Regulatory Guide 1.177
| ML003740176 | |
|---|---|
| Issue date: | 08/31/1998 |
| From: | Office of Nuclear Regulatory Research |
| References | RG-1.177 |
U.S. NUCLEAR REGULATORY COMMISSION
August 1998 REGULATORY GUIDE
OFFICE OF NUCLEAR REGULATORY RESEARCH
REGULATORY GUIDE 1.177 (Draft was Issued as DG-1065)
AN APPROACH FOR PLANT-SPECIFIC, RISK-INFORMED
DECISIONMAKING: TECHNICAL SPECIFICATIONS
A. INTRODUCTION
The NRC's policy statement on probabilistic risk analysis (PRA) (Ref. 1) encourages greater use of this analysis technique to improve safety decisionmaking and improve regulatory efficiency. The NRC staff's PRA Implementation Plan (Ref. 2) describes activities now under way or planned to expand this use. One activity under way in response to the policy statement is the use of PRA in support of decisions to modify an individual plant's technical specifications (TS).
Licensee-initiated TS changes that are consistent with currently approved staff positions [e.g., regulatory guides, standard review plans, branch technical positions, or the Standard Technical Specifications (STS) (Refs. 3-7)] are normally evaluated by the staff using traditional engineering analyses. A licensee would not be expected to submit risk information in support of the proposed change. Licensee-initiated TS change requests that go beyond current staff positions may be evaluated by the staff using traditional engineering analyses as well as the risk-informed approach set forth in this regulatory guide. A licensee may be requested to submit supplemental risk information if such information is not provided in the original submittal by the licensee. If risk information on the proposed TS change is not provided to the staff, the staff will review the information provided by the licensee to determine whether the application can be approved based upon the information provided using traditional methods and will either approve or reject the application based upon the review.
The guidance provided here does not preclude other approaches for requesting changes to the TS. Rather, this regulatory guide is intended to improve consistency in regulatory decisions when the results of risk analyses are used to help justify TS changes.
Background
Section 182a of the Atomic Energy Act requires that applicants for nuclear power plant operating licenses state:
[S]uch technical specifications, including information of the amount, kind, and source of special nuclear material required, the place of the use, the specific characteristics of the facility, and such other information as the Commission may, by rule or regulation, deem necessary in order to enable it to find that the utilization ... of special nuclear material will be in accord with the common defense and security and will provide adequate protection to the health and safety of the public. Such technical specifications shall be a part of any license issued.
USNRC REGULATORY GUIDES
Regulatory Guides are issued to describe and make available to the public such information as methods acceptable to the NRC staff for implementing specific parts of the Commission's regulations, techniques used by the staff in evaluating specific problems or postulated accidents, and data needed by the NRC staff in its review of applications for permits and licenses. Regulatory guides are not substitutes for regulations, and compliance with them is not required. Methods and solutions different from those set out in the guides will be acceptable if they provide a basis for the findings requisite to the issuance or continuance of a permit or license by the Commission.
This guide was issued after consideration of comments received from the public. Comments and suggestions for improvements in these guides are encouraged at all times, and guides will be revised, as appropriate, to accommodate comments and to reflect new information or experience.
Written comments may be submitted to the Rules Review and Directives Branch, ADM, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.
The guides are issued in the following ten broad divisions:
1. Power Reactors
2. Research and Test Reactors
3. Fuel and Materials Facilities
4. Environmental and Siting
5. Materials and Plant Protection
6. Products
7. Transportation
8. Occupational Health
9. Antitrust and Financial Review
10. General
Single copies of regulatory guides may be obtained free of charge by writing the Reproduction and Distribution Services Section, Office of the Chief Information Officer, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; or by fax at (301)415-22W, or by e-mail to GRWI@NRC.GOV.
Issued guides may also be purchased from the National Technical Information Service on a standing order basis. Details on this service may be obtained by writing NTIS, 6285 Port Royal Road, Springfield, VA 22101.
In Section 50.36, "Technical Specifications," of 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," the Commission established its regulatory requirements related to the content of TS. In doing this, the Commission emphasized matters related to the prevention of accidents and the mitigation of accident consequences; the Commission noted that applicants were expected to incorporate into their TS "those items that are directly related to maintaining the integrity of the physical barriers designed to contain radioactivity" (33 FR 18612) (Ref. 8). Pursuant to 10 CFR 50.36, TS are required to contain items in the following five specific categories: (1) safety limits, limiting safety system settings, and limiting control settings, (2) limiting conditions for operation, (3) surveillance requirements, (4) design features, and (5) administrative controls.
Since the mid-1980s, the NRC has been reviewing and granting improvements to TS based, at least in part, on PRA insights. Some of these improvements have been proposed by the Nuclear Steam Supply System (NSSS) owners groups to apply to an entire class of plants. Many others have been proposed by individual licensees. Typically, the proposed improvements involved a relaxation of one or more allowed outage times (AOTs) or surveillance test intervals (STIs) in the TS.¹ In its July 22, 1993, final policy statement on TS improvements (Ref. 9), the Commission stated that it:
...expects that licensees, in preparing their Technical Specification related submittals, will utilize any plant-specific PSA or risk survey and any available literature on risk insights and PSAs... Similarly, the NRC staff will also employ risk insights and PSAs in evaluating Technical Specifications related submittals. Further, as a part of the Commission's ongoing program of improving Technical Specifications, it will continue to consider methods to make better use of risk and reliability information for defining future generic Technical Specification requirements.
¹ The improved STSs (Refs. 3-7) (NUREGs-1430-1434) use the terminology "completion times" and "surveillance frequency" in place of "allowed outage time" and "surveillance test interval."
The Commission reiterated this point when it issued the revision to 10 CFR 50.36 in July 1995 (Ref. 10).
In August 1995, the NRC adopted the policy statement, including the following regarding the expanded use of PRA (Ref. 1).
- The use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.
- PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state of the art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal of additional regulatory requirements in accordance with 10 CFR 50.109 (Backfit Rule). Appropriate procedures for including PRA in the process for changing regulatory requirements should be developed and followed. It is, of course, understood that the intent of this policy is that existing rules and regulations shall be complied with unless these rules and regulations are revised.
- PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.
- The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on need for proposing and backfitting new generic requirements on nuclear power plant licensees.
In its approval of the policy statement, the Commission articulated its expectation that implementation of the policy statement will improve the regulatory process in three areas: foremost, through safety decisionmaking enhanced by the use of PRA insights; through more efficient use of agency resources; and through a reduction in unnecessary burdens on licensees.
Purpose of this Regulatory Guide
This regulatory guide describes methods acceptable to the NRC staff for assessing the nature and impact of proposed TS changes by considering engineering issues and applying risk insights. Licensees submitting risk information (whether on their own initiative or at the request of the staff) should address each of the principles of risk-informed regulation discussed in this regulatory guide. Licensees should identify how chosen approaches and methods (whether they are quantitative or qualitative, traditional or probabilistic), data, and criteria for considering risk are appropriate for the decision to be made.
This regulatory guide provides the staff's recommendations for utilizing risk information to evaluate changes to nuclear power plant TS AOTs and STIs in order to assess the impact of such proposed changes on the risk associated with plant operation. Other types of TS changes that follow the principles outlined in this regulatory guide may be proposed and will be considered on their own merit. The guidance provided here does not preclude other approaches for requesting TS changes. Rather, this regulatory guide is intended to improve consistency in regulatory decisions related to TS changes in which the results of risk analyses are used to help justify the change. As such, this regulatory guide, the use of which is voluntary, provides guidance concerning an approach that the NRC has determined to be acceptable for analyzing issues associated with proposed changes to a plant's TS and for assessing the impact of such proposed changes on the risk associated with plant design and operation.
Scope of this Regulatory Guide
This regulatory guide describes an acceptable approach for assessing the nature and impact of proposed permanent TS changes in AOTs and STIs by considering engineering issues and applying risk insights. Assessments should consider relevant safety margins and defense-in-depth attributes, including considering success criteria as well as equipment functionality, reliability, and availability. Acceptance guidelines for evaluating the results of such evaluations are provided also.
This regulatory guide also describes acceptable TS change implementation strategies and performance monitoring plans that will help ensure that assumptions and analyses supporting the change are verified.
This regulatory guide indicates an acceptable level of documentation that will enable the staff to reach a finding that the licensee has performed a sufficiently complete and scrutable TS change analysis and that the results of the engineering evaluations support the licensee's request for the TS change.
Risk-informed TS submittals primarily deal with permanent changes to TS requirements, i.e., as the name suggests, the requirement is permanently changed when approved, and is applicable to all future occurrences. A one-time change to a TS requirement, in which a different requirement is requested for a particular incident, also can use risk-informed evaluations, but it involves slightly different scope and considerations. This regulatory guide focuses on permanent changes to TS.
Relationship to Other Guidance Documents
Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis" (Ref. 11), describes a general approach to risk-informed regulatory decisionmaking and includes discussion of specific topics common to all risk-informed regulatory applications. This regulatory guide provides guidance specifically for risk-informed TS changes consistent with but more detailed than the generally applicable guidance given in Regulatory Guide 1.174.
The information collections contained in this regulatory guide are covered by the requirements of 10 CFR Part 50, which were approved by the Office of Management and Budget, approval number 3150-0011. The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.
B. DISCUSSION
Risk-Informed Philosophy
In its approval of the policy statement on the use of PRA methods in nuclear regulatory activities, the Commission stated an expectation that "the use of PRA technology should be increased in all regulatory matters...in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy" (Ref. 1). The use of risk insights in licensee submittals requesting TS changes will assist the staff in the disposition of such licensee proposals.
The NRC staff has defined an acceptable approach to analyzing and evaluating proposed TS changes. This approach supports the NRC's desire to base its decisions on the results of traditional engineering evaluations, supported by insights (derived from the use of PRA methods) about the risk significance of the proposed changes. Decisions concerning proposed changes are expected to be reached in an integrated fashion, considering traditional engineering and risk information, and may be based on qualitative factors as well as quantitative analyses and information.
In implementing risk-informed decisionmaking, TS changes are expected to meet a set of key principles. Some of these principles are written in terms typically used in traditional engineering decisions (e.g., defense in depth). While written in these terms, it should be understood that risk analysis techniques can be, and are encouraged to be, used to help ensure and show that these principles are met. These principles are:
1. The proposed change meets the current regulations unless it is explicitly related to a requested exemption or rule change. Applicable rules and regulations that form the regulatory basis for TS are discussed in Regulatory Position 2.1, "Compliance with Current Regulations."
2. The proposed change is consistent with the defense-in-depth philosophy. The guidance contained in Regulatory Position 2.2, "Traditional Engineering Considerations," applies the various aspects of maintaining defense in depth to the subject of changes in TS.
3. The proposed change maintains sufficient safety margins. The guidance contained in Regulatory Position 2.2, "Traditional Engineering Considerations," applies various aspects of maintaining sufficient safety margin to the subject of changes to TS.
4. When proposed changes result in an increase in core damage frequency or risk, the increases should be small and consistent with the intent of the Commission's Safety Goal Policy Statement. Regulatory Position 2.3, "Evaluation of Risk Impact," provides guidance for meeting this principle.
5. The impact of the proposed change should be monitored using performance measurement strategies. The three-tiered implementation approach discussed in Regulatory Position 3.1 and Maintenance Rule control discussed in Regulatory Position 3.2 provide guidance in meeting this principle.
Additional information regarding the staff's expectations with respect to implementation of these principles can be found in Regulatory Guide 1.174.
A Four-Element Approach to Integrated Decisionmaking for TS Changes
Given the principles of risk-informed decisionmaking discussed above, the staff expects that a certain evaluation approach and the acceptance guidelines that follow from those principles will be followed by licensees in implementing these principles, and the staff has identified a four-element approach to evaluating proposed changes to a plant's design, operations, and other activities that require NRC approval (illustrated in Figure 2), as described in Regulatory Guide 1.174 (Ref. 11). Those detailed discussions regarding the evaluation approach and acceptance guidelines are not repeated here; instead, specific application of the four-element approach for risk-informed changes to TS is discussed.
Figure 1. Principles of Risk-Informed Integrated Decisionmaking
Figure 2. Principal Elements of Risk-Informed, Plant-Specific Decisionmaking
Element 1: Define the Proposed Change
The licensee needs to explicitly identify the particular TS that are affected by the proposed change and identify available engineering studies (e.g., topical reports), methods, codes, and PRA studies that are related to the proposed change. The licensee should also determine how the affected systems, components, or parameters are modeled in the PRA and should identify all elements of the PRA that the change impacts. This information should be used collectively to provide a description of the TS change and to outline the method of analysis. The licensee should describe the proposed change and how it meets the objectives of the Commission's PRA Policy Statement, including enhanced decisionmaking, more efficient use of resources, and reduction of unnecessary burden. Regulatory Position 1 describes element 1 in more detail.
Element 2: Perform Engineering Analysis
The licensee should examine the proposed TS change to verify that it meets existing applicable rules and regulations. In addition, the licensee should determine how the change impacts defense-in-depth aspects of the plant's design and operation and should determine the adequacy of safety margins following the proposed change. The licensee should consider how plant and industry operating experience relates to the proposed change, and whether potential compensatory measures could be taken to offset any negative impact from the proposed change.
The licensee should also perform risk-informed evaluations of the proposed change to determine the impact on plant risk. The evaluation should explicitly consider the specific plant equipment affected by the proposed TS changes and the effects of the proposed change on the functionality, reliability, and availability of the affected equipment. The necessary scope and level of detail of the analysis depends upon the particular systems and functions that are affected, and it is recognized that there will be cases for which a qualitative, rather than quantitative, risk analysis is acceptable.
The licensee should provide the rationale that supports the acceptability of the proposed changes by integrating probabilistic insights with traditional considerations to arrive at a final determination of risk. The determination should consider continued conformance to applicable rules and regulations, the adequacy of the traditional engineering evaluation of the proposed change, and the change in plant risk relative to the acceptance guidelines. All these areas should be adequately addressed before the change is considered acceptable. Specific guidance for an acceptable approach for performing engineering evaluations of changes to TS is found in Regulatory Position 2.
Element 3: Define Implementation and Monitoring Program
The licensee should consider implementation and performance monitoring strategies formulated to ensure (1) that no adverse safety degradation occurs because of the changes to the TS and (2) that the engineering evaluation conducted to examine the impact of the proposed changes continues to reflect the actual reliability and availability of TS equipment that has been evaluated. This will ensure that the conclusions that have been drawn from the evaluation remain valid. Specific guidance for Element 3 is provided in Regulatory Position 3.
Element 4: Submit Proposed Change
The final element involves documenting the analyses and submitting the license amendment request. NRC will review the submittal according to NRC Standard Review Plan (SRP) Chapter 16.1, "Risk-Informed Decisionmaking: Technical Specifications" (Ref. 12), and in accordance with the NRC regulations governing license amendments (10 CFR 50.90, 50.91, and 50.92). Guidance on documentation and submittals for risk-informed TS change evaluations is in Regulatory Position 4 of this regulatory guide.
C. REGULATORY POSITION
1. ELEMENT 1: DEFINE THE PROPOSED CHANGES
1.1 Reason for Proposed Change
The reasons for requesting the TS change or changes should be stated in the submittals, along with information that demonstrates that the extent of the change is needed. Generally, acceptable reasons for requesting TS changes fall into one or more of the categories below.
1.1.1 Improvement in Operational Safety
The reason for the TS change may be to improve operational safety; that is, a reduction in the plant risk or a reduction in occupational exposure of plant personnel in complying with the requirements.
1.1.2 Consistency of Risk Basis in Regulatory Requirements
The TS changes requested can be supported on their risk implications. TS requirements can be changed to reflect improved design features in a plant or to reflect equipment reliability improvements that make a previous requirement unnecessarily stringent or ineffective. TS may be changed to establish consistently based requirements across the industry or across an industry group. It must be ensured that the risk resulting from the change remains acceptable.
1.1.3 Reduce Unnecessary Burdens
The change may be requested to reduce unnecessary burdens in complying with current TS requirements, based on the operating history of the plant or industry in general. For example, in specific instances, the repair time needed may be longer than the AOT defined in the TS. The required surveillance may lead to plant transients, result in unnecessary equipment wear, result in excessive radiation exposure to plant personnel, or place unnecessary administrative burdens on plant personnel that are not justified by the safety significance of the surveillance requirement. In some cases, the change may provide operational flexibility; in those cases, the change might allow an increased allocation of the plant personnel's time to more safety-significant aspects.
In some cases, licensees may determine there is a common need for a TS change among several licensees and that it is beneficial to request the changes as a group rather than individually. Group submittals can be advantageous when the equipment being considered in the change is similar across all plants in the group. Plant-specific information with regard to the engineering evaluations described in Regulatory Position 2 must still be provided. However, the group may be able to draw generic conclusions from a compilation of the plant-specific data. In addition, there will be benefits from cross-comparison of the results of the plant-specific evaluations.
2. ELEMENT 2: ENGINEERING EVALUATION
As part of the second element, the licensee should evaluate the proposed TS change with regard to the principles that adequate defense in depth is maintained, that sufficient safety margins are maintained, and that proposed increases in core damage frequency and risk are small and are consistent with the intent of the Commission's Safety Goal Policy Statement.
Licensees are expected to provide strong technical bases for any TS change. The technical bases should be rooted in traditional engineering and system analyses. TS change requests based on PRA results alone should not be submitted for review. TS change requests should give proper attention to the integration of considerations such as conformance to the STS, generic applicability of the requested change if it is different from the STS, operational constraints, manufacturer recommendations, and practical considerations for test and maintenance. Standard practices used in setting AOTs and STIs should be followed, e.g., AOTs normally are 8 hours, 12 hours, 24 hours, 72 hours, 7 days, 14 days, etc. STIs normally are 12 hours, 7 days, 1 month, 3 months, etc. Using such standards greatly simplifies implementation, scheduling, monitoring, and auditing. Logical consistency among the requirements should be maintained, e.g., AOT requirements for multiple trains out of service should not be longer than that for one of the constituent trains.
2.1 Compliance with Current Regulations
In evaluating proposed changes to TS, the licensee must ensure that the current regulations, orders, and license conditions are met, consistent with Principle 1 of risk-informed regulation. The NRC regulations specific to TS are stated in 10 CFR 50.36, "Technical Specifications." Additional information with regard to the NRC's policies on TS is contained in the "Final Policy Statement on Technical Specification Improvements for Nuclear Power Reactors" (58 FR 39132) of July 22, 1993 (Ref. 9). These documents define the main elements of TS and provide criteria for items to be included in the TS. The final policy statement and the statement of considerations for 10 CFR 50.36 of July 19, 1995 (Ref. 10), also discuss the use of probabilistic approaches to improve TS. Regulations regarding application for and issuance of license amendments are found in 10 CFR 50.90, 50.91, and 50.92. In addition, the licensee should ensure that any discrepancies between the proposed TS change and licensee commitments are identified and considered in the evaluation.
2.2 Traditional Engineering Considerations
2.2.1 Defense in Depth
The engineering evaluation conducted should determine whether the impact of the proposed TS change is consistent with the defense-in-depth philosophy. In this regard, the intent of the principle is to ensure that the philosophy of defense in depth is maintained, not to prevent changes in the way defense in depth is achieved. The defense-in-depth philosophy has traditionally been applied in reactor design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It has been and continues to be an effective way to account for uncertainties in equipment and human performance. When a comprehensive risk analysis can be performed, it can be used to help determine the appropriate extent of defense in depth (e.g., balance among core damage prevention, containment failures, and consequence mitigation) to ensure protection of public health and safety. When a comprehensive risk analysis is not or cannot be performed, traditional defense-in-depth considerations should be used or maintained to account for uncertainties. The evaluation should consider the intent of the general design criteria, national standards, and engineering principles such as the single failure criterion. Further, the evaluation should consider the impact of the proposed TS change on barriers (both preventive and mitigative) to core damage, containment failure or bypass, and the balance among defense-in-depth attributes. As stated earlier, the licensee should select the engineering analysis techniques, whether quantitative or qualitative, traditional or probabilistic, appropriate to the proposed TS change.
The licensee should assess whether the proposed TS change meets the defense-in-depth principle. Defense in depth consists of a number of elements as summarized below. These elements can be used as guidelines for assessing defense in depth. Other equivalent acceptance guidelines may also be used.
Consistency with the defense-in-depth philosophy is maintained if:
- A reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved, i.e., the proposed change in a TS has not significantly changed the balance among these principles of prevention and mitigation, to the extent that such balance is needed to meet the acceptance criteria of the specific design basis accidents and transients, consistent with 10 CFR 50.36. TS change requests should consider whether the anticipated operational changes associated with a TS change could introduce new accidents or transients or could increase the likelihood of an accident or transient (as is required by 10 CFR 50.92).
- Over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided, e.g., use of high reliability estimates that are primarily based on optimistic program assumptions.
- System redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system, e.g., there are no risk outliers. The following items should be considered.
  - Whether there are appropriate restrictions in place to preclude simultaneous equipment outages that would erode the principles of redundancy and diversity,
  - Whether compensatory actions to be taken when entering the modified AOT for preplanned maintenance are identified,
  - Whether voluntary removal of equipment from service during plant operation should not be scheduled when adverse weather conditions are predicted or at times when the plant may be subjected to other abnormal conditions, and
  - Whether the impact of the TS change on the safety function should be taken into consideration. For example, what is the impact of a change in the AOT for the low-pressure safety injection system on the overall availability and reliability of the low-pressure injection function?
- Defenses against potential common cause failures are maintained and the potential for introduction of new common cause failure mechanisms is assessed, e.g., TS change requests should consider whether the anticipated operational changes associated with a change in an AOT or STI could introduce any new common cause failure modes not previously considered.
- Independence of physical barriers is not degraded, e.g., TS change requests should address a means of ensuring that the independence of barriers has not been degraded by the TS change (e.g., when changing TS for containment systems).
- Defenses against human errors are maintained, e.g., TS change requests should consider whether the anticipated operation changes associated with a change in an AOT or STI could change the expected operator response or introduce any new human errors not previously considered, such as the change from performing maintenance during shutdown to performing maintenance at power when different personnel and different activities may be involved.
- The intent of the General Design Criteria in Appendix A to 10 CFR Part 50 is maintained.
2.2.2 Safety Margins The engineering evaluation conducted should as sess whether the impact of the proposed TS change is consistent with the principle that sufficient safety mar gins are maintained (Principle 3). An acceptable set of guidelines for making that assessment are summarized below. Other equivalent decision guidelines are ac ceptable.
Sufficient safety margins are maintained when:
• Codes and standards (e.g., American Society of Mechanical Engineers (ASME), Institute of Electrical and Electronic Engineers (IEEE)) or alternatives approved for use by the NRC are met, e.g., the proposed TS AOT or STI change is not in conflict with approved Codes and standards relevant to the subject system.
• Safety analysis acceptance criteria in the Final Safety Analysis Report (FSAR) are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainties, e.g., the proposed TS AOT or STI change does not adversely affect any assumptions or inputs to the safety analysis, or, if such inputs are affected, justification is provided to ensure sufficient safety margin will continue to exist. For TS AOT changes, an assessment should be made of the effect on the FSAR acceptance criteria assuming the plant is in the AOT (i.e., the subject equipment is inoperable) and there are no additional failures. Such an assessment should result in the identification of all situations in which entry into the proposed AOT could result in failure to meet an intended safety function.
2.3 Evaluation of Risk Impact
The NRC staff has identified a three-tiered approach for licensees to evaluate the risk associated with proposed TS AOT changes. Tier 1 is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in core damage frequency (ΔCDF), the incremental conditional core damage probability (ICCDP),² and, when appropriate, the change in large early release frequency (ΔLERF) and the incremental conditional large early release probability (ICLERP).³ Tier 2 is an identification of potentially high-risk configurations that could exist if equipment in addition to that associated with the change were to be taken out of service simultaneously, or other risk-significant operational factors such as concurrent system or equipment testing were also involved. The objective of this part of the evaluation is to ensure that appropriate restrictions on dominant risk-significant configurations associated with the change are in place. Tier 3 is the establishment of an overall configuration risk management program to ensure that other potentially lower probability, but nonetheless risk-significant, configurations resulting from maintenance and other operational activities are identified and compensated for. If the Tier 2 assessment demonstrates, with reasonable assurance, that there are no risk-significant configurations involving the subject equipment, the application of Tier 3 to the proposed AOT may not be necessary. Although defense in depth is protected to some degree by most current TS, application of the three-tiered approach to risk-informed TS AOT changes discussed below provides additional assurance that defense in depth will not be significantly impacted by such changes to the licensing basis.
Tier 1: PRA Capability and Insights
In Tier 1, the licensee should assess the impact of the proposed TS change on CDF, ICCDP, and, when appropriate, LERF and ICLERP. To support this assessment, two aspects need to be considered: (1) the validity of the PRA and (2) the PRA insights and findings. The licensee should demonstrate that its PRA is valid for assessing the proposed TS changes and identify the impact of the TS change on plant risk.
Tier 2: Avoidance of Risk-Significant Plant Configurations
The licensee should also provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when specific plant equipment is out of service consistent with the proposed TS change. An effective way to perform such an assessment is to evaluate equipment according to its contribution to plant risk (or safety) while the equipment covered by the proposed AOT change is out of service. Evaluation of such combinations of equipment out of service against the Tier 1 ICCDP acceptance guideline could be one appropriate method of identifying risk-significant configurations. Once plant equipment is so evaluated, an assessment can be made as to whether certain enhancements to the TS or procedures are needed to avoid risk-significant plant configurations. In addition, compensatory actions that can mitigate any corresponding increase in risk (e.g., backup equipment, increased surveillance frequency, or upgrading procedures and training) should be identified and evaluated. Any changes made to the plant design or operating procedures as a result of such a risk evaluation (e.g., required backup equipment, increased surveillance frequency, or upgraded procedures and training required before certain plant system configurations can be entered) should be incorporated into the analyses utilized for TS changes as described under Tier 1 above.

² ICCDP = [(conditional CDF with the subject equipment out of service) - (baseline CDF with nominal expected equipment unavailabilities)] x (duration of single AOT under consideration).
³ ICLERP = [(conditional LERF with the subject equipment out of service) - (baseline LERF with nominal expected equipment unavailabilities)] x (duration of single AOT under consideration).
Tier 3: Risk-Informed Configuration Risk Management
The licensee should develop a program that ensures that the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity. A viable program would be one that is able to uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation. This can be accomplished by evaluating the impact on plant risk of, for example, equipment unavailability, operational activities like testing or load dispatching, or weather conditions. The need for the third tier stems from the difficulty of identifying all possible risk-significant configurations under Tier 2 that will ever be encountered over extended periods of plant operation.
Regulatory Positions 2.3.1 through 2.3.7 and Appendix A discuss various issues related to the three-tiered approach described above. In general, Regulatory Positions 2.3.2 through 2.3.5 and Appendix A outline issues associated with Tier 1, and Regulatory Positions 2.3.6 and 2.3.7 outline issues associated with Tiers 2 and 3.
The NRC staff has identified several factors that should be considered in proposals for STI changes that are discussed below. In summary, the licensee should identify the STIs to be evaluated, determine the risk contribution associated with the subject STIs, determine the risk impact from the change to the proposed STI, and perform sensitivity and uncertainty evaluations to address uncertainties associated with the STI evaluations. More detail on risk evaluation for STI changes is provided in Regulatory Positions 2.3.1 through 2.3.6 and in Appendix A.
2.3.1 Quality of the PRA
The quality of the PRA must be compatible with the safety implications of the TS change being requested and the role that the PRA plays in justifying that change. That is, the more the potential change in risk or the greater the uncertainty in that risk from the requested TS change, or both, the more rigor that must go into ensuring the quality of the PRA. One approach a licensee could use to ensure quality is to perform a peer review of the PRA. In this case, the submittal should document the review process, the qualification of the reviewers, a summary of the review findings, and resolutions to these findings when applicable. Industry PRA certification programs and PRA cross-comparison studies could also be used to help ensure appropriate scope, level of detail, and quality of the PRA. If such a program or studies are to be used, a description of the program, including the approach and standard or guidelines to which the PRA is compared; the depth of the review; and the make-up and qualifications of the personnel involved should be provided for NRC review. Based on the peer review or other certification process and on the findings from this process, the licensee should justify why the PRA is adequate for the present TS application in terms of scope and quality. A peer review, certification, or cross-comparison would not replace a staff review in its entirety, although the more confidence the staff has in the review that has been performed by or for the licensee, the less rigor should be expected of the staff review. For most TS reviews, demonstration of PRA quality by means of an industry certification or cross-comparison process, in combination with a focus-scoped staff review, should be sufficient. Cross-comparisons are most appropriate when the system designs are similar across the plants being compared. Some licensees may elect to use the PRA underlying their individual plant examination (IPE) to analyze the risk impact associated with requested TS changes. It should be noted that the NRC staff's review of the IPE submittal alone does not suffice as an adequate review for TS applications.
2.3.2 Scope of the PRA for TS Change Evaluations
The scope and the level of PRA necessary to fully support the evaluation of a TS change depend on the type of TS change being sought. The scope and level of analysis required is discussed below for a variety of cases. However, in some cases, a PRA of sufficient scope may not be available. This will have to be compensated for by qualitative arguments, bounding analyses, or compensatory measures.
As a minimum, for systems used to prevent core damage (i.e., most of the TS systems modeled in a PRA other than the containment systems), Level 1 evaluations should be performed. For containment systems, Level 2 evaluations are likely to be needed at least to the point of assessing containment structural performance in order to estimate the LERF. When only a Level 1 PRA is available but additional Level 2 information is desirable, one acceptable method for approximating the needed information is proposed in NUREG/CR-6595, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events" (Ref. 13).
For changes to TS requirements defined for the power operation mode, the scope of analysis should include internal fires and flooding if appropriate (e.g., when the subject TS equipment is located in areas identified as vulnerable to fires or floods). When changes to requirements for systems needed for decay heat removal are considered, an appropriate assessment of shutdown risk should also be considered. Examples of such systems are auxiliary feedwater, residual heat removal, emergency diesel generator, and service water. Also, when AOTs are being modified to facilitate online maintenance (that is, transferring scheduled preventive maintenance (PM) from shutdown to power operation), the impact on the shutdown modes should also be evaluated. When available, using both power operation and shutdown models, a comparative evaluation may be presented to decide the appropriate condition for scheduling maintenance based on risk evaluations. In some cases, a semi-quantitative analysis of shutdown risk may be adequate (e.g., fault tree analysis or failure modes and effects analysis).
When AOTs are being modified in anticipation of the need for additional time for corrective maintenance, an assessment of transition risk (the risk of transitioning from power operation to the mode required by the current TS in question) that could be incurred under the current, shorter AOT may be desirable, if the initial calculated risk increase is near or somewhat above the acceptance guidelines. Also, TS changes to requirements for a controlled shutdown (i.e., the time allocated to transit through hot standby to hot shutdown to cold shutdown, or to the final state that should be reached) should be evaluated, if possible, using a model for the transition risk covering these periods, or at least a qualitative evaluation of the transition risk.
2.3.3 PRA Modeling
2.3.3.1 Detail Needed for TS Changes. To evaluate a TS change, the specific systems or components involved should be modeled in the PRA. The model should also be able to treat the alignments of components during periods when testing and maintenance are being carried out. Typically, limiting conditions for operations (LCOs) and surveillance requirements relate to the system trains or components that are modeled in the system fault trees of a PRA. System fault trees should be sufficiently detailed to specifically include all the components for which surveillance tests and maintenance are performed and are to be evaluated.
• For AOT evaluations, system train-level models are adequate as long as all components belonging to the train are clearly identified (i.e., all those components that could cause the train to fail).
• For evaluating STIs, individual component-level models are necessary.
Since PRAs are typically done at the component level, they are directly used to analyze both AOTs and STIs.
Component unavailability models should include contributions from random failure, common cause failure (CCF), test downtime, and maintenance downtime.
• Changes to the component unavailability model for test downtime and maintenance downtime should be based on a realistic estimate of expected surveillance and maintenance practices after the TS change is approved and implemented, e.g., how often the AOT is expected to be entered for preplanned maintenance or surveillance.
• The component unavailability model for test downtime and maintenance downtime should be based on plant-specific or industry-wide operating experience, or both, as appropriate.
• The component unavailability model should have the flexibility to separate contributions from test and maintenance downtime. For evaluating an AOT, the contribution from maintenance downtime can be equated to zero to delete maintenance activities, if desired. For an STI evaluation, the contribution from test downtime determines a contribution to risk from carrying out the test.
• Additional details in terms of separating the failure rate contributions into cyclic demand-related and standby time-related contributions can be incorporated, if justifiable, for evaluating surveillance requirements.
The CCF contributions should be modeled so that they can be modified to reflect the condition in which one or more of the components is unavailable. It should be noted, however, that CCF modeling of components is not only dependent on the number of remaining in-service components, but is also dependent on the reason components were removed from service, i.e., whether for preventive or corrective maintenance. For appropriate configuration risk management and control, preventive and corrective maintenance activities need to be considered, and licensees should, therefore, have the ability to address the subtle difference that exists between maintenance activities (see Section A.1.3.2 of Appendix A to this guide for details).
To account for the effects of test placements for redundant components in relation to each other (e.g., staggered or sequential test strategy), time-dependent models and additional evaluations using specialized codes may be used, if available.
If the PRA does not model the system for which the TS change is being requested, specialized analyses may be necessary when requesting changes to the TS for these systems. Examples of these situations are given below:
• When a system is modeled in the event tree, but a detailed fault tree model is not provided (direct estimate of system unavailability from experience data or expert judgment is used), the TS evaluation can proceed in one of two ways:
(1) A separate fault tree can be developed for the system for TS evaluation and used to complement the existing PRA model without directly modifying the PRA (e.g., detailed separate fault tree modeling of the reactor protection system combined with the existing PRA model), or
(2) A bounding evaluation can be conducted based on the impact of system failures that are modeled in the PRA event trees, that is, failure of any component in the system can be assumed to cause system failure.
• When a separate fault tree is developed, specific TS requirements within the system can be changed and changes in the system unavailability can be measured, which can then be used in the PRA model to obtain the corresponding Level 1 and Level 2 and 3 measures, as appropriate. Such evaluations can be considered similarly as those evaluations made directly using PRA models, but should satisfy the following conditions:
(1) Failures within the system should not affect any other system or component failure,
(2) The effect of system failure should not influence any initiating event frequency (or it should have a minimal or negligible effect), and
(3) The system should not share components with another system.
• When bounding evaluations are performed assuming any failure in the system as a system failure, the calculated risk impacts for TS changes are expected to be overestimated. The corresponding changes that may be acceptable will also be fewer than those that could have been justified using a detailed model. When considering the incorporation of non-PRA factors, this perspective should be kept, while at the same time considering the lack of a detailed model. Here also, the above three conditions discussed for the previous case apply.
In some cases, since the risk-informed evaluation will be limited and some mis-estimation of the risk may have been incorporated, non-risk-related engineering considerations gain importance in the overall decision. In such cases, arguments for the change also must be for small increments from current requirements.
2.3.3.2 Modeling of Initiating Events. Some initiating events resulting from support system failure (e.g., service water, component cooling water, instrument air) are modeled explicitly in the logic model, i.e., fault tree models are developed in the PRA. Any TS change for these systems will affect the corresponding initiating event frequency as well as the system unavailability and availability of other supported systems. The effect of TS changes on these initiating event frequencies should be considered.
Some test and maintenance activities can contribute to some transients. Initiating-event frequencies used in the PRA do not typically separate out this contribution, but such a separation may be needed during TS change evaluations. For example, the effect of test-caused transients may be evaluated in deciding an STI. Initiating-event frequencies from conduct of the test (i.e., test-caused transients) could then be modeled separately to evaluate the risk contribution from test-caused transients. Data needs for estimating initiating event frequencies from test-caused transients are discussed in Section A.2 of the appendix to this guide.
2.3.3.3 Screening Criteria. The main qualitative consideration regarding the screening of sequences in TS change evaluations is the inclusion of sequences directly affected by the TS change that would have been truncated by frequency-based screening alone. For example, if the TS change involves accumulators in a pressurized-water reactor (PWR), qualitative considerations imply that sequences that contain the accumulators should be included, even if these sequences do not meet the frequency criteria. Excluding these sequences would result in an underestimate of the risk impact of the TS changes.
2.3.3.4 Truncation Limits. Truncation levels should be used appropriately to ensure that significant underestimation, caused by truncation of cutsets, does not occur as discussed below. Additional precautions relevant to the cutset manipulation method of analysis are needed to avoid truncation errors in calculating risk measures.
When failure or outage of a single component is considered, as in the case of an AOT or STI risk evaluation, the truncation levels in evaluating R1 and R0 are of concern. [R1 is the increased CDF, with the component assumed to be inoperable (or equivalently the component unavailability set to "true"), and R0 is the reduced CDF, with the component assumed to be operable (or equivalently, the component unavailability set to "false")]. If the component in question appears in the cutsets near the truncation limit (e.g., all appearances are in cutsets within a factor of 10 of the truncation limit), it may be necessary to reduce the truncation limit. If R1 is marginally larger than the base case value, then one order of additional cutsets should be generated to ensure that any underestimation did not take place.
When risk from plant configurations involving multiple components is being considered, a cutset with a relatively small frequency can become a significant contributor to the CDF. This is because more than one of the affected components may appear in the same minimal cutset, and the unavailability (increased by the TS change) of more than one of these components could cause a significant increase in the cutset's frequency. For such cases, truncation levels have to be reduced by a larger amount than would be the case for single components. Particular care should be taken if the evaluation of R1 is based on requantification of pre-solved cutsets, as the events related to the component of concern may not even appear in the cutsets.
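The truncation pitfall described in 2.3.3.4, shown as an added Python illustration that is not part of the regulatory guide. The event names, cutsets, probabilities, truncation limit and 7-day AOT are constructed assumptions; ICCDP follows the footnote definition, and the untruncated cutset list stands in for re-solving the model at a lower truncation limit.

```python
from math import prod

# Constructed data: initiating-event frequencies (per year) and basic-event
# probabilities. None of these values come from the guide or from a real plant.
PROB = {
    "IE_LOOP": 5e-2, "IE_TRANS": 1.0,
    "EDG_A": 2e-2, "EDG_B": 2e-2, "TDP": 5e-3,
    "BATT": 1e-4, "SW_A": 1e-3, "SW_B": 1e-3, "OP_ERR": 1e-2,
}

# Constructed minimal cutsets of a core-damage model (untruncated solution).
FULL_CUTSETS = [
    frozenset({"IE_LOOP", "EDG_A", "EDG_B", "TDP"}),    # 1e-7 /yr
    frozenset({"IE_LOOP", "EDG_A", "SW_B", "TDP"}),     # 5e-9 /yr
    frozenset({"IE_LOOP", "EDG_B", "SW_A", "TDP"}),     # 5e-9 /yr
    frozenset({"IE_LOOP", "BATT"}),                     # 5e-6 /yr
    frozenset({"IE_TRANS", "SW_A", "SW_B", "OP_ERR"}),  # 1e-8 /yr
    frozenset({"IE_LOOP", "EDG_B", "SW_A", "OP_ERR"}),  # 1e-8 /yr
]


def frequency(cutset):
    """Cutset frequency: product of its event frequencies/probabilities."""
    return prod(PROB[event] for event in cutset)


def truncate(cutsets, limit):
    """Keep only cutsets at or above the truncation limit (pre-solved list)."""
    return [c for c in cutsets if frequency(c) >= limit]


def minimize(cutsets):
    """Drop any cutset that is a proper superset of another one."""
    unique = set(cutsets)
    return [c for c in unique if not any(other < c for other in unique)]


def set_true(cutsets, event):
    """Component assumed inoperable: remove the event, then re-minimize."""
    return minimize(c - {event} for c in cutsets)


def set_false(cutsets, event):
    """Component assumed operable: cutsets containing the event vanish."""
    return [c for c in cutsets if event not in c]


def cdf(cutsets):
    """Core damage frequency by the rare-event approximation (sum of cutsets)."""
    return sum(frequency(c) for c in cutsets)


def iccdp(cutsets, event, aot_days):
    """(conditional CDF with event out of service - baseline CDF) x AOT duration."""
    r1 = cdf(set_true(cutsets, event))
    return (r1 - cdf(cutsets)) * aot_days / 365.0


def compare(event, limit, aot_days):
    """Requantify pre-solved (truncated) cutsets vs. the untruncated solution."""
    presolved = truncate(FULL_CUTSETS, limit)
    return {
        "appears_in_presolved": any(event in c for c in presolved),
        "r1_presolved": cdf(set_true(presolved, event)),
        "r1_full": cdf(set_true(FULL_CUTSETS, event)),
        "r0_full": cdf(set_false(FULL_CUTSETS, event)),
        "iccdp_presolved": iccdp(presolved, event, aot_days),
        "iccdp_full": iccdp(FULL_CUTSETS, event, aot_days),
    }


if __name__ == "__main__":
    # SW_A appears only in cutsets below the 2e-8 limit, so the pre-solved
    # list shows no risk increase at all when SW_A is taken out of service.
    for name, value in compare("SW_A", limit=2e-8, aot_days=7).items():
        print(f"{name:22s} {value}")
```

With these constructed numbers, every cutset containing SW_A falls below the truncation limit, so requantifying the pre-solved list reports no risk increase while the untruncated model shows R1 several times the baseline.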
2.3.4 Assumptions in AOT and STI Evaluations
Using PRAs to evaluate TS changes requires consideration of a number of assumptions made within the PRA that can have a significant influence on the ultimate acceptability of the proposed changes. Such assumptions should be discussed in the submittal requesting the TS changes. Assumptions that should be considered for AOT change evaluations can be summarized as follows.
1. If AOT risk evaluations are performed using only the PRA for power operation (i.e., to calculate the risk associated with (a) the equipment being unavailable during power operation for the duration of the AOT and (b) any change in the AOT), the risk associated with shutting the plant down because of AOT violations is not being considered. In most cases, this risk has not been considered or, if considered, is assumed to further justify the requested change. For some situations (e.g., for residual heat removal systems, service water systems, auxiliary feedwater systems), comparative risk evaluations of continued power operation vs. plant shutdown should be considered.
2. When calculating the risk impacts (i.e., a change in CDF or LERF caused by AOT changes), the change in average CDF should be estimated using the mean outage times (or an appropriate surrogate) for the current and proposed AOTs. If a licensee chooses to use the zero maintenance state as the base case (case in which no equipment is unavailable because of maintenance), an explanation stating so should be part of the submittal. Usually, data for outage times correspond to the current AOT, but not to the proposed AOT. Different assumptions are made to estimate the outage time corresponding to the proposed AOT. Assumptions concerning changes in maintenance practices under the extended AOT regime should be discussed and their impact on the results of the analysis characterized.
3. When the risk impact of an AOT change is evaluated, the yearly risk impact that is calculated takes into account the outage frequency. An AOT extension may imply that the maintenance of the component is improved, which may reduce the component's failure rate, and consequently, reduce the frequency of outages needed for correcting degradations or failure. Again, there are no experience data for the extended AOT; therefore, the assumption should be made that both the frequency of outage for corrective maintenance and the component's failure rate remain the same. Here, the beneficial aspect of maintenance is not quantified and this may give a slightly higher estimate of the yearly AOT risk measure for the proposed AOT.
4. Often, AOT extensions are requested to facilitate on-line (or at-power) preventive maintenance of safety-system components. The frequency and duration of the extension may be estimated and the risk impact from the resulting unavailability of such equipment can be calculated.
5. When AOTs of multiple safety system trains are extended, the likelihood of simultaneous outages of multiple components increases (resulting from combinations of failures, testing, and maintenances) because the increased duration increases the probability of the individual events that constitute the simultaneous multiple outages; hence, overlapping of routinely scheduled activities and random failures becomes more likely. The impact of such occurrences on the average plant risk, e.g., CDF, is small, but the conditional risk can be large. This issue is addressed as part of the implementation considerations (see Regulatory Positions 2.3.7 and 4.1).
Assumptions that should be considered for STI evaluations can be summarized as follows.
1. Surveillance tests usually are assumed to detect failures that have occurred in the standby period. The component failure rate, λ, represents these failures in the formulation of component unavailability. The test-limited risk is normally estimated by assuming that a surveillance test of a component detects the failures, and that after the test, the component's unavailability resets to zero or "false" in the Boolean expression. A few component failures, depending on a component's design and the test performed, may not be detected by a routine surveillance test. Usually, their contribution to risk is considered negligible.
2. Regular surveillance testing of a component, as performed for safety system components, is considered to influence its performance. Generally, for most components, the increase of a surveillance interval beyond a certain value may reduce the component's performance (i.e., increase the failure rate). Experience data are not available to assess the STI values beyond which the component failure rate, λ, increases. If, in a risk-informed evaluation of surveillance requirements, the failure rate is assumed to remain the same (i.e., unaffected by a change in the test interval), this assumption implies that the STIs are not being changed beyond the value at which λ may be affected. Care should be taken not to extend the STIs beyond such values using risk-informed analyses only.
3. The timing of surveillance tests for redundant components relative to each other (i.e., the test strategy used) has an impact on the risk measures calculated. Staggered or sequential test strategies are commonly used. The risk impacts of adopting different test strategies (e.g., sequential vs. staggered) should be evaluated to determine whether there is an impact on the evaluation of the change being considered (NUREG/CR-6141, Ref. 14).
4. Notwithstanding the beneficial aspects of testing to detect failures that occur in a standby period, a number of adverse effects may be associated with the test: downtime to conduct the test, errors of restoration after the test, test-caused transients, and test-caused wear of the equipment. Downtime and errors of restoration are usually modeled in a PRA, unless they are negligible. Test-caused transients and wear of the equipment are applicable to a few tests, but they are not generally modeled separately in a PRA. However, they can be evaluated using PRA models supplemented with additional data and analysis. Methods are available to quantitatively address these aspects [NUREG/CR-5775 (Ref. 15)]; however, qualitative arguments can also be presented to support the extension of a test interval. If the adverse impact of testing is considered significant, such cases should be addressed quantitatively.
2.3.5 Sensitivity and Uncertainty Analyses Relating to Assumptions in TS Change Evaluations
As in any risk-informed study, risk-informed analyses of TS changes can be affected by numerous uncertainties regarding the assumptions made during the PRA model's development and application.
Sensitivity analyses may be necessary to address the important assumptions in the submittal made with respect to TS change analyses. They may include, as appropriate:
• The impact of variation in repair/maintenance policy because of AOT changes (e.g., scheduling a PM of longer duration at power).
• The impact of variation in assumed mean downtimes or frequencies.
• The effect of separating the cyclic demand vs. standby time-related contribution to the component's unavailability in deciding changes to an STI.
• The effect of details (e.g., equipment failure rate, λ, β) regarding how CCFs are modeled in the PRA.
Previous sensitivity analyses performed for risk-informed TS changes have shown that the risk resulting from TS AOT changes is relatively insensitive to uncertainties (compared, for example, to the effect on risk from uncertainties in assumptions regarding plant design changes, or regarding significant changes to plant operating procedures). This is because the uncertainties associated with AOT changes tend to similarly affect the base case (i.e., before the change) and the changed case (i.e., with the change in place). That is, the risks result from similar causes in both cases (i.e., no new initiating transients or subsequent failure modes are likely to have been introduced by relatively minor AOT changes). AOT changes subject the plant to a variation in its exposure to the same type of risk, and the PRA model is able to predict, with relative surety based on data from operating experience, how much that risk will change based on that changed exposure. Similar results are expected for STI changes. Licensees are expected to justify any deviations from these expectations.
The above argument may be more difficult to justify in cases when the effects of multiple outages may become significant during relatively large increases in AOTs or STIs. In those cases, however, the Tier 2 and Tier 3 aspects of TS changes (i.e., configuration monitoring, risk predictions, and configuration control based on the risk predictions) are expected to be robust and will be relied upon to control the resulting potential for significant risk increases.
2.3.6 Use of Compensatory Measures in TS Change Evaluations
Consistent with the fundamental principle that changes to TS should result in only small increases in the risk to the public health and safety (Principle 4, as described in the Discussion section of this regulatory guide), and as part of proposed TS change evaluations, certain compensatory measures (discussed below) that balance the calculated risk increase caused by the changes may be considered. This consideration should be made in light of the acceptance guidelines given in Regulatory Guide 1.174 (Ref. 11). Also, note that these considerations may be part of Tier 2 or Tier 3 programs.
When the licensee wishes to reduce the risk increase resulting from a proposed change even though the individual change is judged by the licensee to meet the acceptance guidelines, the licensee might consider taking compensatory measures such as those suggested below. If compensatory measures are considered as part of the analysis of the change, they should be included in the overall application for the TS change. However, compensatory measures should not be relied upon to compensate for weaknesses in plant design. Compensatory measures included in the submittal for a TS change should be measures for which the licensee is not already taking credit. Any such compensatory measures would become part of the licensing basis if the TS change were approved. Examples of compensatory measures are:
• Adding a test of a redundant train before initiating a scheduled maintenance activity as part of an AOT extension application.
• Limiting simultaneous testing and maintenance of redundant or diverse systems as part of an AOT extension application.
• Incorporating a staggered test strategy as part of the STI extension application.
• Improving test and maintenance procedures to reduce test- and maintenance-related errors.
• Improving operating procedures and operator training to reduce the impact of human errors.
• Improving system designs, which reduces overall system unavailability and plant risk.
When compensatory measures are part of the TS change evaluation, the risk impact of these measures should be considered and presented, either quantitatively or qualitatively. When a quantitative evaluation is used, the total impact of these measures should be evaluated by comparison to the "small" guideline (Principle 4, as described in the Discussion section of this regulatory guide). This includes:
(1) Evaluation of the proposed TS changes without the compensatory measures.
(2) Evaluation of the proposed TS changes with the compensatory measures.
(3) Specific discussion of how each of the compensatory measures is credited in the PRA model or during the evaluation process.
2.3.7 Contemporaneous Configuration Control
Consistent with the fundamental principle that changes to TS result in small increases in the risk to public health and safety (Principle 4), certain configuration controls need to be utilized. The need for the controls discussed below is described at the beginning of Regulatory Position 2.3 in the discussion regarding Tier 3.
2.3.7.1 Configuration Risk Management Program (CRMP). Licensees should describe their capability to perform a contemporaneous assessment of the overall impact on safety of proposed plant configurations prior to performing and during performance of maintenance activities that remove equipment from service. Licensees should explain how these tools or other processes will be used to ensure that risk-significant plant configurations will not be entered and that appropriate actions will be taken when unforeseen events put the plant in a risk-significant configuration.
The TS Administrative Controls section should describe the licensee's program for performing a real time risk assessment. The bases for TS for which an extended AOT is granted should reference this program description. The following program should be incorporated and should be described in the TS Administrative Controls section.
MODEL CONFIGURATION RISK MANAGEMENT PROGRAM
The Configuration Risk Management Program (CRMP) provides a proceduralized risk-informed assessment to manage the risk associated with equipment inoperability. The program applies to technical specification structures, systems, or components for which a risk-informed allowed outage time has been granted. The program is to include the following.
a. Provisions for the control and implementation of a Level 1 at-power internal events PRA-informed methodology. The assessment is to be capable of evaluating the applicable plant configuration.
b. Provisions for performing an assessment prior to entering the plant configuration described by the Limiting Conditions for Operation (LCO) Action Statement for preplanned activities.
c. Provisions for performing an assessment after entering the plant configuration described by the LCO Action Statement for unplanned entry into the LCO Action Statement.
d. Provisions for assessing the need for additional actions after the discovery of additional equipment-out-of-service conditions while in the plant configuration described by the LCO Action Statement.
e. Provisions for considering other applicable risk-significant contributors such as Level 2 issues and external events, qualitatively or quantitatively.
Each submittal for a risk-informed TS AOT extension should contain appropriate changes to the Administrative Control section that incorporates the above program description, unless an approved CRMP program description has already been incorporated into the licensee's TS.
2.3.7.2 Key Components of the CRMP. The licensee should ensure that the CRMP contains the following key components.
Key Component 1: Implementation of CRMP
The intent of the CRMP is to implement Section a(3) of the Maintenance Rule (10 CFR 50.65) with respect to on-line maintenance for risk-informed TS, with the following additions and clarifications:
1. The scope of structures, systems, and components (SSCs) to be included in the CRMP is all SSCs modeled in the licensee's plant PRA in addition to all SSCs considered high safety significant per Revision 2 of Regulatory Guide 1.160 (Ref. 16) that are not modeled in the PRA.
2. The CRMP assessment tool is PRA-informed and may be in the form of a risk matrix, an on-line assessment, or a direct PRA assessment.
3. The CRMP will be invoked as follows:
• For pre-planned entrance into the plant configuration described by a TS action statement with a risk-informed AOT, a risk assessment, including, at a minimum, a search for risk-significant configurations, will be performed prior to entering the action statement.
• For unplanned entrance into the plant configuration described by a TS action statement with a risk-informed AOT, a similar assessment will be performed in a time frame defined by the plant's Corrective Action Program (Criteria XVI of Appendix B to 10 CFR Part 50).
• When in the plant configuration described by a TS action statement with a risk-informed AOT, if additional SSCs become inoperable or nonfunctional, a risk assessment, including, at a minimum, a search for risk-significant configurations, will be performed in a time frame defined by the plant's Corrective Action Program (Criteria XVI of Appendix B to 10 CFR Part 50).
4. Tier 2 commitments apply only for planned maintenance, but should be evaluated as part of the Tier 3 assessment for unplanned occurrences.
Key Component 2: Control and Use of the CRMP Assessment Tool
1. Plant modifications and procedure changes will be monitored, assessed, and dispositioned.
• Evaluation of changes in plant configuration or PRA model features will be dispositioned by implementing PRA model changes or by the qualitative assessment of the impact of the changes on the CRMP assessment tool. This qualitative assessment recognizes that changes to the PRA take time to implement and that changes can be effectively compensated for without compromising the ability to make sound engineering judgments.
• Limitations of the CRMP assessment tool are identified and understood for each specific AOT extension.
2. Procedures exist for the control and application of CRMP assessment tools, including a description of the process when the plant configuration of concern is outside the scope of the CRMP assessment tool.
Key Component 3: Level 1 Risk-Informed Assessment
The CRMP assessment tool utilizes at least a Level 1, at-power, internal events PRA model. The CRMP assessment may use any combination of quantitative and qualitative input. CRMP assessments can include reference to a risk matrix, pre-existing calculations, or new PRA analyses.
1. Quantitative assessments should be performed whenever necessary for sound decisionmaking.
2. When quantitative assessments are not necessary for sound decisionmaking, qualitative assessments can be performed. Qualitative assessments should consider applicable existing insights from previous quantitative assessments.
Key Component 4: Level 2 Issues and External Events
External events and Level 2 issues are treated qualitatively or quantitatively, or both.
2.4 Acceptance Guidelines for TS Changes
The guidelines discussed in Sections 2.2.4 and 2.2.5 of Regulatory Guide 1.174 (Ref. 11) are applicable to TS AOT and STI change requests. Risk acceptance guidelines are presented in those sections as a function of the result of the licensee's risk analysis in terms of total CDF predicted for the plant and the change in CDF and LERF predicted for the TS changes requested by the licensee. In addition, those sections discuss cases when the scope of the licensee's PRA does not include a Level 2 (containment performance) analysis, and when, according to the guidelines presented in this regulatory guide and in Regulatory Guide 1.174, such an analysis is needed. TS submittals for changes to AOTs should also be evaluated against the risk acceptance guidelines presented herein, in addition to those in Regulatory Guide 1.174. Application of all the risk acceptance guidelines to individual proposals for TS changes will be done in a manner consistent with the fundamental principle that changes to TS result in small increases in the risk to the health and safety of the public (Principle 4, as described in the Discussion section of this regulatory guide).
TS change evaluations may involve some small increase in risk as quantified by PRA models. Usually, it is argued that such a small increase is offset by the many beneficial effects of the change that are not modeled by the PRA. The role of numerical guidelines is to ensure that the increase in risk is small, and to provide a quantitative basis for the risk increase based on aspects of the TS change that are modeled or quantified.
The numerical guidelines used to decide an acceptable TS change are taken into account along with other traditional considerations, operating experience, lessons learned from previous changes, and practical considerations associated with test and maintenance practices. The final acceptability of the proposed change should be based on all these considerations and not solely on the use of PRA-informed results compared to numerical acceptance guidelines.
As discussed previously, the numerical guidelines are used to ensure that any increase in risk is within acceptable limits; traditional considerations are used to ensure that the change satisfies rules and regulations that are in effect; practical considerations judge the acceptability of implementing the change; and lessons learned from past experience ensure that mistakes are not repeated.
Using the risk measures discussed in this regulatory guide, the change in risk should be calculated for the TS changes and compared against the numeric guidelines referenced in Regulatory Guide 1.174, and for AOT changes, against the numerical guidelines presented below. In calculating the risk impact of the changed case, additional changes to be implemented as part of the change can be credited. For example, in seeking an STI change, if the test strategy is also to be changed, the effect of this should also be incorporated in the risk evaluation.
It should be noted that this regulatory guide, as well as Regulatory Guide 1.174, are applicable only to permanent (as opposed to temporary, or "one time") changes to TS requirements. TS AOT changes are permanent changes, but because AOTs are entered infrequently and are temporary by their very nature, the following TS acceptance guidelines specific to AOT changes are provided for evaluating the risk associated with the revised AOT, in addition to those acceptance guidelines given in Regulatory Guide 1.174.
1. The licensee has demonstrated that the TS AOT change has only a small quantitative impact on plant risk. An ICCDP⁴ of less than 5.0E-7 is considered small for a single TS AOT change.⁵ An ICLERP⁶ of 5.0E-8 or less is also considered small. Also, the ICCDP contribution should be distributed in time such that any increase in the associated conditional risk is small and within the normal operating background (risk fluctuations) of the plant (Tier 1).
2. The licensee has demonstrated that there are appropriate restrictions on dominant risk-significant configurations associated with the change (Tier 2).
3. The licensee has implemented a risk-informed plant configuration control program. The licensee has implemented procedures to utilize, maintain, and control such a program (Tier 3).
In the context of the integrated decisionmaking, the acceptance guidelines should not be interpreted as being overly prescriptive. They are intended to provide an indication, in numerical terms, of what is considered acceptable. As such, the numerical values above are approximate values that provide an indication of the changes that are generally acceptable. Furthermore, the state of knowledge, or epistemic, uncertainties associated with PRA calculations preclude a definitive decision with respect to the acceptance of the proposed change based purely on the numerical results. The intent in comparing the PRA results with the acceptance guidelines is to demonstrate with reasonable assurance that Principle 4 is being met. This decision must be based on a full understanding of the contributors to the PRA results and the impacts of the uncertainties, both those that are explicitly accounted for in the results and those that are not.
There may be situations in which a nonquantitative assessment of risk (either alone or accompanied by quantitative assessment) is sufficient to justify TS changes. The licensee is expected to use judgment on the acceptability (to support regulatory decisionmaking) of the risk argument being considered, including the appropriate blend of quantitative and qualitative assessments.
⁴ ICCDP = [(conditional CDF with the subject equipment out of service) - (baseline CDF with nominal expected equipment unavailabilities)] × (duration of single AOT under consideration).
⁵ The ICCDP acceptance guideline of 5.0E-7 is based upon the hypothetical situation in which the subject equipment at a representative plant is out for five hours, causing the CDF of the plant, with an assumed baseline CDF of 1.0E-4 per reactor year, to conditionally increase to 1.0E-3 per reactor year during the five-hour period. This basis assumes that the majority of repairs can be made in five hours or less and that the NRC has accepted this level of risk for existing operating plants.
⁶ ICLERP = [(conditional LERF with the subject equipment out of service) - (baseline LERF with nominal expected equipment unavailabilities)] × (duration of single AOT under consideration).
2.5 Comparison of Risk of Available Alternatives
In some cases, in support of a TS change, available alternatives are compared to justify the TS change. For changes in TS AOTs, such cases primarily involve comparing the risk of shutting down with the risk of continuing power operation, given that the plant is not meeting one or more TS LCOs. Such comparisons can be used to justify that the increase in at-power risk associated with the TS change is offset by the averting of some transition or shutdown risk.
In the case of an STI change, the beneficial and adverse impacts can be similarly compared. The modified STI should be chosen so that the benefit of testing is at least equal to, or greater than, the adverse effects of testing. For example, if the calibration of relays in the reactor protection system causes plant transients, the risk from the test-caused transients is then estimated and compared with the test-limited risk of an extended STI.
In using such guidelines, the following considerations apply:
(1) The uncertainty associated with the two measures being compared can differ and should be considered in deciding on an acceptable change.
(2) When the risk measures associated with all alternatives are unacceptably large, ways to reduce the risk should be explored instead of only extending the TS requirement. That is, a large risk from one of the alternatives should not be the justification for TS relaxation without giving appropriate attention to risk-reduction options. If the risk from test-caused transients is large, attention may then be given to exploring changes in test procedures to reduce such risk, rather than only extending the test interval. However, a combination of the two also may be appropriate.
3. ELEMENT 3: DEFINE IMPLEMENTATION AND MONITORING PROGRAM
3.1 Three-Tiered Implementation Approach
As described in Regulatory Position 2.3, the staff expects the licensee to use a three-tiered approach in implementing the proposed TS AOT changes. Application of the three-tiered approach is in keeping with the fundamental principle that the proposed change is consistent with the defense-in-depth philosophy. Application of the three-tiered approach provides assurance that defense in depth will not be significantly impacted by the proposed change.
3.2 Maintenance Rule Control
To ensure that extension of a TS AOT or STI does not degrade operational safety over time, the licensee should ensure, as part of its Maintenance Rule program (10 CFR 50.65), that when equipment does not meet its performance criteria, the evaluation required under the Maintenance Rule includes prior related TS changes in its scope. If the licensee concludes that the performance or condition of TS equipment affected by a TS change does not meet established performance criteria, appropriate corrective action should be taken, in accordance with the Maintenance Rule. Such corrective action could include consideration of another TS change to shorten the revised AOT or STI, or imposition of a more restrictive administrative limit, if the licensee determines this is an important factor in reversing the negative trend.
4. ELEMENT 4: DOCUMENTATION AND SUBMITTAL
The evaluations performed to justify the proposed TS changes should be documented and included in the license amendment request submittal. Specifically, documentation to support risk-informed TS change requests should include:
• A description of the TS changes being proposed and the reasons for seeking the changes,
• A description of the process used to arrive at the proposed changes,
• Traditional engineering evaluations performed,
• Changes made to the PRA for use in the TS change evaluation,
• Review of the applicability and quality of the PRA models for TS evaluations,
• Discussion of the risk measures used in evaluating the changes,
• Data developed and used in addition to the plant's PRA database,
• Summary of the risk measures calculated including intermediate results,
• Sensitivity and uncertainty analyses performed,
• Summary of the risk impacts of the proposed changes and any compensating actions proposed,
• A tabulation of the outage configurations that could threaten the integrity of the safety functions of the subject equipment and that are, or will be, prohibited by TS or plant procedures (Tier 2).
• A description of the capability to perform a contemporaneous assessment of the overall impact on safety of proposed plant configurations, including an explanation of how these tools will be used to ensure that risk-significant plant configurations will not be entered and that appropriate actions will be taken when unforeseen events put the plant in a risk-significant configuration (Tier 3).
• A marked up copy of the relevant TS and bases. The level of detail provided in the TS Bases should include adequate information to provide the technical basis for the revised AOT or STI.
• All other documentation required to be submitted with a license amendment request.
REFERENCES
1. USNRC, "Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement," Federal Register, Vol. 60, p. 42622, August 16, 1995.¹
2. "Quarterly Status Update for the Probabilistic Risk Assessment Implementation Plan," SECY-97-234, October 14, 1997.¹
3. USNRC, "Standard Technical Specifications, Babcock and Wilcox Plants," NUREG-1430 (latest revision).²
4. USNRC, "Standard Technical Specifications, Westinghouse Plants," NUREG-1431 (latest revision).²
5. USNRC, "Standard Technical Specifications, Combustion Engineering Plants," NUREG-1432 (latest revision).²
6. USNRC, "Standard Technical Specifications, General Electric Plants, BWR/4," NUREG-1433 (latest revision).²
7. USNRC, "Standard Technical Specifications, General Electric Plants, BWR/6," NUREG-1434 (latest revision).²
8. USNRC, Statement of Considerations, "Technical Specifications for Facility Licensees; Safety Analyses Reports," Federal Register, 33 FR 18612, December 17, 1968.
9. USNRC, "Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors," Federal Register, 58 FR 39132, July 22, 1993.
10. USNRC, 10 CFR 50.36, "Technical Specifications," Federal Register, 60 FR 36953, July 19, 1995.
11. USNRC, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," Regulatory Guide 1.174, July 1998.³
12. USNRC, "Risk-Informed Decisionmaking: Technical Specifications," NUREG-0800, SRP Chapter 16.1, August 1998.³
13. W.T. Pratt et al., "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," Draft NUREG/CR-6595, December 1997.³
14. P.K. Samanta and I.S. Kim, "Handbook of Methods for Risk-Based Analyses of Technical Specifications," NUREG/CR-6141, USNRC, December 1994.²
15. I.S. Kim et al., "Quantitative Evaluation of Surveillance Test Intervals Including Test-Caused Risks," NUREG/CR-5775, USNRC, February 1992.²
16. USNRC, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," Regulatory Guide 1.160, Revision 2, March 1997.³
¹ Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW, Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.
² Copies of NUREG-series documents are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (telephone (202)512-2249); or from the National Technical Information Service by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW, Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.
³ Single copies of regulatory guides, both active and draft, and draft NUREG documents, may be obtained free of charge by writing the Reproduction and Distribution Services Section, OCIO, USNRC, Washington, DC 20555-0001, or by fax to (301)415-2289, or by email to GRWI@NRC.GOV. Active guides may also be purchased from the National Technical Information Service on a standing order basis. Details on this service may be obtained by writing NTIS, 5285 Port Royal Road, Springfield, VA 22161. Copies of active and draft guides are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW, Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3343; fax (202)634-3343.
APPENDIX A
CONSIDERATIONS AND DATA NEEDS FOR TECHNICAL SPECIFICATION CHANGE RISK EVALUATIONS
A.1 OTHER CONSIDERATIONS IN TECHNICAL SPECIFICATION CHANGE RISK EVALUATIONS
A.1.1 Risk Measures for Technical Specification Changes to Allowed Outage Times and Surveillance Test Intervals
In this section, a list of the risk-informed measures used in allowed outage time (AOT) and surveillance test interval (STI) evaluations is presented. A more detailed discussion of these measures can be found in NUREG/CR-6141, "Handbook of Methods for Risk-Based Analyses of Technical Specifications" (Ref. 1).
The measures applicable for AOT evaluations are:
• Conditional risk given the limiting condition of operation (LCO)
• Incremental conditional core damage probability (ICCDP)
• Yearly AOT risk
When comparing the risk of shutting down with the risk of continuing power operation for a given LCO, the applicable measures are:
• Risk of continued power operation for a given downtime, similar to ICCDP
• Risk of shutting down for the same downtime
The measures applicable for STI evaluations are:
• Test-limited risk
• Test-caused risk
Similar to the AOT evaluations, the risk contributions associated with preventive maintenance (PM) are:
• Single PM risk
• Yearly PM risk
The risk associated with simultaneous outages of multiple components, called configuration risk, is calculated as part of AOT changes. The three-tier approach discussed in Regulatory Position 2.3 of Regulatory Guide 1.177 includes calculations of risks associated with multiple components that may be taken down together. The applicable measures are similar to the AOT measures stated above.
• Conditional risk (e.g., increase in core damage frequency (CDF)) caused by the configuration
• Increase in risk [e.g., core damage probability (CDP) (obtained by multiplying the increase in CDF by the duration of the configuration for the occurrence of a given configuration)].
If different measures are used, the licensee should provide adequate discussions of them in the submittal.
A.1.2 Measures for Multiple Technical Specification Changes
When multiple technical specification (TS) changes are being considered, the combined impact of the changes should be considered in addition to the individual impacts. The considerations related to the calculation of total impacts are discussed here.
A.1.2.1 Measures That Can Be Combined for Multiple TS Changes
When considering risk contributions from several AOTs, the risk measures can be combined according to the following guidelines.
The ICCDPs from several AOTs do not generally interact nor do they accumulate to give a total contribution because the single AOT risks are conditional risks per event, and the downtime events for the different AOTs are different events. The only time that ICCDPs should be considered simultaneously is when multiple components can be down at the same time, constituting the same event. Such a case is referred to as "downed configuration," or simply a "configuration." The risk contribution associated with a configuration is referred to as the configuration risk and is evaluated separately as a multiple component downtime. Conducting maintenance on several components is a principal cause of potentially high configuration risks.
Yearly AOT risk contributions from several AOTs can interact and should be accumulated to give the total yearly contribution from all the AOTs being considered. When the AOTs do not interact, that is, when the downed components are not in the same minimal cut set, the yearly AOT risk contribution from several AOTs is the sum of the individual yearly AOT risk contributions. When the AOTs do interact, that is, when two or more of the downed components are in the same minimal cutset, interaction of the AOT risk contributions should be considered.
When calculating the test-limited risk for changes in multiple STIs, the total test-limited risk should be properly evaluated. Simple addition of individual test-limited risks will not provide the combined test-limited risk. In a simple addition, the total test-limited risk contribution is underestimated because the interacting terms are neglected.
A.1.2.2 Total Impact of Multiple Changes
When multiple changes are requested, the total collective risk impact from all the changes should be evaluated. For example, for a group of AOT and STI changes, this includes the total impact of all the requested:
• AOT changes
• STI changes
• AOT and STI changes
If multiple changes are made, the impact of each change is assessed individually; then as a check, the plant probabilistic risk analysis (PRA) should be used to quantify the total impact.
A.1.3 Quantification of Risk Measures
A.1.3.1 Alternative Ways of Calculating TS Change Risk Measures
In calculating the measures discussed for evaluating TS changes, two specific risk levels are discussed, which should be quantified using a PRA. Focusing on the CDF level, they are R1, the increased risk level (e.g., CDF) with the component assumed down or equivalent component unavailability set to "true," and R0, the reduced CDF with the component assumed up; that is, the component unavailability is set to "false."
A.1.3.1.1 Using PRA To Obtain AOT, PM, and Configuration Risk Contributions. R1 can be calculated by setting the component-down event to a true state in the PRA. Similarly, R0 can be calculated by setting the component-down event to a false state in the PRA. The component-down event in the PRA is the event describing that the component is down for repair or maintenance. If the component-down event is included in the existing minimal cutsets, these minimal cutsets can be used to determine R1 and R0 provided the minimal cutsets sufficiently cover the contribution of the down event. The existing minimal cutsets are sufficient if those containing the down event are not all near the truncation limit (i.e., are not all within a factor of 10 of the truncation limit). Alternatively, the minimal cutsets are sufficient if those containing the down event have a non-negligible contribution (i.e., have a contribution greater than or equal to 1%). If the existing minimal cutsets are sufficient, the increased risk level R1 can be determined by setting the component-down unavailability to 1 and deleting larger minimal cutsets that contain smaller minimal cutsets (i.e., are absorbed by the smaller minimal cutsets). If there are any minimal cutsets containing complementary events, they also should be removed if they are inconsistent with the component being down. The reduced risk level R0 can be determined analogously by setting the down unavailability to zero.
If the component-down event is not contained in the existing minimal cutsets, or if there is a question on the coverage of the existing minimal cutsets, the minimal cutsets should be regenerated. R1 is determined by setting the down-component event in the PRA models to a true state. The truncation limit of the minimal cutset can be reduced by at least a factor of 10 to give added assurance of sufficient coverage. The minimal cutsets that are generated using the reduced truncation limit can then be used to determine R1 by setting the down unavailability at zero.
Contributions from common cause failures (CCFs) need special attention when calculating the increased risk level R1. If the component is down because of a failure, the common-cause contributions involving the component should be divided by the probability of the component being down because of failure since the component is given to be down. If the component is down because it is being brought down for maintenance, the CCF contributions involving the component should be modified to remove the component and to only include failures of the remaining components (also see Regulatory Position 2.3.1 of Regulatory Guide 1.177).
If other components are reconfigured while the component is down, these reconfigurations can be incorporated in estimating R1 or ΔR, using the PRA. If other components are tested before repair or if maintenance is carried out on the downed components, the conduct of these tests and their outcomes also can be modeled. If other components are more frequently tested when the component is down for the AOT, this increased frequency of testing also can be incorporated.
These modeling details are sometimes neglected in the PRA because of their apparently small contribution. However, when isolating the AOT risk contributions and in justifying modified AOTs, these details can become significant.
A.1.3.1.2 Use of PRA Minimal Cutsets When It Is Appropriate. As indicated, a PRA computes the yearly AOT risk contribution to the yearly CDF. Basically, the yearly AOT risk contribution is the sum of the minimal cutset contributions containing the component-downed unavailability (typically, for maintenance) qm, qm = f·d, where f is the downtime frequency and d is the downtime associated with the AOT. The downtime d usually is estimated as an average downtime associated with the AOT. If the minimal cutsets sufficiently cover the downed unavailability, those that contain the downed unavailability qm can be summed to give the yearly AOT risk contribution Ry.
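The minimal-cutset procedure of A.1.3.1.1 and A.1.3.1.2, combined with the ICCDP definition in footnote 4 of Regulatory Position 2.4, is worked through below as an added example that is not part of the regulatory guide. The cutsets, event names, probabilities, and function names are constructed for illustration; the rare-event approximation, the 8760 hours-per-year conversion, and the treatment of the complementary event when computing R0 are assumptions of the example.

```python
from math import prod

HOURS_PER_YEAR = 8760.0  # assumption: converts an AOT in hours to reactor years


def absorb(cutsets):
    """Keep only minimal cutsets: drop any set that strictly contains another."""
    unique = {frozenset(c) for c in cutsets}
    return sorted((c for c in unique if not any(o < c for o in unique)), key=sorted)


def condition_on(cutsets, down_event, is_down, complement=None):
    """Re-evaluate minimal cutsets with the component-down event forced true or false.

    is_down=True : the event has unavailability 1, so it is removed from each
                   cutset; cutsets holding the complementary event are
                   inconsistent with the component being down and are dropped.
    is_down=False: the event has unavailability 0, so cutsets containing it
                   vanish; the complementary event is then certain and is
                   removed from its cutsets (assumption of this example).
    """
    certain, impossible = (down_event, complement) if is_down else (complement, down_event)
    kept = []
    for cs in map(frozenset, cutsets):
        if impossible is not None and impossible in cs:
            continue
        kept.append(cs - {certain})
    return absorb(kept)


def frequency(cutsets, values):
    """Rare-event approximation: sum over cutsets of the product of their events."""
    return sum(prod(values[e] for e in cs) for cs in cutsets)


def yearly_aot_risk(cutsets, values, down_event):
    """Sum of the minimal cutset contributions that contain qm = f * d."""
    return frequency([cs for cs in cutsets if down_event in cs], values)


def iccdp(conditional_cdf, baseline_cdf, aot_hours):
    """Footnote 4: (conditional CDF - baseline CDF) x duration of a single AOT."""
    return (conditional_cdf - baseline_cdf) * aot_hours / HOURS_PER_YEAR


# Constructed sample model (not plant data). IE-* are initiating-event
# frequencies per reactor year; the rest are basic-event probabilities.
VALUES = {
    "IE-TRANS": 2.0, "IE-LOOP": 0.05,
    "A-DOWN": 0.01,      # qm = f * d for maintenance on train A
    "A-NOT-DOWN": 0.99,  # complementary event of A-DOWN
    "A-FAIL": 5e-3, "B-FAIL": 1e-3, "C-FAIL": 1e-2, "D-FAIL": 1e-4, "E-FAIL": 1e-4,
}
CUTSETS = [
    {"IE-TRANS", "A-DOWN", "B-FAIL"},
    {"IE-TRANS", "A-FAIL", "B-FAIL"},   # absorbed once A-DOWN is set to true
    {"IE-TRANS", "B-FAIL", "C-FAIL"},   # absorbed once A-DOWN is set to true
    {"IE-LOOP", "A-NOT-DOWN", "D-FAIL"},  # inconsistent with A being down
    {"IE-LOOP", "E-FAIL"},
]


def evaluate(aot_hours):
    """Return baseline CDF, R1, R0, yearly AOT risk and ICCDP for train A."""
    baseline = frequency(CUTSETS, VALUES)
    r1_sets = condition_on(CUTSETS, "A-DOWN", True, complement="A-NOT-DOWN")
    r0_sets = condition_on(CUTSETS, "A-DOWN", False, complement="A-NOT-DOWN")
    r1, r0 = frequency(r1_sets, VALUES), frequency(r0_sets, VALUES)
    return {
        "baseline_cdf": baseline,
        "R1": r1,
        "R0": r0,
        "R1_cutsets": r1_sets,
        "yearly_aot_risk": yearly_aot_risk(CUTSETS, VALUES, "A-DOWN"),
        "ICCDP": iccdp(r1, baseline, aot_hours),
    }


if __name__ == "__main__":
    for name, value in evaluate(aot_hours=72).items():
        print(name, value)
```

With the constructed values, setting A-DOWN to true collapses the five cutsets to two, because the shorter cutset {IE-TRANS, B-FAIL} absorbs two of the others and the cutset carrying the complementary event is removed.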
A.1.3.1.3 Using the PRA To Determine the Test-Limited Risk Contribution. The PRA can be used to calculate the increase in the risk-level ΔR and to obtain the component unavailability, q, which are the contributing factors in calculating the test-limited risk contribution. The considerations involved in calculating R1 and R0 to obtain ΔR are those discussed above and in the next section.
When the effect of a change in STI for one or more components is being evaluated, the PRA can be directly used to calculate the change in the risk measure (e.g., in the CDF). The calculation of PRA results, when changed STIs are included, incorporates interactions among the STIs. The difference between the results (i.e., CDF when the STIs are changed from the baseline CDF) provides the test-limited risk contribution for changing the STIs.
In such a calculation, the contributions of CCFs should be appropriately modified. The common failure terms modeled as a function of the test interval should be modified to reflect the new STI. Typically, CCFs are modeled using a β-factor or Multiple Greek Letter model when the CCF of multiple components is a function of the STI. When changing STIs, care should be taken to change this term within the common cause contribution. The common cause of failing multiple components resulting from human error following a test is not a function of the STI, but may be affected by the test strategy used.
When different test strategies are being evaluated, the human error term should be evaluated. Specific assumptions that were used in quantifying the human error common cause term should be identified and checked if they apply for the test strategy being analyzed. For example, if the term was developed assuming a sequential test strategy, but a staggered test strategy is being analyzed, the term should be modified to reflect this change. The failure probability from a common cause human error for a staggered test strategy is expected to be significantly lower than that for the sequential test strategy.
A.1.3.1.4 Using Minimal Cutsets To Calculate Test-Limited Risks. The test-limited risk for a component or a set of components also can be determined by identifying those minimal cutsets that contain one or more of the STI contributions. The sum of the relevant minimal cutset contributions is then equal to the test-limited risk. To evaluate changes in the test-limited risks for changes in the STIs, the difference between the minimal cutset contributions with and without the STI changes will be the difference between the test-limited risks. In using the minimal cutsets, one should ensure that the STI contributions are all included in the set of minimal cutsets used. Even though use of the minimal cutsets gives the same results, the above basic description of methods for obtaining the test-limited risks is useful, since it shows the basic contributing factors to the STI risk.
A.1.3.1.5 Specific Considerations for Evaluating Multiple Test-Limited Risks. When multiple STIs are modified or are defined, the total test-limited risk from the multiple STI changes or definitions should be properly evaluated. Instead of using the PRA to evaluate all the changes in a given run, the individual test-limited risks can be evaluated one at a time, provided that the updated STIs are used for the other relevant components. An iterative procedure can then be used in which individual STIs are successively updated, using the methods described above for individual component STI risk contributors. These one-at-a-time evaluations, or "iterative" evaluations, are useful if acceptable guidelines on test-limited risks are defined and the STIs are to be selected to satisfy the risk guidelines.
A.1.3.2 Appropriate Calculation of Conditional CDF
A.1.3.2.1 Conditional CDF for Failure of a Component. To calculate the conditional CDF when a component is failed (typically represented by R1 in this document), the component unavailability is changed to the "true" or "T" state. However, the component unavailability may be modeled in terms of many contributors: random failure, maintenance downtime, test downtime, and CCF. The CCF term represents the failure probability of two or more redundant components that include the failed component in question. The CCF term is modeled as a product of multiple terms (e.g., using the β-factor model for two redundant components, the CCF term is β times the component unavailability from random failures), but may be represented by one parameter.
Consider a component Q in Train A of a safety system, letting QLA, QMA, and QTA represent the component's unavailability from random failures, maintenance downtimes, and test downtimes, respectively. Also, let QC = βQL be the term for CCF of the redundant components in Trains A and B, where QL is numerically equal to QLA and represents QLA or QLB. QLB is the unavailability of a component in Train B from random failure. Usually, the terms QLA, QMA, QTA, and QC will be part of the PRA input data.
To calculate the conditional CDF given that the component is failed, the component unavailability should be represented by the "T" state. This means that QLA, QMA, and QTA should be changed to the "T" state and QC should be divided by QLA since the component is down because of failure. In principle, changing one of the three conditions (QLA, QMA, QTA) to the "T" state should suffice. However, in many cases, truncated cutsets are used to calculate the conditional CDF, and changing all three will ensure that the failed state of the component is represented. For this example, QC will be changed to β, which represents the conditional failure probability of the redundant component. When QC represents the failure of more than two components, QC will be converted to the failure probability of the remaining components, in this case, two components.
A.1.3.2.2 Conditional CDF When a Component Is Down (but Not Failed) for PM. To calculate the conditional CDF when a component is taken down for PM (R1 for PM analyses), the CCF term should be treated differently from that described above for the failure of the component.
Considering the same example as above, the down state of the component is represented by changing QLA, QMA, and QTA to "T" and by changing QC to QL, which is numerically the same as QLB or QLA.
The CCF term is changed to represent the unavailability of the remaining component and not β, since the initial component is already down for PM and is not down due to failure. If the redundant component is successfully tested before taking the component down for PM, QC can then be equated to zero for a short-duration PM (i.e., when the duration of the PM is much less than the test interval).
A.1.3.2.3 Conditional CDF When the Component Is Not Down for Maintenance or Is Tested Operable. The conditional CDF is reduced when the component is not down for maintenance or when it has just successfully been tested. The calculation of AOT and STI risk contributions involves calculating this conditional CDF (R0). For evaluating the AOT risk contribution, R0 signifies that the component is not down for test or maintenance, and this condition is represented by setting test and maintenance downtime unavailabilities to the "false" or "F" state. In this example, QMA and QTA should be changed to the "F" state. For STI evaluations, R0 signifies that the component is up, which is known from the test and is represented by setting its unavailability to "false." In this example, QLA, QMA, and QTA should be changed to the "F" state. In many cases, the reduction in CDF from the baseline CDF is negligible.
A.1.3.2.4 Conditional CDF When Multiple Components Are Involved. To calculate conditional CDFs (R1 and R0) when multiple components are involved, the corresponding terms relating to each of the components should be changed to the "T" or "F" state. For each component, the corresponding terms relating to random failures, CCFs, test downtimes, and maintenance downtimes should be converted, as discussed above. When all the components modeled by a common cause term are failed, this term changes to the "T" state for calculating R1. Otherwise, it is modeled as discussed above, representing the unavailability of the remaining components. In many PRA computer codes, the CCF term does not retain the specific component designator (for example, a unique notation identifying the specific component involved may not be part of the name of the CCF term), and the relevant term cannot directly be identified by searching the names of the input parameters of the PRA. The description of the CCF terms modeled in the PRA may need to be examined to identify the relevant term or the input parameter.
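The substitutions of A.1.3.2.1 through A.1.3.2.3, worked on a constructed two-train cutset list; this is an added example and not part of the regulatory guide. The numerical values, the initiator name `IE`, the function names, and the step that re-minimizes the cutsets after "T"/"F" states are set (a standard Boolean reduction) are assumptions of the example.

```python
"""Conditional CDF from minimal cutsets with "T"/"F" states and a beta-factor CCF term.

Constructed two-train example: every number below is illustrative, not plant data.
Event names QLA, QMA, QTA, QLB, QC follow the guide; IE, QMB, QTB are assumed names.
"""
from itertools import product
from math import prod

BETA = 0.1     # constructed beta factor
QL = 1.0e-2    # constructed random-failure unavailability (QLA = QLB = QL)

VALUES = {
    "IE": 0.1,                                   # initiating-event frequency per year
    "QLA": QL, "QMA": 5.0e-3, "QTA": 1.0e-3,     # Train A: random, maintenance, test
    "QLB": QL, "QMB": 5.0e-3, "QTB": 1.0e-3,     # Train B: random, maintenance, test
    "QC": BETA * QL,                             # CCF of both trains, QC = beta * QL
}

TRAIN_A = ("QLA", "QMA", "QTA")
TRAIN_B = ("QLB", "QMB", "QTB")

# Core damage needs the initiator and loss of both trains, either through one
# unavailability contributor per train or through the common cause term.
CUTSETS = [("IE", a, b) for a, b in product(TRAIN_A, TRAIN_B)] + [("IE", "QC")]


def conditional_cdf(state=None, override=None):
    """Rare-event sum of cutset products after applying "T"/"F" states.

    state:    {event: True} for the "T" state, {event: False} for the "F" state.
    override: {event: new_value} for terms that are re-quantified (e.g., QC).
    """
    state = state or {}
    values = {**VALUES, **(override or {})}
    reduced = set()
    for cutset in CUTSETS:
        if any(state.get(e) is False for e in cutset):
            continue                      # an "F" event removes the whole cutset
        # a "T" event is certain, so it drops out of the product
        reduced.add(frozenset(e for e in cutset if state.get(e) is not True))
    # Re-minimize: duplicates collapse in the set, supersets are absorbed.
    minimal = [c for c in reduced if not any(other < c for other in reduced)]
    return sum(prod(values[e] for e in c) for c in minimal)


def baseline_cdf():
    return conditional_cdf()


def r1_failed():
    """A.1.3.2.1: component failed; QC is divided by QLA, which leaves beta."""
    return conditional_cdf({e: True for e in TRAIN_A},
                           {"QC": VALUES["QC"] / VALUES["QLA"]})


def r1_pm(redundant_tested_ok=False):
    """A.1.3.2.2: component down for PM; QC becomes QL, or zero for a
    short-duration PM when the redundant component was just tested."""
    qc = 0.0 if redundant_tested_ok else VALUES["QLB"]
    return conditional_cdf({e: True for e in TRAIN_A}, {"QC": qc})


def r0_aot():
    """A.1.3.2.3: not down for test or maintenance; QMA and QTA set to "F"."""
    return conditional_cdf({"QMA": False, "QTA": False})


def r0_sti():
    """A.1.3.2.3: tested operable; QLA, QMA and QTA set to "F"."""
    return conditional_cdf({e: False for e in TRAIN_A})


if __name__ == "__main__":
    for name, fn in [("baseline", baseline_cdf), ("R1 failed", r1_failed),
                     ("R1 PM", r1_pm), ("R0 AOT", r0_aot), ("R0 STI", r0_sti)]:
        print(f"{name:10s} {fn():.4e} per year")
    print(f"delta R (failure, AOT) = {r1_failed() - r0_aot():.4e} per year")
```

Without the re-minimization step, setting QLA, QMA, and QTA to "T" would leave three copies of each Train B cutset in the list and the sum would count each of them three times.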
A.1.3.3 Treatment of CCF and Recovery Factors
The treatment of CCF in estimating the conditional CDF for AOT and STI evaluations was discussed earlier. Appropriate considerations in modifying CCF terms modeled in the PRA (to include the effect of a component being unavailable because of failure, maintenance, or testing and for implementing a staggered test strategy) have been discussed. In addition, since the CCF contributions can be a dominant contributor, sensitivity analyses with respect to these parameters may be appropriate (see Regulatory Position 2.3.5 of RG 1.177). Recovery factors used in the PRA model perhaps should be reviewed to learn whether the component assumed to be down because of failure is credited to be recovered. For example, consider that a TS change for an emergency diesel generator (EDG) is being evaluated, and conditional CDF for the EDG being down is being calculated. Then, if the cutsets used to calculate the conditional CDF take credit for the same EDG being recovered, such recovery factors should be modified. In such cases, no credit should be taken.
A.1.3.4 Calculations of Transition Risk
Transition risk is calculated to compare the risk of continuing operation in a given LCO to that of a transition to plant shutdown. Such comparisons can be used to decide which option is preferable and which other alternatives may be used. Such evaluations particularly apply for systems used to remove decay heat. The following considerations apply in calculating transition risk.
(1) Various stages of the shutdown cooling phases and the operator's interactions should be modeled to assess the impact on the CDF of shutting down the plant in an LCO.
(2) Any initiating event not modeled in the basic PRA, but important during the shutdown phases, should be modeled. Specific examples are those events that challenge the residual heat removal (RHR) system and that can render part of it unavailable. Also, the frequency of initiating events during the transition to shutdown may have to be reassessed, since it may differ from that during power operation (e.g., more frequent loss of offsite power or loss of main feedwater during the transition to shutdown).
(3) Different recovery paths applicable at various stages of shutdown should be modeled to realistically quantify the risk of shutting down, considering the diminishing levels of decay heat.
(4) Available time margins for uncovering the reactor core and heating up the suppression pool [in a boiling water reactor (BWR)] or drying out the steam generator [in a pressurized water reactor (PWR)] should be modeled to evaluate specific accident sequences.
A.2 DATA NEEDS FOR TS CHANGE EVALUATIONS
A request for plant-specific TS changes should use plant-specific data and not rely solely on generic data or data from similar plant designs. Usually, TS changes are requested because plant operation indicates that such changes are needed and, accordingly, plant-specific data are expected to be available. For the components or systems for which TS changes are being considered, plant-specific data should be evaluated and assurance should be obtained that the data used are consistent with the plant experience. The use of other than plant-specific data should be justified.
When a generic analysis is being performed using a representative plant model, the use of generic data from similar plants is acceptable. The generic data should bound the specific plants under consideration, not an average plant.
A.2.1 Care in Using Plant-Specific Data
When plant-specific data are used to update input parameters of the PRA during a TS change evaluation (additional to that used during the latest update of the PRA), care should be taken that such data are consistently used both for the base case, where existing TS requirements apply, and the change case, where TS changes are incorporated. This is done to ensure that the increase in the risk measure obtained is due to the TS change only and not to the use of plant-specific data in aspects of plant operation.
This situation typically arises when recent plant-specific data are evaluated and reduced values of the parameters are obtained. Use of the reduced values may negate the risk increase from the TS change and may give an erroneous impression that the TS change has reduced the risk. When the base case is also updated, such difficulties are avoided. Sensitivity and uncertainty analyses should also be performed using the same set of input data.
A.2.2 Considerations When Generic Data Are Used
When generic data are used for the TS parameters in evaluating TS changes, the focus should be on justifying small changes that do not strongly depend on the data parameters. The reasons why generic data are being used and why generic data apply for plant-specific evaluations should be presented. In many cases, because of limited experience, the use of plant-specific data may result in very optimistic values, justifying the use of generic data.
A.2.3 Specific Data Needs
Basic data needed for a PRA-informed TS change evaluation for risk-informed regulation are those collected as part of the PRA. Comparative risk calculations for LCO changes require no additional data beyond those in the Full-Power Operations Level 1 and the Low Power/Shutdown Level 1 PRAs. The additional data needs for evaluating changes in TS requirements, such as STIs and AOTs, are discussed in this subsection.
A.2.3.1 Maintenance Downtime Data
Maintenance downtime data should be partitioned into plant-specific unplanned unavailability for unscheduled maintenance and planned unavailability for preventive maintenance or testing. For this purpose, data are needed on the frequency of events leading to planned and unplanned maintenance, i.e., the number of occurrences of each type of downtime event during a given time period, and the time interval that the component was out of service for each occurrence. These data are also needed for judging whether an adequate AOT is being provided to complete a repair. The distribution of downtimes also can be used to estimate the expected risk for a given AOT.
The distribution of time for unscheduled maintenance may shift when an AOT is being changed. For this reason, information about such an influence on the distribution is not expected to be available when the AOT change is being evaluated. The average downtime can be assumed to proportionally increase with the increase in the proposed AOT for downtimes associated with unscheduled maintenance. For scheduled (preventive) maintenance, the downtime assumed can be representative of plant practices (e.g., one-half of the AOT).
A.2.3.2 Maintenance Schedules and Frequency
These data include the maintenance scheduling used by the plant for defining the situations in which multiple equipment or system trains may be taken down for PM. These schedules are important to ensure that high risks from components being down simultaneously, implicitly allowed by the TS change, do not occur. The maintenance frequency or frequency of downtime for a component may be from 3 to 10 times higher than the failure frequency. Since AOTs can be used for maintenance, the frequency of maintenance should be incorporated in estimating the downtime frequency.
A.2.3.3 Data Relating to Component Testing
The following data related to component testing, in addition to those available as part of the PRA study, form part of a TS change evaluation relating to surveillance requirements.
* A list of the components being tested, any component realigned from the safety position during a test, duration of the test, and the test frequency recommended by the manufacturer
* The efficiency of the test (i.e., the failure modes detected by the test in regard to components, support system interfaces, and so forth). Bounding assumptions can be made if obtaining detailed data or related information is costly.
* Any potential for negative effects of surveillance testing (e.g., that may cause the potential for introducing plant transients, or that may cause unnecessary wear of the equipment) should be taken into account by the analyses. Preliminary evaluations can be used to determine whether a more detailed analysis should be performed.
* The test strategy used for the redundant components in a system (i.e., whether staggered or sequential testing is performed) should be stated. The standard PRA quantification assumes that components follow no specific schedule and are randomly placed with regard to one another. By staggering the test times of components in different trains, the test-limited risk contribution will be reduced for the same STIs as compared to the PRA assumption. Conversely, if the tests are carried out sequentially, the test-limited risk will increase compared to the PRA assumptions.
A.2.3.4 Parameters for Component Unavailability
The component unavailabilities used in a PRA contain a number of parameters that are relevant for evaluating TS changes. These parameters should be delineated, as modeled, to facilitate evaluations to be conducted and reviewed by the regulatory authority.
The following desirable parameters contributed to the estimated component unavailability:
* Component failure rate
* Component test interval
* Maintenance/repair downtime contribution (maintenance frequency, downtime for scheduled and unscheduled maintenance)
* Test downtime, if applicable
* Human errors following test or maintenance, if modeled
* Separation of cyclic-demand vs. standby time contribution, if modeled.
A.2.3.5 Separating Demand and Standby Time Contributions to Unavailability
Since the test-limited risk (typically defined as RD) is associated with a failure occurring between tests, the failure rate that should be used in calculating the test-limited risk should be the standby time-related failure rate, which is associated with what can occur while the component is in standby between tests. Test-limited risk contributes to increases in risk associated with longer test intervals caused by the longer time to detect standby-stress failures. The time-related failure rate is expressed in units per time period, such as per hour. For estimating RD, the data needed are the standby stress failure rate of the component and the proposed test interval.
The failure probability of a component consists of a time-related contribution (the standby time-related failure rate), and a cyclic, demand-related contribution (the demand stress failure probability). The latter is the probability contribution associated with failures that are caused by demanding, starting, or cycling the component, which include (but are not necessarily limited to) test-caused transients as discussed below in A.2.3.6.
Since the test-limited risk, RD, is associated with a failure occurring between tests, the failure rate that should be used in calculating the test-limited risk is the time-related standby stress failure rate. From the total number of failures on demand, the number of failures caused by standby stress and the number of failures from demand stresses can be partitioned by either an engineering analysis of failure causes or by a graphical method based on the relationship between the observed number of failures and the test interval lengths from which the failures came.
The test-caused contribution to risk is primarily composed of Rdown, the risk contribution that is due to the unavailability of equipment resulting from aligning equipment away from its preferred position/state to conduct a test, when there is no automatic return to the preferred position. The additional data needed for estimating this parameter are the surveillance test interval and the out-of-service time needed for each test.
Dividing the failure probability into a time-related and cyclic demand-related contribution results in a lower test-limited risk because only part of the component's failure rate is treated as time-related. However, treating only part of the failure rate as being time-related when this is not the case underestimates the test-limited risk; therefore, such a breakdown of the failure rate should be justified through data analysis or engineering analyses.
Also, sometimes only the failure probability (i.e., the component unavailability q) may be provided without giving a failure rate. In such a case, the effect of a change in the test interval cannot be evaluated unless the component test interval previously used for T is used to convert the unavailability q in terms of λ and T. When the breakdown between time-related and cyclic demand-related contribution is unknown, all failures can be assumed to be time-related to obtain the maximum test-limited risk contribution.
In summary, the data required for measuring a change in risk with a change in the surveillance test interval are a breakdown of the failure probability of the component into its time-related and demand-related components, the proposed test interval, and the out-of-service time for surveillance testing for the component.
A.2.3.6 Test-Caused Transients
To evaluate and identify the test-caused transients risk (typically defined as Rc), transient events should be analyzed and those caused by a test should be identified. In most cases, this requires reading through the description of transients that have occurred and noting those caused by the test. When longer test intervals are allowed, the resulting reduction in test-caused transients per unit time tends to cause decreases in risk because there are fewer adverse effects of testing over that longer test interval (which, however, will be partially or wholly balanced by increases in RD that are caused by the longer time period before detection and correction of failures).
The transient events are obtained from the following plant operating data:
(1) Performance indicator reports: These reports list the number of reactor trips and safety system actuations at each plant, the date of the events, and the numbers of the relevant licensee event reports (LERs).
(2) LER system: Reactor trips are described in LERs.
When test-caused transients for a single plant are evaluated, the plant-specific data may be sparse unless the plant's operating experience covers a substantial period. When this is the case, more data may be used from the operating experience of other plants of similar vintage (for example, other BWR/4s) assuming that the likelihood of occurrence of test-caused transients is similar for all the plants in the data base. (The performance indicator reports categorize plants according to design classes.) Testing, however, tends to be very plant-specific, so that cross-plant data applicability must be evaluated in detail.
A.2.3.7 Data for Evaluating Transition Risk
Data available in a PRA for full-power operation provide the basic information for evaluating the transition risks when a plant is being shut down for an LCO. In addition, the PRA for low-power and shutdown operations, if available, will significantly ease the acquisition of the data necessary for evaluating the risk of shutdown. The low-power and shutdown PRAs typically contain relevant data, such as the durations of shutdown phases and the frequencies of initiators that may occur during shutdown operation (e.g., loss of RHR).
The full-power PRA is available for most operating plants, but the low-power and shutdown PRAs are only available for some plants. Hence, the data needed to evaluate transition risk are discussed here, assuming that only data from a full-power PRA are available.
(1) Plant-specific data on shutdown operations: To analyze shutdown phases in detail, plant-specific information may be needed, such as operating and abnormal procedures, shift supervisor's log books, or monthly operating reports. From this information, data on timing of the plant shutdown and operational preferences of equipment during plant shutdown can be extracted.
(2) Plant-specific traditional data: The evaluation of heatup and recovery scenarios, including estimates of heatup time, requires some design data on the plant, such as the temperature of the ultimate heat sink or the cooling capacity of the RHR system. These data typically are available from the plant's final safety analysis report (FSAR).
(3) Frequency of transients during controlled shutdown: The LERs for the plant may need to be reviewed in order to evaluate the likelihood of transients during controlled shutdown. The likelihood of a transient during a shutdown may be different from that during power operation (this should be considered).
REFERENCE
1. P.K. Samanta and I.S. Kim, "Handbook of Methods for Risk-Based Analyses of Technical Specifications," NUREG/CR-6141, USNRC, December 1994.¹

¹ Copies of NUREG-series documents are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (telephone (202)512-2249); or from the National Technical Information Service by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW, Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.
Value/Impact Statement
A draft value/impact statement was published with the draft of this guide, DG-1065, when it was published for public comment in June 1997. No significant changes were necessary from the original draft, so a separate value/impact statement for the final guide has not been prepared. A copy of the draft value/impact statement is available for inspection or copying for a fee in the Commission's Public Document Room at 2120 L Street NW, Washington, DC.