ML18178A586

From kanterella
Revision as of 21:39, 20 October 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Draft NEI 18-03, Rev. F
ML18178A586
Person / Time
Site: Nuclear Energy Institute
Issue date: 06/27/2018
From: Joseph Holonich
Nuclear Energy Institute
To: Joseph Holonich
Office of Nuclear Reactor Regulation
Holonich J, NRR/DLP, 415-7297
References
NEI 18-03
Download: ML18178A586 (34)


Text

NEI 18-03, DRAFT Operability Determination month 2018 Nuclear Energy Institute, 1201 F Street N. W., Suite 1100, Washington D.C. (202.739.8000)

© NEI 2018. All rights reserved. nei.org

Nuclear Energy Institute, 1201 F Street N. W., Suite 1100, Washington D.C. (202.739.8000)

© NEI 2018. All rights reserved. nei.org

NEI 18-03, DRAFT Month 2018 ACKNOWLEDGEMENTS This document was developed by nuclear industry at the direction of the Nuclear Energy Institute Regulatory Issues Task Force, with support from the Pressurized Water Reactor Owners Group (PWROG) Licensing Committee and the Boiling Water Reactor Owners' Group (BWROG)

Licensing Committee. The dedicated and timely effort of the many participants, including management support of the effort, is greatly appreciated.

NOTICE Neither NEI, nor any of its employees, members, supporting organizations, contractors, or consultants make any warranty, expressed or implied, or assume any legal responsibility for the accuracy or completeness of, or assume any liability for damages resulting from any use of, any information apparatus, methods, or process disclosed in this report or that such may not infringe privately owned rights.

© NEI 2018. All rights reserved. nei.org i

NEI 18-03, DRAFT Month 2018 FOREWORD In 1991, the Nuclear Regulatory Commission issued Generic Letter (GL) 91-18, "Information to Licensees Regarding Two NRC Inspection Manual Sections on Resolution of Degraded and Nonconforming Conditions and on Operability." The inspector guidance promulgated by this GL has been revised on several occasions, and is currently provided in NRC Inspection Manual Chapter 0326, "Operability Determinations & Functionality Assessments for Conditions Adverse to Quality or Safety." Since issuance of GL 91-18, nuclear power plant operators have incorporated aspects of the inspector guidance into their quality assurance programs; however, industry operating and regulatory experience has indicated the need to provide additional guidance to plant management and operating staff. This document describes an approach that may be used by the nuclear utility industry to develop plant-specific programs and procedures for evaluating the operability of structures, systems and components (SSC) addressed in technical specifications when deficient conditions are identified. This document focuses on the operability determination process.

The guidance in this document does not establish or relieve any regulatory requirements, but suggests a process to ensure appropriate steps are taken to ensure plant safety and technical specification compliance are maintained when deficient SSC conditions are identified.

© NEI 2018. All rights reserved. nei.org ii

NEI 18-03, DRAFT Month 2018 TABLE OF CONTENTS 1 INTRODUCTION ............................................................................................................................. 5 2 SCOPE AND APPLICABILITY ...................................................................................................... 6 2.1 Scope of SSCs for Operability Determinations ......................................................................... 6 3 DEFINITIONS .................................................................................................................................. 6 3.1 Compensatory Actions ...................................................................................................................... 6 3.2 Deficient SSC Condition .................................................................................................................... 6 3.3 Design Bases ......................................................................................................................................... 7 3.4 Licensing Basis .................................................................................................................................... 7 3.5 Mission Time ........................................................................................................................................ 7 3.6 Necessary Support Function ........................................................................................................... 8 3.7 Operable - Operability ..................................................................................................................... 8 3.8 Specified Function/Specified Safety Function ......................................................................... 8 3.9 Presumption of Operability ............................................................................................................ 9 3.10 Reasonable Expectation of Operability ...................................................................................... 9 4 OPERABILITY DETERMINATION PROCESS ........................................................................ 10 4.1 Three Required Entry Criteria.................................................................................................... 10 4.2 Documented Operability Process .............................................................................................. 11 4.2.1 Immediate Determination of Operability .......................................................................................... 12 4.2.2 Prompt Determination of Operability ................................................................................................ 13 4.3 Other Considerations ..................................................................................................................... 14 4.3.1 Sufficiency of Operability Determination.......................................................................................... 14 4.3.2 Continuous monitoring of operability ................................................................................................ 15 5 OPERATIONAL DECISIONS BASED ON OPERABILITY DETERMINATIONS ............... 15 5.1 Operability Determination Conclusions ................................................................................. 15 5.1.1 SSC Inoperable.............................................................................................................................................. 15 5.1.2 SSC Operable ................................................................................................................................................. 15 6 References..................................................................................................................................... 16 Appendix A Specific Operability Considerations ..................................................................... 17 A.1 Consequential Failures in Operability Determinations .................................................... 17 A.2 Use of Alternative Analytical Methods to Determine Operability ................................. 17 A.3 Compensatory Actions ................................................................................................................... 18 A.4 Consideration of Probability and Risk in Operability Determinations ....................... 19 A.5 Piping and Pipe Support Requirements .................................................................................. 19 A.6 Structural Requirements .............................................................................................................. 19 A.7 Technical Specification Operability vs. ASME Code Criteria ............................................ 20 A.8 Operability during Technical Specification Surveillances ............................................... 21 A.9 Reduced Reliability ......................................................................................................................... 21 A.10 Flaw Evaluation ................................................................................................................................ 21 A.11 Support System Operability......................................................................................................... 21 Appendix B Definition of Specified Safety Function ............................................................... 23 B.1 Development of the Definition of Operability ....................................................................... 23

© NEI 2018. All rights reserved. nei.org iii

NEI 18-03, DRAFT Month 2018 B.2 Final Policy Statement on Technical Specifications Improvements ............................. 25 B.3 Regulatory Foundation.................................................................................................................. 29 B.4 Specified Safety Function Definition ........................................................................................ 30 Appendix C Additional Considerations for Corrective Actions of Deficient Conditions ...................................................................................................................... 31 C.1 Relationship between Operability and the Corrective Action Program ...................... 31 C.2 Timing of Corrective Actions ....................................................................................................... 31 C.3 Final Corrective Action .................................................................................................................. 32 C.4 Change to Facility or Procedures in Lieu of Restoration ................................................... 33 C.5 Acceptance of an As-Found Condition...................................................................................... 33

© NEI 2018. All rights reserved. nei.org iv

OPERABILITY DETERMINATIONS 1 INTRODUCTION This document provides guidance for assessing operability. Operability is a continuous process, and the assessment of operability is the responsibility of a senior licensed operator on the operating shift crew.

The terms "operable" or "operability" do not appear in laws or regulations related to commercial nuclear power. The terms are defined in the technical specifications (TS) for each plant and, therefore, only have meaning as used relative to that document. Further, no regulatory requirements exist regarding entry into the documented operability process, how to assess operability, or how to transition between the states of operability or inoperability.

This document will utilize the improved Standard Technical Specifications (STS)

NUREG 1 definition 2 of "Operable/Operability" which states:

A system, subsystem, train, component, or device shall be OPERABLE when it is capable of performing its specified safety function(s) and when all necessary attendant instrumentation, controls, normal or emergency electrical power, cooling and seal water, lubrication, and other auxiliary equipment that are required for the system, subsystem, train, component, or device to perform its specified function(s) are also capable of performing their related support function(s).

This definition of operability has not changed since Revision 0 of the improved STS issued in 1992.

The regulatory obligation regarding operability is compliance with the requirements specified in TS. Therefore, the management of operability is a fundamental priority for nuclear plant operators. Practical application necessitates a structured and consistent approach to operability determination. This guidance is therefore provided to assist in the determination of the operability of TS structures, systems, and components (SSCs).

The immediate, primary, and ongoing concern is the safe operation of the plant. When an SSC deficiency that may pose a threat to public health and safety is identified, the plant should be placed or maintained in a safe condition whether or not action is explicitly required by regulations. In cases where the SSC is specifically addressed by the plants 1

NUREG-1430, NUREG-1431, NUREG-1432, NUREG-1433, NUREG-1434, and NUREG-2194.

2 The TS of all operating plants have either the definition of operability provided in Generic Letter 80-30, or the STS definition of operability. As the majority of operating plant TS are based on the improved STS, the improved STS definition will be used in this document. The term "specified function(s)" in the GL 80-30 definition is equivalent to the improved STS term "specified safety function(s)".

5

© NEI 2018. All rights reserved. nei.org

TS limiting conditions for operation (LCOs), there should be a reasonable expectation that the SSC in question is operable while operability is being assessed, or the appropriate TS action requirements should be followed.

2 SCOPE AND APPLICABILITY The Corrective Action Program (CAP) is designed to satisfy the requirements of 10 CFR 50, Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants." The CAP process is used to identify, track, and resolve conditions adverse to quality (CAQ), including significant conditions adverse to quality (SCAQ).

Deficient conditions are evaluated under the CAP. If those evaluated deficient conditions meet the operability entry criteria, operability should be assessed as described in section 4.0 of this document.

2.1 SCOPE OF SSCS FOR OPERABILITY DETERMINATIONS The scope of SSCs considered within the operability determination process is limited to those SSCs that are required to be operable by TS and those SSCs which provide necessary support functions for SSCs required to be operable. For example, the capabilities of a cooling system not directly addressed by the TS may perform a necessary support function for an SSC directly required by a TS LCO.

Operational impacts of deficient conditions of other SSCs not subject to TS LCOs should be considered and evaluated under existing processes (i.e. CAP), but are not subject to the operability process.

3 DEFINITIONS The following definitions are provided for terms that are used in this document.

3.1 COMPENSATORY ACTIONS As used in this document, a compensatory action is any action taken in response to an identified deficient condition to restore or maintain the operability of an SSC until the deficient condition can be corrected.

3.2 DEFICIENT SSC CONDITION A deficient SSC condition is one which may compromise the required capabilities of the affected SSC. A subset of deficient SSC conditions will require an assessment of operability as described in Section 4.

6

© NEI 2018. All rights reserved. nei.org

3.3 DESIGN BASES As defined in 10 CFR 50.2 3, design bases means that information which identifies the specific functions to be performed by a structure, system, or component of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. These values may be (1) restraints derived from generally accepted "state of the art" practices for achieving functional goals, or (2) requirements derived from analysis (based on calculation and/or experiments) of the effects of a postulated accident for which a structure, system, or component must meet its functional goals.

The design basis for safety-related SSCs is initially established during the original plant licensing and relates primarily to accident and event prevention or mitigation functions.

Design bases information is documented in the FSAR, and is updated as required by 10 CFR 50.71(e).

3.4 LICENSING BASIS The licensing basis is the set of NRC requirements applicable to a specific plant, plus a licensee's docketed and currently effective written commitments for ensuring compliance with, and operation within, applicable NRC requirements and the plant-specific design basis, including all modifications and additions to such commitments over the life of the facility operating license.

The set of NRC requirements applicable to a specific plant licensing basis include:

  • NRC regulations in 10 CFR Parts 2, 19, 20, 21, 26, 30, 40, 50, 51, 54, 55, 70, 72, 73, and 100 and appendices thereto;
  • Commission orders;
  • License conditions;
  • Exemptions;
  • Technical specifications;
  • Licensee commitments remaining in effect that were made in docketed licensing correspondence (such as licensee responses to NRC bulletins, Licensee Event Reports, generic letters, and enforcement actions); and
  • Licensee commitments documented in NRC safety evaluations.

3.5 MISSION TIME As used in this document, the mission time is the time an SSC must be capable of performing the specified safety function.

3 NRC Regulatory Guide 1.186, "Guidance and Examples for Identifying 10 CFR 50.2 Design Bases,"

endorses Appendix B to Nuclear Energy Institute (NEI) document NEI 97-04, "Guidance and Examples for Identifying 10 CFR 50.2 Design Bases."

7

© NEI 2018. All rights reserved. nei.org

3.6 NECESSARY SUPPORT FUNCTION The definition of operability embodies a principle that an SSC can perform its specified safety function(s) only when all its necessary support systems are capable of performing its related support function(s). A necessary support function is a function required for the supported TS system, subsystem, train, component, or device to perform its specified safety function.

3.7 OPERABLE - OPERABILITY The STS define "Operable - Operability" as follows:

A system, subsystem, train, component, or device shall be OPERABLE or have OPERABILITY when it is capable of performing its specified safety function(s), and when all necessary attendant instrumentation, controls, normal or emergency electrical power, cooling and seal water, lubrication, and other auxiliary equipment that are required for the system, subsystem, train, component, or device to perform its specified safety function(s) are also capable of performing their related support function(s).

Plant-specific TS that are not based on the STS definition typically define "Operable -

Operability" as follows:

A system, subsystem, train, component, or device shall be OPERABLE or have OPERABILITY when it is capable of performing its specified function(s), and when all necessary attendant instrumentation, controls, electrical power, cooling or seal water, lubrication and other auxiliary equipment that are required for the system, subsystem, train, component, or device to perform its specified safety function(s) are also capable of performing their related support function(s).

As described above, a plant-specific definition may differ from that found in the STS. Any difference in the definition does not imply a significant difference in application of the plant-specific TS.

3.8 SPECIFIED FUNCTION/SPECIFIED SAFETY FUNCTION A Specified Safety Function (SSF) is a function assumed to be performed by a system, structure, or component (SSC) in the analyses summarized in the Updated Final Safety Analysis Report, Chapters 6 and 15 (or the plant-specific equivalent chapters). SSFs are the subset of functions that meet one or more criterion in 10 CFR 50.36(c)(2)(ii) from all the functions performed by an SSC, as described in the NRC's Final Policy Statement on Technical Specifications Improvement 4.

For plants with improved standard technical specifications, these functions are normally discussed in the TS Limiting Condition for Operation (LCO) Bases.

4 Technical Specifications Improvements for Nuclear Power Reactors; 58 FR 39132; July 22, 1993 8

© NEI 2018. All rights reserved. nei.org

Note that not all functions or conditions of TS SSCs are considered SSFs, and the functions of non-TS SSCs are never considered SSFs.

The plant-specific SSF scope derives from the functions and design conditions for performance relied on by the licensee and the NRC when the TS were prepared, submitted, reviewed, and approved. The primary sources for deciding whether a function or design condition is an SSF are the application and supplements submitted by the licensee and the requests for additional information (RAIs) and safety evaluations prepared by the NRC.

Additional information regarding the derivation of this definition is provided in Appendix B.

3.9 PRESUMPTION OF OPERABILITY A TS SSC is presumed to be operable if the associated surveillance requirements have been met, unless there is a deficient condition associated with the SSC or its required and necessary support SSCs that meets the three required entry criteria described in Section 4.1.

The improved STS Bases for surveillance requirement (SR) 3.0.1 state:

Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:

a. The systems or components are known to be inoperable, although still meeting the SRs; or
b. The requirements of the Surveillance(s) are known to be not met between required Surveillance performances.

3.10 REASONABLE EXPECTATION OF OPERABILITY Upon discovery of a deficient condition which satisfies the three required entry criteria described in Section 4.1, the presumption of operability is lost. A subsequent determination of operability should be based on the "reasonable expectation," from the evidence collected, that the SSCs are capable of performing its specified safety function and that the operability determination will support that expectation. Reasonable expectation does not mean absolute assurance that the SSCs are operable. The SSCs may be considered operable when there is evidence that the possibility of failure of an SSC has increased, but not to the point of eroding confidence in the reasonable expectation that the SSC remains operable. The supporting basis for the reasonable expectation of SSC operability should provide a high degree of confidence that the SSCs remain operable. It should be noted that the standard of "reasonable expectation" is a high standard, and that there is no such thing as an indeterminate state of operability; an SSC is either operable or inoperable.

9

© NEI 2018. All rights reserved. nei.org

The concepts of presumption of operability and reasonable expectation of operability are distinct and do not co-exist.

4 OPERABILITY DETERMINATION PROCESS The control room operating staff should be aware of the operability status of SSCs.

Conclusions regarding TS compliance in regard to SSC operability are ultimately the responsibility of the on-shift licensed Senior Reactor Operator.

Appendix A contains information regarding specific conditions for consideration when performing an operability determination.

4.1 THREE REQUIRED ENTRY CRITERIA The assessment of operability is a continuous process. Issues and questions should be addressed through other appropriate station processes until such time that a deficient condition is confirmed. Entry into the documented operability determination process is contingent upon the deficient condition satisfying the three required entry criteria.

If an SSC is clearly inoperable (incapable of performing its specified safety function) as a result of a deficiency (for example, loss of motive power or failed TS surveillance), it is inoperable and the requirements of TS must be satisfied. A documented operability determination is not necessary.

If a deficient condition satisfies the three required entry criteria, a documented operability determination is required. If the three required entry criteria are not met, then the presumption of operability is retained and performance of a documented operability determination is not required. However, the documented operability determination process may always be used to evaluate a deficient condition if desired.

Regardless of whether a documented operability determination is performed, deficient conditions are still subject to the corrective action process. Operability is a continuous process, and provisions should exist for reexamining deficient conditions against the three required entry criteria if new functional impacts, degrading trends, or resolution of a previously unresolved question affect the previous determination.

The three required entry criteria are based upon the TS definition of operability, which requires the performance of "functions." In order to challenge operability, the deficient conditions must satisfy all of the following three required entry criteria:

Criterion 1: The deficient condition must affect a TS SSC installed in an operating unit.

Criterion 2: The deficient condition must have a functional impact on the SSC. This includes the ability to perform required functions under postulated, off-normal design conditions.

10

© NEI 2018. All rights reserved. nei.org

Criterion 3: The functional impact of the deficient condition must be substantive (i.e.,

non-trivial).

As used within Criteria 2 and 3, the functional impact refers to the function most closely related to the deficient condition.

Expanding upon Criterion 2, for a functional impact to exist there must be direct evidence of the condition, or there is an observable or confirmed impact.

Expanding upon Criterion 3, the functional impact of the deficient condition is substantive based on a simplistic evaluation. Substantive (more than trivial) means:

  • The functional impact is observable, or
  • The deviation from as-designed values is more than approximately 10%.

Criterion 3 acknowledges that SSCs are designed, licensed, and installed with substantial margins. This concept is discussed in Regulatory Guide 1.186, "Guidance and Examples for Identifying 10 CFR 50.2 Design Bases."

If Criterion 3 is not satisfied (i.e., the effect of the deficient condition is not substantive) any postulated margin loss is either non-existent or trivial. It also includes consideration of design errors that may result in functional issues during off-normal events. In every instance, the deficient condition would have the following characteristics:

  • The deficient condition is manifested at a functional level beneath that described in the UFSAR.
  • There is no functional effect observable under any condition.
  • No evidence or indication that a functional impact would be manifest under off-normal/accident conditions.
  • If the available margin is amenable to an estimate, then the margin loss is estimated to be approximately 10% or less (using the as-designed value as a reference.)

4.2 DOCUMENTED OPERABILITY PROCESS Documentation of an immediate or prompt determination may be informal for the simplest cases, such as captured by a checked box, or documented in plant operating logs, or in corrective action forms. In other cases, a formally documented evaluation in accordance with plant-specific procedures may be required. In either case, an immediate or prompt determination should consider all available information and will involve data gathering, consideration of plant and SSC conditions, and appropriate use of engineering judgment.

Immediate or prompt operability determinations should be documented in sufficient detail to allow an individual knowledgeable in the technical discipline associated with the condition to understand the basis for the determination. For the simplest cases requiring no additional justification, operability can be simply and adequately documented in existing plant process documents - for example, indication by a check-box on a 11

© NEI 2018. All rights reserved. nei.org

corrective action form. For straightforward conditions and immediate determinations of operability, only the assumptions supporting the conclusion of the operability determination need be documented. Plant records such as operator logs or corrective action program documents are often sufficient documentation.

For prompt operability determinations, a formally documented engineering analysis involving calculations and evaluations may be necessary. Such analyses should be reviewed and approved as required by plant procedures, with supporting information included or appropriately referenced.

Immediate or prompt operability determinations may include the following information:

  • The SSCs affected by the deficient condition, and the nature and severity of the deficiency.
  • Technical specification LCOs and Surveillance Requirements that include specific operability requirements for the SSCs being evaluated.
  • The SSC specified safety functions related to the deficient condition, including the licensing basis source for the information.
  • The potential effects of the deficient condition on the SSC's ability to perform specified safety functions for its specified mission time.
  • For a completed IOD resulting in a POD, the IOD should document the basis of a reasonable expectation of operability while the POD is in progress.

Additionally, when warranted, the following additional information should also be considered for inclusion into a documented immediate or prompt operability determination.

  • Identification of any operational or environmental conditions or limits necessary to maintain the validity of the operability determination.
  • Identification of any compensatory measures implemented to compensate for the deficient condition and maintain SSC operability, and the administrative processes under which such measures are implemented and maintained.

Documentation of immediate or prompt operability determinations may be subject to subsequent reviews by plant management, oversight staff, and NRC inspection personnel.

Although the immediate or prompt operability determination is influenced by engineering judgment and the amount of limited information, the scope and content of the supporting documentation should support independent review.

Record development and retention requirements for immediate or prompt operability determinations should be established in the administrative programs.

4.2.1 Immediate Determination of Operability Confirming the three required entry criteria are met, an immediate determination of SSC operability should be completed. The determination should be made without delay and in a controlled manner using the best available information. While this determination may be based on limited information, the information should be sufficient to conclude that 12

© NEI 2018. All rights reserved. nei.org

there is a reasonable expectation that the SSC is operable. The determination of operability should not be postponed until receiving the results of detailed evaluations. If a piece of information material to the determination is missing or unconfirmed, and cannot reasonably be expected to support a determination that the SSC is operable, the SSC should be considered inoperable. While the determination is in progress, operators should remain aware of the status of affected SSCs. The immediate determination should document the basis for concluding that a reasonable expectation of operability exists.

An immediate determination of operability may yield only one of three possible conclusions:

  • The SSC is operable and additional information is not expected to change the conclusion. The determination of operability is concluded.
  • The SSC is inoperable, and the determination of operability is concluded.
  • The SSC maintains a reasonable expectation of operability while more information is obtained to confirm the immediate determination via a prompt determination of operability.

4.2.2 Prompt Determination of Operability A prompt determination of SSC operability confirms or refutes the conclusions of an immediate determination of SSC operability. A prompt determination is warranted when additional information, such as supporting analysis, is needed to confirm the immediate determination. Operations support, engineering, and licensing personnel can appropriately assist development of operability determinations to be presented to the operating staff for acceptance. The control room staff should be kept aware of the status of ongoing evaluations.

Regulatory requirements establish no explicit time limit for completing a prompt determination of operability; however, when needed, the prompt determination to confirm earlier conclusions should be done without unnecessary delay. A reasonable expectation of operability must exist throughout the time period to complete the prompt determination, otherwise the SSC should be declared inoperable.

Timeliness of the prompt determination of operability may be affected by the complexity or safety significance of the issue. For example, it may be appropriate to make a prompt operability determination within a few hours for situations involving highly safety significant SSCs. Prompt determinations can often be done within hours of discovery even if complete information is not available. If more time is needed to gather additional information (such as a vendor analyses or calculations), plant staff can evaluate the risk importance of the additional information to decide whether to accept the extended schedule for the prompt determination. The Technical Specifications completion time for the inoperability of the affected SSC is one factor that can be used in determining an appropriate time frame within which a prompt determination should be completed.

13

© NEI 2018. All rights reserved. nei.org

4.3 OTHER CONSIDERATIONS 4.3.1 Sufficiency of Operability Determination The scope and content of a documented immediate or prompt operability determination should be sufficient to support the conclusion that the SSC can perform its specified safety function(s). The operability determination may be based on analysis, testing, historical operating performance, operating experience, vendor-supplied information, engineering judgment, or any combination thereof.

TS operability is focused on the capability of the SSC to perform its specified safety function. Accordingly, clearly identifying the specified safety functions is critical to an effective determination of operability. As described in the definition of specified safety function, a review of the plant licensing basis is sometimes necessary to provide a clear understanding of the specified safety function.

The following factors should be considered when performing documented operability determinations:

  • The licensing basis is plant-specific; the UFSAR, TS bases, and safety evaluations should be reviewed to confirm the applicability of generic licensing considerations related to operability.
  • The determination should consider the applicable modes or other specified conditions in the Applicability of the relevant TS.
  • The operability requirements include the capability of all necessary and required support systems to perform their related support functions.
  • The occurrence of multiple simultaneous design basis events should be assumed only to the extent that they are described in the plants licensing basis.
  • Operability determinations consider the capability of the SSC to perform its specified safety function in its current state. Consideration should be given to the sustained operability as plant or environmental conditions change, or as a deficient condition may progress over time.
  • Sustained operability may be dependent on compensatory actions such as temporary cooling or ventilation, modified instrumentation or control settings, temporary procedure changes, and increased monitoring or surveillance activity.

Feasibility and effectiveness of such actions should be verified to support any conclusion of operability. 10 CFR 50.59 applies to interim compensatory actions to determine whether the temporary change or compensatory action impacts other aspects of the facility or procedures in such a way that prior NRC approval is required. (See NEI 96-07, Revision 1, "Guidelines for 10 CFR 50.59 Implementation.")

A graded approach should be used when determining the amount of information necessary to support the documented conclusion that an SSC is operable. One of the key concepts associated with the operability determination process is that the process should conclude when additional information will not alter the determination. This graded approach makes use of the immediate operability and, when necessary, prompt operability processes.

14

© NEI 2018. All rights reserved. nei.org

4.3.2 Continuous monitoring of operability A continuous understanding of the operability status should be maintained for an SSC in a deficient condition until the deficiency is resolved. Initial conclusions regarding operability can be affected by factors such as plant operating conditions, power levels, support system performance, and environmental conditions. If, at any time, information is discovered that calls into question a previous operability determination, operability should be reassessed.

5 OPERATIONAL DECISIONS BASED ON OPERABILITY DETERMINATIONS The purpose of an operability determination is to provide a basis for making a timely decision on technical specification compliance when a deficient SSC condition is discovered.

Correction of deficient conditions is not part of the operability process. Corrective actions are discussed in Appendix C, "Additional Considerations for Corrective Actions of Deficient Conditions."

5.1 OPERABILITY DETERMINATION CONCLUSIONS The following conclusions are possible as a result of operability determination.

5.1.1 SSC Inoperable An SSC is inoperable when it is unable to perform its specified safety functions due to a deficient condition in the SSC itself or in an SSC that is necessary to provide a required support function. This could be immediately apparent upon discovery of the condition, (i.e., a self-revealing event such as a failed surveillance requirement), or could be determined through a operability determination.

5.1.2 SSC Operable When a deficient condition is identified, operability should be assessed. The operability determination may conclude that the deficient condition does not prevent the performance of the specified safety functions. For example, an assessment for a deficient condition in a non-TS ventilation system may conclude that a TS support function is impaired. The supported TS SSC, however, could remain operable due to the current plant conditions or alternate systems that can provide the necessary support function.

Because operability of the affected SSC is not compromised, the LCO continues to be met.

An SSC addressed in TS can sometimes be operable even though a deficient condition is present. The effect of the deficiency might include a reduction in the margin between expected SSC performance and the ability to perform the specified safety function. For 15

© NEI 2018. All rights reserved. nei.org

example, heat exchanger fouling might reduce the cooling capabilities of a decay heat removal system to a level below expected performance requirements, but the system SSC may still be fully capable of the heat removal necessary to perform the specified safety function.

6 REFERENCES

1. NRC Inspection Manual Chapter 0326, "Operability Determinations &

Functionality Assessments for Conditions Adverse to Quality or Safety."

2. Generic Letter 91-18, "Information to Licensees Regarding Two NRC Inspection Manual Chapters on Resolution of Degraded and Nonconforming Conditions and on Operability."
3. 10 CFR 50.2, "Definitions."
4. NUREGs 1430 - 1434, NUREG-2194 "Standard Technical Specifications."
5. 10 CFR 50.36, "Technical Specifications."
6. NEI 96-07, Revision 1, "Guidelines for10 CFR 50.59 Implementation."

16

© NEI 2018. All rights reserved. nei.org

APPENDIX A SPECIFIC OPERABILITY CONSIDERATIONS A.1 CONSEQUENTIAL FAILURES IN OPERABILITY DETERMINATIONS A consequential failure is a failure of an SSC caused by an accident for which the subject SSC provides a mitigating function, as postulated in the licensing basis. For example, a loss-of-coolant accident (LOCA) may cause pipe whip or jet impingement that incapacitates an emergency core cooling pump needed to mitigate the effects of a LOCA.

Such a failure is a consequential failure because the pump fails as a result of the event itself. In general, the facility design provides adequate protection against consequential failures.

When an SSC is found to be deficient, the operability determination should assess credible consequential failures that may result from any postulated event for which the deficient SSC needs to function. When, due to a deficient SSC condition, a postulated event would cause a consequential failure resulting in the loss of a specified safety function, the affected SSC is inoperable.

A.2 USE OF ALTERNATIVE ANALYTICAL METHODS TO DETERMINE OPERABILITY When performing operability determinations, analytical methods or computer codes different from those originally used in the calculations supporting the plant design may be used. This practice involves applying engineering judgment to determine if an SSC remains capable of performing its specified safety function during the corrective action period. The use of alternative methods is not subject to 10 CFR 50.59 unless the methods are used in the final corrective action. The use of alternative methods should generally consider the following:

a. Occasionally, a regulation or license condition may specify the name of the analytical method for an application. In such instances, the application of the alternative analysis must be consistent with the TS, license condition, or regulation. For example, the methods used to determine limits placed in the core operating limits report (COLR) may be specified in TS. An evaluation of an SSC performance capability may be determined with a non-COLR method, but the limits in the COLR must continue to comply with the technical specification.
b. The use of any alternative analytical method must be technically appropriate to characterize the SSCs involved, the nature of the deficient condition, and specific facility design. General considerations for establishing this adequacy include:
1. If the analytic method in question is described in the licensing basis, the situation-specific application of this method should be evaluated, including the differences between the licensing basis method and the proposed application in support of the operability determination process.

17

© NEI 2018. All rights reserved. nei.org

2. Utilizing a new method because it has been approved for use at a similar facility does not alone constitute adequate justification.
3. The method should produce results consistent with the applicable acceptance criteria in the licensing basis. For example, if the current performance levels are expressed in terms of Rem, the method should not generate results expressed in TEDE (total effective dose equivalent).
4. If the analytic method is not currently described in the licensing basis, the models employed must be capable of properly characterizing the SSCs performance. This includes modeling of the effect of the deficient condition.
5. Acceptable alternative methods, such as the use of "best estimate" codes, methods, and techniques, is acceptable. In these cases, the evaluation should ensure that the SSCs performance is not over-predicted by performing a benchmark comparison of the alternative analysis methods to the applicable licensing basis analysis methods.
6. The use of the software should be controlled in accordance with the quality assurance program, as applicable. This includes the availability of reviewers qualified to verify results.

A.3 COMPENSATORY ACTIONS When proposing compensatory action to maintain operability, many aspects should be considered such as feasibility, resource availability, post-accident environment, staging of necessary tools and equipment, and the need for personnel training. In determining whether a compensatory action is acceptable, the effect of the action on other aspects of the facility should also be considered. Quality assurance program requirements for temporary design modification and procedural controls should be satisfied and the requirements of 10 CFR 50.59 are applicable if the compensatory measure involves a change to the facility or procedures as described in the UFSAR. See NEI 96-07, "Guidelines for10 CFR 50.59 Implementation."

While a compensatory action may be implemented to maintain or restore SSC operability and ensure plant safety, it is not an exception to TS compliance. For example, if automatic actuation of a component has failed, it is possible that manual actuation of the component following an accident would satisfy the assumptions in the safety analysis.

However, if a TS SR requires verification of automatic actuation, the associated limiting LCO is not met.

For situations where substitution of manual action for automatic action is proposed as a compensatory action, the evaluation of manual action should focus on the physical differences between automatic and manual action and the ability of the manual action to accomplish the specified safety functions. The physical differences include the ability to recognize input signals for action, ready access to or recognition of setpoints, design nuances that may complicate subsequent manual operation (such as auto-reset, 18

© NEI 2018. All rights reserved. nei.org

repositioning on temperature or pressure), timing required for automatic action, minimum staffing requirements, and emergency operating procedures written for the automatic mode of operation. Written procedures should be in place and personnel should be trained on the procedures before manual action is substituted for the loss of an automatic action. The consideration of a manual action in remote areas should include the time needed to reach the area and occupational hazards such as radiation, temperature, chemical, sound, or visibility hazards.

A.4 CONSIDERATION OF PROBABILITY AND RISK IN OPERABILITY DETERMINATIONS The definition of operability (that the SSC must be capable of performing its specified safety functions) is based on the inherent assumption that the event occurs. Therefore, the use of probability of occurrence of accidents or external events is not acceptable for making operability decisions. In other words, the likelihood that an SSC will not be needed is not an appropriate consideration when determining if it is capable of functioning as intended.

Probabilistic risk assessment involves the consideration of both the probability of occurrence and the consequences of an event, and can be a valuable tool for determining the safety significance of SSCs. The safety significance, whether determined by PRA or other analyses, may be considered when making decisions about the timeliness and technical rigor of operability determinations.

A.5 PIPING AND PIPE SUPPORT REQUIREMENTS A deficient condition may involve piping or pipe supports. Inspection and Enforcement (IE)Bulletin 79-14, "Seismic Analyses for As-Built Safety-Related Piping Systems,"

including Supplements 1 and 2, provides additional guidance. The following references also provide information that may be helpful in performing evaluations.

  • SQUG GIP-2 provides acceptance criteria that can be used to confirm operability of mechanical component anchorages consistent with design basis loadings.
  • Regulatory Guide 1.199, "Anchoring Components and Structural Supports in Concrete", November 2003 endorses American Concrete Institute (ACI) 349, 2001, "Code Requirements for Nuclear Safety Related Concrete Structures," and provides acceptance criteria for evaluation of deficient nonconforming or degraded anchors (steel embedments).

A.6 STRUCTURAL REQUIREMENTS Structures may be required to be operable by the TS, or they may be providing related support functions for systems or components addressed by TS operability requirements.

When a structure deficiency is identified, affected TS SSCs should be evaluated for operability.

For structures and related support functions, operability determinations should demonstrate that a reasonable expectation of operability exists for meeting acceptance 19

© NEI 2018. All rights reserved. nei.org

limits for expected load combinations. The use of loads, load combinations, and load factors should be consistent with design and licensing basis assumptions unless adequately justified.

Physical degradation such as concrete cracking and spalling, excessive deflection or deformation of structures, water leakage, corrosion of rebar, cracked welds, corrosion of steel members, corrosion of anchor bolts, bent anchor bolt(s), or structural bolting of a structure or component may be evaluated in accordance with generally accepted industry standards and guidance documents.

Current industry standards, technical reports, or regulatory guidance may be used in operability determinations in addition to or in lieu of the standards specified in the licensing basis, provided the necessary technical requirements and conditions are met to justify such use for the specific application.

Operability determinations may rely on as-built material properties when the properties of the materials are established based on test data and a sound statistical basis, for example:

  • Structural steel yield and tensile strength from Certified Material Test Reports may be used in lieu of the specified minimum yield and tensile strength.
  • Concrete compressive strength from cylinder tests may be used in lieu of the specified minimum design strength.

Operability determinations may apply current regulatory guidance to reduce design basis conservatism, if applicable. For example:

A.7 TECHNICAL SPECIFICATION OPERABILITY VS. ASME CODE CRITERIA Operability is distinct from compliance with the American Society of Mechanical Engineers (ASME) Operation and Maintenance of Nuclear Power Plants (OM) Code and related regulatory requirements.

The ASME OM Code establishes the requirements for preservice and inservice testing and the examination of certain components to assess their operational readiness. ASME OM Code acceptance criteria for inservice testing (IST) include "required action ranges" or limiting values for certain component performance parameters. These required action ranges or limiting values, defined by the ASME OM Code as component performance parameters, may be more limiting than the TS values (which are accident analysis limits).

When performance data fall outside the required action range, the deficient condition should be reviewed in accordance with Section 4.

20

© NEI 2018. All rights reserved. nei.org

A.8 OPERABILITY DURING TECHNICAL SPECIFICATION SURVEILLANCES If performance of TS surveillances requires that SSCs be rendered incapable of performing their specified safety function, the SSCs are inoperable.

If during a test it is obvious that a test instrument is malfunctioning, the test may be halted and the instruments recalibrated or replaced. During a test, anomalous data with no clear indication of the cause should be attributed to the pump or valve under test.

Test failures should be examined to determine the cause and correct the problem before resumption of testing. Repetitive testing to achieve acceptable test results without identifying the root cause or correction of a problem in a previous test is not acceptable as a means to establish or verify operability and may constitute "preconditioning." See NRC Information Notice 97-16, "Preconditioning of Plant Structures, Systems, and Components Before ASME Code Inservice Testing or Technical Specification Surveillance Testing."

A.9 REDUCED RELIABILITY Reliability is a measure of the confidence in the ability of an SSC to perform its specified safety function(s) when required. When an SSC experiences multiple failures, especially repetitive failures (i.e., failures for the same or a similar cause) such as those addressed in Maintenance Rule 5 programs, and when the failures exceed the number of expected failures based on operating experience, the reliability of the affected SSC is reduced. An SSC that has been identified as having reduced reliability should be assessed for operability in accordance with Section 4. When an SSCs reliability is reduced to the point where there is no longer confidence that it can perform its specified safety function, the SSC is inoperable.

A.10 FLAW EVALUATION When ASME Class 1, Class 2, or Class 3 components do not meet ASME Code or construction code acceptance standards, the operability should be assessed as described in this document. ASME Class 1 components provide a necessary and required support function for a variety of required Emergency Core Cooling Systems. Satisfaction of Code acceptance standards is generally required for operability of Class 1 pressure boundary components because of the importance of the safety function being performed.

A.11 SUPPORT SYSTEM OPERABILITY The definition of operability assumes that an SSC described in TS can perform its specified safety function when all necessary support systems are capable of performing their related support functions. In some cases, engineering judgment may be used in determining whether a support system that is not described in TS is necessary and is, 5

10 CFR 50.65, "Requirements for monitoring the effectiveness of maintenance at nuclear power plants."

21

© NEI 2018. All rights reserved. nei.org

therefore, required to be capable of performing its related support function. Engineering principals may be applied in the final analysis of the basis for the decision. For example, a ventilation system may be required in the summer to ensure that SSCs can perform their specified safety functions, but may not be required in the winter. Similarly, the electrical power supply for heat tracing may be required in the winter to ensure that SSCs can perform their specified safety functions, but may not be required in the summer. In all such cases, the basis for determining that a support system is not required should be periodically reviewed to ensure (a) that the conclusion remains valid, and (b) that there is timely restoration of the support system (the review may be done as part of the corrective action program). As an alternative to restoration, the support function could be modified (as with any other change to the facility) by following the 10 CFR 50.59 change process and updating the UFSAR.

Upon discovery of a support system that is not capable of performing its related support function(s), the most important consideration is the possibility of having lost all capability to perform a specified safety function. Upon declaring a support or supported system inoperable in one train, the required actions in the TS should be implemented. It should be verified that the facility has not lost the complete capability to perform the specified safety function. The word "verify" as used here covers examining logs or other information to determine if required features are out of service for maintenance or other reasons. The TS may contain specific requirements or allowances regarding support systems.

22

© NEI 2018. All rights reserved. nei.org

APPENDIX B DEFINITION OF SPECIFIED SAFETY FUNCTION The ability to perform a specified safety function is the central concept in operability.

The following describes the basis of the definition of specified safety function used in this document.

B.1 DEVELOPMENT OF THE DEFINITION OF OPERABILITY In December 1968, the Atomic Energy Commission (AEC) revised the regulations for Technical Specifications. The revised rule required TS for five categories of requirements: (1) safety limits and limiting safety system settings, (2) limiting conditions for operation, (3) surveillance requirements, (4) design features, and (5) administrative controls. The Statements of Consideration for the rule change stated:

In the revised system, emphasis is placed on two general classes of technical matters: (1) Those related to prevention of accidents, and (2) those related to mitigation of the consequences of accidents. By systematic analysis and evaluation of a particular facility, each application is required to identify at the construction permit state those items that are directly related to maintaining the integrity of the physical barriers designed to contain radioactivity. Such items are expected to be the subjects of Technical Specifications in the operating license.

The Statements of Consideration for the 1968 rule change referenced a document prepared by the AEC staff, "Guide to Content of Technical Specifications for Nuclear Reactors." In the discussion of "limiting conditions for operation," the guide states, "it is intended that technical specifications establish the lowest acceptable level of performance for a system or component, or the minimum number of components or portion of the system that must remain operable in order that plant operation may continue."

The first Standard Technical Specifications (STS) for each reactor design reflecting the 1968 rule were published in 1975 through 1977. These STS contained nearly identical definitions of operability 6:

A system, subsystem, train, component or device shall be OPERABLE or have OPERABILITY when it is capable of performing its specified function(s).

Implicit in this definition shall be the assumption that all necessary attendant instrumentation, controls, normal and emergency electrical power sources, cooling or seal water, lubrication or other auxiliary equipment, that are required for the system, subsystem, train, component or device to perform its function(s),

are also capable of performing their related support function(s).

6 There is one exception. The NUREG-0452 (Westinghouse plant) definition stated "electric power" instead of "normal and emergency electric power sources." This difference was retained through all four revisions of NUREG-0452.

23

© NEI 2018. All rights reserved. nei.org

Before the STS were published in 1975 through 1977, 33 operating licenses had been issued. These licenses had varying definitions of operability. In April 1980, the NRC issued a letter to all licensees (later referred to as Generic Letter (GL) 80-30). It required all licensees to submit proposed changes to the TS within 30 days to revise the definition of operability to that given in the STS.

Following the 1979 accident at Three Mile Island, the NRC and the industry expressed concern that the size and complexity of the Technical Specifications may be detrimental to safety. Each Owners Group proposed improved STS and in 1991 the NRC published for comment draft improved STS for each reactor type. The draft improved STS retained the GL 80-30 definition of operability:

A system, subsystem, train, component, or device shall be OPERABLE when it is capable of performing its specified function(s) and when all necessary attendant instrumentation, controls, electrical power, cooling or seal water, lubrication, or other auxiliary equipment that are required for the system, subsystem, train, component, or device to perform its specified function(s) are also capable of performing their related support function(s).

The draft improved STS included Section 5.8, "Operability Definition Implementation Principles and Rules." This section gave general guidance on operability and, in particular, the effect of inoperable support systems on supported systems. It stated, "The specified function(s) of the system, subsystem, train, component, or device (hereafter referred to as system) is that specified safety function(s) in the licensing basis for the facility."

In 1993, the NRC issued final improved STS NUREGs after considering extensive comments. Section 5.8 was removed. The statement in Section 5.8 equating the "specified function(s)" with the "specified safety function(s)" was retained by a change to the definition of operability:

A system, subsystem, train, component, or device shall be OPERABLE when it is capable of performing its specified safety function(s) and when all necessary attendant instrumentation, controls, normal or emergency electrical power, cooling and seal water, lubrication, and other auxiliary equipment that are required for the system, subsystem, train, component, or device to perform its specified function(s) are also capable of performing their related support function(s).

This definition of operability has not changed since Revision 0 of the improved STS.

The TS of all operating plants should have either the GL 80-30 definition of operability or the improved STS definition of operability. As the majority 7 of operating plant TS are 7

As of July 2017, 75 operating plants have TS based on the improved STS.

24

© NEI 2018. All rights reserved. nei.org

based on the improved STS, the improved STS definition will be used in this document.

The term "specified function(s)" in the GL 80-30 definition is equivalent to the improved STS term "specified safety function(s)".

In the TS, a system, subsystem, train, component or device is required to be operable by a Limiting Condition for Operability (LCO). Per LCO 3.0.1, LCOs are only required to be met during the Applicability of the TS; therefore, a system, subsystem, train, component or device is only required to be operable when in the Applicability of the LCO. Systems which provide required support functions for supported systems outside of the Applicability of the support system LCO are not required to be operable, but may be required to provide a necessary support function.

In the improved STS, the LCO section of the Bases describes what is required for operability for the subject system. This does not alter the definition of operability, but explains how the definition is applied to that system. For example, NUREG-1430 TS 3.5.1, "Core Flood Tanks," requires two Core Flood Tanks (CFTs) to be operable.

The LCO Bases state, "For a CFT to be considered OPERABLE, the isolation valve must be fully open, power removed above [2000] psig, and the limits established in the SR for contained volume, boron concentration, and nitrogen cover pressure must be met."

B.2 FINAL POLICY STATEMENT ON TECHNICAL SPECIFICATIONS IMPROVEMENTS On July 16, 1993, the Commission approved the "Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors." The Final Policy Statement criteria and accompanying discussion are included below.

Criteria 1: Installed instrumentation that is used to detect, and indicate in the control room, a significant abnormal degradation of the reactor coolant pressure boundary.

Discussion: A basic concept in the adequate protection of the public health and safety is the prevention of accidents. Instrumentation is installed to detect significant abnormal degradation of the reactor coolant pressure boundary so as to allow operator actions to either correct the condition or to shut down the plant safely, thus reducing the likelihood of a loss-of-coolant accident.

This criterion is intended to ensure that Technical Specifications control those instruments specifically installed to detect excessive reactor coolant system leakage. This criterion should not, however, be interpreted to include instrumentation to detect precursors to reactor coolant pressure boundary leakage or instrumentation to identify the source of actual leakage (e.g., loose parts monitor, seismic instrumentation, valve position indicators).

25

© NEI 2018. All rights reserved. nei.org

Criteria 2: A process variable, design feature, or operating restriction that is an initial condition of a Design Basis Accident or Transient analysis that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

Discussion: Another basic concept in the adequate protection of the public health and safety is that the plant shall be operated within the bounds of the initial conditions assumed in the existing Design Basis Accident and Transient analyses and that the plant will be operated to preclude unanalyzed transients and accidents. These analyses consist of postulated events, analyzed in the FSAR, for which a structure, system, or component must meet specified functional goals. These analyses are contained in Chapters 6 and 15 of the FSAR (or equivalent chapters) and are identified as Condition II, III, or IV events (ANSI N18.2) (or equivalent) that either assume the failure of or present a challenge to the integrity of a fission product barrier.

As used in Criterion 2, process variables are only those parameters for which specific values or ranges of values have been chosen as reference bounds in the Design Basis Accident or Transient analyses and which are monitored and controlled during power operation such that process values remain within the analysis bounds. Process variables captured by Criterion 2 are not, however, limited to only those directly monitored and controlled from the control room. These could also include other features or characteristics that are specifically assumed in Design Basis Accident and Transient analyses even if they cannot be directly observed in the control room (e.g., moderator temperature coefficient and hot channel factors).

The purpose of this criterion is to capture those process variables that have initial values assumed in the Design Basis Accident and Transient analyses, and which are monitored and controlled during power operation.

As long as these variables are maintained within the established values, risk to the public safety is presumed to be acceptably low. This criterion also includes active design features (e.g., high pressure/low pressure system valves and interlocks) and operating restrictions (pressure/temperature limits) needed to preclude unanalyzed accidents and transients.

Criteria 3: A structure, system, or component that is part of the primary success path and which functions or actuates to mitigate a Design Basis Accident or Transient that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

Discussion: A third concept in the adequate protection of the public health and safety is that in the event that a postulated Design Basis Accident or 26

© NEI 2018. All rights reserved. nei.org

Transient should occur, structures, systems, and components are available to function or to actuate in order to mitigate the consequence of the Design Basis Accident or Transient. Safety sequence analyses or their equivalent have been performed in recent years and provide a method of presenting the plant response to an accident. These can be used to define the primary success paths.

A safety sequence analysis is a systematic examination of the actions required to mitigate the consequences of events considered in the plant's Design Basis Accident and Transient analyses, as presented in Chapters 6 and 15 of the plant's FSAR (or equivalent chapters). Such a safety sequence analysis considers all applicable events, whether explicitly or implicitly presented. The primary success path of a safety sequence analysis consists of the combination and sequences of equipment needed to operate (including consideration of the single failure criteria), so that the plant response to Design Basis Accidents and Transients limits the consequences of these events to within the appropriate acceptance criteria.

It is the intent of this criterion to capture into Technical Specifications only those structures, systems, and components that are part of the primary success path of a safety sequence analysis. Also captured by this criterion are those support and actuation systems that are necessary for items in the primary success path to successfully function. The primary success path for a particular mode of operation does not include backup and diverse equipment (e.g., rod withdrawal block which is a backup to the average power range monitor high flux trip in the startup mode, safety valves which are backup to low* temperature overpressure relief valves during cold shutdown).

Criteria 4: A structure, system, or component which operating experience or probabilistic safety assessment has shown to be significant to public health and safety.

Discussion: It is the Commission policy that licensees retain in their Technical Specifications LCOs, action statements and Surveillance Requirements for the following systems (as applicable), which operating experience and PSA have generally shown to be significant to public health and safety and any other structures, systems, or components that meet this criterion:

  • Reactor Core Isolation Cooling/Isolation Condenser,

© NEI 2018. All rights reserved. nei.org

  • Recirculation Pump Trip.

The Commission" recognizes that other structures, systems, or components may meet this criterion. Plant- and design-specific PSAs have yielded valuable insight to unique plant vulnerabilities not fully recognized in the safety analysis report Design Basis Accident or Transient analyses. It is the intent of this criterion that those requirements that PSA or operating experience exposes as significant to public health and safety, consistent with the Commission's Safety Goal and Severe Accident Policies, be retained or included in Technical Specifications.

The Commission expects that licensees, in preparing their Technical Specification related submittals, will utilize any plant-specific PSA or risk survey and any available literature on risk insights and PSAs. This material should be employed to strengthen the technical bases for those requirements that remain in Technical Specifications, when applicable, and to verify that none of the requirements to be relocated contain constraints of prime importance in limiting the likelihood or severity of the accident sequences that are commonly found to dominate risk.

Similarly, the NRC staff will also employ risk insights and PSAs in evaluating Technical Specifications related submittals. Further, as a part of the Commission's ongoing program of improving Technical Specifications, it will continue to consider methods to make better use of risk and reliability information for defining future generic Technical Specification requirements.

In August 1995, the NRC added the four criteria in the Commission Policy Statement to the regulations as 10 CFR 50.36(c)(2)(ii), with the introduction, "A technical specification limiting condition for operation of a nuclear reactor must be established for each item meeting one or more of the following criteria."

The statements of consideration for the rule change stated:

The Commission has decided not to withdraw the final policy statement because it contains detailed discussions of the four criteria and guidance on how the NRC staff and licensees should apply the criteria.

The Commissions description of Criterion 2 included a reference to ANSI N18.2 Condition II, III, and IV events. Section 2 of ANSI N18.2-1973 describes these events caused by equipment failure or human error:

2. General Design Considerations 2.1.2 Condition II: Incidents of Moderate Frequency . may occur during a calendar year .[examples include structure, system and 28

© NEI 2018. All rights reserved. nei.org

component malfunctions and operator errors that may be expected to occur with moderate frequency] .

2.1.3 Condition III: Infrequent Incidents . May occur during the lifetime of a particular plant . [examples include more significant, less frequent structure, system and component malfunctions and more significant, less frequent operator errors] .

2.1.4 Condition IV: Limiting Faults . Faults that are not expected to occur, but are postulated because their consequences would include the potential for the releases of significant amounts of radioactive material. [examples include major structure, system and component malfunctions] .

NUREG-0800, Standard Review Plan, Section 15, divides events into Anticipated Operational Occurrences (AOOs) and Postulated Accidents. AOOs are ANSI N18.1 Condition 2 and 3 events. Postulated Accidents are Condition 4 events.

B.3 REGULATORY FOUNDATION The four criteria in 10 CFR 50.36(c)(2)(ii) were added in August 1995, and are based on the July 16, 1993, "Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors." Attachment 1 provides the four criteria and the discussion of each criteria provided in the Final Policy Statement.

The statements of consideration for the 10 CFR 50.36 rule change stated:

The Commission has decided not to withdraw the final policy statement because it contains detailed discussions of the four criteria and guidance on how the NRC staff and licensees should apply the criteria.

This document establishes the regulatory foundation of the definition of specified safety function as:

  • The TS definition of operability states that an operable SSC must be capable of performing its specified safety functions, equating operability with specified safety functions. (OPERABILITY=SSF)
  • Therefore, the regulations and the TS establish a link between the criteria in 10 CFR 50.36(c)(2)(ii) and the specified safety functions of an SSC.

29

© NEI 2018. All rights reserved. nei.org

CRITERIA = LCO = OPERABILITY = SPECIFIED SAFETY FUNCTIONS The regulatory foundation for defining "Specified Safety Function" should be based on the criteria for selecting Limiting Conditions for Operation (LCOs) given in 10 CFR 50.36.

For the three-quarters of the licensees that have converted their TS to the STS, the conversion license amendment request, reviewed and approved by the NRC, compared the plant-specific design and licensing basis against the 50.36 criteria. Therefore, the proposed approach links a plant's design and licensing basis, as described in Chapters 6 and 15 of the UFSAR, with the LCOs in TS and the specified safety functions required for operability B.4 SPECIFIED SAFETY FUNCTION DEFINITION Based on the Final Policy Statement and the regulatory foundation given above, the definition of specified safety function is:

A Specified Safety Function (SSF) is a function assumed to be performed by a system, structure, or component (SSC) in the analyses summarized in the Updated Final Safety Analysis Report, Chapters 6 and 15 (or the plant-specific equivalent chapters). SSFs are the subset of functions that meet one or more criterion in 10 CFR 50.36(c)(2)(ii) from all the functions performed by an SSC, as described in the NRC's Final Policy Statement on Technical Specifications Improvement.

For plants with improved standard technical specifications, these functions are normally discussed in the TS Limiting Condition for Operation (LCO) Bases.

Note that not all functions or conditions of TS SSCs are considered SSFs, and the functions of non-TS SSCs are never considered SSFs.

The plant-specific SSF scope derives from the functions and design conditions for performance relied on by the licensee and the NRC when the TS were prepared, submitted, reviewed, and approved. The primary sources for deciding whether a function or design condition is an SSF are the application and supplements submitted by the licensee and the requests for additional information (RAIs) and safety evaluations prepared by the NRC.

30

© NEI 2018. All rights reserved. nei.org

APPENDIX C ADDITIONAL CONSIDERATIONS FOR CORRECTIVE ACTIONS OF DEFICIENT CONDITIONS All licensees have a program that implements 10 CFR 50, Appendix B, Criteria XVI:

XVI. Corrective Action Measures shall be established to assure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances are promptly identified and corrected. In the case of significant conditions adverse to quality, the measures shall assure that the cause of the condition is determined and corrective action taken to preclude repetition.

The identification of the significant condition adverse to quality, the cause of the condition, and the corrective action taken shall be documented and reported to appropriate levels of management.

The program may be expanded to include conditions that are not limited to those that fall under Criteria XVI (i.e., beyond safety related).

In addition to consideration of operability, plant conditions described in the body of this document are evaluated and corrected in accordance with Criteria XVI and the corrective action program. This attachment discusses additional considerations which may apply to resolution of the subset of conditions which are assessed in accordance with the operability process described in Section 4.

C.1 RELATIONSHIP BETWEEN OPERABILITY AND THE CORRECTIVE ACTION PROGRAM The purpose of an operability determination is to provide a basis for making a timely decision on LCO compliance. Corrective actions taken to correct the deficient condition should be addressed through the corrective action process. The treatment of operability as a separate issue from the resolution of the deficient condition emphasizes that the operability determination process is focused on Technical Specification compliance and should not be affected by decisions or actions necessary to plan and implement corrective action.

C.2 TIMING OF CORRECTIVE ACTIONS A schedule should be established for completing a corrective action, as necessary when an SSC exhibits a deficient condition. Deficient conditions should be addressed in a time frame commensurate with the safety significance of the condition.

In determining the timing of corrective action, considerations are the safety significance, the effects on operability, the significance of the deficient condition, and what is necessary to implement the corrective action, as well as the time needed for design, review, approval, or procurement of the repair or modification; the availability of specialized equipment to perform the repair or modification; and whether the plant must 31

© NEI 2018. All rights reserved. nei.org

be in hot or cold shutdown to implement the actions. The deficient condition should be resolved at the first available opportunity or appropriately justify a longer completion schedule. Factors that may be used when justifying a longer completion schedule may include (1) the identified cause, including contributing factors and proposed corrective actions, (2) existing conditions and compensatory measures, including the acceptability of the schedule for repair and replacement activities, (3) the basis for why the repair or replacement activities will not be accomplished prior to restart after a planned outage (e.g., additional time is needed to prepare a design/modification package or to procure necessary components), and (4) review and approval of the schedule by appropriate site management and/or oversight organizations.

Deficient conditions calling for compensatory measures to restore SSC operability should have a higher priority than conditions that do not rely on compensatory measures to restore operability. The reason is that reliance on compensatory measures to restore SSC operability suggests a greater degree of degradation. Similarly, conditions calling for compensatory measures to restore operability, where the compensatory measures substitute manual operator actions for automatic actions to perform a specified safety function, should be resolved expeditiously.

C.3 FINAL CORRECTIVE ACTION Final corrective action may involve (1) restoration of the deficient condition, (2) a change to the licensing basis to accept the deficient condition, or (3) some modification of the facility or licensing basis other than restoration.

If corrective action is taken to restore the deficient condition, no 10 CFR 50.59 screening evaluation is required. The 10 CFR 50.59 process applies when the final resolution of the deficient condition differs from the established Updated Final Safety Analysis Report (UFSAR) description or analysis.

However, if a change is made to the facility or procedures as described in the UFSAR, the review process established by 10 CFR 50.59 applies. A change can be safe, but still require NRC approval under the rule. The proposed final resolution may require staff review and approval (via license amendment) without affecting the continued operation of the plant because interim operation is governed by the processes for determining operability and taking corrective action (10 CFR Part 50, Appendix B).

In two situations, the identification of a final resolution or final corrective action requires a 10 CFR 50.59 review, unless another regulation applies (e.g., 10 CFR 50.55a): (1) when the final corrective action is to change the facility or procedures to something other than full restoration to the UFSAR described condition and (2) when the licensing basis, as described in the UFSAR, is changed to accept the deficient condition. Both situations are discussed in greater detail below.

In every case, including the need for a relief request in accordance with 10 CFR 50.55a, the need for NRC approval for a change does not affect the authority to operate the plant.

Plant operation may continue with mode changes, restart from outages, etc., with 32

© NEI 2018. All rights reserved. nei.org

deficient conditions provided that operations in these conditions do not violate the TS.

The basis for this authority to continue to operate is that the TS contains the specific characteristics and conditions of operation necessary to avoid an abnormal situation or event that might give rise to an immediate threat to public health and safety.

The use of alternative methods is not subject to 10 CFR 50.59 unless the methods are used in the final corrective action. Section 50.59 is applicable upon implementation of the corrective action.

C.4 CHANGE TO FACILITY OR PROCEDURES IN LIEU OF RESTORATION In this situation, the proposed final resolution of the deficient condition includes other changes to the facility or procedures to cope with the uncorrected or only partially corrected deficient condition. Rather than fully correcting the deficient condition, capability or margin is restored by making another change. In this case, the change from the UFSAR-described condition to the final condition should be evaluated. If the 10 CFR 50.59 screening and/or evaluation concludes that a change to the TS is involved or the change meets any of the evaluation criteria specified in the rule for prior NRC approval, a license amendment must be approved, and the corrective action process is not complete until the approval is received or some other resolution occurs.

C.5 ACCEPTANCE OF AN AS-FOUND CONDITION In the other situation, the deficient condition is accepted. In this case, the 10 CFR 50.59 review covers the change from the UFSAR-described condition to the existing condition (i.e., exit the corrective action process by revising its licensing basis to document acceptance of the condition). If the 10 CFR 50.59 screening and/or evaluation concludes that a change to the TS is involved or the change meets any of the evaluation criteria specified in the rule for prior NRC approval, a license amendment must be approved and the corrective action process is not complete until the approval is received or some other resolution occurs. To resolve the deficient condition without restoring the affected SSC to its licensing basis, an exemption from 10 CFR Part 50 in accordance with 10 CFR 50.12 or relief from a design code in accordance with 10 CFR 50.55a may be required. The use of 10 CFR 50.59, 50.12, or 50.55a does not relieve the responsibility to comply with 10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Action," for significant conditions adverse to quality to determine the root cause, to examine other affected systems, to take action to prevent recurrence, and to report the original condition, as appropriate.

33

© NEI 2018. All rights reserved. nei.org