| number = ML003740176

| issue date = 08/31/1998

| title = (Draft Issued as DG-1065) an Approach for Plant-Specific,Risk-Informed Decisionmaking:Technical Specifications

| author affiliation = NRC/RES

| contact person =  

| document report number = RG-1.177

| page count = 28

{{#Wiki_filter:U.S. NUCLEAR REGULATORY  

COMMISSION

GUIDE OFFICE OF NUCLEAR REGULATORY  

GUIDE 1.177 (Draft was Issued as DG-1065) AN APPROACH FOR PLANT-SPECIFIC, RISK-INFORMED  

DECISIONMAKING:  

TECHNICAL  

SPECIFICATIONS

The NRC's policy statement on probabilistic risk analysis (PRA)(Ref.

1) encourages greater use of this analysis technique to improve safety decisionmaking and improve regulatory efficiency.

The NRC staff's PRA Implementation Plan (Ref. 2) describes activities now under way or planned to expand this use. One ac tivity under way in response to the policy statement is the use of PRA in support of decisions to modify an in dividual plant's technical specifications (TS).  Licensee-initiated TS changes that are consistent with currently approved staff positions

[e.g., regulatory guides, standard review plans, branch technical posi tions, or the Standard Technical Specifications (STS) (Refs. 3-7)] are normally evaluated by the staff using traditional engineering analyses.

A licensee would not be expected to submit risk information in support of the proposed change. Licensee-initiated TS change re quests that go beyond current staff positions may be evaluated by the staff using traditional engineering analyses as well as the risk-informed approach set forth in this regulatory guide. A licensee may be requested to submit supplemental risk information if such informa tion is not provided in the original submittal by the li censee. If risk information on the proposed TS change is not provided to the staff, the staff will review the in formation provided by the licensee to determine whether the application can be approved based upon the information provided using traditional methods and will either approve or reject the application based upon the review.  The guidance provided here does not preclude other approaches for requesting changes to the TS.  Rather, this regulatory guide is intended to improve consistency in regulatory decisions when the results of risk analyses are used to help justify TS changes.

Background Section 182a of the Atomic Energy Act requires that applicants for nuclear power plant operating li censes state: [S]uch technical specifications, including information of the amount, kind, and source of special nuclear material re quired, the place of the use, the specific characteristics of the facility, and such other information as the Commission may, by rule or regulation, deem neces sary in order to enable it to find that the utilization

...of special nuclear material will be in accord with the common de fense and security and will provide ade-USNRC REGULATORY

GUIDES The guides wre issued In t following ton broad dvisions:

Reguolaty Guides am Issued to describe and make available to the pullic such Informa Ion as methods acceptable to the NRC staff for lmplementing pecdflc pers of the Com- 1. Power Reactor. 6. Products regulstons, technmiquesued bytheItanf ievautingepecc problems orpos. 2. Research and Test Reactors 7. Transportation tuiated acddents, and data needed by the NRC taff ltsrvIewofapplIct for per- 3. Fuel and Materials Fadlities Occuational Health mits and lcenses. Raguietory guOdes are not oulbtitutes for reguiations, and compliance

4, Envronmental and Siting 9. Anitut and FInancid Review wlththem Isno required.

10. General will be acceptable If they provide a basis for the Widings requisite to the issuarnce or con tnunce of a perfmi or license by the Commission.

Single copies of regulatory guides may be obtained free of charge by writing the Repro This gtide was Issued alter consideration of comments received from tie pbibc. Com- dumion end Distribution Services SecdM Office of the Chief Information Officer US. Nu ments aind suggestions for Improvements In tose guides areencouraged at eil times, and dear Regutlatory Commission, Washinlgton, DC 20555-0001;

or by ftx at (301)415-22W, u wi be revised, as appropriate, lo accommodate comments and to reflect new in- or by e-meal to GRWI@NRC.GOV.

ormalooreIxpseaece.

Issued guides may also be purchased from the National Technical Informtion Service on Written comments may be eibmltted to the Rules Review and Directives Branch. ADM. a sttanding order basis. Details on Itis service may be obtained by writing NTIS, 6285 Port U.S. Nudear Regulatory Commission, Washington.

DC 20M55-0001.

Royal Road, Springfield, VA 22101.

quate protection to the health and safety of the public. Such technical specifications shall be a part of any license issued. In Section 50.36, "Technical Specifications," of 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," the Commission estab lished its regulatory requirements related to the content of TS. In doing this, the Commission emphasized mat ters related to the prevention of accidents and the miti gation of accident consequences;

the Commission noted that applicants were expected to incorporate into their TS "those items that are directly related to main taining the integrity of the physical barriers designed to contain radioactivity" (33 FR 18612) (Ref. 8). Pursuant to 10 CFR 50.36, TS are required to contain items in the following five specific categories:

(1) safety limits, limiting safety system settings, and limiting control settings, (2) limiting conditions for operation, (3) sur veillance requirements, (4) design features, and (5) ad ministrative controls.

Since the mid-1980s, the NRC has been reviewing and granting improvements to TS based, at least in part, on PRA insights.

Some of these improvements have been proposed by the Nuclear Steam Supply System (NSSS) owners groups to apply to an entire class of plants. Many others have been proposed by individual licensees.

Typically, the proposed improvements in volved a relaxation of one or more allowed outage times (AOTs) or surveillance test intervals (STIs) in the "TS.1 In its July 22, 1993, final policy statement on TS "improvements (Ref. 9), the Commission stated that it: ...expects that licensees, in preparing their Technical Specification related submit tals, will utilize any plant-specific PSA or risk survey and any available literature on risk insights and PSAs... Similarly, the NRC staff will also employ risk insights and PSAs in evaluating Technical Speci fications related submittals.

Further, as a part of the Commission's ongoing pro gram of improving Technical Specifica tions, it will continue to consider methods to make better use of risk and reliability information for defining future generic Technical Specification requirements.

use the ter minology "completion times" and "surveillance frequency" in place of "allowed outage time" and "surveillance test interval." The Commission reiterated this point when it is sued the revision to 10 CFR 50.36 in July 1995 (Ref.  10).  In August 1995, the NRC adopted the policy state ment, including the following regarding the expanded use of PRA (Ref. 1).  " The use of PRA technology should be in creased in all regulatory matters to the ex tent supported by the state of the art in PRA methods and data and in a manner that complements the NRC's determinis tic approach and supports the NRC's traditional defense-in-depth philosophy.  " PRA and associated analyses (e.g., sensi tivity studies, uncertainty analyses, and importance measures)

should be used in regulatory matters, where practical within the bounds of the state of the art, to reduce unnecessary conservatism associated with current regulatory requirements, reg ulatory guides, license commitments, and staff practices.

Where appropriate, PRA should be used to support the proposal of additional regulatory requirements in ac cordance with 10 CFR 50.109 (Backfit Rule). Appropriate procedures for includ ing PRA in the process for changing regu latory requirements should be developed and followed.

It is, of course, understood that the intent of this policy is that existing rules and regulations shall be complied with unless these rules and regulations are revised.

PRA evaluations in support of regulatory decisions should be as realistic as practi cable and appropriate supporting data should be publicly available for review. The Commission's safety goals for nu clear power plants and subsidiary numeri cal objectives are to be used with ap propriate consideration of uncertainties in making regulatory judgments on need for proposing and backfitting new generic re quirements on nuclear power plant licen sees. In its approval of the policy statement, the Com mission articulated its expectation that implementation of the policy statement will improve the regulatory pro cess in three areas: foremost, through safety decision making enhanced by the use of PRA insights;

through 1.177-2 more efficient use of agency resources;

and through a reduction in unnecessary burdens on licensees.

Purpose of this Regulatory Guide .This regulatory guide describes methods accept able to the NRC staff for assessing the nature and im pact of proposed TS changes by considering engineer ing issues and applying risk insights.

Licensees submitting risk information (whether on their own ini tiative or at the request of the staff) should address each of the principles of risk-informed regulation discussed in this regulatory guide. Licensees should identify how chosen approaches and methods (whether they are quantitative or qualitative, traditional or probabilistic), data, and criteria for considering risk are appropriate for the decision to be made. This regulatory guide provides the staff's recom mendations for utilizing risk information to evaluate changes to nuclear power plant TS AOTs and STIs in order to assess the impact of such proposed changes on the risk associated with plant operation.

Other types of TS changes that follow the principles outlined in this regulatory guide may be proposed and will be consid ered on their own merit. The guidance provided here does not preclude other approaches for requesting TS changes. Rather, this regulatory guide is intended to improve consistency in regulatory decisions related to TS changes in which the results of risk analyses are used to help justify the change. As such, this regulatory guide, the use of which is voluntary, provides guidance concerning an approach that the NRC has determined to be acceptable for analyzing issues associated with pro posed changes to a plant's TS and for assessing the im pact of such proposed changes on the risk associated with plant design and operation.

Scope of this Regulatory Guide This regulatory guide describes an acceptable ap proach for assessing the nature and impact of proposed permanent TS changes in AOTs and STIs by consider ing engineering issues and applying risk insights.

As sessments should consider relevant safety margins and defense-in-depth attributes, including considering suc cess criteria as well as equipment functionality, reli ability, and availability.

Acceptance guidelines for evaluating the results of such evaluations are provided also. This regulatory guide also describes acceptable TS change implementation strategies and performance monitoring plans that will help ensure that assumptions and analyses supporting the change are verified.This regulatory guide indicates an acceptable level of documentation that will enable the staff to reach a finding that the licensee has performed a sufficiently complete and scrutable TS change analysis and that the results of the engineering evaluations support the li censee's request for the TS change. Risk-informed TS submittals primarily deal with permanent changes to TS requirements, i.e., as the name suggests, the requirement is permanently changed when approved, and is applicable to all future occurrences.

A one-time change to a TS requirement, in which a different requirement is requested for a par ticular incident, also can use risk-informed evaluations, but it involves slightly different scope and consider ations. This regulatory guide focuses on permanent changes to TS.  Relationship to Other Guidance Documents Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Deci sions on Plant-Specific Changes to the licensing Ba sis" (Ref. 11), describes a general approach to risk informed regulatory decisionmaking and includes dis cussion of specific topics common to all risk-informed regulatory applications.

This regulatory guide provi des guidance specifically for risk-informed TS changes consistent with but more detailed than the generally ap plicable guidance given in Regulatory Guide 1.174. The information collections contained in this regu latory guide are covered by the requirements of 10 CFR Part 50, which were approved by the Office of Manage ment and Budget, approval number 3150-0011.

The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information un less it displays a currently valid OMB control number.

==B. DISCUSSION==

Risk-Informed Philosophy In its approval of the policy statement on the use of PRA methods in nuclear regulatory activities, the Commission stated an expectation that "the use of PRA technology should be increased in all regulatory mat ters...in a manner that complements the NRC's deter ministic approach and supports the NRC's traditional defense-in-depth philosophy" (Ref. 1). The use of risk insights in licensee submittals requesting TS changes will assist the staff in the disposition of such licensee proposals.

The NRC staff has defined an acceptable approach to analyzing and evaluating proposed TS changes. This approach supports the NRC's desire to base its deci-1.177-3 sions on the results of traditional engineering evalua tions, supported by insights (derived from the use of PRA methods) about the risk significance of the pro posed changes. Decisions concerning proposed changes are expected to be reached in an integrated fashion, considering traditional engineering and risk information, and may be based on qualitative factors as well as quantitative analyses and information.

In implementing risk-informed decisionmaking, TS changes are expected to meet a set of key principles.

Some of these principles are written in terms typically used in traditional engineering decisions (e.g., defense in depth). While written in these terms, it should be un derstood that risk analysis techniques can be, and are encouraged to be, used to help ensure and show that these principles are met. These principles are: 1. The proposed change meets the current regula tions unless it is explicitly related to a requested exemption or rule change. Applicable rules and regulations that form the regulatory basis for TS are discussed in Regulatory Position 2.1, "Compliance with Current Regulations." 2. The proposed change is consistent with the de fense-in-depth philosophy.

The guidance con tained in Regulatory Position 2.2, "Traditional En gineering Considerations," applies the various aspects of maintaining defense in depth to the sub ject of changes in TS.  3. The proposed change maintains sufficient safe ty margins. The guidance contained in Regulatory Position 2.2, "Traditional Engineering Consider ations," applies various aspects of maintaining suf ficient safety margin to the subject of changes to TS.4. When proposed changes result in an increase in core damage frequency or risk, the increases should be small and consistent with the intent of the Commission's Safety Goal Policy State ment. Regulatory Position 2.3, "Evaluation of Risk Impact," provides guidance for meeting this principle.

5. The impact of the proposed change should be monitored using performance measurement strategies.

The three-tiered implementation ap proach discussed in Regulatory Position 3.1 and Maintenance Rule control discussed in Regulatory Position 3.2 provide guidance in meeting this prin ciple.  Additional information regarding to the staff's ex pectations with respect to implementation of these principles can be found in Regulatory Guide 1.174.  A Four-Element Approach to Integrated Decisionmaking for TS Changes Given the principles of risk-informed decision making discussed above, the staff expects that a certain evaluation approach and the acceptance guidelines that follow from those principles will be followed by licen sees in implementing these principles, and the staff has identified a four-element approach to evaluating pro posed changes to a plant's design, operations, and other activities that require NRC approval (illustrated in Fig ure 2), as described in Regulatory Guide 1.174 (Ref.  11). Those detailed discussions regarding the evalua tion approach and acceptance guidelines are not re peated here; instead, specific application of the four-element approach for risk-informed changes to IS is discussed.

1.177-4 Figure 2. Principal Elements of Risk-Informed, Plant-Specific Decisionmaking Element 1: Define the Proposed Change The licensee needs to explicitly identify the partic ular TS that are affected by the proposed change and identify available engineering studies (e.g., topical re ports), methods, codes, and PRA studies that are related to the proposed change. The licensee should also deter mine how the affected systems, components, or param eters are modeled in the PRA and should identify all elements of the PRA that the change impacts. This in formation should be used collectively to provide a de scription of the TS change and to outline the method of analysis.

The licensee should describe the proposed change and how it meets the objectives of the Commis sion's PRA Policy Statement, including enhanced deci sionmaking, more efficient use of resources, and reduc tion of unnecessary burden. Regulatory Position 1 describes element 1 in more detail.  Element 2: Perform Engineering Analysis The licensee should examine the proposed TS change to verify that it meets existing applicable rules and regulations.

In addition, the licensee should deter mine how the change impacts defense-in-depth aspects of the plant's design and operation and should deter mine the adequacy of safety margins following the pro posed change. The licensee should consider how plant and industry operating experience relates to the pro posed change, and whether potential compensatory measures could be taken to offset any negative impact from the proposed change.  The licensee should also perform risk-informed evaluations of the proposed change to determine the impact on plant risk. The evaluation should explicitly consider the specific plant equipment affected by the proposed TS changes and the effects of the proposed change on the functionality, reliability, and availability of the affected equipment.

The necessary scope and le vel of detail of the analysis depends upon the particular systems and functions that are affected, and it is recog nized that there will be cases for which a qualitative, rather than quantitative, risk analysis is acceptable.

The licensee should provide the rationale that sup ports the acceptability of the proposed changes by inte grating probabilistic insights with traditional consider ations to arrive at a final determination of risk. The determination should consider continued conformance to applicable rules and regulations, the adequacy of the traditional engineering evaluation of the proposed change, and the change in plant risk relative to the ac ceptance guidelines.

All these areas should be ade quately addressed before the change is considered ac ceptable.

Specific guidance for an acceptable approach for performing engineering evaluations of changes to TS is found in Regulatory Position 2. Element 3: Define Implementation and Monitoring Program The licensee should consider implementation and performance monitoring strategies formulated to en sure (1) that no adverse safety degradation occurs be cause of the changes to the TS and (2) that the engineer ing evaluation conducted to examine the impact of the proposed changes continues to reflect the actual reli ability and availability of TS equipment that has been evaluated.

This will ensure that the conclusions that have been drawn from the evaluation remain valid.  Specific guidance for Element 3 is provided in Regula tory Position 3. Element 4: Submit Proposed Change The final element involves documenting the analy ses and submitting the license amendment request.

(10 CFR 50.90,50.91, and 50.92).  Guidance on documentation and submittals for risk-in formed TS change evaluations is in Regulatory Posi tion 4 of this regulatory guide.1.177-5 C. REGULATORY

POSITION 1. ELEMENT 1: DEFINE THE PROPOSED CHANGES 1.1 Reason for Proposed Change The reasons for requesting the TS change or changes should be stated in the submittals, along with information that demonstrates that the extent of the change is needed. Generally, acceptable reasons for re questing TS changes fall into one or more of the catego ries below.  1.1.1 Improvement in Operational Safety The reason for the TS change may be to improve operational safety; that is, a reduction in the plant risk or a reduction in occupational exposure of plant person nel in complying with the requirements.

1.1.2 Consistency of Risk Basis in Regulatory Requirements The TS changes requested can be supported on their risk implications.

TS requirements can be changed to reflect improved design features in a plant or to reflect equipment reliability improvements that make a previous requirement unnecessarily stringent or ineffective.

TS may be changed to establish consistent ly based requirements across the industry or across an industry group. It must be ensured that the risk result ing from the change remains acceptable.

1.1.3 Reduce Unnecessary Burdens The change may be requested to reduce unneces sary burdens in complying with current TS require ments, based on the operating history of the plant or in dustry in general. For example, in specific instances, the repair time needed may be longer than the AOT de fined in the TS. The required surveillance may lead to plant transients, result in unnecessary equipment wear, result in excessive radiation exposure to plant person nel, or place unnecessary administrative burdens on plant personnel that are not justified by the safety sig nificance of the surveillance requirement.

In some cases, the change may provide operational flexibility;

in those cases, the change might allow an increased allocation of the plant personnel's time to more safety-significant aspects.

In some cases, licensees may determine there is a common need for a TS change among several licensees and that it is beneficial to request the changes as a group rather than individually.

Group submittals can be ad vantageous when the equipment being considered in the change is similar across all plants in the group.Plant-specific information with regard to the engineer ing evaluations described in Regulatory Position 2 must still be provided.

However, the group may be able to draw generic conclusions from a compilation of the plant-specific data. In addition, there will be benefits from cross-comparison of the results of the plant-spe cific evaluations.

2. ELEMENT 2: ENGINEERING

As part of the second element, the licensee should evaluate the proposed TS change with regard to the principles that adequate defense in depth is maintained, that sufficient safety margins are maintained, and that proposed increases in core damage frequency and risk are small and are consistent with the intent of the Com mission's Safety Goal Policy Statement.

Licensees are expected to provide strong technical bases for any TS change. The technical bases should be rooted in traditional engineering and system analyses.

TS change requests based on PRA results alone should not be submitted for review. TS change requests should give proper attention to the integration of consider ations such as conformance to the STS, generic applica bility of the requested change if it is different from the STS, operational constraints, manufacturer recommen dations, and practical considerations for test and main tenance. Standard practices used in setting AOTs and STIs should be followed, e.g., AOTs normally are 8 hours, 12 hours, 24 hours, 72 hours, 7 days, 14 days, etc. STIs normally are 12 hours, 7 days, 1 month, 3 months, etc. Usingsuch standards greatly simplifies implementation, sclduling, monitoring, and auditing.

Logical consistency among the requirements should be maintained, e.g., AOT requirements for multiple trains out of service should not be longer than that for one of the constituent trains. 2.1 Compliance with Current Regulations In evaluating proposed changes to TS, the licensee must ensure that the current regulations, orders, and li cense conditions are met, consistent with Principle I of risk-informed regulation.

The NRC regulations specif ic toTIS are stated in 10 CFR 50.36, "Technical Specifi cations." Additional information with regard to the NRC's policies on TS is contained in the "Final Policy Statement on Technical Specification Improvements for Nuclear Power Reactors" (58 FR 39132) of July 22, 1993 (Ref. 9). These documents define the main ele ments of TS and provide criteria for items to be in cluded in the TS. The final policy statement and the statement of considerations for 10 CFR 50.36 of July 19,1995 (Ref. 10), also discuss the use of probabilistic

1.177-6 approaches to improve TS. Regulations regarding ap plication for and issuance of license amendments are found in 10 CFR 50.90,50.91, and 50.92. In addition, the licensee should ensure that any discrepancies be tween the proposed TS change and licensee commit ments are identified and considered in the evaluation.

2.2.1 Defense in Depth The engineering evaluation conducted should de termine whether the impact of the proposed TS change is consistent with the defense-in-depth philosophy.

In this regard, the intent of the principle is to ensure that the philosophy of defense in depth is maintained, not to prevent changes in the way defense in depth is achieved.

The defense-in-depth philosophy has tradi tionally been applied in reactor design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material.

It has been and continues to be an effective way to account for uncertainties in equipment and human performance.

When a comprehensive risk analysis can be performed, it can be used to help determine the appropriate extent of defense in depth (e.g., balance among core damage prevention, containment failures, and consequence mitigation)

to ensure protection of public health and safety. When a comprehensive risk analysis is not or cannot be performed, traditional defense-in-depth con siderations should be used or maintained to account for uncertainties.

The evaluation should consider the in tent of the general design criteria, national standards, and engineering principles such as the single failure cri terion. Further, the evaluation should consider the im pact of the proposed IS change on barriers (both pre ventive and mitigative)

to core damage, containment failure or bypass, and the balance among defense-in depth attributes.

As stated earlier, the licensee should select the engineering analysis techniques, whether quantitative or qualitative, traditional or probabilistic, appropriate to the proposed TS change.  The licensee should assess whether the proposed TS change meets the defense-in-depth principle.

De fense in depth consists of a number of elements as sum marized below. These elements can be used as guide lines for assessing defense in depth. Other equivalent acceptance guidelines may also be used.  Consistency with the defense-in-depth philosophy is maintained if:

* A reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved, i.e., the pro-posed change in a TS has not significantly changed the balance among these principles of prevention and mitigation, to the extent that such balance is needed to meet the acceptance criteria of the spe cific design basis accidents and transients, consis tent with 10 CFR 50.36. TS change requests should consider whether the anticipated operational changes associated with a TS change could introduce new accidents or transients or could in crease the likelihood of an accident or transient (as is required by 10 CFR 50.92).  " Over-reliance on programmatic activities to com pensate for weaknesses in plant design is avoided, e.g., use of high reliability estimates that are pri marily based on optimistic program assumptions.  " System redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system, e.g., there are no risk outliers.

The follow ing items should be considered.

-Whether there are appropriate restrictions in place to preclude simultaneous equipment out ages that would erode the principles of redun dancy and diversity, -Whether compensatory actions to be taken when entering the modified AOT for pre planned maintenance are identified, -Whether voluntary removal of equipment from service during plant operation should not be scheduled when adverse weather conditions are predicted or at times when the plant may be subjected to other abnormal conditions, and .Whether the impact of the TS change on the safety function should be taken into consider ation. For example, what is the impact of a change in the AOT for the low-pressure safety injection system on the overall availability and reliability of the low-pressure injection func tion? " Defenses against potential common cause failures are maintained and the potential for introduction of new common cause failure mechanisms is as sessed, e.g., TS change requests should consider whether the anticipated operational changes asso ciated with a change in an AOT or STI could introduce any new common cause failure modes not previously considered.  " Independence of physical barriers is not degraded, e.g., TS change requests should address a means of ensuring that the independence of barriers has not 177-7 I I

been degraded by the TS change (e.g., when chang ing TS for containment systems). 

"* Defenses against human errors are maintained, e.g., TS change requests should consider whether the anticipated operation changes associated with a change in an AOT or STI could change the ex pected operator response or introduce any new hu man errors not previously considered, such as the change from performing maintenance during shut down to performing maintenance at power when different personnel and different activities may be involved.

"* The intent of the General Design Criteria in Appen dix A to 10 CFR Part 50 is maintained.

2.2.2 Safety Margins The engineering evaluation conducted should as sess whether the impact of the proposed TS change is consistent with the principle that sufficient safety mar gins are maintained (Principle

3). An acceptable set of guidelines for making that assessment are summarized below. Other equivalent decision guidelines are ac ceptable.

Sufficient safety margins are maintained when: "* Codes and standards (e.g., American Society of Mechanical Engineers (ASME), Institute of Elec trical and Electronic Engineers (IEEE) or alterna tives approved for use by the NRC are met, e.g., the proposed TS AOT or STI change is not in conflict with approved Codes and standards relevant to the subject system. "* Safety analysis acceptance criteria in the Final Safety Analysis Report (FSAR) are met, or pro posed revisions provide sufficient margin to ac count for analysis and data uncertainties, e.g., the proposed TS AOT or STI change does not ad versely affect any assumptions or inputs to the safety analysis, or, if such inputs are affected,justi fication is provided to ensure sufficient safety mar gin will continue to exist. For TS AOT changes, an assessment should be made of the effect on the FSAR acceptance criteria assuming the plant is in the AOT (i.e., the subject equipment is inoperable)

and there are no additional failures.

Such an as sessment should result in the identification of all si tuations in which entry into the proposed AOT could result in failure to meet an intended safety function.

2.3 Evaluation of Risk Impact The NRC staff has identified a three-tiered ap proach for licensees to evaluate the risk associated with proposed TS AOT changes. Tier I is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in core damage frequency (ACDF), the incremental conditional core damage probability (ICCDP), 2 and, when appropriate, the change in large early release frequency (ALERF) and the incremental conditional large early release proba bility (ICLERP).3 Tier 2 is an identification of poten tially high-risk configurations that could exist if equip ment in addition to that associated with the change were to be taken out of service simultaneously, or other risk significant operational factors such as concurrent sys tem or equipment testing were also involved.

The ob jective of this part of the evaluation is to ensure that appropriate restrictions on dominant risk-significant configurations associated with the change are in place.  Tier 3 is the establishment of an overall configuration risk management program to ensure that other poten tially lower probability, but nonetheless risk-signifi cant, configurations resulting from maintenance and other operational activities are identified and compen sated for. If the Tier 2 assessment demonstrates, with reasonable assurance, that there are no risk-significant configurations involving the subject equipment, the ap plication of Tier 3 to the proposed AOT may not be nec essary. Although defense in depth is protected to some degree by most current TS, application of the three tiered approach to risk-informed TS AOT changes dis cussed below provides additional assurance that de fense in depth will not be significantly impacted by such changes to the licensing basis.  Tier 1: PRA Capability and Insights In Tier 1, the licensee should assess the impact of the proposed TS change on CDF, ICCDP, and, when ap propriate, LERF and ICLERP. To support this assess ment, two aspects need to be considered:

(1) the valid ity of the PRA and (2) the PRA insights and findings.

The licensee should demonstrate that its PRA is valid for assessing the proposed TS changes and identify the impact of the TS change on plant risk.  Tier 2: Avoidance of Risk-Significant Plant Configurations The licensee should also provide reasonable assur ance that risk-significant plant equipment outage con figurations will not occur when specific plant equip ment is out of service consistent with the proposed TS 2 ICCDP -[(conditional CDF with the subject equipment out of ser vice)-(baseline CDFwith nominalexpected equipment unavailabili ties)] x (duration of single AOT under consideration). 

3 ICLERP -[(conditional LERF with the subject equipment out of service) -(baseline LERFwith nominal expected equipment unavai labilities)]

1.177-8 change. An effective way to perform such an asse., ment is to evaluate equipment according to contribution to plant risk (or safety) while the equi ment covered by the proposed AOT change is out service. Evaluation of such combinations of equipme out of service against the Tier 1 ICCDP acceptan guideline could be one appropriate method of identif ing risk-significant configurations.

Once plant equi ment is so evaluated, an assessment can be made as whether certain enhancements to the TS or procedur are needed to avoid risk-significant Plant configut tions. In addition, compensatory actions that can mi gate any corresponding increase in risk (e.g., baclk equipment, increased surveillance frequency, or u grading procedures and training)

should be identifit and evaluated.

Any changes made to the plant design operating procedures as a result of such a risk evalu tion (e.g., required backup equipment, increased st veillance frequency, or upgraded procedures and trai ing required before certain plant system configuratio can be entered) should be incorporated into the analys utilized for TS changes as described under Tier I abo-, Tier 3: Risk-Informed Configuration Risk Management The licensee should develop a program that e sures that the risk impact of out-of-service equipment appropriately evaluated prior to performing any mai tenance activity.

A viable program would be one that able to uncover risk-significant plant equipment outaj configurations in a timely manner during normal pla operation.

This can be accomplished by evaluating C impact on plant risk of, for example, equipment u availability, operational activities like testing or loi dispatching, or weather conditions.

The need for tl third tier stems from the difficulty of identifying possible risk-significant configurations under Tier that will ever be encountered over extended periods plant operation.

2.3.1 through 2.3.7 and A pendix A discuss various issues related to t] three-tiered approach described above. In general, Re, ulatory Positions

2.3.2 through 2.3.5 and Appendix outline issues associated with Tier 1, and Regulato Positions

2.3.6 and 2.3.7 outline issues associated wi Tiers 2 and 3.  The NRC staff has identified several factors th should be considered in proposals for ST1 changes th are discussed below. In summary, the licensee shou identify the STIs to be evaluated, determine the ri: contribution associated with the subject STIs, dete mine the risk impact from the change to the propose;s- STI, and perform sensitivity and uncertainty evalua its tions to address uncertainties associated with the STI p- evaluations.

More detail on risk evaluation for STI of changes is provided in Regulatory Positions

2.3.1 :nt through 2.3.6 and in Appendix A.  Ice 2.3.1 Quality of the PRA p IlThe quality of the PRA must be compatible with to the safety implications of the TS change being re es quested and the role that the PRA plays in justifying ,a- that change. That is, the more the potential change in ti- risk or the greater the uncertainty in that risk from the Lp requested TS change, or both, the more rigor that must p- go into ensuring the quality of the PRA. One approach ed a licensee could use to ensure quality is to perform a or peer review of the PRA. In this case, the submittal a- should document the review process, the qualification ir- of the reviewers, a summary of the review findings, and n- resolutions to these findings when applicable.

Industry ns PRA certification programs and PRA cross es comparison studies could also be used to help ensure ,e. appropriate scope, level of detail, and quality of the PRA. If such a program or studies are to be used, a de scription of the program, including the approach and standard or guidelines to which the PRA is compared;

the depth of the review; and the make-up and qualifica n- tions of the personnel involved should be provided for is NRC review. Based on the peer review or other certifi n- cation process and on the findings from this process, the is licensee should justify why the PRA is adequate for the ge present TS application in terms of scope and quality. A nt peer review, certification, or cross-comparison would he not replace a staff review in its entirety, although the n- more confidence the staff has in the review that has id been performed by or for the licensee, the less rigor is should be expected of the staff review. For most TS re Ill views, demonstration of PRA quality by means of an 2 industry certification or cross-comparison process, in of combination with a focus-scoped staff review, should be sufficient.

Cross-comparisons are most appropriate when the system designs are similar across the plants he being compared.

Some licensees may elect to use the PRA underlying their individual plant examination A (IPE) to analyze the risk impact associated with re ry quested TS changes. It should be noted that the NRC th staff's review of the IPE submittal alone does not suf fice as an adequate review for TS applications.

at 2.3.2 Scope of the PRA for TS Change at Evaluations ld The scope and the level of PRA necessary to fully sk support the evaluation of a TS change depend on the :r- type of TS change being sought. The scope and level of ed analysis required is discussed below for a variety of 1.177-9 cases. However, in some cases, a PRA of sufficient scope may not be available.

This will have to be com pensated for by qualitative arguments, bounding analy ses, or compensatory measures.

As a minimum, for systems used to prevent core damage (i.e., most of the TS systems modeled in a PRA other than the containment systems), Level 1 evalua tions should be performed.

For containment systems, Level 2 evaluations are likely to be needed at least to the point of assessing containment structural performance in order to estimate the LERF. When only a Level 1 PRA is available but additional Level 2 information is desirable, one acceptable method for approximating the needed information is proposed in NUREG/CR 6595, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events" (Ref. 13).  For changes to TS requirements defined for the power operation mode, the scope of analysis should in clude internal fires and flooding if appropriate (e.g., when the subject TS equipment is located in areas iden tified as vulnerable to fires or floods). When changes to requirements for systems needed for decay heat remov al are considered, an appropriate assessment of shut down risk should also be considered.

Examples of such systems are auxiliary feedwater, residual heat removal, emergency diesel generator, and service water. Also, when AOTs are being modified to facilitate online maintenance (that is, transferring scheduled preventive maintenance (PM) from shutdown to power operation), the impact on the shutdown modes should also be eval uated. When available, using both power operation and shutdown models, a comparative evaluation may be presented to decide the appropriate condition for sched uling maintenance based on risk evaluations.

In some cases, a semi-quantitative analysis of shutdown risk may be adequate (e.g., fault tree analysis or failure modes and effects analysis). 

When AOTs are being modified in anticipation of the need for additional time for corrective maintenance, an assessment of transition risk (the risk of transition ing from power operation to the mode required by the current TS in question)

that could be incurred under the current, shorter AOT may be desirable, if the initial cal culated risk increase is near or somewhat above the ac ceptance guidelines.

Also, TS changes to requirements for a controlled shutdown (i.e., the time allocated to transit through hot standby to hot shutdown to cold shutdown, or to the final state that should be reached) should be evaluated, if possible, using a model for the transition risk covering these periods, or at least a quali tative evaluation of the transition risk.2.3.3 PRA Modeling 2.3.3.1 Detail Needed forTS Changes. To evalu ate a TS change, the specific systems or components in volved should be modeled in the PRA. The model should also be able to treat the alignments of compo nents during periods when testing and maintenance are being carried out. Typically, limiting conditions for op erations (LCOs) and surveillance requirements relate to the system trains or components that are modeled in the system fault trees of a PRA. System fault trees should be sufficiently detailed to specifically include all the components for which surveillance tests and mainte nance are performed and are to be evaluated.

"* For AOT evaluations, system train-level models are adequate as long as all components belonging to the train are clearly identified (i.e., all those components that could cause the train to fail). "* For evaluating STIs, individual component-level models are necessary.

Since PRAs are typically done at the component level, they are directly used to analyze both AOTs and STIs.  Component unavailability models should include contributions from random failure, common cause fail ure (CCF), test downtime, and maintenance downtime.

"* Changes to the component unavailability model for test downtime and maintenance downtime should be based on a realistic estimate of expected surveillance and maintenance practices after the TS change is approved and implemented, e.g., how often the AOT is expected to be entered for pre planned maintenance or surveillance.

"* The component unavailability model for test downtime and maintenance downtime should be based on plant-specific or industry-wide operating experience, or both, as appropriate.

"* The component unavailability model should have the flexibility to separate contributions from test and maintenance downtime.

For evaluating an AOT, the contribution from maintenance down time can be equated to zero to delete maintenance activities, if desired. For an STI evaluation, the contribution from test downtime determines a con tribution to risk from carrying out the test.  "* Additional details in terms of separating the failure rate contributions into cyclic demand-related and standby time-related contributions can be incorpo rated, if justifiable, for evaluating surveillance re quirements.

The CCF contributions should be modeled so that they can be modified to reflect the condition in which 1.177-10 i one or more of the components is unavailable.

It should be noted, however, that CCF modeling of components is not only dependent on the number of remaining in-service components, but is also dependent on the reason components were removed from service, i.e., whether for preventive or corrective maintenance.

For appropriate configuration risk management and con trol, preventive and corrective maintenance activities need to be considered, and licensees should, therefore, have the ability to address the subtle difference that ex ists between maintenance activities (see Section A.1.3.2 of Appendix A to this guide for details). 

To account for the effects of test placements for re dundant components in relation to each other (e.g., staggered or sequential test s'rategy), time-dependent models and additional evaluations using specialized codes may be used, if available.

If the PRA does not model the system for which the TS change is being requested, specialized analyses may be necessary when requesting changes to the TS for these systems. Examples of these situations are given below: " When a system is modeled in the event tree, but a detailed fault tree model is not provided (direct es timate of system unavailability from experience data or expert judgment is used), the TS evaluation can proceed in one of two ways: (1) A separate fault tree can be developed for the system for TS evaluation and used to comple ment the existing PRA model without directly modifying the PRA (e.g., detailed separate fault tree modeling of the reactor protection system combined with the existing PRA mod el), or (2) Abounding evaluation can be conducted based on the impact of system failures that are mod eled in the PRA event trees, that is, failure of any component in the system can be assumed to cause system failure.  " When a separate fault tree is developed, specificTS

requirements within the system can be changed and changes in the system unavailability can be measured, which can then be used in the PRA mod el to obtain the corresponding Level 1 and Level 2 and 3 measures, as appropriate.

Such evaluations can be considered similarly as those evaluations made directly using PRA models, but should satis fy the following conditions:

* (1) Failures within the system should not affect any other system or component failure, (2) The effect of system failure should not influ ence any initiating event frequency (or it should have a minimal or negligible effect), and (3) The system should not share components with another system.  ° When bounding evaluations are performed assum ing any failure in the system as a system failure, the calculated risk impacts for TS changes are ex pected to be overestimated.

The corresponding changes that may be acceptable will also be fewer than those that could have been justified using a de tailed model. When considering the incorporation of non-PRA factors, this perspective should be kept, while at the same time considering the lack of a detailed model. Here also, the above three condi tions discussed for the previous case apply. In some cases, since the risk-informed evaluation will be limited and some mis-estimation of the risk may have been incorporated, non-risk-related engineering considerations gain importance in the overall decision.

In such cases, arguments for the change also must be for small increments from current requirements.

2.3.3.2 Modeling of Initiating Events. Some ini tiating events resulting from support system failure (e.g., service water, component cooling water, instru ment air) are modeled explicitly in the logic model, i.e., fault tree models are developed in the PRA. Any TS change for these systems will affect the corresponding initiating event frequency as well as the system un availability and availability of other supported sys tems. The effect of TS changes on these initiating event frequencies should be considered.

Some test and maintenance activities can contrib ute to some transients.

Initiating-event frequencies used in the PRA do not typically separate out this con tribution, but such a separation may be needed during TS change evaluations.

For example, the effect of test caused transients may be evaluated in deciding an STI.  Initiating-event frequencies from conduct of the test (i.e., test-caused transients)  

could then be modeled sep arately to evaluate the risk contribution from test caused transients.

Data needs for estimating initiating event frequencies from test-caused transients are dis cussed in Section A.2 of the appendix to this guide.  2.3.3.3 Screening Criteria.

The main qualitative consideration regarding the screening of sequences in TS change evaluations is the inclusion of sequences di rectly affected by the TS change that would have been truncated by frequency-based screening alone. For ex ample, if the TS change involves accumulators in a pressurized-water reactor (P WR), qualitative consider-1.177-11 I I

ations imply that sequences that contain the accumula tors should be included, even if these sequences do not meet the frequency criteria.

Excluding these sequences would result in an underestimate of the risk impact of the TS changes.

23.3.4 Truncation Limits. Truncation levels should be used appropriately to ensure that significant underestimation, caused by truncation of cutsets, does not occur as discussed below. Additional precautions relevant to the cutset manipulation method of analysis are needed to avoid truncation errors in calculating risk measures.

Particular care should be taken if the evaluation of R 1 is based on requantifica tion of pre-solved cutsets, as the events related to the component of concern may not even appear in the cut sets. 2.3.4 Assumptions in AOT and STI Evaluations Using PRAs to evaluate TS changes requires con sideration of a number of assumptions made within the PRA that can have a significant influence on the ulti mate acceptability of the proposed changes. Such as sumptions should be discussed in the submittal re questing the TS changes. Assumptions that should be considered for AOT change evaluations can be summa rized as follows.

1. If AOT risk evaluations are performed using only the PRA for power operation (i.e., to calculate the risk associated with (a) the equipment being un available during power operation for the duration of the AOT and (b) any change in the AOT), the risk associated with shutting the plant down because of AOT violations is not being considered.

In most cases, this risk has not been considered or, if con sidered, is assumed to further justify the requested change. For some situations (e.g., for residual heat removal systems, service water systems, auxiliary feedwater systems), comparative risk evaluations of continued power operation vs. plant shutdown should be considered.

2. When calculating the risk impacts (i.e., a change in CDF or LERF caused by AOT changes), the change in average CDF should be estimated using the mean outage times (or an appropriate surrogate)

for the current and proposed AOTs. If a licensee chooses to use the zero maintenance state as the base case (case in which no equipment is unavail able because of maintenance), an explanation stat ing so should be part of the submittal.

Usually, data for outage times correspond to the current AOT, but not to the proposed AOT. Different assumptions are made to estimate the outage time corresponding to the proposed AOT. Assumptions concerning changes in maintenance practices under the ex tended AOT regime should be discussed and their impact on the results of the analysis characterized.

3. When the risk impact of an AOT change is evaluat ed, the yearly risk impact that is calculated takes into account the outage frequency.

An AOT exten sion may imply that the maintenance of the compo nent is improved, which may reduce the compo nent's failure rate, and consequently, reduce the frequency of outages needed for correcting degra dations or failure. Again, there are no experience data for the extended AOT; therefore, the assump tion should be made that both the frequency of out age for corrective maintenance and the compo nent's failure rate remain the same. Here, the beneficial aspect of maintenance is not quantified and this may give a slightly higher estimate of the yearly AOT risk measure for the proposed AOT.  4. Often, AOT extensions are requested to facilitate on-line (or at-power)

preventive maintenance of safety-system components.

The frequency and duration of the extension may be estimated and the risk impact from the resulting unavailability of such equipment can be calculated.

1.177-12

5. When AOTs of multiple safety system trains are extended, the likelihood of simultaneous outages of multiple components increases (resulting from combinations of failures, testing, and mainte nances) because the increased duration increases the probability of the individual events that consti tute the simultaneous multiple outages; hence, overlapping of routinely scheduled activities and random failures becomes more likely. The impact of such occurrences on the average plant risk, e.g., CDF, is small, but the conditional risk can be large.  This issue is addressed as part of the implementa tion considerations (see Regulatory Positions

2.3.7 and 4.1).  Assumptions that should be considered for STI evaluations can be summarized as follows.

1. Surveillance tests usually are assumed to detect failures that have occurred in the standby period.  The component failure rate, X, represents these fail ures in the formulation of component unavailabil ity. The test-limited risk is normally estimated by assuming that a surveillance test of a component detects the failures, and that after the test, the com ponent's unavailability resets to zero or "false" in the Boolean expression.

A few component fail ures, depending on a component's design and the test performed, may not be detected by a routine surveillance test. Usually, their contribution to risk is considered negligible.

2. Regular surveillance testing of a component, as performed for safety system components, is con sidered to influence its performance.

Generally, for most components, the increase of a surveillance in terval beyond a certain value may reduce the com ponent's performance (i.e., increase the failure rate). Experience data are not available to assess the STI values beyond which the component fail ure rate, X., increases.

If, in a risk-informed evalua tion of surveillance requirements, the failure rate is assumed to remain the same (i.e., unaffected by a change in the test interval), this assumption implies that the STIs are not being changed beyond the val ue at which k.may be affected.

Care should be taken not to extend the STIs beyond such values using risk-informed analyses only. 3. The timing of surveillance tests for redundant com ponents relative to each other (i.e., the test strategy used) has an impact on the risk measures calcu lated. Staggered or sequential test strategies are commonly used. The risk impacts of adopting dif ferent test strategies (e.g., sequential vs. staggered)

should be evaluated to determine whether there is an impact on the evaluation of the change being considered (NUREG/CR-6141, Ref. 14).  4. Notwithstanding the beneficial aspects of testing to detect failures that occur in a standby period, a number of adverse effects may be associated with the test: downtime to conduct the test, errors of res toration after the test, test-caused transients, and test-caused wear of the equipment.

Downtime and errors of restoration are usually modeled in a PRA, unless they are negligible.

Test-caused transients and wear of the equipment are applicable to a few tests, but they are not generally modeled separately in a PRA. However, they can be evaluated using PRA models supplemented with additional data and analysis.

however, qualitative arguments can also be presented to support the extension of a test inter val. If the adverse impact of testing is considered significant, such cases should be addressed quanti tatively.

2.3.5 Sensitivity and Uncertainty Analyses Relating to Assumptions in TS Change Evaluations As in any risk-informed study, risk-informed anal yses of TS changes can be affected by numerous uncer tainties regarding the assumptions made during the PRA model's development and application.

Sensitivity analyses may be necessary to address the important assumptions in the submittal made with respect to TS change analyses.

"* The impact of variation in repair/maintenance policy because of AOT changes (e.g., scheduling a PM of longer duration at power).  " The impact of variation in assumed mean down times or frequencies.

"* The effect of separating the cyclic demand vs.  standby time-related contribution to the compo nent's unavailability in deciding changes to an STI.

* The effect of details (e.g., equipment failure rate,)., 0) regarding how CCFs are modeled in the PRA.  Previous sensitivity analyses performed for risk informed TS changes have shown that the risk resulting from TS AOT changes is relatively insensitive to un certainties (compared, for example, to the effect on risk from uncertainties in assumptions regarding plant de sign changes, or regarding significant changes to plant operating procedures).

This is because the uncertain ties associated with AOT changes tend to similarly af fect the base case (i.e., before the change) and the 77-13 changed case (i.e., with the change in place). That is, the risks result from similar causes in both cases (i.e., no new initiating transients or subsequent failure modes are likely to have been introduced by relatively minor AOT changes).

AOT changes subject the plant to a variation in its exposure to the same type of risk, and the PRA model is able to predict, with relative sure ty based on data from operating experience, how much that risk will change based on that changed exposure.

Similar results are expected for STI changes. Licensees are expected to justify any deviations from these expec tations.

The above argument may be more difficult tojusti fy in cases when the effects of multiple outages may be come significant during relatively large increases in AOTs or STIs. In those cases, however, the Tier 2 and Tier 3 aspects of TS changes (i.e., configuration moni toring, risk predictions, and configuration control based on the risk predictions)

are expected to be robust and will be relied upon to control the resulting potential for significant risk increases.

4, as described in the Discussion section of this regulatory guide), and as part of proposed TS change evaluations, certain compensatory measures (discussed below) that balance the calculated risk increase caused by the changes may be considered.

This consideration should be made in light of the acceptance guidelines given in Regulatory Guide 1.174 (Ref. 11). Also, note that these considerations may be part of Tier 2 or Tier 3 programs.

When the licensee wishes to reduce the risk in crease resulting from a proposed change even though the individual change is judged by the licensee to meet the acceptance guidelines, the licensee might consider taking compensatory measures such as those suggested below. If compensatory measures are considered as part of the analysis of the change, they should be in cluded in the overall application for the TS change.  However, compensatory measures should not be relied upon to compensate for weaknesses in plant design.  Compensatory measures included in the submittal for a TS change should be measures for which the licensee is not already taking credit. Any such compensatory mea sures would become part of the licensing basis if the TS change were approved.

Examples of compensatory measures are: S Adding a test of a redundant train before initiating a scheduled maintenance activity as part of an AOT extension application.

"* Limiting simultaneous testing and maintenance of redundant or diverse systems as part of an AOT ex tension application.

"* Incorporating a staggered test strategy aspart of the STI extension application.

"* Improving test and maintenance procedures to re-. duce test-and maintenance-related errors. "* Improving operating procedures and operator training to reduce the impact of human errors.  "* Improving system designs, which reduces overall system unavailability and plant risk.  When compensatory measures are part of the TS change evaluation, the risk impact of these measures should be considered and presented, either quantita tively or qualitatively.

(1) Evaluation of the proposed TS changes without the compensatory measures.

(2) Evaluation of the proposed TS changes with the compensatory measures.

(3) Specific discussion of how each of the compensa tory measures is credited in the PRA model or dur ing the evaluation process.

2.3.7 Contemporaneous Configuration Control Consistent with the fundamental principle that changes to TS result in small increases in the risk to public health and safety (Principle

4), certain configu ration controls need to be utilized.

The need for the controls discussed below is described at the beginning of Regulatory Position 2.3 in the discussion regarding Tier 3.  2.3.7.1 Configuration Risk Management Pro gram (CRMP). Licensees should describe their capa bility to perform a contemporaneous assessment of the overall impact on safety of proposed plant configura tions prior to performing and during performance of maintenance activities that remove equipment, from service. Licensees should explain how these tools or other processes will be used to ensure that risk-signifi cant plant configurations will not be entered and that appropriate actions will be taken when unforeseen events put the plant in a risk-significant configuration.

., The TS Administrative Controls section should de scribe the licensee's program for performing a real time risk assessment.

The bases for TS for which an ex tended AOT is granted should reference this program 23.7.2 Key Components of the CRMP. The li censee should ensure that the CRMP contains the fol lowing key components.

1. The scope of structures, systems, and components (SSCs). to be included in the CRMP is all SSCs modeled in the licensee's plant PRA in addition to all SSCs considered high safety significant per Re vision 2 of Regulatory Guide 1.160 (Ref. 16) that are not modeled in the PRA.  2. The CRMP assessment tool is PRA-informed and may be in the form of a risk matrix, an on-line as sessment, or a direct PRA assessment.

3. The CRMP will be invoked as follows: For pre-planned entrance into the plant config uration described by a TS action statement with a risk-informed AOT, a risk assessment, including, at a minimum, a search for risk significant configurations, will be performed prior to entering the action statement.

description.

The following program should be incorpo rated and should be described in the TS Administrative Controls section."* For unplanned entrance into the plant configu ration described by a TS action statement with a risk-informed AOT, a similar assessment will be performed in a time frame defined by the plant's Corrective Action Program (Criteria XVI of Appendix B to 10 CFR Part 50).  "* When in the plant configuration described by a "TS action statement with a risk-informed AOT, if additional SSCs become inoperable or non functional, a risk assessment, including, at a minimum, a search for risk-significant config urations, will be performed in a time frame de fined by the plant's Corrective Action Program (Criteria XVI of Appendix B to 10 CFR Part 50). 4. Tier 2 commitments apply only for planned main tenance, but should be evaluated as part of the Tier 3 assessment for unplanned occurrences.

2: Control and Use of the CRMP Assessment Tool 1. Plant modifications and procedure changes will be monitored, assessed, and dispositioned.

* Evaluation of changes in plant configuration or PRA model features will be dispositioned by implementing PRA model changes or by the 1.177-15 SI i , MODEL CONFIGURATION

PROGRAM The Configuration Risk Management Program (CRMP) provides a proceduralized risk-informed assessment to manage the risk associated with equipment inoperability.

The program is to include the following.

a. Provisions for the control and implementation of a Level I at-power internal events PRA-informed methodolo gy. The assessment is to be capable of evaluating the applicable plant configuration.

b. Provisions for performing an assessment prior to entering the plant configuration described by the Limiting Conditions for Operation (LCO) Action Statement for preplanned activities.

c. Provisions for performing an assessment after entering the plant configuration described by the LCO Action Statement for unplanned entry into the LCO Action Statement.

d. Provisions for assessing the need for additional actions after the discovery of additional equipment-out-of service conditions while in the plant configuration described by the LCO Action Statement.

e. Provisions for considering other applicable risk-significant contributors such as Level 2 issues and external events, qualitatively or quantitatively.

Each submittal for a risk-informed TS AOT extension should contain appropriate changes to the Administrative Control section that incorporates the above program description, unless an approved CRMP program description has already been incorporated into the licensee's TS.

qualitative assessment of the impact of the changes on the CRMP assessment tool. This qualitative assessment recognizes that changes to the PRA take time to implement and that changes can be effectively compensated for without compromising the ability to make sound engineering judgments..

Limitations of the CRMP assessment tool are identified and understood for each specific AOT extension.

2. Procedures exist for the control and application of CRMP assessment tools, including a description of the process when the plant configuration of con cern is outside the scope of the CRMP assessment too

====l. Key Component ====

1. Quantitative assessments should be performed whenever necessary for sound decisionmaking.

2. When quantitative assessments are not necessary for sound decisionmaking, qualitative assessments can be performed.

Qualitative assessments should consider applicable existing insights from previous quantitative assessments.

4: Level 2 Issues and External Events External events and Level 2 issues are treated qual itatively or quantitatively, or both. 2.4 Acceptance Guidelines for TS Changes The guidelines discussed in Sections 2.2.4 and 2.2.5 of Regulatory Guide 1.174 (Ref. 11) are applica ble to TS AOT and STI change requests.

Risk acceptance guidelines are presented in those sections as a function of the result of the licensee's.risk analysis in terms of total CDF predicted for the plant and the change in CDF and LERF predicted for the TS changes requested by the licensee.

In addition, those sections discuss cases when the scope of the licensee's PRA does not include a Level 2 (containment performance)

analysis, and when, according to the guidelines pre sented in this regulatory guide and in Regulatory Guide 1.174, such an analysis is needed. TS submittals for changes to AOTs should also be evaluated against the risk acceptance guidelines presented herein, in addition to those in Regulatory Guide 1.174. Application of all the risk acceptance guidelines to individual proposals for TS changes will be done in a manner consistent with the fundamental principle that changes to TS result in small increases in the risk to the health and safety of the public (Principle

4, as described in the Discussion sec tion of this regulatory guide).  TS change evaluations may involve some small in crease in risk as quantified by PRA models. Usually, it is argued that such a small increase is offset by the many beneficial effects of the change that are not modeled by the PRA. The role of numerical guidelines is to ensure that the increase in risk is small, and to provide a quanti tative basis for the risk increase based on aspects of the TS change that are modeled or quantified.

The numerical guidelines used to decide an accept able TS change are taken into account along with other traditional considerations, operating experience, les sons learned from previous changes, and practical con siderations associated with test and maintenance prac tices. The final acceptability of the proposed change should be based on all these considerations and not solely on the use of PRA-informed results compared to numerical acceptance guidelines.

As discussed previously, the numerical guidelines are used to ensure that any increase in risk is within ac ceptable limits; traditional considerations are used to ensure that the change satisfies rules and regulations that are in effect; practical considerations judge the ac ceptability of implementing the change; and lessons learned from past experience ensure that mistakes are not repeated.

Using the risk measures discussed in this regula tory guide, the change in risk should be calculated for the TS changes and compared against the numeric guidelines referenced in Regulatory Guide 1.174, and for AOT changes, against the numerical guidelines presented below. In calculating the risk impact of the changed case, additional changes to be implemented as part of the change can be credited.

For example, in seek ing an STI change, if the test strategy is also to be changed, the effect of this should also be incorporated in the risk evaluation.

It should be noted that this regulatory guide, as well as Regulatory Guide 1.174, are applicable only to per manent (as opposed to temporary, or "one time") changes to TS requirements.

TS AOT changes are per manent changes, but because AOTs are entered infre quently and are temporary by their very nature, the fol lowing TS acceptance guidelines specific to AOT changes are provided for evaluating the risk associated

1.177-16 with the revised AOT, in addition to those acceptance guidelines given in Regulatory Guide 1.174.  1. The licensee has demonstrated that the TS AOT change has only a small quantitative impact on plant risk. An ICCDP 4 of less than 5.0E-7is con sidered small for a single TS AOT change.5 An ICLERP 6 of 5.OE-8 or less is also considered small. Also, the ICCDP contribution should be distributed in time such that any increase in the as sociated conditional risk is small and within the normal operating background (risk fluctuations)

of the plant (Tier 1).  2. The licensee has demonstrated that there are ap propriate restrictions on dominant risk-significant configurations associated with the change (Tier 2).  3. The licensee has implemented a risk-informed plant configuration control program. The licensee has implemented procedures to utilize, maintain, and control such a program (Tier 3).  In the context of the integrated decisionmaking, the acceptance guidelines should not be interpreted as being overly prescriptive.

They are intended to provide an indication, in numerical terms, of what is considered acceptable.

As such, the numerical values above are approximate values that provide an indication of the changes that are generally acceptable.

The ICCDP acceptance guideline of 5.OE-7 is based upon the hypo thetical situation in which the subject equipment at a representative plant is out for five hours, causing the CDF of the plant, with an as sumed baseline CDF of 1.OE4 per reactor year, to conditionally in crease to I.OE-3 per reactor year during the five-hour period. This basis assumes that the majority of repairs can be made infive hoursor less and that the NRC has accepted this level of risk for existingoper ating plants.  61CLERP [(conditional LERF with the subject equipment out of service) -(baseline LERF with nominal expected equipment unavailabilities)]

the acceptability (to support regulatory decisionmak ing) of the risk argument being considered, including the appropriate blend of quantitative and qualitative assessments.

2.5 Comparison of Risk of Available Alternatives In some cases, in support of a TS change, available alternatives are compared tojustify the TS change. For changes in TS AOTs, such cases primarily involve comparing the risk of shutting down with the risk of continuing power operation, given that the plant is not meeting one or more TS LCOs. Such comparisons can be used to justify that the increase in at-power risk asso ciated with the TS change is offset by the averting of some transition or shutdown risk.  In the case of an STI change, the beneficial and ad verse impacts can be similarly compared.

The modi fied STI should be chosen so that the benefit of testing is at least equal to, or greater than, the adverse effects of testing. For example, if the calibration of relays in the reactor protection system causes plant transients, the risk from the test-caused transients is then estimated and compared with the test-limited risk of an extended STI.  In using such guidelines, the following consider ations apply: (1) The uncertainty associated with the two measures being compared can differ and should be consid ered in deciding on an acceptable change.  (2) When the risk measures associated with all alterna tives are unacceptably large, ways to reduce the risk should be explored instead of only extending the TS requirement.

That is, a large risk from one of the alternatives should not be the justification for TS relaxation without giving appropriate attention to risk-reduction options. If the risk from test caused transients is large, attention may then be given to exploring changes in test procedures to re duce such risk, rather than only extending the test interval.

However, a combination of the two also may be appropriate.

3. ELEMENT 3: DEFINEIMPLEMEN

PROGRAM 3.1 Three-Tiered Implementation Approach As described in Regulatory Position 2.3, the staff expects the licensee to use a three-tiered approach in implementing the proposed TS AOT changes. Ap plication of the three-tiered approach is in keeping with the fundamental principle that the proposed change is consistent with the defense-in-depth philosophy.

Ap plication of the three-tiered approach provides assur-1.177-17 ance that defense in depth will not be significantly im pacted by the proposed change.  3.2 Maintenance Rule Control To ensure that extension of a TS AOT or STI does not degrade operational safety over time, the licensee should ensure, as part of its Maintenance Rule program (10 CFR 50.65), that when equipment does not meet its performance criteria, the evaluation required under the Maintenance Rule includes prior related TS changes in its scope. If the licensee concludes that the perfor mance or condition of TS equipment affected by a TS change does not meet established performance criteria, appropriate corrective action should be taken, in accor dance with the Maintenance Rule. Such corrective ac tion could include consideration of another TS change to shorten the revised AOT or STI, or imposition of a more restrictive administrative limit, if the licensee de termines this is an important factor in reversing the neg ative trend.  4. ELEMENT 4: DOCUMENTATION

The evaluations performed to justify the proposed TS changes should be documented and included in the license amendment request submittal.

Specifically, documentation to support risk-informed TS change re quests should include: "* A description of the TS changes being proposed and the reasons for seeking the changes, "* A description of the process used to arrive at the proposed changes, "* Traditional engineering evaluations performed,"* Changes made to the PRA for use in the TS change evaluation, "* Review of the applicability and quality of the PRA models for TS evaluations, "* Discussion of the risk measures used in evaluating the changes, "* Data developed and used in addition to the plant's PRA database, "* Summary of the riskmeasures calculated including intermediate results, "* Sensitivity and uncertainty analyses performed, "* Summary of the risk impacts of the proposed changes and any compensating actions proposed, "* A tabulation of the outage configurations that could threaten the integrity of the safety functions of the subject equipment and that are, or will be, prohibited by TS or plant procedures (Tier 2).  "* A description of the capability to perform a con temporaneous assessment of the overall impact on safety of proposed plant configurations, including an explanation of how these tools will be used to ensure that risk-significant plant configurations will not be entered and that appropriate actions will be taken when unforeseen events put the plant in a risk-significant configuration (Tier 3).  "* A marked up copy of the relevant TS and bases.  The level of detail provided in the TS Bases should include adequate information to provide the tech nical basis for the revised AOT or STI.  " All other documentation required to be submitted with a license amendment request.1.177-18 REFERENCES

Final Policy State ment," Federal Register, Vol. 60, p. 42622, Au gust 16, 1995.1 2. "Quarterly Status Update for the Probabilistic Risk Assessment Implementation Plan, SECY-97-234, October 14, 1997.1 3. USNRC, "Standard Technical Specifications, Bab cock and Wilcox Plants," NUREG-1430 (latest re vision).2 4. USNRC, "Standard Technical Specifications, Westinghouse Plants," NUREG-1431 (latest revi sion).2 5. USNRC, "Standard Technical Specifications, Combustion Engineering Plants," NUREG-1432 (latest revision).

fax (202)634-3343.

2 Copies of NUREG-series documents are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washing ton, DC20402-9328 (telephone

(202)512-2249);orfrom the Nation al Technical Information Service bywritingNTIS

at 5285 PortRoyal Road, Springfield, VA 22161. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW, Washington, DC; the PDR's mailing addressis Mail Stop LL-6, Washington, DC 20555; telephone

fax (fl22634-3343.

9. USNRC, "Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors,"FederalRegister, 58 FR 39132, July 22, 1993.  10. USNRC, 10 CFR 50.36, "Technical Specifica tions," Federal Register, 60 FR 36953, July 19, 1995.  11. USNRC, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," Regulatory Guide 1.174, July 1998.3 12. USNRC, "Risk-Informed Decisionmaking:

Tech nical Specifications," NUREG-0800, SRP Chapter 16.1, August 1998.3 13. W.T. Pratt et al., "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," Draft NUREG/ CR-6595, December 1997.3 14. P.K. Samanta and I.S.Kim, "Handbook of Methods for Risk-Based Analyses of Technical Specifica tions," NUREG/CR-6141, USNRC, December 1994.2 15. I.S. Kim et al., "Quantitative Evaluation of Sur veillance Test Intervals Including Test-Caused Risks," NUREG/CR-5775, USNRC, February 1992.2 16. USNRC, "Monitoring the Effectiveness of Mainte nance at Nuclear Power Plants," Regulatory Guide 1.160, Revision 2, March 1997.3 3Single copies of regulatory guides, both active and draft, and draft NUREG documents, may be obtained free of charge by writing the Reproduction and Distribution Services Section, OCIO, USNRC, Washington, DC 20555-0001, or by fax to (301)415-2289, or by email to GRWI@NRC.GOV