ML17312B762

Rev 5 to NRR Draft Evaluation Guide, Development of Graded Quality Assurance Program
Site: South Texas, STP Nuclear Operating Company
Issue date: 01/31/1996
From: NRC (Affiliation Not Assigned)
To:
Shared Package: ML17312B763
References: PROC-960131, NUDOCS 9601290031


Text

NRR Draft Evaluation Guide: Development of Graded Quality Assurance Programs, Draft - Revision 5, January 1996

1.0 INTRODUCTION

Requirements related to quality assurance (QA) programs for nuclear power plants are set forth in Appendix B to Part 50 of Title 10 of the Code of Federal Regulations (10 CFR 50).

The general statements contained in Appendix B are supplemented by industry standards and NRC regulatory guides which describe specific practices that have been found acceptable by the industry and NRC staff. Although both Appendix B and the associated industry standards allow a large degree of flexibility, the licensees and the NRC staff have been reluctant to make major changes in established QA practices.

Recently, however, changes in the nuclear industry have resulted in numerous proposals to revise QA practices.

These changes include the completion of construction projects, establishment of programs related to plant operations and maintenance, maturing of licensee programs and personnel, and increased pressures to control plant operating costs.

The Graded Quality Assurance (GQA) initiative jointly undertaken by the industry and the NRC staff is intended to (1) provide a safety benefit by allowing licensees and NRC to preferentially allocate resources to higher safety significant items, and (2) provide cost savings by reducing resources spent on lesser safety significant items.

Background information about initial efforts to implement GQA is given in SECY-95-059, "Development of Graded Quality Assurance Methodology" (March 10, 1995).

Licensees developing GQA programs will consider various methods and adjust their QA programs to accommodate their individual needs.

Licensees' programs will affect different functional areas, such as procurement, records, or design control, varying according to perceived problems or cost control initiatives.

The NRC conveyed its goals and expectations for an acceptable graded QA program to NEI on June 15, 1994.

Irrespective of a licensee's specific approach, the NRC stated a graded QA program should have four essential elements:

(1) a process that determines the safety significance of structures, systems, and components (SSCs) in a reasonable and consistent manner

(2) the implementation of appropriate QA controls for SSCs, or groups of SSCs, according to safety function and safety significance

(3) an effective root-cause analysis and corrective action program

(4) a means for reassessing SSC safety significance and QA controls when new information becomes available

2.0 EVALUATION GUIDE OBJECTIVES

Graded QA programs allow licensees and the NRC to preferentially allocate resources to higher safety-significant items and reduce resources spent on lesser safety-significant items.

Licensees are expected to establish GQA programs that relax the documentation associated with the procurement and receipt inspection processes, the level of independent oversight of line organization activities, and the frequency of QA audits.

The GQA programs will not change facility design bases or fundamentally change the activities of line organizations.

NRC evaluations should ensure that a licensee's GQA program does not relax plant design bases or regulatory requirements.

However, the NRC staff should recognize that the GQA programs will exercise the flexibility allowed by the regulations in adjusting QA provisions to the safety significance of equipment or activities.

Some aspects of the GQA programs will require long-term followup to assess the effect of specific licensee changes to existing QA controls. If necessary, the final NRC internal guidance will address long-term followup requirements in documents such as routine or reactive inspection procedures.

I Ed U

ff'h hihQA I

igHf SSC h

within the scope of the graded QA program.

The graded QA controls should maintain reasonable confidence in equipment performance and support the corrective action and feedback aspects of the program.

Safety Significance Determination:

Evaluate the methods for determining safety significance for the SSCs within the scope of the graded QA program, including the use of probabilistic risk analysis (PRA) insights and deterministic considerations.

Evaluate the effectiveness of the expert panel in making safety significance classifications and in integrating PRA and deterministic considerations with reasonable confidence and consistency.

This is a preliminary guide for NRR and regional office staff evaluating volunteer licensees' graded QA programs.

Such evaluations should ensure that the quality assurance provisions being applied to SSCs are consistent with the SSCs' safety significance.

This guide will provide a framework for evaluating graded QA programs until the NRC develops its final guidance.

The experience gained in using this guide will assist the staff in developing regulatory positions and the final guidance.

Internal NRC procedures and regulatory guidance for licensees, if deemed necessary, will be completed in accordance with the NRR Action Plan for Graded Quality Assurance.

For the purpose of this guide, an expert panel is any of the various means used to perform a multi-disciplinary review related to the importance of SSCs or the grading of quality provisions.


'v i Pro:

Evaluate the effectiveness of the corrective action and root-cause analysis program related to the graded QA process.

Ed h

ff i*

f h

i I

SSC hy significance and QA controls in light of operating experiences, new information, or changes in plant design.

3.0 SAFETY SIGNIFICANCE DETERMINATION

Before QA practices can be graded, SSCs must be classified by safety significance.

The classification can be based either on deterministic considerations or a combination of deterministic and probabilistic considerations.

This evaluation guide is written in terms of the combined approach since it is the preferred method and has also been adopted by the volunteer licensees developing GQA programs.

Future guidance may specify acceptable alternative approaches or such alternatives may be reviewed on a case-by-case basis.

How much regulatory scrutiny is dedicated to the safety significance determination depends on the potential safety impact of the activity for which the determination is being made.

The implementation of graded QA controls instead of maintaining existing QA controls is expected to have a minimal impact on the overall plant safety. This expectation is based upon each licensee defining a program that addresses each of the four fundamental elements described in this evaluation guide and that meets all other regulatory requirements.

Although the GQA programs may reduce the availability or reliability of some systems or components, a meaningful assessment may not be possible until a GQA program has been in effect for several years. From the staff's experience with both PRA and deterministic analyses, some SSCs are obviously high-safety-significant and some are obviously low-safety-significant.

However, there will also be SSCs that may reasonably be judged to be either high- or low-safety-significant and for which the licensee's engineering judgment is a major factor in the classification.

The staff should follow the guidelines below in evaluating safety-significance determinations made by licensees developing GQA programs.

3.1 Review the volunteer licensee's graded QA program description to determine the population of plant equipment to be considered for application of graded QA. Note that systems that contain safety-related components do not require that all components within the system be classified at the same level of safety significance or be assigned the same level of QA controls.

The Maintenance Rule (10 CFR 50.65) lists broad classes of equipment that are considered within scope (see NUMARC 93-01 and 93-02 and Regulatory Guide 1.160). The initial graded QA programs proposed have defined the scope to be the same as the Maintenance Rule, which includes both safety-related and non-safety-related SSCs.

However, note that non-safety-related SSCs, including those that are categorized as high-safety-significant, are not specifically covered by the provisions of 10 CFR 50 Appendix B except by the licensee's volition. However, the NRC expects that SSCs categorized as high-safety-significant, including non-safety-related SSCs, would receive a level of attention and programmatic controls commensurate with the safety-significance categorization.

Although perhaps not enforceable under Appendix B, any concerns with a licensee's treatment of a high-risk-significant non-safety-related SSC should be communicated to the licensee as a potential program weakness.

The NRC will continue to evaluate the issue related to the appropriate scope of graded QA programs and the treatment of high-safety-significant/non-safety-related SSCs.

If deemed necessary, the final regulatory guidance or rulemaking activities will be used to resolve concerns in these areas.

Also, review the following services, activities, and SSCs to see whether they have augmented quality provisions and whether appropriate quality verification processes have been established:

- safety-related services and activities
- Seismic Category II SSCs located in proximity to Seismic Category I SSCs (RG 1.29)
- station blackout (SBO) equipment (10 CFR 50.63 and RG 1.155)
- anticipated transient without scram (ATWS) equipment (10 CFR 50.62 and Generic Letter 85-06)
- fire protection equipment (10 CFR 50.48, 10 CFR 50 Appendix R, and Branch Technical Position 9.5-1)
- Post-Accident Monitoring (RG 1.97)
- Class 1E Equipment Qualification (10 CFR 50.49 and RG 1.89)

Although these services, activities, and SSCs could be within the scope of the graded QA programs, evaluations should consider the current regulatory requirements and licensee commitments with respect to these items.

The establishment of a graded QA program does not confer relief or exemption from any regulatory requirements associated with these items.

This discussion of program scope assumes that the licensee is developing a broad-based GQA program.

It is possible that future adjustments to QA practices will be developed for specific systems, activities, or tasks.

Although situational applications would be expected to generally conform to this guide, the issue will be further discussed in the final regulatory guidance.

3.2 f

i ifi D

The safety significance determination identifies and ranks the plant equipment that has the greatest contribution, or potential contribution to plant risk.

Does the safety significance process carefully integrate deterministic and probabilistic considerations? Are functions related to both accident response and normal operations considered?

Determining the safety significance of SSCs for GQA programs may be different than the categorizations for implementation of the Maintenance Rule, which may have only considered maintenance preventable functional failures.

Examine the methods or processes proposed for determining safety significance: how effectively does the expert panel combine PRA insights and deterministic insights in considering safety significance?

Core damage frequency (CDF) by itself is not a complete measure of risk. Containment failure, large release likelihood, and total dose must also be considered in determining risk importance.

The plant-specific PRA results are expected to play an important part in determining the safety significance of various SSCs.

The relative importance of various SSCs can be estimated by using appropriate PRA importance measures.

However, in using PRA results, the licensee must recognize that plant systems are modeled in varying degrees in the PRA. Does the expert panel consider limitations in the PRA modeling?

Supplementary guidance and criteria should be available to the expert panel to ensure that such limitations are recognized and addressed in the safety significance determinations.

Various considerations related to the use of PRA in safety significance classification are provided in Appendix D.

Related guidance from the NEI PSA Applications Guide is given as Appendix E. The issues identified in these appendices are useful in evaluating whether a licensee is using the PRA insights appropriately. If practical, assess the validity and applicability of the NEI PSA Applications Guide to GQA programs.

Supporting deterministic analyses are used to validate PRA insights, change initial categorizations to address limitations in PRAs, or to categorize those SSCs for which the specific PRA does not provide insights.

Before categorizing an SSC as low-safety-significant, the expert panel should develop and consider additional deterministic screening criteria.

In evaluating a GQA program, the panel's consideration of PRA limitations and deterministic factors is as important as their use of PRA importance measures in the safety significance classifications.

Examples of deterministic considerations that should be included in licensee safety significance classifications are given in Appendix F.

Regarding level of categorization, licensees may categorize SSCs at several levels.

The Maintenance Rule approach is performed at the system level.

Licensees may limit their evaluation to the system level and conservatively judge all components in a high-safety-significant system to be high-safety-significant, or they may further categorize components within systems.

If the level of detail in PRA modeling is increased so that the major components within a system are modeled, licensees may be able to use PRA insights partly to distinguish between high-safety-significant and low-safety-significant components within a system.

However, to provide a high-level perspective, system-level importances should be determined even when component-level importance measures are available.

3.3

~HP The expert panel plays an essential part in determining safety significance.

In this guide, an expert panel is an actual multi-disciplinary review panel or any functionally equivalent group or process in which various perspectives are represented.

The panel would nominally include experienced representatives from various disciplines such as operations, maintenance, engineering, safety analysis and licensing, and PRA.

The composition of the expert panel should be augmented, if necessary, to support the purpose of the safety significance ranking.

For example, because of the emphasis on QA considerations in the GQA process, QA and procurement personnel may be assigned to this panel.

The licensee's expert panel safety significance determinations should be both scrutable and repeatable.

To satisfy these key evaluation criteria (scrutability and repeatability), the licensee will need to establish procedures and guidance for the expert panel and sufficiently document expert panel activities to allow subsequent independent assessments of whether the safety significance determination process provided results with reasonable confidence and consistency.

Evaluations of expert panel activities should answer the following questions:

- Are the expert panel's composition, its responsibilities, and its methods defined?
- Does the panel use clear criteria in classifying SSCs within safety significance categories (Section 3.2)?
- Does the panel have a means for addressing concerns through technical evaluations, sensitivity analysis, or actual classification of SSCs?
- Does the panel objectively consider deterministic and PRA information?
- Does the panel consistently give SSCs of similar safety significance similar quality treatment?
- Does the panel use specific deterministic criteria to validate PRA importance measures?
- Does the panel ensure continued compliance with existing regulations and commitments (including those that are plant specific)?
- Does the panel incorporate lessons learned from its activities or the experiences of implementing line organizations?
- Are expert panel activities documented so that the bases for important decisions and SSC classifications are recorded?

The expert panel evaluates both probabilistic and deterministic information available regarding SSCs (or broad classes of functionally similar SSCs) within the defined scope to determine the safety significance of SSCs.

The expert panel needs to carefully weigh the PRA insights, recognizing the limitations of PRAs.

PRA results should be augmented with information from other sources such as design bases documents, design specifications, analyses of failure modes and effects, plant operating procedures, normal and abnormal plant configurations and alignments, and plant licensing basis documents.

Safety significance may be determined using criteria related to prevention or mitigation of core damage, containment integrity, or a reduction in the release probability or consequence to the public. Factors such as potential common-mode failures, human errors of omission and commission, defense in depth, and the maintenance of safety margins should also be considered.

Both the high-safety-significant and low-safety-significant categories could include safety-related and non-safety-related SSCs.


For graded QA programs that have more than two categories, the QA controls for the groupings between the highest and lowest safety significance categories are expected to mix elements from the current program and the graded program for low-safety-significant SSCs.

4.0 GRADING OF QUALITY ELEMENTS

After classifying SSCs into two or more safety significance categories, the licensee must select appropriate QA requirements for the various categories. This is a critical factor in achieving the goals of the GQA initiative. To satisfy regulatory requirements and generally provide the staff with a reasonable explanation of the implementation of a GQA program, licensees are expected to prepare and submit changes to their QA programs. The revised QA plans should adequately describe the GQA program, including the safety significance determination process and how the program affects each of the elements within the QA program. Licensees will limit the descriptions to avoid detailed commitments that would trigger unwarranted submittals and staff reviews in accordance with 10 CFR 50.54(a). The staff should accept a limited level of detail in QA program descriptions.

For safety-related SSCs determined to be of the highest safety significance, the current QA practices would normally be retained. A certain number of SSCs currently classified as non-safety-related may fall into the high-safety-significant category. Has the licensee considered more rigorous quality assurance practices for these high-safety-significant non-safety-related SSCs than normal for non-safety-related SSCs (e.g., commensurate with the SSCs' relative importance to plant safety)? Non-safety-related SSCs, including those that are categorized as high-safety-significant, are not specifically covered by the provisions of 10 CFR 50 Appendix B, except by the licensee's choice. Although perhaps not enforceable under Appendix B, any concerns with a licensee's treatment of a high-risk-significant non-safety-related SSC should be communicated to the licensee as a potential program weakness (see Section 3.1).

For those SSCs put in the lowest safety significance category, the licensee will develop reduced or graded quality assurance controls. What QA aspects and characteristics has the licensee selected for grading? In making this selection, the licensee should consider the safety function of the SSC and factors having to do with design, procurement, fabrication, construction, installation, maintenance, testing, and human performance. Grading of quality elements may reduce documentation and verification activities for low-safety-significant SSCs, but should maintain a reasonable level of confidence that each SSC will perform all intended functions with potential safety implications. Within the constraints of specific regulatory requirements, licensees have the flexibility to define the processes used to achieve reasonable confidence in SSC performance. In addition to providing reasonable assurance of SSC performance, the GQA program should include processes and documentation that support an effective corrective action program.

4.1 Emhmhaa

Does the expert panel or the line organization consider appropriate QA factors when determining how much to adjust the existing 10 CFR 50 Appendix B program for low-safety-significant SSCs? How does the licensee's process establish the relationship between SSC safety function and the level to which QA controls are applied?

Verify that the existing QA requirements have been maintained for the high-safety-significant systems.

In reviewing any changes to the QA controls for high-safety-significant SSCs, use traditional review practices, including comparisons to the standard review plan, regulatory guides, and endorsed industry standards.

Nevertheless, existing flexibilities within the traditional QA provisions and alternate approaches will not necessarily be found unacceptable and should not be discouraged.

For the low-safety-significant category, does the program have an acceptable process for QA verification, including commercial grade item (CGI) dedication? Although QA verification for low-safety-significant SSCs may be graded, the process should continue to assure the design integrity and successful safety function performance of the SSC. Within this area, the technical requirements for CGI dedication (critical design and performance characteristics of an item for an application) are not subject to grading.

However, for items of low safety significance, the verification of critical characteristics may be graded (e.g., by reduced sampling plans, alternate testing techniques, or correspondence with the vendor).

Examples of graded QA controls for the procurement and dedication of CGIs are given in Appendix C.

If available, examine the licensee's procedures or instructions for implementing its graded QA program.

Do these documents adequately define the QA provisions to be applied to SSCs according to their relative safety significance and design requirements?

Has the licensee established provisions for feedback mechanisms as discussed in Sections 5 and 6 of this guide?

Areas in which quality assurance adjustments have been considered and found acceptable are discussed below.

The list is not exhaustive but provides examples of the types of changes expected from implementation of GQA programs.

- Procurement:

Licensees may establish less stringent quality assurance requirements for the procurement of low-safety-significant components than for high-safety-significant components.

In making these changes, licensees need to consider CGI dedication issues as well as possible 10 CFR 50 Appendix B requirements.

Procurement is further discussed in Appendix C of this evaluation guide.

- Lev 1 f D m n r v

Traditionally, QA plans have specified levels of licensee management authorized to approve documents such as procedures and design packages.

GQA programs may reassign such approval authority to lower levels in the licensee organization.

Documentation, such as procedures and design packages, for low-safety-significant SSCs may be less detailed than for high-safety-significant items.

This is likely already the case for existing documentation, but the GQA program may formalize this distinction.

In assessing the level of detail specified in procedures or actual packages related to low-safety-significant items, there should be enough detail to maintain plant design and configuration control and to evaluate failures to determine corrective actions.

I~Ri ill igQAP i Wi idi d

i i

licensee activities. For example, in the area of design control, licensee programs reflect the position in Regulatory Guide 1.64, "Quality Assurance Requirements for the Design of Nuclear Power Plants," that an immediate supervisor may not perform design verification functions.

GQA programs may revise the independent review process to include review by peer personnel from line organizations, supervisors, or knowledgeable personnel from other licensee organizations.

However, to be considered independent, the review should be performed by an individual not directly involved in the performance of the activity.

- F n fI i n

The licensee may choose to continue current practices related to specifying quality control "hold points" for activities involving SSCs considered high-safety-significant and to reduce such practices for low-safety-significant SSCs.

Verifications by peer personnel in lieu of certified inspectors may be implemented for the low-safety-significant SSCs provided that the licensee designates individuals considered knowledgeable and qualified to do inspections.

- zAi>d'. Processes and work associated with low-safety-significant SSCs could be audited less deeply and less frequently than high-safety-significant activities. Surveillances, performance monitoring, self-assessments, trend data or other activities may supplant formal audits in low-safety-significant areas.

- ffT inin R

The licensees may establish different training and qualification requirements for personnel performing tasks on high-safety-significant and low-safety-significant SSCs.

Review the regulatory and licensing commitments that may be impacted by the implementation of a graded QA program.

Do changes to any of the identified commitments involve license amendments, exemptions to regulations, or other NRC authorization apart from that of 10 CFR 50.54(a)?

GQA programs should not result in either intended or effective changes in the design or configuration of plant systems.

Such design or configuration changes occur when QA program reductions result in a loss of confidence in one or more SSC critical characteristics.

An example of such a change might be reduction in procurement controls and a resulting lack of confidence in seismic or environmental qualifications of a component.

The licensee should ensure that changes to technical requirements are performed in accordance with 10 CFR 50.59 and other applicable regulations. If such changes are identified, find out what actions the licensee has taken to address these issues.

Evaluate the appropriateness of these actions.

If a licensee concludes that a change to the program reduces a QA program commitment, has the licensee submitted or does it plan to submit a QA program change to the NRC in accordance with 10 CFR 50.54(a)?

This change should describe what elements of the program will be revised and justify the conclusion that the program will continue to meet the requirements of 10 CFR 50 Appendix B. For the purposes of the volunteer program, it is envisioned that the reviews of any proposed revisions to the licensee's QA program description will be performed by NRR.

5.0 CORRECTIVE ACTIONS

The licensee's graded QA program should have elements specifically related to effective corrective actions and root-cause analysis. Within this area, the licensee's process controls should consider whether the specified graded quality assurance treatments of SSCs are sufficient. Failures of low-safety-significant SSCs should be identified in accordance with licensee corrective action programs or trending programs so that the licensee can tell whether the reduction of the QA controls results in an unacceptable decrease in an SSC's performance. It is recognized that licensees may develop performance expectations (reliability and availability) that also reflect the low safety significance of items subject to graded QA controls. Although this option may be acceptable, the evaluation should ensure that the reduced performance standards do not effectively undermine the ability to identify potential problems in the GQA program.

The low-safety-significant classification of an SSC may reduce the level of corrective action following a failure. For example, root-cause evaluations may not be performed for each failure of low-safety-significant SSCs since such failures may not meet the threshold of a significant condition adverse to quality. However, licensee corrective action or trending programs should at least identify and determine the apparent cause of repetitive failures of SSCs under the GQA controls to determine if performance criteria and/or quality elements need to be changed.

The licensee's response to negative performance trends may include an assessment of the SSC's safety significance categorization, since the reduction in performance could affect the basis for classifying the SSC in the low-safety-significant category.

Licensees should evaluate individual failures of low-safety-significant SSCs to determine if there are implications for common-mode failures or the failure of similar equipment in high-safety-significant applications.

Such evaluations should be explicitly required in the licensee's corrective action process or be incorporated into equipment performance trending programs.

6.0 OPERATIONAL FEEDBACK

The evaluation should examine the GQA program or existing programs to ensure that a process exists to consider plant and industry operational experience and the potential need to revise SSC safety significance classifications or QA controls.

Operating experience and plant modifications are two sources of information that could give insights about the effectiveness of a licensee's GQA program and feedback mechanisms.

R i *e'ph fif ',i IChg performance indicators, NRC generic communications, Institute of Nuclear Power Operations (INPO) and Electric Power Research Institute (EPRI) design reliability data, Systematic Assessment of Licensee Performance (SALP) reports, licensee event reports (LERs), NRC inspection reports, equipment maintenance histories, plant performance reviews, reliability and unavailability data, equipment performance or condition trending data, Nuclear Plant Reliability Data System (NPRDS), and quality assurance audits.

Review a sample of the PRA assumptions, system unavailabilities, and other plant-specific data used to justify safety significance classifications.

Plant Modifications

Plant modifications might affect the safety significance determination or selection of QA controls for low-safety-significant SSCs.

Accordingly, review the pertinent aspects of the GQA program to determine if plant modifications are periodically reviewed with respect to their potential impact on safety significance determinations.

Alternately, the design change process may include provisions to verify that changes do not affect SSC safety significance or required QA controls.

Periodic audits of the QA program are performed as specified in the licensee's QA program.

The evaluation should ensure either that the GQA programs will be included in the overall QA program audits or that special audits will be conducted to assess the GQA program.

The audits, which could be accomplished in conjunction with similar requirements related to periodic evaluations of Maintenance Rule programs, should include the process for incorporating newly developed risk management insights and configuration management insights into the GQA program.

The audits should evaluate deficiencies across the whole spectrum of plant activities, including operations, design, procurement, and maintenance.

The audits should also determine whether the GQA program needs improvements and whether the bases for the safety significance classifications and assignment of QA controls (e.g., the PRA model and assumptions) continue to reflect plant design and operating practices.

7.0 A LE REVIEW

7.1 i nifi

Review the licensee's evaluation regarding safety significance of SSCs.

Evaluate the factors discussed in Section 3 and the associated appendices.

Evaluate the expert panel conclusions and its use of both PRA and deterministic considerations.

Does the process used by the expert panel satisfy the key criteria of scrutability and repeatability?

Assess the methodology and the actual categorizing of SSCs: has the licensee's process produced reasonable classifications for high and low safety significance?

It should be recognized that engineering judgment plays a key role in the expert panel deliberations as well as the staff's evaluations.

How deeply to review a licensee's justification for a specific safety significance determination and how much to expect of the licensee should depend on the possible safety impact of the activity.

Implementation of graded QA controls instead of existing QA controls is expected to have little effect on the overall plant safety.

Some speculate that GQA programs may lead to reduced availability or reliability for some systems or components.

Whether this is so cannot be known until a GQA program has been implemented for at least several years.

Some systems will obviously have high-safety and some low-safety significance.

When engineering judgment is a major factor in classifying, the staff may ask questions or voice concerns, but the final classification of these systems should remain the licensee's. If deemed necessary, reviewers may escalate concerns to NRC management, who may, in turn, initiate interactions with licensee management.

7.2 din f

u li A s e Elemen 7.2,1 i h-f

- i ni i n

~Sf

a: y*'fyU U*l

  • 2 fq sly pplld h

SSQ with the QA plan commitments.

2.2.2 ~f- "f

Select a sample of safety-related systems, structures, and components categorized under the licensee's graded QA program as low-safety-significant (including mechanical and electrical components).

Review the licensee's evaluation regarding the level of quality assurance controls

2 h

SSQ ld Ri p

R h

g d&QAU g d

select several non-safety-related SSCs that the licensee classified as high-safety-significant (if applicable).

Review the actions that were taken in accordance with the licensee's GQA procedures (e.g., increased quality assurance controls).

Are the quality assurance controls imposed on these SSCs adequate considering their safety significance?

Although perhaps not enforceable under Appendix B, any concerns with a licensee's treatment of a high-risk significant non-safety-related SSC should be communicated to the licensee as a potential program weakness.

to be implemented for each affected activity for the SSCs selected.

Has the expert panel or the responsible line organization established adequate QA controls as discussed in Section 4?

A useful assessment technique may be to compare the graded QA controls applied to a low-safety-significant SSC and the controls applied to a similar SSC assigned to the high-safety-significant category.

For the SSCs selected in the sample, has the licensee taken other commitments or requirements, beside those of 10 CFR 50 Appendix B, into consideration in determining safety significance or grading of quality assurance controls? For example, grading of QA controls in the procurement processes should not result in changes in the seismic capability of plant components.

7.3 Licensee programs should provide for revising quality assurance practices or controls and safety significance determinations on the basis of plant or industry operational experiences, performance trends, program reviews or audits, or other methods of assessing the GQA program. Initial evaluations may be limited to ensuring that the program descriptions or related procedures include feedback provisions similar to those discussed in Section 6.

The licensee's GQA program should have elements specifically related to effective corrective actions.

The licensee should have process controls to consider whether the specified graded quality assurance treatments of SSCs are sufficient.

Failures of low-safety-significant SSCs should be identified by the licensee's corrective action or trending programs so that the licensee can tell whether the reduction of the QA controls unacceptably impairs an SSC's performance.

In addition, corrective action programs should address the importance of failures of low-safety-significant components in terms of potential common-mode failure concerns or implications for similar components in high-safety-significant applications.

Initial NRC staff evaluations may be limited to ensuring that the program descriptions or related procedures include corrective action processes similar to those discussed in Section 5.

i F

7.6 Records Generated and Maintained:

The licensee's program should specify the necessary procurement, design, installation, and other records that will be retained to document reasonable assurance that SSCs will perform their intended functions and to enable effective evaluations of SSC failures and corrective action determinations.

Furthermore, the program should require that individual failures of low-safety-significant items be evaluated to address the common-mode failure issues and implications for similar SSCs in high-safety-significant applications.

Documentation related to the expert panel activities should be sufficient to ensure that the determinations are both scrutable and repeatable.

Appendix A DEFINITIONS

Assessments:

A collective term covering reviews, monitoring, tests, surveillances, inspections, audits, or examinations.

Basic Component:

A plant structure, system, component, or part thereof necessary to assure (1) the integrity of the reactor coolant pressure boundary, (2) the capability to shut down the reactor and maintain it in a safe shutdown condition, or (3) the capability to prevent or mitigate the consequences of accidents which could result in potential offsite radiation exposures comparable to those referred to in 10 CFR 100.11.

Critical Characteristics:

Those important design, material, and performance characteristics which, once verified, will provide reasonable assurance that the item will perform its intended safety function.

Expert Panel:

As used in this guide, a mechanism to achieve multi-disciplinary reviews such as a group of experienced and knowledgeable facility personnel that meet to determine the safety significance of SSCs based on PRA and deterministic considerations. The panel would typically include representatives from operations, maintenance, engineering, PRA, and quality assurance.

The panel may also be responsible for specifying the graded QA provisions for SSCs and for determining the necessary performance monitoring criteria.

Graded Quality Assurance:

The application of quality assurance controls to SSCs and/or activities according to their safety or risk significance.

Industry Wide Operating Experience:

The information available in NRC, industry, and vendor equipment documentation shared within the nuclear industry to minimize adverse plant conditions or situations.

Performance monitoring: Continuous or periodic tests, inspections, measurement, or trending of the performance or physical characteristics of an SSC for use in determining corrective actions and the need to modify GQA controls.

Q-List: The licensee's list of SSCs required by Criterion II of 10 CFR 50 Appendix B, plus other SSCs within the explicit scope of other regulations (see definition of safety-related SSC).

Deviations:

A departure from a specified requirement or performance criterion.

Engineering judgment:

A process of logical reasoning that leads from stated premises to a conclusion.

The process should be supported by sufficient documentation to permit verification by a qualified individual.

QA Topical Report:

A general report and description of the licensee's 10 CFR 50 Appendix B quality program and the corresponding standards.

It constitutes the quality assurance licensing commitments associated with implementing 10 CFR 50 Appendix B.

Safety-Related SSC (From 10 CFR Part 100 and 50.49/50/65):

A structure, system, component, or part thereof necessary to assure:

(1) the integrity of the reactor coolant pressure boundary; or (2) the capability to shut down the reactor and maintain it in a safe shutdown condition; or (3) the capability to prevent or mitigate the consequences of accidents which could result in potential offsite radiation exposures comparable to the 10 CFR Part 100 guidelines.

High-Safety-Significant SSCs:

The set of SSCs (safety-related and non-safety-related) that is determined by an expert panel, considering both PRA and deterministic information, to have a relatively high safety significance.

Low-Safety-Significant SSCs:

The set of SSCs (safety-related and non-safety-related) that is determined by an expert panel, considering both PRA and deterministic information, to have relatively low safety significance.

Quality elements:

The quality attributes, controls, criteria, processes, or practices necessary to provide reasonable assurance that an SSC will be able to perform its intended safety function.

APPENDIX B REFERENCES

1. Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," June 1993.

2. NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," May 1993.

3. NRC Inspection Procedure 38703, "Commercial Grade Procurement Inspection."

4. Generic Letter 89-02, "Actions to Improve the Detection of Counterfeit and Fraudulently Marked Products."

5. Generic Letter 91-05, "Licensee Commercial Grade Procurement and Dedication Programs."

6. NUMARC 93-02, "A Report on the Verification and Validation of NUMARC 93-01, Draft Revision 2A, 'Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,'" May 1993.

7. NUMARC 93-05, "Guidelines for Optimizing Safety Benefits in Assuring the Performance of Motor-Operated Valves," December 1993.

8. SECY-95-059, "Development of Graded Quality Assurance Methodology."

9. NUREG/CR-5696, "A Process for Risk-Focused Maintenance," March 1991.

10. NEI, "Draft Pilot Project Guideline for Implementation of a Graded, Performance-Based Approach to Quality," September 1994.

APPENDIX C GRADED QA FOR PROCUREMENT AND DEDICATION OF COMMERCIAL GRADE ITEMS

The quality assurance requirements should be compatible with the type of item or service to be supplied.

Certain items and services may require extensive QA controls throughout all stages of development, whereas others will require only limited controls in certain stages.

The following factors should be considered in determining the extent to which quality assurance practices should be applied during the dedication.

I. THE IMPORTANCE OF THE MALFUNCTION OR FAILURE OF THE ITEM TO PLANT SAFETY

Each item to be procured must be evaluated to determine whether it is important to plant safety and whether it is of high or low safety significance.

This determination should also consider applicable requirements of Appendix B to 10 CFR Part 50 (for CGIs to be dedicated for safety-related services applicable requirements from EPRI NP-5652, as endorsed by GL 89-02); the requirements should be specified in the procurement and CGI dedication process and in related procurement and dedication documents.

The safety determination should be made by technically knowledgeable personnel who are thoroughly familiar with an item's functions and design parameters.

II. THE COMPLEXITY OR UNIQUENESS OF THE ITEM

In developing quality assurance requirements for an item, the complexity and uniqueness of the item should be considered.

The extent of the controls needed to assure the quality of characteristics necessary for proper functioning and long-term performance may depend heavily upon the item's complexity and the industry experience, or lack of, in accomplishing the quality-related activity. Obviously, if a design effort is required to develop the item or accomplish the activity, design quality assurance requirements should be included in the procurement document.

Items which require a complex manufacturing plan may require extensive control over critical characteristics.

The control over critical characteristics should extend beyond the manufacturing phase when it is necessary to preclude damage to those characteristics during packaging, shipping, handling, and storage.

In determining the extent of quality assurance to be applied, past experience in the development of similar items should be considered.

An item developed for the first time will probably require much more control over critical characteristics than one which has a history of successful performance.

The complexity or uniqueness of the item may also affect how much personnel training and indoctrination are required.

III. THE NEED FOR SPECIAL CONTROLS AND SURVEILLANCE OVER PROCESS AND EQUIPMENT

Certain work operations may require the use of special processes such as welding, non-destructive examination, brazing and soldering, hardness and tensile testing, protective coating, and heat treatment.

Special processes may also include certain in-process operations such as chemical batch process, plating operations, and electric insulation impregnation. These processes should be accomplished under specially controlled conditions.

Controlled conditions include the use of appropriate equipment, suitable environmental conditions, definitive procedures, qualified personnel, and assurance that prerequisites have been satisfied.

IV. THE DEGREE TO WHICH FUNCTIONAL COMPLIANCE CAN BE DEMONSTRATED BY INSPECTION AND TEST

It may be possible to demonstrate certain characteristics of an item by an appropriate inspection or test.

In such cases, the in-process controls (e.g., audits, surveys, and source surveillance) may be reduced if an appropriate inspection and test will provide an assurance of quality. An end-product test, for example, may eliminate the need for in-process controls.

V. THE QUALITY HISTORY AND DEGREE OF STANDARDIZATION OF THE ITEM

The usefulness of historical data in evaluating the quality experience of an item depends in part on the degree of standardization of the item. If a manufacturer has been producing a particular standard item for a long time, using essentially the same controls, and if the operational quality history of the item indicates that its critical characteristics perform satisfactorily, the quality assurance program may be tailored to reflect this satisfactory performance history. Conversely, if operational data shows certain characteristics to be unsatisfactory, additional quality assurance efforts may be required to correct deficiencies.

ID i

i f

- i nif

The following dedication activities exemplify one approach for dedicating CGIs intended for use in low-safety-significant applications; these CGIs are relatively simple products and of standard design, and their critical characteristics may be verified by standard or automated inspections or tests.

(1) Destructive and Nondestructive Testing

For dedicated CGIs used in low-safety-significant applications, the licensee may perform destructive and nondestructive testing on shipments received using a reduced sample plan (relative to sampling plans used for dedicating CGIs designated for use in high-safety-significant applications).

The testing would be performed at intervals determined by a supplier's performance history, the quantity of CGIs received, and information related to manufacturing processes.

The licensee's test and performance results should be compared to similar results identified on any certifications provided by the supplier, and any abnormal variances should be evaluated.

Substitute or alternate test methods (e.g., hardness testing of carbon steel to determine the approximate material strength in lieu of performing actual tensile tests, partial in lieu of full chemical analyses) may be used to verify critical characteristics provided that the basis for using the alternate test is documented.

(2) Performance Testing

Testing of low-safety-significant CGIs after installation instead of during receipt inspection may be acceptable for some products provided that the post-installation testing verifies the designated critical characteristics.

Supplier testing may also be used to some extent if the supplier history is satisfactory.

(3) Dimensional Inspection

Any sample plan used by the licensee for accepting dimensions on low-safety-significant CGIs is product dependent and needs to provide reasonable assurance that the critical dimensions are correct.

An acceptable supplier history may be used to justify reducing this sampling.

For some products, a satisfactory supplier history may allow the licensee to eliminate dimensional inspection during receipt of the CGIs and may permit the licensee to rely on proper fit during the installation of the dedicated CGI.

(4) Product Markings

The licensee should determine if the manufacturer has the capability to have markings, such as the production run, serial number, batch number, or lot number, placed on each CGI. Although, by itself, this marking may not be sufficient to ensure homogeneity of the CGIs, it may provide additional assurance that the products were produced essentially at the same time, with the same materials and by the same method.

The marking may also provide additional confidence that the CGIs were not from mixed production runs, heats, lots, or batches so that a further reduced sampling plan could be considered for accepting these products.

(5) Sampling Plans

The basis for selecting the sampling plan for dedicating low-safety-significant CGIs should be documented.

Satisfactory supplier performance history, if used to reduce the sampling plan, should also be documented.

For safety-related SSCs classified as low-risk significant, the following options appear to be acceptable alternatives to traditional methods of applying Appendix B QA requirements.

These options alone do not fully constitute an acceptable method for meeting graded Appendix B requirements.

However, when used in combination with other graded QA program controls or with traditional Appendix B controls, they may form the basis of an acceptable graded QA program.

• Option A

In lieu of doing a traditional CGI survey or Appendix B audit, the licensee obtains copies of the manufacturer's QA program manual and of implementing procedures that control certain critical characteristics of the item being manufactured.

After reviewing the manufacturer's QA program and implementing procedures, the licensee determines that, if properly implemented, the QA controls and procedures would provide reasonable confidence in some or all of the CGI's critical characteristics.

The licensee could then use a reduced sampling plan (e.g., spot checking critical characteristics) to dedicate the CGI. The purchase order (PO) should clearly invoke technical requirements (e.g., specifications, codes, standards), and the QA controls should require the manufacturer's certification that the CGI was manufactured under these controls.

• Option B

The manufacturer has established an International Standardization Organization (ISO) 9001 QA program (to control the manufacturing of a CGI) that has been accepted by a third party registrar.

The licensee invokes technical requirements (e.g., specifications, codes, standards) and the manufacturer's ISO 9001 QA requirements in the PO to the manufacturer.

The manufacturer certifies that the CGI was manufactured in accordance with the ISO 9001 QA program.

When the CGI arrives, with the manufacturer's certification, the licensee reduces the CGI dedication activities for this CGI.

Standard receiving inspection practices could then be applied on a sampling basis (e.g., part number, damage, some dimensions).

The reduced dedication program could use post-installation testing to a large degree and use a much reduced sampling plan to overcheck selected critical characteristics (other than dimensions and part number).

• Option

Quality history and standardization were discussed in Section V above.

The logical considerations outlined in Section V should apply to each procurement action. However, if these considerations have only limited applicability to a particular procurement action, unique graded procurement QA requirements will need to be developed.

Acceptable supplier/item performance records should not be employed alone to justify the acceptance of a CGI unless:

• the established historical record is based on industry-wide performance data that is directly applicable to the critical characteristic being verified and the intended related application, and

• the manufacturer's measures for the control of design, process, and material changes have been adequately implemented, as verified by audit or by Options A or B above.

In lieu of the above, performance history (see Section V) may be combined with other dedication methods and the options discussed above and used in dedicating CGIs. The use of and rationale for such combinations should be documented.

When industry information (e.g., NRC information notices, bulletins, and generic letters; INPO SERs; NPRDS; LERs) identifies problems with equipment, the licensee should address the problems during the CGI dedication process.

Appendix D PRA Considerations

The following considerations relate to the use of PRA in safety significance classification:

Appropriate importance measures, including core damage frequency (CDF) contribution, risk achievement worth, and risk reduction worth, should be used.

Since CDF is not a direct measure of risk, containment failure and large release must also be considered in the risk-ranking process to ensure that SSC risk importance is reflected, rather than solely CDF importance.

Common-mode failures across system boundaries are not considered in PRA yet may be important as QA provisions are amended for components used in multiple systems.

Dynamic risk management recognizes that risk is time dependent and is a function of plant operating practices.

Operational insights should be fed back to the panel for consideration.

Plant systems are modeled to varying degrees in PRAs.

The fact that an SSC is not modeled in the PRA does not justify classifying an SSC as low-safety-significant.

Deterministic factors need to be considered.

The scope of plant PRAs should be taken into consideration.

If the scope is that of a Level 1 study, containment performance provisions including containment isolation functions should be factored in. If the PRA scope is limited to internal events, external events like fires, earthquakes, floods, and high winds should also be considered.

The internal flooding initiator should also be included in the evaluation of CDF and risk importance.

Likewise, low-power, shutdown, and transitional modes of operation may not be addressed by plant PRAs but would nevertheless need to be considered in the determination of SSC safety or risk significance.

The level of detail in PRAs determines how the results can be utilized. Licensees may limit their evaluation to the system level and conservatively judge all components in a high-safety-significant system to be high-safety-significant, or additional evaluations may be performed to further categorize components within systems.

If the level of detail in PRA modeling is increased so that the major components within a system are modeled, PRA insights may be more valuable in distinguishing between high-safety-significant and low-safety-significant components within a given system.

The failure modes modeled by the PRA may not be all-inclusive.

Consideration should be given to the failure modes modeled and the potential for the introduction of new failure modes related to the application.

For example, if valve mispositioning has been assumed to be a low-probability event because of independent verification and therefore is not included in the PRA assumptions, any changes to such independent verifications should be evaluated for potential impact on the PRA results.

The type of data for equipment failure rates, unavailabilities, and initiating-event frequencies may be either plant specific or generic. If generic data is used, an evaluation is warranted to assure the appropriateness of using the generic data or updating the data with plant-specific experience.

Truncation of low-frequency sequences (beyond approximately 95% of CDF) may exclude some low-probability events from the dominant cutsets, making them unavailable for the subsequent determination of importance measures.

Truncation levels need to be considered so that the safety significance of SSCs is not underestimated.

Plant-specific PRA modeling practices could skew the plant-specific PRA results in relation to the generic population of similar plant PRA results.

Therefore, licensees would be prudent to compare plant-specific results to those for similar plants for additional insights.

Software-driven solid-state control and protection devices are not readily amenable to being analyzed by PRA.

PRAs normally address only 100% power operation.

The effects of partial or low-power, shutdown, and refueling modes on plant safety also need to be considered.

Generally, fault trees are not developed nor generic event data used for modeling the switchyard and emergency diesel generator.

Containment performance, including containment isolation, may not be explicitly modeled, or the Level II PRA may be incomplete or may not have been reviewed.

Potential influences of aging on component reliability are not examined by the PRA.

Low-safety-significant components not required to support safety functions but whose failure could adversely impact safety function performance may not be addressed by the PRA models.

Examples of such failures are seismic II/I system interactions, seismic-fire interactions, and the spurious operation of fire suppression systems.

Whether an uncertainty analysis has been done on the PRA results and whether the analysis (if done) confirms that an SSC is of low safety significance should be examined.

Initiating events may be modelled as single modularized events in the PRAs, masking the importance of the individual systems and components in these events.

Examples of such initiating events are the loss of instrument air; the loss of HVAC/room cooling; the loss of offsite power (through local switchyard faults); the loss of AC or DC busses; small LOCAs (especially those involving pump seal failures and spurious or stuck open relief valves); interfacing system LOCAs (isolation valves and MOVs); and ATWS (electrical and mechanical portions of the RPS).

Screening analyses are used to dismiss some initiators as insignificant. In many cases, credit for plant systems or structures is taken to bolster the arguments for redundancy and/or reliability. The importance of these systems and structures will not show up in the PRA results since the initiator is screened out.

(Examples are the screening of certain containment penetrations because of the number of isolation valves involved; the screening of fire boundaries because of the existence of water curtains or fire suppression systems; and the screening of flood areas because of the presence of flood alarms.)

When certain events dominate sequence importance, the importance of other events may be hidden.

An example of this shadowing effect (for BWRs) is that during an automatic depressurization system (ADS) inhibit, the dominance of human error in the depressurization function will mask the failure of the ADS valves themselves or even the common-mode failure of the valves.

An example (for PWRs) is that potential human errors will mask the failure of the PORVs or HPI pumps in the feed and bleed function.
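
The truncation and shadowing considerations above can be checked numerically. The following is an added example, not part of the NRC guide: a constructed four-cutset toy model (all event names and probabilities are illustrative assumptions) that computes CDF contribution (taken here as the Fussell-Vesely measure), risk achievement worth, and risk reduction worth with the rare-event approximation, before and after truncating at 95% of CDF.

```python
from math import prod

# Constructed toy model, not plant data. Basic-event values are probabilities
# per demand; initiating events (IE_*) are frequencies per reactor-year.
PROBS = {
    "IE_TRANS": 1.0,       # transient initiating event
    "IE_LOOP": 0.05,       # loss of offsite power
    "HPI_FAIL": 1e-3,      # high-pressure injection fails
    "OP_DEPRESS": 1e-2,    # operator fails to depressurize (human error)
    "ADS_VLV_CCF": 1e-5,   # common-cause failure of the ADS valves
    "EDG_A": 2e-2,         # emergency diesel generator A fails
    "EDG_B": 2e-2,         # emergency diesel generator B fails
    "EDG_CCF": 5e-4,       # common-cause failure of both diesels
}

# Minimal cutsets: each is a set of events that together lead to core damage.
CUTSETS = [
    frozenset({"IE_TRANS", "HPI_FAIL", "OP_DEPRESS"}),
    frozenset({"IE_TRANS", "HPI_FAIL", "ADS_VLV_CCF"}),
    frozenset({"IE_LOOP", "EDG_A", "EDG_B"}),
    frozenset({"IE_LOOP", "EDG_CCF"}),
]


def cutset_freq(cutset, probs):
    """Frequency of one cutset: product of its event values."""
    return prod(probs[e] for e in cutset)


def cdf(cutsets, probs):
    """Core damage frequency by the rare-event approximation (sum of cutsets)."""
    return sum(cutset_freq(c, probs) for c in cutsets)


def minimize(cutsets):
    """Absorption: drop duplicates and any cutset that contains a smaller one."""
    unique = list(dict.fromkeys(cutsets))
    return [c for c in unique if not any(o < c for o in unique)]


def truncate(cutsets, probs, coverage=0.95):
    """Keep the highest-frequency cutsets until `coverage` of CDF is reached."""
    target = coverage * cdf(cutsets, probs)
    kept, running = [], 0.0
    for c in sorted(cutsets, key=lambda c: cutset_freq(c, probs), reverse=True):
        if running >= target:
            break
        kept.append(c)
        running += cutset_freq(c, probs)
    return kept


def importance(event, cutsets, probs):
    """Return FV, RAW and RRW of `event` for the given cutset list."""
    base = cdf(cutsets, probs)
    # CDF contribution (Fussell-Vesely): share of CDF from cutsets with the event.
    fv = cdf([c for c in cutsets if event in c], probs) / base
    # Risk achievement worth: CDF with the event certain to occur, over base CDF.
    # Removing the event from each cutset can make others non-minimal, so absorb.
    raw = cdf(minimize([c - {event} for c in cutsets]), probs) / base
    # Risk reduction worth: base CDF over CDF with the event made impossible.
    without = cdf([c for c in cutsets if event not in c], probs)
    rrw = float("inf") if without == 0 else base / without
    return {"fv": fv, "raw": raw, "rrw": rrw}


def compare(event):
    """Importance of `event` in the full model and after 95% truncation."""
    return (importance(event, CUTSETS, PROBS),
            importance(event, truncate(CUTSETS, PROBS), PROBS))


if __name__ == "__main__":
    for ev in ("OP_DEPRESS", "ADS_VLV_CCF"):
        full, cut = compare(ev)
        print(ev, "full:", full, "truncated:", cut)
```

In the full model the ADS valve common-cause event has the same risk achievement worth as the operator error (about 19) but a negligible CDF contribution, which is the shadowing effect. After truncation it drops out of the cutsets entirely and every measure reports it as insignificant.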

D-3

~

~

s

(

)

1 2

3 4

5 6

7 8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 Appendix E NEI PSA'Applications Guide Does the application address changes. that lead to a modification of the initiating event groups?

Does the application necessitate the introduction of new branches or top events to present concerns not addressed in the event trees?

INI'HATINGEVENTS

~

Does the application introduce consideration of new initiating events?

~

Does the application necessitate a reassessment of the frequencies of the initiating event groups?

~

Does the application increase the likelihood of a system failure that was bounded by an initiating event group to the extent that it needs to considered explicitly?

SUCCESS CRITERIA

~

Does the application necessitate modification of the success criteria?

Does the modification of success criteria necessitate changes in other criteria, such as system interdependencies?

EVENT TREES

Does the application address an issue that can be associated with a particular branch, or branches, on the event trees, and if so, is the branching structure adequate?

Does the application necessitate consideration of re-ordering branch points?

SYSTEM RELIABILITY MODELS

Does the application impact system design in such a way as to alter system reliability models?

Does the application impact the support functions of the system in such a way as to alter the dependencies in the model?

Does the application impact the system performance, and, if so, is that impact on the function obscured by conservative modeling techniques?

Does the application involve a change which may impact parameter values, and do the present estimates reflect the current status of the plant with respect to what is to be changed?

Is the application likely to affect CCF probabilities?

Is the application concerned with events that have been screened from the model, either in whole or in part?

Does the application impact a particular performance shaping factor (PSF), or a group of PSFs, and are they explicitly addressed in the estimation approach?

For example, if the issue is to address training, is training one of the PSFs used in the HRA?

PARAMETER DATA BASE

Can the application be clearly associated with one or more of the basic event definitions, or does it necessitate new basic events?

Does the application necessitate a specialized probability model (e.g., time-dependent model etc.)?

Does the application necessitate modifications to specific parameter values?

Does the application necessitate that the plant-specific (historical) data be taken into account, and can this be achieved easily by an update of the previous parameters?

DEPENDENT FAILURE ANALYSIS

Does the application introduce or suggest new common cause failure (CCF) contributions?

Does the application introduce new asymmetries that might create sub-groups within the CCF component groups?

HUMAN RELIABILITY ANALYSIS

Does the application involve a procedure change?

Does the application involve a new human action?

Does the application eliminate or modify an existing human action?

Does success in the application hinge on incorporating the impact of changes in PSFs, and if so, do the current estimates reflect the current status of these PSFs?

Does the application change relative magnitudes of probabilities?

Does the application only make probabilities smaller?

ANALYSIS OF RESULTS

Are there uncertainties in the application that could be clarified by the application of sensitivity studies?

Is it possible that the particular group of human error events that is affected by the change being analyzed has been truncated?

Does the change address new recovery actions?

QUANTIFICATION

Does the application change any of the basic event probabilities?

Is the new result needed in a short time scale?

Does the application necessitate a change in the truncation limits for the model?

Does the application necessitate an assessment of uncertainty, and is it to be qualitative or quantitative?

Does the application strategy necessitate an importance analysis to rank contributions?

Does the application necessitate that an importance, uncertainty, or sensitivity analysis of the base case PSA exist?

PLANT DAMAGE STATE CLASSIFICATION

Does the application impact the choice of parameters used to define plant damage states?

Do the Key Plant Damage States (KPDS) utilized adequately represent the results of the Level 1 analysis by including the plant damage states that have a significant frequency of occurrence?

Have those plant damage states that have been eliminated in this process been assigned to KPDSs of higher consequence (e.g., likelihood of Large Early Release)?

LEVEL 2 (CONTAINMENT ANALYSIS PSA)

Have new containment failure modes identified by the application been addressed in the PSA?

Are potential changes accounted for?

Does the application involve mechanisms that could lead to containment bypass?

Does the application directly affect the occurrence of any severe accident phenomena?

Is evacuation or sheltering being considered as a mitigation measure?

EXTERNAL EVENTS PSA (HAZARD ANALYSIS)

Does the change impact the availability and performance of necessary mitigation systems for an external hazard?

Are any dependencies among containment failure modes being changed?

Does the application involve mechanisms that could cause failure of the containment to isolate?

Does the application necessitate use of risk measures other than large early release?

LEVEL 3 (CONSEQUENCE ANALYSIS PSA)

Does the application necessitate detailed evacuee doses?

Are individual doses at specific locations needed for this application?

Are terrain features significant enough to impact local wind patterns?

Are long term doses a consideration in this application?

Will the changes introduce external hazards not previously evaluated?

Will the changes increase the intensity of existing hazards significantly?

Are design changes modifying the structural response of the plant being considered?

Does the application significantly modify the inputs to the plant model conditioned on the external event?

Are changes being requested for systems designed to mitigate against specific external events?

Will the changes affect the availability of equipment or instrumentation used for contingency plans?

Does the application involve availability and performance of containment systems under the external hazard?

SHUTDOWN PSA

Will the changes affect the scheduling of outage activities?

Will the changes affect the ability of the operator to respond to shutdown events?

Will the application affect the reliability of equipment used for shutdown conditions?

Appendix F

DETERMINISTIC CONSIDERATIONS

In addition to gaining insights from reviewing PRA results and related importance measures, licensees must consider certain deterministic factors in determining the safety significance and grading of quality elements for SSCs or activities.

Following are some examples of deterministic considerations.

Licensees should know if an SSC has multiple applications in the plant and is susceptible to generic or common-mode failure that could affect redundant trains or multiple plant systems.

The potential consequences of such common-mode failures should be considered.

When used in conjunction with PRA insights, the deterministic evaluations need to consider the scope of the PRA. For example, if the PRA is a Level 1 study, containment performance, including containment isolation functions, should be evaluated using deterministic factors. If the PRA scope includes only internal events, external events like fires, earthquakes, floods, and high winds should also be considered.

Likewise, low-power, shutdown, and transitional modes of operation may not be addressed by plant PRAs but nevertheless need to be considered in determining SSC safety significance.

The PRA may not provide insights related to some potential failure modes or may not model the failure of some SSCs on the basis of inherent reliability assumptions.

Such assumptions need to be evaluated to ensure that the safety significance of passive systems or structures is not underestimated.

In addition, certain failure modes, aging for example, may not be modelled as a result of credit taken for maintenance programs; in that case, licensees should consider whether the GQA program could invalidate the conclusions reached about SSC safety significance.

The redundancy of systems able to fulfill a critically important function may have the result that each individual system is determined to be of low safety significance. It may be prudent to designate at least one system associated with critical safety functions as high-safety-significant.

This approach is further discussed in Reference 9 and has been used at one of the volunteer plants in the development of GQA programs.

PRA importance measures may not fully address the significance of SSCs that support operator actions.

Such systems may include environmental controls, lighting, alarms, and annunciators.

The importance of such systems should be considered by the expert panel.

The panel should consider whether the loss of such systems could cause short-term or long-term problems, whether a system failure coincident with an accident is likely, and whether personnel could reasonably compensate for the loss of these support systems.

The expert panel should consider design and licensing basis information in its evaluations.

System descriptions or other documentation may provide valuable insights into the design basis functions and the safety significance of various SSCs.

A failure modes and effects analysis is another traditional deterministic design document that may have information valuable to the expert panel.

An understanding of design basis functions may also be important in grading QA controls.

Licensees may choose to develop GQA programs that reflect the multiplicity of regulations and programs to which some SSCs are subject.

For example, one licensee has excluded SSCs from the reduced QA controls category if those SSCs are also governed by ASME Code requirements.

Or an SSC may be subject to reduced QA controls except for activities associated with specific regulations or activities necessary to provide adequate confidence for a specific SSC characteristic; such an SSC may have added QA controls for design features such as environmental qualification or ASME Code requirements. This "targeted" approach has been proposed by another licensee developing GQA programs.
