Pergamon
www.elsevier.com/locate/pnucene

Progress in Nuclear Energy, Vol. 39, No. 3-4, pp. 367-425, 2001
© 2001 Elsevier Science Ltd. All rights reserved
Printed in Great Britain
PII: S0149-1970(01)00021-X 0149-1970/01/$ - see front matter

RECENT APPLICATIONS OF PSA FOR MANAGING NUCLEAR POWER PLANT SAFETY

IAN B. WALL, a JOHN J. HAUGH, b DAVID H. WORLEDGE c

a Consultant, 81 Irving Avenue, Atherton, CA 94027
b EPRI, Palo Alto, CA 94303
c Consultant, 313 Nobles Lane, Corrales, NM 87048

ABSTRACT

The safety design and regulation of nuclear power plants has traditionally been based upon deterministic approaches that consider a set of challenges to safety, e.g. design basis accidents, and determine how those challenges should be handled. The approach has been very successful since no plant designed or regulated to United States standards has ever harmed a member of the public. The arbitrary nature of these safety criteria, the potential inconsistencies in the judgments on relative probabilities, and the lack of definition for ‘safety’ became increasingly evident during the 1960s. Probabilistic approaches to reactor safety were proposed1, 2, 3 but did not take off in the United States until publication of the Reactor Safety Study4 in 1975. Even as the methodology matured, there remained a challenge to integrate it into the regulatory process. This article will describe this integration process. A probabilistic approach to regulation enhances and extends the traditional deterministic approach by introducing the concept of safety (risk) significance that allows the designer/operator to focus on important issues. Emphasis was initially placed on relative risk but now regulatory decision-making is employing both relative and absolute risk. Measures of importance will be defined. Risk information can be used to prioritize the allocation of resources and three examples will be described. Equipment configuration control systems are being installed and used at nuclear power plants to enhance safety and to reduce Operating and Maintenance costs; they will be described. Finally, the US Nuclear Regulatory Commission’s introduction of risk-informed decision-making into the regulatory process will be discussed. © 2001 Elsevier Science Ltd. All rights reserved.




BACKGROUND

The landmark Reactor Safety Study4 (WASH-1400) was published in 1975. It was the first large-scale probabilistic assessment of reactor safety and was widely circulated within the United States and throughout the world. It was immediately evident to its authors that the probabilistic methodology had a large potential to improve the regulation and licensing of nuclear power plants by focusing attention on significant safety issues. However, it was unclear how the methodology should be integrated into the regulations. Moreover, other issues needed to be addressed. First, the study became the centerpiece of a fierce political controversy over the use of nuclear power in the US that, in the short term, obscured the general acceptance of its methodology and findings within the knowledgeable scientific community. This controversy undoubtedly delayed implementation of the technology into the US regulation of nuclear power plants. Second, there was a lack of congruence between the Reactor Safety Study’s engineering insights and the existing licensing focus of the US Nuclear Regulatory Commission (NRC).5 Unsurprisingly, the NRC staff needed time to satisfy themselves on the validity and value of the probabilistic methodology and to identify the appropriate integration approach. Third, before the methodology could be implemented, both industry and the NRC needed to train cadres of staff with the necessary expertise.

The 1979 accident at the Three Mile Island 2 nuclear power plant provided some indirect validation of the Reactor Safety Study (RSS). The sequence of events had been analyzed in the study, albeit for a different reactor design for which it was unimportant. More importantly, the accident confirmed a major RSS insight that small Loss of Coolant Accidents (LOCA) were more important than large LOCAs and therefore warranted more attention. Second, given the accident sequence and the degree of fuel melting, the quantities of radioactive materials released to the atmosphere were orders of magnitude smaller than those which would have been predicted by the then current licensing models and somewhat smaller than Reactor Safety Study predictions.6 These observations led the Kemeny Commission,7 appointed by President Carter, and the Rogovin Inquiry,8 appointed by the NRC Commissioners, to recommend greater use of risk assessment in the regulatory process. They also stimulated very large programs of analytical and experimental studies of severe accident phenomena.

As a result of the Kemeny and Rogovin recommendations and the increased understanding of severe accident phenomena, the NRC and industry began to do PSAs a for different reactor designs. The motivations for these activities were threefold: to refine and standardize the methodology, to explore how risk insights varied for different reactor designs, and to train NRC staff, contractors, and utility engineers in applying the methodologies. Several procedural guides were published, most notably the PRA Procedures Guide9 prepared under the auspices of the American Nuclear Society and the Institute of Electrical and Electronics Engineers. A dozen or so plant-specific PSAs exposed relatively unique vulnerabilities to severe accidents; generally the undesirable risk from these unique features was reduced by low-cost changes in procedures or minor design modifications. All these studies confirmed the general insights of the Reactor Safety Study. A particular example of the last-named activity was the Oconee PSA10 sponsored by Duke Power and EPRI that involved personnel from many utilities. Two of the most comprehensive studies were done, in 1980-82, for the Zion and Indian Point plants,11, 12 about which NRC was expressing concern because of their relatively high population areas. The Indian Point study was the subject of a public adjudicatory hearing that concluded that its safety was acceptable.

The largest, most comprehensive, and most sophisticated of these ‘research’ studies was the NRC’s evaluation of five LWR reactor designs (NUREG-1150)13 which was published in 1990. This study assessed the health risks to the public from not only internal initiators but also from earthquakes and fires. It also examined the uncertainties in the estimated risks by assigning uncertainties to the input parameters and models and by propagating them to uncertainties in core damage frequency, magnitudes of radioactive releases, and public health effects. In part, the study was an update of the Reactor Safety Study (WASH-1400). Comparisons between the two studies showed that, during the 15 years since WASH-1400, refinements in the methodologies and increased information about the reliability of components and severe accident phenomena had lowered the core damage frequencies slightly and had reduced the source term (composition and quantities of radioactive materials released as a result of a severe accident) by about a factor of twenty.14 Further, NUREG-1150 calculated larger uncertainty intervals for the core damage and large early release frequencies than those estimated in WASH-1400. Finally, NUREG-1150 concluded that commercial nuclear power plants imposed even smaller risks on the public than had been predicted in WASH-1400 and fully met the NRC’s safety goals to be discussed in the following paragraph.

a The terms Probabilistic Risk Assessment (PRA) and Probabilistic Safety Analysis (PSA) are used by different groups to describe the same scope of work. The latter term has been adopted by the International Atomic Energy Agency and is preferred by most professionals in the field. However, many, mostly older, references use the former term.

In parallel with the above activities, the NRC was formulating its policies with respect to severe accidents. In 1986, in response to one of the Kemeny Commission’s recommendations and following many public workshops and meetings, the NRC published15, 16 a final Policy Statement establishing qualitative safety goals for the operation of nuclear power plants, and quantitative health objectives (QHOs) to be used in determining achievement of these goals.b The specific goals and QHOs are beyond the scope of this paper and the reader is referred to the referenced reports.c In 1985, the NRC published19 a Policy Statement on severe reactor accidents. This policy statement had several elements of which the following are germane to this article. The Commission (NRC) concluded that, on the basis of currently available information, existing plants posed no undue risk to public health and safety. Recognizing that plant-specific PSAs had yielded valuable insights into unique plant vulnerabilities to severe accidents, the Commission announced a future expectation that owners of each operating reactor would be expected to perform limited-scope PSAs.

In 1988, the NRC requested20 plant licensees to complete Individual Plant Examinations (IPE) for each operating reactor within three years. The objective of the examinations was to identify severe accident vulnerabilities. The Generic Letter20, 21 specified the scope of the IPE to be a Level 1 d and limited Level 2 PSA. Seventy-five IPEs analyzing 108 nuclear power plant units were submitted to the NRC which later summarized their results in a report.22 In 1991, the NRC requested23, 24 plant licensees to complete IPEs for external events (IPEEE). The NRC has made available a preliminary summary25 of the results of these examinations. All this work has provided to the NRC and utilities a comprehensive database of the risk profiles of every operating nuclear power plant within the United States. It provides to NRC the basis for introducing risk information into its regulations and to each utility the opportunity to take advantage of such information to make low cost improvements to their operations.

b The NRC plans to modify17, 18 this reactor Safety Goal Policy Statement to relate it to the recent Regulatory Guide.73
c The 1998 Acceptance Guidelines described in NRC RISK-INFORMED REGULATIONS are consistent with these safety goals.
d As described in reference 9, PSA scopes are categorized as Levels 1, 2, and 3. Level 1 is the systems analysis with an end-state of Core Damage Frequency (CDF), Level 2 analyses the physical processes of the accident including the containment response with an end-state of Large Early Release Frequency (LERF) and the quantities and compositions of the radioactive materials released to the atmosphere (source term), and Level 3 analyses the transport of radioactive material through the environment and estimates the public health and economic consequences of the accident.


BEYOND THE INDIVIDUAL PLANT EXAMINATIONS

Having completed Individual Plant Examinations for every operating nuclear power plant within the United States, industry and NRC focused upon using the risk information. They quickly focused on importance measures that provide information on which components, procedures, and human actions are risk significant. The earliest reference to importance measures is by Birnbaum.26 The concept was brought to the attention of nuclear system analysts by Lambert27 and extended and applied to reactor safety by Vesely.28, 29

The failure of a system can be related to basic events by a Boolean model, usually a fault tree. Basic events can include hardware failure, human error, external events, e.g. earthquake, or component unavailability due to test or maintenance, etc. If the basic event probabilities are known, the failure probability of the system can be estimated and the relative importances of individual causes to that failure probability can be calculated. By using a PSA or IPE that relates the basic event probabilities for individual components to a Core Damage Frequency (CDF) e or Large Early Release Frequency (LERF), this concept can be applied to reactor safety. There are several measures of importance which are defined in APPENDIX A and whose interpretations will be discussed in the following section.

In a briefing30 of the NRC Commissioners and in several papers,31-33 Specter and Brons observed a serious distortion in the allocation of resources when deterministic practices were evaluated through the prism of PSA. There was a lack of attention to important safety concerns, e.g. configuration control, and a squandering of industry and NRC staff resources on low safety significance items. For many years, Vesely et al.34-37 had been pointing out that the Core Damage Frequencies being estimated in PSAs and IPEs were average values and that, during the periods when selected components, trains, or systems were taken out of service for testing or maintenance, the CDF could be up to 100 times higher. Specter31, 32 pointed out that this allowed variation in CDFs (by then current NRC regulations) was larger than the uncertainties in the baseline CDF that were often cited as an impediment to the use of PSA in the regulatory process. This comparison is distinctly shown in Figure 1.f It became manifest to NRC and utilities that risk-informed equipment configuration control was important to safety. The development of such systems will be described in EQUIPMENT CONFIGURATION CONTROL.

In the briefing,30 Specter pointed out that, after ranking components according to their contribution to Core Damage Frequency, of ~100,000 active components in a power plant, “50 to 500 or 0.5% of the total number control/determine about 90% of the CDF.” g By focusing more resources, e.g. QA, regular testing, preventive maintenance, on these 500 components and by allocating fewer resources to the other 99,500, utilities could simultaneously enhance the safety of their power plants and reduce Operating and Maintenance costs. In practice, there are additional active and passive components whose failure would seriously challenge a plant. Nevertheless, only a very small fraction of the components is truly significant to safety. Attention to the multitude of low risk significant components wastes both NRC staff and industry resources.

e In this context, a CDF or LERF is called a figure of merit.
f This figure will be explained in EQUIPMENT CONFIGURATION CONTROL.
g Analyses by the New York Power Authority have found that 283 and 555 components contribute 95% to the CDFs of its Indian Point 3 and Fitzpatrick plants respectively.38, 39 When considering such numbers, it is important to recognize that the definition of ‘component’ varies from application to application. For example, a diesel-generator might be considered as a single component in a PSA but as 5000 components in a graded QA process (see Table 5).
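To make the ranking and the outage comparison concrete, the following Python code is an added example that is not from the paper, the Specter briefing, or any cited PSA. It builds a toy cut-set model whose basic events, probabilities and minimal cut sets are all constructed (and far coarser than a real plant model), combines them with the rare-event approximation, ranks components by Fussell-Vesely importance, finds the smallest group of components whose accident sequences jointly account for 90% of the CDF, and evaluates the CDF multiplier for single and double outage configurations of the kind plotted in Figure 1.

```python
"""Toy PSA cut-set model: baseline CDF, importance ranking and outage
configurations. Events, probabilities and cut sets are constructed for this
example and are not taken from any PSA or IPE cited in the paper."""

# Constructed basic-event data. Names beginning with IE- are initiating-event
# frequencies (per reactor-year); the rest are basic event probabilities
# (failure on demand, or unavailability) of components and operator actions.
EVENTS = {
    "IE-LOOP": 0.05, "IE-TRANS": 1.0, "IE-SLOCA": 1e-3,
    "DG-A": 0.02, "DG-B": 0.02, "CCF-DG": 5e-4,
    "AFW-P1": 0.01, "AFW-P2": 0.01, "AFW-TDP": 0.03, "CCF-AFW": 2e-4,
    "OP-FB": 0.1,
    "HPI-A": 0.005, "HPI-B": 0.005, "CCF-HPI": 2e-3,
    "RHR-A": 0.01, "RHR-B": 0.01,
}

# Constructed minimal cut sets: an initiator plus the coincident failures that
# together lead to core damage (one accident sequence each).
CUT_SETS = [
    ("IE-LOOP", "DG-A", "DG-B"),
    ("IE-LOOP", "CCF-DG"),
    ("IE-LOOP", "DG-A", "AFW-TDP"),
    ("IE-TRANS", "CCF-AFW", "OP-FB"),
    ("IE-TRANS", "AFW-P1", "AFW-P2", "AFW-TDP", "OP-FB"),
    ("IE-SLOCA", "HPI-A", "HPI-B"),
    ("IE-SLOCA", "CCF-HPI"),
    ("IE-SLOCA", "RHR-A", "RHR-B"),
]


def _probabilities(overrides=None):
    probs = dict(EVENTS)
    probs.update(overrides or {})
    return probs


def cut_set_value(cut_set, probs):
    """Frequency of one accident sequence: product of its event probabilities."""
    value = 1.0
    for event in cut_set:
        value *= probs[event]
    return value


def cdf(overrides=None):
    """Core damage frequency as the sum of cut-set values (rare-event
    approximation). `overrides` maps event -> probability, e.g. 1.0 for a
    component out of service or 0.0 for a component assumed perfect."""
    probs = _probabilities(overrides)
    return sum(cut_set_value(cs, probs) for cs in CUT_SETS)


def components():
    """Rankable items: every basic event that is not an initiator."""
    return [e for e in EVENTS if not e.startswith("IE-")]


def fussell_vesely(event):
    """FV = (CDF - CDF with the event's probability set to 0) / CDF."""
    base = cdf()
    return (base - cdf({event: 0.0})) / base


def rank_by_fv():
    """Components in decreasing order of FV importance (ties keep input order)."""
    return sorted(components(), key=fussell_vesely, reverse=True)


def components_controlling(fraction):
    """Shortest prefix of the FV ranking whose accident sequences jointly
    account for at least `fraction` of the baseline CDF. A sequence shared by
    several chosen components is counted once, so this is a true joint share
    rather than a sum of the (non-additive) FV values."""
    probs = _probabilities()
    base = cdf()
    chosen = []
    for event in rank_by_fv():
        chosen.append(event)
        covered = sum(cut_set_value(cs, probs) for cs in CUT_SETS
                      if any(e in cs for e in chosen))
        if covered / base >= fraction:
            return chosen
    return chosen


def configuration_factor(out_of_service):
    """CDF with the listed components out of service (probability 1.0) divided
    by the baseline CDF: the multiplier plotted per outage configuration in
    Figure 1. For a single component this ratio is its RAW. The rare-event sum
    overstates the result once the configuration CDF approaches 1 per year."""
    return cdf({e: 1.0 for e in out_of_service}) / cdf()


if __name__ == "__main__":
    print(f"baseline CDF = {cdf():.3e} per reactor-year")
    for event in rank_by_fv():
        print(f"{event:8s} FV = {fussell_vesely(event):.4f}")
    top = components_controlling(0.9)
    print(f"{len(top)} of {len(components())} components control 90% of CDF: {top}")
    print(f"DG-A out of service: CDF x {configuration_factor(['DG-A']):.1f}")
    print(f"DG-A and DG-B out:   CDF x {configuration_factor(['DG-A', 'DG-B']):.0f}")
```

In this toy model four of thirteen components control 90% of the CDF, and taking the single highest-FV diesel out of service multiplies the CDF by about 26 while a double outage of both diesels pushes it far higher; the joint-share loop in `components_controlling` is the piece to keep when applying the idea to a real cut-set list, because summing FV values double counts shared sequences.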

[Figure 1: bar chart of Core Damage Frequency on a logarithmic axis from 1.0E-07 to 1.0E+00, with the horizontal axis showing the Baseline CDF and the Single, Double, Triple and Quadruple outage configurations.]

Figure 1. Range of Variation of Core Damage Frequency (CDF) due to Different Component Configurations. Baseline CDF uncertainty is 90% confidence interval. (Modified from reference 37)

In the same briefing,30 a paper,33 and a letter,40 Specter and Brons pointed out the very high costs of ‘safety-related’ components. For several common components, they compared the initial procurement costs for ‘safety-related’ items that satisfied NRC’s Quality Assurance requirements to the same items available commercially, sometimes at the local hardware store. For expensive components, e.g. over $1 million, the safety-related items cost 3 to 7 times more than the commercial items. For lower cost items, e.g. $20, the cost ratio was up to 100. Many items, e.g. O-rings and setscrews, were identical but the commercial ones lacked the required QA provenance. It was also noted that commercial items were often used in less controlled and more stressful environments than a nuclear power plant. The initial cost differential is compounded by costly inventory and warehousing requirements for ‘safety-related’ items. An Institute of Nuclear Power Operations (INPO) study41 compared the failure rates of pairs of components, one ‘safety-related’ and one commercial, and found no statistically significant difference.

The observation that an important safety concern, e.g. configuration control, was being overlooked while great amounts of NRC staff and industry resources were being wasted on low safety significance issues provided a powerful impetus for more risk-informed regulation. As a result, with the support of EPRI and the Nuclear Energy Institute and the cooperation of the NRC, the utilities have performed pilot studies in graded quality assurance, inservice testing, and technical specifications. These studies used the risk information available in their plant-specific PSAs or IPEs to support a more focused use of resources; they will be described in later sections. In 1995, the NRC issued a policy statement42 on the use of PSA methods in nuclear regulatory activities. This statement was followed, in 1998, by Regulatory Guides and Standard Review Plan (SRP) chapters for risk-informed regulation that will be discussed in NRC RISK-INFORMED REGULATIONS.

The final examples of a risk-informed approach to reactor safety and regulation are the Maintenance Rule43 and Primary Containment Leakage Rate Testing.44 They incorporate the significant additional concept of adapting requirements on the basis of performance. The Maintenance Rule is described as a risk-informed performance-based rule.h In this context, the PSA results are used to 1) determine which SSCs are risk significant and therefore must be most closely monitored, 2) determine the numerical targets or performance criteria that should normally be achieved by these SSCs, and 3) limit the equipment that is permitted to be out of service simultaneously for preventive maintenance. ‘Performance-based’ refers to assessing the effectiveness of maintenance by measuring the reliability actually achieved by components, or their condition, rather than by focusing on programmatic compliance to address maintenance issues. If an SSC is observed to be under-performing, the utility is required to perform a cause evaluation that may lead to the frequency or scope of its preventive maintenance being adjusted.

The NRC’s determination that a maintenance rule was needed rested primarily on the conclusion that proper maintenance is essential to plant safety. There is a general consensus that effective maintenance and safety are linked as measured by such factors as number of transients and challenges to safety systems and the associated need for operability, availability and reliability of safety equipment. Minimizing challenges to safety systems is consistent with the NRC’s defense-in-depth philosophy and is clearly important in protecting the public health and safety.

Industry has interpreted this regulation as requiring a) the monitoring of the number of failures and unavailability for risk significant SSCs and comparing their performance against individual numerical targets that are derived to be consistent with PSA results, and b) the monitoring of the rest of the SSCs in the scope of the rule against plant level targets. The identity of the risk significant SSCs is decided by a panel of experienced plant engineers who review and interpret measures of risk calculated for the equipment in the plant PSA. The rule is thus being implemented in a way that is definitely risk-informed, by using data from ongoing performance monitoring, and by comparing these data to criteria and goals established by licensees themselves (although subsequently approved by NRC inspectors). The rule has been implemented by using plant programs that are to a significant degree at the discretion of the licensee.

Prior to 1995, primary containment leakage rate testing requirements were explicit and compliance-based as specified in Appendix J, 10 CFR 50 (reference 46). The regulatory safety objective, as stated in General Design Criterion 16,47 was an essentially leak-tight barrier against the uncontrolled release of radioactive material for postulated accidents. It required a leakage test of the primary containment every two or so years and allowed only very small leakage rates. However, technical studies and risk evaluations48 have consistently shown that design basis containment leakage is a relatively minor contributor to accident risk. Reactor accident risk is dominated by accidents in which containment fails or is bypassed. Some studies indicated that significant, 100-200 fold, increases in allowable leakage rates could be accommodated without setting the public at risk. Furthermore, performance of these leakage tests was very costly in terms of labor, occupational radiation doses, equipment, and replacement power; for the US, a present value of ~$1 billion over the next 20 years.44 For these reasons, the NRC studied the issue under its Marginal-to-Safety Program and worked with industry to introduce, in 1995, an Option B to Appendix J.44 Option B establishes a performance-based approach to primary containment leakage testing. When two previous tests demonstrate leakage to be within the allowable limit, the time interval before the next test may be significantly extended. This change is expected to reduce the above costs by ~$500 million.44 The risk-informed performance-based option for Appendix J will be discussed in a later section.

h This concept is concisely defined in a recent NRC Commission Policy and Guidance.45


INTERPRETATION AND USE OF IMPORTANCE MEASURES

Definitions of Importance Measures

Importance measures are defined in APPENDIX A from a simple but exact expression for the core damage frequency (CDF). i In order to facilitate the following discussion, this expression is repeated here. The CDF is computed from multiple accident sequences representing different combinations of structures, systems, or components (SSCs) being unavailable j for one reason or another and thereby causing core damage. Since each SSC appears as a factor in many accident sequences but at the most once in each, the CDF can be represented as a linear function of any specified SSC’s basic event probability, P, as follows:

CDF = a × P + b (1)

where aP is the sum of all the accident sequences which contain P, and b represents all other accident sequences. The value of the parameter a is the weighted and combined frequency of initiating events and basic event probabilities of other SSC(s) whose coincident failure(s) are necessary for core damage to occur. It should be emphasized that this simple formulation exactly represents changes in a CDF as a function of a change in the basic event probability of one component at a time. If simultaneous changes in the basic event probabilities of multiple components are being considered, a more complex representation would be needed which is discussed in APPENDIX A.

In APPENDIX A, the usual importance measures are derived from equation (1) and thereby defined. They are Fussell-Vesely (FV), Risk Reduction Worth (RRW), Risk Achievement Worth (RAW), and Birnbaum (B) importances. The reader is referred to APPENDIX A for more detailed description.

Interpretation and Use of Importance Measures

The above importance measures are being used by many utilities to identify risk-significant SSCs as input to risk-informed regulation. By focusing resources on the risk-significant SSCs, they expect to reduce O&M costs while maintaining or improving safety. Definitions of the importance measures appear in many documents.26-29 However, there is widespread misunderstanding of their interpretation and use, especially of the Risk Achievement Worth. The mathematical definitions in APPENDIX A focus their use more precisely and bring additional facts to light. Second, there are genuine limitations in the use of importance measures that are not always appreciated. This subsection addresses both issues.

As shown in APPENDIX A, the Fussell-Vesely (FV) and Risk Reduction Worth (RRW) importances are entirely equivalent concepts although expressed slightly differently. Since it is more directly related to the figure of merit, i.e. CDF or LERF, the Fussell-Vesely importance measure is usually preferred. As shown in APPENDIX A, FV is proportional to the basic event probability, P, of the specified SSC and therefore expresses long-term average effects of the SSC’s performance. For an SSC with a large FV, it is important not to allow its long-term average basic event probability to increase either due to its degradation or by increasing its testing interval. For such an SSC, Quality Assurance and regular testing are important. Conversely, for the many SSCs having a very small FV, e.g. 0.5%, a ten-fold increase in an individual P would increase the baseline CDF by ~5%.k It should be noted that both CDF (and LERF) and P are probabilities averaged over a long time period. Consequently, FV is an average value for the same time period.

i The discussion is based on the CDF but the same arguments apply to the large, early release frequency (LERF).
j The more general term is basic event probability, which encompasses unavailability due to an undetected failure, unreliability due to failure upon demand or failure to run, and unavailability due to test and maintenance. The term ‘basic event probability’ is used in this article unless unavailability is more appropriate.

As shown in APPENDIX A, the Risk Achievement Worth (RAW) is the increase in risk, viz. CDF or LERF, when a specified SSC is assumed to be failed or taken out of service, i.e. its P is assumed to be unity during the period of interest. Some reports have interpreted a high RAW value as reflecting the importance of a component if it was permanently failed or as a measure of extreme degradation in its reliability. While it is true that, under such circumstances, the average CDF (over a long time period) would be increased by the RAW ratio, such an interpretation is misleading because the meaning of RAW is restricted to the period of unavailability and the condition is unlikely to be permanent. The more likely scenario is that the component is taken out of service for testing or maintenance, during which time period the CDF would be increased by the RAW ratio. The other interpretation is the immediate increase in risk when a component fails upon demand and is unavailable until it is repaired.

More fundamentally, it is shown in APPENDIX A that the RAW importance of an SSC is determined by the system configuration with respect to that SSC, viz. its values of a and b, rather than its basic event probability, P. A high RAW value is neither a reliable measure of the importance of avoiding degradation nor of maintaining short testing intervals. It is a measure of the importance of promptly returning a component to service following a failure, testing, or maintenance. A human error on this action would significantly increase the CDF. The FV value, on the other hand, is a reliable indicator of the importance of avoiding degradation or of maintaining short testing intervals. Vesely is making the same distinction when he observes that FV measures the importances of occurring events, e.g. occurring failures, whereas RAW measures the importances of existing conditions, e.g. existing failures.49
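The following Python code is an added worked example, not part of the paper’s APPENDIX A, that carries equation (1) through to the four measures defined there and checks the two points made in this section: that a ten-fold increase in P for a low-FV SSC raises the CDF by roughly FV × 9 (about 5% for FV = 0.5%), and that RAW is fixed by a and b while FV tracks P. The values of a, b and P are constructed for the illustration and the three named SSCs are hypothetical.

```python
"""Importance measures of one SSC from the linear form CDF = a*P + b of
equation (1). The a, b and P values used below are constructed and are not
taken from any plant PSA."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Importance:
    cdf: float                     # a*P + b
    fussell_vesely: float          # FV  = (CDF - CDF at P=0) / CDF = aP / (aP + b)
    risk_reduction_worth: float    # RRW = CDF / CDF at P=0        = (aP + b) / b
    risk_achievement_worth: float  # RAW = CDF at P=1 / CDF        = (a + b) / (aP + b)
    birnbaum: float                # B   = dCDF/dP                 = a


def importance(a, b, p):
    """All four measures of APPENDIX A for an SSC with basic event probability
    p, given the coefficients a and b of equation (1)."""
    base = a * p + b
    return Importance(
        cdf=base,
        fussell_vesely=a * p / base,
        risk_reduction_worth=base / b,
        risk_achievement_worth=(a + b) / base,
        birnbaum=a,
    )


def cdf_increase(a, b, p, factor):
    """Fractional CDF increase when P is multiplied by `factor`. From equation
    (1) this equals FV * (factor - 1), which is why a low-FV SSC tolerates a
    much longer test interval without moving the CDF."""
    base = a * p + b
    return (a * p * factor + b - base) / base


def raw_and_fv_after_doubling(a, b, p):
    """(RAW before, RAW after, FV before, FV after) when P doubles: RAW is
    fixed by the system configuration (a, b) while FV follows P."""
    before = importance(a, b, p)
    after = importance(a, b, 2 * p)
    return (before.risk_achievement_worth, after.risk_achievement_worth,
            before.fussell_vesely, after.fussell_vesely)


if __name__ == "__main__":
    # Constructed hypothetical SSCs, each in a plant with CDF = 1.0e-4 per year.
    low_fv = importance(a=5e-5, b=9.95e-5, p=0.01)    # FV = 0.5%
    high_fv = importance(a=1e-3, b=5e-5, p=0.05)      # FV = 50%
    high_raw = importance(a=2e-3, b=9.8e-5, p=1e-3)   # FV = 2%, RAW about 21
    for name, imp in [("low FV", low_fv), ("high FV", high_fv), ("high RAW", high_raw)]:
        print(f"{name:9s} FV={imp.fussell_vesely:.3f} RRW={imp.risk_reduction_worth:.2f} "
              f"RAW={imp.risk_achievement_worth:.2f} B={imp.birnbaum:.1e}")
    print("ten-fold P on the low-FV SSC raises CDF by",
          f"{cdf_increase(5e-5, 9.95e-5, 0.01, 10):.1%}")
    print("doubling P on the high-RAW SSC (RAW, RAW, FV, FV):",
          raw_and_fv_after_doubling(2e-3, 9.8e-5, 1e-3))
```

Running it shows FV = 1 − 1/RRW holding exactly for every SSC, the low-FV SSC’s CDF rising 4.5% for a ten-fold P, and the high-RAW SSC keeping a RAW near 21 while its FV doubles; that last pair is the numerical form of the distinction between occurring events and existing conditions.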

Several applications of risk information, including Inservice Testing and Graded Quality Assurance dis- cussed in this article, use a PSA to rank SSCs according to their risk significance and then to assign more or less stringent safety requirements to high and low significance SSCs respectively. Analysts using such rankings should be aware of their limitations and potential for misassignment.4gT 50, 5’ The first caution is that importance measures and risk significance apply to events, not components. As shown in APPENDIX A, FV importance is proportional to aP. When ascribed to a specified SSC, it is a weighted average of many accident sequences in which the SSC participates. Its FV importance will be underestimated if either the frequencies of the initiating events and of other SSCs contributing to these sequences (parameter a) are un- derestimated or, conversely, the frequencies of accident sequences in which the specified SSC does not par- ticipate (parameter b) are overestimated. In this sense, the FV importances of components X and Y are not independent. Second, it is easy to underestimate the importance of an SSC since its contribution may be ‘buried’ in the PSA model, e.g. within initiating event data. Third, when considering an SSC’s importance, an analyst needs to examine the handling of common cause failures. Such basic events act upon more than

one SSC; they must neither be ignored nor double counted. Fleming 50 poses an important question in asking “To what is the importance ascribed?”

As another caution, Fleming 50 provides an example of the need for an analyst to look beyond a ranked list of SSCs for underlying causes. His example shows a typical list of components ranked by their FV importance. However, a careful review of the underlying accident sequences shows that those associated with a reactor coolant pump (RCP) seal LOCA contribute greatly to the importance of each of the SSCs, but this common dependence is not evident in the original list. By separating out these sequences, one not only highlights the true importance of a RCP seal LOCA but also changes the ranking of the SSCs. Two other cautions are addressed in INSERVICE TESTING-Methodology.

k This statement only applies to a specific SSC. If the basic event probabilities of multiple SSCs are increased, the cumulative impact on the CDF or LERF should be examined.


INSERVICE TESTING


Background

The structural integrity and reliable performance of piping, pumps, and valves are critical to the safety of nuclear power plants. Their conservative design is achieved by conformance to the requirements in the American Society of Mechanical Engineers (ASME) Boiler & Pressure Vessel Code.52 Since many of the active components are in a standby mode, i.e. they are only required to operate very occasionally in response to transients, they are susceptible to undetected failures. Such failures are detected by regular inservice testing (IST) as specified in the ASME Operations and Maintenance Code.53 Both these codes are incorporated by reference 54 into NRC’s regulations.

There have been continuing concerns about the performance of pumps and valves in safety-related systems. In a 1989 Generic Letter,55 the NRC requested licensees to establish programs to ensure the capability of all Motor Operated Valves (MOV) to perform their safety function. In partial response to that letter, many licensees decided to rank the MOVs in their plants according to their risk-significance in order to prioritize the required work. A methodology for this process is described in reference 56. In parallel with this activity, the NRC 57 requested the ASME O&M Committee to consider revising existing requirements for inservice testing to ensure the ability of certain pumps and valves to perform their intended hydraulic and mechanical safety functions. More specifically, the requested revisions would have expanded the scope of the Code to include additional components, required verification of safety functions, and required such verification be accomplished at design basis conditions. By using the NRC’s PSA models and data, an EPRI evaluation 58 documented that the potential safety benefits and associated costs of the revisions would not meet the criterion in the Backfit Rule 59 of a ‘substantial increase in the overall protection of the public.’ The evaluation further noted that the typical plant had about 30 pumps and 500 valves in its IST program. If these IST components were assigned to high and low risk significant categories, NRC’s requested revisions would be cost effective for the high category. Conversely, a relaxation of the existing ASME IST code requirements for the low category would reduce costs without losing significant safety benefits.

With this background, EPRI initiated a Risk-Based IST Pilot Project, involving ten nuclear power plant units, to support component importance ranking and the development of IST programs for less risk significant equipment. The pilot plants were selected to encompass a broad spectrum of NSSS models, architect/engineers, and plant vintages. The ASME already had an ongoing research program to determine how risk-based methods could be used to establish inspection requirements and its Center for Research and Technological Development now formed a Risk-Based IST Research Task Force to support this EPRI project and to ensure that the resultant methodology could be integrated into ASME Codes.60 The methodology will be described in the following subsection.

By using risk information to delineate between high and low risk significant components, utilities hoped to focus their inservice testing and thereby reduce O&M costs while maintaining or improving safety. More specifically, they expected to lengthen the testing interval for the large number of low risk significant components while maintaining or shortening the interval for the small number of high risk components.l The focus of the project was not to reduce the number of components within the scope of an IST program but rather to optimize what is tested and how frequently. TU Electric submitted the first application to NRC for risk-informed changes to the inservice testing program at its Comanche Peak plant; its overall findings will be summarized later.

l There is an ancillary potential benefit from such a program. The use of different testing intervals for like components could produce valuable performance databases that relate component degradation to test interval.

Methodology

The starting points for analysis are the plant’s PSA or IPE for internal initiators, and lists of components modeled in the PSA or already being tested in the existing IST program. Before proceeding, it would be prudent to ensure that the PSA (IPE) is current, viz. represents the current plant configuration, testing protocols, etc., and that the PSA has adequate technical quality. The latter attribute may be ensured by comparing the PSA against the checklist in Appendix B of the EPRI PSA Applications Guide 61 or a NRC checklist, if available.m As will be discussed in NRC RISK-INFORMED REGULATIONS, NRC correctly places high value on an application potentially affecting plant safety being based upon an adequate PSA. Another preliminary activity should be the formation of an expert panel to review the risk and other information and to approve any proposed changes in testing. The expert panel should include plant personnel familiar with PSA, ASME codes and standards, plant operations, maintenance, systems, and design. Many utilities use the same panel for this activity and for implementation of the Maintenance Rule.43 Its deliberations are an important part of the analysis.

The methodology has four steps:

1. After calculating their risk importances, rank components according to their risk significance. Assign components to high and low risk significance categories.

2. Assess the adequacy and completeness of the supporting PSA and other risk models by a series of sensitivity analyses.

3. Evaluate the cumulative impact on plant risk of extending the inservice test intervals for many low risk significant components.

4. Review the process and results with the expert panel. This review should blend deterministic safety insights with quantitative risk measures to ensure that risk significance was appropriately identified.

In the first step, by using the PSA, the components are ranked by their relative importance with respect to Core Damage Frequency (CDF). Usually the Fussell-Vesely (FV) and Risk Achievement Worth (RAW) measures are used. Some references recommend use of the Risk Reduction Worth measure but, as shown in APPENDIX A, it is mathematically equivalent to FV. These rankings should be supplemented by consideration of the Large Early Release Frequency (LERF) figure of merit, external event initiators, and outage configurations. These supplementary considerations may be based upon calculations, if the PSA encompasses this end-state and these initiators or, if not, qualitatively.n It is necessary to extend the scope of the analysis to IST components that are not explicitly identified in the PSA. There will likely be many such components, most of which will not be risk significant. Nevertheless, a systematic review of them is essential. A more detailed discussion of this review process may be found in reference 65. Components are assigned to high and low risk significance categories according to their Fussell-Vesely importance by using the criterion in Table 1. There was a further subcategorization based upon their Risk Achievement Worth importance and the criterion in Table 1.

m When published and endorsed by NRC, the ASME Standard for PRA for Nuclear Power Plant Applications 62 should fulfill this role.

n In the performance of their IPEs and IPEEEs, many utilities did a limited Level 2 analysis and used the seismic margins 63 and FIVE 64 approaches for earthquakes and fires respectively. To date, there has been no general NRC request for outage PSAs although many utilities have performed one.


Category    Fussell-Vesely importance    Risk Achievement Worth
Low         < 0.001                      < 2.0

Table 1. TU Electric Criteria for Categorization of Components

The above criterion of 0.001 for Fussell-Vesely importance reflects the recommendation of the ASME 60 and the analysis of TU Electric.65 The EPRI PSA Applications Guide 61 recommends a less conservative value of 0.005.

The ASME 60 suggests that the importance values for each component be plotted in the format of Figure 2.

[Figure 2 plot: FV Importance on the horizontal axis with the dividing line at 0.001 and RAW Importance on the vertical axis; quadrants labelled B and C in the upper row, A and D in the lower row]

Figure 2. ASME Quadrant Plot for Component Importance (Reproduced from reference 60)

The FV-RAW plot is divided into four quadrants by a vertical line at FV=0.001 and a horizontal line at RAW=2.0. Depending upon its FV and RAW importances, each component is assigned to one of four quadrants. Clearly, components assigned to quadrant C (high FV and RAW) are more risk significant than those in quadrant A (low FV and RAW). By relating safety requirements to each quadrant, they will be aligned to the risk significance of the components assigned therein. The criteria for FV and RAW should be regarded not as sharp, absolute lines, but rather as bands. Based upon the grouping of components, there may be sound technical reasons for the analysts or the expert panel to adjust the criteria.

With respect to Inservice Testing, the vertical line at FV=0.001 partitions the population of components on the basis of their long-term importance to CDF. Components whose existing FV importance places them to the left of the line do not significantly contribute to long-term risk. Such components are candidates for either no or very small IST requirements. For all components, degradation of their reliability or longer testing intervals would increase their FV importances (which may be one reason that ASME recommended a value significantly less than 0.005). Thus, the expert panel o should focus carefully on components whose FV values are just below 0.001. The amount that a FV importance would change is proportional to a component’s basic event probability, P (see equation (A2)). Components placed to the right of the line are currently risk significant and any degradation in their reliability would be significant. Such components rate an effective IST program. The RAW importance of a component should not enter into the decision on whether to require periodic testing or its frequency.

The horizontal line at RAW=2.0 partitions the population of components on the basis of available “defense in depth” and safety challenges and hence shows the importance of their being in rather than out of service. Components whose RAW importance places them above the line significantly increase the CDF when they are out of service, even though their contribution to CDF may be insignificant in the long term, i.e. they have low FV values. The expert panel should review their testing and maintenance protocols to ensure that such components are returned to service promptly following testing or maintenance. Components whose RAW importance places them below the line warrant less attention on this issue. As shown in Figure A1, a component’s RAW importance is a weak function of its basic event probability for typical values, viz. it will not be affected by any reasonable changes in testing frequency or the policy on returning equipment to service. Since the FV importance addresses the long-term performance of a component and automatically incorporates the behavior of the CDF when it is in and out of service, it should not enter into the review of the specific conditional situation of being out of service.

The second step in the methodology is an assessment of the completeness and adequacy of the PSA and other risk models for this application. Quantitative risk models and importance measures have limitations associated with the structure of the models, their assumptions, and the input data; some are discussed in INTERPRETATION AND USE OF IMPORTANCE MEASURES. These limitations must be examined to ensure that they do not cause misleading results. The TU Electric project examined the following limitations: the truncation limit, changes to multiple components, the potential of ‘masking’ of certain components by other events which are not explicitly modeled, common cause failures, asymmetry, the use of generic reliability input data, and completeness. The truncation issue and changes to multiple components are discussed below. All these issues are of generic concern in most applications of PSA to risk-informed decision-making and are discussed in more detail in references 49, 50, 51, and 65.

All risk models identify cutsets or accident sequences that are minimum numbers of basic events that could lead to the undesirable outcome, e.g. core damage. For a large system such as a nuclear power plant, there are potentially millions of cutsets. By quantifying their probabilities, one finds that the Core Damage Frequency, for example, is dominated by a few hundred cutsets. In order to make analysis of the system manageable, the analyst sets a truncation limit below which a cutset is ignored. The EPRI PSA Applications Guide 61 recommends that the truncation limit be 10^-4 below the baseline CDF, i.e. if the CDF is about 10^-5 per reactor-year, the truncation limit should be 10^-9. Experience has shown that a very low truncation limit creates inefficiencies such that analysis costs quickly exceed the value of risk insights gained. On the other hand, a too high truncation limit may create misleading results with respect to calculation of RAW values.66 The truncation limit may be evaluated by a sensitivity study in which identified components and their importances are shown to have small changes when the limit is lowered. The TU Electric project compared importance rankings by using truncation limits of 10^-8 and 10^-9 per reactor-year and found that the former was acceptable (since its CDF was 5.72x10^-5, its limit was slightly higher than the EPRI recommendation). It is worth noting that truncated components were usually in fourth order or higher cutsets.

o An expert panel should also consider the likelihood of significant changes in the a parameter, viz. the totality of cut sets in which the SSC participates.


As stated in APPENDIX A, the above calculation of importance measures is based upon changes to components, one at a time. Simultaneous changes to multiple components could cause unintended increases in risk even though the individual changes satisfy the conservative importance criteria. The third step in the methodology is a calculation of the potential risk impact from lengthening inservice testing intervals simultaneously for all low risk significant components. More specifically, the Core Damage and Large Early Release Frequencies are recalculated by assuming that the basic event probabilities of all such components are increased by the same multiple, e.g. five times, as their testing intervals. This is a conservative assumption since only the testing contribution to basic event probability would be increased by changing the testing interval and maintenance and other contributions would not change. Some results of these calculations for Comanche Peak will be presented in the next subsection.

The fourth and final step in the methodology is the expert panel review of the risk ranking and other calculations. The panel’s principal responsibility is to ensure that the risk ranking information is consistent with plant design, operating procedures, and plant-specific operating experience. At TU Electric, the project team prepared a set of simplified P&IDs for all systems modeled in the PSA showing the risk importance results and other relevant information. By using this information and the design basis functions addressed by IST as documented in the IST plan, the expert panel reviewed and validated or adjusted the ranking results. At the conclusion of their review, the expert panel should have reviewed and evaluated every component in the IST program. Their recommendations for which components could have longer testing intervals and which ones should have enhanced testing are submitted to the NRC.
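As an added worked example (not code from the paper, from ASME, or from TU Electric), the following script carries steps 1 and 3 of the methodology through on a constructed cutset model: it computes FV and RAW via the Appendix A form CDF = aP + b, assigns each component to a Figure 2 quadrant with the Table 1 criteria (FV = 0.001, RAW = 2.0), scales every low-FV component by one common test-interval factor as in step 3, and shows how a truncation limit set above a component's only cutset masks its RAW, the caution raised in the second step. All component names, probabilities, initiating event frequencies and cutsets are hypothetical.

```python
"""Constructed PSA toy model: importance measures, quadrant assignment,
cumulative test-interval check and truncation sensitivity.  Nothing here
is plant data; every number is made up for illustration."""

FV_CRITERION = 0.001   # vertical line of Figure 2 (Table 1)
RAW_CRITERION = 2.0    # horizontal line of Figure 2 (Table 1)

# Constructed basic event probabilities for hypothetical components.
BASIC_EVENTS = {
    "EDG_A": 0.02, "EDG_B": 0.02,            # emergency diesel generators
    "AFW_PUMP": 0.01,                        # auxiliary feedwater pump
    "MOV_1": 5e-4, "MOV_2": 5e-4,            # motor operated valves
    "RELIEF_VALVE": 1e-3,
    "CHECK_VALVE": 2e-4,
    "TRIP_BREAKERS": 1e-7,                   # rarely fails, but no backup
    "CCW_PUMP_MAINT": 0.05,                  # maintenance unavailability
}

# Constructed minimal cutsets: (initiating event frequency per
# reactor-year, basic events that must all fail for core damage).
CUTSETS = [
    (0.1, ("EDG_A", "EDG_B")),
    (0.5, ("AFW_PUMP", "MOV_1")),
    (0.5, ("AFW_PUMP", "MOV_2")),
    (0.05, ("RELIEF_VALVE",)),
    (0.01, ("CHECK_VALVE", "MOV_1", "MOV_2")),
    (0.5, ("TRIP_BREAKERS",)),
    (0.001, ("CCW_PUMP_MAINT", "EDG_A")),
]


def cutset_value(freq, events, probs):
    """Frequency of one cutset: initiator frequency times the product
    of its basic event probabilities."""
    value = freq
    for e in events:
        value *= probs[e]
    return value


def retained_cutsets(probs, truncation=0.0):
    """Cutsets a PSA code would keep: quantified at the baseline
    probabilities, those below the truncation limit are dropped."""
    return [(f, ev) for f, ev in CUTSETS
            if cutset_value(f, ev, probs) >= truncation]


def cdf(probs, cutsets):
    """Core Damage Frequency under the rare-event approximation."""
    return sum(cutset_value(f, ev, probs) for f, ev in cutsets)


def quadrant(fv, raw):
    """Figure 2: A low FV/low RAW, B low FV/high RAW, C high/high,
    D high FV/low RAW."""
    if fv < FV_CRITERION:
        return "B" if raw >= RAW_CRITERION else "A"
    return "C" if raw >= RAW_CRITERION else "D"


def classify(probs, truncation=0.0):
    """FV, RAW and quadrant for every basic event, using the linear form
    CDF = a*P + b of Appendix A: a sums the cutsets containing the event,
    b those that do not.  Each event is varied one at a time."""
    kept = retained_cutsets(probs, truncation)
    base = cdf(probs, kept)
    result = {}
    for name, p in probs.items():
        b = cdf({**probs, name: 0.0}, kept)          # P -> 0 leaves only b
        a = cdf({**probs, name: 1.0}, kept) - b      # P -> 1 gives a + b
        fv = a * p / base                            # (CDF - b) / CDF
        raw = (a + b) / base                         # CDF(P=1) / CDF
        result[name] = (fv, raw, quadrant(fv, raw))
    return result


def cumulative_cdf_ratio(probs, factor):
    """Step 3: scale the basic event probability of every low-FV component
    (quadrants A and B) by the same factor as its test interval, all at
    once, and return CDF_new / CDF_base with the list of scaled names."""
    low = [n for n, (fv, _, _) in classify(probs).items() if fv < FV_CRITERION]
    scaled = {n: (min(1.0, p * factor) if n in low else p)
              for n, p in probs.items()}
    base_sets = retained_cutsets(probs)
    return cdf(scaled, base_sets) / cdf(probs, base_sets), low


def risk_curve(probs, factors):
    """The data behind a Figure 3 style plot: CDF ratio for each factor."""
    return [cumulative_cdf_ratio(probs, f)[0] for f in factors]


if __name__ == "__main__":
    ranking = sorted(classify(BASIC_EVENTS).items(), key=lambda kv: -kv[1][0])
    for name, (fv, raw, q) in ranking:
        print(f"{name:15s} FV={fv:9.2e} RAW={raw:9.2f} quadrant {q}")
    ratio, low = cumulative_cdf_ratio(BASIC_EVENTS, 24)
    print(f"24-fold interval on {low}: CDF x {ratio:.4f}")
    # A truncation limit above the TRIP_BREAKERS cutset (5e-8) drops it and
    # its RAW collapses to 1.0: the masking effect the text warns about.
    print("RAW(TRIP_BREAKERS) at 1e-7 truncation:",
          classify(BASIC_EVENTS, truncation=1e-7)["TRIP_BREAKERS"][1])
```

In this toy model the CDF rises linearly in the factor, as in Figure 3, because the low-FV components' basic event probabilities are tiny and so the cross-terms are negligible; a plant with larger probabilities on such components would not necessarily show that.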

Results of the TU Electric Project

The TU Electric risk-informed IST project 65 was co-sponsored by EPRI and coordinated with ASME and other utilities operating nuclear power plants. There were regular interactions with the NRC staff, thereby resulting in a process which was acceptable to them and the issuance of a favorable Safety Evaluation Report.67 The project was designed to provide plant-specific benefits to TU and, as a pilot project, to provide generic insights and tools that would benefit similar industry projects. More specifically, the project developed generic methods for identifying opportunities to reduce those IST-related regulatory requirements and commitments, compliance with which requires significant resources but which contribute insignificantly to safe and reliable operation.

The IST program at the Comanche Peak Steam Electric Station included 619 components. Their existing testing intervals ranged from 3 months to 5 years. By using its Individual Plant Examination (IPE), TU Electric ranked these 619 components by their FV and RAW importances relative to the Core Damage and Large Early Release Frequencies. The rankings were then adjusted for other considerations as described in the previous subsection. Initially, TU Electric considered having three categories based upon FV importance but, based upon the numbers of components in the medium category, concluded that two categories were more cost effective so the medium category was combined with the high one. A partial summary of the risk ranking is shown in Table 2.


Table 2. Partial Summary of Risk Ranking Results for IST Components (Reproduced from reference 65)

According to their importances, all IST components were now plotted on a FV-RAW plot, illustrated in Figure 2. One hundred and fifty-one components were found to have high FV importance (Quadrants C and D) and 468 were found to have low FV importance (Quadrants A and B).p These 468 components were candidates for longer testing intervals.

To fulfill the third step in the methodology, the cumulative impacts on CDF and LERF of longer testing intervals for all these 468 components were calculated. For each component, its existing testing interval was multiplied by factors ranging from 2 to 100. The results, in Figure 3, show a linear change in the CDF with up to a 100-fold simultaneous increase in the basic event probabilities of 468 components.q TU Electric wanted to extend the existing testing intervals for many IST components from quarterly to 6 years; a 24-fold increase. Figure 3 suggests that such a change would increase the base-line CDF (5.72x10^-5) by 13%; the actual increase would probably be smaller as a result of other offsetting changes being proposed by TU Electric. The acceptability of such an increase is a policy issue beyond the scope of this article. Quantitative Screening Criteria in the EPRI PSA Applications Guide 61 suggest that such a change is non-risk-significant, i.e. acceptable. The NRC Acceptance Guidelines to be discussed in NRC RISK-INFORMED REGULATIONS would allow such a change subject to increased NRC technical and management review.

Figure 3 shows that the CDF increases linearly with very large changes in the availability of numerous components. With reference to the discussion in APPENDIX A of Simultaneous Changes in Basic Event Probabilities of more than One Component, the cross-term in equation (A12) appears to be negligible for at least the Comanche Peak system configuration. The likely reason for this result is that the existing basic event probabilities for every low risk component were very low. It is not known whether other plants would show a similar result. Similarly, the approximation for calculating joint Fussell-Vesely importances (equation (A15)) and the neglect of the c/CDF term in equation (A19) were found to be valid for the Comanche Peak plant; this result may not extend to other plants.

p TU Electric categorized components with FV<0.001 and RAW>2.0 (Quadrant B) as having potentially high risk significance. For these components, although their FV importances implied low risk significance, TU Electric required compensatory measures to offset their high RAW importances. The concepts developed in the previous Methodology subsection, that FV and RAW importances represent different aspects of a system reliability and that they should be treated independently, post-date the TU Electric work. In order to focus on the main ideas, this aspect of the TU Electric work will not be addressed further. In practice, TU Electric’s requirement of compensatory measures for potentially high risk significant components achieved a similar end result to that advocated in the Methodology subsection.

q TU Electric prepared a similar graph for LERF. It also examined the effect of compensatory actions for potentially high risk significant components.

[Figure 3 plot: Core Damage Frequency per reactor-year on the vertical axis (4.50E-05 to 8.50E-05) versus Factor Change in Equipment Unavailability on the horizontal axis (up to 100)]

Figure 3. Change in Core Damage Frequency versus Simultaneous Factor Change in Equipment Basic Event Probability (Reproduced from reference 65)

GRADED QUALITY ASSURANCE

Background

The assurance of quality for safety-related structures, systems, and components (SSCs) has always been an integral part of the design and regulation of nuclear power plants. As part of the original design of a nuclear power plant, the NSSS vendor and Architect/Engineer identified SSCs important to safety and assigned them to a Q-list. Structures and passive components, viz. those whose functioning does not require a change of state, were designated as P. The design, procurement, and maintenance of such components had to meet stringent quality assurance in order to satisfy the requirements specified in 10 CFR 50, Appendix B.68 In order to minimize design costs and to simplify procurement specifications, vendors typically identified all SSCs as being important to safety without consideration of the importance of specific components and subcomponents. This simplification led to very large Q-lists containing tens of thousands of components, e.g. 75,000 at Grand Gulf Nuclear Station,69 each of which had to be procured, maintained, and warehoused to meet Appendix B requirements. Although the initial costs were reduced, the ongoing annual expenses to utilities are very large.


As stated in BEYOND THE INDIVIDUAL PLANT EXAMINATIONS, more knowledge about system functions allows an improved understanding of which components are truly important to safety and it was recognized that a large fraction of the safety-related SSCs did not justify their Q classification and associated cost. On the other hand, enhanced QA might be justified for some of the non-safety-related SSCs. The following examples illustrate some considerations.

An o-ring failure leads to leakage but, if it does not prevent functional performance, its failure does not truly impact safety and it could receive reduced QA coverage. Some subcomponents are inherently robust, whether commercial grade or safety-related, and the additional quality provided by Q-based purchasing may not be significant. For example, o-ring and gasket materials are not very much improved by nuclear QA requirements nor are their failure modes always significant. These considerations are sufficient reason to consider commercial grade gasket and o-ring materials satisfactory for safety-related applications.

Another subcomponent may be considered relatively unimportant to the function because it is not only robust but the system is very redundant. For example, starting motors on some emergency diesel generators (EDGs) are typically installed in sets of 4 although only 1 or 2 are necessary to start the diesel. Many of these starter motors are identical to motors used in commercial applications, e.g. the railroad industry, which exhibit very high reliability. This redundancy and inherent reliability result in the relative unimportance of the starter motors to the EDG’s function and the conclusion that they could receive reduced QA coverage.

As a final example, some subcomponents may not have any supporting role in the required safety function. A motor operated valve may be safety-related only for the integrity of the pressure boundary. In this case, the motor operator has no importance to the safety function and can be considered non-safety with reduced QA coverage.

Although the provision had not been utilized, the regulations always permitted graded Quality Assurance. In 10 CFR 50, they state:

Appendix A: Criterion 1 - Quality standards and records. Structures, systems, and components important to safety should be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety function to be performed.

Appendix B: ...the Quality Assurance program shall provide control over activities affecting the quality of the identified structures, systems, and components to an extent consistent with their importance to safety.

With the encouragement of the NRC, utilities initiated the introduction of graded QA by using their enhanced knowledge of system and component functions and the availability of risk information from PSAs.

Methodology

The starting point for industry efforts on graded QA was a program organized by the Nuclear Energy Institute 70 of pilot studies involving seven plants from six utilities over a twelve-month period, concluding in December 1994. The methodology, combining probabilistic and deterministic insights to rank SSCs, was similar to that used for the Maintenance Rule.71 Based upon their function within the plant, SSCs were graded as either risk significant or non-risk significant. After reviewing the NEI report, the NRC offered several comments that prompted NEI to reconsider its original approach. The comments concerned the appropriateness of performance monitoring in lieu of quality monitoring; the assurance that QA commitments would continue to be met; the use of ‘low’ and ‘high’ risk significance instead of ‘risk’ and ‘non-risk’ significance; and that PSA insights should complement deterministic evaluations. Several utilities pursued their programs in parallel with NRC’s preparation of a Regulatory Guide for graded QA. A final guide 72 was issued in 1998.

While the methodologies developed by different utilities vary slightly, their basic concepts are very similar. In the following paragraphs, the approach of the South Texas Project will be described since it was the first application to receive NRC approval.73


The NRC staff and South Texas Project agreed upon the following essential elements for the GQA process:

1. Identification of appropriate safety significance of SSCs in a reasonable and consistent manner,

2. Implementation of appropriate QA controls for SSCs, or groups of SSCs, based upon their safety function and safety significance,

3. An effective root cause analysis and corrective action program,

4. A means for reassessing SSC safety significance and QA controls when new information becomes available.

The South Texas Project approach to graded QA (GQA) is embedded in a Comprehensive Risk Management program whose mission is: “A process by which the change in risk to station personnel and the public’s health and safety are evaluated as a result of changes in commitments, processes, activities, and human and equipment performance.”

Its overall process for GQA is shown in Figure 4. For a selected plant system, a Working Group identifies all functions performed by the system, determines their risk significance, identifies all active components and collects relevant data including risk importances from the PSA, assigns each component to a safety significance category and thereby an appropriate QA control program, and finally documents its conclusions. An Expert Panel reviews the WG’s recommendations and makes the final decisions. Ongoing performance monitoring and feedback is an integral part of the process.


Figure 4. Graded Quality Assurance Process of South Texas Project

As a basis for the risk ranking of each component, the Working Group makes a traditional engineering evaluation supplemented by importance information from the plant’s PSA. The sources of deterministic information are:

• the current design basis description, functions, and constraints on the system and components,
• the licensing basis including regulatory commitments, constraints imposed by the updated Final Safety Analysis Report, Technical Specifications, and other correspondence commitments,
• review of the operating experience as reflected in the plant-specific reliability and condition reporting system and deficiencies reported by industry groups,
• use of the system components in the emergency operations or response procedures,
• current safety-related and Maintenance Rule status,
• self-assessment and system health reports,
• equipment history (successes and failures),
• NRC inspection reports and systematic assessments of licensee performance (SALP),
• corporate and joint utility management audits and reports, and
• reports issued by the Institute of Nuclear Power Operations (INPO).

The South Texas Project has a Level 2 PSA that addresses internal and external initiating events at full power. A shutdown risk assessment has been prepared but has not been reviewed or incorporated into the full power model. In the interim, the qualitative review of SSCs by the WG and EP includes explicit consideration of whether a given SSC is used during shutdown. The South Texas Project incorporated quality assurance procedures during the preparation of its PSA and maintains ongoing quality control. The Project is committed to updating its PSA at least once every refueling cycle in order to incorporate changes in the model and input failure parameters. The PSA has been reviewed three times by the NRC staff. In its Safety Evaluation Report,73 the NRC staff gave considerable weight to the quality of the PSA and the ongoing quality controls.

The use of importance measures to place a risk perspective on some action requires the establishment of a relationship between the action and the basic events in the PSA model and hence a change in the estimated CDF or LERF. In this respect, the usefulness of a PSA for grading quality assurance is limited for two reasons. First, changes in quality assurance do not lend themselves to quantitative assessments of changes in basic event probabilities. Second, the PSA model only represents a few thousand components out of the approximately 75,000 components in the plant. Recognizing these limitations, the South Texas Project used the plant-specific PSA to identify clear groups of components which, individually, are of high safety significance by virtue of their contribution to CDF and LERF, or which would become important contributors if their reliability or availability degraded. Other components with less safety significance are further subdivided to provide the WG and EP with as much guidance as can reasonably be gained by using PSA insights. In its final Regulatory Guide,74 the NRC staff acknowledged that, in some applications, quantitative estimates may not be possible and allowed the use of acceptable alternatives.

The South Texas Project established the following categories of safety significance for SSCs: High-, Medium-, and Low-Safety Significance, denoted as HSS, MSS, and LSS respectively. MSS components whose RAWs are >10 are required to receive further evaluation of their critical attributes. Finally, there is a non-risk significant (NRS) category, making a total of five categories.

Components that are evaluated in the PSA are ranked according to their Fussell-Vesely (FV) and Risk Achievement Worth (RAW) importance measures. This ranking is done for both the CDF and LERF figures of merit; for each SSC, the higher importance is used. The criteria for assigning components to specific safety-significance categories are shown in Figure 5.

By using engineering evaluations and PSA insights, components are ultimately assigned to safety-significance categories according to the impacts that their impaired performance would have on the system and plant performance. The definitions of these impacts are stated in Table 3, which also associates QA control levels with safety-significance categories for both safety-related and non-safety-related components.

r Originally, these subdivisions were denoted as MSS-1 and MSS-2.

[Figure 5: plot of the risk importance criteria with Fussell-Vesely Importance on the horizontal axis (ticks at 0.005 and 0.01); the other axis and the category boundary values are not legible in the scan.]

Figure 5. Risk Importance Criteria for Input to Component Safety-Significance Categorization

Category | Definition | QA program, Safety-Related | QA program, Non-Safety-Related
HSS | Degradation of component will result in unacceptable system performance, and likely plant performance. | FULL | TARGETED
MSS* | Degradation of component could result in unacceptable system performance. | [illegible in scan] | TARGETED
MSS | Degradation of component could impair system-level performance. The WG and EP should consider this potential. | BASIC | TARGETED
LSS | Degradation of component is not expected to impact system performance. | BASIC | Existing Quality
NRS | Failure of component does not impact any safety-significant function (not applied to SSCs modeled in PSA). | BASIC | Existing Quality

* Further evaluation of critical attributes is required.

Table 3. Definitions for Safety Significance Categories and Related QA Control Program for South Texas Project. (Acronyms are explained in text)

In its final assessment of impact, the Working Group assigns consensus weighting factors to each of the following questions for each component:

• Could the SSC’s failure cause an initiating event?
• Could the SSC’s failure cause a risk significant system to fail?
• Is the SSC used to mitigate accidents or transients?
• Is the SSC relied upon in an Emergency Operating Procedure?
• Is the SSC significant to safety during mode changes or shutdown?

After assigning the weighting factors, the WG assigns a safety-significance category and a corresponding level of QA controls to each component. The WG documents all its work and submits it to the Expert Panel for review and final decisions.

In order to implement Graded QA, the South Texas Project established three levels of QA controls, denoted as FULL, BASIC, and TARGETED. The FULL level consists of QA elements that remain essentially unchanged from those originally implemented for safety-related SSCs. They meet the requirements of 10 CFR 50, Appendix B,68 for SSCs that are the most significant to safety. As stated in Table 3, the FULL level is applied to all safety-related SSCs categorized as HSS.

The BASIC level includes QA elements that have been graded, relative to those elements in the FULL level, consistent with the lesser safety importance of the plant equipment to which it is applied. The specific reductions in QA requirements are described in the South Texas QA plan and evaluated in the NRC staff’s SER.73 The BASIC level is applied to MSS, LSS, and NRS safety-related SSCs.

The South Texas Project recognized that some safety-related SSCs modeled in its PSA, while highly reliable, would result in a significant increase in risk if they failed upon demand, viz. their RAW importance exceeded 10. For SSCs assigned to this category, denoted as MSS (Further evaluation required), the FULL QA controls are applied to those attributes that are relied upon to ensure a high level of confidence in the equipment performance needed to maintain low risk; BASIC QA controls are applied to the other attributes.

The TARGETED level consists of QA elements from the FULL and BASIC levels applied to those characteristics or critical attributes that render non-safety-related SSCs safety significant, but only in a forward-fit manner, i.e. only future operational activities associated with previously procured and installed equipment of this type would be subject to these requirements. More specifically, the South Texas Project will apply FULL and BASIC QA controls in a selected manner to non-safety-related SSCs that have been categorized as HSS or MSS in future activities.

Non-safety-related SSCs that are categorized as LSS and NRS would continue to be subject to the South Texas Project’s existing administrative and quality provisions for activities such as procurement and maintenance.

Results of South Texas Project Study

Initially, the South Texas Project applied its graded QA process to three systems and then extended it to 26 systems that incorporate 38,043 components. The numbers of components assigned to the different safety significance categories are stated in Table 4. It should be noted in Table 4 that 91% of the Safety Related SSCs are available for less than FULL QA and ~3% of the Non-Safety Related SSCs require enhancement of their existing QA. By applying the graded QA process, the South Texas Project expects to be able to reduce quality assurance controls for 15,371 (40% of total) components. Since some components, which had been non-safety-related and hence not subject to Appendix B quality controls, are categorized as safety-significant and become subject to some quality controls, the Project believes that the overall safety of these systems will be enhanced. By 2001, the process had been extended to 31 systems incorporating 44,120 components, of which 10% are categorized as safety significant.

See footnote g about the number of components.

                     HSS    MSS    LSS    NRS          Total
Safety Related      1452   2358   4860   [illegible]  [illegible]
Non-Safety Related    20    352   1534   19,666       21,572

Table 4. Numbers of Components by Safety-Significance Categories.

The South Texas Project quickly found that implementation of graded QA was limited by other ‘quality’ requirements for components, as illustrated in Table 5 for the Standby Diesel Generator System. Three hundred and fifty-eight components were eligible for reduced QA but were subject to ASME Code requirements. Two thousand, three hundred and forty-eight components would be eligible for reduced QA but were subject to environmental qualification, seismic, or other special requirements. Procurement cost savings were thereby limited. In July 1999, as a pilot program under NRC’s Option 2 for risk-informing 10 CFR 50, which will be briefly discussed later in NRC RISK-INFORMED REGULATIONS, the South Texas Project submitted a request ‘34 for an exemption from the special requirements. NRC approved this request in August 2001.‘36 Effectively, components subject to special requirements will be assessed for risk significance and treated in a manner similar to the graded QA program described earlier.

[Table 5 body is not legible in the scan. Recoverable structure: columns for the safety significance categories HSS, MSS, LSS, NRS and TOTAL; rows for Safety Related components under Limited QA (FULL, BASIC, TARGET), split into ASME Limits and No ASME Limits, and for Non-Safety Related components under TARGET and NO QA.]

Table 5. Numbers of Components in Standby Diesel Generator System as a Function of Safety Significance, Graded QA, and Other Requirements.

To date, the South Texas Project has realized several $100K cost savings from its introduction of graded quality assurance. When fully implemented, the Project hopes to save about one million dollars per year.


TECHNICAL SPECIFICATIONS

Background

In order to achieve their very small risks, nuclear power plants have safety systems which are redundant, viz. a system will have 2 or 3 parallel trains, and diverse, viz. functionally similar systems will have different designs and will use different heat sinks. From the earliest days of reactor safety, it was recognized that the likelihood of an accident would be higher when one or more trains were unavailable due to failure, testing, or maintenance. Accordingly, a plant’s Operating License incorporates Technical Specifications that specify, among other things, Limiting Conditions for Operation (LCO) and Surveillance Requirements.

Technical Specifications are derived from the analyses and evaluation in the plant’s Safety Analysis Report. Since they are part of the license, the utility cannot change them without prior NRC approval. Originally, they were customized for each plant. In the 1980s, industry and NRC staff began studying desirable improvements. In 1987, NRC agreed to adopt criteria defining the scope of Technical Specifications; the NSSS vendors and NRC staff agreed to jointly rewrite and streamline existing Technical Specifications and to prepare standardized versions for the major NSSS designs. In 1993, the NRC issued a Policy Statement76 that set forth four criteria and encouraged utilities to update their Technical Specifications to conform to the standard versions.77 These Standard Technical Specifications are now being modified to incorporate the insights of plant-specific PSAs and the installation of Configuration Risk Management Programs, which are the subject of a later section.

Limiting Conditions for Operation (LCO) define the allowed outage times (AOT), the period within which a component or train in a safety system can remain inoperable before an action is required, which typically is a plant shutdown. An AOT is used to repair or replace a failed or degraded component and, with increasing frequency, to perform preventive maintenance while remaining at power. Allowed outage times are typically 3 or 7 days for one inoperable train and 8 hours or 3 days for two inoperable trains in the same system; the shorter AOTs for multiple inoperable trains reflect the greater risk.

The Surveillance Requirements specify Surveillance Test Intervals (STI) for many components. The primary purpose of surveillance testing is to assure that the components of standby safety systems will be operable if needed during an accident. By testing these components, some failures can be detected that may have occurred since the last test or occasion when the equipment was last known to be operational. STIs are typically monthly or quarterly. As described in INSERVICE TESTING, current initiatives are seeking longer intervals for some components subject to the ASME Code. Both AOTs and STIs were originally determined by engineering judgment at a time when there was less knowledge of system reliability and risk than is available today.

Probabilistic Safety Analyses estimate average risks over long time periods, e.g. one year. When one or more components or trains are out of service, the plant risk is increased during such outages. Following publication of the Reactor Safety Study,4 it was recognized that a comprehensive PSA could be used to analyze AOTs and STIs.~~ More sophisticated methodologies are now available and are described in reference 79.

Original plant-specific TSs used the term AOT. In Standard TSs, an AOT is called a completion time (CT). This article will use the term AOT since it is more familiar.

With respect to components, e.g. pumps, valves, covered by the ASME Operations and Maintenance Code,s3 the Technical Specifications reference that Code. See INSERVICE TESTING for discussion of these provisions.


Analyses have suggested that many existing AOTs and STIs are shorter than necessary and thereby cause hasty, inefficient maintenance, unnecessary shutdowns, wearout of equipment, additional plant risk, higher personnel radiation exposure, and larger Operating and Maintenance costs than necessary. It has also been found that some combinations of equipment, whose simultaneous outages would be prejudicial to risk, are not addressed by existing Technical Specifications. Consequently, both utilities and NRC are interested in adjusting AOTs and STIs in order to enhance safety and reduce Operating and Maintenance costs.

With the availability of plant-specific PSAs (IPEs) *’ and the encouragement of the NRC,42 utilities are analyzing their Technical Specifications and submitting proposals to NRC for relief of selected AOTs and STIs. The lead submittal, organized by the Combustion Engineering Owners Group (CEOG), was the pilot project for NRC’s new Regulatory Guide and Standard Review Plan for Technical Specifications.80,81

Methodology

The ‘optimum’ AOTs and STIs are a balancing of risks. This subsection will describe the underlying concepts. For more detailed formulations, the reader is referred to the NRC Handbook.79 The intent of an AOT is to provide adequate time to repair or replace a failed component without incurring undue plant risk because of loss of function of the component. A long AOT implies the incurrence of relatively larger risk, but a too short AOT may result in an inadequate or incomplete repair and/or an unnecessary plant shutdown. An inadequate repair has a self-evident risk. An incomplete repair will necessitate a re-entry into the AOT configuration and increased exposure to operator errors causing a transient. Transient-initiated accidents are major contributors to the Core Damage Frequency for all reactor types. A plant shutdown is a controlled transient whose frequency should be minimized. This caution is especially warranted when the system needing repair is expected to remove decay heat during the shutdown, e.g. Residual Heat Removal System, Standby Service Water System.** For such systems, less risk may be incurred by continued operation of the power plant than by shutting it down. Thus, the ‘optimum’ duration of an AOT is primarily a balance between the increased risk from operating while the component is unavailable and the risk incurred from an inadequate repair or by shutting the plant down.

As illustrated in Figure 6, the plant risk level increases during an AOT because of the loss of the component’s function. The usual figure of merit for assessing AOTs is Core Damage Frequency (CDF) but, for those components whose function is to mitigate the consequences of core damage as opposed to preventing it, the Large Early Release Frequency (LERF) should be used. Sometimes, the unavailability of the safety function or of the system is used as a surrogate for CDF or LERF. It is important to distinguish between the single-event AOT risk and the yearly AOT risk contribution. The former is the risk associated with a given occurrence of an AOT. With reference to Figure 6, it is the product of the risk increase when the component is out of service times the duration of the downtime. The yearly AOT risk contribution accounts for the annual frequency with which the AOT is invoked. Both the single-event AOT risk and the yearly AOT risk contribution should be controlled since both short-term spikes in the CDF and an elevated average CDF may be unacceptable.

The usual PSA calculates average annual frequencies for core damage and large early release by assuming expected outage times for components’ maintenance and testing. Thus, the calculated CDF and LERF incorporate the yearly AOT risk contributions for all components. When using a PSA to calculate the

Short AOTs encourage doing maintenance on several components in parallel rather than in series. While parallel maintenance minimizes outage time, it results in a longer restoration period that, in the event that the system is needed, is undesirable. Longer AOTs allow series maintenance and a shorter restoration period.


higher risk when a specified component is out of service (single-event AOT risk), one needs to exercise care with respect to common cause failures associated with the specified component and the truncation limits assumed in the PSA. The above calculation assumes that only one component or train of a system is out of service at one time, since AOTs for different components or trains do not usually interact. When multiple components or trains are simultaneously out of service, e.g. for preventive maintenance, and are part of the same minimum cutset or accident sequence, the spike in the CDF or LERF can be very large.34 Under these circumstances, calculation of the single-event AOT risk must consider all potentially down components. The single-event AOT risk can be controlled by avoiding those outage configurations having the most adverse impact on risk. The practice of configuration control is addressed in EQUIPMENT CONFIGURATION CONTROL.

[Figure 6: risk versus time; the risk rises above the level ‘Risk when component’s function is not lost’ for the ‘Downtime Duration’ of the AOT, and the area of that step is the single-event AOT risk.]

Figure 6. Risk contribution associated with an AOT

In the process of shutting down, a plant is vulnerable to transients that may occur during the transition to the shutdown state because of insufficient capability of removing decay heat. There is smaller but continuing risk while the plant is in the shutdown mode. Again, during restart, there is another spike in risk due to the increased likelihood of transients. The instantaneous risks for continued operation and shutdown are illustrated in Figure 7.

The risks during the intermodal transitions may be estimated by modeling them as a modified uncomplicated trip.83 For example, the trip transient in the PSA would be modified to reflect the increased availability of main feedwater during the transition period. Shutdown PSAs have been performed for many plants.84,85 The risks of continued operation and shutdown may be compared by integrating their instantaneous risks in Figure 7 as a function of the repair time. Their cumulative risks are shown in Figure 8. If the repair duration is less than X, continued operation incurs less risk than shutting down; for longer repairs, the converse is true. This conceptual framework can and should be refined by considerations of uncertainties in the risk estimates and in the repair duration, testing, and timing of the shutdown.8*

[Figure 7: profiles of instantaneous risk (LCO risk) versus time for continued operation and shutdown, with the points A, B and C marked; the curve labels are not legible in the scan.]

Figure 7. Profiles of Instantaneous Risks for Basic Operational Alternatives: CO is Continued Operation, SD is Non-Delayed Shutdown after Detection of Failure. (A = failure detection and immediate shutdown, B = completion of repair, C = re-startup of plant.) (Reproduced from reference 82)

[Figure 8: cumulative risk versus repair time for the two alternatives; the two curves cross at repair time X.]

Figure 8. Cumulative Risk during Predicted Repair Time for the Basic Operational Alternatives. CO is Continued Operation, SD is Immediate Shutdown (Reproduced from reference 82)
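The AOT risk quantities of Figure 6 and the continued-operation versus shutdown comparison of Figures 7 and 8, worked through as an added example (not code from the paper): the conditional CDF values, the linear shutdown-risk model and the transition ‘spike’ are constructed assumptions standing in for plant-specific PSA results.

```python
"""Single-event and yearly AOT risk (Figure 6) and the continued-operation
versus shutdown comparison (Figures 7 and 8).

Added worked example, not code from the paper.  The risk model and every
number are constructed assumptions; a real evaluation takes the conditional
CDF values from the plant PSA."""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class AotCase:
    """One Limiting Condition for Operation, with PSA-derived CDF values."""
    cdf_base: float          # baseline CDF, per year (PSA average)
    cdf_out: float           # conditional CDF, per year, with the component out
    downtime_h: float        # expected duration of one AOT entry, hours
    entries_per_year: float  # how often the AOT is invoked per year


def cdf_ratio(case: AotCase) -> float:
    """Ratio of CDF with the component unavailable to baseline CDF (the CEOG metric)."""
    return case.cdf_out / case.cdf_base


def single_event_aot_risk(case: AotCase) -> float:
    """Risk of one AOT occurrence: (risk increase) x (downtime), the stepped
    area of Figure 6.  The result is a core damage probability."""
    delta_per_hour = (case.cdf_out - case.cdf_base) / HOURS_PER_YEAR
    return delta_per_hour * case.downtime_h


def yearly_aot_risk(case: AotCase) -> float:
    """Yearly AOT risk contribution: single-event risk x annual entry frequency."""
    return case.entries_per_year * single_event_aot_risk(case)


def yearly_aot_fraction_of_cdf(case: AotCase) -> float:
    """Yearly contribution expressed as a fraction of baseline CDF."""
    return yearly_aot_risk(case) / case.cdf_base


@dataclass(frozen=True)
class OperationalAlternatives:
    """Constructed stand-in for the instantaneous-risk profiles of Figure 7.

    Continued operation (CO) runs at the elevated rate rate_co for the whole
    repair time.  Shutdown (SD) adds a one-off transition contribution
    spike_sd (the peaks at A and C in Figure 7) and then continues at the
    smaller shutdown-state rate rate_sd."""
    rate_co: float   # per hour, e.g. cdf_out / HOURS_PER_YEAR
    rate_sd: float   # per hour, shutdown-state rate (assumed below rate_co)
    spike_sd: float  # probability contributed by the shutdown and restart transients


def cumulative_risk_co(alt: OperationalAlternatives, repair_h: float) -> float:
    """Cumulative risk of continued operation up to repair time repair_h (Figure 8, CO)."""
    return alt.rate_co * repair_h


def cumulative_risk_sd(alt: OperationalAlternatives, repair_h: float) -> float:
    """Cumulative risk of immediate shutdown up to repair time repair_h (Figure 8, SD)."""
    return alt.spike_sd + alt.rate_sd * repair_h


def crossover_repair_time(alt: OperationalAlternatives) -> Optional[float]:
    """Repair time X of Figure 8: below X continued operation incurs less risk,
    above X shutting down does.  None when the shutdown state is not safer per
    hour, in which case continued operation is never the worse choice."""
    if alt.rate_co <= alt.rate_sd:
        return None
    return alt.spike_sd / (alt.rate_co - alt.rate_sd)


def lower_risk_choice(alt: OperationalAlternatives, predicted_repair_h: float) -> str:
    """Pick the alternative with the smaller cumulative risk for a predicted repair time."""
    co = cumulative_risk_co(alt, predicted_repair_h)
    sd = cumulative_risk_sd(alt, predicted_repair_h)
    return "continued operation" if co <= sd else "shutdown"


if __name__ == "__main__":
    # Constructed case: one train out for a 72 h repair, AOT entered twice a year,
    # conditional CDF four times baseline (hypothetical PSA result).
    case = AotCase(cdf_base=5e-5, cdf_out=2e-4, downtime_h=72, entries_per_year=2)
    print(f"CDF ratio              : {cdf_ratio(case):.1f}")
    print(f"single-event AOT risk  : {single_event_aot_risk(case):.2e}")
    print(f"yearly AOT risk        : {yearly_aot_risk(case):.2e} "
          f"({100 * yearly_aot_fraction_of_cdf(case):.1f}% of CDF)")
    alt = OperationalAlternatives(rate_co=case.cdf_out / HOURS_PER_YEAR,
                                  rate_sd=5e-6 / HOURS_PER_YEAR, spike_sd=1e-6)
    print(f"crossover repair time X: {crossover_repair_time(alt):.1f} h")
    print(f"for a 24 h repair prefer: {lower_risk_choice(alt, 24)}")
```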

The intent of surveillance testing is to assure that the components of standby safety systems will be operable if they are needed in an accident. By testing these components, failures can be detected that may have occurred since the last test or occasion when the equipment was last known to be operational. The period between tests is called a Surveillance Test Interval (STI). A long STI will result in a higher likelihood of a component being unavailable due to an undetected failure than a short interval. On the other hand, since a test usually requires that the equipment in question be removed temporarily from service, frequent surveillance tests (short STI) would result in more outage time than infrequent tests (long STI); some equipment and tests incorporate an override feature to avoid this negative aspect of testing. Furthermore, surveillance


testing of components (a) causes wear which, over time, will result in more failures, (b) affords opportunities for operator errors which could trigger a transient or result in equipment not being restored to operational status, (c) contributes to personnel radiation exposure, and (d) requires substantial utility and NRC resources on planning, conducting, and verifying them. The ‘optimum’ ST1 is primarily a balance between all these factors.

The risk contribution associated with an STI arises mainly from the possibility that the component will fail between consecutive tests. Its magnitude depends upon the probability of the component failing within the STI. As time increases from the last test, the probability that the component is failed increases. The probability of the component being failed drops essentially to zero after an effective test. If the component time-related failure rate is λ and t is the time since the last test, the time-dependent component unreliability U(t) is given by:

U(t) = 1 - e^{-\lambda t}   (2)

     \approx \lambda t \quad \text{when } \lambda t \le 0.1   (3)

The time-dependent component unreliability is given by equation (3) for t up to the test interval T, i.e. for 0 \le t \le T. This unreliability, i.e. the cumulative probability that the component has failed, is illustrated in Figure 9.

[Figure 9: failed probability U(t) versus time; U(t) rises over each test interval and drops to zero at each test at T, 2T, 3T. Labels: ‘Average failure probability’, ‘Increase in failed probability at end of test interval’.]

Figure 9. Time-dependent unreliability for a tested component

If the component failed at t, its average unavailability would be (T-t)/T. Therefore, the average component unavailability, q_{avg}, is given by:

q_{avg} = \int_0^T \frac{T - t}{T}\, \lambda e^{-\lambda t}\, dt   (4)

        = \frac{\lambda T}{2} - \frac{\lambda^2 T^2}{6} + \cdots   (5)

        \approx \frac{\lambda T}{2} \quad \text{when } \lambda T \le 0.1   (6)

Equation (6) is the first order approximation usually used in PSAs. Additional contributions for repair time and test downtime are added to q_{avg} if they are non-negligible. It is appropriate to reiterate that λ is the time-related rate for failures that occur while the component is standing by between tests. When using failure rate databases, an analyst should be careful to distinguish between time-related rates and cyclic demand-related contributions. The latter are the probability contributions associated with failures that are caused by demanding, starting, or cycling the component.

By surveillance testing, the risk associated with the potential failure of a component is limited and may be calculated from its average unavailability by using its Birnbaum importance and equation (A7) as follows:

R_0 = a \times q = a\, \frac{\lambda T}{2}   (7)

where R_0 is the test-limited risk. The right-hand side is simply the term aP from before, where the only term in the basic event probability is \lambda T/2. When n non-interacting components, i.e. in different minimum cut sets, are tested with the same or overlapping intervals, their total test-limited risk is the sum of their individual contributions as follows:

R_0 = \frac{T}{2} \sum_{i=1}^{n} a_i \lambda_i   (8)

If the evaluation concerns a change in the testing interval, T, which is common to several components, equation (8) can be used to assess the test-limited risk. Alternatively, their Fussell-Vesely importances can be used in equation (A11).

For two or more interacting components, viz. components in different trains of the same system or, more generally, in the same minimum cut set, the total test-limited risk is affected by the relative scheduling of the tests. The standard PSA quantification assumes that the relative test times of components are random with no specific schedule, i.e. independent. By staggering the test schedules of components in the same minimum cut set, the test-limited risk will be reduced compared to independent testing. Conversely, sequential testing of the same components will increase the test-limited risk. The formulae for such test schedules are given in the NRC Handbook79 and elsewhere.86 It should be noted that one reason for using staggered testing is to reduce human error common causes, which requires careful modeling.87 The more general issue of the impacts of wearout and human error on the selection of Surveillance Test Intervals has been studied by Kim et al.83

With the above concepts in mind, the process for changing Technical Specifications based upon risk information will be summarized. The recommended approach is a blend of deterministic engineering analyses plus the PSA insights of the plant plus supplemental risk assessments that together will provide the evidence to the NRC that the criteria for a license amendment will be met. The EPRI has prepared guidelines ** for preparing such requests, which are summarized below:

• Identify candidate Technical Specification changes. There should be a justifiable motivation for implementing changes. They could include: achieving an improvement in operational safety, producing consistency in meeting regulatory requirements, or reducing burdens that have insignificant safety benefit. The NRC has published criteria89,90 for such improvements.

• Select appropriate figures of merit for quantifying the effects of the changes. As stated earlier, proposed changes should be evaluated by using system unavailability, Core Damage Frequency, or Large Early Release Frequency, as appropriate.

• Establish the decision criteria used to justify the changes. A successful submittal will demonstrate that public health and safety are being maintained with an acceptable degree of risk. This demonstration will be supported by comparison of the changes in risk to some accepted decision criteria such as those contained in EPRI’s PSA Applications Guide.6’ As part of its Regulatory Guide,74 the NRC has stated some acceptance guidelines which will be discussed in a later section. An important aspect of this activity will be the identification of compensatory actions that the plant staff will take to control risk. Configuration management will be discussed in a later section.

• Modify the plant risk model as necessary to support the Technical Specifications safety impact evaluation. A clear relationship is necessary between the TS changes being evaluated and their representation in the plant risk model, which may require modifications to ensure that redundant systems are modeled and that truncation is not masking interactions or dependencies. With respect to STIs, average system/component unavailabilities may be insufficient, and a more detailed model that distinguishes between component failure modes, e.g. standby failures, test-caused failures, may be required.

• Update PSA parameters with current data as necessary to address safety issues. Additional data, preferably plant-specific, may be needed, including unplanned maintenance durations, correlation of observed failures to standby or demand failure mechanisms, means by which component failures have been revealed (monitored versus surveillance testing), duration of out-of-service time when equipment is realigned for testing, etc.

• Quantify the impact of the Technical Specifications modifications. The analysis will typically quantify system unavailability, single-event AOT risk and the yearly AOT risk contributions, and modified plant PSA results to ascertain the cumulative impact of multiple changes to TSs, with comparison to the decision criteria.

• Perform sensitivity and uncertainty analyses on the major assumptions and issues. The major objective is to verify that assumptions and the potential range of associated uncertainties would not change the conclusions of the analysis relative to the decision criteria.

The EPRI guidelines ** outline the suggested documentation for license amendment requests.

Combustion Engineering Owners Group Technical Specifications Project

The Combustion Engineering Owners Group (CEOG) has a long history of using risk information to modify Technical Specifications. As early as 1986, it evaluated extensions of Surveillance Test Intervals (STI) for the Reactor Protection System; on the basis of a risk assessment,91 NRC approved an extension from 30 to 90 days. More recently, it has organized joint submittals to NRC by several utilities that operate CE plants for improving their Technical Specifications by using risk information. The joint submissions were made in accordance with the EPRI template.92 The CEOG program has addressed two subjects. With respect to AOTs, it evaluated extended outage times for several systems and ultimately submitted to NRC applications for AOT extensions for Safety Injection Tanks (SIT),93 Low Pressure Safety Injection (LPSI),94,95 and Emergency Diesel Generators (EDG).96 With respect to Action Statements, it is currently evaluating changing accepted End States from cold shutdown (Mode 5) to hot standby (Mode 4).

The methodology used to analyze the above AOT extensions generally followed the EPRI guidelines described in the previous subsection. The justifiable motivation for requesting a change was based upon plant equipment repair periods, maintenance needs and anticipated usage over the CE fleet to establish a single common AOT extension request. The requested AOT was established, not to maximize or analytically optimize the AOT based upon risk, but rather to state simply what was needed and why. As an important element in the analysis of the proposed change, the design basis of the system was reviewed to qualitatively assess the impact of the unavailable component on the plant design basis. In this process, the conservatism of the thermal-hydraulic and radiological analyses supporting the plant design basis was evaluated and the potential availability of non-safety grade backup equipment was considered. The intent of these deterministic assessments was to provide a realistic practical evaluation of the plant state when the subject equipment was non-functional. The primary figure of merit was Core Damage Frequency, although Large Early Release Frequency was also considered. The ratio of CDF when the component is unavailable to the baseline CDF, the single-event AOT risk, and the yearly AOT risk were calculated. While EPRI’s decision criteria 6’ were not specifically used, the CEOG decision process was typically consistent with them. Finally, potential contingency actions were examined; their definition and implementation would be controlled under Subsection A3 of the Maintenance Rule.43

The results of the AOT extension work are presented in Table 6, which is excerpted from reference 97. The ranges reflect the fact that several utilities participated in this program. Their existing Technical Specifications incorporated different AOTs and their PSAs incorporated different degrees of conservatism, e.g. design basis vs realistic success criteria.

In 1998, the NRC issued a Safety Evaluation Report98 that approved an Allowed Outage Time for Safety Injection Tanks and LPSI for all participating utilities. This AOT will result in smaller personnel radiation doses. The SER99 for extending AOTs for LPSI and EDG required the utility to incorporate an equipment configuration risk management program (see EQUIPMENT CONFIGURATION CONTROL). To date, one utility has fulfilled this requirement and is able to save $1 million per year by doing maintenance of its Emergency Diesel Generators on-line. It also accrued a one-time $3 million saving for testing of fuel oil tank liner replacement.

[Table 6 body not recoverable from the scan; its columns were Proposed AOT Changes, Absolute single-event risk, and Yearly AOT risk (% of CDF), with the surviving fragments "Negligible to <2E-7 (PM)" and "5E-7 to 2E-6 (PM)".]

Table 6. Summary of Proposed AOT Extensions for CEOG Plants and their Justifications; PM denotes Preventive Maintenance, CM denotes Corrective Maintenance. (Adapted from reference 97)


Existing Action Statements require utilities to transition the power plant to cold shutdown (Mode 5) when the duration of an abnormal condition exceeds the AOT. As discussed in the previous subsection, intermodal transitions create additional risk. By limiting the transition to hot standby (Mode 4), these additional risks may be reduced. Mode 4 is a safer End State for most AOTs for the following reasons: the operating system, e.g. steam generators, is removing heat; more safety systems remain on automatic standby; fewer configuration changes; less thermal recycling of the Primary Coolant System; a lower likelihood of leaks; and delay in shutdown results in lower heat generation. PSA studies show that hot standby is a less risky operating state than cold shutdown. In addition to enhanced safety, a Mode 4 End State results in shorter plant outages and higher plant availability, an economic benefit. An application for changing accepted End States from cold shutdown (Mode 5) to hot standby (Mode 4) is pending before the NRC.

EQUIPMENT CONFIGURATION CONTROL

Background

Equipment configuration control is the management of component configurations to achieve specific objectives. In this context, a configuration is a set of component statuses that define the operational state of a nuclear power plant. In a risk-informed operating environment, plant equipment configurations are controlled by using procedures that evaluate the risk presented by any given configuration. While the primary objective of configuration control is to maintain safety, another important objective is to optimize the unit cost of electricity production, i.e., to improve reliability and to use plant resources, viz. labor and materials, efficiently. By controlling plant configurations from a risk perspective, the operators have more direct control of risk and greater operational flexibility, allowing less emphasis on components and systems unimportant to risk. Implementation of a configuration control system results in a safer plant and is an important factor in implementing revised Technical Specifications.

In TECHNICAL SPECIFICATIONS, it was pointed out that, while a component, train, or system is out of service for maintenance, there is a spike in the plant risk (Figure 6). Samanta et al.37 used the NUREG-1150 study13 of the Peach Bottom BWR plant to examine the potential impact on its Core Damage Frequency of different configurations and hence the potential benefit of a configuration control system. By examining the dominant accident sequences, they identified hardware-related events and then groups of two, three, or four hardware-related events that appeared in one or more sequences. All combinations of hardware-related events that appear together in at least a single sequence are potentially significant configurations. The events and groups of events were ranked in order of their impact on the Core Damage Frequency (CDF). Their report37 tabulates representative samples of CDF-significant configurations and their impacts on CDF; the ranges of their frequencies were summarized in Figure 1. For reference, it should be noted that this analysis13 of the Peach Bottom plant estimated a baseline CDF of 8.4E-06 per reactor-year. For single hardware-related events, the impacts range from ratios of ~2 to ~475. For doubles, triples, and quadruple events, the ratios and their ranges are much larger.

The BWR Owners' Group (the Peach Bottom plant is a BWR) reviewed the findings of Samanta et al.37 and found that approximately 80% of the configurations were high risk and were prohibited by existing Technical Specifications, a further 10% were prohibited by Technical Specifications but were not risk significant, and that the remaining 10% of the configurations were judged to be risk significant but were not addressed by the Technical Specifications.100


Samanta et al. then estimated the expected frequencies of occurrence for each configuration, including contributions from maintenance and failures. The ranges of their frequencies are shown in Figure 10.* Unsurprisingly, the occurrence frequency decreases for configurations with more numerous components. The expected contribution to yearly CDF may be calculated by multiplying (a) the CDF associated with a configuration, (b) its frequency of occurrence, and (c) the allowed duration for each occurrence of the configuration. The allowed duration of a configuration is the minimum AOT allowed under existing Technical Specifications for any component in the configuration, i.e. the maximum period that the configuration can exist under existing Technical Specifications. For some typical single, double, triple, and quadruple configurations, their CDF impact, their expected frequency, and their yearly CDF are shown in Figure 11. The typical single event causes a relatively small spike to the CDF, but its high occurrence frequency results in a 9% contribution to the baseline CDF. While the typical configurations with multiple components can cause larger CDF spikes, their contributions to the yearly CDF are smaller since their frequencies of occurrence are lower. This result graphically illustrates the importance of identifying risk significant configurations and of controlling their occurrence.
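The configuration screening and yearly-CDF calculation described above, written out as an added example (not code from the paper or from reference 37). The baseline CDF is the 8.4E-06 per reactor-year quoted in the text; the component names, AOTs, CDF ratios and occurrence frequencies are constructed for illustration.

```python
"""Screen and rank outage configurations by expected yearly CDF contribution.

Follows the Samanta et al. procedure summarized in the text:
  1. configurations = groups of hardware events that co-occur in at least one
     dominant accident sequence;
  2. yearly contribution = configuration CDF x occurrence frequency x allowed
     duration, where the allowed duration is the shortest Tech Spec AOT of any
     component in the configuration.
All numeric inputs below other than BASELINE_CDF are constructed values.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

HOURS_PER_YEAR = 8760.0
BASELINE_CDF = 8.4e-6  # per reactor-year, NUREG-1150 Peach Bottom (quoted in the text)


def candidate_configurations(sequences: Iterable[Set[str]],
                             max_size: int = 4) -> Set[FrozenSet[str]]:
    """Groups of 2..max_size hardware events that appear together in at least
    one dominant sequence; these are the potentially significant configurations."""
    candidates: Set[FrozenSet[str]] = set()
    for events in sequences:
        for size in range(2, min(max_size, len(events)) + 1):
            for combo in combinations(sorted(events), size):
                candidates.add(frozenset(combo))
    return candidates


@dataclass(frozen=True)
class Configuration:
    components: Tuple[str, ...]
    cdf_ratio: float            # CDF with the configuration present / baseline CDF
    frequency_per_year: float   # expected occurrences per year (maintenance + failures)


def allowed_duration_hours(config: Configuration, aot_hours: Dict[str, float]) -> float:
    """Longest time the configuration may exist under existing Tech Specs:
    the shortest AOT among its components."""
    return min(aot_hours[c] for c in config.components)


def yearly_cdf_contribution(config: Configuration, aot_hours: Dict[str, float],
                            baseline: float = BASELINE_CDF) -> float:
    """(a) configuration CDF x (b) occurrence frequency x (c) allowed duration (years)."""
    duration_years = allowed_duration_hours(config, aot_hours) / HOURS_PER_YEAR
    return (config.cdf_ratio * baseline) * config.frequency_per_year * duration_years


def percent_of_baseline(config: Configuration, aot_hours: Dict[str, float],
                        baseline: float = BASELINE_CDF) -> float:
    """Yearly contribution expressed as a percentage of the baseline CDF."""
    return 100.0 * yearly_cdf_contribution(config, aot_hours, baseline) / baseline


def rank_configurations(configs: Iterable[Configuration], aot_hours: Dict[str, float],
                        baseline: float = BASELINE_CDF) -> List[Tuple[str, float]]:
    """Configurations ordered by decreasing yearly CDF contribution (% of baseline)."""
    scored = [("+".join(c.components), percent_of_baseline(c, aot_hours, baseline))
              for c in configs]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed Tech Spec AOTs (hours) for the components used below.
AOT_HOURS = {"ESW Pump A": 72.0, "EDG B": 72.0, "ESW HX 31": 24.0, "Battery B": 2.0}

# Constructed single, double, triple and quadruple configurations: the CDF spike
# grows steeply with the number of components, but the expected frequency of the
# configuration falls even faster, as the text describes.
SAMPLE_CONFIGS = [
    Configuration(("ESW Pump A",), 2.0, 5.0),
    Configuration(("ESW Pump A", "EDG B"), 40.0, 0.1),
    Configuration(("ESW Pump A", "EDG B", "ESW HX 31"), 300.0, 0.01),
    Configuration(("ESW Pump A", "EDG B", "ESW HX 31", "Battery B"), 1500.0, 0.001),
]

if __name__ == "__main__":
    for label, pct in rank_configurations(SAMPLE_CONFIGS, AOT_HOURS):
        print(f"{label:45s} {pct:7.3f} % of baseline CDF per year")
```

With these inputs the single-component configuration, despite its small spike, tops the ranking because it recurs so often; the quadruple, with a 1500-fold spike, contributes under 0.05% because it is rare and capped by the 2-hour battery AOT.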

[Figure 10 residue: log-scale ordinate of expected frequency (per year) spanning 1.0E+00 to 1.0E-08; abscissa: Outage Configurations (Single, Double, Triple, Quadruple).]

Figure 10. Range of Variation of Expected Frequency of Occurrences of Different Types of Configurations (Reproduced from reference 37)

* Reference 37 uses the expression Core Melt Frequency or CMF, which is synonymous with the more commonly used Core Damage Frequency or CDF. Accordingly, Figures 10 and 11, which originally appeared in that reference, use the expression CMF.


[Figure 11 residue: log-scale bar chart with three series per configuration (CMF per year, Expected Frequency per year, Yearly Risk) for single, double, triple and quadruple outage configurations, each labelled by its components, e.g. ESW Pump A, Battery B, ESW-AV22, ESW-HX31, ESW Pump B; abscissa: Outage Configurations.]

Figure 11. Characteristics of Configuration Risks (Reproduced from reference 37)

Equipment Configuration Control Systems

The initial equipment configuration control systems were developed for use during shutdown operations. By 2001, EPRI's ORAM101-103 and EOOS104 software were being utilized at 65 and 89 domestic and international units respectively. In addition, Scientech's Safety Monitor105 was being used in 19 units. Subsequently, the ORAM code was merged with EPRI's SENTINEL code to create the ORAM-SENTINEL code.106

In an ORAM-SENTINEL shutdown analysis, configuration control systems are treated as plant-specific and their starting point is a Probabilistic Shutdown Safety Analysis (PSSA)84, 85 for the plant in question. Although a PSSA models many of the same engineered safety systems as a PSA, there are some significant differences. First, a PSA only examines a single plant state at a time, viz. full power operation. In contrast, a PSSA must represent a continually changing plant state since, during shutdown, the decay heat is monotonically decreasing. As the heat load diminishes, the demands on heat removal systems are reduced and the timing of an accident sequence changes. A PSSA typically subdivides an outage into many consecutive periods following shutdown (the number varies between 50 and 500 time slices depending on the specific outage and the model design), each with its own heat load, thermal-hydraulic analyses, and timing. Although a PSA can be used in the same way, the analysis is more complicated. Further, the location of the heat load may be in the reactor vessel, the refueling pool, or both, depending upon the refueling program. Second, the likely causes of component unavailability are different from at-power conditions. During shutdown, data show that random hardware failures contribute 1% or less to system unavailability. On the other hand, trains of important safety systems may be unavailable 30-50% of the time for scheduled maintenance on them or their support systems. Third, potential operator errors become relatively more important since most automatic equipment actions are disabled and because the time period for operator response can be extremely short during certain configurations (e.g., mid-loop operations in PWRs).

The ORAM-SENTINEL PSSA is encoded by focusing upon the availability of systems and of their support systems. The model can relate:

• accident sequence initiating events,
• key plant systems unavailabilities,
• key operator actions,

at all times on an outage schedule to the frequencies of a set of end states which have operational significance for outage planners and managers. These end states typically include:

• reactor coolant system (RCS) boiling in cold shutdown and refueling,
• spent fuel pool boiling, and
• core damage in cold shutdown and refueling.

Other end states were considered but were omitted as being small contributors to overall shutdown risk. The simplified model can calculate the impact of a different plant configuration on the end states very quickly, so that outage planners have a 'real-time' risk-informed decision tool. By using ORAM-SENTINEL, they can explore alternate maintenance schedules and prepare contingency plans in order to avoid high-risk plant configurations. In the event of an unplanned equipment failure, they can quickly implement compensatory measures. This decision-making is facilitated by graphical displays of the frequency of a selected end state versus time elapsed during the outage. A sample display is shown in Figure 12.

[Figure 12 residue: log-scale ordinate of RCS boiling frequency (1E-06 to 1E-08) versus days into the outage (abscissa 1 to 20+), with the outage phases RSD and CSD marked.]

Figure 12. RCS Boiling Risk Profile from ORAM (abscissa units are days) (Reproduced from reference 101)

In ORAM-SENTINEL, the quantitative results illustrated in Figure 12 are complemented by qualitative Risk Management Guidelines (RMG). The basis for the RMGs is a report from NUMARC (see footnote x)107 that provides guidance to utilities on assessing and enhancing their current practices for planning and conducting outages. For its specific plant, a utility translates these guidelines into minimum defense-in-depth requirements and establishes controls for the management of changes or deviations from these requirements. Defense-in-depth is controlled by consideration of key safety functions, examples of which are given in the NUMARC report; a representative list of key safety functions is tabulated in Table 7. For each safety function, Shutdown Safety Function Assessment Trees (SSFATs) are encoded within ORAM to compare the measured defense-in-depth with the required defense-in-depth for the various configurations throughout an outage. An SSFAT ends with one of four color codes, green, yellow, orange, and red, representing a level of defense-in-depth. These colors and their changes provide an easy visual way for outage planners to monitor defense-in-depth throughout an outage. An example of a display is shown in Figure 13. The SSFAT logic also directs plant personnel to a set of RMGs which apply to the measured defense-in-depth for the particular outage configuration. The plant personnel have the opportunity to respond to each RMG with an explanation for their actions. Thus, a permanent record of actions and justifications can be maintained. The SSFAT structure and the number and wording of individual RMGs are established by plant personnel so that they reflect the utility's operating practices. The ORAM-SENTINEL software is linked to the outage planning software so that the SSFAT logic and the PSSA evaluations for changing outage conditions are automated.

x Nuclear Management and Resources Council, Inc. has been renamed Nuclear Energy Institute, Washington, DC.

Table 7. Example of Key Safety Functions for Outage Planning

• Containment Control
• Decay Heat Removal
• Inventory Control
• Instrumentation and Instrument Air
• Reactivity Control
• Spent Fuel Pool Cooling

[Figure 13 residue: color-coded status rows for Reactivity Control, Shutdown Cooling, Inventory Control, Fuel Pool Cooling, Elect Power Control, Containment and Support Systems, plotted against days into the outage (abscissa 1 to 20+) with outage phases RSD and CSD marked.]

Figure 13. Safety Function Status Report (Risk Management Guidelines) (Reproduced from reference 101)


As stated in TECHNICAL SPECIFICATIONS, the purpose of Allowed Outage Times (AOT) is to provide adequate time to repair or replace a failed component without incurring undue plant risk because of loss of function of the component for an extended period. Since Technical Specifications do not explicitly prohibit voluntary entry into an AOT, utilities have recently begun to use them for preventive maintenance during power operations. It should also be noted that Technical Specifications do not necessarily cover all equipment outages that are known to increase risk, nor do they explicitly provide a mechanism for controlling risk in a way which would support the requirements of the Maintenance Rule.43 The Maintenance Rule requires utilities to assess and control the impact on key plant safety functions of removing equipment from service. NUMARC71 (see footnote x) suggested that utilities could elect to use qualitative guidelines or quantitative risk monitoring to satisfy the Maintenance Rule and that these guidelines be used during planning and prior to removal of equipment from service.

The performance of maintenance on-line has a number of advantages compared to off-line, i.e. during an outage, including:

• Planned on-line maintenance optimizes activities to support increased reliability of equipment, thereby increasing configuration control and minimizing unplanned events.

• It allows utility personnel, who are most familiar with the equipment, to perform the maintenance, as opposed to contractor outage personnel, who are unfamiliar with it, performing it during refueling outages.

• It allows performance of the maintenance in a controlled environment without the competition for both resources and management attention that is usually the case during refueling outages.

• It allows maintenance planning to focus on specific projects rather than splitting its resources among multiple on-going projects during an outage.

• When on-line maintenance is performed on equipment subject to Technical Specifications, testing may be required to demonstrate the operability of redundant equipment. This testing adds assurance of overall safety.

• As a result of maintenance being done at power, outages become more manageable and shorter.

Therefore, on-line maintenance, particularly when properly planned and conducted by using risk configuration tools such as ORAM-SENTINEL, EOOS, or Safety Monitor, should enhance overall safety. However, during site visits, NRC inspectors observed that some utilities were performing on-line maintenance without adequate planning and control. In a series of memoranda,108, 109 letters,110, 111 and in its Inspection Manual,112 the NRC made clear that "The staff does not want to discourage licensees from doing preventive maintenance at power because of the potential for achieving better reliability; but it should be done in a manner that decreases plant risk."

With the above motivation and the need to cover all operational modes for at-power maintenance operations, EPRI sponsored the adaptation of EOOS and ORAM-SENTINEL for operations at power. EPRI has also developed the Risk and Reliability Workstation to support and interface with other tools, such as the Safety Monitor. By using PSA analysis, EOOS assesses in real time the plant damage risk (CDF and LERF), and provides equipment importance and restoration advice in a simple, clear, and unambiguous manner. Information about the plant's planned or actual condition is input into EOOS. This information includes equipment/system availability and alignments, testing activities, and activities that impact risk, such as switchyard work. For actual operations, this information can be input directly into EOOS from the plant's various process computers. The Safety Monitor operates in a similar manner.

Maintenance planners use EOOS to evaluate in advance the risk associated with all planned activities and to reschedule tasks until the risk is acceptably low. Just prior to actual work execution, operational personnel also check the risk, incorporating any imminent equipment realignments. EOOS is also used to monitor in real time operational changes, such as unanticipated forced equipment outages, loss of support systems (e.g., off-site power), or changes in environmental conditions (e.g., approaching tornadoes/hurricanes). In each instance, EOOS supplies return-to-service priorities to allow operational personnel to restore safety margin or to perform contingency planning. EOOS operates on a utility's intranet, accessible to any PC on site. This accessibility allows all personnel to have access to the information and allows frequent updating, ensuring that the information is always current. Figures 14 and 15 show EOOS running in an operations and planning mode. Figure 14 displays, among other things, the Plant Tagging System and Computerized Operator Log. Figure 15 displays a simplified Gantt chart, system status timelines, and a plant safety index timeline.

Figure 14. EOOS Data for Point-in-time Applications (Reproduced from reference 104)

The scope and function of the ORAM-SENTINEL106 software as applied to at-power configurations is similar to those described earlier for outage planning using ORAM-SENTINEL for shutdown analysis, with some differences reflecting the different operational mode. ORAM-SENTINEL complements the implementation of revised risk-informed Technical Specifications. As with EOOS, potentially higher risks stemming from longer AOTs can be offset by the installation and use of ORAM-SENTINEL to avoid high risk configurations. Since ORAM-SENTINEL, EOOS and Safety Monitor have the capability to assess numerous combinations of multiple unavailable components, safer and more economical operation of the plant is possible.


Figure 15. EOOS Information for Outage Schedulers (Reproduced from reference 104)

MAINTENANCE RULE

Background

Despite the widely held belief that effective maintenance is a prerequisite of safe and cost-effective plant operations, historically, the industry and the NRC had both failed to develop practical performance indicators for the effectiveness of a plant maintenance program. In 1988, the Commission attempted to introduce a maintenance rule113 to require commercial nuclear power plant licensees to implement a maintenance program to reduce the likelihood of failures and events caused by the lack of effective maintenance. After a draft regulatory guide had been published,114 the rule was delayed while NRC staff and inspectors carried out an assessment of licensee progress against four criteria. These criteria addressed whether adequate maintenance programs were already in place or being implemented at US nuclear plants, whether a favorable trend in performance was evident, whether licensees were committed to acceptable maintenance performance standards, and whether they were making progress towards sustained maintenance performance using continuous evaluation methods. In 1990, while the assessment was proceeding, the Commission asked the staff to consider a reliability-based rule, quoting the need for better enforcement of maintenance programs, the need to monitor equipment performance, to conduct root cause analysis, to track corrective actions, and to feed back operating information into the maintenance program.

During 1991, the staff's evaluation of the need for maintenance rulemaking referred to the issuance of either a process-oriented rule or a reliability-based rule, and pointed out that, although the survey of industry maintenance programs had revealed broadly adequate plant programs and an improving trend in program implementation, there remained weaknesses. These weaknesses included repetitive failures, lack of cause analysis, lack of performance trending, and a failure to consider plant risk in the prioritizing, planning, and scheduling of maintenance. The staff did not believe that industry was making a sufficient commitment to maintenance standards, and claimed that existing industry maintenance evaluations were limited to programmatic measures of performance, and were not preventing the occurrence of degradation of equipment and significant plant events.

Subsequently, in 1991, a maintenance rule was proposed that incorporated novel features for an NRC regulation. First, it required ongoing monitoring of SSC performance, condition, or both, to establish that key equipment was capable of performing required functions. Second, it required the monitoring results to be evaluated against licensee-established goals that had to be commensurate with the equipment's safety significance. Third, it required PSA assumptions and results to be factored into the goals. Finally, for equipment that did not need such monitoring, the rule advocated the use of reliability-based methods to develop and improve the preventive maintenance program. In a departure from traditional NRC regulations, the proposed rule did not prescribe the utility programs used to implement these provisions.

Further, important parts of the proposed rule required that 1) a balance be struck between equipment unavailability caused by preventive maintenance and the reliability benefits of performing the maintenance, 2) the planning and scheduling of maintenance should consider the cumulative impact on plant safety of all equipment simultaneously out of service, and 3) a periodic review be carried out by each licensee to ensure that all parts of the maintenance rule program were working effectively.

Implementation

Implementation of the rule became effective in July 1996. Between 1991 and 1993, NUMARC (see footnote x) conducted a series of industry task force meetings to help utilities and other industry organizations determine the most effective way to implement the rule. These meetings resulted in an industry guideline document71 which was subsequently endorsed by the Commission.115 Since the rule did not prescribe a programmatic approach for its implementation, during the two years prior to its effective date, NUMARC verified and validated its guidelines116 through a series of studies at a small group of plants, and EPRI conducted two full scale Maintenance Rule implementation projects at Boston Edison's Pilgrim plant and at Northeast Utilities' Millstone units, and two smaller scale projects at the Pacific Gas and Electric Diablo Canyon plant and New York Power Authority's Fitzpatrick and Indian Point 3 plants. Insights from the EPRI projects are provided in reference 117.

These insights focused upon programmatic implementation issues such as the qualifications and training required for membership of an expert panel and the role played by the panel members, as well as technical issues which quickly surfaced as the most challenging aspects of the rule. These issues included further definition of “Maintenance Preventable Functional Failures,” the need for several approaches for developing performance criteria, methods to link the performance criteria to the plant PSA, and acceptable day-to-day approaches for evaluating the risk of multiple equipment outages.

The consideration of Maintenance Preventable Functional Failures was introduced by the industry and is not an intrinsic element of the Maintenance Rule. The objective was to focus implementation of the rule on those failures that could be prevented by applicable and effective maintenance. However, many utilities have chosen to include all failures in their monitoring schemes to avoid making difficult distinctions that could be challenged by regulators, for example in cases where maintenance might unreasonably be expected to compensate for shortcomings of design.

For practical rule implementation, the licensee-established goals, i.e. performance criteria, used in the reliability monitoring process should be based upon experience. The NRC has interpreted the rule's statement that these goals will be "commensurate with safety" as requiring that they be consistent with the reliability parameters used in the plant PSA. Two technical bulletins118, 119 subsequently issued by EPRI provided amplification and additional methods for setting the performance criteria to be consistent with PSA parameters. The basic approach, which is widely employed, is to use the plant specific PSA values of failure rates to calculate the expected range of possible monitoring results. Practical targets for monitoring reliability are then derived from this range by using an acceptable false alarm rate.
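One way to carry out the approach just described, as an added example that is not from the paper or the EPRI bulletins: the PSA failure probability fixes the distribution of failure counts a healthy SSC would produce over the monitoring period, and the performance criterion is the smallest count whose exceedance probability is at or below the accepted false alarm rate. The choice of binomial (failures on demand) and Poisson (failures in time) models, and all rates, demand counts and alarm rates, are assumptions made for the example.

```python
"""Derive Maintenance Rule performance criteria from plant PSA failure rates.

Assumed models (not stated in the text): a standby SSC with PSA failure
probability p per demand accumulates failures as Binomial(n_demands, p); a
running SSC with PSA failure rate lambda per hour accumulates failures as
Poisson(lambda * run_hours).  The criterion is the smallest failure count k
such that P(failures > k) <= false_alarm_rate when the SSC truly performs at
its PSA value, so a count above k signals degradation with that false alarm
probability.  All numeric inputs are constructed.
"""
from math import comb, exp


def binomial_exceedance(k: int, n: int, p: float) -> float:
    """P(X > k) for X ~ Binomial(n, p)."""
    if k >= n:
        return 0.0
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k + 1, n + 1))


def poisson_exceedance(k: int, mean: float) -> float:
    """P(X > k) for X ~ Poisson(mean), via the recursive term e^-m m^i / i!."""
    cdf, term = 0.0, exp(-mean)
    for i in range(k + 1):
        cdf += term
        term *= mean / (i + 1)
    return max(0.0, 1.0 - cdf)


def demand_failure_criterion(n_demands: int, p_fail_per_demand: float,
                             false_alarm_rate: float) -> int:
    """Maximum acceptable failures in n_demands for a standby SSC."""
    k = 0
    while binomial_exceedance(k, n_demands, p_fail_per_demand) > false_alarm_rate:
        k += 1
    return k


def run_time_failure_criterion(run_hours: float, lambda_per_hour: float,
                               false_alarm_rate: float) -> int:
    """Maximum acceptable failures over run_hours for a running SSC."""
    mean = run_hours * lambda_per_hour
    k = 0
    while poisson_exceedance(k, mean) > false_alarm_rate:
        k += 1
    return k


def goal_met(observed_failures: int, criterion: int) -> bool:
    """Monitoring outcome: the licensee-established goal is met when the
    observed count does not exceed the criterion."""
    return observed_failures <= criterion


if __name__ == "__main__":
    # Constructed case: a standby pump with PSA failure-on-demand probability
    # 0.01, tested 100 times over the monitoring period, 5% false alarm rate.
    k_demand = demand_failure_criterion(100, 0.01, 0.05)
    # Constructed case: a running component at 1E-3 failures/hour over 1000 h.
    k_time = run_time_failure_criterion(1000.0, 1.0e-3, 0.05)
    print(f"standby pump: allow up to {k_demand} failures in 100 demands")
    print(f"running SSC:  allow up to {k_time} failures in 1000 h")
    print(f"4 observed failures meet goal? {goal_met(4, k_demand)}")
```

Tightening the false alarm rate raises the criterion (a 1% rate admits one more failure in the pump case), which is the trade-off between missing real degradation and spurious goal violations that the text alludes to.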

A third EPRI technical bulletin120 addressed the balance between equipment unavailability and reliability. A criterion for balance was proposed which depended mainly on achieving acceptable reliability, with a subsidiary condition on the FV risk significance values of an SSC's basic events. This balance criterion has, to date, received little attention.

In the 18 months since the rule became effective, the NRC has conducted inspections at many more plants and developed procedures121 for the conduct of these "baseline inspections". The baseline inspections focus more attention on the programmatic aspects of a utility's program than, presumably, will be the case in the future after the NRC is assured that the rule has been properly implemented.

Implementation of the maintenance rule and the ongoing inspections have made evident a number of issues that are partly technical and partly a result of the rapid evolution of risk-informed and performance-based regulations. The continued advance towards successful maintenance rule programs and additional widespread uses of risk-informed and performance-based technology requires the development of a solid technical foundation and a universal recognition of the properties of the risk significance measures currently in use, the characteristics of PSA results, and the limitations of monitoring processes. The growth of adequate industry expertise in these areas requires improved interaction between the fields of maintenance, PSA, and reliability engineering, and a unified attempt by utilities, industry organizations, regulators, and contractors to fill in all the gaps in our current technical grasp of these issues.

CONTAINMENT LEAKAGE TESTING-APPENDIX J

Background

As described in BEYOND THE INDIVIDUAL PLANT EXAMINATIONS, prior to 1995, primary containment leakage rate testing requirements were explicit and compliance-based as specified in Appendix J, 10 CFR 50.46 The allowable leakage rates are typically 0.1 and 1 percent of the containment volume per day for PWRs and BWRs respectively. Three types of tests were required: Type A tests (ILRTs) measure the integrated leakage rate of the primary containment. Generally, three tests were required during each 10-year service period. Type B and C tests (LLRTs) respectively measure the leakage rate across each pressure-containing or leakage-limiting boundary for various penetrations, including airlocks, and across isolation valves. Generally, Type B and C tests were required to be performed during each refueling outage. As stated in the earlier section, these tests are very costly and PSAs consistently showed that public risk was insensitive to leakage rates up to 100-200 fold larger than the aforementioned allowable rates since risk is dominated by failure or bypass of the primary containment. Therefore, NRC and industry worked together to design a more cost-effective testing program.

Performance-Based Containment Leakage Testing Requirements

As part of the program to modify or eliminate requirements marginal to safety, NRC considered relaxing the allowed leakage rate by approximately two orders of magnitude (100-200 fold) which would have marginal impact on population dose estimates from reactor accidents and negligible impact on occupational exposures. This relaxation would have decreased future industry testing costs by about 10%. However, such a change would have entailed a major change in policy and restructuring of the existing licensing basis for a relatively small benefit. Accordingly, NRC deferred this change to be part of a later comprehensive examination of needed containment performance.


Instead, NRC and industry focused upon extending the allowed intervals between tests. A Type A test is the primary test to detect significant leakage from the containment that would not be detected by Type B and C tests, and to verify at periodic intervals the accident leakage assumptions in the accident analysis; the purpose is not to quantify the leakage rate. A review of leakage rate testing experience showed that only a small percentage (~3%) of Type A tests had excess leakage. Furthermore, the observed leakage rates for the few Type A test failures were only marginally above the allowed rates. These observations, together with the insensitivity of public risk to containment leakage rate at these low levels, suggested that Type A test intervals could be based upon performance. The purpose of Type B and C testing is to assure that individual penetrations are essentially leak tight. Type B and C tests detect over 97% of containment leakages, of which virtually all are associated with isolation valves. A detailed evaluation of experience at a single two-unit plant found no correlation of failures with type of valve or plant service. Accordingly, a lower test frequency was justified for good-performing components.

Only a simplified description of the determination of the performance-based test intervals is presented in this article; a complete description may be found in the Nuclear Energy Institute guideline 122, which is incorporated by reference into Regulatory Guide 1.163. 123 Determination of the surveillance intervals for Type A, B, and C tests is based upon satisfactory performance of leakage tests that meet the requirements of Appendix J. Performance in this context refers both to the performance history necessary to determine test intervals and to the overall criteria needed to demonstrate leakage integrity performance; the latter criteria are not addressed in this article.

Extensions in Type A test intervals are allowed based upon two consecutive, periodic tests. The elapsed time between the first and last tests in a series of consecutive passing tests used to determine performance shall be at least 24 months. Based upon acceptable performance history, Type A testing shall be performed during a reactor shutdown at a frequency of at least once per 10 years. If the containment is repaired, modified, or its Type A test results are not acceptable, then acceptable performance shall be reestablished by performing a Type A test within 48 months of the unsuccessful test. Following a successful Type A test, the surveillance interval may be returned to 10 years.

The test intervals for Type B penetrations, except airlocks, and for Type C valves, with a few exceptions, y may be extended based upon the completion of two consecutive periodic tests. As before, the elapsed time between the first and last tests in a series of consecutive satisfactory tests used to determine performance shall be 24 months or the nominal test interval, e.g. refueling cycle, for the component prior to implementing Option B. Based upon acceptable performance history, Type B and C testing intervals may be extended from greater than 30 months up to a maximum of 60 months, z on a component by component basis. If a penetration or valve is replaced, modified, or its Type B or C test results are not acceptable, then the testing interval reverts to 30 months until acceptable performance has been reestablished. The testing intervals for airlocks and excepted valves continue to be 30 months.
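The Option B rules summarized above are a small decision procedure: a component's next interval depends only on its own pass/fail history, the elapsed time across that history, and whether it has been repaired or modified since its last test. The Python below is an added illustration of those rules as this article summarizes them; it is not code from the NEI guideline, from Regulatory Guide 1.163 or from any plant program, and it simplifies in two labelled ways (24 months is the only minimum performance span modelled, and the interval in force before Option B is taken to be the 30- or 48-month nominal value). The histories in the walkthrough functions are constructed, not plant data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List

# Added example: simplified encoding of the Appendix J Option B interval
# rules as summarized in the text. Not the NEI / RG 1.163 implementation.
# All intervals are in months.
TYPE_A_NOMINAL = 48       # retest deadline after an unsatisfactory Type A test
TYPE_A_EXTENDED = 120     # "at least once per 10 years"
TYPE_BC_NOMINAL = 30
TYPE_BC_EXTENDED = 60     # NRC cap (NEI had proposed 120)
MIN_SPAN = 24             # minimum elapsed time across the credited passes
                          # (assumption: the "nominal pre-Option B interval"
                          # alternative for Type B/C is not modelled)


@dataclass(frozen=True)
class TestRecord:
    when: date
    passed: bool
    # True when the containment, penetration or valve was repaired, modified
    # or replaced since the previous test: earlier performance no longer counts.
    repaired_since_last: bool = False


def months_between(first: date, last: date) -> int:
    return (last.year - first.year) * 12 + (last.month - first.month)


def trailing_passes(history: List[TestRecord]) -> List[TestRecord]:
    """Consecutive passing tests at the end of the history that may be
    credited as a performance history; a repair starts a new history."""
    run: List[TestRecord] = []
    for rec in reversed(history):
        if not rec.passed:
            break
        run.append(rec)
        if rec.repaired_since_last:   # this test is the first after a repair
            break
    run.reverse()
    return run


def allowed_interval(test_type: str, history: List[TestRecord],
                     excepted: bool = False) -> int:
    """Surveillance interval (months) the component may use next.

    test_type: "A" (integrated leakage), "B" (penetration) or "C" (valve).
    excepted:  airlocks (Type B) and NRC-excepted valves (Type C) stay at 30.
    """
    if test_type not in ("A", "B", "C"):
        raise ValueError("test_type must be A, B or C")
    if test_type == "A":
        nominal, extended = TYPE_A_NOMINAL, TYPE_A_EXTENDED
    else:
        nominal, extended = TYPE_BC_NOMINAL, TYPE_BC_EXTENDED
        if excepted:
            return nominal
    if not history or not history[-1].passed:
        return nominal                 # no credit yet, or revert after a failure
    if test_type == "A" and len(history) >= 2 and not history[-2].passed:
        return extended                # successful retest after a failed Type A test
    run = trailing_passes(history)
    if len(run) < 2:
        return nominal
    span = months_between(run[0].when, run[-1].when)
    return extended if span >= MIN_SPAN else nominal


def valve_walkthrough() -> List[int]:
    """Constructed Type C history for one isolation valve (not plant data)."""
    hist = [TestRecord(date(1996, 3, 1), True),
            TestRecord(date(1998, 4, 1), True)]            # two passes, 25 months apart
    steps = [allowed_interval("C", hist)]                   # 60
    hist.append(TestRecord(date(2003, 4, 1), False))        # excess leakage found
    steps.append(allowed_interval("C", hist))               # 30: revert
    hist.append(TestRecord(date(2005, 9, 1), True, repaired_since_last=True))
    steps.append(allowed_interval("C", hist))               # 30: one post-repair pass only
    hist.append(TestRecord(date(2008, 3, 1), True))         # second pass, 30 months later
    steps.append(allowed_interval("C", hist))               # 60
    return steps


def containment_walkthrough() -> List[int]:
    """Constructed Type A history (not plant data)."""
    hist = [TestRecord(date(1990, 1, 1), True), TestRecord(date(1993, 1, 1), True)]
    steps = [allowed_interval("A", hist)]                   # 120
    hist.append(TestRecord(date(2000, 1, 1), False))        # failed Type A test
    steps.append(allowed_interval("A", hist))               # 48: retest deadline
    hist.append(TestRecord(date(2002, 1, 1), True))         # successful retest
    steps.append(allowed_interval("A", hist))               # 120
    return steps


if __name__ == "__main__":
    print("Type C valve:", valve_walkthrough())
    print("Type A containment:", containment_walkthrough())
```

The walkthroughs show the two behaviours a reviewer checks first: a failure or a repair drops the component back to the nominal interval at once, while regaining the extended interval requires two credited passes far enough apart, so a component cannot "test its way back" in a single outage.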

The effect of extending containment leakage rate testing intervals is an increase in the likelihood of containment leakage, since there would be longer time periods during which an excessive leak path could exist undetected. This issue is discussed for Surveillance Test Intervals in TECHNICAL SPECIFICATIONS-Background. The degree to which intervals can be extended is a direct function of the potential effects on the health and safety of the public due to that higher likelihood. The increase in public risk has been estimated by NRC 48 and EPRI 124 with comparable results. By reviewing the results of industry leakage rate tests and IPEs, EPRI estimated the historical industry failure rates that were used to generate failure-to-seal aa probabilities for classes of components. These probabilities were utilized in a containment isolation system fault tree to estimate a failure-to-seal probability. For Type B tests, it was assumed that penetrations were tested at a nominal 120 month interval. For Type C tests, a bounding analysis was performed that assumed all valves have testing intervals that were extended to 48, 60, 72, and 120 months. The EPRI results, stated in Table 8, confirmed the low risk significance associated with extending testing intervals to the above periods.

y The Nuclear Energy Institute offered no exceptions. 122 The NRC limited the testing interval to 30 months for main steam and feedwater isolation valves in BWRs, and containment purge and vent valves in PWRs and BWRs. 123

z The Nuclear Energy Institute proposed 122 a maximum of 120 months but the NRC limited the maximum to 60 months. 44, 123
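A worked version of the chain of estimates in the preceding paragraph, as an added example (not the EPRI analysis of reference 124 and not the NRC analysis of reference 48): estimate a per-component failure rate from the pass/fail history of periodic leak tests, turn it into a time-averaged failure-to-seal probability for each candidate interval with the standard constant-failure-rate standby model, and combine components in a minimal containment isolation fault tree. The modelling assumptions are marked in the code: a constant failure rate, a test that finds and repairs any failure, two isolation valves in series per penetration so that a penetration leaks only if both fail (AND gate), and containment leakage as the OR of its penetrations. The test counts, the 3% failure fraction (the order of magnitude quoted in the text) and the penetration count are constructed inputs, not plant data.

```python
import math
from typing import Dict, List

# Added example: sensitivity of a failure-to-seal estimate to the test interval.
# Model assumptions (not from the EPRI or NRC analyses cited in the text):
#  - each component fails to seal at a constant rate lambda (per month);
#  - a periodic leak test detects any failure and it is repaired at once;
#  - a penetration leaks only if both of its isolation valves fail (AND);
#  - the containment leaks if any penetration leaks (OR, independence).


def failure_rate_from_tests(failures: int, tests: int, interval_months: float) -> float:
    """Maximum-likelihood constant failure rate (per month) from periodic tests.

    A test at interval T finds a failure with probability 1 - exp(-lambda*T),
    so lambda = -ln(1 - f/N) / T. Zero observed failures gives a rate of zero,
    which is why practitioners use a Bayesian prior instead of the raw MLE.
    """
    if not 0 <= failures < tests or interval_months <= 0:
        raise ValueError("need 0 <= failures < tests and a positive interval")
    return -math.log(1.0 - failures / tests) / interval_months


def mean_unavailability(rate: float, interval_months: float) -> float:
    """Time-averaged probability that a component is in the failed state when
    it is tested every `interval_months`: q = 1 - (1 - e^(-lambda T)) / (lambda T),
    which is close to lambda*T/2 when lambda*T is small."""
    x = rate * interval_months
    if x < 1e-9:                       # avoid 0/0 and loss of precision
        return x / 2.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def penetration_leak_probability(q_valve: float) -> float:
    """AND gate: both series isolation valves must fail to seal."""
    return q_valve * q_valve


def containment_leak_probability(q_penetration: float, n_penetrations: int) -> float:
    """OR gate over independent penetrations: 1 - prod(1 - q_i)."""
    return 1.0 - (1.0 - q_penetration) ** n_penetrations


def interval_study(failures: int, tests: int, base_interval: float,
                   candidate_intervals: List[float],
                   n_penetrations: int) -> Dict[float, dict]:
    """Failure-to-seal estimates for each candidate interval, relative to base."""
    lam = failure_rate_from_tests(failures, tests, base_interval)
    q_base = mean_unavailability(lam, base_interval)
    out: Dict[float, dict] = {}
    for t in candidate_intervals:
        q = mean_unavailability(lam, t)
        q_pen = penetration_leak_probability(q)
        out[t] = {
            "valve_unavailability": q,
            "penetration_leak": q_pen,
            "containment_leak": containment_leak_probability(q_pen, n_penetrations),
            # with no observed failures the MLE rate is zero and the ratio is undefined
            "ratio_to_base": q / q_base if q_base > 0.0 else 1.0,
        }
    return out


def demo() -> Dict[float, dict]:
    # Constructed inputs: 3 failures in 100 Type C tests at a 30-month interval
    # (the ~3% order of magnitude quoted in the text) and 50 penetrations.
    return interval_study(3, 100, 30.0, [30.0, 48.0, 60.0, 72.0, 120.0], 50)


if __name__ == "__main__":
    for t, r in demo().items():
        print(f"{t:5.0f} months  q_valve={r['valve_unavailability']:.4f}  "
              f"containment={r['containment_leak']:.2e}  x{r['ratio_to_base']:.2f}")
```

Doubling the interval roughly doubles the per-valve unavailability, as the lambda*T/2 approximation predicts, but the penetration term is quadratic in that unavailability and the containment term is then diluted by the fraction of accident sequences in which leakage matters at all; that is the structural reason the percentages in Table 8 stay so small even at 120 months.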

Some offset to the above increases in the public risk is the reduced occupational dose to plant workers incurred during the testing. The NRC estimated industry-wide occupational dose reductions to be about 9 and 75 person-rem per year for Type A and for Type B and C tests respectively. 44

Less frequent containment leakage testing has an additional risk benefit that was not considered in NRC's decision to issue Option B of Appendix J. A review of plant operating data showed that required containment leakage testing extends the duration of reactor shutdowns. As discussed in TECHNICAL SPECIFICATIONS-Background, reactor shutdowns do create some risk, and thus less frequent testing, resulting in shorter shutdown duration and fewer testing evolutions, should reduce risk. EPRI estimated 125 this risk reduction by using its ORAM code, 101-103 which was discussed in EQUIPMENT CONFIGURATION CONTROL. For representative PWR and BWR plants, EPRI found that fewer containment leakage tests would reduce their Core Damage Frequency by about 10^-7 per reactor-year.

The modified Appendix J was issued in 1995 before guides on risk-informed regulation became available in 1998. Would the modified Appendix J meet the requirements of these guides, most notably RG 1.174? 74 The changes to Appendix J appear to be generally consistent with the five key principles of RG 1.174 that are listed in the following section. The changes generally satisfy the intent but not the letter of the Acceptance Guidelines in RG 1.174. The safety and risk impacts of the change were thoroughly evaluated, although not in the context of an overall risk management approach. Although the risk assessments were performed in a manner that permitted comparison with NRC's safety goals, some adjustment would be required today in order to be consistent with current NRC expectations. The direct increases in risk were very small and are partially offset by reductions in shutdown risk. In order to conform to RG 1.174, the licensees would have to track the cumulative effect of the changes in risk.

aa This failure definition is different from ‘failure-to-close’ used in IPEs.

Table 8. Risk Results for Type A, Type B, and Type C Test Intervals (Reproduced from reference 124)

Columns: Test Type; Risk Impact at Current Test Intervals; Risk Impact at Extended Test Intervals; Comment.

PWR Representative Plant Summary

Type A
  Current intervals: 0.0032% incremental risk contribution, based on 2 x La leakage.
  Extended intervals: 0.035% incremental risk contribution, based on a test interval of 1 in 10 years.
  Comment: Compares well with Surry risk contribution of 0.07%. A range of 0.002 to 0.14% is reported in ref. 48.

Type B
  Current intervals: <<0.001% incremental risk contribution, 6.9E-05 person-rem/yr rebaselined.
  Extended intervals: <0.001% incremental risk contribution, 1.3E-04 person-rem/yr rebaselined risk. Based on testing with some components tested periodically during time interval months. In addition, blind flanges and penetrations would be removed and retested during every refueling outage. Airlocks to be tested every 24 months.
  Comment: A range of 0.2 to 4.4% is provided for other plants for both Type B and Type C penetrations in ref. 48.

Type C
  Current intervals: 0.022% of total risk, 4.9E-03 person-rem/yr.
  Extended intervals: 0.04% incremental risk contribution, 8.8E-03 person-rem/yr rebaselined risk, based on 48 month test intervals. 1.0E-02, 1.2E-02, and 1.64E-02 person-rem/yr risk, based on 60, 72, and 120 month test intervals.
  Comment: A range of 0.2 to 4.4% of total risk is provided for other plants for both Type B and Type C penetrations in ref. 48.

BWR Representative Plant Summary

Type A
  Current intervals: 0.026% incremental risk contribution, based on 2 x La leakage.
  Extended intervals: 0.029% incremental risk contribution, based on a test interval of 1 in 10 years.
  Comment: Compares well with Peach Bottom risk estimated value of 0.038%. A range of 0.002 to 0.14% is reported in ref. 48.

Type B
  Current intervals: <0.001% of total risk, KOE-06 person-rem/yr (value as printed).
  Extended intervals: 0.001%, 1.85E-05 person-rem/yr. Based on testing with some components tested periodically during time interval months. In addition, blind flanges and penetrations would be removed and retested during every refueling outage. Airlocks to be tested every 24 months.
  Comment: A range of 0.2 to 4.4% is provided for other plants for both Type B and Type C penetration types in ref. 48.

Type C
  Current intervals: 0.002% of total risk, 4.5E-06 person-rem/yr.
  Extended intervals: 0.006% of total risk, 1.1E-04 person-rem/yr, based on 48 month test intervals. 1.8E-04, 2.3E-04, and 5.01E-04 person-rem/yr risk, based on 60, 72, and 120 month test intervals.
  Comment: A range of 0.2 to 4.4% is provided for other plants for both Type B and Type C penetration types in ref. 48.

NRC RISK-INFORMED REGULATIONS

As described in BACKGROUND, the NRC has a long history in the development and application of Probabilistic Safety Analysis starting with the publication of the Reactor Safety Study 4 in 1975. In 1995, the NRC issued a policy statement 42 on the use of PSA methods in nuclear regulatory activities. The key elements of the Commission’s policy statement are:

1. The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

2. PRA and associated analyses should be used in regulatory matters, where practical within the bounds of the state-of-the-art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. It is understood that existing rules and regulations shall be complied with unless they are revised.

3. PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.

4. The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on the need for proposing and backfitting new generic requirements on nuclear power plant licensees.

The policy statement has been implemented by the issuance of a series of Regulatory Guides 72, 74, 80, 126, 127 and chapters in the Standard Review Plan 128-130 describing the attributes of acceptable risk-informed applications. Regulatory Guides describe to the public methods acceptable to the NRC staff for implementing specific parts of the NRC regulations and thereby provide guidance to utility applicants. Standard Review Plan chapters describe for the NRC staff how license applications should be reviewed. The specific contents of these Regulatory Guides and Standard Review Plan chapters are beyond the scope of this article. The methods described therein are generally consistent with the methodologies described in previous sections. A few selected subjects will be discussed below.

Regulatory Guide 1.174 74 is the most general of the five guides and establishes the overall framework for risk-informed decision-making. As a starting point, it implements the Commission's policy statement (earlier in this Section) by setting forth five key principles which proposed risk-informed changes are expected to meet in order to ensure integrated decision-making:

1. The proposed change meets the current regulations unless it is explicitly related to a requested exemption or rule change.

2. The proposed change is consistent with the defense-in-depth philosophy.

3. The proposed change maintains sufficient safety margins.

4. When proposed changes result in an increase in core damage frequency and/or risk, the increase should be small and consistent with the intent of the Commission's Safety Goal Policy Statement. 16

5. The impact of the proposed change should be monitored using performance measurement strategies.

The Regulatory Guide 74 goes on to specify in detail NRC’s requirements for proposed risk-informed changes, including scope, level of detail, and quality of the PSA, quality assurance, and documentation.

In Regulatory Guide 1.174, 74 NRC presents guidelines on acceptable changes in risk that are shown in Figure 16. They are conceptually identical to, but slightly more restrictive than, those recommended by EPRI's PSA Applications Guide. 61 They show the changes in risk (ΔCDF or ΔLERF) that are acceptable to NRC as a function of the baseline risk metrics (CDF or LERF). These guidelines are intended for comparison with a full scope (including internal and external events, full and low power, and shutdown) assessment of the change in risk metric, although NRC recognizes that many PSAs are not full scope and their use may be acceptable. There are many subtleties in the interpretation of Figure 16 and, for a full discussion, the reader is referred to the Regulatory Guide. 74

[Figure 16 not reproduced: plots of the change in CDF against total CDF and of the change in LERF against total LERF, with shaded acceptance regions; the only legible axis residue reads "10^-5 LERF".]

Figure 16. NRC's Acceptance Guidelines* for Core Damage Frequency (CDF) and Large Early Release Frequency (LERF)

* The analysis will be subject to increased technical review and management attention as indicated by the darkness of the shading of the figure. In the context of the integrated decision-making, the boundaries between regions should not be interpreted as being definitive; the numerical values associated with defining the regions in the figure are to be interpreted as indicative values only.
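Two points in the discussion of Figure 16 are easy to state and easy to lose in practice: the acceptance region depends on the total risk metric as well as on the change, and a licensee that makes several risk-informed changes has to track their cumulative effect, which was the remaining gap noted for Appendix J above. The Python below is an added example, not material from Regulatory Guide 1.174 or from the article. The threshold values are the published Region boundaries of RG 1.174 (ΔCDF of 10^-6 and 10^-5 per reactor-year against a total CDF of 10^-4; ΔLERF of 10^-7 and 10^-6 against a total LERF of 10^-5), which the Guide itself describes as indicative rather than definitive; the horizontal-axis value is taken here to be the post-change total (an assumption), and the baseline and change values in the demonstration are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Added example: RG 1.174 region classification with cumulative tracking.
# Thresholds are the published RG 1.174 figure values (per reactor-year);
# the Guide treats the region boundaries as indicative, not definitive.
CDF_GUIDE = {"small": 1e-6, "large": 1e-5, "total_cap": 1e-4}
LERF_GUIDE = {"small": 1e-7, "large": 1e-6, "total_cap": 1e-5}
RANK = {"III": 0, "II": 1, "I": 2}   # severity order for worst_region()


def region(total: float, delta: float, guide: dict) -> str:
    """RG 1.174 region for a change `delta` leaving the plant at `total` risk.

    III: very small change, acceptable regardless of the total.
    II:  small change, acceptable only while the total stays below the cap.
    I:   change (or total) too large; not normally acceptable.
    Assumption: a risk decrease is reported as Region III.
    """
    if delta < guide["small"]:
        return "III"
    if delta < guide["large"] and total < guide["total_cap"]:
        return "II"
    return "I"


@dataclass(frozen=True)
class RiskChange:
    name: str
    delta_cdf: float    # change in CDF, per reactor-year
    delta_lerf: float   # change in LERF, per reactor-year


@dataclass(frozen=True)
class Assessment:
    name: str
    own_cdf_region: str
    own_lerf_region: str
    cumulative_cdf_region: str
    cumulative_lerf_region: str


def assess(baseline_cdf: float, baseline_lerf: float,
           changes: List[RiskChange]) -> List[Assessment]:
    """Classify each change on its own and as part of the running total
    of every change made so far (the cumulative-effect tracking RG 1.174 asks for)."""
    if baseline_cdf < 0 or baseline_lerf < 0:
        raise ValueError("baseline frequencies must be non-negative")
    cum_cdf = cum_lerf = 0.0
    rows: List[Assessment] = []
    for ch in changes:
        cum_cdf += ch.delta_cdf
        cum_lerf += ch.delta_lerf
        rows.append(Assessment(
            ch.name,
            region(baseline_cdf + ch.delta_cdf, ch.delta_cdf, CDF_GUIDE),
            region(baseline_lerf + ch.delta_lerf, ch.delta_lerf, LERF_GUIDE),
            region(baseline_cdf + cum_cdf, cum_cdf, CDF_GUIDE),
            region(baseline_lerf + cum_lerf, cum_lerf, LERF_GUIDE)))
    return rows


def worst_region(regions: Iterable[str]) -> str:
    return max(regions, key=lambda r: RANK[r])


def portfolio_demo() -> List[Assessment]:
    """Constructed baseline and changes (not any plant's PSA results)."""
    baseline_cdf, baseline_lerf = 5.0e-5, 5.0e-6
    changes = [
        RiskChange("Appendix J Option B intervals", 1.0e-7, 1.0e-8),
        RiskChange("Risk-informed IST program",     4.0e-7, 4.0e-8),
        RiskChange("AOT extension",                 6.0e-7, 6.0e-8),
        RiskChange("Graded QA",                     3.0e-7, 3.0e-8),
    ]
    return assess(baseline_cdf, baseline_lerf, changes)


if __name__ == "__main__":
    for row in portfolio_demo():
        print(row)
```

In the constructed portfolio every change is Region III on its own, but the running total crosses into Region II at the third change for both CDF and LERF; a licensee who evaluates each application in isolation never sees that transition, which is exactly why the Guide asks for cumulative tracking.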

As noted in the discussion of Results of South Texas Project Study in GRADED QUALITY ASSURANCE, implementation of graded QA was limited by other 'quality' requirements. With the successful implementation of selected risk-informed applications, described in earlier sections, NRC proposed rulemaking 131 to modify regulations in 10 CFR 50 to make them more risk-informed. It recommended a phased approach involving two options, Options 2 and 3. Option 2 would make changes to the overall scope of systems, structures, and components (SSCs) covered by those sections of Part 50 requiring special treatment, e.g. QA, environmental qualification, by formulating new definitions of safety-related and important-to-safety SSCs. Option 3 would change specific requirements in the body of regulations, including the general design criteria (GDCs). 47 An important feature of the proposal was that risk-informed implementation of Part 50 would be voluntary for licensees.

Option 2 would modify Part 50 regulations by adding flexibility to utilize a risk-informed process to evaluate the need for special treatment. The process would ensure that risk insights are used in a manner that complements NRC's traditional deterministic approach. The change would refine the existing definitions of "safety-related" and "important-to-safety" SSCs by overlaying a new "risk-informed safety class" (RISC) as shown in Figure 17. The reader is referred to references 132 and 133 for definitions of RISC-1, RISC-2, RISC-3, and RISC-4 and the proposed safety requirements for SSCs assigned to them. To implement the modification to Part 50, NRC proposes to add a new Section 50.69 and Appendix T, Categorization of SSCs into Risk-Informed Safety Classes. NRC's review of STP Nuclear Operating Company's exemption request 134 was an integral part of the rulemaking for Option 2. As noted in the discussion of Results of South Texas Project Study in GRADED QUALITY ASSURANCE, NRC approved the STP request in June 2001. 135, 136 Other pilot programs are underway by individual utilities and the owners' groups. NRC expects to complete the rulemaking and implement the new regulations for this aspect of Option 2 in mid-2002.

[Figure 17 not reproduced: a two-by-two categorization of SSCs, with the deterministic axis (safety-related versus nonsafety-related) against the risk-informed axis (safety significant versus low safety significant). The four boxes read as follows.]

1. RISC-1 SSCs: Safety-Related, Safety Significant. Treatment: Special Treatment + 50.69 Requirements.
2. RISC-2 SSCs: Nonsafety-Related, Safety Significant. Treatment: 50.69 Requirements.
3. RISC-3 SSCs: Safety-Related, Low Safety Significant. Treatment: 50.69 Requirements to Maintain Functions.
4. Out of Scope SSCs (RISC-4): Nonsafety-Related, Low Safety Significant.

Figure 17. Diagram of Categorization and Treatment

NRC's plan 137 for Option 3 had two phases. Phase 1 would review existing Part 50 requirements to identify and prioritize requirements and Design Basis Accidents (DBAs) potentially meriting change by considering the frequencies of initiating events, risk contributions of sequences and SSCs, the extent of excessive conservatism or lack thereof in associated methods, assumptions, or acceptance criteria, estimates of the values and impacts of candidate changes, and their practicality. Phase 2 would develop the technical bases for changes and perform rulemaking to implement them. In July 2001, NRC offered recommendations 138 for risk-informed changes to 10 CFR 50.46 (ECCS Acceptance Criteria). The breadth of NRC's considerations is shown in Table 9. The final changes are likely to be a composite of various aspects of these different options.

In August 2001, NRC offered recommendations 139 for risk-informed changes to 10 CFR 50.44 (Combustible Gas Control). The main recommendation would delete the existing requirement for thermal hydrogen recombiners for all LWR containments. It is worth noting that they were originally required to mitigate design basis accidents but PRAs have shown that, on a broader perspective, they actually have low risk significance. It should be noted that, independent of this recommendation, there remains an outstanding generic issue (GI-189) about the need for more reliable power for hydrogen igniters in PWR ice condenser and BWR Mark III containments.

Table 9. Summary of Potential Risk-Informed Options for Modifying 10 CFR 50.46

Columns: Option; Description.

Spectrum of Breaks

1. LBLOCA redefinition. Permit each plant to define a maximum design-basis LOCA size based on leak-before-break and probabilistic fracture mechanics analyses performed in accordance with NRC-approved methods and assumptions.

ECCS Functional Reliability

2. Modify design-basis LOCA-LOOP assumptions. Drop the requirement that LOOP be postulated in larger, more unlikely design-basis LOCAs.

3. Use reliability analyses in lieu of Single Failure Criterion for ECCS. Permit the use of ECCS reliability and LOCA frequency information to establish ECCS reliability requirements in lieu of the single failure criterion.

ECCS Evaluation Models

4. Relax excessive Appendix K conservatisms. Revise Appendix K to 10 CFR 50 to permit excessively conservative features (e.g. decay heat and cladding oxidation models) to be replaced by more realistic ones.

5. Make best-estimate ECCS performance analyses less burdensome. Apply advanced methods to accelerate uncertainty analyses (and potentially model reviews) for best-estimate evaluations of ECCS performance.

6. Propagate uncertainty in LBLOCA size and location. Permit uncertainties in large-break size and location to be addressed along with, and in the same manner as, uncertainties in other inputs to best-estimate ECCS evaluation models.

7. Enable best-estimate analyses with approved uncertainty increments. Enable licensees to evaluate ECCS performance using best-estimate code predictions with NRC-approved allowances added to account for uncertainties.

ECCS Acceptance Criteria

8. Modify ECCS acceptance criteria. Replace the current prescriptive ECCS acceptance criteria in 10 CFR 50.46 with a performance-based requirement to demonstrate adequate post-quench cladding ductility and adequate core-coolant flow area to ensure that the core remains amenable to cooling, and, for the duration of the accident, maintain the calculated core temperature at an acceptably low value and remove decay heat. Permit demonstration of adequate post-quench ductility through testing as a performance-based alternative to the current acceptance criteria for peak cladding temperature and maximum oxidation.

The NRC places heavy emphasis upon the quality of the PSA being commensurate with the application for which it is intended and the role the PSA results play in the integrated decision process. The more emphasis that is put on the risk insights and on PSA results in the decision-making process, the more requirements have to be placed on the PSA, in terms of how well the risk and/or the change in risk is assessed. Quality is defined as measuring the adequacy of the actual modeling. A PSA used in risk-informed regulation should be performed correctly, and in a manner that is consistent with accepted practices. A utility can assure quality by performing a peer review of its PSA. In this case, the submittal should document the review process, the qualifications of the reviewers, a summary of the review findings and their resolution. The BWR Owners' Group 140 has developed a PSA certification program, has implemented it for 16 BWRs, and will do so for all BWRs by 2001. The other Owners' Groups, bb recognizing the value of the certification process, endorsed the BWROG approach. Using it as the basis, the methodology has been adapted to handle PSAs for both BWRs and PWRs. The resulting industry guidelines 141 are being issued by the Nuclear Energy Institute. On the longer term, the NRC wants to reference a standard for PSAs; industry and NRC are currently developing such a standard under the auspices of the American Society of Mechanical Engineers. 62

bb Westinghouse Owners' Group (WOG), Babcock & Wilcox Owners' Group (B&WOG), and Combustion Engineering Owners' Group (CEOG)

SUMMARY AND CONCLUSIONS

This article has traced the application of Probabilistic Safety Analysis to nuclear power plant safety from the watershed Reactor Safety Study, published in 1975, to the integration of the methodology into NRC regulations in 1999. The effective use of PSA methodology to enhance nuclear power plant safety was not initially obvious. Over a couple of decades, the natural tension between government regulators and regulated utilities with their supporting contractors has been used constructively to implement a sophisticated and subtle technology into a regulatory process which is subject to intense public scrutiny. The transformation from deterministic to risk-informed approaches is not yet complete, as evidenced by the pending NRC rulemaking 131, 132, 137 and a recent article. The outcome is that nuclear power plants throughout the world are operating more safely and economically to the benefit of the public.

ACKNOWLEDGMENTS

The work described in this article includes the efforts of numerous colleagues during the past 20 years. The authors would particularly like to express their appreciation to Robert J. Budnitz (Future Resources Assoc. Inc.), Andrew Dykes (EQE), John M. Gisclon (Consultant to EPRI), Carl R. Grantom (South Texas Project Nuclear Operating Company), Alan Hackerott (Omaha Public Power District), Thomas Hook (Southern California Edison), Jeff Mitman and Frank J. Rahn (EPRI), Bruce B. Mrowca (Baltimore Gas & Electric), Pranab Samanta (BNL), Raymond E. Schneider (ABB Combustion Engineering), Herschel Specter (RBR Consultants, Inc.), and Clem Yeh (New York Power Authority) who have provided invaluable support in the preparation of this article.

REFERENCES

1. F. R. Farmer, Siting Criteria-A New Approach, Symposium on the Containment and Siting of Nuclear Power Reactors, International Atomic Energy Agency, Vienna, Austria, (1967).

2. I. B. Wall, Probabilistic Assessment of Risk for Reactor Design and Siting, Trans. of American Nuclear Society, 12, 1, (1969).

3. H. J. Otway and R. C. Erdmann, Reactor Siting and Design from a Risk Viewpoint, Nuclear Engineering & Design, pp 365-376, (1970).

4. Reactor Safety Study-An Assessment of Accident Risks in US Nuclear Power Plants, WASH-1400 (NUREG-75/014), (1975).

5. I. B. Wall, Government sponsored assessment, in: High Risk Safety Technology, A. E. Green, ed., John Wiley & Sons, Chichester, UK, (1982).

6. C. Starr, M. Levenson, and I. B. Wall, ‘Realistic estimates of the consequences of nuclear accidents,’ Briefing for NRC Commission, 18 November 1980. Transcript available from NRC.

7. President’s Commission on the Accident at Three Mile Island, Chairman, J. G. Kemeny, Pergamon Press, (1979).

8. Nuclear Regulatory Commission Special Inquiry Group, Three Mile Island: A Report to the Commissioners and to the Public, Director, M. Rogovin, (1979). Vol. II, pp 1241. Available from GPO Sales Program and National Technical Information Service.

9. PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plant, NUREG/CR-2300, (1983).

10. W. R. Sugnet, et al, Oconee PRA; A Probabilistic Risk Assessment of Oconee Unit 3, Nuclear Safety Analysis Center Report NSAC-60, (1984). Available from EPRI.

11. Zion Probabilistic Safety Study, Commonwealth Edison Company, (1981). Available in NRC's Public Document Room, Washington, DC.

12. Indian Point Probabilistic Safety Study, Consolidated Edison Company of New York, Inc. and Power Authority of the State of New York, (1982). Available in the NRC Public Document Room, Rockville, MD.

13. Severe Accident Risks: An Assessment of Five U.S. Nuclear Power Plants, NUREG-1150, (1990).

14. H. J. C. Kouts, et al, Special Committee Review of the Nuclear Regulatory Commission's Severe Accident Risks Report (NUREG-1150), NUREG-1420, (1990).

15. Safety Goals for Nuclear Power Plant Operation, NUREG-0880, (1983).

16. Safety Goals for the Operations of Nuclear Power Plants; Policy Statement, Federal Register, 51, pp 30028-30033, August 21, 1986.

17. Modifications to the Reactor Safety Goal Policy Statement, SECY-00-77, March 30, 2000. Available in the NRC Public Document Room, Rockville, MD, or from www.nrc.gov.

18. Modifications to the Reactor Safety Goal Policy Statement, SRM-SECY-00-77, June 27, 2000. Available in the NRC Public Document Room, Rockville, MD, or from www.nrc.gov.

19. Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants, Federal Register, 50, pp 32138-32150, August 8, 1985.

20. NRC Generic Letter (GL) 88-20, Individual Plant Examination for Severe Accident Vulnerabilities-10 CFR 50.54(f), November 23, 1988.

21. Individual Plant Examination: Submittal Guidance, NUREG-1335, (1989).

22. Individual Plant Examination Program: Perspectives on Reactor Safety and Plant Performance, NUREG-1560, (1996).

23. NRC Generic Letter (GL) 88-20, Supplement 4, Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities-10 CFR 50.54(f), April 1991.

24. Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities, NUREG-1407, (1991).

25. Preliminary Perspectives gained from Initial Individual Plant Examinations of External Events (IPEEE) Submittal Reviews, NUREG-XXXX, December 17, 1997. Transmitted by Mark C. Cunningham on February 3, 1998 to NRC's Public Document Room, Rockville, MD, or from www.nrc.gov. To be published later.

26. Z. W. Birnbaum, On the Importance of Different Components in a Multicomponent System, in: Multivariate Analysis - II, ed. P. R. Krishnaiah, Academic Press, New York (1969).

27. H. E. Lambert, Measures of Importance of Events and Cut Sets in Fault Trees, in: Reliability and Fault Tree Analysis, ed. R. E. Barlow, J. B. Fussell, and N. D. Singpurwalla, SIAM Press, Philadelphia, pp 77-100 (1975).

28. W. E. Vesely, et al, Measures of Risk Importance and their Applications, NUREG/CR-3385, (1983).

29. W. E. Vesely and T. C. Davis, Evaluations and Utilizations of Risk Importances, NUREG/CR-4377, (1985).

30. J. C. Brons, W. H. Rasin, and H. Specter, Public briefing of NRC Commissioners, March 10, 1992. Transcript available from US Nuclear Regulatory Commission.

31. H. Specter, Risk-based regulation, Trans. of American Nuclear Society, 65, TANSAO 65 1-580, (1992).

32. H. Specter, Shifting the regulatory paradigm, Proc. of ANS Executive Conference, Marco Island, FL, (1992). Available from American Nuclear Society.

33. H. Specter, PSA, Calculus, and Nuclear Regulation, Proc. of International Topical Meeting on Probabilistic Safety Assessment, pp 571-577, (1993). Available from American Nuclear Society.

34. E. V. Lofgren, F. Varcolik, and W. E. Vesely, Optimum Test Intervals for Online Testing, NUREG/CR-2158, (1981).

35. E. V. Lofgren, F. Varcolik, and W. E. Vesely, Probabilistic Approaches to LCOs and Surveillance Requirements for Standby Safety Systems, NUREG/CR-3082, (1982).

36. W. E. Vesely, Evaluation of Allowed Outage Times (AOT) from a Risk and Reliability Standpoint, NUREG/CR-5425, (1989).

37. P. K. Samanta, W. E. Vesely, and I. S. Kim, Study of operational risk-based configuration control, NUREG/CR-5641, (1991).

38. Indian Point 3 Individual Plant Examination, New York Power Authority, (1994). Available in NRC’s Public Document Room, Rockville, MD.

39. James A. Fitzpatrick Individual Plant Examination, New York Power Authority, (1998). Available from New York Power Authority, White Plains, NY.

40. J. C. Brons (New York Power Authority), Letter to NRC Chairman I. Selin, September 18, 1992. Copy available from NYPA or NRC files.

41. F. J. Rahn, Comparison of reliabilities of Q and non-Q components, Private communication of an unpublished report.

42. Use of PRA Methods in Nuclear Regulatory Activities; Policy Statement, Federal Register, 60, pp 42622-42629, August 16, 1995.

43. Code of Federal Regulations, 10 CFR 50.65, Requirements for monitoring the effectiveness of maintenance at nuclear power plants.

44. Primary Reactor Containment Leakage Testing for Water-Cooled Power Reactors, Federal Register, 60, No. 186, pp 49495-49505, September 26, 1995.

45. Risk-Informed and Performance-Based Regulation, NRC Commission Policy and Guidance, White paper issued 16 March 1999.

46. Code of Federal Regulations, 10 CFR 50, Appendix J, Primary Reactor Containment leakage Testing for Water-Cooled Power Reactors.

47. Code of Federal Regulations, 10 CFR 50, Appendix A, General Design Criteria for Nuclear Power Plants.

48. M. Dey, et al, Performance-Based Containment Leak-Test Program, NUREG-1493, (1995).

49. W. E. Vesely, Letter to the Editor; Supplemental viewpoints on the use of importance measures in risk-informed regulatory applications, Reliability Engineering and System Safety, 60, pp 257-259, Elsevier Science Ltd., (1998).

50. K. N. Fleming, Developing Useful Insights and Avoiding Misleading Conclusions from Risk Importance Measures in PSA Applications, International Topical Meeting on Probabilistic Safety Assessment, pp 215-221, Park City, UT, (1996). Available from the American Nuclear Society.

51. W. E. Vesely, Reservations on 'ASME Risk-Based Inservice Inspection and Testing: An Outlook to the Future', Risk Analysis, 18, No. 4, pp 423-425, (1998).

52. ASME Boiler and Pressure Vessel Code, Section III, New York, NY. Updated annually by and available from American Society of Mechanical Engineers.

53. ASME Code for Operation and Maintenance of Nuclear Power Plants, Section IST, Subsection ISTB Inservice Testing of Valves in Light-Water Reactor Power Plants, New York, NY, (1994). Available from American Society of Mechanical Engineers.

54. Code of Federal Regulations, 10 CFR 50.55a, Codes and standards.

55. NRC Generic Letter (GL) 89-10, Safety-related motor-operated valve testing and surveillance, June 28, 1989.

56. Guidelines for optimizing safety benefits in assuring the performance of motor-operated valves, NUMARC 93-05, (1993). Available from the Nuclear Energy Institute, Washington, DC.

57. J. E. Richardson (NRC) Letter to F. T. Rhodes, Chairman, ASME O&M Committee, September 19, 1991. Available from either NRC or ASME archives.


58. D. L. Maret and C. W. Rowley, Evaluation of the Safety Benefits and Costs of Proposed Revisions to Inservice Testing Requirements for Pumps and Valves, EPRI Report TR-102240, (1993).

59. Code of Federal Regulations, 10 CFR 50.109, Backfitting.

60. Light Water Reactor (LWR) Nuclear Power Plant Components: Risk-Based Inservice Testing - Development of Guidelines, American Society of Mechanical Engineers Report CRTD-Vol. 40-2, (1996).

61. D. True, et al, PSA Applications Guide, EPRI Report TR-105396, (1995).

62. Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, Proposed National Standard being written by American Society of Mechanical Engineers. Publication expected in early 2002. Available from ASME, 345 East 47th Street, New York, NY 10017.

63. R. D. Campbell, et al, A Methodology for Assessment of Nuclear Power Plant Seismic Margin, EPRI Report NP-6041, (1988). J. W. Reed, et al, Same title, Revision 1, NP-6041 SL, (1991).

64. Professional Loss Control, Inc., Fire-Induced Vulnerability Evaluation (FIVE), EPRI Report TR-100370, (1992).

65. W. J. Parkinson, Risk-Based In-Service Testing Program for Comanche Peak Steam Electric Station, EPRI Report TR-105870, (1995).

66. K. T. Canavan, Effect of probabilistic safety assessment truncation limits on risk achievement worth calculation, Proc. International Topical Meeting on Probabilistic Safety Assessment, pp 237-241, Park City, UT, (1996). Available from the American Nuclear Society.

67. Approval of Risk-Informed Inservice Testing (RI-IST) Program for Comanche Peak Steam Electric Station, Units 1 and 2 (TAC Nos. M94165, M94166, MA1972, and MA1973) Attached to letter to C. L. Terry (TU Electric) from NRC, dated August 14, 1998. Available in the NRC Public Document Room, Rockville, MD.

68. Code of Federal Regulations, 10 CFR 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.

69. W. J. Parkinson, Quality Assurance Grading Criteria for Plant Systems and Components, EPRI Report TR-105868, (1995).

70. Draft Guideline for Implementation of a Graded Approach to Quality, (1995). Available from the Nuclear Energy Institute, Washington, DC.

71. Industry Guidelines for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, NUMARC 93-01, (1993). Available from the Nuclear Energy Institute, Washington, DC.

72. An Approach for Plant-Specific, Risk-Informed, Decisionmaking: Graded Quality Assurance, NRC Regulatory Guide 1.176, (1998).

73. Safety Evaluation by the Office of Nuclear Reactor Regulation of Houston Lighting and Power Company South Texas Project, Units 1 and 2, Graded Quality Assurance Program, Dockets Nos. 50-498 and 50-499. Attached to letter to W. T. Cottle (HLP) from T. W. Alexion (NRC), dated November 6, 1997. Available in the NRC Public Document Room, Rockville, MD.

74. An Approach for using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, NRC Regulatory Guide 1.174, (1998).

75. Code of Federal Regulations, 10 CFR 50.36, Technical Specifications.

76. Final Commission Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors, Federal Register, 58, pp 39132-9, July 22, 1993.

77. Standard Technical Specifications; Babcock and Wilcox Plants, NUREG-1430, Vols 1-3, Rev. 1, (1995). The parallel reports for Westinghouse, Combustion Engineering, General Electric BWR/4 and General Electric BWR/6 plants are NUREG-1431, -1432, -1433, and -1434 respectively, (1995).

78. W. E. Vesely and F. F. Goldberg, FRANTIC - A Computer Code for Time Dependent Unavailability Analysis, NUREG-0193, (1977).


79. P. K. Samanta, et al, Handbook of Methods for Risk-Based Analyses of Technical Specifications, NUREG/CR-6141, (1994).

80. An Approach for Plant-Specific, Risk-Informed, Decisionmaking: Technical Specifications, NRC Regulatory Guide 1.177, (1998).

81. Standard Review Plan for Risk-Informed Decisionmaking: Technical Specifications, NRC Standard Review Plan, Chapter 16.1, NUREG-0800, (1998).

82. T. Mankamo, et al, Technical Specification Action Statements Requiring Shutdown; A risk perspective with application to the RHR/SSW systems of a BWR, NUREG/CR-5995, (1993).

83. I. S. Kim, et al, Quantitative Evaluation of Surveillance Test Intervals including Test-Caused Risks, NUREG/CR-5775, (1992).

84. Outage Risk Assessment and Management Implementation at Fermi 2, EPRI Report TR-109013, (1997).

85. Safety Assessment of BWR Risk during Shutdown Operations; EPRI Outage Risk Management (ORAM) Program, Nuclear Safety Analysis Center Report NSAC-175L, (1992). Available from EPRI.

86. E. E. Lewis, Nuclear Power Reactor Safety, John Wiley & Sons, Inc., (1977).

87. E. Lofgren, S. Uryasev, and P. Samanta, Technical Specification Defenses against Common Cause Failures, NUREG/CR-6140, (1995).

88. A. A. Dykes and J. K. Liming, Guidelines for Preparing Risk-Based Technical Specifications Change Request Submittals, EPRI Report TR-105867, (1995).

89. Task Group on Technical Specifications (J. H. Sniezek, Chairman), Technical Specifications Enhancing the Safety Impact, NUREG/CR-1024, (1983).

90. R. Lobel and T. R. Tjader, Improvements to Technical Specifications Surveillance Requirements, NUREG-1366, (1992).

91. RPS/ESFAS Extended Test Interval Evaluation, Combustion Engineering, Inc. Report CEN-327-A, May 1986. Supplement 1, January 1989.

92. R. E. Schneider, et al, Template for the Submission of Revised Risk-Based Technical Specifications, EPRI Report TR-105987, (1995).

93. Joint Applications Report for Safety Injection Tank AOT/STI Extension, Combustion Engineering, Inc. Report CE-NPSD-994, April 1995.

94. Joint Applications Report for Low Pressure Safety Injection System AOT Extension, Combustion Engineering, Inc. Report CE-NPSD-995, April 1995.

95. Joint Applications Report, Modifications to the Containment Spray and Low Pressure Safety Injection System Technical Specifications, Combustion Engineering, Inc. Report CE-NPSD-1045, April 1998.

96. Joint Applications Report for Emergency Diesel Generator AOT Extension, Combustion Engineering, Inc. Report CE-NPSD-996, April 1995.

97. R. E. Schneider, et al, Application of PSA in Modifying Plant Technical Specifications, Proceedings of Fourth International Conference on Nuclear Energy, New Orleans, LA, (1996). Available from the American Society of Mechanical Engineers, New York, NY.

98. Safety Evaluation by the Office of Nuclear Reactor Regulation Related to Amendment No. 139 to Facility Operating License No. NPF-10 and Amendment No. 131 to Facility Operating License No. NPF-15, Southern California Edison Company, San Diego Gas and Electric Company, The City of Riverside, CA, The City of Anaheim, CA, San Onofre Nuclear Generating Station, Units 2 and 3, Docket Nos. 50-361 and 50-362. Attached to letter to H. R. Ray (SCE) from J. W. Clifford (NRC), “Subject: Issuance of Amendment for San Onofre Nuclear Generating Station, Unit No. 2 and Unit No. 3”, dated June 19, 1998. Available in the NRC Public Document Room, Rockville, MD.


99. Safety Evaluation by the Office of Nuclear Reactor Regulation Related to Amendment No. 141 to Facility Operating License No. NPF-10 and Amendment No. 133 to Facility Operating License No. NPF-15, Southern California Edison Company, San Diego Gas and Electric Company, The City of Riverside, CA, The City of Anaheim, CA, San Onofre Nuclear Generating Station, Units 2 and 3, Docket Nos. 50-361 and 50-362. Attached to letter to H.R. Ray (SCE) from J. W. Clifford (NRC), “Subject: Issuance of Amendment for San Onofre Nuclear Generating Station, Unit No. 2 and Unit No. 3”, dated September 9, 1998. Available in the NRC Public Document Room, Rockville, MD.

100. G. A. Krueger, Private communication from PECo Energy Company.

101. L. A. Bennett, et al, Risk Management and Safety Assessment for Arkansas Nuclear One Unit 1 during Shutdown Operations; Outage Risk Assessment and Management (ORAM) Technology, EPRI Report TR-105031, (1994).

102. V. M. Anderson, et. al., Outage Risk Assessment and Management (ORAM) Implementation at Fermi 2, EPRI Report TR-109013, (1997).

103. ORAM-SENTINEL™ Version 3.3 Software and User's Manual, EPRI Report AP-112894-CD, (1999).

104. EOOS - A Tool for Risk Awareness, Version 2.6, Risk & Reliability Users Group Manual, SAIC Report, (1997). Available from EPRI.

105. R. Michal, Computer-based PRA at San Onofre, Nuclear News, September 1996. A Publication of the American Nuclear Society, ISSN: 0029-5574.

106. E. T. Burns, et al, SENTINEL Technical Basis Report for Limerick, EPRI Report TR-108953, (1997).

107. Guidelines for Industry Actions to Assess Shutdown Management, NUMARC 91-06, (1991). Available from the Nuclear Energy Institute, Washington, DC.

108. F. Rosa, NRC Internal Memorandum to R. Weissman, Vermont Yankee Plan to Overhaul an Emergency Diesel Generator at Full Power, April 6, 1990. Available in the NRC Public Document Room, Rockville, MD.

109. T. E. Murley, NRC Internal Memorandum to T. T. Martin, Using the Outage Time Allowed by the Limiting Condition for Operation for overhauling an Emergency Diesel Generator with the Plant operating at Full Power, May 18, 1990. Available in the NRC Public Document Room, Rockville, MD.

110. W. T. Russell (NRC), Letter to J. F. Colvin (NEI), October 6, 1994.

111. J. M. Taylor (NRC), Letter to Z. T. Pate (INPO), October 6, 1994.

112. NRC Inspection Manual, Part 9900 (Technical Guidance), “Maintenance-Voluntary Entry into Limiting Conditions for Operation Action Statements to Perform Preventive Maintenance,” April 18, 1991. Available in the NRC Public Document Room, Rockville, MD.

113. Proposed Rule: Ensuring the Effectiveness of Maintenance Programs for Nuclear Power Plants, Federal Register, 53, pp 47822-9, November 28, 1988.

114. Regulatory Guide: Issuance, Availability, Federal Register, 54, pp 33988-9, August 17, 1989.

115. Regulatory Guide 1.160, Revision 2, “Monitoring the Effectiveness of Maintenance at Nuclear Power Plants.”

116. A Report on the Verification and Validation of NUMARC 93-01, “Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants”, NUMARC 93-02, 1993. Available from the Nuclear Energy Institute, Washington, DC.

117. D. H. Worledge, Insights from EPRI Maintenance Rule Projects, EPRI Report TR-106280, (1996).

118. J. Gisclon and D. H. Worledge, Monitoring Reliability For The Maintenance Rule, EPRI Technical Bulletin 96-11-01, November 1996.

119. J. Gisclon and D. H. Worledge, Monitoring Reliability For The Maintenance Rule - Failures To Run, EPRI Technical Bulletin 97-3-01, March 1997.

120. D. H. Worledge, A Decision Rule for Balance Between Reliability And Availability, EPRI Technical Bulletin 6-26-97, June 1997.


121. Inspection Procedure 62706, Maintenance Rule. Available in the NRC Public Document Room, Rockville, MD.

122. Industry Guideline for Implementing Performance-Based Option of 10 CFR Part 50, Appendix J, Nuclear Energy Institute Report 94-01, (1995).

123. Performance-Based Containment Leak-Test Program, USNRC Regulatory Guide 1.163, September 1995.

124. J. M. Gisclon and G. P. Simion, Risk Impact Assessment of Revised Containment Leak Rate Testing Intervals, EPRI Report TR-104285, (1994).

125. L. Bennett, E. Burns, and D. True, Shutdown Risk Impact Assessment for Extended Containment Leakage Testing Intervals utilizing ORAM, EPRI Report TR-105189, (1995).

126. An Approach for Plant-Specific, Risk-Informed, Decisionmaking: Inservice Testing, NRC Regulatory Guide 1.175, (1998).

127. An Approach for Plant-Specific, Risk-Informed, Decision-making: Inservice Inspection of Piping, NRC (For trial use) Regulatory Guide 1.178, (1998).

128. Use of Probabilistic Risk Assessment in Plant-Specific, Risk Informed Decisionmaking: General Guidance, NRC Standard Review Plan, Chapter 19, NUREG-0800, (1998).

129. Standard Review Plan for Risk-Informed Decisionmaking: Inservice Testing, NRC Standard Review Plan, Chapter 3.9.7, NUREG-0800, (1998).

130. Standard Review Plan (For trial use) for Review of Risk-Informed Inservice Inspection of Piping, NRC Standard Review Plan, Chapter 3.9.8, (1998).

131. Options for Risk-Informed Revisions to 10 CFR Part 50 - “Domestic Licensing of Production and Utilization Facilities,” SECY-98-300, December 23, 1998. Available in the NRC Public Document Room, Rockville, MD, or from www.nrc.gov.

132. Rulemaking Plan for Risk-Informing Special Treatment Requirements, SECY-99-256, October 29, 1999. Available in the NRC Public Document Room, Rockville, MD, or from www.nrc.gov.

133. Risk-Informing Special Treatment Requirements, SECY-00-194, September 7, 2000. Available in the NRC Public Document Room, Rockville, MD, or from www.nrc.gov.

134. Request Exemption from Various Special Treatment Requirements of 10 CFR 50 as described in Enclosures. Houston Lighting and Power Company, South Texas Project, Units 1 and 2, Dockets Nos. 50-498 and 50-499. Attached to letter from J. J. Sheppard (HLP) to NRC, dated July 13, 1999.

Revised Request for Exemption to Exclude Certain Components from the Scope of Special Treatment Requirements Required by Regulations. Attached to letter from J. J. Sheppard (HLP) to NRC, dated August 31, 2000. Available in the NRC Public Document Room, Rockville, MD.

135. STP Nuclear Operating Company Exemption Requests: Proof-of-Concept for Risk-Informing 10 CFR Part 50, Option 2, SECY-01-103, June 12, 2001. Available in the NRC Public Document Room, Rockville, MD, or from www.nrc.gov.

136. South Texas Project, Units 1 and 2-Safety Evaluation on Exemption Requests from Special Treatment Requirements of 10 CFR Parts 21, 50, and 100 (TAC Nos. MA6057 and MA6058). Attached to letter to W. T. Cottle (HLP) from J. A. Zwolinski (NRC), dated August 3, 2001. Available in the NRC Public Document Room, Rockville, MD.

137. Proposed Staff Plan for Risk-Informing Technical Requirements in 10 CFR Part 50, SECY-99-264, November 8, 1999. Available in the NRC Public Document Room, Rockville, MD, or from www.nrc.gov.

138. Status Report on Study of Risk-Informed Changes to the Technical Requirements of 10 CFR Part 50 (Option 3) and Recommendations on Risk-Informed Changes to 10 CFR 50.46 (ECCS Acceptance Criteria), SECY-01-133, July 23, 2001. Available in the NRC Public Document Room, Rockville, MD, or from www.nrc.gov.


139. Staff Plans for Proceeding with the Risk-Informed Alternative to the Standards for Combustible Gas Control Systems in 10 CFR 50.44, SECY-01-162, August 23, 2001. Available in the NRC Public Document Room, Rockville, MD, or from www.nrc.gov.

140. PSA Peer Review Certification Implementation Guidelines, Boiling Water Reactor Owners’ Group Report BWROG/PSA-9604, (1997).

141. Probabilistic Risk Assessment (PRA) Peer Review Process Guidance, Draft Nuclear Energy Institute Report (Rev. A3), May 1999.

142. H. Specter, Win-win initiatives, Reliability Engineering & System Safety, 63, pp 275-281, Elsevier Science Ltd., (1999).

143. I. B. Wall and D. H. Worledge, Some Perspectives on Risk Importance Measures, Proc. International Topical Meeting on Probabilistic Safety Assessment, pp 203-208, Park City, UT, (1996). Available from the American Nuclear Society.

144. D. Hanley, Private communication from Boston Edison Company.

145. C. W. Rowley, Risk-Based In-Service Testing Pilot Project, EPRI Report TR-105869, (1995).

APPENDIX A-MEASURES OF IMPORTANCE

Definitions of Importance Measures

The core damage frequency (CDF) is computed from multiple accident sequences representing different combinations of structures, systems, or components (SSCs) being unavailable for one reason or another and thereby causing core damage. Since each SSC appears as a factor in many accident sequences but at most once in each, the CDF can be represented as a linear function of any specified SSC’s basic event probability, P, as follows:

CDF = a × P + b (A1)

where aP is the sum of all the accident sequences which contain P, and b represents all other accident sequences. This formulation has been presented previously by one of us (DHW) in a NUMARC (see footnote x) workshop in August 1993 on implementation of the Maintenance Rule and more recently in depth.117, 143 The value of the parameter a is the weighted and combined frequency of initiating events and basic event probabilities of other SSC(s) whose coincident failure(s) are necessary for core damage to occur. For a specified SSC, a large value of the a parameter reflects either a high frequency of initiating events for which the SSC is needed or large basic event probabilities of the other SSCs in the same accident sequences. It is a measure of the functional redundancy or “defense in depth” with respect to the safety challenges faced by the specified SSC. A small a suggests a high degree of functional redundancy, viz. there are many alternative SSCs should the specified SSC fail, and vice versa. As equation (A7) will show, the a parameter is proportional to the Birnbaum importance measure and does not depend on the basic event probability, P.

It should be emphasized that this simple formulation exactly represents changes in a CDF as a function of a change in the basic event probability of one component at a time. If simultaneous changes in the basic event probabilities of multiple components are being considered, a more complex representation would be needed as discussed later.


Fussell-Vesely (FV) importance (see footnote cc) is defined as the fractional contribution to the CDF of all accident sequences containing the specified SSC. From equation (A1),

FV = aP/CDF = aP/(aP+b) (A2)

It should be noted that, unless FV is larger than about 20%, FV is proportional to the basic event probability, P, of the specified SSC.

The Risk Reduction Worth (RRW) is the ratio of the baseline CDF to the reduced CDF’ when the basic event probability of the specified SSC is set to zero. It measures precisely the same aspect of risk significance as Fussell-Vesely. From equation (A1),

RRW = CDF/CDF’ = CDF/b (A3)

= CDF/(CDF - aP)

= 1/(1 - FV), by substituting (A2)

and FV = (RRW - 1)/RRW (A4)

This relationship between FV and RRW is mathematically exact. When FV ≤ 0.1, RRW ≈ 1 + FV. The Risk Achievement Worth (RAW) is the ratio to the baseline CDF of the increased CDF” when the basic event probability of the specified SSC is set to unity. From equation (A1),

RAW = CDF”/CDF = (a + b)/(aP + b) (A5)

For small values of FV, aP << b, so

RAW = 1 + a/b (A6)

It should be noted that, unless FV is large, RAW is an extremely weak function (almost independent) of the baseline basic event probability, P, of the specified SSC.

The Birnbaum 26 importance (B) is defined as the rate of change in CDF with a change in a component’s basic event probability, normalized to the baseline CDF. In mathematical terms, one would differentiate equation (Al) with the following result:

B = (dCDF/dP)/CDF = a/CDF (A7)

It is proportional to the number of safety challenges per reactor year experienced by the specified component and to the defense in depth available. By ranking components according to their Birnbaum importance, one can identify those components that experience either the highest frequency of challenges or have the weakest defense in depth. Following the earlier discussion about the parameter a, a small Birnbaum importance implies a high degree of functional redundancy.

cc This is the original definition of FV importance. In our opinion, later definitions are less satisfactory.


A more useful result is the ability to calculate the impact of an incremental change in a component’s performance on the core damage frequency that may be derived from equation (A7) as follows:

ΔCDF/CDF = aΔP/CDF = (aP/CDF) × (ΔP/P) = FV × ΔP/P (A8)

This equation is accurate for any change in a component’s basic event probability since the CDF is a linear function of P. There are two useful observations from equation (A8). First, a component’s Fussell-Vesely importance equals the increase in the CDF if its basic event probability, P, is doubled, i.e. ΔP = P. Second, the impact of a change in a component’s performance on CDF can be calculated without redoing the whole PSA calculation. For example, if a component has a baseline basic event probability of 10^-4 and a FV importance of 1%, a 10-fold improvement (degradation) in its basic event probability or failure rate would have a respectively 0.9% beneficial (9% adverse) impact on the CDF. For small changes, this result can be extended to multiple basic events (and hence components) by recognizing that the CDF is a function of the probabilities of all basic events, viz. CDF = f(P1, P2, ..., Pi, ..., Pn).

ΔCDF = ΔP1 ∂CDF/∂P1 + ΔP2 ∂CDF/∂P2 + ... + ΔPi ∂CDF/∂Pi + ... + ΔPn ∂CDF/∂Pn (A9)

Following equation (A8):

ΔCDF/CDF ≈ FV1 ΔP1/P1 + FV2 ΔP2/P2 + ... + FVi ΔPi/Pi + ... + FVn ΔPn/Pn (A10)

If the proportional change in performance is the same for all components, viz. APi = gPi, then the impact upon the CDF may be written as:

ΔCDF/CDF = g Σ(i=1..n) FVi (A11)

where the summation extends over all basic events in the model. Since, in most PSAs, a large fraction of a CDF derives from accident sequences that include two to four basic events, one would expect the sum of all FV importances to be in the range 2 to 4 (see footnote dd). This result suggests that a simultaneous improvement (degradation) of 10%, i.e. g = 0.1, in all basic events will have a 20 to 40% beneficial (adverse) impact on the CDF. A calculation using the Pilgrim Station PSA produced a value of 2.6 for the sum of FVi over basic events.144

For an individual SSC, the values of a, b, and RAW can be computed from P, CDF, and FV.

Interpretation of Risk Achievement Worth

In the main body of the article, the interpretation of RAW was discussed. A broader, more fundamental interpretation will now be discussed. As shown in equation (A5), RAW is an extremely weak function (almost independent) of the baseline basic event probability, P. In other words, two SSCs could have the same

dd For example, the sum would equal twice the sum of second-order sequences plus three times the sum of third-order sequences, etc.


RAW importances even though their average P values are radically different, or the RAW for a given SSC will remain essentially constant as the SSC’s basic event probability changes by orders of magnitude. What parameter(s) determine a high or low RAW importance? What determines the increase in risk when a specified SSC is taken out of service?

A common criterion for risk significance is RAW > 2.0.60, 61, 65, 71, 141 In Table A1, the value of RAW is calculated from equation (A6) for different relative values of a and b:

| a < b | RAW < 2.0 |
| a = b | RAW = 2.0 |
| a > b | RAW > 2.0 |

Table A1. Relationship of RAW to Relative Magnitudes of a and b.

For a specified SSC, a RAW importance of < 2.0 is associated with a small value of a relative to b. As discussed in the previous subsection, a small a means either a low frequency of initiating events for which the specified SSC is needed or low basic event probabilities for other SSCs whose coincident failure would lead to core damage. In other words, the plant design has an effective “defense in depth” for this specified SSC across the whole spectrum of accident sequences in which it participates. Conversely, a RAW importance of > 2.0 is associated with a large a relative to b and low “defense in depth” and/or a high level of safety challenges.

By considering equation (A5), it should be noted that, for a specified SSC for which a < b and hence RAW < 2.0, a degradation in availability (i.e. larger P) would very slightly reduce RAW and certainly not lead to RAW > 2.0. Conversely, if a specified SSC is associated with a > b and hence has a RAW > 2.0, improvements in its basic event probability (i.e. smaller P) would not reduce RAW below 2.0. These observations are illustrated in Figure A1 in which the Risk Achievement Worths of three components are plotted as a function of their basic event probabilities, P. (The main graph has a linear abscissa; the portion for very small basic event probabilities has been expanded on a logarithmic scale.) The three components have RAW values greater than, equal to, and less than 2.0. For a component having a typical basic event probability of 10^-4, its RAW importance does not change significantly for up to two orders of magnitude change in its basic event probability due to wear or a different testing interval. For such a component with RAW > 2.0, its basic event probability would have to degrade by more than three orders of magnitude before its RAW importance would reduce below 2.0. Such large changes in testing intervals are not being proposed and such wear-induced degradation is unrealistic.

The above discussion shows that the RAW importance of a SSC is determined by the system configuration with respect to that SSC, viz. its values of a and b, rather than its basic event probability, P. A high RAW value is not a reliable measure of the importance of avoiding degradation or of maintaining short testing intervals. It is a measure of the importance of promptly returning a component to service following a failure, testing, or maintenance. A human error on this action would significantly increase the CDF. The FV value, on the other hand, is a reliable indicator of the importance of avoiding degradation or of maintaining short testing intervals.


[Figure A1 (plot): Risk Achievement Worth against unavailability P, with P ranging from 1.0E-05 to 1.0E-02. Curves shown: a > b (coefficient garbled in the source), a = b, a = 0.5 b, and the RAW = 2.0 reference line.]

Figure A1. Risk Achievement Worth as Function of P
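To make the single-SSC measures and the RAW discussion above concrete, here is an added Python example (not code from the paper or its references) that implements equations (A1) to (A8) for the linear model, recovers a and b from P, CDF and FV as the appendix notes is possible, applies the Table A1 classification, and tabulates RAW over several decades of P to reproduce the behaviour of Figure A1. All numerical inputs are constructed; the 10^-4 / 1% case is the appendix's own illustration, and the CDF of 10^-5 per year is assumed.

```python
"""Single-SSC risk importance measures for the linear model of equation (A1),
CDF = a*P + b.  Added worked example, not code from the paper; the numerical
inputs below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class LinearCdfModel:
    """CDF = a*P + b for one SSC whose basic event probability is P.

    a: weighted frequency of all accident sequences that contain the SSC
       (initiating-event frequency times the other basic events' probabilities).
    b: frequency of all accident sequences that do not contain the SSC.
    """
    a: float
    b: float

    def cdf(self, p: float) -> float:
        return self.a * p + self.b

    def fussell_vesely(self, p: float) -> float:
        """FV = aP/CDF (A2): fraction of CDF from sequences containing the SSC."""
        return self.a * p / self.cdf(p)

    def risk_reduction_worth(self, p: float) -> float:
        """RRW = CDF/CDF' with P set to zero, i.e. CDF/b (A3)."""
        return self.cdf(p) / self.b

    def risk_achievement_worth(self, p: float) -> float:
        """RAW = CDF''/CDF with P set to unity, i.e. (a + b)/(aP + b) (A5)."""
        return (self.a + self.b) / self.cdf(p)

    def birnbaum(self, p: float) -> float:
        """B = (dCDF/dP)/CDF = a/CDF (A7); the slope a itself does not depend on P."""
        return self.a / self.cdf(p)

    def relative_cdf_change(self, p: float, delta_p: float) -> float:
        """dCDF/CDF = FV * dP/P (A8); exact because CDF is linear in P."""
        return self.fussell_vesely(p) * delta_p / p


def model_from_measures(p: float, cdf: float, fv: float) -> LinearCdfModel:
    """Recover a and b from P, CDF and FV, as the appendix notes is possible.

    From (A2), a = FV*CDF/P; from (A1), b = CDF - aP = CDF*(1 - FV).
    """
    a = fv * cdf / p
    return LinearCdfModel(a=a, b=cdf - a * p)


def fv_from_rrw(rrw: float) -> float:
    """FV = (RRW - 1)/RRW (A4), an exact identity under the linear model."""
    return (rrw - 1.0) / rrw


def raw_over_p(model: LinearCdfModel, p_values: list[float]) -> dict[float, float]:
    """RAW at several P values: RAW is set by a/b (A6), not by P (Figure A1)."""
    return {p: model.risk_achievement_worth(p) for p in p_values}


def classify_by_raw(model: LinearCdfModel) -> str:
    """Table A1: RAW > 2.0 iff a > b, RAW = 2.0 iff a = b, RAW < 2.0 iff a < b."""
    if model.a > model.b:
        return "RAW > 2.0 (low defense in depth and/or many challenges)"
    if model.a == model.b:
        return "RAW = 2.0"
    return "RAW < 2.0 (effective defense in depth)"


if __name__ == "__main__":
    # The appendix's own illustration: P = 1e-4, FV = 1%; CDF = 1e-5/yr is constructed.
    m = model_from_measures(p=1e-4, cdf=1e-5, fv=0.01)
    print(f"a = {m.a:.3e}, b = {m.b:.3e}, {classify_by_raw(m)}")
    print(f"FV = {m.fussell_vesely(1e-4):.4f}, RRW = {m.risk_reduction_worth(1e-4):.4f}, "
          f"B = {m.birnbaum(1e-4):.1f}, RAW = {m.risk_achievement_worth(1e-4):.2f}")
    print(f"10-fold improvement: {100 * m.relative_cdf_change(1e-4, -0.9e-4):+.2f}% on CDF")
    print(f"10-fold degradation: {100 * m.relative_cdf_change(1e-4, 9e-4):+.2f}% on CDF")
    # Three constructed components with a > b, a = b and a < b, as in Figure A1.
    for label, comp in (("a = 2b", LinearCdfModel(2e-5, 1e-5)),
                        ("a = b", LinearCdfModel(1e-5, 1e-5)),
                        ("a = 0.5b", LinearCdfModel(5e-6, 1e-5))):
        raws = raw_over_p(comp, [1e-5, 1e-4, 1e-3, 1e-2])
        print(label, {p: round(r, 3) for p, r in raws.items()})
```

Note that the a = b component keeps RAW within about 1% of 2.0 across three decades of P, which is the point of Figure A1.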

Simultaneous Changes in Basic Event Probabilities of More than One Component

As stated in a previous section, equation (A1) is an exact formulation that represents changes in a CDF as a function of a change in the basic event probability of one component at a time. If the basic event probabilities of two SSCs were being changed simultaneously, equation (A1) would become:

CDF = a1 × P1 + a2 × P2 + c × P1 × P2 + b’ (A12)

where a1P1 represents all the accident sequences which contain P1 but not P2, a2P2 represents all the accident sequences which contain P2 but not P1, cP1P2 represents all the accident sequences which contain both P1 and P2, and b’ represents all other accident sequences, viz. those that contain neither P1 nor P2. Knowledge of the P, CDF, FV and RAW values is insufficient to solve this equation for a1, a2, c, and b’.

Since P1 and P2 are usually << 1.0 and the number of accident sequences including both SSCs would be a small fraction of the total, it is tempting to claim that the cross term would be small compared to the other terms and could be dropped. Some evidence will be presented in a later section that this claim is valid under some circumstances but it is not guaranteed.

For Risk-Based Inservice Testing projects, it is proposed to reduce the frequency of testing of many low risk components and hence increase their basic event probabilities. To test the sensitivity of the results in one project,65 the risk importance measures, FV and RAW, were recalculated for two components at a time. Approximations for these calculations can be derived by rearranging equation (A12) as follows:

CDF = (a1 + cP2)P1 + (a2 + cP1)P2 - cP1P2 + b’ (A13)

By considering equation (A2), the Fussell-Vesely importance for both components may be written as:

FV12 = FV1 + FV2 - cP1P2/CDF (A14)

where FV12 is the FV importance for both components, and FV1 and FV2 are the FV importances for components 1 and 2 respectively. Since both P1 and P2 are << 1 and the number of cutsets involving both components is a small fraction of the total number, the third term will probably (but is not guaranteed to) be small and equation (A14) can be approximated as:

FV12 = FV1 + FV2 (A15)

In any event, the use of equation (A15) leads to a conservatively high estimate of FV12. This is a very practical and useful result. Equation (A15) is exact if P1 and P2 are failure modes of the same component. Furthermore, a lower bound for FV12 can be established by recognizing that:

FV1 + FV2 ≥ FV12 ≥ Max{FV1, FV2} (A16)

By considering equation (A5), the Risk Achievement Worth for both components may be written as:

RAW12 = 1 + {a1(1 - P1) + cP2(1 - P1) + a2(1 - P2) + cP1(1 - P2) + c - c(P1 - P1P2 + P2)}/CDF (A17)

Equation (A17) may be rewritten as:

RAW12 = RAW1 + RAW2 - 1 + c{1 - (P1 - P1P2 + P2)}/CDF (A18)

Again, since P1 and P2 << 1, equation (A18) can be approximated as:

RAW12 = RAW1 + RAW2 - 1 + c/CDF (A19)

Unfortunately, there will be pairs of components for which c/CDF can make a large contribution. Furthermore, the inclusion of accident sequences that were previously below the truncation limit (described in INSERVICE TESTING-Methodology) can increase a1, a2, c by significant amounts.
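The following added Python example (not code from the paper) evaluates the two-component model of equation (A12) numerically: it computes FV12 and RAW12 exactly, checks that (A14) and (A18) are identities, and shows where the approximations (A15) and (A19) and the bounds (A16) sit relative to the exact values, including a constructed pair for which c/CDF is large. All coefficients and basic event probabilities are constructed.

```python
"""Two-component extension of the linear model, equation (A12):
CDF = a1*P1 + a2*P2 + c*P1*P2 + b'.  Added worked example, not code from the
paper; the coefficients and probabilities used below are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class TwoComponentModel:
    a1: float  # sequences containing P1 but not P2
    a2: float  # sequences containing P2 but not P1
    c: float   # sequences containing both P1 and P2 (the cross term)
    b: float   # b': sequences containing neither P1 nor P2

    def cdf(self, p1: float, p2: float) -> float:
        return self.a1 * p1 + self.a2 * p2 + self.c * p1 * p2 + self.b

    def fv(self, p1: float, p2: float) -> tuple[float, float]:
        """Single-component FV values, using the coefficients of P1 and P2 in (A13)."""
        cdf = self.cdf(p1, p2)
        return ((self.a1 + self.c * p2) * p1 / cdf,
                (self.a2 + self.c * p1) * p2 / cdf)

    def fv12_exact(self, p1: float, p2: float) -> float:
        """FV of the pair: fraction of CDF from sequences containing P1, P2 or both."""
        cdf = self.cdf(p1, p2)
        return (cdf - self.b) / cdf

    def raw(self, p1: float, p2: float) -> tuple[float, float]:
        """Single-component RAW values: set one probability to unity at a time."""
        cdf = self.cdf(p1, p2)
        return self.cdf(1.0, p2) / cdf, self.cdf(p1, 1.0) / cdf

    def raw12_exact(self, p1: float, p2: float) -> float:
        """RAW of the pair: both probabilities set to unity."""
        return self.cdf(1.0, 1.0) / self.cdf(p1, p2)


def fv12_bounds(fv1: float, fv2: float) -> tuple[float, float]:
    """Equation (A16): max{FV1, FV2} <= FV12 <= FV1 + FV2; the upper bound is (A15)."""
    return max(fv1, fv2), fv1 + fv2


def compare_pair_measures(m: TwoComponentModel, p1: float, p2: float) -> dict[str, float]:
    """Exact pair measures beside the identities (A14), (A18) and approximations (A15), (A19)."""
    cdf = m.cdf(p1, p2)
    fv1, fv2 = m.fv(p1, p2)
    raw1, raw2 = m.raw(p1, p2)
    return {
        "fv12_exact": m.fv12_exact(p1, p2),
        "fv12_a14": fv1 + fv2 - m.c * p1 * p2 / cdf,                             # exact
        "fv12_a15": fv1 + fv2,                                                   # conservative
        "raw12_exact": m.raw12_exact(p1, p2),
        "raw12_a18": raw1 + raw2 - 1.0 + m.c * (1.0 - (p1 - p1 * p2 + p2)) / cdf,  # exact
        "raw12_a19": raw1 + raw2 - 1.0 + m.c / cdf,                              # approximation
        "c_over_cdf": m.c / cdf,  # the term that can dominate RAW12 for some pairs
    }


if __name__ == "__main__":
    # Constructed coefficients: two trains with a shared "both failed" contribution c.
    model = TwoComponentModel(a1=2e-4, a2=1e-4, c=1e-3, b=9e-6)
    p1, p2 = 1e-3, 2e-3
    for key, value in compare_pair_measures(model, p1, p2).items():
        print(f"{key:12s} = {value:.6g}")
    lo, hi = fv12_bounds(*model.fv(p1, p2))
    print(f"(A16) bounds on FV12: {lo:.6g} <= FV12 <= {hi:.6g}")
    # Two failure modes of one component never share a cutset (c = 0), so (A15) is exact.
    single = TwoComponentModel(a1=2e-4, a2=1e-4, c=0.0, b=9e-6)
    r = compare_pair_measures(single, p1, p2)
    print(f"c = 0: FV12 exact {r['fv12_exact']:.6g} vs (A15) {r['fv12_a15']:.6g}")
```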