for valves, a demand and a demand failure

21

would be assumed and included in URI. For pumps and diesels, if the degraded

22

condition would have prevented a successful start demand, a demand and a failure

23

is included in URI, but there would be no run time hours or run failures. If it was

24

determined that the pump/diesel would start and load run, but would fail

25

sometime during the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> run test or its surveillance test equivalent, the

26

evaluated failure time would be included in run hours and a run failure would be

27

assumed. A start demand and start failure would not be included. If a running

28

component is secured from operation due to observed degraded performance, but

29

prior to failure, then a run failure shall be counted unless evaluation of the

30

condition shows that the component would have continued to operate for the risk-

31

significant mission time starting from the time the component was secured.

32

Unavailable hours are included for the time required to recover the risk-

33

significant function(s).

34

35

Degraded conditions, or actual unavailability due to mispositioning of non-active

36

components that render a train incapable of performing its risk-significant

37

functions are only included in unavailability for the time required to recover the

38

risk-significant function(s).

39

40

Loss of risk significant function(s) is assumed to have occurred if the established

41

success criteria has not been met. If subsequent analysis identifies additional

42

margin for the success criterion, future impacts on URI or UAI for degraded

43

conditions may be determined based on the new criterion. However, URI and

44

UAI must be based on the success criteria of record at the time the degraded

45

condition is discovered. If the degraded condition is not addressed by any of the

46

7

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

pre-defined success criteria, an engineering evaluation to determine the impact of

1

the degraded condition on the risk-significant function(s) should be completed

2

and documented. The use of component failure analysis, circuit analysis, or event

3

investigations is acceptable. Engineering judgment may be used in conjunction

4

with analytical techniques to determine the impact of the degraded condition on

5

the risk-significant function. The engineering evaluation should be completed as

6

soon as practicable. If it cannot be completed in time to support submission of the

7

PI report for the current quarter, the comment field shall note that an evaluation is

8

pending. The evaluation must be completed in time to accurately account for

9

unavailability/unreliability in the next quarterly report. Exceptions to this

10

guidance are expected to be rare and will be treated on a case-by-case basis.

11

Licensees should identify these situations to the resident inspector.

12

13

b) Not Capable of Being Discovered by Normal Surveillance Tests

14

These failures or conditions are usually of longer exposure time. Since these

15

failure modes have not been tested on a regular basis, it is inappropriate to include

16

them in the performance index statistics. These failures or conditions are subject

17

to evaluation through the inspection process. Examples of this type are failures

18

due to pressure locking/thermal binding of isolation valves, blockages in lines not

19

regularly tested, or inadequate component sizing/settings under accident

20

conditions (not under normal test conditions). While not included in the

21

calculation of the index, they should be reported in the comment field of the PI

22

data submittal.

23

24

25

Credit for Operator Recovery Actions to Restore the Risk-Significant Function

26

27

1. During testing or operational alignment:

28

Unavailability of a risk-significant function during testing or operational alignment need not

29

be included if the test configuration is automatically overridden by a valid starting signal, or

30

the function can be promptly restored either by an operator in the control room or by a

31

designated operator1 stationed locally for that purpose. Restoration actions must be

32

contained in a written procedure2, must be uncomplicated (a single action or a few simple

33

actions), must be capable of being restored in time to satisfy PRA success criteria and must

34

not require diagnosis or repair. Credit for a designated local operator can be taken only if

35

(s)he is positioned at the proper location throughout the duration of the test for the purpose of

36

restoration of the train should a valid demand occur. The intent of this paragraph is to allow

37

licensees to take credit for restoration actions that are virtually certain to be successful (i.e.,

38

probability nearly equal to 1) during accident conditions.

39

40

1 Operator in this circumstance refers to any plant personnel qualified and designated to perform

the restoration function.

2 Including restoration steps in an approved test procedure.

8

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

The individual performing the restoration function can be the person conducting the test and

1

must be in communication with the control room. Credit can also be taken for an operator in

2

the main control room provided (s)he is in close proximity to restore the equipment when

3

needed. Normal staffing for the test may satisfy the requirement for a dedicated operator,

4

depending on work assignments. In all cases, the staffing must be considered in advance and

5

an operator identified to perform the restoration actions independent of other control room

6

actions that may be required.

7

8

Under stressful, chaotic conditions, otherwise simple multiple actions may not be

9

accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and

10

landing wires; or clearing tags). In addition, some manual operations of systems designed to

11

operate automatically, such as manually controlling HPCI turbine to establish and control

12

injection flow, are not virtually certain to be successful. These situations should be resolved

13

on a case-by-case basis through the FAQ process.

14

15

2. During Maintenance

16

Unavailability of a risk-significant function during maintenance need not be included if the

17

risk-significant function can be promptly restored either by an operator in the control room or

18

by a designated operator3 stationed locally for that purpose. Restoration actions must be

19

contained in a written procedure4, must be uncomplicated (a single action or a few simple

20

actions), must be capable of being restored in time to satisfy PRA success criteria and must

21

not require diagnosis or repair. Credit for a designated local operator can be taken only if

22

(s)he is positioned at a proper location throughout the duration of the maintenance activity

23

for the purpose of restoration of the train should a valid demand occur. The intent of this

24

paragraph is to allow licensees to take credit for restoration of risk-significant functions that

25

are virtually certain to be successful (i.e., probability nearly equal to 1). The individual

26

performing the restoration function can be the person performing the maintenance and must

27

be in communication with the control room. Credit can also be taken for an operator in the

28

main control room provided (s)he is in close proximity to restore the equipment when

29

needed. Under stressful chaotic conditions otherwise simple multiple actions may not be

30

accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and

31

landing wires, or clearing tags). These situations should be resolved on a case-by-case basis

32

through the FAQ process.

33

34

3. Satisfying PRA success criteriaRisk Significant Mission Times

35

Risk significant operator actions to satisfy pre-determined train/system risk-significant

36

mission times can only be credited if they are modeled in the PRA.

37

38

Swing trains and components shared between units

39

40

3 Operator in this circumstance refers to any plant personnel qualified and designated to perform the

restoration function.

4 Including restoration steps in an approved test procedure.

9

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

Swing trains/components are trains/components that can be aligned to any unit. To be credited

1

as such, their swing capability should be modeled in the PRA to provide an appropriate Fussell-

2

Vesely value.

3

4

Unit Cross Tie Capability

5

6

Components that cross tie monitored systems between units should be considered active

7

components if they are modeled in the PRA and meet the active component criteria in Appendix

8

F. Such active components are counted in each units performance indicators.

9

10

Maintenance Trains and Installed Spares

11

12

Some power plants have systems with extra trains to allow preventive maintenance to be carried

13

out with the unit at power without impacting the risk-significant function of the system. That is,

14

one of the remaining trains may fail, but the system can still perform its risk significant function.

15

To be a maintenance train, a train must not be needed to perform the systems risk significant

16

function.

17

18

An "installed spare" is a component (or set of components) that is used as a replacement for other

19

equipment to allow for the removal of equipment from service for preventive or corrective

20

maintenance without impacting the risk-significant function of the system. To be an "installed

21

spare," a component must not be needed for the system to perform the risk significant function.

22

23

24

For unreliability, spare active components are included if they are modeled in the PRA.

25

Unavailability of the spare component/train is only counted in the index if the spare is substituted

26

for a primary train/component. Unavailability is not monitored for a component/train when that

27

component/train has been replaced by an installed spare or maintenance train.

28

29

Use of Plant-Specific PRA and SPAR Models

30

31

The MSPI is an approximation using some information from a plants actual PRA and is

32

intended as an indicator of system performance. Plant-specific PRAs and SPAR models cannot

33

be used to question the outcome of the PIs computed in accordance with this guideline.

34

35

Maintenance Rule Performance Monitoring

36

37

It is the intent that NUMARC 93-01 be revised to require consistent unavailability and

38

unreliability data gathering as required by this guideline.

39

40

10

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

ADDITIONAL GUIDANCE FOR SPECIFIC SYSTEMS

1

This guidance provides typical system scopes. Individual plants should include those systems

2

employed at their plant that are necessary to satisfy the specific risk-significant functions

3

described below and reflected in their PRAs.

4

Emergency AC Power Systems

5

Scope

6

The function monitored for the emergency AC power system is the ability of the emergency

7

generators to provide AC power to the class 1E buses upon a loss of off-site power while the

8

reactor is critical, including post-accident conditions. The emergency AC power system is

9

typically comprised of two or more independent emergency generators that provide AC power to

10

class 1E buses following a loss of off-site power. The emergency generator dedicated to

11

providing AC power to the high pressure core spray system in BWRs is not within the scope of

12

emergency AC power.

13

14

The electrical circuit breaker(s) that connect(s) an emergency generator to the class lE buses that

15

are normally served by that emergency generator are considered to be part of the emergency

16

generator train.

17

18

Emergency generators that are not safety grade, or that serve a backup role only (e.g., an

19

alternate AC power source), are not included in the performance reporting.

20

21

Train Determination

22

The number of emergency AC power system trains for a unit is equal to the number of class 1E

23

emergency generators that are available to power safe-shutdown loads in the event of a loss of

24

off-site power for that unit. There are three typical configurations for EDGs at a multi-unit

25

station:

26

27

1. EDGs dedicated to only one unit.

28

2. One or more EDGs are available to swing to either unit

29

3. All EDGs can supply all units

30

31

For configuration 1, the number of trains for a unit is equal to the number of EDGs dedicated to

32

the unit. For configuration 2, the number of trains for a unit is equal to the number of dedicated

33

EDGs for that unit plus the number of swing EDGs available to that unit (i.e., The swing

34

EDGs are included in the train count for each unit). For configuration 3, the number of trains is

35

equal to the number of EDGs.

36

37

Clarifying Notes

38

The emergency diesel generators are not considered to be available during the following portions

39

of periodic surveillance tests unless recovery from the test configuration during accident

40

conditions is virtually certain, as described in Credit for operator recovery actions during

41

11

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

testing, can be satisfied; or the duration of the condition is less than fifteen minutes per train at

1

one time:

2

3

 Load-run testing

4

 Barring

5

6

An EDG is not considered to have failed due to any of the following events:

7

8



spurious operation of a trip that would be bypassed in a loss of offsite power event

9



malfunction of equipment that is not required to operate during a loss of offsite power event

10

(e.g., circuitry used to synchronize the EDG with off-site power sources)

11

 failure to start because a redundant portion of the starting system was intentionally disabled

12

for test purposes, if followed by a successful start with the starting system in its normal

13

alignment

14

Air compressors are not part of the EDG boundary. However, air receivers that provide starting

15

air for the diesel are included in the EDG boundary.

16

17

If an EDG has a dedicated battery independent of the stations normal DC distribution system,

18

the dedicated battery is included in the EDG system boundary.

19

20

If the EDG day tank is not sufficient to meet the EDG mission time, the fuel transfer function

21

should be modeled in the PRA. However, the fuel transfer pumps are not considered to be an

22

active component in the EDG system because they are considered to be a support system.

23

24

25

26

BWR High Pressure Injection Systems

27

(High Pressure Coolant Injection, High Pressure Core Spray, and Feedwater Coolant

28

Injection)

29

30

Scope

31

These systems function at high pressure to maintain reactor coolant inventory and to remove

32

decay heat following a small-break Loss of Coolant Accident (LOCA) event or a loss of main

33

feedwater event.

34

35

The function monitored for the indicator is the ability of the monitored system to take suction

36

from the suppression pool (and from the condensate storage tank, if credited in the plants

37

accident analysis) and inject into the reactor vessel.

38

39

Plants should monitor either the high-pressure coolant injection (HPCI), the high-pressure core

40

spray (HPCS), or the feedwater coolant injection (FWCI) system, whichever is installed. The

41

turbine and governor (or motor-driven FWCI pumps), and associated piping and valves for

42

turbine steam supply and exhaust are within the scope of these systems. Valves in the feedwater

43

line are not considered within the scope of these systems. The emergency generator dedicated to

44

12

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

providing AC power to the high-pressure core spray system is included in the scope of the

1

HPCS. The HPCS system typically includes a "water leg" pump to prevent water hammer in the

2

HPCS piping to the reactor vessel. The "water leg" pump and valves in the "water leg" pump

3

flow path are ancillary components and are not included in the scope of the HPCS system.

4

Unavailability is not included while critical if the system is below steam pressure specified in

5

technical specifications at which the system can be operated.

6

7

Train Determination

8

The HPCI and HPCS systems are considered single-train systems. The booster pump and other

9

small pumps are ancillary components not used in determining the number of trains. The effect

10

of these pumps on system performance is included in the system indicator to the extent their

11

failure detracts from the ability of the system to perform its risk-significant function. For the

12

FWCI system, the number of trains is determined by the number of feedwater pumps. The

13

number of condensate and feedwater booster pumps are not used to determine the number of

14

trains.

15

16

BWR Heat Removal Systems

17

(Reactor Core Isolation Cooling or Isolation Condenser)

18

19

Scope

20

This system functions at high pressure to remove decay heat following a loss of main feedwater

21

event. The RCIC system also functions to maintain reactor coolant inventory following a very

22

small LOCA event.

23

24

The function monitored for the indicator is the ability of the RCIC system to cool the reactor

25

vessel core and provide makeup water by taking a suction from either the condensate storage

26

tank or the suppression pool and injecting at rated pressure and flow into the reactor vessel.

27

28

The Reactor Core Isolation Cooling (RCIC) system turbine, governor, and associated piping and

29

valves for steam supply and exhaust are within the scope of the RCIC system. Valves in the

30

feedwater line are not considered within the scope of the RCIC system. The Isolation Condenser

31

and inlet valves are within the scope of Isolation Condenser system. Unavailability is not

32

included while critical if the system is below steam pressure specified in technical specifications

33

at which the system can be operated.

34

35

36

Train Determination

37

The RCIC system is considered a single-train system. The condensate and vacuum pumps are

38

ancillary components not used in determining the number of trains. The effect of these pumps on

39

RCIC performance is included in the system indicator to the extent that a component failure

40

results in an inability of the system to perform its risk-significant function.

41

13

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

1

BWR Residual Heat Removal Systems

2

Scope

3

The functions monitored for the BWR residual heat removal (RHR) system are the ability of the

4

RHR system to remove heat from the suppression pool, provide low pressure coolant injection,

5

and provide post-accident decay heat removal. The pumps, heat exchangers, and associated

6

piping and valves for those functions are included in the scope of the RHR system.

7

8

Train Determination

9

The number of trains in the RHR system is determined by the number of parallel RHR heat

10

exchangers.

11

12

PWR High Pressure Safety Injection Systems

13

Scope

14

These systems are used primarily to maintain reactor coolant inventory at high pressures

15

following a loss of reactor coolant. HPSI system operation following a small-break LOCA

16

involves transferring an initial supply of water from the refueling water storage tank (RWST) to

17

cold leg piping of the reactor coolant system. Once the RWST inventory is depleted,

18

recirculation of water from the reactor building emergency sump is required. The function

19

monitored for HPSI is the ability of a HPSI train to take a suction from the primary water source

20

(typically, a borated water tank), or from the containment emergency sump, and inject into the

21

reactor coolant system at rated flow and pressure.

22

23

The scope includes the pumps and associated piping and valves from both the refueling water

24

storage tank and from the containment sump to the pumps, and from the pumps into the reactor

25

coolant system piping. For plants where the high-pressure injection pump takes suction from the

26

residual heat removal pumps, the residual heat removal pump discharge header isolation valve to

27

the HPSI pump suction is included in the scope of HPSI system. Some components may be

28

included in the scope of more than one train. For example, cold-leg injection lines may be fed

29

from a common header that is supplied by both HPSI trains. In these cases, the effects of testing

30

or component failures in an injection line should be reported in both trains.

31

32

Train Determination

33

34

In general, the number of HPSI system trains is defined by the number of high head injection

35

paths that provide cold-leg and/or hot-leg injection capability, as applicable.

36

37

For Babcock and Wilcox (B&W) reactors, the design features centrifugal pumps used for high

38

pressure injection (about 2,500 psig) and no hot-leg injection path. Recirculation from the

39

containment sump requires operation of pumps in the residual heat removal system. They are

40

14

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

typically a two-train system, with an installed spare pump (depending on plant-specific design)

1

that can be aligned to either train.

2

3

For two-loop Westinghouse plants, the pumps operate at a lower pressure (about 1600 psig) and

4

there may be a hot-leg injection path in addition to a cold-leg injection path (both are included as

5

a part of the train).

6

7

For Combustion Engineering (CE) plants, the design features three centrifugal pumps that

8

operate at intermediate pressure (about 1300 psig) and provide flow to two cold-leg injection

9

paths or two hot-leg injection paths. In most designs, the HPSI pumps take suction directly from

10

the containment sump for recirculation. In these cases, the sump suction valves are included

11

within the scope of the HPSI system. This is a two-train system (two trains of combined cold-leg

12

and hot-leg injection capability). One of the three pumps is typically an installed spare that can

13

be aligned to either train or only to one of the trains (depending on plant-specific design).

14

15

For Westinghouse three-loop plants, the design features three centrifugal pumps that operate at

16

high pressure (about 2500 psig), a cold-leg injection path through the BIT (with two trains of

17

redundant valves), an alternate cold-leg injection path, and two hot-leg injection paths. One of

18

the pumps is considered an installed spare. Recirculation is provided by taking suction from the

19

RHR pump discharges. A train consists of a pump, the pump suction valves and boron injection

20

tank (BIT) injection line valves electrically associated with the pump, and the associated hot-leg

21

injection path. The alternate cold-leg injection path is required for recirculation, and should be

22

included in the train with which its isolation valve is electrically associated. This represents a

23

two-train HPSI system.

24

25

For Four-loop Westinghouse plants, the design features two centrifugal pumps that operate at

26

high pressure (about 2500 psig), two centrifugal pumps that operate at an intermediate pressure

27

(about 1600 psig), a BIT injection path (with two trains of injection valves), a cold-leg safety

28

injection path, and two hot-leg injection paths. Recirculation is provided by taking suction from

29

the RHR pump discharges. Each of two high pressure trains is comprised of a high pressure

30

centrifugal pump, the pump suction valves and BIT valves that are electrically associated with

31

the pump. Each of two intermediate pressure trains is comprised of the safety injection pump, the

32

suction valves and the hot-leg injection valves electrically associated with the pump. The cold-

33

leg safety injection path can be fed with either safety injection pump, thus it should be associated

34

with both intermediate pressure trains. This HPSI system is considered a four-train system for

35

monitoring purposes.

36

37

38

39

PWR Auxiliary Feedwater Systems

40

Scope

41

The AFW system provides decay heat removal via the steam generators to cool down and

42

depressurize the reactor coolant system following a reactor trip. The AFW system is assumed to

43

be required for an extended period of operation during which the initial supply of water from the

44

condensate storage tank is depleted and water from an alternative water source (e.g., the service

45

water system) is required. Therefore components in the flow paths from both of these water

46

15

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

sources are included; however, the alternative water source (e.g., service water system) is not

1

included.

2

3

The function monitored for the indicator is the ability of the AFW system to take a suction from

4

the primary water source (typically, the condensate storage tank) or, if required, from an

5

emergency source (typically, a lake or river via the service water system) and inject into at least

6

one steam generator at rated flow and pressure.

7

8

The scope of the auxiliary feedwater (AFW) or emergency feedwater (EFW) systems includes

9

the pumps and the components in the flow paths from the condensate storage tank and, if

10

required, the valve(s) that connect the alternative water source to the auxiliary feedwater system.

11

Startup feedwater pumps are not included in the scope of this indicator.

12

13

Train Determination

14

The number of trains is determined primarily by the number of parallel pumps. For example, a

15

system with three pumps is defined as a three-train system, whether it feeds two, three, or four

16

injection lines, and regardless of the flow capacity of the pumps. Some components may be

17

included in the scope of more than one train. For example, one set of flow regulating valves and

18

isolation valves in a three-pump, two-steam generator system are included in the motor-driven

19

pump train with which they are electrically associated, but they are also included (along with the

20

redundant set of valves) in the turbine-driven pump train. In these instances, the effects of testing

21

or failure of the valves should be reported in both affected trains. Similarly, when two trains

22

provide flow to a common header, the effect of isolation or flow regulating valve failures in

23

paths connected to the header should be considered in both trains.

24

25

PWR Residual Heat Removal System

26

Scope

27

The functions monitored for the PWR residual heat removal (RHR) system are those that are

28

required to be available when the reactor is critical. These typically include the low-pressure

29

injection function (if risk-significant) and the post-accident recirculation mode used to cool and

30

recirculate water from the containment sump following depletion of RWST inventory to provide

31

post-accident decay heat removal. The pumps, heat exchangers, and associated piping and valves

32

for those functions are included in the scope of the RHR system. Containment spray function

33

should be included if it is identified in the PRA as a risk-significant post accident decay heat

34

removal function. Containment spray systems that only provide containment pressure control are

35

not included.

36

37

38

39

Train Determination

40

The number of trains in the RHR system is determined by the number of parallel RHR heat

41

exchangers. Some components are used to provide more than one function of RHR. If a

42

component cannot perform as designed, rendering its associated train incapable of meeting one

43

16

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

of the risk-significant functions, then the train is considered to be failed. Unavailable hours

1

would be reported as a result of the component failure.

2

Cooling Water Support System

3

Scope

4

The function of the cooling water support system is to provide for direct cooling of the

5

components in the other monitored systems. It does not include indirect cooling provided by

6

room coolers or other HVAC features.

7

8

Systems that provide this function typically include service water and component cooling water

9

or their cooling water equivalents. Pumps, valves, heat exchangers and line segments that are

10

necessary to provide cooling to the other monitored systems are included in the system scope up

11

to, but not including, the last valve that connects the cooling water support system to the other

12

monitored systems. This last valve is included in the other monitored system boundary.

13

14

Valves in the cooling water support system that must close to ensure sufficient cooling to the

15

other monitored system components to meet risk significant functions are included in the system

16

boundary.

17

18

19

20

Train Determination

21

The number of trains in the Cooling Water Support System will vary considerably from plant to

22

plant. The way these functions are modeled in the plant-specific PRA will determine a logical

23

approach for train determination. For example, if the PRA modeled separate pump and line

24

segments, then the number of pumps and line segments would be the number of trains.

25

26

Clarifying Notes

27

Service water pump strainers and traveling screens are not considered to be active components

28

and are therefore not part of URI. However, clogging of strainers and screens due to expected or

29

routinely predictable environmental conditions that render the train unavailable to perform its

30

risk significant cooling function (which includes the risk-significant mission times)are included

31

in UAI.

32

33

Unpredictable extreme environmental conditions that render the train unavailable to perform its

34

risk significant cooling function should be addressed through the FAQ process to determine if

35

resulting unavailability should be included in UAI.

36

37

Attachment 2

RIS 2002-14

NEI 99-02, Appendix F, Methodologies For Computing the Unavailability Index, the

Unreliability Index and Determining Performance Index Validity (Draft).

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-1

APPENDIX F

1

2

METHODOLOGIES FOR COMPUTING THE UNAVAILABILITY

3

INDEX, THE UNRELIABILITY INDEX AND DETERMINING

4

PERFORMANCE INDEX VALIDITY

5

This appendix provides the details of three calculations, calculation of the System

6

Unavailability Index, the System Unreliability Index, and the criteria for determining

7

when the Mitigating System Performance Index is unsuitable for use as a performance

8

index.

9

System Unavailability Index (UAI) Due to Changes in Train Unavailability

10

Calculation of System UAI due to changes in train unavailability is as follows:

11

UAI 

UAItj

j 1

n



Eq. 1

12

where the summation is over the number of trains (n) and UAIt is the unavailability index

13

for a train.

14

Calculation of UAIt for each train due to changes in train unavailability is as follows:

15

)

(

max

BLt

t

p

UAp

p

t

UA

UA

UA

FV

CDF

UAI













,

Eq. 2

16

where:

17

CDFp is the plant-specific, internal events, at power Core Damage Frequency,

18

FVUAp is the train-specific Fussell-Vesely value for unavailability,

19

UAP is the plant-specific PRA value of unavailability for the train,

20

UAt is the actual unavailability of train t, defined as:

21

quarters

12

previous

the

during

hours

Critical

critical

while

quarters

12

previous

the

during

hours

e

Unavailabl



t

UA

22

and,

23

UABLt is the historical baseline unavailability value for the train determined

24

as described below.

25

UABLt is the sum of two elements: planned and unplanned unavailability. Planned

26

unavailability is the actual, plant-specific three-year total planned unavailability

27

for the train for the years 1999 through 2001 (see clarifying notes for details).

28

This period is chosen as the most representative of how the plant intends to

29

perform routine maintenance and surveillances at power. Unplanned

30

unavailability is the historical industry average for unplanned unavailability for

31

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-2

the years 1999 through 2001. See Table 1 for historical train values for

1

unplanned unavailability.

2

Calculation of the quantity inside the square bracket in equation 2 will be discussed at the

3

end of the next section. See clarifying notes for calculation of UAI for cooling water

4

support system.

5

6

System Unreliability Index (URI) Due to Changes in Component Unreliability

7

Unreliability is monitored at the component level and calculated at the system level.

8

Calculation of system URI due to changes in component unreliability is as follows:

9

)

(

1

max

BLcj

Bcj

m

j

pcj

URcj

p

UR

UR

UR

FV

CDF

URI
















Eq. 3

10

Where the summation is over the number of active components (m) in the system, and:

11

CDFp is the plant-specific internal events, at power, core damage frequency,

12

FVURc is the component-specific Fussell-Vesely value for unreliability,

13

URPc is the plant-specific PRA value of component unreliability,

14

URBc is the Bayesian corrected component unreliability for the previous 12

15

quarters,

16

and

17

URBLc is the historical industry baseline calculated from unreliability mean values

18

for each monitored component in the system. The calculation is performed in a

19

manner similar to equation 4 below using the industry average values in Table 2.

20

Calculation of the quantity inside the square bracket in equation 3 will be discussed at the

21

end of this section.

22

Component unreliability is calculated as follows.

23

URBc  PD  Tm

Eq 4

24

where:

25

PD is the component failure on demand probability calculated based on data

26

collected during the previous 12 quarters,

27

 is the component failure rate (per hour) for failure to run calculated based on

28

data collected during the previous 12 quarters,

29

and

30

Tm is the risk-significant mission time for the component based on plant specific

31

PRA model assumptions. Add acceptable methodologies for determining mission

32

time.

33

34

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-3

NOTE:

1

For valves only the PD term applies

2

For pumps PD +  Tm applies

3

For diesels PD start + PD load run +  Tm applies

4

5

The first term on the right side of equation 4 is calculated as follows.1

6

PD 

(Nd  a)

(a  b  D)

Eq. 5

7

where:

8

Nd is the total number of failures on demand during the previous 12 quarters,

9

D is the total number of demands during the previous 12 quarters (actual ESF

10

demands plus estimated test and estimated operational/alignment demands. An

11

update to the estimated demands is required if a change to the basis for the

12

estimated demands results in a >25% change in the estimate),

13

and

14

a and b are parameters of the industry prior, derived from industry experience (see

15

Table 2).

16

In the calculation of equation 5 the numbers of demands and failures is the sum of all

17

demands and failures for similar components within each system. Do not sum across

18

units for a multi-unit plant. For example, for a plant with two trains of Emergency Diesel

19

Generators, the demands and failures for both trains would be added together for one

20

evaluation of PD which would be used for both trains of EDGs.

21

In the second term on the right side of equation 4,  is calculated as follows.

22

  (Nr  a)

(Tr  b)

Eq. 6

23

where:

24

Nr is the total number of failures to run during the previous 12 quarters,

25

Tr is the total number of run hours during the previous 12 quarters (actual ESF run

26

hours plus estimated test and estimated operational/alignment run hours. An

27

update to the estimated run hours is required if a change to the basis for the

28

estimated hours results in a >25% change in the estimate).

29

and

30

1 Atwood, Corwin L., Constrained noninformative priors in risk assessment, Reliability

Engineering and System Safety, 53 (1996; 37-46)

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-4

a and b are parameters of the industry prior, derived from industry experience (see

1

Table 2).

2

In the calculation of equation 6 the numbers of demands and run hours is the sum of all

3

run hours and failures for similar components within each system. Do not sum across

4

units for a multi-unit plant. For example, a plant with two trains of Emergency Diesel

5

Generators, the run hours and failures for both trains would be added together for one

6

evaluation of  which would be used for both trains of EDGs.

7

Fussell-Vesely, Unavailability and Unreliability

8

Equations 2 and 3 include a term that is the ratio of a Fussell-Vesely importance value

9

divided by the related unreliability or unavailability. Calculation of these quantities is

10

generally complex, but in the specific application used here, can be greatly simplified.

11

The simplifying feature of this application is that only those components (or the

12

associated basic events) that can fail a train are included in the performance index.

13

Components within a train that can each fail the train are logically equivalent and the

14

ratio FV/UR is a constant value for any basic event in that train. It can also be shown that

15

for a given component or train represented by multiple basic events, the ratio of the two

16

values for the component or train is equal to the ratio of values for any basic event within

17

the train. Or:

18

FVbe

URbe  FVURc

URPc  FVt

URt  Constant

19

and

20

FVbe

UAbe  FVUAp

UAp  Constant

21

Note that the constant value may be different for the unreliability ratio and the

22

unavailability ratio because the two types of events are frequently not logically

23

equivalent. For example recovery actions may be modeled in the PRA for one but not the

24

other.

25

Thus, the process for determining the value of this ratio for any component or train is to

26

identify a basic event that fails the component or train, determine the failure probability

27

or unavailability for the event, determine the associated FV value for the event and then

28

calculate the ratio. Use the basic event in the component or train with the largest failure

29

probability (hence the maximum notation on the bracket) to minimize the effects of

30

truncation on the calculation. Exclude common cause events, which are not within the

31

scope of this performance index

32

Some systems have multiple modes of operation, such as PWR HPSI systems that operate

33

in injection as well as recirculation modes. In these systems all active components are not

34

logically equivalent, unavailability of the pump fails all operating modes while

35

unavailability of the sump suction valves only fails the recirculation mode. In cases such

36

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-5

as these, if unavailability events exist separately for the components within a train, the

1

appropriate ratio to use is the maximum.

2

Determination of systems for which the performance index is not valid

3

The performance index relies on the existing testing programs as the source of the data

4

that is input to the calculations. Thus, the number of demands in the monitoring period is

5

based on the frequency of testing required by the current test programs. In most cases this

6

will provide a sufficient number of demands to result in a valid statistical result.

7

However, in some cases, the number of demands will be insufficient to resolve the

8

change in the performance index (1.0x10-6) that corresponds to movement from a green

9

performance to a white performance level. In these cases, one failure is the difference

10

between baseline performance and performance in the white performance band. The

11

performance index is not suitable for monitoring such systems and monitoring is

12

performed through the inspection process.

13

This section will define the method to be used to identify systems for which the

14

performance index is not valid, and will not be used.

15

The criteria to be used to identify an invalid performance index is:

16

If, for any failure mode for any component in a system, the risk increase

17

(CDF) associated with the change in unreliability resulting from single

18

failure is larger than 1.0x10-6, then the performance index will be

19

considered invalid for that system.

20

The increase in risk associated with a component failure is the sum of the contribution

21

from the decrease in calculated reliability as a result of the failure and the decrease in

22

availability resulting from the time required to affect the repair of the failed component.

23

The change in CDF that results from a demand type failure is given by:

24

25

CR

Mean

p

UAp

p

comp

similar

N

pc

URc

p

T

T

UA

FV

CDF

D

b

a

UR

FV

CDF

MSPI

Repair

1






















Eq. 7

26

27

Likewise, the change in CDF per run type failure is given by:

28

29

CR

p

UAp

p

comp

similar

N

r

m

pc

URc

p

T

T

UA

FV

CDF

T

b

T

UR

FV

CDF

MSPI

Repair

Mean




















Eq. 8

30

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-6

In these expressions, the variables are as defined earlier and additionally

1

TMR is the mean time to repair for the component

2

and

3

TCR is the number of critical hours in the monitoring period.

4

The summation in the equations is taken over all similar components within a system.

5

With multiple components of a given type in one system, the impact of the failure on

6

CDF is included in the increased unavailability of all components of that type due to

7

pooling the demand and failure data.

8

The mean time to repair can be estimate as one-half the Technical Specification Allowed

9

Outage Time for the component and the number of critical hours should correspond to the

10

1999 - 2001 actual number of critical hours.

11

These equations are be used for all failure modes for each component in a system. If the

12

resulting value of CDF is greater than 1.0x10-6 for any failure mode of any component,

13

then the performance index for that system is not considered valid.

14

15

Definitions

16

17

Train Unavailability: Train unavailability is the ratio of the hours the train was

18

unavailable to perform its risk-significant functions due to planned or unplanned

19

maintenance or test during the previous 12 quarters while critical to the number of critical

20

hours during the previous 12 quarters. (Fault exposure hours are not included;

21

unavailable hours are counted only for the time required to recover the trains risk-

22

significant functions.)

23

Train unavailable hours: The hours the train was not able to perform its risk significant

24

function due to maintenance, testing, equipment modification, electively removed from

25

service, corrective maintenance, or the elapsed time between the discovery and the

26

restoration to service of an equipment failure or human error that makes the train

27

unavailable (such as a misalignment) while the reactor is critical.

28

Fussell-Vesely (FV) Importance:

29

The Fussell-Vesely importance for a feature (component, sub-system, train, etc.) of a

30

system is representative of the fractional contribution that feature makes to the to the total

31

risk of the system.

32

The Fussell-Vesely importance of a basic event or group of basic events that represent a

33

feature of a system is represented by:

34

0

1

R

R

FV

i





35

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-7

Where:

1

R0 is the base (reference) case overall model risk,

2

Ri is the decreased risk level with feature i completely reliable.

3

In this expression, the second term on the right represents the fraction of the reference

4

risk remaining assuming the feature of interest is perfect. Thus 1 minus the second term is

5

the fraction of the reference risk attributed to the feature of interest.

6

The Fussell-Vesely importance is calculated according to the following equation:

7





m

j

j

n

j

j

i

C

C

FV

,1

0

,1

1









,

8

where the denominator represents the union of m minimal cutsets C0 generated with the

9

reference (baseline) model, and the numerator represents the union of n minimal cutsets

10

Ci generated assuming events related to the feature are perfectly reliable, or their failure

11

probability is False.

12

Critical hours: The number of hours the reactor was critical during a specified period of

13

time.

14

Component Unreliability: Component unreliability is the probability that the component

15

would not perform its risk-significant functions when called upon during the previous 12

16

quarters.

17

Active Component: A component whose failure to change state renders the train incapable

18

of performing its risk-significant functions. In addition, all pumps and diesels in the

19

monitored systems are included as active components. (See clarifying notes.)

20

Manual Valve: A valve that can only be operated by a person. An MOV or AOV that is

21

remotely operated by a person may be an active component.

22

Start demand: Any demand for the component to successfully start to perform its risk-

23

significant functions, actual or test. (Exclude post maintenance tests, unless in case of a

24

failure the cause of failure was independent of the maintenance performed.)

25

Post maintenance tests: Tests performed following maintenance but prior to declaring the

26

train/component operable, consistent with Maintenance Rule implementation.

27

Run demand: Any demand for the component, given that it has successfully started, to

28

run/operate for its mission time to perform its risk-significant functions. (Exclude post

29

maintenance tests, unless in case of a failure the cause of failure was independent of the

30

maintenance performed.)

31

EDG failure to start: A failure to start includes those failures up to the point the EDG has

32

achieved rated speed and voltage. (Exclude post maintenance tests, unless the cause of

33

failure was independent of the maintenance performed.)

34

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-8

EDG failure to load/run: Given that it has successfully started, a failure of the EDG

1

output breaker to close, loads successfully sequence and to run/operate for one hour to

2

perform its risk-significant functions. This failure mode is treated as a demand failure for

3

calculation purposes. (Exclude post maintenance tests, unless the cause of failure was

4

independent of the maintenance performed.)

5

EDG failure to run: Given that it has successfully started and loaded and run for an hour,

6

a failure of an EDG to run/operate. for its mission time to perform its risk-significant

7

functions. (Exclude post maintenance tests, unless the cause of failure was independent of

8

the maintenance performed.)

9

Pump failure on demand: A failure to start and run for at least one hour is counted as

10

failure on demand. (Exclude post maintenance tests, unless the cause of failure was

11

independent of the maintenance performed.)

12

Pump failure to run: Given that it has successfully started and run for an hour, a failure of

13

a pump to run/operate. for its mission time to perform its risk-significant functions.

14

(Exclude post maintenance tests, unless the cause of failure was independent of the

15

maintenance performed.)

16

Valve failure on demand: A failure to open or close is counted as failure on demand.

17

(Exclude post maintenance tests, unless the cause of failure was independent of the

18

maintenance performed.)

19

Clarifying Notes

20

Train Boundaries and Unavailable Hours

21

Include all components that are required to satisfy the risk-significant function of the

22

train. For example, high-pressure injection may have both an injection mode with

23

suction from the refueling water storage tank and a recirculation mode with suction from

24

the containment sump. Some components may be included in the scope of more than one

25

train. For example, one set of flow regulating valves and isolation valves in a three-pump,

26

two-steam generator system are included in the motor-driven pump train with which they

27

are electrically associated, but they are also included (along with the redundant set of

28

valves) in the turbine-driven pump train. In these instances, the effects of unavailability

29

of the valves should be reported in both affected trains. Similarly, when two trains

30

provide flow to a common header, the effect of isolation or flow regulating valve failures

31

in paths connected to the header should be considered in both trains

32

Cooling Water Support System Trains

33

The number of trains in the Cooling Water Support System will vary considerably from

34

plant to plant. The way these functions are modeled in the plant-specific PRA will

35

determine a logical approach for train determination. For example, if the PRA modeled

36

separate pump and line segments, then the number of pumps and line segments would be

37

the number of trains. A separate value for UAI and URI will be calculated for each of the

38

systems in this indicator and then they will be added together to calculate the MSPI.

39

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-9

1

Active Components

2

For unreliability, use the following criteria for determining those components that should

3

be monitored:

4

 Components that are normally running or have to change state to achieve the risk

5

significant function will be included in the performance index. Active failures of

6

check valves and manual valves are excluded from the performance index and will be

7

evaluated in the NRC inspection program.

8

 Redundant valves within a train are not included in the performance index. Only

9

those valves whose failure alone can fail a train will be included. The PRA success

10

criteria are to be used to identify these valves.

11

 Redundant valves within a multi-train system, whether in series or parallel, where the

12

failure of both valves would prevent all trains in the system from performing a risk-

13

significant function are included. (See Figure F-5)

14

 All pumps and diesels are included in the performance index

15

Table 3 defines the boundaries of components, and Figures F-1, F-2, F-3 and F-4 provide

16

examples of typical component boundaries as described in Table 3. Each plant will

17

determine their system boundaries, active components, and support components, and

18

have them available for NRC inspection.

19

Failures of Non-Active Components

20

Failures of SSCs that are not included in the performance index will not be counted as a

21

failure or a demand. Failures of SSCs that cause an SSC within the scope of the

22

performance index to fail will not be counted as a failure or demand. An example could

23

be a manual suction isolation valve left closed which causes a pump to fail. This would

24

not be counted as a failure of the pump. Any mispositioning of the valve that caused the

25

train to be unavailable would be counted as unavailability from the time of discovery.

26

The significance of the mispositioned valve prior to discovery would be addressed

27

through the inspection process.

28

29

Baseline Values

30

The baseline values for unreliability are contained in Table 2 and remain fixed.

31

The baseline values for unavailability include both plant-specific planned unavailability

32

values and unplanned unavailability values. The unplanned unavailability values are

33

contained in Table 1 and remain fixed. They are based on ROP PI industry data from

34

1999 through 2001. (Most baseline data used in PIs come from the 1995-1997 time

35

period. However, in this case, the 1999-2001 ROP data are preferable, because the ROP

36

data breaks out systems separately (some of the industry 1995-1997 INPO data combine

37

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-10

systems, such as HPCI and RCIC, and do not include PWR RHR). It is important to note

1

that the data for the two periods is very similar.)

2

Support cooling baseline data is based on plant specific maintenance rule unplanned and

3

planned unavailability for years 1999 to 2001. (Maintenance rule data does not

4

distinguish between planned and unplanned unavailability. There is no ROP support

5

cooling data.)

6

The baseline planned unavailability is based on actual plant-specific values for the period

7

1999 through 2001. These values are expected to remain fixed unless the plant

8

maintenance philosophy is substantially changed with respect to on-line maintenance or

9

preventive maintenance. In these cases, the planned unavailability baseline value can be

10

adjusted. A comment should be placed in the comment field of the quarterly report to

11

identify a substantial change in planned unavailability. To determine the planned

12

unavailability:

13

1. Record the total train unavailable hours reported under the Reactor Oversight Process

14

for 1999 through 2001.

15

2. Subtract any fault exposure hours still included in the 1999-2001 period.

16

3. Subtract unplanned unavailable hours

17

4. Add any on-line overhaul hours and any other planned unavailability excluded in

18

accordance with NEI 99-02. 2

19

5. Add any planned unavailable hours for functions monitored under MSPI which were

20

not monitored under SSU in NEI 99-02.

21

6. Subtract any unavailable hours reported when the reactor was not critical.

22

7. Subtract hours cascaded onto monitored systems by support systems.

23

8. Divide the hours derived from steps 1-6 above by the total critical hours during 1999-

24

2001. This is the baseline planned unavailability

25

Baseline unavailability is the sum of planned unavailability from step 7 and unplanned

26

unavailability from Table 1.

27

28

29

2 Note: The plant-specific PRA should model significant on-line overhaul hours.

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-11

Table 1. Historical Unplanned Maintenance Unavailability Train Values

1

(Based on ROP Industrywide Data for 1999 through 2001)

2

3

4

SYSTEM

UNPLANNED UNAVAILABILITY/TRAIN

EAC

1.7 E-03

PWR HPSI

6.1 E-04

PWR AFW (TD)

9.1 E-04

PWR AFW (MD)

6.9 E-04

PWR AFW (DieselD)

7.6 E-04

PWR (except CE) RHR

4.2 E-04

CE RHR

1.1 E-03

BWR HPCI

3.3 E-03

BWR HPCS

5.4 E-04

BWR RCIC

2.9 E-03

BWR RHR

1.2 E-03

Support Cooling

No Data Available Use plant specific Maintenance

Rule data for 1999-2001

5

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-12

Table 2. Industry Priors and Parameters for Unreliability

1

2

3

Component

Failure

Mode

a a

b a

Industry

Mean

Value b

Source(s)

Motor-operated

valve

Fail to open

(or close)

5.0E-1

2.4E+2

2.1E-3

NUREG/CR-5500, Vol.

4,7,8,9

Air-operated

valve

Fail to open

(or close)

5.0E-1

2.5E+2

2.0E-3

NUREG/CR-4550, Vol. 1

Fail to start

5.0E-1

2.4E+2

2.1E-3

NUREG/CR-5500, Vol.

1,8,9

Motor-driven

pump, standby

Fail to run

5.0E-1

5.0E+3h

1.0E-4/h

NUREG/CR-5500, Vol.

1,8,9

Fail to start

4.9E-1

1.6E+2

3.0E-3

NUREG/CR-4550, Vol. 1

Motor-driven

pump, running

or alternating

Fail to run

5.0E-1

1.7E+4h

3.0E-5/h

NUREG/CR-4550, Vol. 1

Fail to start

4.7E-1

2.4E+1

1.9E-2

NUREG/CR-5500, Vol. 1

Turbine-driven

pump, AFWS

Fail to run

5.0E-1

3.1E+2

1.6E-3/h

NUREG/CR-5500, Vol. 1

Fail to start

4.6E-1

1.7E+1

2.7E-2

NUREG/CR-5500, Vol.

4,7

Turbine-driven

pump, HPCI or

RCIC

Fail to run

5.0E-1

3.1E+2h

1.6E-3/h

NUREG/CR-5500, Vol.

1,4,7

Fail to start

4.7E-1

2.4E+1

1.9E-2

NUREG/CR-5500, Vol. 1

Diesel-driven

pump, AFWS

Fail to run

5.0E-1

6.3E+2h

8.0E-4/h

NUREG/CR-4550, Vol. 1

Fail to start

4.8E-1

4.3E+1

1.1E-2

NUREG/CR-5500, Vol. 5

Fail to

load/run

5.0E-1

2.9E+2

1.7E-3 c

NUREG/CR-5500, Vol. 5

Emergency

diesel generator

Fail to run

5.0E-1

2.2E+3h

2.3E-4/h

NUREG/CR-5500, Vol. 5

4

5

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-13

a. A constrained, non-informative prior is assumed. For failure to run events, a = 0.5 and

1

b = (a)/(mean rate). For failure upon demand events, a is a function of the mean

2

probability:

3

4

Mean Probability

a

5

0.0 to 0.0025

0.50

6

>0.0025 to 0.010

0.49

7

>0.010 to 0.016

0.48

8

>0.016 to 0.023

0.47

9

>0.023 to 0.027

0.46

10

11

Then b = (a)(1.0 - mean probability)/(mean probability).

12

13

b. Failure to run events occurring within the first hour of operation are included within

14

the fail to start failure mode. Failure to run events occurring after the first hour of

15

operation are included within the fail to run failure mode. Unless otherwise noted, the

16

mean failure probabilities and rates include the probability of non-recovery. Types of

17

allowable recovery are outlined in the clarifying notes, under Credit for Recovery

18

Actions.

19

20

c. Fail to load and run for one hour was calculated from the failure to run data in the

21

report indicated. The failure rate for 0.0 to 0.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> (3.3E-3/h) multiplied by 0.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />,

22

was added to the failure rate for 0.5 to 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br /> (2.3E-4/h) multiplied by 0.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />.

23

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-14

Table 3. Component Boundary Definition

Component

Component boundary

Diesel

Generators

The diesel generator boundary includes the generator body, generator

actuator, lubrication system (local), fuel system (local), cooling components

(local), startup air system receiver, exhaust and combustion air system,

dedicated diesel battery (which is not part of the normal DC distribution

system), individual diesel generator control system, circuit breaker for supply

to safeguard buses and their associated local control circuit (coil, auxiliary

contacts, wiring and control circuit contacts, and breaker closure interlocks) .

Motor-Driven

Pumps

The pump boundary includes the pump body, motor/actuator, lubrication

system cooling components of the pump seals, the voltage supply breaker,

and its associated local control circuit (coil, auxiliary contacts, wiring and

control circuit contacts).

Turbine-

Driven Pumps

The turbine-driven pump boundary includes the pump body, turbine/actuator,

lubrication system (including pump), extractions, turbo-pump seal, cooling

components, and local turbine control system (speed).

Motor-

Operated

Valves

The valve boundary inc1udes the valve body, motor/actuator, the voltage

supply breaker (both motive and control power) and its associated local

open/close circuit (open/close switches, auxiliary and switch contacts, and

wiring and switch energization contacts).

Air-Operated

Valves

The valve boundary includes the valve body, the air operator, associated

solenoid-operated valve, the power supply breaker or fuse for the solenoid

valve, and its associated control circuit (open/close switches and local

auxiliary and switch contacts).

1

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-15

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

Figure F-1

23

Diesel Engine

Control and

Protection System

Starting Air

System Receiver

Combustion Air

System and

Supply

Jacket

Water

Fuel Oil

System

Fuel Oil Day

Tank

Generator

Exciter and

Voltage

Regulator

Exhaust

System

Governor and

Control System

Lubrication

System

EDG

Breaker

ESFAS/Sequencer

DC Power

Cooling Water

Class 1E Bus

EDG Boundary

Isol.

Valve

Fuel Storage and

Transfer System

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-16

1

2

Figure F-2

3

4

5

Controls

Breaker

Motor Operator

Motor Driven Pump Boundary

Pump

ESFAS

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-17

Figure F-3

1

2

Controls

Breaker

Motor Operator

MOV Boundary

ESFAS

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-18

1

2

Figure F-4

3

4

Controls

Turbine

Turbine Driven Pump Boundary

Pump

ESFAS

DRAFT NEI 99-02 MSPI 8/28/20028/23/20028/9/2002

F-19

1

T

A

N

K

Figure F-5

Active

Components

Active

Components

Non-active

Components

Retrieved from "https://kanterella.com/w/index.php?title=ML022410004&oldid=5434372"