IP 71111.21M, Design Bases Assurance Inspection


Design Bases Assurance Inspection


NRC INSPECTION MANUAL IRIB

INSPECTION PROCEDURE 71111.21M

DESIGN BASES ASSURANCE INSPECTION (TEAM)

Effective Date: January 1, 2017


INSPECTABLE AREA:

Design Bases Assurance (DBA) Inspection

CORNERSTONES:

Initiating Events

Barrier Integrity

Mitigating Systems

INSPECTION BASES:

This inspection of component design bases and modifications made to structures, systems, and components (SSCs) verifies that plant components are maintained within their design basis. Additionally, this inspection provides monitoring of the capability of the selected components and operator actions to perform their design bases functions. The inspection also monitors the implementation of modifications to SSCs. Modifications to one system may also affect the design bases and functioning of interfacing systems as well as introduce the potential for common cause failures. As plants age, modifications may alter or disable important design features making the design bases difficult to determine or obsolete. The plant risk assessment model assumes the capability of safety systems and components to perform their intended safety function successfully.

This inspectable area verifies aspects of the Initiating Events, Mitigating Systems and Barrier Integrity cornerstones for which there are no indicators to measure performance.

LEVEL OF EFFORT: Review 8-12 risk informed samples plus 1-3 Operating Experience (OpE) samples during the 2-week team inspection. Risk informed samples (8 to 12) will consist of 4 to 6 components plus 4 to 6 modifications made to components selected based on risk. Additionally, one of these samples (either a component or modification sample) will be an SSC which can have an impact on large early release frequency (LERF). In situations where there are no substantive modifications made to systems of high risk, the team leader may select modifications made to other safety-related or important-to-safety systems as samples. Note that IP Attachment 71111.21N provides direction on conducting a 2-week engineering program inspection.

71111.21M-01 INSPECTION OBJECTIVE

This is a design bases assurance inspection procedure. The purpose of this inspection is to gain reasonable assurance that risk significant SSCs can adequately perform their design basis function. This includes reasonable assurance that the components can fulfill their design basis function during or after licensee’s activities (e.g., maintenance, surveillance) which can affect component’s availability, reliability and capability. Additionally, this includes reasonable assurance that risk significant issues resulting from generic communications have been adequately addressed. This inspection also verifies that modifications affecting the design bases, licensing bases, and performance capability of SSCs have been adequately implemented; that procedures and design and license basis documentation affected by changes have been adequately updated; and that design and license basis documentation used to support changes, and that procedures and design and license basis documentation affected by changes, reflect the design and license basis of the facility after the change has been made. Inspectors shall verify that the licensees are maintaining their design bases as approved by NRC. The inspectors shall work through NRC regional and NRR management in situations where the requirements associated with approved design of the facility are not clear.

71111.21M-02 INSPECTION REQUIREMENTS

02.01 Sample Selection. Select the required number of components, modifications and OpE samples.

  • Total of four to six components selected based on risk significance
  • Total of four to six modifications to mitigation SSCs
  • One to three OpE samples (see paragraph 02.06)

02.02 Design Review.

a. Verify that components will function as required and support the proper operation of associated systems. Verify the appropriateness of design assumptions, boundary conditions, and models. Independent calculations by inspectors may be required to verify appropriateness of the licensee’s analysis methods.

b. Review outstanding design issues, including open/deferred or canceled engineering action items, temporary modifications, operator workarounds, and items that are tracked by the operations or engineering departments. For the preceding three years, identify any instances of when and why these systems were operated out of their normal configuration by interviewing appropriate Operations and Engineering Department personnel.

c. Verify that operator actions can be accomplished as assumed in the licensee’s design basis or as assumed in the licensee’s PRA analysis.

02.03 Modification Review. Permanent plant modifications include permanent plant changes, design changes, set point changes, procedure changes, equivalency evaluations, suitability analyses, calculations, and commercial grade dedications.

a. Verify that design bases, licensing bases, and performance capability of components have not been degraded through modifications.

b. Determine whether post-modification testing establishes operability by verifying:

1. Unintended system interactions will not occur

2. SSC performance characteristics, which could have been affected by the modification, meet the design bases

3. Appropriateness of modification design assumptions

4. Modification test acceptance criteria have been met.

c. Verify that supporting design basis documentation, such as calculations, design specifications, vendor manuals, the UFSAR, Technical Specification and Bases, and plant specific Safety Evaluation Reports, were updated consistent with the design change.

d. Verify that other design basis features, such as structural, fire protection, flooding, environmental qualification, and potential Emergency Core Cooling System strainer blockage mitigation, which could be affected by the modification were not adversely impacted.

e. Verify that procedures and training plans, such as abnormal operating procedures, alarm response procedures, and Licensed Operator Training Manuals, affected by the modification were updated. Inspectors may review programmatic procedures to verify that licensee processes and standards are met.

f. Verify that affected test documentation, such as instrument calibration, inservice testing, and breaker clean and inspect, were updated and/or new test documentation has been initiated as required by applicable test programs.

02.04 Maintenance Area Review. Obtain a brief description of each of the licensee’s corrective maintenance activities performed on the components selected for inspection.

a. Review repetitive or similar maintenance work requests which could be an indicator of a design deficiency and could affect the ability of the components to perform their functions, when needed.

b. Ensure that the licensee has procedures for establishing, implementing, and maintaining preventive maintenance (PM) requirements associated with safety related equipment.

c. Ensure that PM activities are performed as scheduled. When not performed as scheduled, ensure that management controls are followed to defer and/or reschedule the PM. Any equipment failure should be evaluated to determine if the PM program could be changed to prevent future failures.

d. Verify that the licensee was in compliance with these procedures for components that have exceeded vendor recommended life times.

e. Verify that comparable components are included in a periodic PM program by using the licensee’s list of safety-related components and sub-components that must meet 10 CFR Part 50, Appendix B requirements.

f. Verify that the components or sub-components are being replaced before the end of their intended service life by reviewing past equipment failures.

g. Verify that the licensee has the following for those components that are beyond vendor recommended life:

1. PM program that includes these components

2. PM program is adequate and robust and incorporates accepted industry practices (e.g., Regulatory Guide (RG) 1.33, “Quality Assurance Program Requirements”)

3. Conducted an appropriate assessment for age-related issues for components installed beyond vendor-recommended life through periodic testing or an engineering evaluation that has accounted for environmental effects (elevated temperatures, humidity, harsh environments).

h. Ensure the selected SSCs that are subject (operating in the post-40-year licensing period) to aging management review pursuant to 10 CFR Part 54 are being managed for aging (e.g., loss of material, cracking, reduction of heat transfer) in accordance with appropriate aging management programs.

i. Perform a walkdown inspection to identify equipment alignment discrepancies. Inspect for deficient conditions such as corrosion, missing fasteners, cracks, and degraded insulation (see Appendix C). Obtain records of inspection for those areas which are not normally accessible (e.g., some areas where system piping is routed may not normally be accessible; however, the licensee may have performed periodic inspections in the past and have recorded their inspection results). Review photographs or videos which may have been taken during these types of inspections, if available.

j. Review any operability evaluations related to the selected components. If operability is justified, no further review is required. If the operability evaluation involves compensatory measures, determine if the measures are in place, will work as intended, and are appropriately controlled. If operability is not justified, determine impact on any Technical Specification Limiting Conditions for Operations (LCOs). Refer to Inspection Manual Chapter 0326, “Operability Determinations & Functionality Assessments for Conditions Adverse to Quality or Safety” for guidance.

02.05 Problem Identification and Resolution Area Review. For the samples selected for inspection, verify that the licensee is identifying engineering design issues and problems and entering them in their corrective action program.

a. Obtain a brief description of all corrective action documents written against the components and modifications selected for inspection. Have the licensee sort the list by system, component, and significance (use the licensee’s significance determination assigned to the corrective action document), followed by an adequate description of the deficiency identified, in order to determine whether a copy of the full corrective action document is desired for additional review by the team.

b. Review selected corrective action documents for the last three years, including those resulting from events and degraded/deficient conditions. Review reports of Augmented Inspection Teams or Special Inspections to evaluate adequacy of licensee corrective actions. Review adequacy of licensee technical evaluation (corrective action program evaluations, engineering evaluations, operability determinations). Determine if operability is justified and problems are properly identified and corrected. Verify that the licensee considered other degraded conditions and their impact on compensatory measures for the condition being evaluated.

c. Sample the corrective actions taken by the licensee in response to issues identified during previous CDBI and DBA inspections and determine their effectiveness.

d. Provide a list of corrective action documents which were written to resolve issues identified by the current DBA inspection team in the section of the inspection report attachment commonly titled “List of Documents Reviewed.”

02.06 Review of Operating Experience Issues. Review operating experience issues related to the selected components as well as generic or common cause issues that are not related to the components to ensure that conditions discussed in the operating experience either are not applicable, or have been adequately addressed by the licensee to ensure operability of the component.

71111.21M-03 INSPECTION GUIDANCE

03.01 Sample Selection. Using the guidance provided in paragraphs 03.01.a through 03.01.c, select the required number of components and operating experience for inspection as follows:

• Total of four to six components selected based on risk significance

• Total of four to six modifications to mitigation SSCs

• One inspection sample selected shall be associated with containment-related SSCs which are considered for large early release frequency (LERF) implications (see Table 4.1 of IMC 0609 Appendix H for selection)

• One to three OpE samples (see paragraph 02.06)

The inspection team should solicit input from the resident inspectors for possible components and modifications for inspection.

Component selection can be performed through the following approaches:

• Mitigating SSCs which have been modified (four to six samples):

o For the purpose of this inspection, permanent plant modifications include permanent plant changes, design changes, set point changes, procedure changes, equivalency evaluations, suitability analyses, calculations, and commercial grade dedications.

o Samples should be of such complexity that the change affects either the license basis or the 10 CFR 50.2 Design Basis. Note: Since lists of changes provided by the licensee will not necessarily indicate the complexity and scope of a change, a number of changes will need to be reviewed prior to the inspection to meet the "complexity" criteria contained in section 03.01.c. This is best accomplished by first choosing documents from the list provided by the licensee and then requesting the actual documentation for the changes. An initial review of these changes for complexity prior to the inspection will result in a smaller final list of samples.

o The intent of this procedure is to sample substantial changes. After ensuring that the change is substantial, the inspector should perform a vertical slice review, when possible, of supporting and affected documents. Some documents that could be affected by the change are:

1. Procedures;

2. Calculations;

3. Schematics;

4. Plant Specific Standards;

5. UFSAR (including supplements associated with aging management);

6. Technical Requirements Manual.

• Components (four to six samples)

o System Approach: Select components in the most risk significant systems for inspection. Risk-significant components in most risk significant systems are considered for inspection in the system approach. See paragraph 03.01.a for more guidance on using the system based approach.

o Risk-Significance/Low Margin Approach: Select components which are risk significant. Use of low margin, (either low design margin; low maintenance margin; or operating margins), for selection as a component for inspection is optional. See paragraph 03.01.b for more guidance on using risk and low margin approach.

o Event Scenario-Based Approach: See paragraph 03.01.c for more guidance on using the event scenario-based approach.

The team leader shall obtain a list of potential components for inspection from the senior reactor analyst (SRA) in the regional office. Additionally, the team leader should obtain a listing of potential components for inspections, sorted by risk, from the licensee. The team leader should make an initial selection of components for inspection based on component risk, operating experience information and whether the component was inspected during the previous Component Design Bases Inspection (CDBI) or DBA inspections. When choosing samples, consider a review of the structural adequacy of risk significant components. Latent design or construction errors could affect component operability by exceeding allowable stress levels. The number of components initially selected for inspection should be greater than the number of samples needed to satisfactorily complete the DBA inspection procedure. This will allow the flexibility of team members to refine the initial component selection while still satisfying the inspection sample criteria. Component selection can be performed during the bagman trip (pre-inspection site visit) but should be finalized during the end of the in-office preparation week. SRA participation in the bagman trip is highly encouraged to assist the team leader with the sample selection.

a. System Approach. Identify the most risk significant systems and select components in the risk significant systems based on their risk. Factors discussed in paragraphs 03.01.b and 03.01.c.4, as applicable, should be used in developing the selection.

Consider the use of new digital technologies that have a common programmable base for several different applications. Ensure that the controller is suitable for the safety related SSC, including the potential for common mode failures. Also, consider identified deficiencies in the licensee’s corrective action program, corrective maintenance, and operating experience as factors for determining whether a component should be selected. Many facilities maintain a list of most risk significant systems.

b. Risk-Significance/Low Margin Approach. Use the following as a guide when selecting components using risk significant and low margin approach:

1. Although the methods used to identify the risk-significant components and operator actions will be dependent on the type and quality of the licensee’s risk assessment tools, the following criteria should be considered:

a) Risk Reduction Worth (RRW): The RRW is the factor by which the plant’s core damage frequency decreases if the component or operator action is assumed to be successful. Components or operator actions with a RRW value of 1.005 or greater should be considered for inclusion in the inspection sample. A lower threshold may be used if desired.

b) Risk Achievement Worth (RAW): The RAW is the factor by which the plant’s core damage frequency increases if the component or operator action of interest is assumed to fail. Components and actions with a RAW value of 1.3 or greater should be considered for inclusion within the inspection sample. A lower threshold may be used if desired.

c) Subjective risk rankings based on engineering or expert panel judgment such as those performed to identify risk significant structures, systems, and components for the licensee’s Maintenance Rule program. These subjective risk rankings typically are performed to establish the risk significance of equipment that may not be fully modeled in the licensee’s probabilistic risk assessment.

d) The use of dominant accident sequences in probabilistic risk assessment (PRA) to select components may be appropriate for SSCs that are more significant to LERF than core damage frequency (CDF); external events (e.g., fire, seismic, flood) than internal events (e.g., loss-of-coolant accidents (LOCAs)); or risk during shutdown compared to normal operation.

e) Other risk criteria established by the team leader (e.g., operating experience, engineering judgment, etc.).

2. In identifying specific inspection areas for the margin review, the team should broadly assess component and operator attributes necessary to meet the probabilistic risk assessment functional success criteria. For example, if the sample selection review identifies a specific pump failure to start or run as risk-significant, margin review activities should consider all conditions that could reasonably cause loss of pump flow (e.g., clogged suction strainer, loss of motive power, inadequate net positive suction head, valve misalignment or failure, etc.).

The margin review should evaluate the impact of plant modifications or licensing basis changes on available margin. Consider licensing changes that can reduce safety analysis margins, such as extended power uprates. Contact the NRR licensing project manager, as necessary, to obtain this information.

The following attributes should be considered in evaluating component margin.

a) Analytical (design) margin is the margin in the design calculations related to the performance of the component. For example, the analytical margin for a pump includes flow and head required for the pump to perform its function compared to the calculated capacity of the equipment. For valves required to change position, valve thrust margin and stroke time margin should be considered. For an emergency diesel generator or battery, the capacity margin should be considered. These design margin values can be extracted from the licensee's design analyses. The margin between the design performance of components and actual performance can be extracted from test results. Evaluate test alignments for components to verify that acceptance criteria are appropriate for accident conditions that may differ from the test condition.

b) Operations margin refers to components required to be operated during high risk and/or time critical operations. During a station blackout, the plant may take credit for rapid operator actions to manually control equipment. The operation of equipment may be dependent on operator actions within specific time limits. For example, operators may be required to realign the charging pumps within a specific time to prevent a reactor coolant pump seal LOCA in a PWR if cooling water is lost. In these cases, operators would have little time to recover if the component did not respond as expected.

c) Maintenance margin refers to the physical condition and reliability of the components being reviewed. The plant PRA may not reflect the actual reliability of the installed components. Review of system health reports, corrective action documents, operating experience, and discussions with plant personnel can identify components with a history of failures. For example, an isolation valve with a history of significant leakage could reduce the margin in a fluid system. Unreliable heating ventilation and air conditioning (HVAC) components could affect critical equipment in the area. Review Maintenance Rule history and obtain input from the resident inspectors, as necessary.

d) Complexity margin is a subjective evaluation of the complexity of the design associated with the component being considered. A more complex design may be more vulnerable to failures, and is more likely to include a design error that could result in a potential common mode failure. For example, an incorrect setpoint in the controls for a component could be applied to both trains of redundant equipment, resulting in both trains being vulnerable to failure.

c. Event Scenario-Based Approach.

1. Review the licensee’s most current PRA model, the NRC’s Standardized Plant Analysis Risk (SPAR) model and the Risk-Informed Site-Specific Significance Determination Process (SDP) Notebook to select components associated with accident sequences. These accident sequences can be segmented into the following broad categories: the initiating event frequency, and the mitigation equipment/functions, which include operator actions for using or recovering the mitigation equipment. Each of these categories should be inspected.

2. For the initiating event (IE) category review the mechanisms that have caused the IE at this and other facilities. For some IEs there will be a large number of previous events. In that case take a sampling emphasizing the site-specific ones and the most current that would be applicable to the reactor type. Include in the inspection any alarms and indications that could alert operators to take actions prior to the occurrence of initiating events.

3. For the mitigating equipment (ME) category translate the basic events of the dominant cutsets of the PRA model into specific components. Begin with the component importance measure, for example Birnbaum, to gauge its risk worth. This numerical result is the increase in risk for the component being out of service for one year (see Appendix E for example scenarios).

4. Consideration should also be given to the following factors:

a) What is a reasonable exposure time?

b) Is this a standby or normally operating component?

c) How well does the normal operating condition mirror the accident conditions?

d) What level of confidence does the periodic testing give in terms of accident performance?

e) What is the potential failure mechanism involved?

f) Do Technical Specifications govern how long the component can be out of service?

g) Is recovery from the component’s failure reasonable?

03.02.a. Design Review. Evaluate whether the design basis is met by the installed and tested configuration. Review the original purpose of the design and the manner/conditions under which the system will be required to function during transients and accidents. If Updated Final Safety Analysis Report (UFSAR) information was used as inputs for design or procedures, these inputs should be verified to be consistent with the design bases. Review interfaces between safety related and non-safety related components.

Focus on those attributes that are not fully demonstrated by testing, have not received recent in-depth NRC review, or are critical for the component function. Appendix 1, Component Review Attributes, lists attributes needed for a component to perform its required function and potential inspection activities. The listing should be modified as appropriate based on the selected components. Appendix 2 lists component design review considerations.

03.02.b. No Specific Guidance

03.02.c. The intent of this inspection requirement is to support verification of engineering inputs and assumptions. Resource permitting, the team may verify other aspects of operating procedures such as whether any special equipment is required to perform these procedures and if the equipment is available, accessible, properly staged, and in good working order. Additionally, the team may choose to verify that the knowledge level of the operators is adequate concerning equipment location and operation.

Some aspects to consider when verifying whether the key operator actions can be performed within the constraints of the design analyses include:

1. Specific operator actions required

2. Potentially harsh or inhospitable environmental conditions expected

3. General discussion of the ingress/egress paths taken by the operators to accomplish functions including adequate lighting available to perform the intended actions.

4. Procedural guidance and proper sequence for required actions

5. Specific operator training necessary to carry out actions, including any operator qualifications required to carry out actions

6. Any additional support personnel and/or equipment required by the operator to carry out actions

7. Description of information required by the control room staff to determine whether such operator action is required, including qualified instrumentation used to diagnose the situation and to verify that the required action has successfully been taken

8. Ability to recover from credible errors in performance of manual actions, and the expected time required to make such a recovery

9. Consideration of the risk significance of the proposed operator actions

10. Time available to complete an action based on safety analyses and the methods used by the licensee to verify and validate that the required actions can be completed within the available time. This review area should include a field walkdown to validate the licensee’s timing assumptions. Particular attention should be given to time dependent actions that must be accomplished outside the control room by auxiliary equipment operators

11. Observe demonstrations or training in the simulator that validate operator actions for a given event or accident condition

03.04 Description of the corrective maintenance work performed should be sufficient to allow understanding of the type of work performed for each of the components in the systems. Additionally, inspectors should try to determine through review of these corrective work maintenance activities whether licensee’s preventive maintenance or other programs such as aging management are being reasonably effective in preventing component failures. Discussions with plant engineering or operations department may be necessary to understand the reasons for the corrective maintenance activities.

03.04.a No specific guidance

03.04.b No specific guidance

03.04.c No specific guidance

03.04.d No specific guidance

03.04.e No specific guidance

03.04.f No specific guidance

03.04.g No specific guidance

03.04.h Indications of aging should be evaluated to determine if changes to the aging management program are required in order to ensure degradation is identified prior to loss of intended function.

03.04.i No specific guidance

03.04.j No specific guidance

03.05 No specific guidance

03.06 Some of the operating experience selected should cover initiating events and barrier integrity cornerstones. Assess how the licensee evaluated and dispositioned each item. The focus should be on ensuring that the conditions discussed in the operating experience either are not applicable, or have been adequately addressed by the licensee to ensure operability of the component. To the extent practical, acquire objective evidence that the operating experience item has been resolved, beyond a written licensee evaluation. For example, if the operating experience item required a procedure change, verify that the procedure was changed. If the operating experience required modification of a component, verify that the modification was completed.


Information Notice 2008-02, “Findings Identified During Component Design Bases Inspections,” provides findings from previous CDBI inspections. This is a good source to determine whether licensees are addressing generic issues that may apply to their site. Additional operating experience information can be found at the following NRC websites:


a. Historical operating experience associated with DBA inspections (http://nrr10.nrc.gov/rorp/ip71111-21.html)

b. Any operating experience smart sample associated with the DBA inspection procedure (http://fusion.nrc.gov/nrr/team/dirs/ioeb/opess/default.aspx)

71111.21M-04 INSPECTION SCHEDULE

04.01 Inspection Schedule.

a. Preparation for the on-site visit/sample selection week (a.k.a. “bagman trip”) should include:

1. Review previous CDBI and DBA inspection reports

2. Become familiar with most risk significant event scenarios and components at the plant

3. Become familiar with the most (top ten) risk significant safety systems at the plant

4. Become familiar with the plant electrical distribution design. Develop an initial set of components to be considered for inspection from the list obtained from the SRA.

b. On-site visit/sample selection (bagman trip)

1. Unless a suitable alternative is approved by regional management, the team leader shall make a site visit/bagman trip. During this trip, the team leader should validate the components initially selected for inspection before the site visit. The team leader should ensure that the components proposed for inspection by the regional SRA are reflective of current plant risk and should be inspected based on discussion with plant personnel, past inspection results and current industry operating experience information. Accompaniment of the regional SRA during the on-site preparation week is encouraged to support vetting of components for inspection since this process may involve discussions with plant risk engineering department management and staff.

2. The team leader shall identify and request plant procedures, drawings, modification packages, calculations, analyses and other background information associated with components selected for inspection so that the team members can understand the risk significance of the components during the in-office preparation week.

3. The team leader should depart the site with a greater number of components identified than the number required to satisfy inspection requirements. This will allow vetting of possible components for inspection by other team members during the in office preparation week.

c. Week 1: In-office preparation/finalizing samples for inspection. The inspection team should finalize the components selected for inspection during this time period. Minor adjustments to components selected for inspection during the bagman trip are acceptable. The team leader shall encourage team synergy by maximizing opportunities for team member interactions during the in-office preparation week. With the exception of team travel days (Monday and Friday), the team leader shall conduct daily team meetings during the in-office preparation week. Additionally, the team leader should ensure the following:

• Adequate and timely access to information being provided by the licensees is made available to team members, including NRC contractors.

• Documents needed for review during the first onsite week are communicated to the licensee daily.

d. Week 2: Entrance Meeting. Start on-site inspection of selected samples.

e. Week 3: In-office inspection activities. The team leader should maintain contact with team members working in their home offices, by conducting periodic team meetings.

f. Week 4: Complete on-site inspection of selected samples and conduct exit meeting

g. Week 5: Documentation of inspection results.

Regions may revise the above schedule as long as the below resource estimate and the contractor Statement of Work are not exceeded. The team leader may require additional time to prepare for the inspection and to integrate the report input.

04.02 Re-inspection and Working Spaces.

Components inspected in previous inspections may be re-inspected. This may include attributes not previously inspected, or where attribute conditions change (such as by modifications to hardware or manner of operation, and performance history).

The team leader should request sufficient working spaces to allow for conduct of team meetings and to allow inspectors to conduct interviews with plant personnel without disrupting other inspection team members.

71111.21M-05 DOCUMENTATION

DBA inspection reports should identify component and modification inspection scope in sufficient detail to implement this requirement. This includes (1) component description/number (e.g., Essential 4.16kV Switchgear EH12) and (2) attributes inspected (e.g., maximum available fault current); and for modifications, include (1) modification number, and (2) attributes inspected (e.g., SSC performance characteristics, which could have been affected by the modification, meet the design bases).

71111.21M-06 RESOURCE ESTIMATE

The inspection procedure is estimated to take 312 hours of NRC’s direct inspection effort (plus or minus 15%) every three years. This is based on a multi-disciplinary team comprised of a team leader and two to three regional inspectors (operations/maintenance and engineering). In addition, the team includes two contractor design specialists in the mechanical and electrical/instrumentation and control disciplines. All DBA inspections (both team and program) should be performed on a triennial cycle.

71111.21M-07 PROCEDURE COMPLETION

Inspection of the minimum sample size will constitute completion of this procedure in the Reactor Program System (RPS). The minimum sample size consists of eight samples plus one OpE sample regardless of the number of units at the site.

71111.21M-08 REFERENCES

IP 71111.04, Equipment Alignment

IP 71111.15, Operability Evaluations

IP 71111.17T, Evaluation of Changes, Tests, or Experiments

IP 71111.18, Plant Modifications

IP 71111.22, Surveillance Testing

IP 71152, Problem Identification and Resolution

IP 93801, Safety System Functional Inspection (SSFI)

Information Notice 97-078, Crediting of Operator Actions in Place of Automatic Actions and Modifications of Operator Actions, Including Response Times

Information Notice 2008-02, “Findings Identified During Component Design Bases Inspections”

SECY-04-0071, “Proposed Program to Improve the Effectiveness of the Nuclear Regulatory Commission Inspections of Design Issues,” dated April 29, 2004 (ML040970328)

SECY-05-0118, “Results of the Pilot Program to Improve the Effectiveness of Nuclear Regulatory Commission Inspections of Engineering and Design Issues,” dated July 1, 2005 (ML051390465)

Generic Aging Lessons Learned (GALL) Report, NUREG-1801 Final Report, Revision 2 (ML103490041)

IP 62708, Motor-Operated Valve Capability (ML13142A123)

END

APPENDIX A, COMPONENT REVIEW ATTRIBUTES

Attributes Inspection Activity

Process Medium

• water

• air

• electrical signal

Verify that process medium will be available and unimpeded during accident/event conditions.

• Example: For an auxiliary feedwater pump, verify that the alternate water source will be available under accident conditions.

• Example: For emergency core cooling system piping, verify that the piping is kept free of voids as required by design bases or Technical Specifications.

Energy Source

• electricity

• steam

• fuel + air

• air

Verify energy sources, including those used for control functions, will be available and adequate during accident/event conditions

• Example: For a diesel-driven auxiliary feedwater pump, verify that diesel fuel is sufficient for the duration of the accident.

• Example: For an air-operated pressurizer power-operated relief valve (PORV), verify that either a sufficient air reservoir will exist or instrument air will be available to support feed and bleed operation.

• Example: For a standby direct-current (DC) battery, verify adequacy of battery capacity.

Controls

• initiation actions

• control actions

• shutdown actions

Verify component controls will be functional and provide desired control during accident/event conditions.

• Example: For refueling water storage tank level instrumentation providing signals for suction swap-over to injection recirculation, verify that the setpoint established to ensure sufficient water inventory and prevent loss of required net positive suction head is acceptable.


Operator Actions

• initiation

• monitoring

• control

• shutdown

Verify operating procedures (normal, abnormal, or emergency) are consistent with operator actions for accident/event conditions.

• Example: If accident analyses assume containment fan coolers are running in slow speed, verify that procedures include checking this requirement.

• Example: If accident analyses assume that containment spray will be manually initiated within a certain time, verify that procedures ensure manual initiation within assumed time and that testing performed to validate the procedures was consistent with design basis assumptions.

Operator Actions

• initiation

• monitoring

• control

• shutdown

Verify instrumentation and alarms are available to operators for making necessary decisions

• Example: For swap-over from injection to recirculation, verify that alarms and level instrumentation provide operators with sufficient information to perform the task.

Heat Removal

• cooling water

• ventilation

Verify that heat will be adequately removed from major components

• Example: For an emergency diesel generator, verify heat removal through service water will be sufficient for extended operation.

Installed Configuration

• elevations

• flowpath components

Verify, by walkdown or other means, that each component’s installed configuration will support its design basis function under accident/event conditions

• Example: Verify level or pressure instrumentation installation is consistent with instrument setpoint calculations.

• Verify that component configurations have been maintained to be consistent with design assumptions.

Operation

Verify that component operation and alignments are consistent with design and licensing basis assumptions

• Example: For containment spray system components, verify emergency operating procedure changes have not impacted design assumptions and requirements.

• Example: For service water system components, verify flow balancing will ensure adequate heat transfer to support accident mitigation

Design

• calculations

• procedures

• plant modifications

Verify that design bases and design assumptions have been appropriately translated into design calculations and procedures.

Also, verify that the performance capability of selected components has not been degraded through modifications.

Testing

• flowrate

• pressure

• temperature

• voltage

• current

Verify that acceptance criteria for tested parameters are supported by calculations or other engineering documents to ensure that design and licensing bases are met.

• Example: Verify that flowrate acceptance criterion is correlated to the flowrate required under accident conditions with associated head losses, taking setpoint tolerances and instrument inaccuracies into account.

Verify that individual tests and/or analyses validate component operation under accident/event conditions.

• Example: Verify that the emergency diesel generator (EDG) sequencer testing properly simulates accident conditions and the equipment response is in accordance with design requirements.

Component Degradation

Verify that potential degradation is monitored or prevented.

• Example: For ice condensers, verify that inspection activities ensure air channels have been maintained consistent with design assumptions.

• Verify that component replacement is consistent with inservice/equipment qualification life.

• Verify that the numbers of cycles are appropriately tracked for operating cycle sensitive components.

• Verify that the activities established in the aging management programs to identify, address, and/or prevent aging effects (such as loss of material, loss of preload, or cracking) are being performed. Consult with the regional license renewal point of contact for support if needed.

Equipment/Environmental Qualification

• Temperature

• Humidity

• Radiation

• Pressure

• Voltage

• Vibration

Verify that equipment qualification is suitable for the environment expected under all conditions.

• Example: Verify equipment is qualified for room temperatures under accident conditions.

Equipment Protection

• Fire

• Flood

• Missile

• High energy line break

• HVAC

• Freezing

• Water intrusion/spray

Verify equipment is adequately protected.

• Example: Verify freeze protection is adequate for condensate storage tank (CST) level instrumentation.

• Example: Verify that conditions and modifications identified by the licensee’s high energy line break analysis have been implemented to protect selected highly risk-significant components.

Component Inputs/Outputs

Verify that component inputs and outputs are suitable for application and will be acceptable under accident/event conditions.

• Example: Verify that valve fails in the safe configuration.

• Example: Verify that required inputs to components, such as coolant flow, electrical voltage, and control air necessary for proper component operation are provided.

APPENDIX B, COMPONENT DESIGN REVIEW CONSIDERATIONS

Valves

1. Are the permissive interlocks appropriate?

2. Will the valve function at the pressures and differential pressures that will exist during transient/accident conditions?

3. Will the control and indication power supply be adequate for system function?

4. Is the control logic consistent with the system functional requirements?

5. What manual actions are required to back up and/or correct a degraded function?

Pumps

1. Is the pump capable of supplying required flow at required pressures under transient/accident conditions?

2. Is adequate net positive suction head (NPSH) available under all operating conditions?

3. Are the permissive interlock and control logic appropriate for the system function?

4. Is the pump control adequately designed for automatic operation?

5. When manual control is required, do the operating procedures appropriately describe necessary operator actions?

6. What manual actions are required to back up and/or correct a degraded function?

7. Has the motive power required for the pump during transient/accident conditions been correctly estimated and included in the normal and emergency power supplies?

8. Do vendor data and specifications support sustained operations at low flow rates?

9. Is the design and quality of bearing and seal cooling systems acceptable?

Instrumentation

1. Are the required plant parameters used as inputs to the initiation and control system?

2. If operator intervention is required in certain scenarios, have appropriate alarms and indications been provided?

3. Are the range, accuracy, and setpoint of instrumentation adequate?

4. Are the specified surveillance and calibrations of such instrumentation acceptable?

5. Are the essential instruments, including instrumentation panel, adequately protected from the effects of spraying and wetting as required by the facility licensing basis?

6. Are conduits leading to essential instrument and control panels adequately sealed to prevent water intrusion?

Circuit Breakers and Fuses

1. Is the breaker control logic adequate to fulfill the functional requirements?

2. Is the short circuit rating in accordance with the short circuit duty and breaker coordination requirements?

3. Are the breakers and fuses properly rated for the load current capability?

4. Are breakers and fuses properly rated for DC operation?

Cables

1. Are cables rated to handle full load at the environmental temperature expected?

2. Are cables properly rated for short circuit capability?

3. Are cables properly restrained/mounted/braced for ground-fault currents?

4. Are cables properly rated for voltage requirements for the loads?

5. If submerged or exposed to prolonged periods of moisture, are the cables qualified for submergence?

Electrical Loads

1. Have electrical loads been analyzed to function properly under the expected lowest and highest voltage conditions?

2. Have loads been analyzed for their inrush and full load currents?

3. Have loads been analyzed for their electrical protection requirements?

Motor Control Centers (MCCs)

1. Is the MCC adequately protected from the effects of spraying and wetting as required by the facility licensing basis?

2. Are cables and conduits leading to and from the MCC adequately sealed to prevent water intrusion?

3. Is the MCC preventive maintenance (i.e., visual inspection, cleaning and lubrication of the bus/stab contact surface, thermography) adequate and up-to-date?

4. Is there adequate ventilation for the MCC? What potential heat sources are in the area?

5. Is there evidence of any current or previous water leakage from above (i.e., pooling, drip bags, catch containers, staining, or deficiency tags)?

As-built System

1. Are service water flow capacities sufficient with the minimum number of pumps available under accident conditions?

2. Have modified equipment components falling under the scope of 10 CFR 50.49 been thoroughly evaluated for environmental equipment qualification considerations such as temperature, radiation, and humidity?

3. Are the modifications to the system consistent with the original design and licensing bases?

APPENDIX C, COMPONENT WALKDOWN CONSIDERATIONS

1. Is the installed component consistent with the piping and instrument diagram?

2. Will equipment and instrumentation elevations support the design function?

3. Has adequate sloping of piping and instrument tubing been provided?

4. Are required equipment protection barriers (such as walls) and systems (such as freeze protection) in place and intact?

5. Does the location of the equipment make it susceptible to flooding, fire, high energy line breaks, or other environmental concerns?

6. Has adequate physical separation/electrical isolation been provided?

7. Are there any non-seismic structures or components surrounding the components which require evaluation for impact upon the selected component?

8. Does the location of equipment facilitate manual operator action and is sufficient lighting available, if required?

9. Are baseplates, hangers, supports and struts installed properly?

10. Are there indications of degradations of equipment?

11. Are the motor-operated valve operators and check valves (particularly lift check valves) installed in the orientation required by the manufacturer?

APPENDIX D, SOURCES OF INFORMATION

Information: Suggested Sources

Design Bases

• Updated Final Safety Analysis Report (UFSAR)

• Design Basis Documentation

• System Descriptions

• Design Calculations

• Design Analyses

• Piping & Instrumentation Drawings

• Significant Design Drawings

• Significant Surveillance Procedures

• Pre-operational Test Documents

• Vendor Manuals

Licensing Bases

• NRC Regulations

• Plant Technical Specifications

• UFSAR

• NRC Safety Evaluation Reports

• Generic Aging Lessons Learned (GALL) Report, NUREG-1801 Final Report, Revision 2 (ML103490041)

Applicable Accidents/Events

• UFSAR

• Individual Plant Examination

• PRA analyses

• Emergency Operating Procedures (EOPs)

System Changes

• System Modification Packages (including post modification test documents)

• 10 CFR 50.59 Safety Evaluations

• Temporary Modifications

• Work Requests

• Setpoint Changes

• EOP Changes

Industry Experience

• Licensee Event Reports

• Bulletins

• Generic Letters

• Information Notices

PRA Information

• Individual Plant Examinations (IPE) or Updated PRA model results

• Risk-informed inspection notebooks

• Risk importance rankings for SSCs

• Dominant accident sequences

• Important operator actions

• Individual Plant Examinations for External Events

APPENDIX E - EXAMPLE SCENARIOS

a. Example #1 – A safety related instrument inverter with a Birnbaum value of 2E-4 is normally in service and carries loads equal to or less than those for accident conditions. Recovery from inverter failure is not reasonable. It is routinely monitored by auxiliary operators every 8 hours and its failure is fully known by the operators in the Main Control Room via multiple alarms and equipment failures, but does not cause a reactor trip. Technical Specifications does require plant shutdown within 6 hours upon loss of the inverter. Just using the Birnbaum, this would be a “high” risk component for inclusion in the inspection sample. However, realistically the component can only be out of service less than a day before the plant is shut down. Now the risk significance is 2E-4 * 1/365 days = 5.5E-7 (Green). Given a reasonable exposure time and that the normal operating conditions are essentially performing a constant test of the inverter, it should be classified as “low” risk.

b. Example #2 – A non-Technical Specification Auxiliary Feed Water Pump with a Birnbaum of 2E-4 is maintained by the licensee in a standby condition with no routine monitoring by auxiliary operators. It is energized (bump tested) every quarter and flow tested to a head curve every 18 months. This component clearly should be included in the inspection sample. A simple breaker or discharge valve misalignment/failure could realistically have a 90 day exposure time or a risk significance of 2E-4 * 90/365 days = 5E-5 (Yellow). This would be a fail to start in the PRA. A bearing misassembled may only show up during a flow test as a fail to run with a risk significance of 2E-4 (Red).

The attributes for emphasis during the component inspection should be biased, depending upon the answers to these questions. Recognize that for standby components the fail-to-run is far more serious than the fail-to-start because recovery from failed-to-run is more difficult to accomplish by the nature of the failure (i.e., correction to a bearing mis-assembly would require component disassembly which would take much longer time than a correction of a simple breaker or valve misalignment).

Additionally, fail-to-run has a longer exposure time since it takes longer to reveal itself because surveillances performed to verify the ability of SSCs to perform over an extended period are performed less frequently. Therefore, the inspection for the FTR mechanism should take precedence. Also, inspection of the pump’s suction valve would take precedence over the discharge valve. A failure of the suction valve, whether through a mechanical or electrical failure or because the valve is mispositioned, may cause un-recoverable pump failure in a matter of minutes whereas failure of the discharge valve may cause pump failure in a matter of hours. Once the component is selected, two other facets should be included in the inspection. The first items to inspect are those mechanisms that could result in a common cause failure. The second item to inspect is confirmation that the machinery history/reliability is reasonably consistent with the PRA basic event failure probability.

Attachment 1

Revision History for IP 71111.21M

Commitment Tracking Number: N/A
Accession Number, Issue Date, Change Notice: ML15154A586, 07/28/15
Description of Change: Initial Issuance of the inspection procedure. Researched commitments for 4 years and found none.
Description of Training Required and Completion Date: No
Comment and Feedback Resolution Accession Number: N/A

Commitment Tracking Number: N/A
Accession Number, Issue Date, Change Notice: ML15302A004, 11/24/15, CN 15-026
Description of Change: Reissued inspection procedure after incorporating regional comments
Description of Training Required and Completion Date: No
Comment and Feedback Resolution Accession Number: N/A

Commitment Tracking Number: N/A
Accession Number, Issue Date, Change Notice: ML16238A320, DRAFT, CN 16-XXX
Description of Change: Revised inspection procedure to address internal and external comments from conducting the eight CDBI pilot inspections and also to address FFs -1989; -2072; and -2172. Made draft version public prior to final version being issued to allow viewing of potential inspections starting CY 2017.
Description of Training Required and Completion Date: No
Comment and Feedback Resolution Accession Number: ML16239A088; 71111.21-1989, ML16342C117; 71111.21-2072, ML16342AC141; 71111.21-2172, ML16342C383

Commitment Tracking Number: N/A
Accession Number, Issue Date, Change Notice: ML16340B000, 12/08/16, CN 16-032
Description of Change: Changes associated with ML16238A320. A new ADAMS Accession Number was created to address a non-concurrence on the changes proposed by version of the IP associated with ML16238A320. Completed non-concurrence package can be found in ML16341C689. No additional changes were made to this IP.
Description of Training Required and Completion Date: No
Comment and Feedback Resolution Accession Number: ML16239A088; 71111.21-1989, ML16342C117; 71111.21-2072, ML16342AC141; 71111.21-2172, ML16342C383. See non-concurrence package ML16341C689.