NEI 99-02 [Revision 7]
Regulatory Assessment
Performance Indicator
Guideline
August 31, 2013
Nuclear Energy Institute, 1201 F Street N.W., Suite 1100, Washington D.C. 20004 (202.739.8000)
ACKNOWLEDGMENTS
This guidance document, Regulatory Assessment Performance Indicator Guideline, NEI 99-02,
was originally developed by the NEI Safety Performance Assessment Task Force in conjunction
with the NRC staff. We appreciate the direct participation of the many utilities, INPO and the
NRC who contributed to the development of the original guidance. Today (2013), the industry
role in supporting and maintaining NEI 99-02 is led by the efforts of the NEI Reactor Oversight
Process Task Force (ROPTF). The ROPTF is comprised of representatives of NEI member
utilities and vendors, and INPO. This document benefits from their collaboration and from our
continuing interactions with, and inputs from, the NRC staff.
Additional information on the ROPTF can be found at www.nei.org, or by contacting James
Slider at NEI, phone number (202) 739-8015 and e-mail jes@nei.org.
INFORMATION COLLECTION
Licensee submission of performance indicator information to the Nuclear Regulatory
Commission (NRC) is an information collection that was approved by the Office of Management
and Budget. Additional information regarding this information collection is contained in NRC
Regulatory Issue Summary 2000-08, Revision 1, "Voluntary Submission of Performance
Indicator Data."
NOTICE
Neither NEI, nor any of its employees, members, supporting organizations, contractors, or
consultants make any warranty, expressed or implied, or assume any legal responsibility for the
accuracy or completeness of, or assume any liability for damages resulting from any use of, any
information, apparatus, methods, or process disclosed in this report or that such may not infringe
privately-owned rights.
EXECUTIVE SUMMARY
In 2000 the Nuclear Regulatory Commission revised its regulatory oversight process for
inspection, assessment and enforcement of commercial nuclear power reactors. This process
utilizes information obtained from licensee-reported performance indicators and NRC inspection
findings. The purpose of this manual is to provide the guidance necessary for power reactor
licensees to collect and report the data elements that will be used to compute the Performance
Indicators.
An overview of the complete oversight process is provided in NUREG 1649,¹ “Reactor
Oversight Process.” More detail is provided in SECY 99-007,² “Recommendations for Reactor
Oversight Process Improvements,” as amended in SECY 99-007A³ and SECY 00-049,⁴ “Results
of the Revised Reactor Oversight Process Pilot Program.”
This revision is effective for data collection as of October 1, 2013 and includes Frequently Asked
Questions approved through March 31, 2013.
¹ NUREG-1649, “Reactor Oversight Process”, Revision 4, December 2006, available at URL: http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1649/r4/.
² SECY-99-007, “Recommendations for Reactor Oversight Process Improvements”, January 8, 1999, available at URL: http://www.nrc.gov/reading-rm/doc-collections/commission/secys/1999/secy1999-007/1999-007scy_attach.pdf.
³ SECY-99-007A, “Recommendations for Reactor Oversight Process Improvements (Follow-up to SECY-99-007)”, March 22, 1999, available at URL: http://www.nrc.gov/reading-rm/doc-collections/commission/secys/1999/secy1999-007/1999-007ascy.pdf
⁴ SECY-00-0049, “Results of the Revised Reactor Oversight Process Pilot Program”, February 24, 2000, available at URL: http://www.nrc.gov/reading-rm/doc-collections/commission/secys/2000/secy2000-0049/2000-0049scy.pdf
Summary of Changes to NEI 99-02
Revision 6 to Revision 7
Page or Section | Major Changes
p. iii | Added list of FAQs incorporated in Rev. 7
pp. 1-6 | Editorial corrections from Slider, Heffner, Balazik
p. 4 | Tabularized the criteria for submitting comments in CDE.
pp. 8-9 | Editorial corrections to Table 2, Performance Indicators
p. 13 | Editorial corrections to data example
p. 14-16 | Incorporated FAQ 469 (09-09) for unplanned power changes indicator
p. 17-19 | Editorial corrections from Gary Miller eliminating repetition in definition of unplanned power changes
p. 20 | Editorial corrections to data example
pp. 21-29 | Incorporated numerous changes to unplanned scrams with complications per FAQ 481 (10-02)
p. 28 | Editorial corrections to data example
p. 32 | Amplified guidance saying SSFF report date is tied to date of revised LER.
p. 33 | Editorial corrections to data example
pp. 34-39 | Incorporated numerous changes on guidance for updating PRA data and basis document, per FAQ 477 (11-02) and conforming changes per Roy Linthicum.
p. 40 | Editorial corrections to data example
p. 43 | Editorial corrections to data example
p. 45 | Editorial corrections to data example
p. 46 | Incorporated clarification on notification criterion, per FAQ 12-06
p. 49 | Incorporated clarification on multi-site ERO members, per FAQ 09-10
p. 49 | Incorporated clarification on phone-talker, per FAQ 09-06
p. 53 | Editorial corrections to data example
p. 54 | Incorporated clarification on multi-site ERO members, per FAQ 09-10
p. 53 | Incorporated clarification on performance enhancing opportunities, per FAQ 12-06
pp. 55-56 | Incorporated clarification on multi-site ERO members, per FAQ 09-10
p. 59 | Editorial corrections to data example
p. 61 | Incorporated guidance on sirens deliberately unavailable, per FAQ 11-13
p. 64 | Editorial corrections to data example
p. 70 | Editorial corrections to data example
p. 72 | Editorial corrections to data example
pp. 73-78 | Misc. clarifications per FAQ 12-02
p. 79 | Editorial corrections to data example
Table B-1 | Corrected MSPI data element descriptions
App. D | Replaced discussion of FAQ timeliness with a reference pointing to App. E
p. D-13 | Inserted Point Beach addition of auxiliary feedwater pumps, per FAQ 11-05
p. D-15 | Inserted Fort Calhoun case on sirens de-powered because of flood, per FAQ 11-11
App. E | Inserted guidance on timely submittal of FAQs per whitepaper accepted May 2013
p. E-3 | Inserted guidance on withdrawal of FAQs, per FAQ 10-01
Figure E-1 | Revised FAQ template to link to updates of PRA information or basis document
App. F | Incorporated numerous conforming changes and corrections provided by Roy Linthicum throughout this appendix (e.g., adding “segment” where “train” appears)
pp. F-1 to F-3, F-7, F-33 | Clarified guidance on no cascading of unavailability, per FAQ 10-06.
p. F-5 | Clarified guidance on operability, per FAQ 09-08
p. F-10 | Clarified guidance on changes in baseline unavailability, per FAQ 09-07
F2.1.2 | Clarified that the fuel oil transfer pump is part of the EDG super-component, per FAQ 11-07
p. F-29 | Revised EDG failure mode definitions per FAQ 09-08
App. F, Table 7 | Incorporated Browns Ferry generic common cause factor adjustments, per FAQ 10-03.
p. F-57 | Clarified treatment of last isolation valve in a cooling water line, per FAQ 11-01
Fig. F-1 | Revised to show FOTP is within the boundary of the EDG, per FAQ 11-07
Fig. F-6 | Revised to show treatment of last isolation valve, per FAQ 11-01
App. G | Incorporated conforming changes and corrections provided by Roy Linthicum
App. H | Clarified guidance regarding availability of main feedwater in determining complicated scrams, per FAQ 10-02
Frequently Asked Questions
The following table identifies where NRC-approved FAQs were incorporated in the text. Not all
FAQs required a text change, and those FAQs are also identified. All of these FAQs will be
placed in the archived FAQ file which is available on the NRC website for reference only.
FAQ#
PI
Subject
09-04
(467)
IE04
USwC,
Availability of
Feedwater
09-08
(472)
MS06
MS07
MS08
MS09
MS10
Definition of
Availability
MS06
MS07
MS08
MS09
MS10
IE03
Baseline
Revisions
09-07
(468)
09-09
(469)
Subject
Text Rev.6
pp. 21-22.
App. F,
§1.2.1
Changes
Text?
No
Final Approval Date and Documentation
Where Found in Revision 7?
October 15, 2009 Meeting
http://pbadupws.nrc.gov/docs/ML0930/ML093060290.html
Yes
Done.
January 21, 2010 Meeting
http://pbadupws.nrc.gov/docs/ML1002/ML100261638.html
Subject was Brunswick scram
on 11/26/2008 that was
judged to be uncomplicated.
The proposed resolution
called for generic guidance to
be clarified in a future generic
FAQ.
Page F-6, “Return to
Service:…”
Page F-8, “or return to
service…”
Page F-29, “…when the EDG
output breaker…”
Page F-30, Added “Include all
failures…” text to definitions
of pump and valve failures.
Page F-10, “Prior to
implementation…”
Changes are effective April 1, 2010 for data to be reported
on July 21, 2010.
March 18, 2010 Meeting
http://pbadupws.nrc.gov/docs/ML1008/ML100850185.html
Pages 14-16, delineation of
applicable power changes
Yes
Done.
December 2, 2009 Meeting
http://pbadupws.nrc.gov/docs/ML0930/ML093060290.html
Changes are effective April 1, 2010 for data to be reported
on July 21, 2010.
App. F,
§1.2.1
Unplanned
Power
Changes
Withdrawal of
FAQs
Designated
Notifier
p. 14
Yes
Done.
App. E
Yes
Done.
Yes
Done.
Browns Ferry
CCF Values
Wolf Creek
Scrams
Palo Verde
Scrams
App. F,
Table 7
App. H
Yes
Done.
No
App. H
No
10-01
(470)
09-06
(471)
None
10-04
(473)
10-03
(474)
10-05
(475)
MS06
09-10
(476)
EP02
Common EOF
p. 50
Yes
Done.
February 16, 2011
http://pbadupws.nrc.gov/docs/ML1106/ML11068A001.pdf
Effective 3Q2011, for data to be reported by October 21,
2011.
11-02
(477)
MS05
pp. 33- 34
Yes
Done.
February 16, 2011
http://pbadupws.nrc.gov/docs/ML1106/ML11068A001.pdf
11-03
(478)
IE04
MSPI Basis
Document
Update
Robinson
Scram
App. H
No
February 16, 2011
http://pbadupws.nrc.gov/docs/ML1106/ML11068A001.pdf
11-05
(479)
MS08
Point Beach
AFW Pumps
App. D
Yes
Done
May 4, 2011
http://pbadupws.nrc.gov/docs/ML1114/ML11140A101.html
EP01
IE04
IE04
pp. 45-46
March 18, 2010 Meeting
http://pbadupws.nrc.gov/docs/ML1008/ML100850185.html
April 21, 2010 Meeting
http://pbadupws.nrc.gov/docs/ML1011/ML101130117.html
Effective July 1, 2010.
May 26, 2010 Meeting
http://pbadupws.nrc.gov/docs/ML1015/ML101530434.html
June 23, 2010 Meeting
http://pbadupws.nrc.gov/docs/ML1018/ML101800474.pdf
June 23, 2010 Meeting
http://pbadupws.nrc.gov/docs/ML1018/ML101800474.pdf
Page E-3, “Withdrawal of
FAQs…”
Page 51, “Demonstrating
sufficient knowledge…”
Page F-42, Table 7, Added Unit
1 CCF adjustment value.
Decided scram should count
as complicated
NRC suggests generic FAQ
should follow. This was later
determined to be unneeded.
Page 50, “If an ERO
member…”
Page 55, “The participation
indicator…”
Pages 56-58, “Option for
ERO…”
Page 37-38, Inserted various
mentions of when to update
the basis document.
Scram determined not to
count as complicated. No
change in text needed.
Page D-13, “Point Beach…”
Page F-43, Table 7, Revised
Point Beach MDP Standby
value.
Changes
Text?
Yes
Done
PI
10-02
(481)
IE04
USwC
11-01
(482)
MS10
Cooling Water
Valve
p. F-52
Yes
Done
September 21, 2011
http://pbadupws.nrc.gov/docs/ML1128/ML11284A011.pdf
Effective January 1, 2012 for data to be reported by April 21,
2012.
11-04
(483)
IE03
p. 13, lines
24-29
Yes
Done
11-06
(480)
11-07
(484)
MS06
Downpower
to Recover
Lost Recirc
Pump
EDG Run
Hours
Fuel Oil
Transfer
Pump
App. F,
§2.2.1
App. F,
§2.1.2
Yes
Done
Yes
Done
September 21, 2011
http://pbadupws.nrc.gov/docs/ML1128/ML11284A011.pdf
Effective October 1, 2011 for data to be reported by January
21, 2012.
September 21, 2011
http://pbadupws.nrc.gov/docs/ML1128/ML11284A011.pdf
May 4, 2011
http://pbadupws.nrc.gov/docs/ML1114/ML11140A101.html
Effective January 1, 2012 for data to be reported by April 21,
2012
11-08
(487)
MS06
EDG Failure
Modes
p.F-26,
lines 3-15
Yes
Done
11-11
(485)
EP03
Siren Testing
p. 57, lines
6-10
Yes
Done
10-06
(486)
MS06
Cascaded
Unavailability
§2.2,
pp.31-36
Yes
Done
11-09
(488)
10-07
MS
App. D
IE04
Crystal River
Shutdown
Vendor EOPs
11-10
PP01
Security OUO
No
11-12
IE03
No
11-13
EP03
Fitzpatrick
Downpowers
Suspension of
MS05
Subject
Subject
Text Rev.6
p. 20, lines
22-46
FAQ#
No
No
Yes
Final Approval Date and Documentation
Where Found in Revision 7?
September 21, 2011
http://pbadupws.nrc.gov/docs/ML1128/ML11284A011.pdf
Effective October 1, 2011, for data to be reported by
January 21, 2012
Pages 20-26, Edited in role of
MFW availability.
Page H-1, Revised
introduction to mention
unavailability of MFW.
Page H-4, Extensive revisions
of Question H1.5.
Page H-5, conforming edits to
text of H1.5.
Page H-20, conforming edits
to H3.5.
Page F-58, Revised “Cooling
Water Support System”
description.
Page F-66, Revised Figure F-6
to show train boundaries
consistent with FAQ.
Page 17, “Power changes to
restore…”
October 26, 2011
http://pbadupws.nrc.gov/docs/ML1130/ML11304A260.pdf
Effective January 1, 2012 for data to be reported by April 21,
2012
September 21, 2011
http://pbadupws.nrc.gov/docs/ML1128/ML11284A011.pdf
Effective 2Q2011
October 26, 2011
http://pbadupws.nrc.gov/docs/ML1130/ML11304A260.pdf
Effective April 1, 2012, for data to be reported by July 21,
2012.
October 26, 2011
http://pbadupws.nrc.gov/docs/ML1130/ML11304A260.pdf
May 4, 2011
http://pbadupws.nrc.gov/docs/ML1114/ML11140A101.html
January 19, 2012
http://pbadupws.nrc.gov/docs/ML1203/ML12030A117.pdf
January 19, 2012
http://pbadupws.nrc.gov/docs/ML1203/ML12030A117.pdf
March 28, 2012
Page F-24, “For pumps, run
hours…”
Page F-21, “…which are part
of the EDG supercomponent…”
Page F-22, Table 2, “Diesel
Generators…”
Page F-50, Revised “Scope”
section to mention fuel oil
transfer pump and valve.
Page F-60, Revised Figure F-1
to clarify that FOTP is within
EDG Component Boundary
depicted.
Page F-29, Revised definition
of EDF failure to run.
Page D-15, “Fort Calhoun…”
Pages 35-40, “…train/system
boundaries…”
Page F-1, “The cooling water
support system…”
Page F-2, “The impact of room
cooling…”
Page F-7, “No Cascading…”
Page F-33, Revised “Failures of
Discovered Conditions”.
Page F-55, Revised Scope to
mention CST.
Withdrawn
Withdrawn
Approved final; see generic
FAQ 12-02 for text changes
needed
Approved final; determination
only; no change required.
Page 63, “Additionally, if
FAQ#
PI
Subject
Siren Testing
12-01
MS06
12-02
PP01
12-03
IE04
12-06
EP02
Subject
Text Rev.6
Columbia EDG
Failure
Counting of
Compensatory
Hours for PIDS
St. Lucie
USwC
DEP Oppys
Changes
Text?
Done
No
Yes
Done
No
p. 51
Yes
Done
Final Approval Date and Documentation
http://pbadupws.nrc.gov/docs/ML1211/ML12110A103.pdf
Effective April 1, 2012, for data to be reported by July 21,
2012.
August 29, 2012
http://pbadupws.nrc.gov/docs/ML1224/ML12249A179.html
August 29, 2012
http://pbadupws.nrc.gov/docs/ML1224/ML12249A179.html
August 29, 2012
http://pbadupws.nrc.gov/docs/ML1224/ML12249A179.html
March 27, 2013
http://pbadupws.nrc.gov/docs/ML1311/ML13113A355.html
Where Found in Revision 7?
sirens are not…”
Withdrawn
Page 77, “This indicator serves
as a measure of…”
Page 79, “Compensatory
measures: Measures…”
Page 81, “Degradation:…”
Section 2.4
TABLE OF CONTENTS
EXECUTIVE SUMMARY
SUMMARY OF CHANGES TO NEI 99-02
FAQ TABLE
1 INTRODUCTION
Background
General Reporting Guidance
Guidance for Correcting Previously Submitted Performance Indicator Data
Comment Fields
Numerical Reporting Criteria
Submittal of Performance Indicator Data
2 PERFORMANCE INDICATORS
2.1 INITIATING EVENTS CORNERSTONE
UNPLANNED SCRAMS PER 7,000 CRITICAL HOURS
UNPLANNED POWER CHANGES PER 7,000 CRITICAL HOURS
UNPLANNED SCRAMS WITH COMPLICATIONS
2.2 MITIGATING SYSTEMS CORNERSTONE
SAFETY SYSTEM FUNCTIONAL FAILURES
MITIGATING SYSTEM PERFORMANCE INDEX
2.3 BARRIER INTEGRITY CORNERSTONE
REACTOR COOLANT SYSTEM (RCS) SPECIFIC ACTIVITY
REACTOR COOLANT SYSTEM LEAKAGE
2.4 EMERGENCY PREPAREDNESS CORNERSTONE
DRILL/EXERCISE PERFORMANCE
EMERGENCY RESPONSE ORGANIZATION DRILL PARTICIPATION
ALERT AND NOTIFICATION SYSTEM RELIABILITY
2.5 OCCUPATIONAL RADIATION SAFETY CORNERSTONE
OCCUPATIONAL EXPOSURE CONTROL EFFECTIVENESS
2.6 PUBLIC RADIATION SAFETY CORNERSTONE
RETS/ODCM RADIOLOGICAL EFFLUENT OCCURRENCE
2.7 SECURITY CORNERSTONE
PROTECTED AREA (PA) SECURITY EQUIPMENT PERFORMANCE INDEX
Appendices
A. Acronyms & Abbreviations
B. Structure and Format of NRC Performance Indicator Data Files
C. Background Information and Cornerstone Development
D. Plant-Specific Design Issues
E. Frequently Asked Questions
F. Methodologies for Computing the Unavailability Index, the Unreliability Index and Component Performance Limits
G. MSPI Basis Document Development
H. USwC Basis Document
1 INTRODUCTION
This guideline describes the data and calculations for each performance indicator in the United
States Nuclear Regulatory Commission’s (NRC) power reactor licensee assessment process. The
guideline also describes the licensee quarterly indicator reports that are to be submitted to the
NRC for use in its licensee assessment process.
This guideline provides the definitions and guidance for the purposes of reporting performance
indicator data. Responses to Frequently Asked Questions (FAQs) that have been approved by
the Industry/NRC working group and posted on the NRC’s external website become addenda to
this guideline. No other documents should be used for definitions or guidance unless specifically
referenced in this document. This guideline should not be used for purposes other than
collection and reporting of performance indicator data in the NRC licensee assessment process.
Background
In 1998 and 1999, the NRC conducted a series of public meetings to develop a more objective
process for assessing a licensee’s regulatory and safety performance. The new process uses
risk-informed insights to focus on those matters that are of safety significance. The objective is to
monitor performance in three broad areas – reactor safety (avoiding accidents and reducing the
consequences of accidents if they occur); radiation safety for plant workers and the public during
routine operations; and protection of the plant against sabotage or other security threats.
The three broad areas are divided into seven cornerstones: Initiating Events, Mitigating Systems,
Barrier Integrity, Emergency Preparedness, Public Radiation Safety, Occupational Radiation
Safety and Security. Performance indicators are used to assess licensee
performance in each cornerstone. The NRC uses a risk-informed baseline inspection
process to supplement and complement the performance indicator(s). This guideline focuses on
the performance indicator segment of the assessment process.
The thresholds for each performance indicator provide objective indication of the potential need
to modify NRC inspection resources or to take other regulatory actions based on licensee
performance. Table 1 provides a summary of the performance indicators and their associated
thresholds.
The overall objectives of the process are to:
• improve the objectivity of the oversight processes so that subjective decisions and
judgment are not central process features,
• improve the scrutability of the NRC assessment process so that NRC actions have a clear
tie to licensee performance, and
• risk-inform the regulatory assessment process so that NRC and licensee resources
are focused on those aspects of performance having the greatest impact on safe plant
operation.
In identifying those aspects of licensee performance that are important to the NRC’s mission,
adequate protection of public health and safety, the NRC set high-level performance goals for
regulatory oversight. These goals are:
• maintain a low frequency of events that could lead to a nuclear reactor accident;
• zero significant radiation exposures resulting from civilian nuclear reactors;
• no increase in the number of offsite releases of radioactive material from civilian nuclear
reactors that exceed 10 CFR Part 20 limits; and
• no substantiated breakdown of physical protection that significantly weakens
protection against radiological sabotage, theft, or diversion of special nuclear materials.
These performance goals are represented in the new assessment framework as the strategic
performance areas of Reactor Safety, Radiation Safety, and Safeguards.
Figure 1.0 provides a graphical representation of the licensee assessment process.
General Reporting Guidance
At quarterly intervals, each licensee will submit to the NRC the performance assessment data
described in this guideline. The data is submitted electronically to the NRC by the 21st calendar
day of the month following the end of the reporting quarter. If a submittal date falls on a
Saturday, Sunday, or federal holiday, the next federal working day becomes the official due date
(in accordance with 10 CFR 50.4). The format and examples of the data provided in each
subsection show the complete data record for an indicator, and provide a chart of the indicator.
These are provided for illustrative purposes only. Each licensee sends to the NRC only the
data set from the previous quarter, as defined in each Data Reporting Elements subsection (See
Appendix B) along with any changes to previously submitted data.
The reporting of performance indicators is a separate and distinct function from other NRC
reporting requirements. Licensees will continue to submit other regulatory reports as required by
regulations, such as 10 CFR 50.72 and 10 CFR 50.73.
Performance indicator reports are submitted to the NRC for each power reactor unit. Some
indicators are based on station parameters. In these cases the station value is reported for each
power reactor unit at the station.
Issues regarding interpretation or implementation of NEI 99-02 guidance may occur during
implementation. Licensees are encouraged to resolve these issues with the Region. In those
instances where the NRC staff and the Licensee are unable to reach resolution, or to address
plant-specific exceptions, the issue should be escalated to appropriate industry and NRC
management using the FAQ process.⁵ In the interim period until the issue is resolved, the
Licensee is encouraged to maintain open communication with the NRC. Issues involving
enforcement are not addressed through the FAQ process.
⁵ See additional information on FAQs in Appendix E, Frequently Asked Questions, and Appendix D, Plant Specific Design Issues.
Guidance for Correcting Previously Submitted Performance Indicator Data
If data errors or a newly identified faulted condition are determined to have
occurred in a previous reporting period, the previously submitted indicator data are amended
only to the extent necessary to calculate the indicator(s) for the current reporting period
correctly.⁶ This amended information is submitted using the “change report” feature provided
in the INPO Consolidated Data Entry (CDE) software. The values of previous reporting periods
are revised, as appropriate, when the amended data is used by the NRC to recalculate the affected
performance indicator. The current report should reflect the new information, as discussed in the
detailed sections of this document. In these cases, the quarterly data report should include a
comment to indicate that the indicator values for past reporting periods are different than
previously reported. If a Licensee Event Report (LER) was required and the number is
available at the time of the report, the LER reference is noted.
If a performance indicator data reporting error is discovered, an amended “mid-quarter” report
does not need to be submitted if both the previously reported and amended performance
indicator values are within the same performance indicator band. In these instances,
corrected data should be included in the next quarterly report along with a brief description of
the reason for the change(s). If a performance indicator data error is discovered that causes a
threshold to be crossed, a “mid-quarter” report should be submitted as soon as practical
following discovery of the error. Probabilistic Risk Assessment (PRA) model changes are the
exception to this guidance (see “Clarifying Notes” under
Mitigating System Performance Index description on pages 35-37 for additional details).
Comment Fields
The quarterly report allows comments to be included with performance indicator data. A general
comment field is provided for comments pertinent to the quarterly submittal that are not specific
to an individual performance indicator. A separate comment field is provided for each
performance indicator. Comments included in the report should be brief and understandable by
the general public. Comments provided as part of the quarterly report will be included along
with performance indicator data as part of the NRC Public Web site⁷ on the oversight program.
If multiple PI comments are received by NRC that are applicable to the same unit/PI/quarter, the
NRC Public Web site will display all applicable comments for the quarter in the order received
(e.g., if a comment for the current quarter is received via quarterly report and a comment for the
same PI is received via a change report, then both comments will be displayed on the Web site).
For General Comments, the NRC Public Web site will display only the latest “general” comment
received for the current quarter (e.g., a “general” comment received via a change report will
replace any “general” comment provided via a previously submitted quarterly report).
Comments should be generally limited to instances as directed in this guideline. These instances
are summarized in Table 1 below.
⁶ Changes to data collection rules or practices required by the current revision of this document will not be applied retroactively to previously
submitted data. Previously submitted data will not require correction or amendment provided it was collected and reported consistent with the
NEI 99-02 revision and FAQ guidance in effect at the time of submittal.
⁷ www.nrc.gov/NRR/OVERSIGHT/ASSESS/index.html
Table 1 – Guidance for Submitting Comments with PI Data⁸
Submit a Comment When… | Guidance
A threshold has been exceeded | Comment should include a brief explanation and should be repeated in subsequent quarterly reports as necessary to address the exceedance.
Revising previously submitted data | Comment should include a brief characterization of the change, should identify affected time periods and should identify whether the change affects the “color” of the indicator.
Data is unavailable for the quarterly report | For example, RCS activity may be unavailable for one or more months due to plant conditions that do not require calculation of RCS activity.
An FAQ has been submitted that could impact current or previously submitted data |
A Safety System Functional Failure (SSFF) is reported | Comment shall include the LER number
A Notice of Enforcement Discretion or Technical Specification change has been granted without which the unit would have had an unplanned power change of greater than 20-percent of full power |
There is a failure to perform regularly-scheduled tests of the Alert and Notification System (ANS) |
There is a change in the ANS test methodology |
There is a change in Mitigating System Performance Index (MSPI) coefficients | The comments automatically generated by CDE do not fulfill this requirement. The plant must generate a plant-specific comment that describes what was changed.
There is a change in the MSPI Basis Document that affects the value of an indicator |
Compensatory hours for security equipment upgrade modifications are excluded |
Engineering evaluations of a degraded condition are incomplete |
⁸ Text reformatted as table to improve readability; no change in Rev. 6 content is intended in Rev. 7.
In specific circumstances, some plants, because of unique design characteristics, may typically
appear in the “increased regulatory response band,” as shown in Table 2. In such cases the
unique condition and the resulting impact on the specific indicator should be explained in the
associated comment field. Additional guidance is provided under the appropriate indicator
sections.
The quarterly data reports are submitted to the NRC under 10 CFR 50.4 requirements. The
quarterly reports are to be submitted in electronic form only. Separate submittal of a paper copy
is not requested. Licensees should apply standard commercial quality practices to provide
reasonable assurance that the quarterly data submittals are correct, since they are subject to the
requirements of 10 CFR 50.9. Licensees should plan to retain the data consistent with the
historical data requirements for each performance indicator. For example, data associated with
the barrier cornerstone should be retained for 12 months.
The criterion for reporting is based on the time the failure or deficiency is identified, with the
exception of the Safety System Functional Failure indicator, which is based on the Report Date
of the LER. In some cases the time of failure is immediately known, in other cases there may be
a time-lapse while calculations are performed to determine whether a deficiency exists, and in
some instances the time of occurrence is not known and has to be estimated. Additional
clarification is provided in specific indicator sections.
Numerical Reporting Criteria
Final calculations are rounded up or down to the same number of significant digits as
shown in Table 2. Where required, percentages are reported and noted as: 9.0%, 25%.
Submittal of Performance Indicator Data
Performance indicator data should be submitted as a delimited text file (data stream) for each
unit, attached to an email addressed to Pidata.Resource@nrc.gov. The structure and format of
the delimited text files is discussed in Appendix B. The email message can include report files
containing PI data for the quarter (quarterly reports) for all units at a site and can also include
any report file(s) providing changes to previously submitted data (change reports). The
title/subject of the email should indicate the unit(s) for which data is included, the applicable
quarter, and whether the attachment includes quarterly report(s) (QR), change report(s) (CR) or
both. The recommended format of the email message title line is “-
-PI Data Elements (QR and/or CR)” (e.g., “Salem Units 1 and 2 – 1Q2000 – PI
Data Elements (QR)”). Licensees should not submit hard copies of the PI data submittal (with
the possible exception of a back-up if the email system is unavailable).
The NRC will send return emails with the licensee’s submittal attached to confirm and
authenticate receipt of the proper data, generally within 2 business days. The licensee is
responsible for ensuring that the submitted data is received without corruption by comparing the
response file with the original file. Any problems with the data transmittal should be identified
in an email to Pidata.Resource@nrc.gov within 4 business days of the original data transmittal.
Additional guidance on the collection of performance indicator data and the creation of quarterly
reports and change reports is provided in the INPO CDE Job Aids available on the INPO CDE
webpage. 9
The reports made to the NRC under the regulatory assessment process are in addition to the
standard reporting requirements prescribed by NRC regulations.
9 http://www.inpo.org/inpo/CDE.asp
[Figure 1 - Regulatory Oversight Framework. NRC's Overall Safety Mission: Public Health and
Safety as a Result of Civilian Nuclear Reactor Operation. Strategic Performance Areas: Reactor
Safety, Radiation Safety, Safeguards. Cornerstones: Initiating Events, Mitigating Systems,
Barrier Integrity, Emergency Preparedness, Public Radiation Safety, Occupational Radiation
Safety, Security. Shown beneath the cornerstones: Human Performance, Safety Conscious Work
Environment, Problem Identification and Resolution.]
Table 2 – PERFORMANCE INDICATORS
Thresholds (see Note 1 and Note 2 for PLE)

| Cornerstone | Indicator | Increased Regulatory Response Band | Required Regulatory Response Band | Unacceptable Performance Band |
|---|---|---|---|---|
| Initiating Events | IE01 Unplanned Scrams per 7000 Critical Hours (automatic and manual scrams during the previous four quarters) | >3.0 | >6.0 | >25.0 |
| Initiating Events | IE03 Unplanned Power Changes per 7000 Critical Hours (over previous four quarters) | >6.0 | N/A | N/A |
| Initiating Events | IE04 Unplanned Scrams with Complications (over the previous four quarters) | >1 | N/A | N/A |
| Mitigating Systems | MS05 Safety System Functional Failures (over previous four quarters), BWRs | >6 | N/A | N/A |
| Mitigating Systems | MS05 Safety System Functional Failures (over previous four quarters), PWRs | >5 | N/A | N/A |
| Mitigating Systems | MS06 Mitigating System Performance Index (Emergency AC Power Systems) | >1.0E-06 or PLE = YES | >1.0E-05 | >1.0E-04 |
| Mitigating Systems | MS07 Mitigating System Performance Index (High Pressure Injection Systems) | >1.0E-06 or PLE = YES | >1.0E-05 | >1.0E-04 |
| Mitigating Systems | MS08 Mitigating System Performance Index (Heat Removal Systems) | >1.0E-06 or PLE = YES | >1.0E-05 | >1.0E-04 |
| Mitigating Systems | MS09 Mitigating System Performance Index (Residual Heat Removal Systems) | >1.0E-06 or PLE = YES | >1.0E-05 | >1.0E-04 |
| Mitigating Systems | MS10 Mitigating System Performance Index (Cooling Water Systems) | >1.0E-06 or PLE = YES | >1.0E-05 | >1.0E-04 |
| Barrier Integrity: Fuel Cladding | BI01 Reactor Coolant System (RCS) Specific Activity (maximum monthly values, percent of Tech. Spec. limit) | >50.0% | >100.0% | N/A |
| Barrier Integrity: Reactor Coolant System | BI02 RCS Identified Leak Rate (maximum monthly values, percent of Tech. Spec. limit) | >50.0% | >100.0% | N/A |
Table 2 - PERFORMANCE INDICATORS Cont’d
Thresholds (see Note 1 and Note 2 for PLE)

| Cornerstone | Indicator | Increased Regulatory Response Band | Required Regulatory Response Band | Unacceptable Performance Band |
|---|---|---|---|---|
| Emergency Preparedness | EP01 Drill/Exercise Performance (over previous eight quarters) | <90.0% | <70.0% | N/A |
| Emergency Preparedness | EP02 ERO Drill Participation (percentage of Key ERO personnel that have participated in a drill or exercise in the previous eight quarters) | <80.0% | <60.0% | N/A |
| Emergency Preparedness | EP03 Alert and Notification System Reliability (percentage reliability during previous four quarters) | <94.0% | <90.0% | N/A |
| Occupational Radiation Safety | OR01 Occupational Exposure Control Effectiveness (occurrences during previous 4 quarters) | >2 | >5 | N/A |
| Public Radiation Safety | PR01 RETS/ODCM Radiological Effluent Occurrence (occurrences during previous four quarters) | >1 | >3 | N/A |
| Security | PP01 Protected Area Security Equipment Performance Index (over a four quarter period) | >0.080 | N/A | N/A |

Note 1: Thresholds that are specific to a site or unit will be provided in Appendix D when identified.
Note 2: PLE = System Component Performance Limit Exceeded (see Appendix F, section F4)
2 PERFORMANCE INDICATORS
2.1 INITIATING EVENTS CORNERSTONE
The objective of this cornerstone is to limit the frequency of those events that upset plant
stability and challenge critical safety functions, during power operations. If not properly
mitigated, and if multiple barriers are breached, a reactor accident could result which may
compromise the public health and safety. Licensees can reduce the likelihood of a reactor
accident by maintaining a low frequency of these initiating events. Such events include reactor
scrams due to turbine trips, loss of feedwater, loss of off-site power, and other significant reactor
transients.
The indicators for this cornerstone are reported and calculated per reactor unit.
There are three indicators in this cornerstone:
• Unplanned (automatic and manual) scrams per 7,000 critical hours
• Unplanned Power Changes per 7,000 critical hours
• Unplanned Scrams with Complications
UNPLANNED SCRAMS PER 7,000 CRITICAL HOURS
Purpose
This indicator monitors the number of unplanned scrams. It measures the rate of scrams per year
of operation at power and provides an indication of initiating event frequency.
Indicator Definition
The number of unplanned scrams during the previous four quarters, both manual and automatic,
while critical per 7,000 hours.
Data Reporting Elements
The following data are reported for each reactor unit:
• the number of unplanned automatic and manual scrams while critical in the previous quarter
• the number of hours of critical operation in the previous quarter
Calculation
The indicator is determined using the values for the previous four quarters as follows:
$$\text{Value} = \frac{(\text{total unplanned scrams while critical in the previous 4 qtrs}) \times 7{,}000\ \text{hrs}}{\text{total number of hours critical in the previous 4 qtrs}}$$
Definition of Terms
Scram means the shutdown of the reactor by the rapid addition of negative reactivity by any
means, e.g., insertion of control rods, boron, use of diverse scram switch, or opening reactor trip
breakers.
The value of 7,000 hours is used because it represents one year of reactor operation at about an
80% availability factor.
Unplanned scram means that the scram was not an intentional part of a planned evolution or test
as directed by a normal operating or test procedure. This includes scrams that occurred during
the execution of procedures or evolutions in which there was a high chance of a scram occurring
but the scram was neither planned nor intended.
Criticality, for the purposes of this indicator, typically exists when a licensed reactor operator
declares the reactor critical. There may be instances where a transient initiates from a subcritical
condition and is terminated by a scram after the reactor is critical—this condition would count as
a scram.
Clarifying Notes
If there are fewer than 2,400 critical hours in the previous four quarters the indicator value is
displayed as N/A because rate indicators can produce misleadingly high values when the
denominator is small. The data elements (unplanned scrams and critical hours) are still reported.
Dropped rods, single rod scrams, or half scrams are not considered reactor scrams. Partial rod
insertions, such as runbacks, and rod insertion by the control system at normal speed also do not
count unless the resulting conditions subsequently cause a reactor scram.
Anticipatory plant shutdowns intended to reduce the impact of external events, such as tornadoes
or range fires threatening offsite power transmission lines, are excluded.
Examples of the types of scrams that are included:
• Scrams that resulted from unplanned transients, equipment failures, spurious signals, human
error, or those directed by abnormal, emergency, or annunciator response procedures.
• A scram that is initiated to avoid exceeding a technical specification action statement time
limit.
• A scram that occurs during the execution of a procedure or evolution in which there is a high
likelihood of a scram occurring but the scram was neither planned nor intended.
Examples of scrams that are not included:
• Scrams that are planned to occur as part of a test (e.g., a reactor protection system
actuation test), or scrams that are part of a normal planned operation or evolution.
• Reactor protection system actuation signals or operator actions to trip the reactor that occur
while the reactor is sub-critical.
• Scrams that are initiated at less than or equal to 35% reactor power in accordance with
normal operating procedures (i.e., not an abnormal or emergency operating procedure) to
complete a planned shutdown and scram signals that occur while the reactor is shut down.
• Plant shutdown to comply with technical specification Limiting Condition for Operation
(LCOs) 10, if conducted in accordance with normal shutdown procedures which include a
manual scram to complete the shutdown.
10 The section of Technical Specifications that identifies the lowest functional capability or performance level of equipment required for safe
operation of the facility. (http://www.nrc.gov/reading-rm/basic-ref/glossary/limiting-condition-for-operation.html)
Data Example
Unplanned Scrams Per 7,000 Critical Hours

| | 2Q97 | 3Q97 | 4Q97 | 1Q98 | 2Q98 | 3Q98 | 4Q98 | 1Q99 |
|---|---|---|---|---|---|---|---|---|
| No. of Scrams Critical in Qtr | 1 | 0 | 0 | 1 | 1 | 1 | 2 | 2 |
| Total Scrams over 4 Qtrs | NA | NA | NA | 2 | 2 | 3 | 5 | 6 |
| No. Hrs Critical in Qtr | 1500 | 1000 | 2160 | 2136 | 2160 | 2136 | 2136 | 1751 |
| Total Hrs Critical in 4 Qtrs | NA | NA | NA | 6796 | 7456 | 8592 | 8568 | 8183 |
| Indicator Value | (Grayed) | (Grayed) | (Grayed) | (Grayed) | 1.9 | 2.4 | 4.1 | 5.1 |

Thresholds
Green: ≤ 3.0
White: > 3.0
Yellow: > 6.0
Red: > 25.0

[Chart: Unplanned Scrams per 7,000 Hrs, 2Q98 through 1Q99, plotted against the Green (≤ 3.0),
White (> 3.0), Yellow (> 6.0) and Red (> 25.0) bands.]
UNPLANNED POWER CHANGES PER 7,000 CRITICAL HOURS
Purpose
This indicator monitors the number of unplanned power changes (excluding scrams) that could
have, under other plant conditions, challenged safety functions. It may provide leading
indication of risk-significant events but is not itself risk-significant. The indicator measures the
number of plant power changes for a typical year of operation at power.
Indicator Definition
The number of unplanned changes in reactor power of greater than 20% of full-power, per 7,000
hours of critical operation excluding manual and automatic scrams.
Data Reporting Elements
The following data is reported for each reactor unit:
• the number of unplanned power changes, excluding scrams, during the previous quarter
• the number of hours of critical operation in the previous quarter
Calculation
The indicator is determined using the values reported for the previous four quarters as follows:
$$\text{Value} = \frac{(\text{total number of unplanned power changes over the previous 4 qtrs}) \times 7{,}000\ \text{hrs}}{\text{total number of hours critical during the previous 4 qtrs}}$$
Definition of Terms
Unplanned changes in reactor power, for the purposes of this indicator, are changes in
reactor power that (1) were initiated less than 72 hours following the discovery of an off-normal
condition that required or resulted in a power change, and that result in, or require, a
change in power level of greater than 20% of full power to resolve, and (2) have not been
excluded from counting per the guidance below. Unplanned changes in reactor power also
include uncontrolled excursions of greater than 20% of full power that occur in response to
changes in reactor or plant conditions and are not an expected part of a planned evolution or test.
The value of 7,000 hours is used because it represents one year of reactor operation at about an
80% availability factor.
Clarifying Notes
If there are fewer than 2,400 critical hours in the previous four quarters the indicator value is
displayed as “N/A” because rate indicators can produce misleadingly high values when the
denominator is small. The data elements (unplanned power changes and critical hours) are still
reported.
The 72-hour period between discovery of an off-normal condition and the corresponding
change in power level is based on the typical time to assess the plant condition, and prepare,
review, and approve the necessary work orders, procedures, and necessary safety reviews, to
effect a repair. The key element to be used in determining whether a power change should be
counted as part of this indicator is the 72-hour period and not the extent of the planning that is
performed between the discovery of the condition and initiation of the power change.
Given the above, it is incumbent upon licensees to provide objective evidence that
identifies when the off-normal condition was discovered and when the power change of
more than 20% was initiated. Such objective evidence may include logs, troubleshooting
plans, meeting minutes, corrective action program documents, or similar type
documentation.
Examples of occurrences that would be counted against this indicator include:
• Power reductions that exceed 20% of full power and are not part of a planned and
documented evolution or test. Such power changes may include those conducted in
response to equipment failures or personnel errors or those conducted to perform
maintenance.
• Runbacks and power oscillations greater than 20% of full power. A power oscillation
that results in an unplanned power decrease of greater than 20% followed by an
unplanned power increase of 20% should be counted as two separate PI events, unless the
power restoration is implemented using approved procedures. For example, an operator
mistakenly opens a breaker causing a recirculation flow decrease and a decrease in power
of greater than 20%. The operator, hearing an alarm, suspects it was caused by his action
and closes the breaker resulting in a power increase of greater than 20%. Both transients
would count since they were the result of two separate errors (or unplanned/non-proceduralized
action).
• Unplanned downpowers of greater than 20% of full power for ALARA 11 reasons.
• Power reductions due to equipment failures that are under the control of the nuclear unit
are included in this indicator.
Examples of occurrences that are not counted include the following:
• Planned power reductions (anticipated and contingency) that exceed 20% of full power
and are initiated in response to an off-normal condition discovered at least 72 hours
before initiation of the power change.
• Unanticipated equipment problems that are encountered and repaired during a planned
power reduction greater than 20% that alone could have required a power reduction of
20% or more to repair.
• Apparent power changes that are determined to be caused by instrument problems.
• If conditions arise that would normally require unit shutdown, and a Notice of
Enforcement Discretion (NOED) is granted that allows continued operation
before power is reduced greater than 20%, an unplanned power change is not reported
because no actual change in power greater than 20% of full power occurred. However, a
comment should be made that the NRC had granted an NOED during the quarter, which,
if not granted, may have resulted in an unplanned power change.
• Anticipatory power reductions intended to reduce the impact of external events such
as hurricanes or range fires threatening offsite power transmission lines, and power
changes requested by the system load dispatcher.
• Power changes to make rod pattern adjustments.
• Power changes directed by the load dispatcher under normal operating conditions due to
load demand, for economic reasons, for grid stability, or for nuclear plant safety
concerns.
11 As defined in Title 10, Section 20.1003, of the Code of Federal Regulations (10 CFR 20.1003), ALARA is an acronym for "as low as (is)
reasonably achievable," which means making every reasonable effort to maintain exposures to ionizing radiation as far below the dose limits as
practical, consistent with the purpose for which the licensed activity is undertaken, taking into account the state of technology, the economics of
improvements in relation to state of technology, the economics of improvements in relation to benefits to the public health and safety, and other
societal and socioeconomic considerations, and in relation to utilization of nuclear energy and licensed materials in the public interest. (Source:
http://www.nrc.gov/reading-rm/basic-ref/glossary/alara.html)
Anticipated power changes greater than 20% in response to expected environmental problems
(such as accumulation of marine debris, biological contaminants, or frazil icing) which are
proceduralized but cannot be predicted greater than 72 hours in advance may not need to be
counted unless they are reactive to the sudden discovery of off-normal conditions. However,
unique environmental conditions which have not been previously experienced and could not
have been anticipated and mitigated by procedure or plant modification, may not count, even if
they are reactive. The licensee is expected to take reasonable steps to prevent intrusion of
marine or other biological growth from causing power reductions. Intrusion events that can be
anticipated as part of a maintenance activity or as part of a predictable cyclic behavior would
normally be counted unless the down power was planned 72 hours in advance. The
circumstances of each situation are different and should be identified to the NRC in a FAQ if the
licensee and resident inspector disagree so that a determination can be made concerning whether
the power change should be counted.
Licensees should use the power indication that is used to control the plant to determine if a
change of greater than 20% of full power has occurred.
If a condition is identified that is slowly degrading and the licensee prepares plans to reduce
power when the condition reaches a predefined limit, and 72 hours have elapsed since the
condition was first identified, the power change does not count. If however, the condition
suddenly degrades beyond the predefined limits and requires rapid response, this situation would
count. If the licensee has previously identified a slowly degraded off-normal condition but has
not prepared plans recognizing the potential need to reduce power when the condition reaches
predefined limits, then a sudden degradation of that condition requiring rapid response would
constitute a new off-normal condition and therefore, a new time of discovery.
Off-normal conditions that begin with one or more power reductions and end with an unplanned
reactor trip are counted in the unplanned reactor scram indicator only. However, if the cause of
the downpower(s) and the scram are different, an unplanned power change and an unplanned
scram must both be counted. For example, an unplanned power reduction is made to take the
turbine generator off line while remaining critical to repair a component. However, when the
generator is taken off line, vacuum drops rapidly due to a separate problem and a scram occurs.
In this case, both an unplanned power change and an unplanned scram would be counted. If an
off-normal condition occurs above 20% power, and the plant is shut down by a planned reactor
trip using normal operating procedures, only an unplanned power change is counted.
In developing a plan to conduct a power reduction, additional contingency power reductions may
be incorporated. These additional power reductions are not counted if they are implemented to
address the initial condition.
Equipment problems encountered during a planned power reduction greater than 20% that alone
may have required a power reduction of 20% or more to repair are not counted as part of this
indicator if they are repaired during the planned power reduction. However, if during the
implementation of a planned power reduction, power is reduced by more than 20% of full power
beyond the planned reduction, then an unplanned power change has occurred.
Unplanned power changes and shutdowns include those conducted in response to equipment
failures or personnel errors and those conducted to perform maintenance. They do not include
automatic or manual scrams or load-follow power changes. Power changes to restore
equipment to service in accordance with approved procedures are excluded.
Apparent power changes that are determined to be caused by instrumentation problems are not
included.
Unplanned power changes include runbacks and power oscillations greater than 20% of full
power. A power oscillation that results in an unplanned power decrease of greater than 20%
followed by an unplanned power increase of 20% should be counted as two separate PI events,
unless the power restoration is implemented using approved procedures. For example, an
operator mistakenly opens a breaker causing a recirculation flow decrease and a decrease in
power of greater than 20%. The operator, hearing an alarm, suspects it was caused by his action
and closes the breaker resulting in a power increase of greater than 20%. Both transients would
count since they were the result of two separate errors (or unplanned/non-proceduralized action).
If the power change is implemented to restore equipment to service and is
performed using an approved procedure, the power change(s) (increases or decreases) to
restore the equipment to service would not count against this indicator. For example, in
BWRs, a power reduction for the purpose of re-starting a recently tripped reactor recirculation
pump to re-establish two-loop operation is excluded if the initial power reduction is caused by
the recirculation pump trip. The second power reduction to recover the tripped recirculation
pump does not count if it is implemented by an approved procedure in response to the initial
condition.
If conditions arise that would normally require unit shutdown, and an NOED is granted that
allows continued operation before power is reduced greater than 20%, an unplanned power
change is not reported because no actual change in power greater than 20% of full power
occurred. However, a comment should be made that the NRC had granted an NOED during the
quarter, which, if not granted, may have resulted in an unplanned power change.
Anticipatory power reductions intended to reduce the impact of external events such as
hurricanes or range fires threatening offsite power transmission lines, and power changes
requested by the system load dispatchers, are excluded.
Anticipated power changes greater than 20% in response to expected environmental problems
(such as accumulation of marine debris, biological contaminants, animal intrusion,
environmental regulations, or frazil icing) may qualify for an exclusion from the indicator. The
licensee is expected to take reasonable steps to prevent intrusion of animals, marine debris, or
other biological growth from causing power reductions. Intrusion events that can be anticipated
as a part of a maintenance activity or as part of a predictable cyclic behavior would normally be
counted, unless the downpower was planned 72 hours in advance or the event meets the guidance
below.
For an environmental event to be excluded, any of the following may be applied:
• If the conditions have been experienced before and they exhibit a pattern of predictability
or periodicity (e.g., seasons, temperatures, weather events, animals, etc.), the station must
have a monitoring procedure in place or make a permanent modification to prevent
recurrence for the event to be considered for exclusion from the indicator. If monitoring
identifies the condition, the licensee must have implemented a proactive procedure (or
procedures) to specifically address mitigation of the condition before it results in impact
to operation. This procedure cannot be a general Abnormal Operating Procedure (AOP)
or Emergency Operating Procedure (EOP) addressing the symptoms or consequences of
the condition (e.g., low condenser vacuum); rather, it must be a condition-specific
procedure that directs actions to be taken to address the specific environmental conditions
(e.g., jellyfish, gracilaria, frazil ice, etc.)
• If the event is predictable, but the magnitude of the event becomes unique, the licensee
must take appropriate actions and equipment designed to mitigate the event must be fully
functional at the time of the event to receive an exclusion.
• Environmental conditions that are unpredictable (i.e., lightning strikes) may not need to
count if equipment designed to mitigate the event was fully functional at the time of the
event.
• Downpowers caused by adherence to environmental regulations, NPDES permits, or
ultimate heat sink temperature limits may be excluded from the indicator.
The circumstances of each situation are different. In all cases, the NRC Region and Resident
Inspectors should evaluate the circumstances of the power change, and if in disagreement with
the licensee’s position, the event should be identified in an FAQ so that a decision can be made
concerning whether the power change should be counted. If the event is truly unique, an FAQ
should be submitted unless the NRC Region and Resident Inspectors agree with the licensee’s
position.
Power changes to make rod pattern adjustments are excluded.
Power changes directed by the load dispatcher under normal operating conditions due to load
demand, for economic reasons, for grid stability, or for nuclear plant safety concerns arising
from external events outside the control of the nuclear unit are not included in this indicator.
Power reductions due to equipment failures that are under the control of the nuclear
unit are included in this indicator.
Licensees should use the power indication that is used to control the plant to determine if a
change of greater than 20% of full power has occurred.
This indicator captures changes in reactor power that are initiated following the discovery of an
off-normal condition. If a condition is identified that is slowly degrading and the licensee
prepares plans to reduce power when the condition reaches a predefined limit, and 72 hours have
elapsed since the condition was first identified, the power change does not count. If, however,
the condition suddenly degrades beyond the predefined limits and requires rapid response, this
situation would count.
Off-normal conditions that begin with one or more power reductions and end with an unplanned
reactor trip are counted in the unplanned reactor scram indicator only. However, if the cause of
the downpower(s) and the scram are different, an unplanned power change and an unplanned
scram must both be counted. For example, an unplanned power reduction is made to take the
turbine generator off line while remaining critical to repair a component. However, when the
generator is taken off line, vacuum drops rapidly due to a separate problem and a scram occurs.
In this case, both an unplanned power change and an unplanned scram would be counted. If an
off-normal condition occurs above 20% power, and the plant is shut down by a planned reactor
trip using normal operating procedures, only an unplanned power change is counted.
Downpowers of greater than 20% of full power for ALARA reasons are counted in the indicator.
Data Example
Unplanned Power Changes per 7,000 Critical Hours
Quarter                             2Q97      3Q97      4Q97      1Q98      2Q98      3Q98      4Q98      1Q99
No. of Power Changes in Qtr            1         0         0         1         2         2         1         3
Total Power Changes in 4 Qtrs          1         1         1         2         3         5         6         8
No. Hrs Critical in Qtr             1500      1000      2160      2136      2160      2136      2136      1751
Total Hrs Critical in 4 Qtrs          NA        NA        NA      6796      7456      8592      8568      8183
Indicator Value                 (Grayed)  (Grayed)  (Grayed)  (Grayed)       2.8       4.1       4.9       6.8
Thresholds
Green: ≤ 6.0
White: > 6.0
Yellow: NA
Red: NA
[Figure: Unplanned Power Changes per 7,000 Critical Hrs, plotted by quarter (2Q98 through 1Q99) against the Green ≤ 6.0 and White > 6.0 bands]
UNPLANNED SCRAMS WITH COMPLICATIONS (USWC)
Purpose
This indicator monitors that subset of unplanned automatic and manual scrams that either
require additional operator actions beyond that of the “normal” scram or involve the
unavailability of or inability to recover main feedwater. Such events or conditions have the
potential to present additional challenges to the plant operations staff and therefore, may be more
risk-significant than uncomplicated scrams.
Indicator Definition
The USwC indicator is defined as the number of unplanned scrams while critical, both
manual and automatic, during the previous four quarters that require additional
operator actions or involve the unavailability of or inability to recover main feedwater as
defined by the applicable flowchart (Figure 2) during the scram response (see definition of scram
response in the Definitions of Terms section) and the associated flowchart questions.
Data Reporting Elements
The following data are required to be reported for each reactor unit.
The number of unplanned automatic and manual scrams while critical in the previous quarter that
required additional operator response actions or involved the unavailability of or
inability to recover main feedwater as determined by the flowchart criteria during the
scram response.
Calculation
The indicator is determined using the values reported for the previous four quarters as follows:
Value = total unplanned scrams while critical in the previous four quarters that
required additional operator response actions or involved the unavailability of or
inability to recover main feedwater as defined by the applicable
flowchart and the associated flowchart questions (Figure 2) during the
scram response.
Definition of Terms
Scram means the shutdown of the reactor by the rapid addition of negative reactivity by any
means, e.g., insertion of control rods, boron, use of diverse scram switches, or opening reactor
trip breakers.
Normal Scram means any scram that is not determined to be complicated in accordance
with the guidance provided in the Unplanned Scrams with Complications indicator. A
normal scram is synonymous with an uncomplicated scram.
Unplanned scram means that the scram was not an intentional part of a planned evolution or test
as directed by a normal operating or test procedure. This includes scrams that occurred during
the execution of procedures or evolutions in which there was a high chance of a scram occurring
but the scram was neither planned nor intended.
This indicator is a subset of the IE01 indicator “Unplanned Scrams” and to be considered in this
indicator the scram must have counted in IE01.
Criticality, for the purposes of this indicator, typically exists when a licensed reactor operator
declares the reactor critical. There may be instances where a transient initiates from a subcritical
condition and is terminated by a scram after the reactor is critical—this condition would count as
a scram.
Scram Response refers to the period of time that starts with the scram and concludes
when operators have completed the scram response procedures and the plant has
achieved a stabilized condition in accordance with approved plant procedures and as
demonstrated by meeting the following criteria:
For a PWR:
• Pressurizer pressure is within the normal operating pressure band.
• Pressurizer level is within the no-load pressurizer band.
• Level and pressure of all steam generators are within the normal operating bands.
• RCS temperature is within the allowable RCS no-load temperature band (Tave if any RCS
pump running, Tcold if no RCS pumps running).
For a BWR:
• No emergency operating procedure (EOP) entry conditions exist related to either the
primary containment or the reactor.
• Reactor cool-down rates are less than 100 degrees F/hr.
• Reactor water level is being maintained within the range specified by plant procedures.
Clarifying Notes
PWR FLOWCHART QUESTIONS (See Figure 2)
Did two or more control rods fail to fully insert?
Did control rods that are required to move on a reactor trip fail to fully insert into the core as
evidenced by the Emergency Operating Procedure (EOP) evaluation criteria? As an example, for
some PWRs using rod bottom light indications, if more than one rod bottom light is not
illuminated, this question must be answered "Yes." The basis of this step is to determine if
additional actions are required by the operators as a result of the failure of all rods to insert.
Additional actions, such as emergency boration, pose a complication beyond the normal scram
response that this metric is attempting to measure. It is allowable to have one control rod not
fully inserted since core protection design accounts for one control rod remaining fully
withdrawn from the core on a reactor trip. This question must be evaluated using the criteria
contained in the plant EOP used to verify that control rods inserted. During performance of this
step of the EOP, the licensee staff would not need to apply the “Response Not Obtained” actions.
Other means not specified in the EOPs are not allowed for this metric.
Did the turbine fail to trip?
Did the turbine fail to trip automatically/manually as required on the reactor trip signal? To be a
successful trip, steam flow to the main turbine must have been isolated by the turbine trip logic
actuated by the reactor trip signal, or by operator action from a single switch or pushbutton. The
allowance of operator action to trip the turbine is based on the operation of the turbine trip logic
from the operator action if directed by the EOP. Operator action to close valves or secure pumps
to trip the turbine beyond use of a single turbine trip switch would count in this indicator as a
failure to trip and a complication beyond the normal reactor trip response. Trips that occur prior
to the turbine being placed in service or “latched” should have this question answered as “No”.
Was power lost to any ESF bus? [12]
During a reactor trip or during the period operators are responding to a reactor trip using reactor
trip response procedures, was power lost to any ESF (Emergency Safeguards Features) bus that
was not restored automatically by the Emergency Alternating Current (EAC) power system and
remained de-energized for greater than 10 minutes? Operator action to re-energize the ESF bus
from the main control board is allowed as an acceptable action to satisfy this metric.
This question is looking for a loss of power at any time for any duration where the bus was not
energized/re-energized within 10 minutes. The bus must have:
• Remained energized until the scram response procedure was exited, or
• Been re-energized automatically by the plant EAC power system (i.e., EDG), or
• Been re-energized from normal or emergency sources by an operator closing a
breaker from the main control board.
The question applies to all ESF busses (switchgear, load centers, motor control centers and DC
busses). This does NOT apply to 120-volt power panels. It is expected that operator action to
re-energize an ESF bus would not take longer than 10 minutes.
Was a Safety Injection signal received?
Was a Safety Injection signal generated either manually or automatically during the reactor trip
response? The question’s purpose is to determine if the operator had to respond to an abnormal
condition that required a safety injection or respond to the actuation of additional equipment that
would not normally actuate on an uncomplicated scram. This question would include any
condition that challenged Reactor Coolant System (RCS) inventory, pressure, or temperature
severely enough to require a safety injection. A severe steam generator tube leak that would
require a manual reactor trip because it was beyond the capacity of the normal at power running
charging system should be counted even if a safety injection was not used since additional
charging pumps would be required to be started.
[12] Engineered Safety Features are provisions made in the design of nuclear power plants to mitigate the consequences of postulated accidents by
maintaining the integrity of the fuel cladding, reactor coolant pressure boundary, and primary reactor containment, and thereby limiting releases
of radioactive material. (Source: http://pbadupws.nrc.gov/docs/ML0909/ML090900198.pdf)
Was Main Feedwater unavailable or not recoverable using approved plant
procedures during the scram response?
If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be
restarted during the reactor scram response? The consideration for this question is whether Main
Feedwater could be used to feed the steam generators if necessary. The qualifier of “not
recoverable using approved plant procedures” will allow a licensee to answer “No” to this
question if there is no physical equipment restraint to prevent the operations staff from starting
the necessary equipment, aligning the required systems, or satisfying required logic using plant
procedures approved for use and in place prior to the reactor scram occurring.
The operations staff must be able to start and operate the required equipment using
normal alignments and approved emergency, normal and off-normal operating
procedures to provide the required flow to feed the minimum number of steam generators
required by the EOPs to satisfy the heat sink criteria. Manual operation of
controllers/equipment, even if normally automatic, is allowed if addressed by procedure.
Situations that require maintenance or repair activities or non-proceduralized operating
alignments require an answer of “Yes.” Additionally, the restoration of Feedwater must be
capable of feeding the Steam Generators in a reasonable period of time. Operations should be
able to start a Main Feedwater pump and start feeding Steam Generators with the Main
Feedwater System within about 30 minutes from the time it was recognized that Main Feedwater
was needed. During startup conditions where Main Feedwater was not placed in service prior to
the scram this question would not be considered and should be skipped. For plants with design
features or procedural prohibitions that prevent restarting Main Feedwater, this question should
be answered as “No” if Main Feedwater is free from damage or failure that would prevent it
from performing its intended function and is available for use.
Was the scram response procedure unable to be completed without entering another EOP?
The response to the scram must be completed without transitioning to an additional EOP after
entering the scram response procedure (e.g., ES01 for Westinghouse). This step is used to
determine if the scram was uncomplicated by counting if additional procedures beyond the
normal scram response required entry after the scram. A plant exiting the normal scram response
procedure without using another EOP would answer this step as “No”. The discretionary use of
the lowest level Function Restoration Guideline (Yellow Path) by the operations staff is an
approved exception to this requirement. Use of the Re-diagnosis Procedure by Operations is
acceptable unless a transition to another EOP is required.
BWR FLOWCHART QUESTIONS (See Figure 2)
Did an RPS actuation fail to indicate / establish a shutdown rod pattern for a cold clean
core? [13]
Withdrawn control rods are required to be inserted to ensure the reactor will remain shutdown
under all conditions without boron to ensure the reactor will have the required shutdown margin
in a cold, xenon-free state.
Any initial evaluation that calls into question the shutdown condition of the reactor requires this
question to be answered “Yes.” The required entry into the Anticipated Transient
Without Scram (ATWS) leg of the EOP or required use of Alternate Rod Insertion (ARI)
requires this question to be answered “Yes.” Failure of the rod position indication in conjunction
with the loss of full-in-lights on enough rods to question the cold clean core shutdown status
would require this question to be answered “Yes.”
The basis of this step is to determine if additional actions are required by the operators to ensure
the plant remains shutdown as a result of the failure of any withdrawn rods to insert (or indicate
inserted). Additional actions, such as boron injection, or other actions to insert control rods to
maintain shutdown, pose a complication beyond a normal scram response. This question must be
evaluated using the criteria contained in the plant EOP used to verify the insertion of withdrawn
control rods.
Was pressure control unable to be established following the initial transient?
To be successful, reactor pressure must be controlled following the initial transient without the
use of Safety Relief Valves (SRVs). Automatic cycling of the SRV(s) that may have occurred as
a result of the initial transient would result in a “No” response, but automatic cycling of the
SRV(s) subsequent to the initial transient would result in a “Yes” response. Additionally, the
SRV(s) cannot fail open. The failure of the pressure control system (i.e., turbine valves / turbine
bypass valves / HPCI / RCIC/isolation condenser) to maintain the reactor pressure or a failed
open SRV(s) counts in this indicator as a complication beyond the normal reactor trip response
and would result in a “Yes” response.
Was power lost to any Class 1E Emergency / ESF bus?
During a reactor trip or during the period operators are responding to a reactor trip using reactor
trip response procedures, was power lost to any ESF bus that was not restored automatically by
the Emergency Alternating Current (EAC) power system and remained de-energized for greater
than 10 minutes? Operator action to re-energize the ESF bus from the main control board is
allowed as an acceptable action to result in a “No” response. The focus of this question is a loss
of power for any duration where the bus was not energized/re-energized within 10 minutes. The
bus must have:
• Remained energized until the scram response procedure was exited, or
• Been re-energized automatically by the plant EAC power system (i.e., EDG), or
• Been re-energized from normal or emergency sources by an operator closing a breaker or
switch from the main control board.
The question applies to all ESF busses (switchgear, load centers, motor control centers and DC
busses). This does NOT apply to 120-volt power panels. It is expected that operator action to
re-energize an ESF bus would not take longer than 10 minutes.
[13] Reactor Protection System (RPS): a complex control system that provides the ability to produce an automatic or manual rapid shutdown of the
nuclear reactor, known as a reactor trip or scram. (Source: http://nrcoe.inel.gov/resultsdb/SysStudy/W.aspx)
Was a Level 1 Injection signal received?
Was a Level 1 Injection signal generated either manually or automatically during the reactor
scram response? The consideration here is whether or not the operator had to respond to
abnormal conditions that required a low pressure safety injection or the actuation of additional
equipment that would not normally actuate on an uncomplicated scram. This question would
include any condition that challenged RCS inventory, or drywell pressure severely
enough to require a safety injection. Alternately, plants that do not have a
high pressure Emergency Core Cooling System (ECCS) level signal that is different from the
low pressure ECCS level signal would ask “was low pressure injection required?”
Was Main Feedwater not available or not recoverable using approved plant
procedures during the scram response?
If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be
restarted during the reactor scram response? The consideration for this question is whether Main
Feedwater could be used to feed the reactor vessel if necessary. The qualifier of “not recoverable
using approved plant procedures” will allow a licensee to answer “NO” to this question if there is
no physical equipment restraint to prevent the operations staff from starting the necessary
equipment, aligning the required systems, or satisfying required logic circuitry using plant
procedures approved for use that were in place prior to the scram occurring.
The operations staff must be able to start and operate the required equipment using normal
alignments and approved emergency, normal and off-normal operating procedures.
Manual operation of controllers/equipment, even if normally automatic, is allowed if
addressed by procedure. Situations that require maintenance or repair activities or
non-proceduralized operating alignments will not satisfy this question. Additionally,
Main Feedwater must be capable of being restored to provide feedwater to the reactor vessel
in a reasonable period of time. Operations should be able to start a Main Feedwater pump and
start feeding the reactor vessel with the Main Feedwater System within about 30 minutes from
the time it was recognized that Main Feedwater was needed. During startup conditions where
Main Feedwater was not placed in service prior to the scram, this question would not be
considered, and should be skipped.
Following initial transient, did stabilization of reactor pressure/level and drywell pressure
meet the entry conditions for EOPs?
This step is used to determine if the scram was uncomplicated and did not require using other
procedures beyond the normal scram response. Following the initial transient, maintaining
reactor and drywell pressures below the Emergency Procedure entry values while ensuring
reactor water level is above the Emergency Procedure entry values allows answering “No.” The
requirement to remain in the EOPs because of reactor pressure/water level and drywell pressure
following the initial transient indicates complications beyond the typical reactor scram.
Additionally, repeated reactor water level scram signal(s) during the scram
response indicate level could not be stabilized and require this question be answered
“Yes”.
Data Examples
Unplanned Scrams with Complications
Quarter                         1Q05  2Q05  3Q05  4Q05  1Q06  2Q06  3Q06  4Q06  1Q07  2Q07  3Q07
No. Unplanned Scrams in Qtr        0     1     0     0     1     0     1     0     0     1     0
Total in 4 Qtrs                    0     1     1     1     2     1     2     2     1     2     1
Indicator Value                    0     1     1     1     2     1     2     2     1     2     1
Notes
Example assumes unit achieves first criticality in 1Q05 and ROP is in effect for this unit at that time.
Unit shut down in middle of 3Q06 and restarted in 2Q07; therefore value in 1Q07 is shown as not available.
"NA" value shown for 1Q07 is illustrative only. Actual value entered into INPO's Consolidated Data Entry system may differ.
Thresholds
Green: ≤ 1
White: > 1
Yellow: NA
Red: NA
[Figure: Unplanned Scrams with Complications by quarter (1Q05 through 3Q07), with Green ≤ 1 and White > 1 bands]
IE04 Unplanned Scrams with Complications – Flowchart
Figure 2
[Flowchart with a PWR column and a BWR column. Each column starts at "Scram Occurs" and asks the questions below in turn; a "Yes" answer leads to "Count", and a "No" answer to every question leads to "Do Not Count".]
PWR
• Did two or more control rods fail to fully insert?
• Did the turbine fail to trip?
• Was power lost to any ESF bus?
• Was a Safety Injection signal received?
• Was Main Feedwater unavailable or not recoverable using approved plant procedures during the scram response?
• Was the scram response procedure unable to be completed without entering another EOP?
BWR
• Did an RPS actuation fail to indicate/establish a shutdown rod pattern for a cold clean core?
• Was pressure control unable to be established following initial transient?
• Was power lost to any Class 1E Emergency/ESF bus?
• Was a Level 1 Injection signal received?
• Was Main Feedwater unavailable or not recoverable using approved plant procedures during the scram response?
• Following initial transient did stabilization of reactor pressure/level and drywell pressure meet the entry conditions for EOPs?
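The PWR flowchart questions and the four-quarter count described above can be written as a small evaluator. This Python is an added example, not part of NEI 99-02: the record fields and sample scrams are constructed, and the ESF bus rule used here (answer "Yes" if the bus stayed de-energized for more than 10 minutes or was restored by a means other than the EAC system or a main control board breaker) is an assumed reading of the guidance.

```python
from dataclasses import dataclass, field

# Quarters of the page's "Unplanned Scrams with Complications" data example.
QUARTERS = ["1Q05", "2Q05", "3Q05", "4Q05", "1Q06", "2Q06",
            "3Q06", "4Q06", "1Q07", "2Q07", "3Q07"]

@dataclass
class BusLoss:
    """One loss of power to a bus during the scram response (layout is an assumption)."""
    minutes_deenergized: float
    restored_by: str             # "eac_auto", "mcb_breaker", or any other means (e.g. "local")
    is_120v_panel: bool = False  # 120-volt power panels are outside the question

@dataclass
class PwrScram:
    """Facts recorded for one unplanned PWR scram; all field names are hypothetical."""
    quarter: str
    counted_in_ie01: bool = True
    rods_not_fully_inserted: int = 0
    turbine_latched: bool = True
    steam_isolated_by_trip_logic_or_single_switch: bool = True
    bus_losses: list = field(default_factory=list)
    safety_injection_signal: bool = False
    leak_beyond_normal_charging: bool = False
    mfw_in_service_before_scram: bool = True
    mfw_recoverable_by_procedure: bool = True   # within about 30 minutes, no repairs needed
    transitioned_to_another_eop: bool = False   # discretionary Yellow Path use is not a transition

def bus_loss_counts(loss):
    """Assumed reading: Yes if de-energized > 10 min or restored by a non-credited means."""
    if loss.is_120v_panel:
        return False
    credited = loss.restored_by in ("eac_auto", "mcb_breaker")
    return loss.minutes_deenergized > 10 or not credited

def pwr_flowchart(s):
    """Return the PWR flowchart questions answered "Yes", in flowchart order."""
    yes = []
    if s.rods_not_fully_inserted >= 2:          # one rod not fully inserted is allowed
        yes.append("control rods")
    # A trip before the turbine is latched is answered "No".
    if s.turbine_latched and not s.steam_isolated_by_trip_logic_or_single_switch:
        yes.append("turbine trip")
    if any(bus_loss_counts(b) for b in s.bus_losses):
        yes.append("ESF bus")
    if s.safety_injection_signal or s.leak_beyond_normal_charging:
        yes.append("safety injection")
    # The feedwater question is skipped when MFW was not in service before the scram.
    if s.mfw_in_service_before_scram and not s.mfw_recoverable_by_procedure:
        yes.append("main feedwater")
    if s.transitioned_to_another_eop:
        yes.append("another EOP")
    return yes

def is_complicated(s):
    """A scram counts only if it counted in IE01 and any flowchart answer is "Yes"."""
    return s.counted_in_ie01 and bool(pwr_flowchart(s))

def uswc_indicator(scrams, quarters=QUARTERS):
    """Rows of (quarter, count in quarter, four-quarter total, band)."""
    per_qtr = [sum(1 for s in scrams if s.quarter == q and is_complicated(s))
               for q in quarters]
    rows = []
    for i, q in enumerate(quarters):
        total = sum(per_qtr[max(0, i - 3):i + 1])   # this quarter plus the three before it
        rows.append((q, per_qtr[i], total, "Green" if total <= 1 else "White"))
    return rows

# Constructed sample scrams, chosen to reproduce the quarterly counts in the data example.
SAMPLE_SCRAMS = [
    PwrScram("2Q05", rods_not_fully_inserted=2),
    PwrScram("3Q05", rods_not_fully_inserted=1, turbine_latched=False,
             steam_isolated_by_trip_logic_or_single_switch=False),
    PwrScram("1Q06", bus_losses=[BusLoss(25, "local")]),
    PwrScram("2Q06", bus_losses=[BusLoss(0.2, "eac_auto"),
                                 BusLoss(40, "local", is_120v_panel=True)]),
    PwrScram("3Q06", mfw_recoverable_by_procedure=False),
    PwrScram("4Q06", mfw_in_service_before_scram=False,
             mfw_recoverable_by_procedure=False),
    PwrScram("2Q07", transitioned_to_another_eop=True),
]

if __name__ == "__main__":
    for row in uswc_indicator(SAMPLE_SCRAMS):
        print(*row)
```

The sample set includes three scrams that do not count (a single rod not fully inserted with the turbine not yet latched, an automatically restored bus alongside a 120-volt panel loss, and a startup scram with Main Feedwater not yet in service), so the quarterly counts match the data example row.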
2.2 MITIGATING SYSTEMS CORNERSTONE
The objective of this cornerstone is to monitor the availability, reliability, and capability of
systems that mitigate the effects of initiating events to prevent core damage. Licensees reduce
the likelihood of reactor accidents by maintaining the availability and reliability of mitigating
systems. Mitigating systems include those systems associated with safety injection, decay heat
removal, and their support systems, such as emergency AC power. This cornerstone includes
mitigating systems that respond to both operating and shutdown events.
The definitions and guidance contained in this section, while similar to guidance developed in
support of INPO/WANO indicators and the Maintenance Rule, are unique to the Reactor
Oversight Process (ROP). Differences in definitions and guidance in most instances are
deliberate and are necessary to meet the unique requirements of the ROP.
While safety systems are generally thought of as those that are designed to mitigate design basis
accidents, not all mitigating systems have the same risk importance. PRAs have shown that risk
is often influenced not only by front-line mitigating systems, but also by support systems and
equipment. Such systems and equipment, both safety- and non-safety related, have been
considered in selecting the performance indicators for this cornerstone. Not all aspects of
licensee performance can be monitored by performance indicators, and risk-informed baseline
inspections are used to supplement these indicators.
SAFETY SYSTEM FUNCTIONAL FAILURES
Purpose
This indicator monitors events or conditions that prevented, or could have prevented, the
fulfillment of the safety function of structures or systems that are needed to:
(a) Shut down the reactor and maintain it in a safe shutdown condition;
(b) Remove residual heat;
(c) Control the release of radioactive material; or
(d) Mitigate the consequences of an accident.
Indicator Definition
The number of events or conditions that prevented, or could have prevented, the fulfillment of
the safety function of structures or systems in the previous four quarters.
Data Reporting Elements
The following data is reported for each reactor unit:
• the number of safety system functional failures reported during the previous quarter
Calculation
Unit value = number of safety system functional failures in previous four quarters
Definition of Terms
A Safety System Functional Failure (SSFF) is any event or condition that could have prevented
the fulfillment of the safety function of structures or systems that are needed to:
(A) Shut down the reactor and maintain it in a safe shutdown condition;
(B) Remove residual heat;
(C) Control the release of radioactive material; or
(D) Mitigate the consequences of an accident.
The indicator includes a wide variety of events or conditions, ranging from actual failures on
demand to potential failures attributable to various causes, including environmental qualification,
seismic qualification, human error, design or installation errors, etc. Many SSFFs do not involve
actual failures of equipment.
Because the contribution to risk of the structures and systems included in the SSFF varies
considerably, and because potential as well as actual failures are included, it is not possible to
assign a risk-significance to this indicator. It is intended to be used as a possible precursor to
more important equipment problems, until an indicator of safety system performance more
directly related to risk can be developed.
Clarifying Notes
The definition of SSFFs is identical to the wording of the current revision to 10 CFR
50.73(a)(2)(v). Because of overlap among various reporting requirements in 10 CFR 50.73,
some events or conditions that result in safety system functional failures may be properly
reported in accordance with other paragraphs of 10 CFR 50.73, particularly paragraphs (a)(2)(i),
(a)(2)(ii), and (a)(2)(vii). An event or condition that meets the requirements for reporting under
another paragraph of 10 CFR 50.73 should be evaluated to determine if it also prevented the
fulfillment of a safety function. Should this be the case, the requirements of paragraph (a)(2)(v)
are also met and the event or condition should be included in the quarterly performance indicator
report as an SSFF. The level of judgment for reporting an event
or condition under paragraph (a)(2)(v) as an SSFF is a reasonable expectation of preventing the
fulfillment of a safety function.
In the past, LERs may not have explicitly identified whether an event or condition was reportable
under 10 CFR 50.73(a)(2)(v) (i.e., all pertinent boxes may not have been checked). It is
important to ensure that the applicability of 10 CFR 50.73(a)(2)(v) has been explicitly considered
for each LER considered for this performance indicator.
NUREG-1022: Unless otherwise specified in this guideline, guidance contained in the latest
revision to NUREG-1022, “Event Reporting Guidelines, 10CFR 50.72 and 50.73,” that is
applicable to reporting under 10 CFR 50.73(a)(2)(v), should be used to assess reportability for
this performance indicator. Questions regarding interpretation of NUREG-1022 should not be
referred to the FAQ process. They must be addressed to the appropriate NRC branch responsible
for NUREG-1022.
Planned Evolution for maintenance or surveillance testing: NUREG-1022, Revision 2, page 56
states, “The following types of events or conditions generally are not reportable under these
criteria:…Removal of a system or part of a system from service as part of a planned evolution
for maintenance or surveillance testing…”
“Planned” means the activity is undertaken voluntarily, at the licensee’s discretion, and is not
required to restore operability or for continued plant operation.
A single event or condition that affects several systems: counts as only one failure.
Multiple occurrences of a system failure: the number of failures to be counted depends upon
whether the system was declared operable between occurrences. If the licensee knew that the
problem existed, tried to correct it, and considered the system to be operable, but the system was
subsequently found to have been inoperable the entire time, multiple failures will be counted
whether or not they are reported in the same LER. But if the licensee knew that a potential
problem existed and declared the system inoperable, subsequent failures of the system for the
same problem would not be counted as long as the system was not declared operable in the
interim. Similarly, in situations where the licensee did not realize that a problem existed (and
thus could not have intentionally declared the system inoperable or corrected the problem), only
one failure is counted.
Additional failures: a failure leading to an evaluation in which additional failures are found is
only counted as one failure; new problems found during the evaluation are not counted, even if
the causes or failure modes are different. The intent is to not count additional events when
problems are discovered while resolving the original problem.
Engineering analyses: events in which the licensee declared a system inoperable but an
engineering analysis later determined that the system was capable of performing its safety
function are not counted, even if the system was removed from service to perform the analysis.
Reporting date: the date of the SSFF is the Report Date of the LER. If the LER is revised to
reflect the occurrence of an SSFF, the date of the SSFF is the Report Date of the revised
LER.
The LER number should be entered in the comment field when an SSFF is reported.
Data Examples
Safety System Functional Failures
Quarter                         2Q98  3Q98  4Q98  1Q99  2Q99  3Q99  4Q99  1Q00  2Q00
Number this Quarter                1     3     2     1     1     2     0     1     0
Total over 4 Qtrs                  1     4     6     7     7     6     4     4     3
Indicator Value                    1     4     6     7     7     6     4     4     3
Notes
Example assumes the unit becomes subject to 10 CFR 50.73 and the ROP during 2Q98.
Unit was shut down in 2Q99 and restarted in 1Q00.
Thresholds for PWRs
Green: ≤ 5
White: > 5
Yellow: NA
Red: NA
[Figure: Safety System Functional Failures by quarter (2Q98 through 2Q00), with Green ≤ 5 and White > 5 bands]
MITIGATING SYSTEM PERFORMANCE INDEX
2
3
Purpose
4
5
6
7
8
The purpose of the Mitigating System Performance Index is to monitor the performance of
selected systems based on their ability to perform risk-significant functions as defined herein. It
is comprised of three elements - system unavailability, system unreliability and system
component performance limits. The index is used to determine the cumulative significance of
failures and unavailability over the monitored time period.
9
10
Indicator Definition
11
12
13
14
Mitigating System Performance Index (MSPI) is the sum of changes in a simplified core damage
frequency evaluation resulting from differences in unavailability and unreliability relative to
industry standard baseline values. The MSPI is supplemented with system component
performance limits.
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Unavailability is the ratio of the hours the train/system was unavailable to perform its
FAQ486
(10-06)
monitored functions (as defined by the train/system boundaries, PRA success criteria and
mission times) due to planned and unplanned maintenance or test during the previous 12 quarters
while critical to the number of critical hours during the previous 12 quarters. (Fault exposure
hours are not included; unavailable hours are counted only from the time of discovery of a failed
condition to the time the train’s monitored functions are recovered.) Time of discovery of a
failed monitored component is when the licensee determines that a failure has occurred or when
an evaluation determines that the train would not have been able to perform its monitored
function(s). In any case where a monitored component has been declared inoperable due to a
degraded condition, if the component is considered available, there must be a documented basis
for that determination, otherwise a failure will be assumed and unplanned unavailability would
accrue. If the component is degraded but considered operable, timeliness of completing
additional evaluations would be addressed through the inspection process.
Baseline values are the values for unavailability and unreliability against which current plant
unavailability and unreliability are measured.
Component performance limit is a measure of degraded performance that indicates when the
performance of a monitored component in an MSPI system is significantly lower than expected
industry performance.
Unreliability is the probability that the train/system would not perform its monitored functions,
as defined by PRA success criteria, for a 24 hour run, when called upon during the previous 12
quarters.
The MSPI is calculated separately for each of the following five systems for each reactor type.
BWRs
• emergency AC power system
• high pressure injection system (high pressure coolant injection, high pressure core spray,
or feedwater coolant injection)
• reactor core isolation cooling (or isolation condenser)
• residual heat removal system (or the equivalent function as described in the Additional
Guidance for Specific Systems section of Appendix F)
• cooling water support system (includes direct cooling functions provided by service
water and component cooling water or their cooling water equivalents for the above four
monitored systems)
PWRs
• emergency AC power system
• high pressure safety injection system
• auxiliary feedwater system
• residual heat removal system (or the equivalent function as described in the Additional
Guidance for Specific Systems section of Appendix F)
• cooling water support system (includes direct cooling functions provided by service
water and component cooling water or their cooling water equivalents for the above four
monitored systems)
Data Reporting Elements
The following data elements are reported for each train/system:
• Unavailability Index (UAI) due to unavailability for each monitored system
• Unreliability Index (URI) due to unreliability for each monitored system
• Systems that have exceeded their component performance limits
Calculation
The MSPI for each system is the sum of the UAI due to unavailability for the system plus URI
due to unreliability for the system during the previous twelve quarters.
MSPI = UAI + URI
Component performance limits for each system are calculated as a maximum number of allowed
failures (Fm) from the plant specific number of system demands and run hours. Actual numbers
of equipment failures (Fa) are compared to these limits. When the actual number of failures
exceeds the component performance limit (i.e., Fa > Fm), this is designated as “Performance
Limit Exceeded” or PLE = “yes”. This part of the indicator only applies to the green-white
threshold.
See Appendix F for the calculation methodology for UAI due to system unavailability, URI due
to system unreliability and system component performance limits.
The decision rules for assigning a performance color to a system are:
IF [(MSPI ≤ 1.0e-06) AND (Fa ≤ Fm)] THEN performance is GREEN
IF {[(MSPI ≤ 1.0e-06) AND (Fa > Fm)] OR [(MSPI > 1.0e-06) AND (MSPI ≤ 1.0e-05)]}
THEN performance is WHITE
IF [(MSPI > 1.0e-05) AND (MSPI ≤ 1.0e-04)] THEN performance is YELLOW
IF (MSPI > 1.0e-04) THEN performance is RED
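The decision rules above, written out as an added example (not part of NEI 99-02) and run over the UAI, URI and PLE figures from this guideline's MSPI data example. The function and variable names are assumptions made for illustration, and the cases labelled constructed are not from the guideline.

```python
# Added illustration: MSPI color assignment per the decision rules above.
# Names are hypothetical; thresholds are the ones stated in the guideline.

GREEN_WHITE = 1.0e-06
WHITE_YELLOW = 1.0e-05
YELLOW_RED = 1.0e-04


def performance_limit_exceeded(fa, fm):
    """PLE is "yes" when actual failures (Fa) exceed the allowed maximum (Fm)."""
    return fa > fm


def mspi_color(uai, uri, ple):
    """Return (MSPI, color) for one monitored system.

    uai, uri: Unavailability and Unreliability Index over the previous
              twelve quarters; ple: True when Fa > Fm.
    """
    mspi = uai + uri  # MSPI = UAI + URI
    if mspi > YELLOW_RED:
        color = "RED"
    elif mspi > WHITE_YELLOW:
        color = "YELLOW"
    elif mspi > GREEN_WHITE or ple:
        # PLE applies only at the green-white threshold: it can turn a
        # system WHITE but never moves it to YELLOW or RED.
        color = "WHITE"
    else:
        color = "GREEN"
    return mspi, color


# (quarter, UAI, URI, PLE) as given in the guideline's MSPI data example.
DATA_EXAMPLE = [
    ("1Q05", 8.48e-08, 1.42e-06, False),
    ("2Q05", 1.00e-09, 1.00e-09, False),
    ("3Q05", 8.72e-08, 3.55e-07, False),
    ("4Q05", 1.00e-06, 1.00e-06, True),
    ("1Q06", 1.00e-07, 1.00e-07, False),
]

# Constructed cases (not from the guideline) that exercise the boundaries.
CONSTRUCTED = [
    ("low MSPI, Fa=3 > Fm=2", 4.0e-07, 0.0, performance_limit_exceeded(3, 2)),
    ("exactly 1.0e-06, no PLE", 1.0e-06, 0.0, False),
    ("5.0e-05 with PLE", 5.0e-05, 0.0, True),
]


def evaluate(rows):
    """Map each label to its (MSPI, color) result."""
    return {label: mspi_color(uai, uri, ple) for label, uai, uri, ple in rows}


if __name__ == "__main__":
    for label, (mspi, color) in {**evaluate(DATA_EXAMPLE),
                                 **evaluate(CONSTRUCTED)}.items():
        print(f"{label:28s} MSPI={mspi:.2E}  {color}")
```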
Plant-specific PRA
The MSPI calculation uses coefficients that are developed from plant-specific PRAs.
The PRA used to develop these coefficients should reasonably reflect the as-built, as-operated
configuration of each plant.
Specific requirements appropriate for this PRA application are defined in Appendix G. Any
questions related to the interpretation of these requirements, the use of alternate methods to meet
the requirements or the conformance of a plant-specific PRA to these requirements will
be arbitrated by an Industry/NRC expert panel. If the panel determines that a plant-specific
PRA does not meet the requirements of Appendix G such that the MSPI would be
adversely affected, an appropriate remedy will be determined by the licensee and approved by
the panel. The decisions of this panel will be binding.
Definition of Terms
Risk Significant Functions: those at-power functions, described in the Appendix F section
“Additional Guidance for Specific Systems,” that were determined to be risk-significant in
accordance with NUMARC 93-01, or NRC-approved equivalents (e.g., the STP exemption
request). The risk-significant system functions described in Appendix F, “Additional
Guidance for Specific Systems,” should be modeled in the plant’s PRA/PSA. System and
equipment performance requirements for performing the risk-significant functions are
determined from the PRA success criteria, mission times, and boundaries for the system.
Mission Time: The mission time modeled in the PRA for satisfying the function of reaching a
stable plant condition where normal shutdown cooling is sufficient. Note that PRA models
typically use a mission time of 24 hours. However, shorter intervals, as justified by analyses and
modeled in the PRA, may be used.
Success criteria: The plant-specific values of parameters the train/system is required to
achieve to perform its monitored functions. Success criteria to be used are those documented in
the plant-specific PRA. Design Basis success criteria should be used in the case where
the plant-specific PRA has not documented alternative success criteria for use in the
PRA.
Individual component capability must be evaluated against train/system level success criteria
(e.g., a valve stroke time may exceed an ASME requirement, but if the valve still strokes in time
to meet the PRA success criteria for the train/system, the component has not failed for the
purposes of this indicator).
Clarifying Notes
Documentation and Changes
Each licensee will have the system boundaries, monitored components, and monitored functions
and success criteria which differ from design basis readily available for NRC inspection on site.
Design basis criteria do not need to be separately documented. Additionally, plant-specific
information used in Appendix F should also be readily available for inspection. An acceptable
format, listing the minimum required information, is provided in Appendix G. As stated in the
Introduction section of NEI 99-02, plant-specific comments should be provided in the data
submittal when either the MSPI basis document or an MSPI coefficient is changed. Changes
to the site PRA of record, the site basis document, and the CDE database should be made in
accordance with the following:
PRA Model Revisions: Updates to the MSPI coefficients (which are directly obtained from the
plant-specific PRA) will be made in the quarter following approval of an update to the
plant-specific PRA of record. The revised coefficients will be used in the MSPI calculation the
quarter following the update. Thus, the MSPI coefficients in use at the beginning of a quarter
will remain in effect for the remainder of that quarter. In addition, changes to the CDE database
and MSPI basis document that are necessary to reflect changes to the plant-specific PRA of
record should be incorporated prior to the next quarter’s data submittal. The quarterly data
submittal should include a comment that provides a summary of any changes to the MSPI
coefficients. The comments automatically generated by CDE when PRA coefficients are changed
do not fulfill this requirement. The plant must generate a plant-specific comment that describes
what was changed. Any PRA model changes will take effect the following quarter (model changes
include error, corrections, updates, etc.). For example, if a plant’s PRA model of record is
approved on September 29 (third quarter), MSPI coefficients based on that model of record
should be used for the fourth quarter. Updates to the MSPI basis document and the CDE database
should be made prior to reporting the fourth quarter’s data (i.e., completed by January 21).
Changes to non-PRA information: Updates to information that is not directly obtained from
the PRA (e.g., unavailability baseline data, estimated demands/run hours) can affect both the
MSPI basis document and the MSPI inputs into the CDE database. Changes to the MSPI
basis document and MSPI inputs into the CDE database that are needed to reflect changes to
non-PRA information will be made prior to the next quarterly data submittal. This does not
imply that any change to estimated demands/run hours is required to be reflected in the MSPI
basis document or CDE (See Appendix F, Section F.2.2.1 for requirements on when MSPI basis
document and CDE changes are required for estimated demands/run hours). The quarterly data
submittal should include a comment that provides a summary of any changes to the MSPI basis
document and inputs to the CDE database. The comments automatically generated by CDE when
PRA coefficients are changed do not fulfill this requirement. The plant must generate a
plant-specific comment that describes what was changed. For example, changes to the planned
unavailability baseline that do not require a change to the PRA model must be documented in an
MSPI basis document revision in the quarter prior to the revised values being used as inputs
into the CDE database. This means completed by the 21st day of the month after the end of the
quarter.
Plant Modifications: Any changes to the plant should be evaluated for their impact on the
MSPI basis document, MSPI inputs into the CDE database, and the PRA of record. Plant
modifications have the potential to involve both changes to the PRA model and non-PRA
information, while some modifications may be limited to either the PRA model or non-PRA
information. Modifications to the plant design that result in a change to segment or train
boundaries, monitored components, or affect monitored functions or success criteria, shall
be reflected in the MSPI basis document the quarter following the completed
implementation (i.e., completed by the 21st day of the month after the end of the quarter).
Additionally, if modifications are made to sub-components within the boundary of a monitored
component (such as the replacement of an emergency AC voltage regulator with a different type)
and that sub-component is described in the basis document, the basis document should be
updated to reflect the sub-component modification the quarter following the completed
implementation (i.e., completed by the 21st day of the month after the end of the quarter).
If the plant modification has the potential to impact the PRA model in a manner that affects
MSPI results, the modification shall be evaluated to determine if it results in a factor of three
change in the corrected Birnbaum value of an MSPI monitored train or component. If the new
Birnbaum value is greater than 1E-6, the MSPI basis document shall be updated to reflect the
new Birnbaum values the quarter following the completed implementation (i.e., completed by
the 21st day of the month after the end of the quarter). Note that the use of supplemental
evaluations to estimate the revised MSPI inputs for pending PRA model changes is allowed as an
interim alternative until the PRA model of record is updated.
Example CDE Comments:
Following a periodic update to a PRA model, the following CDE comment would be
appropriate:
The XYZ PRA Model Revision 6 was approved on 7/6/10 with a corresponding MSPI
Basis Document Revision 3 approved on 12/21/10. The PRA model revision was a
periodic update to the model which included a data update, incorporation of an Auxiliary
Feedwater Crosstie between Units and a change in Human Error Probabilities using the
EPRI HRA calculator. As a result of the PRA model change, the CDF, Fussell-Vesely
and Basic Event Probabilities for all monitored trains and components were revised.
Following a change to baseline unavailability, the following CDE comments would be
appropriate:
Scenario 1: Change Results in Negligible (≤1E-8) Increase in Train Birnbaum
The planned unavailability baseline for the Residual Heat Removal system was
increased by 30 hours per three years as a result of a new preventive maintenance task.
The increase in planned unavailability baseline was evaluated in the MSPI basis
document Revision 3, dated 3/23/11, and determined to result in a negligible increase in
Train Birnbaum values. Therefore, the revised values were incorporated into CDE
effective the second quarter 2011.
Scenario 2: Change Results in Significant (>1E-8) Increase in Train Birnbaum Values
The planned unavailability baseline for the Residual Heat Removal system was
increased by 30 hours per three years as a result of a new preventive maintenance task.
The increase in planned unavailability baseline was evaluated in the MSPI basis
document Revision 3, dated 3/23/11, concluding that a revision to the PRA model was
required prior to implementing the change. PRA model Revision 4 to reflect this change
in planned unavailability was approved on 2/15/11. The revised values were
incorporated into CDE effective the second quarter 2011.
Following a design change that has a significant impact (≥ factor of three increase) on Birnbaum
values, the following CDE comment would be appropriate:
A modification was completed on 1/15/11 that removed a monitored MOV in the
Residual Heat Removal system. The MSPI basis document Revision 2 was approved
on 3/12/11 to account for this impact. As removal of the MOV had a negligible impact
on the overall CDF, the PRA model was not updated to reflect this change. The MSPI
Basis Document Revision includes an evaluation of the impact on MSPI inputs which
will be used until the next revision of the PRA model is completed.
Monitored Systems
Systems have been generically selected for this indicator based on their importance in preventing
reactor core damage. The systems include the principal systems needed for maintaining reactor
coolant inventory following a loss of coolant accident, for decay heat removal following a
reactor trip or loss of main feedwater, and for providing emergency AC power following a loss
of plant off-site power. One support function (cooling water support system) is also monitored.
The cooling water support system monitors the cooling functions provided by service water and
component cooling water, or their direct cooling water equivalents, for the four front-line
monitored systems. Other support systems (e.g., HVAC room coolers, DC power, instrument
air, etc.) will not be cascaded onto the monitored systems’ unavailability or reliability data.
For the purposes of MSPI, a failure or unavailability of a support system component that is
outside the system and train boundary of a monitored system will not result in unavailability
of a monitored train or failure of a monitored component. No support systems are to be
cascaded onto the monitored systems, e.g., HVAC room coolers, DC power, instrument air, etc.
Diverse Systems
Except as specifically stated in the indicator definition and reporting guidance, no credit is given
for the achievement of a monitored function by an unmonitored system in determining
unavailability or unreliability of the monitored systems.
Use of Plant-Specific PRA and SPAR Models
The MSPI is an approximation using information from a plant’s PRA and is intended as an
indicator of system performance. More accurate calculations using plant-specific PRAs or SPAR
models cannot be used to question the outcome of the PIs computed in accordance with this
guideline.
Data Examples
Mitigating System Performance Index
Quarter                        1Q05      2Q05      3Q05      4Q05      1Q06
Unavailability Index (UAI)     8.48E-08  1.00E-09  8.72E-08  1.00E-06  1.00E-07
Unreliability Index (URI)      1.42E-06  1.00E-09  3.55E-07  1.00E-06  1.00E-07
Performance Limit Exceeded     No        No        No        Yes       No
Indicator Value (Calculated)   1.50E-06  2.00E-09  4.42E-07            2.00E-07
Indicator Value (Displayed)    1.5E-06   2.0E-09   4.4E-07   PLE       2.0E-07
Thresholds
Green: ≤ 1.0E-06
White: > 1.0E-06 or PLE=Yes
Yellow: > 1.0E-05
Red: > 1.0E-04
[Figure: Mitigating System Performance Index by quarter (1Q05 through 1Q06), vertical axis 1.00E-09 to 1.00E-03, with the Green (≤ 1.0E-06), White (> 1.0E-06), Yellow (> 1.0E-05) and Red (> 1.0E-04) bands; plotted values 1.5E-06, 2.0E-09, 4.4E-07, 3.0E-06, 2.0E-07.]
2.3 BARRIER INTEGRITY CORNERSTONE
The purpose of this cornerstone is to provide reasonable assurance that the physical design
barriers (fuel cladding, reactor coolant system, and containment) protect the public from
radionuclide releases caused by accidents or events. These barriers are an important element in
meeting the NRC mission of assuring adequate protection of public health and safety. The
performance indicators assist in monitoring the functionality of the fuel cladding and the reactor
coolant system. There is currently no performance indicator for the containment barrier. The
performance of this barrier is assured through the inspection program.
There are two performance indicators for this cornerstone:
• Reactor Coolant System (RCS) Specific Activity
• RCS Identified Leak Rate
REACTOR COOLANT SYSTEM (RCS) SPECIFIC ACTIVITY
Purpose
This indicator monitors the integrity of the fuel cladding, the first of the three barriers to prevent
the release of fission products. It measures the radioactivity in the RCS as an indication of
functionality of the cladding.
Indicator Definition
The maximum monthly RCS activity in micro-Curies per gram (µCi/gm) dose equivalent
Iodine-131 per the technical specifications, and expressed as a percentage of the technical
specification limit. Those plants whose technical specifications are based on micro-curies per
gram (μCi/gm) total Iodine should use that measurement.
Data Reporting Elements
The following data are reported for each reactor unit:
• Maximum calculated RCS activity for each unit, in micro-Curies per gram
dose equivalent Iodine-131, as required by technical specifications at steady state
power, for each month during the previous quarter (three values are reported).
• Technical Specification limit
Calculation
The indicator is calculated as follows:
Unit value = (the maximum monthly value of calculated activity / Technical Specification limit) × 100
Definitions of Terms
(Blank)
Clarifying Notes
This indicator is recorded monthly and reported quarterly.
The indicator is calculated using the same methodology, assumptions and conditions as for the
Technical Specification calculation. If more than one method can be used to meet Technical
Specifications, use the results of the method that was used at the time to satisfy the Technical
Specifications.
Unless otherwise defined by the licensee, steady state is defined as continuous operation for at
least three days at a power level that does not vary more than ±5 percent.
This indicator monitors the steady state integrity of the fuel-cladding barrier at power. Transient
spikes in RCS Specific Activity following power changes, shutdowns and scrams may not
provide a reliable indication of cladding integrity and should not be included in the monthly
maximum for this indicator.
Samples taken using technical specification methodology, when shutdown, are not reported.
However, samples taken using the technical specification methodology at steady state power
more frequently than required are to be reported. If in the entire month, plant conditions do not
require RCS activity to be calculated, the data field is left blank for that month and the status
“Final – N/A” is selected.
Licensees should use the most restrictive regulatory limit (e.g., technical specifications (TS) or
license condition). However, if the most restrictive regulatory limit is insufficient to assure plant
safety, then NRC Administrative Letter 98-10 applies, which states that imposition of
administrative controls is an acceptable short-term corrective action. When an administrative
control is in place as a temporary measure to ensure that TS limits are met and to ensure public
health and safety (i.e., to ensure 10 CFR Part 100 dose limits are not exceeded), that
administrative limit should be used for this PI.
Data Examples
Reactor Coolant System Specific Activity
Month                                  4/98  5/98  6/98  7/98  8/98   9/98  10/98  11/98  12/98  1/99  2/99  Prev. mth
Indicator, % of T.S. Limit             10    20    5     4     0.5    2     20     50     60     40    30    10
Max Activity µCi/gm I-131 Equivalent   0.1   0.2   0.05  0.04  0.005  0.02  0.2    0.5    0.6    0.4   0.3   0.1
T.S. Limit                             1     1     1     1     1      1     1      1      1      1     1     1
Thresholds
Green: ≤ 50% T.S. limit
White: > 50% T.S. limit
Yellow: > 100% T.S. limit
[Figure: Reactor Coolant System Specific Activity, indicator (% T.S. Limit) by month (4/98 through 2/99 and previous month), vertical axis 0 to 100, with GREEN and WHITE bands. Note: Yellow > 100% Tech. Spec Limit.]
REACTOR COOLANT SYSTEM LEAKAGE
Purpose
This indicator monitors the integrity of the RCS pressure boundary, the second of the three
barriers to prevent the release of fission products. It measures RCS Identified Leakage as a
percentage of the technical specification allowable Identified Leakage to provide an indication of
RCS integrity.
Indicator Definition
The maximum RCS Identified Leakage in gallons per minute each month per the technical
specifications and expressed as a percentage of the technical specification limit.
Data Reporting Elements
The following data are required to be reported each quarter:
• The maximum RCS Identified Leakage calculation for each month of the previous
quarter (three values).
• Technical Specification limit
Calculation
The unit value for this indicator is calculated as follows:
Unit value = (the maximum monthly value of identified leakage / Technical Specification limiting value) × 100
Definition of Terms
RCS Identified Leakage as defined in Technical Specifications.
Clarifying Notes
This indicator is recorded monthly and reported quarterly.
Normal steam generator tube leakage is included in the unit value calculation if required by the
plant’s Technical Specification definition of RCS identified leakage.
For those plants that do not have a Technical Specification limit on Identified Leakage, substitute
RCS Total Leakage in the Data Reporting Elements.
Any RCS leakage determination made in accordance with plant Technical Specifications
methodology is included in the performance indicator calculation. If in the entire month, plant
conditions do not require RCS leakage to be calculated, the data field is left blank for that month
and the status “Final-N/A” is selected.
If the source and collection point of the leakage were unknown during the time period of the
leak, and the actual collection point was not a monitored tank or sump per the RCS Leakage
Calculation Procedure, then, for the purposes of this indicator, the leakage is not considered RCS
identified leakage and is not to be included in PI data. RCS leakage not captured under this
indicator may be evaluated in the inspection program.
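The two barrier integrity indicators (RCS Specific Activity and RCS Leakage) share one calculation: the monthly maximum of the reportable determinations as a percentage of the Technical Specification limit, left blank when nothing is reportable. The sketch below is an added example, not part of NEI 99-02; the class and function names and the `reportable` flag are assumptions, and the values marked constructed do not come from the guideline.

```python
# Added illustration: monthly barrier-integrity indicator as % of TS limit.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Determination:
    value: float             # uCi/gm DEI-131 (activity) or gpm (identified leakage)
    # Assumption: the caller sets reportable=False for samples the clarifying
    # notes exclude (shutdown samples, transient spikes after power changes
    # or scrams, leakage whose collection point was not a monitored tank or sump).
    reportable: bool = True


def monthly_percent(dets: List[Determination], ts_limit: float) -> Optional[float]:
    """Maximum reportable value for the month as a percentage of the TS limit.

    Returns None when nothing is reportable: the data field is left blank
    and the status "Final - N/A" is selected.
    """
    values = [d.value for d in dets if d.reportable]
    if not values:
        return None
    return 100.0 * max(values) / ts_limit


def band(percent: Optional[float]) -> str:
    """Green <= 50% of TS limit, White > 50%, Yellow > 100%."""
    if percent is None:
        return "N/A"
    if percent > 100.0:
        return "YELLOW"
    if percent > 50.0:
        return "WHITE"
    return "GREEN"


def quarterly_report(months: Dict[str, List[Determination]],
                     ts_limit: float) -> List[Tuple[str, Optional[float], str]]:
    """Three monthly values are reported each quarter."""
    report = []
    for month, dets in months.items():
        pct = monthly_percent(dets, ts_limit)
        report.append((month, pct, band(pct)))
    return report


# Monthly maxima 0.2, 0.5, 0.6 uCi/gm and TS limit 1 are from the guideline's
# data example; the excluded 1.4 spike and the extra 0.3 sample are constructed.
ACTIVITY_4Q98 = {
    "10/98": [Determination(0.2)],
    "11/98": [Determination(0.5), Determination(1.4, reportable=False)],
    "12/98": [Determination(0.6), Determination(0.3)],
}

# Identified leakage 7, 5, 6 gpm against a 10 gpm TS value (guideline example).
LEAKAGE_3Q98 = {
    "7/98": [Determination(7)],
    "8/98": [Determination(5)],
    "9/98": [Determination(6)],
}

if __name__ == "__main__":
    for name, data, limit in (("activity", ACTIVITY_4Q98, 1.0),
                              ("leakage", LEAKAGE_3Q98, 10.0)):
        for month, pct, color in quarterly_report(data, limit):
            shown = "blank" if pct is None else f"{pct:.1f}%"
            print(f"{name:8s} {month:6s} {shown:>7s}  {color}")
```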
Data Examples
Reactor Coolant System Leakage (RCSL)
Month                      4/98  5/98  6/98  7/98  8/98  9/98  10/98  11/98  12/98  1/99  2/99
Indicator %T.S. Value      60    40    10    70    50    60    40     30     30     20    20
Identified Leakage (gpm)   6     4     1     7     5     6     4      3      3      2     2
TS Value (gpm)             10    10    10    10    10    10    10     10     10     10    10
Threshold
Green: ≤ 50% TS limit
White: > 50% TS limit
Yellow: > 100% TS limit
Data collected monthly, reported quarterly
[Figure: RCS Leakage, indicator (% of T.S. Limit) by month (4/98 through 2/99 and previous month), vertical axis 0 to 120, with GREEN BAND, WHITE BAND and YELLOW BAND.]
2.4 EMERGENCY PREPAREDNESS CORNERSTONE
The objective of this cornerstone is to ensure that the licensee is capable of implementing
adequate measures to protect the public health and safety during a radiological emergency.
Licensees maintain this capability through Emergency Response Organization (ERO)
participation in drills, exercises, actual events, training, and subsequent problem identification
and resolution. The Emergency Preparedness performance indicators provide a quantitative
indication of the licensee’s ability to implement adequate measures to protect the public health
and safety. These performance indicators create a licensee response band that allows NRC
oversight of Emergency Preparedness programs through a baseline inspection program. These
performance indicators measure onsite Emergency Preparedness programs. Offsite programs are
evaluated by FEMA.
The protection of public health and safety is assured by a defense in depth philosophy that relies
on: safe reactor design and operation, the operation of mitigation features and systems, a
multilayered barrier system to prevent fission product release, and emergency preparedness.
The Emergency Preparedness cornerstone performance indicators are:
• Drill/Exercise performance (DEP),
• Emergency Response Organization Drill Participation (ERO),
• Alert and Notification System Reliability (ANS)
DRILL/EXERCISE PERFORMANCE
Purpose
This indicator monitors timely and accurate licensee performance in drills and exercises when
presented with opportunities for classification of emergencies, notification of offsite authorities,
and development of protective action recommendations (PARs). It is the ratio, in percent, of
timely and accurate performance of those actions to total opportunities.
The notification timeliness criterion for this PI is met when the licensee makes contact with the
first responsible State or local governmental agency within 15 minutes. This success criterion
normalizes the notification capabilities of licensees, regardless of the number of site specific offsite
notification requirements. As such, NRC and licensees can assess a site’s specific capability to a common
industry baseline to identify the possible need for additional inspection resources. Further, the
notification performance enhancement opportunity provides the NRC assurance that a licensee is
conducting the notification process in its entirety and evaluating compliance with the regulatory offsite
notification requirement of Appendix E.IV.D.3 to 10 CFR Part 50.
Indicator Definition
The percentage of all drill, exercise, and actual opportunities that were performed timely and
accurately by Key Positions, as defined in the ERO Drill Participation performance indicator,
during the previous eight quarters.
Data Reporting Elements
The following data are required to calculate this indicator:
• The number of drill, exercise, and actual event opportunities during the previous quarter.
• The number of drill, exercise, and actual event opportunities performed timely and
accurately during the previous quarter.
The indicator is calculated and reported quarterly. (See clarifying notes)
Calculation
The site average values for this indicator are calculated as follows:
(# of timely & accurate classifications, notifications, & PARs from DE & AEs* during the previous 8 quarters
/ the total opportunities to perform classifications, notifications & PARs during the previous 8 quarters) × 100
*DE & AEs = Drills, Exercises, and Actual Events
Definition of Terms
Opportunities should include multiple events during a single drill or exercise (if supported by the
scenario) or actual event, as follows:
• each expected classification or upgrade in classification
• each initial notification of an emergency class declaration
• each initial notification of PARs or change to PARs
• each PAR developed
Timely means:
• classifications are made consistent with the goal of 15 minutes once available plant
parameters reach an Emergency Action Level (EAL)
• PARs are made consistent with the goal of 15 minutes once data is available.
• offsite notifications are initiated within 15 minutes of event classification and/or PAR
development (see clarifying notes)
Accurate means:
• Classification and PAR appropriate to the event as specified by the approved plan and
implementing procedures (see clarifying notes)
• Initial notification form completed appropriate to the event to include (see clarifying notes):
- Class of emergency
- EAL number
- Description of emergency
- Wind direction and speed
- Whether offsite protective measures are necessary
- Potentially affected population and areas
- Whether a release is taking place
- Date and time of declaration of emergency
- Whether the event is a drill or actual event
- Plant and/or unit as applicable
Clarifying Notes
While actual event opportunities are included in the performance indicator data, the NRC will
also inspect licensee response to all actual events.
As a minimum, actual emergency declarations and evaluated exercises are to be included in this
indicator. In addition, other simulated emergency events that the licensee formally assesses for
performance of classification, notification or PAR development may be included in this indicator
(opportunities cannot be removed from the indicator due to poor performance).
The following information provides additional clarification of the accuracy requirements
described above:
• It is understood that initial notification forms are negotiated with offsite authorities. If
the approved form does not include these elements, they need not be added. Alternately,
if the form includes elements in addition to these, those elements need not be assessed for
accuracy when determining the DEP PI. It is, however, expected that errors in such
additional elements would be critiqued and addressed through the corrective action
system.
• The description of the event causing the classification may be brief and need not include
all plant conditions. At some sites, the EAL number is the description.
• “Release” means a radiological release attributable to the emergency event.
• Minor discrepancies in the wind speed and direction provided on the emergency
notification form need not count as a missed notification opportunity provided the
discrepancy would not result in an incorrect PAR being provided.
The licensee shall identify, in advance, drills, exercises and other performance enhancing
experiences in which opportunities will be formally assessed, and shall be available for NRC
review. The licensee has the latitude to include opportunities in the PI statistics as long as the
drill (in whatever form) simulates the appropriate level of inter-facility interaction. The criteria
for suitable drills/performance enhancing experiences are provided under the ERO Drill
Participation PI clarifying notes.
If credit for an opportunity is given in the ERO Drill Participation performance indicator, then
that opportunity must be included in the drill/exercise performance indicator. For example, if the
communicator performing the entire notification during a performance enhancing scenario is an
ERO member in a Key Position, then the notification may be considered as an opportunity and, if
so, participation credit awarded to the ERO member in the Key Position.
If an ERO member in a Key Position supports multiple units (at one or more sites),
Drill/Exercise Performance (DEP) opportunities performed by the ERO member may be
credited to all sites potentially served by the ERO member, in addition to the specific site
participating in the drill or exercise.
[FAQ476 (09-10)]
When a performance enhancing experience occurs before an individual is assigned to a Key
Position in the ERO, then opportunities for that individual that were identified in advance shall
contribute to the Drill/Exercise (DEP) metric at the time the member is assigned to the ERO.
Performance statistics from operating shift simulator training evaluations may be included in this
indicator only when the scope requires classification. Classification, PAR notifications and
PARs performed in the simulator may be included in the indicator. Notifications for
Classification and Notifications for PARs may be included in this indicator if they are
performed to the point of filling out the appropriate forms and demonstrating sufficient
knowledge to perform the actual notification.
[FAQ471 (09-06)]
“Demonstrating sufficient knowledge” is defined as demonstrating the use of communications
equipment to contact the first offsite stakeholder for the purpose of transmitting initial
notification information (offsite stakeholder may be role-played) in accordance with site
communication procedure(s), as well as, if used, demonstration of the needed interface
between the key ERO communicator and the phone-talker. It is recognized that key control
room positions may not perform the actual communication with offsite agencies as part of the
notification process. Personnel filling non-key positions for contacting offsite agencies
(phone-talker) may not be available during simulator training. If an evaluator role-plays the
phone-talker during the simulator session, a phone-talker is required to complete the notification
process out of sequence (e.g. notification form completed in the simulator is provided to a
phone-talker at a later time and the phone-talker demonstrates use of the telephone equipment to
an evaluator). Interactions normally between the Key Communicator and the phone-talker (e.g.
receiving instruction, discussion of the notification and correction of errors in the notification
form) occur between the phone-talker and an evaluator role playing the Key Communicator for
this off-sequence demonstration. Timeliness is determined by adding the time required to
complete the notification form in the simulator to the time required by the phone-talker to
interact and then utilize the communications equipment out of sequence. However, there is no
intent to disrupt ongoing operator qualification programs. Appropriate operator training
evolutions should be included in the indicator only when Emergency Preparedness aspects are
consistent with training goals. A successful PI opportunity is determined by evaluating
performance against program expectations. Thus, if it is part of a pre-established expectation to
enhance the realism of the training environment by marking “actual” on the notification forms, it
should be considered a successful PI opportunity if a simulator crew marks “actual” on the
notification form. However, all notification forms must be marked consistently, either “drill” or
“actual” in accordance with the requirements of the licensee’s emergency preparedness program
expectation. Not marking either drill or actual event (regardless of expectations) shall be a failed
opportunity.
Some licensees have specific arrangements with their State authorities that provide for different
notification requirements than those prescribed by the performance indicator, e.g., within one
hour, not 15 minutes. In these instances the licensee should determine success against the
specific state requirements.
For sites with multiple agencies to notify, the notification is considered to be initiated when
contact is made with the first agency to transmit the initial notification information.
Simulation of notification to offsite agencies is allowed. It is not expected that State/local
agencies be available to support all drills conducted by licensees. The drill should reasonably
simulate the contact and the participants should demonstrate their ability to use the equipment.
Classification is expected to be made promptly following indication that the conditions have
reached an emergency threshold in accordance with the licensee’s EAL scheme. With respect to
classification of emergencies, the 15 minute goal is a reasonable period of time for assessing and
classifying an emergency once indications are available to control room operators that an EAL
has been exceeded. Allowing a delay in classifying an emergency up to 15 minutes will have
minimal impact upon the overall emergency response to protect the public health and safety.
The 15-minute goal should not be interpreted as providing a grace period in which a licensee
may attempt to restore plant conditions and avoid classifying the emergency.
If an event has occurred that resulted in an emergency classification where no EAL was
exceeded, the incorrect classification should be considered a missed opportunity. The subsequent
notification should be considered an opportunity and evaluated on its own merits.
During drill performance, the ERO may not always classify an event exactly the way that the
scenario specifies. This could be due to conservative decision making, Emergency Director
judgment call, or a simulator driven scenario that has the potential for multiple ‘forks’. Situations
can arise in which assessment of classification opportunities is subjective due to deviation from
the expected scenario path. In such cases, evaluators should document the rationale supporting
their decision for eventual NRC inspection. Evaluators must determine if the classification was
appropriate to the event as presented to the participants and in accordance with the approved
emergency plan and implementing procedures.
If the expected classification level is missed because an EAL is not recognized within 15 minutes
of availability, but a subsequent EAL for the same classification level is subsequently
recognized, the subsequent classification is not an opportunity for DEP statistics. The reason
that the classification is not an opportunity is that the appropriate classification level was not
attained in a timely manner.
If a controller intervenes (e.g., coaching, prompting) with the performance of an individual to
make an independent and correct classification, notification, or PAR, then that DEP PI
opportunity shall be considered a failure.
Failure to appropriately classify an event counts as only one failure: This is because notification
of the classification, development of any PARs and PAR notification are subsequent actions to
classification. Similarly, if the same error occurs in follow-up notifications, it should only be
considered a missed opportunity on the initial notification form.
A Classification based on a downgrade from a previously existing higher classification is not
counted as an opportunity. It was not the intent to count downgrades as opportunities for the
DEP performance indicator. When a higher classification is reached in a drill, exercise or real
event it is probable that multiple EALs at equal or lower levels have also been exceeded. When
the reason for the highest classification is cleared, many of the lower conditions may still exist.
It is impractical to evaluate downgrades in classification from a timeliness and accuracy
standpoint. The notification of the downgrade should be handled as an update rather than a
formal opportunity for the performance indicator.
The notification associated with a PAR is counted separately: e.g., an event triggering a GE
classification would represent a total of 4 opportunities: 1 for classification of the GE, 1 for
notification of the GE to the State and/or local government authorities, 1 for development of a
PAR and 1 for notification of the PAR. All PAR notifications resulting in a Recommendation of
Evacuation or Shelter, whether default or not, should be counted as an opportunity for the
drill/exercise performance indicator.
If PARs at the SAE are in the site Emergency Plan they could be counted as opportunities.
However, this would only be appropriate where assessment and decision making is involved in
development of the PAR. Automatic PARs with little or no assessment required would not be an
appropriate contributor to the PI. PARs limited to livestock or crops and no-PAR-necessary
decisions are also not appropriate.
Dose assessment and PAR development are expected to be made promptly following indications
that the conditions have reached a threshold in accordance with the licensee’s PAR scheme. The
15 minute goal from data availability is a reasonable period of time to develop or expand a PAR.
Plant conditions, meteorological data, field monitoring data, and/or radiation monitor data should
provide sufficient information to determine the need to change PARs. If radiation monitor
readings provide sufficient data for assessments, it is not appropriate to wait for field monitoring
to become available to confirm the need to expand the PAR. The 15 minute goal should not be
interpreted as providing a grace period in which the licensee may attempt to restore conditions
and avoid making the PAR recommendation.
If a licensee has identified in its scenario objectives that Protective Action Guidelines (PAGs)
will be exceeded beyond the 10 mile plume exposure pathway emergency planning zone (EPZ)
boundary, then this would constitute a PI opportunity. In addition, there is a DEP PI opportunity
associated with the timeliness of the notification of the PAR to offsite agencies. Essential to
understanding that these DEP PI opportunities exist is the need to realize that it is a regulatory
requirement for a licensee to develop and communicate a PAR when EPA PAG doses may be
exceeded beyond the 10 mile plume exposure pathway EPZ. However, the licensee always has
the latitude to identify which DEP PI opportunities will be included in the PI statistics prior to
the exercise. Thus, a licensee may choose to not include a PAR beyond the 10-mile EPZ as a
DEP PI statistic due to its ad hoc nature.
If a licensee discovers after the fact (greater than 15 minutes) that an event or condition had
existed which exceeded an EAL, but no emergency had been declared and the EAL is no longer
exceeded at the time of discovery, the following applies:
• If the indication of the event was not available to the operator, the event should not be
evaluated for PI purposes.
• If the indication of the event was available to the operator but not recognized, it should be
considered an unsuccessful classification opportunity.
• In either case described above, notification should be performed in accordance with
NUREG-1022 and not be evaluated as a notification opportunity.
Data Example
Emergency Response Organization
Drill/Exercise Performance

| | 3Q/96 | 4Q/96 | 1Q/97 | 2Q/97 | 3Q/97 | 4Q/97 | 1Q/98 | 2Q/98 | 3Q/98 | 4Q/98 | Prev. Q |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Successful Classifications, Notifications & PARs over qtr | 0 | 0 | 11 | 11 | 0 | 8 | 10 | 0 | 23 | 11 | 12 |
| Opportunities to Perform Classifications, Notifications, & PARs in qtr | 0 | 0 | 12 | 12 | 0 | 12 | 12 | 0 | 24 | 12 | 12 |

| | 2Q/98 | 3Q/98 | 4Q/98 | Prev. Q |
|---|---|---|---|---|
| Total # of successful Classifications, Notifications, & PARs in 8 qtrs | 40 | 63 | 74 | 75 |
| Total # of opportunities to perform Classification, Notifications & PARs in 8 qtrs | 48 | 72 | 84 | 84 |
| Indicator expressed as a percentage of Opportunities to perform Classifications, Communications & PARs | 83.3% | 87.5% | 88.1% | 89.3% |

Thresholds

| Green | White | Yellow | Red |
|---|---|---|---|
| ≥ 90% | < 90% | < 70% | Not Applicable |

[Figure: EP Drill/Exercise Performance. Indicator plotted by Quarter (2Q/98, 3Q/98, 4Q/98, Prev. Q) against the GREEN, WHITE and YELLOW threshold bands. Note: No Red Threshold]
EMERGENCY RESPONSE ORGANIZATION DRILL PARTICIPATION
Purpose
This indicator tracks the participation of ERO members assigned to fill Key Positions in
performance enhancing experiences, and through linkage to the DEP indicator ensures that the
risk significant aspects of classification, notification, and PAR development are evaluated and
included in the PI process. This indicator measures the percentage of ERO members assigned to
fill Key Positions who have participated recently in performance-enhancing experiences such as
drills, exercises, or in an actual event.
Indicator Definition
The percentage of ERO members assigned to fill Key Positions that have participated in a drill,
exercise, or actual event during the previous eight quarters, as measured on the last calendar day
of the quarter.
Data Reporting Elements
The following data are required to calculate this indicator and are reported:
• total number of ERO members assigned to fill Key Positions
• total number of ERO members assigned to fill Key Positions that have participated in a
drill, exercise, or actual event in the previous eight quarters
The indicator is calculated and reported quarterly, based on participation over the previous eight
quarters (see clarifying notes).
The participation indicator may include participation in a facility that supports multiple units.
[FAQ476 (09-10)]
Calculation
The site indicator is calculated as follows:
(# of ERO members assigned to Key Positions that have participated in drill, exercise or actual event the previous 8 qtrs)
÷ (Total number of Key Positions assigned to ERO Members) × 100
Definition of Terms
Key Positions are defined below
• Control Room
  • Shift Manager (Emergency Director) - Supervision of reactor operations, responsible
  for classification, notification, and determination of protective action
  recommendations
  • Shift Communicator - provides initial offsite (state/local) notification
• Technical Support Center
  • Senior Manager - Management of plant operations/corporate resources
  • Key Operations Support
  • Key Radiological Controls - Radiological effluent and environs monitoring,
  assessment, and dose projections
  • Key TSC Communicator - provides offsite (state/local) notification
  • Key Technical Support
• Emergency Operations Facility
  • Senior Manager - Management of corporate resources
  • Key Protective Measures - Radiological effluent and environs monitoring,
  assessment, and dose projections
  • Key EOF Communicator - provides offsite (state/local) notification
• Operational Support Center
  • Key OSC Operations Manager
Assigned: Those ERO personnel filling Key Positions listed on the licensee duty roster on the
last day of the quarter of the reporting period.
Clarifying Notes
When the performance of Key Positions includes classification, notification, or PAR
development opportunities, the success rate of these opportunities must contribute to
Drill/Exercise Performance (DEP) statistics for participation of those Key Positions to contribute
to ERO Drill Participation. Participation drill credit before being assigned to the ERO may be
counted for these Key Positions once the individual is assigned to the ERO as long as the success
rate for the opportunities contributes to Drill/Exercise (DEP) statistics.
The licensee may designate drills as not contributing to DEP and, if the drill provides a
performance enhancing experience as described herein, those Key Positions that do not involve
classification, notification or PARs may be given credit for ERO Drill Participation.
Additionally, the licensee may designate elements of the drills not contributing to DEP (e.g.,
classifications will not contribute but notifications will contribute to DEP.) In this case, the
participation of all Key Positions, except those associated with the non-contributing elements,
may contribute to ERO Drill Participation. Participation drill credit before being assigned to the
ERO may be counted for the Key Positions not contributing to DEP if the drill provides a
performance enhancing experience as described herein. The licensee must document such
designations in advance of drill performance and make these records available for NRC
inspection.
[FAQ 12-06]
In order for an opportunity to be considered a performance enhancing experience for a Key
Communicator, the opportunity must include demonstration of the ability to perform a
notification of the emergency classification level to required agencies. Documentation of the
opportunity and its evaluation/critique is to be comprehensive enough to allow an Inspector to reasonably
reach the same conclusion as the licensee as to the adequacy of the performance enhancing experience.
Option for Emergency Response Organizations with Common Facilities
[FAQ476 (09-10)]
If an ERO member in a Key Position supports multiple units (at one or more sites) and
demonstrates similar skill sets during a performance-enhancing experience, participation
credit may be granted for all sites supported.
Negative performance credit as well as positive performance credit will be assigned to all
units.
[FAQ476 (09-10)]
Similarity of Skill Sets
Skill sets are considered similar when the procedures, processes and protocols involved
accomplish the same task or goal. Examples of similar skill sets are provided below.
Classification
Classification of Emergencies are similar when Emergency Action Level procedures,
processes and protocols used by the ERO members in the Key Position are essentially the
same (for example all units would use NEI 99-01 or in the case where a unit may be an
advanced passive light water reactor it would be acceptable to utilize NEI 99-01 for
existing technology and NEI 07-01 for passive technology). Training for key ERO
members performing this function is to include unit-specific and/or technology differences
relating to Initiating Conditions/Emergency Action Levels (e.g., ISFSI, unique hazards,
design considerations, etc.).
Protective Action Recommendations (PARs)
Protective Action Recommendations, when developed with the same protective action
strategies, are similar provided that the procedures, processes and protocols for the
development of the protective action recommendations are essentially the same. For
example:
• Logic flow charts may differ (e.g., because of population differences among the
sites), but should serve the same purpose and be used in the same way.
• Protective Action Zones may differ, but the process used to identify the action taken
for the zones is the same.
• Implementation of potassium iodide (KI) strategies may differ based on the
implementation strategies of responsible authorities at the State and/or Local level,
but the procedures, processes and protocols used to determine if KI is warranted
should be the same.
• PAR development discussion strategies should be the same for each site supported by
the common facility.
Dose Assessment
Dose assessment is similar when methodologies, applicable computer programs, and
models are the same across sites and/or unit technologies served by the common facility.
Definitions of what constitutes a radiological release during a classified emergency are
the same. Training for key ERO members performing this function must include
unit-specific differences in effluent monitors and release pathways, local meteorological
regimes and topography impacts and how these differences impact the dose assessment.
Emergency Notifications
The emergency communicator functions are similar when procedures, processes and
protocols are performed utilizing a similar emergency notification form design and
content. Emergency communicators will be trained on all notification procedures,
processes and protocol differences including, but not limited to, offsite contacts, form
content, methods and equipment.
Link to Drill and Exercise Performance
Lessons learned (positive and negative) are shared to ensure that the benefits of the
performance enhancing experience of the key ERO member(s) are applied across all
units. Corrective actions from the performance of key ERO members performing DEP
activities are shared with and applied to all key ERO members of all units. Similarly,
corrective actions associated with common facility Key ERO member performance (e.g.
training or qualification gaps, procedure deficiencies, equipment issues) are applied
across all units' corrective action programs. DEP opportunities performed shall be
credited to all units, in addition to the unit participating in the drill or exercise.
Records
Lesson plans, rosters, records, etc., are available for NRC inspection.
Credit can be granted to Key Positions for ERO Participation for a Security related Drill or
Exercise as long as the Key Positions are observed evaluating the need to upgrade to the next
higher classification level and/or evaluating the need to change protective action
recommendations. Key TSC Communicator and Key EOF Communicator may be granted
participation credit as long as the Key Position performs a minimum of one offsite (state/local)
update notification. If an individual participates in more than one Security-related Drill/Exercise
in a three year period, only one of the Security-related Drills/Exercise can be credited. A station
cannot run more than one credited Security-related Drill/Exercise in any consecutive 4 quarter
period. Objective evidence shall be documented to demonstrate the above requirements were
met.
Evaluated simulator training evolutions that contribute to Drill/Exercise Performance indicator
statistics may be considered as opportunities for ERO Drill Participation. The scenarios must at
least contain a formally assessed classification and the results must be included in DEP statistics.
However, there is no intent to disrupt ongoing operator qualification programs. Appropriate
operator training evolutions should be included in this indicator only when Emergency
Preparedness aspects are consistent with training goals.
If an ERO member filling a Key Position has participated in more than one drill during the eight
quarter evaluation period, the most recent participation should be used in the Indicator statistics.
[FAQ476 (09-10)]
If a change occurs in the number of ERO members filling Key Positions, this change should be
reflected in both the numerator and denominator of the indicator calculation.
If a person is assigned to more than one Key Position, it is expected that the person be counted in
the denominator for each position and in the numerator only for drill participation that addresses
each position. Where the skill set is similar, a single drill might be counted as participation in
both positions.
Assigning a single member to multiple Key Positions and then only counting the performance for
one Key Position could mask the ability or proficiency of the remaining Key Positions. The
concern is that an ERO member having multiple Key Positions may never have a performance
enhancing experience for all of them, yet credit for participation will be given when any one of
the multiple Key Positions is performed; particularly, if more than one ERO position is assigned
to perform the same Key Position.
ERO participation should be counted for each Key Position, even when multiple Key Positions
are assigned to the same ERO member. In the case where a utility has assigned two or more Key
Positions to a single ERO member, each Key Position must be counted in the denominator for
that ERO member and credit given in the numerator when the ERO member performs each Key
Position.
Similarly, ERO members need not individually perform an opportunity of classification,
notification, or PAR development in order to receive ERO Drill Participation credit. The
evaluation of the DEP opportunities is a crew evaluation for the entire Emergency Response
Organization. ERO members may receive credit for the drill if their participation is a meaningful
opportunity to gain proficiency in their ERO function.
When an ERO member changes from one Key Position to a different Key Position with a skill
set similar to the old one, the last drill/exercise participation may count. If the skill set for the
new position is significantly different from the old position then the previous participation would
not count.
Participation may be as a participant, mentor, coach, evaluator, or controller, but not as an
observer. Multiple assignees to a given Key Position could take credit for the same drill if their
participation is a meaningful opportunity to gain proficiency.
Drills performed by an individual before being assigned to a Key Position in the ERO may be
counted once the individual is assigned to the ERO as long as the performance enhancing
experience(s) contributes to the Drill/Exercise (DEP) metric. The meaning of “drills” in this
usage is intended to include performance enhancing experiences (exercises, functional drills,
simulator drills, table top drills, mini drills, etc.) that reasonably simulate the interactions
between appropriate centers and/or individuals that would be expected to occur during
emergencies. For example, control room interaction with offsite agencies could be simulated by
instructors or OSC interaction could be simulated by a control cell simulating the TSC functions,
and damage control teams.
In general, a drill does not have to include all ERO facilities to be counted in this indicator. A
drill is of adequate scope if it reasonably simulates the interaction between one or more of the
following facilities, as would be expected to occur during emergencies:
• the control room,
• the Technical Support Center (TSC),
• the Operations Support Center,
• the Emergency Operations Facility (EOF),
• field monitoring teams,
• damage control teams, and
• offsite governmental authorities.
The licensee need not develop new scenarios for each drill or each team. However, it is expected
that the licensee will maintain a reasonable level of confidentiality so as to ensure the drill is a
performance enhancing experience. A reasonable level of confidentiality means that some
scenario information could be inadvertently revealed and the drill remain a valid performance
enhancing experience. It is expected that the licensee will remove from drill performance
statistics any opportunities considered to be compromised. There are many processes for the
maintenance of scenario confidentiality that are generally successful. Examples may include
confidentiality statements on the signed attendance sheets and spoken admonitions by drill
controllers. Examples of practices that may challenge scenario confidentiality include drill
controllers, evaluators or mentors who have scenario knowledge becoming participants in
subsequent uses of the same scenarios, and use of scenario reviewers as participants.
All individuals qualified to fill the Control Room Shift Manager/ Emergency Director position
that actually might fill the position should be included in this indicator.
The communicator is the Key Position that fills out the notification form, seeks approval and
usually communicates the information to offsite agencies. Performance of these duties is
assessed for accuracy and timeliness and contributes to the DEP PI. Senior managers who do not
perform these duties should not be considered communicators even though they approve the
form and may supervise the work of the communicator. However, there are cases where the
senior manager actually collects the data for the form, fills it out, approves it and then
communicates it or hands it off to a phone talker. Where this is the case, the senior manager is
also the communicator and the phone talker need not be tracked. The communicator is not
expected to be just a phone talker who is not tasked with filling out the form. There is no intent
to track a large number of shift communicators or personnel who are just phone talkers.
Data Example
Emergency Response Organization (ERO) Drill Participation

| | 2Q/98 | 3Q/98 | 4Q/98 | Prev. Q |
|---|---|---|---|---|
| Total number of Key ERO personnel | 56 | 56 | 64 | 64 |
| Number of Key personnel participating in drill/event in 8 qtrs | 48 | 52 | 54 | 53 |
| Indicator percentage of Key ERO personnel participating in a drill in 8 qtrs | 86% | 93% | 84% | 83% |

Thresholds

| Green | White | Yellow | Red |
|---|---|---|---|
| ≥80% | <80% | <60% | No Red Threshold |

[Figure: ERO Drill Participation. Indicator plotted by Quarter (2Q/98, 3Q/98, 4Q/98, Prev. Q) against the GREEN, WHITE and YELLOW threshold bands. Note: No Red threshold]
NEI 99-02 [Revision 7]
08/31/2013
1
ALERT AND NOTIFICATION SYSTEM RELIABILITY
Purpose
This indicator monitors the reliability of the offsite Alert and Notification System (ANS), a
critical link for alerting and notifying the public of the need to take protective actions. It
provides the percentage of the sirens that are capable of performing their safety function based
on regularly scheduled tests.
Indicator Definition
The percentage of ANS sirens that are capable of performing their function, as measured by
periodic siren testing in the previous 12 months.
Periodic tests are the regularly scheduled tests (documented in the licensee’s test plan or
guidelines) that are conducted to actually test the ability of the sirens to perform their function
(e.g., silent, growl, siren sound test). Tests performed for maintenance purposes should not be
counted in the performance indicator database. Actions that could affect the as-found condition
of sirens prior to testing are not allowed.
Data Reporting Elements
The following data are reported: (see clarifying notes)
• the total number of ANS siren-tests during the previous quarter
• the number of successful ANS siren-tests during the previous quarter
Calculation
The site value for this indicator is calculated as follows:
$$\frac{\text{\# of successful siren-tests in the previous 4 qtrs}}{\text{total number of siren-tests in the previous 4 qtrs}} \times 100$$
Definition of Terms
Siren-Tests: the number of sirens times the number of times they are tested. For example, if 100
sirens are tested 3 times in the quarter, there are 300 siren-tests.
Successful siren-tests are the sum of sirens that performed their function when tested. For
example, if 100 sirens are tested three times in the quarter and the results of the three tests are:
first test, 90 performed their function; second test, 100 performed their function; third test, 80
performed their function, then there were 270 successful siren-tests.
Clarifying Notes
The purpose of the ANS PI is to provide a uniform industry reporting approach and is not
intended to replace the FEMA Alert and Notification reporting requirement at this time.
For those sites that do not have sirens, the performance of the licensee’s alert and notification
system will be evaluated through the NRC baseline inspection program. A site that does not
have sirens does not report data for this indicator.
If a siren is out of service for maintenance or is inoperable at the time a regularly scheduled test
is conducted, then it counts as both a siren test and a siren failure. Regularly scheduled tests
missed for reasons other than siren unavailability (e.g., out of service for planned maintenance or
repair) should be considered non-opportunities. The failure to perform a regularly scheduled test
should be noted in the comment field. Additionally, if sirens are not available for operation because of
intentional actions to disable them, and the area is deemed uninhabitable by State and/or Local agencies,
the siren(s) in question are not required to be counted in the numerator or denominator of the
Performance Indicator for testing throughout the event. The conditions causing the suspension of testing,
its duration and restoration are to be noted in the comment field for the indicator.
For plants where scheduled siren tests are initiated by local or state governments, if a scheduled
test is not performed either intentionally or accidentally, the missed test is not considered a valid
test opportunity. Missed test occurrences should be entered in the plant’s corrective action
program.
If a siren failure is determined to be due only to testing equipment, and subsequent testing shows
the siren to be operable (verified by telemetry or simultaneous local verification) without any
corrective action having been performed, the siren test should be considered a success.
Maintenance records should be complete enough to support such determinations and validation
during NRC inspection.
A licensee may change ANS test methodology at any time consistent with regulatory guidance.
For the purposes of this performance indicator, only the testing methodology in effect on the first
day of the quarter shall be used for that quarter. Neither successes nor failures beyond the testing
methodology at the beginning of the quarter will be counted in the PI. (No actual siren activation
data results shall be included in licensees’ ANS PI data.) Any change in test methodology shall
be reported as part of the ANS Reliability Performance Indicator effective the start of the next
quarterly reporting period. Changes should be noted in the comment field.
Siren systems may be designed with equipment redundancy, multiple signals or feedback
capability. It may be possible for sirens to be activated from multiple control stations or signals.
If the use of redundant control stations or multiple signals is in approved procedures and is part
of the actual system activation process then activation from either control station or any signal
should be considered a success. A failure of both systems would only be considered one failure,
whereas the success of either system would be considered a success. If the redundant control
station is not normally attended or requires setup or initialization, it may not be considered as part
of the regularly scheduled test. Specifically, if the station is only made ready for the purpose of
siren tests it should not be considered as part of the regularly scheduled test.
Actions specifically taken to improve the performance of a scheduled test are not appropriate.
The test results should indicate the actual as-found condition of the ANS. Such practices will
result in an inaccurate indication of ANS reliability.
(FAQ 11-13)
Examples of actions that are NOT allowed and DO affect the as-found conditions of sirens (not
an all-inclusive list):
o Preceding test with an unscheduled test with the sole purpose to validate the siren
is functional.
o Prior to a scheduled test, adjustment or calibration of siren system activation
equipment that was not scheduled to support post maintenance testing.
o Prior to a scheduled test, testing siren system activation equipment or an
individual siren(s) unless the equipment is suspected damaged from adverse
weather, vandalism, vehicular strikes, etc.
o Prior to a scheduled test, testing siren system activation equipment or an
individual siren(s) unless the equipment is suspected as being non-functional as a
result of a computer hardware or software failure, radio tower failure, cut phone
line, etc.
However, in no case should response preclude the timely correction of ANS problems and
subsequent post-maintenance testing, or the execution of a comprehensive preventive
maintenance program.
Testing opportunities that will be included in the ANS performance indicator are required to be
defined in licensee ANS procedures. These are typically: bi-weekly, monthly, quarterly and
annual tests. The site-specific ANS design and testing document approved by FEMA is a
reference for the appropriate types of test; however, licensees may perform tests in addition to
what is discussed in the FEMA report.
Examples of actions that ARE allowed and do not affect the as-found conditions of sirens (not an
all-inclusive list):
o Regardless of the time, an unscheduled diagnostic test and subsequent
maintenance and repair followed by post maintenance testing after any event that
causes actual or suspected damage, such as:
1. Severe/inclement weather (high winds, lightning, ice, etc.),
2. Suspected or actual vandalism,
3. Physical damage from impact (vehicle, tree limbs, etc.),
4. Computer hardware and software failures,
5. Damaged communication cables or phone lines.
6. Problems identified by established routine use of the siren
feedback systems.
o Scheduled polling tests for the purpose of system monitoring to optimize system
availability and functionality.
If a siren is out of service for scheduled planned refurbishment or overhaul maintenance
performed in accordance with an established program, or for scheduled equipment upgrades, the
siren need not be counted as a siren test or a siren failure. However, sirens that are out of service
due to unplanned corrective maintenance would continue to be counted as failures. Unplanned
corrective maintenance is a measure of program reliability. The exclusion of a siren due to
temporary unavailability during planned maintenance/upgrade activities is acceptable due to the
level of control placed on scheduled maintenance/upgrade activities. It is not the intent to create
a disincentive to performing maintenance/upgrades to ensure the ANS performs at its peak
reliability.
As part of a refurbishment or overhaul plan, it is expected that each utility would communicate
to the appropriate state and/or local agencies the specific sirens to be worked and ensure that a
functioning backup method of public alerting would be in place. The acceptable timeframe for
allowing a siren to remain out of service for system refurbishment or overhaul maintenance
should be coordinated with the state and local agencies. Based on the impact to their
organization, these timeframes should be specified in upgrade or system improvement
implementation plans and/or maintenance procedures. Deviations from these plans and/or
procedures would constitute unplanned unavailability and would be included in the PI.
Siren testing conducted at redundant control stations, such as county EOCs that are staffed
during an emergency by an individual capable of activating the sirens, may be credited provided
the redundant control station is in an approved facility as documented in the FEMA ANS design
report.
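The counting rules in the Clarifying Notes and the four-quarter calculation can be checked against the Data Example in this section with the following added example, which is not part of the NEI guideline. The outcome names and function names are assumptions made for illustration.

```python
from collections import deque

# (counts as a siren-test, counts as a success) for each outcome of one siren
# at one regularly scheduled test. The outcome names are assumptions made for
# this example; each rule paraphrases a Clarifying Note above.
COUNTING_RULES = {
    "performed": (True, True),
    "failed": (True, False),
    # Inoperable or out of service for unplanned corrective maintenance.
    "unplanned_out_of_service": (True, False),
    # Scheduled refurbishment, overhaul or upgrade under an established program.
    "planned_refurbishment": (False, False),
    # Failure due only to test equipment; siren later shown operable with no
    # corrective action performed.
    "test_equipment_fault_verified": (True, True),
    # Scheduled test missed for reasons other than siren unavailability.
    "test_not_performed": (False, False),
    # Siren intentionally disabled in an area deemed uninhabitable.
    "disabled_area_uninhabitable": (False, False),
}


def activation_outcome(station_results):
    """Collapse redundant control stations/signals into one outcome per siren.

    Success from any approved station is one success; failure of all of
    them is one failure, not one failure per station.
    """
    return "performed" if any(station_results) else "failed"


def count_quarter(outcomes):
    """Return (successful siren-tests, total siren-tests) for one quarter."""
    successes = tests = 0
    for outcome in outcomes:
        is_test, is_success = COUNTING_RULES[outcome]
        if is_test:
            tests += 1
            successes += int(is_success)
    return successes, tests


def rolling_reliability(quarter_counts, window=4):
    """Indicator value (percent, one decimal) per quarter.

    Quarters without a full four-quarter history yield None.
    """
    recent = deque(maxlen=window)
    values = []
    for successes, tests in quarter_counts:
        recent.append((successes, tests))
        total_tests = sum(t for _, t in recent)
        if len(recent) < window or total_tests == 0:
            values.append(None)
            continue
        total_successes = sum(s for s, _ in recent)
        values.append(round(100.0 * total_successes / total_tests, 1))
    return values


# Quarterly (successful, total) siren-tests from the Data Example in this
# section, 3Q/97 through Prev. Q.
PAGE_DATA_EXAMPLE = [(47, 50), (48, 50), (49, 50), (49, 50), (49, 50), (54, 55), (52, 55)]

# Constructed outcomes for one test of a seven-siren system (not from the guideline).
CONSTRUCTED_TEST = [
    "performed",
    activation_outcome([False, True]),   # backup station activated the siren
    activation_outcome([False, False]),  # both stations failed: one failure
    "unplanned_out_of_service",
    "planned_refurbishment",
    "test_equipment_fault_verified",
    "test_not_performed",
]

if __name__ == "__main__":
    print(count_quarter(CONSTRUCTED_TEST))         # (3, 5)
    print(rolling_reliability(PAGE_DATA_EXAMPLE))
```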
Data Example
Alert & Notification System Reliability

Quarter                                          3Q/97  4Q/97  1Q/98  2Q/98  3Q/98  4Q/98  Prev. Q
Number of successful siren-tests in the qtr        47     48     49     49     49     54     52
Total number of sirens tested in the qtr           50     50     50     50     50     55     55
Number of successful siren-tests over 4 qtrs                            193    195    201    204
Total number of sirens tested over 4 qtrs                               200    200    205    210
Indicator expressed as a percentage of sirens                          96.5%  97.5%  98.0%  97.1%

Thresholds
Green    ≥94%
White    <94%
Yellow   <90%
Red      N/A

[Figure: ANS Reliability. Indicator (80.0% to 100.0%) by Quarter (2Q/98, 3Q/98, 4Q/98, Prev. Q), with GREEN, WHITE and YELLOW bands. Note: No Red Threshold]
2.5 OCCUPATIONAL RADIATION SAFETY CORNERSTONE
The objectives of this cornerstone are to:
(1) keep occupational dose to individual workers below the limits specified in
10 CFR Part 20 Subpart C; and
(2) use, to the extent practical, procedures and engineering controls based upon sound
radiation protection principles to achieve occupational doses that are as low as is
reasonably achievable (ALARA) as specified in 10 CFR 20.1101(b).
There is one indicator for this cornerstone:
• Occupational Exposure Control Effectiveness
OCCUPATIONAL EXPOSURE CONTROL EFFECTIVENESS
Purpose
The purpose of this performance indicator is to address the first objective of the occupational
radiation safety cornerstone. The indicator monitors the control of access to and work activities
within radiologically-significant areas of the plant and occurrences involving degradation or
failure of radiation safety barriers that result in readily-identifiable unintended dose.
The indicator includes dose-rate and dose criteria that are risk-informed, in that the indicator
encompasses events that might represent a substantial potential for exposure in excess of
regulatory limits. The performance indicator also is considered “leading” because the indicator:
• encompasses less-significant occurrences that represent precursors to events that might
represent a substantial potential for exposure in excess of regulatory limits, based on industry
experience; and
• employs dose criteria that are set at small fractions of applicable dose limits (e.g.,
the criteria are generally at or below the levels at which dose monitoring is required in
regulation).
Indicator Definition
The performance indicator for this cornerstone is the sum of the following:
• Technical specification high radiation area (>1 rem per hour) occurrences
• Very high radiation area occurrences
• Unintended exposure occurrences
Data Reporting Elements
The data listed below are reported for each site. For multiple unit sites, an occurrence at one unit
is reported identically as an input for each unit. However, the occurrence is only counted once
against the site-wide threshold value.
• The number of technical specification high radiation area (>1 rem per hour)
occurrences during the previous quarter
• The number of very high radiation area occurrences during the previous quarter
• The number of unintended exposure occurrences during the previous quarter
Calculation
The indicator is determined by summing the reported number of occurrences for each of the
three data elements during the previous 4 quarters.
Definition of Terms
Technical Specification High Radiation Area (>1 rem per hour) Occurrence - A
nonconformance (or concurrent[14] nonconformances) with technical specifications[15] or
comparable requirements in 10 CFR 20[16] applicable to technical specification high radiation
areas (>1 rem per hour) that results in the loss of radiological control over access or work
activities within the respective high-radiation area (>1 rem per hour). For high radiation areas
(>1 rem per hour), this PI does not include nonconformance with licensee-initiated controls that
are beyond what is required by technical specifications and the comparable provisions in 10 CFR
Part 20.
Technical specification high radiation areas, commonly referred to as locked high
radiation areas, includes any area, accessible to individuals, in which radiation levels from
radiation sources external to the body are in excess of 1 rem (10 mSv) per 1 hour at 30
centimeters from the radiation source or 30 centimeters from any surface that the radiation
penetrates, and excludes very high radiation areas. Technical specification high radiation areas,
in which radiation levels from radiation sources external to the body are less than or equal to 1
rem (10 mSv) per 1 hour at 30 centimeters from the radiation source or 30 centimeters from any
surface that the radiation penetrates, are excluded from this performance indicator.
• “Radiological control over access to technical specification high radiation areas” refers to
measures that provide assurance that inadvertent entry[17] into the technical specification high
radiation areas by unauthorized personnel will be prevented.
• “Radiological control over work activities” refers to measures that provide assurance that
dose to workers performing tasks in the area is monitored and controlled.
Examples of occurrences that would be counted against this indicator include:
• Failure to post an area as required by technical specifications,
• Failure to secure an area against unauthorized access,
• Failure to provide a means of personnel dose monitoring or control required by technical
specifications,
• Failure to maintain administrative control over a key to a barrier lock as required by technical
specifications, or
• An occurrence involving unauthorized or unmonitored entry into an area, or
• Nonconformance with a requirement of an RWP (as specified in the licensee’s technical
specifications) that results in a loss of control of access to or work within a technical
specification high radiation area.
[14] “Concurrent” means that the nonconformances occur as a result of the same cause and in a common timeframe.
[15] Or comparable provisions in licensee procedures if the technical specifications do not include provisions for high radiation areas.
[16] Includes 10 CFR 20, §20.1601(a), (b), (c), and (d) and §20.1902(b).
[17] In reference to application of the performance indicator definition in evaluating physical barriers, the term “inadvertent entry” means that the
physical barrier cannot be easily circumvented (i.e., an individual who incorrectly assumes, for whatever reason, that he or she is authorized to
enter the area, is unlikely to disregard, and circumvent, the barrier). The barriers used to control access to technical specification high radiation
areas should provide reasonable assurance that they secure the area against unauthorized access. (FAQ 368)
Examples of occurrences that are not counted include the following:
• Situations involving areas in which dose rates are less than or equal to 1 rem per hour,
• Occurrences associated with isolated equipment failures. This might include, for example,
discovery of a burnt-out light, where flashing lights are used as a technical specification
control for access, or a failure of a lock, hinge, or mounting bolts, when a barrier is checked
or tested.[18]
• Nonconformance with an RWP requirement that does not result in a loss of control of access
to or work within a technical specification high radiation area (e.g., signing in on the wrong
RWP, but having received the pre-job brief and implemented all of the access work control
requirements of the correct RWP).
Very High Radiation Area Occurrence - A nonconformance (or concurrent nonconformances)
with 10 CFR 20 and licensee procedural requirements that results in the loss of radiological
control over access to or work activities within a very high radiation area. “Very high radiation
area” is defined as any area accessible to individuals, in which radiation levels from radiation
sources external to the body could result in an individual receiving an absorbed dose in excess of
500 rads (5 grays) in 1 hour at 1 meter from a radiation source or 1 meter from any surface that
the radiation penetrates.
• “Radiological control over access to very high radiation areas” refers to measures to ensure
that an individual is not able to gain unauthorized or inadvertent access to very high radiation
areas.
• “Radiological control over work activities” refers to measures that provide assurance that
dose to workers performing tasks in the area is monitored and controlled.
Unintended Exposure Occurrence - A single occurrence of degradation or failure of one or more
radiation safety barriers that results in unintended occupational exposure(s), as defined below.
Following are examples of an occurrence of degradation or failure of a radiation safety barrier
included within this indicator:
• failure to identify and post a radiological area
• failure to implement required physical controls over access to a radiological area
• failure to survey and identify radiological conditions
• failure to train or instruct workers on radiological conditions and radiological work controls
• failure to implement radiological work controls (e.g., as part of a radiation work permit)
[18] Presuming that the equipment is subject to a routine inspection or preventative maintenance program, that the occurrence was indeed isolated,
and that the causal condition was corrected promptly upon identification.
An occurrence of the degradation or failure of one or more radiation safety barriers is only
counted under this indicator if the occurrence resulted in unintended occupational exposure(s)
equal to or exceeding any of the dose criteria specified in the table below. The dose criteria were
selected to serve as “screening criteria,” only for the purpose of determining whether an
occurrence of degradation or failure of a radiation safety barrier should be counted under this
indicator. The dose criteria should not be taken to represent levels of dose that are “risk-significant.”
In fact, the dose criteria selected for screening purposes in this indicator are
generally at or below dose levels that are required by regulation to be monitored or to be
routinely reported to the NRC as occupational dose records.
Table: Dose Values Used as Screening Criteria to Identify an Unintended Exposure
Occurrence in the Occupational Exposure Control Effectiveness PI
• 2% of the stochastic limit in 10 CFR 20.1201 on total effective dose equivalent.
The 2% value is 0.1 rem.
• 10% of the non-stochastic limits in 10 CFR 20.1201. The 10% values are as follows:
    5 rem      the sum of the deep-dose equivalent and the committed dose equivalent
               to any individual organ or tissue
    1.5 rem    the lens dose equivalent to the lens of the eye
    5 rem      the shallow-dose equivalent to the skin or any extremity, other than dose
               received from a discrete radioactive particle (DRP)[19]
• 20% of the limits in 10 CFR 20.1207 and 20.1208 on dose to minors and declared pregnant
women. The 20% value is 0.1 rem.
“Unintended exposure” refers to exposure that results in dose in excess of the administrative
guideline(s) set by a licensee as part of their radiological controls for access or entry into a
radiological area. Administrative dose guidelines may be established:
• within radiation work permits, procedures, or other documents,
• via the use of alarm setpoints for personnel dose monitoring devices, or
• by other means, as specified by the licensee.
It is incumbent upon the licensee to specify the method(s) being used to administratively control
dose. An administrative dose guideline set by the licensee is not a regulatory limit and does not,
in itself, constitute a regulatory requirement. A revision to an administrative dose guideline(s)
during job performance is acceptable (with regard to this PI) if conducted in accordance with
plant procedures or programs.
If a specific type of exposure was not anticipated or specifically included as part of job planning
or controls, the full amount of the dose resulting from that type of exposure should be considered
as “unintended” in making a comparison with the respective criteria in the PI. For example, this
might include Committed Effective Dose Equivalent (CEDE), Committed Dose Equivalent
(CDE), or Shallow Dose Equivalent (SDE).
[19] Controls established for DRPs are intended to minimize the possibility of exposures that could result in the SDE dose limit being exceeded, not
to maintain the exposure to some intended SDE dose. Therefore, for the purpose of this PI, any DRP exposure is considered “unintended” and is
a reportable PI event if it results (by itself, or added to previous “uniform” SDE exposures) in an SDE in excess of the regulatory limit in
20.1201(a)(2)(ii).
Clarifying Notes
An occurrence (or concurrent occurrences) that potentially meet the definition of more than one
element of the performance indicator will only be counted once. In other words, an occurrence
(or concurrent occurrences) will not be double-counted (or triple-counted) against the
performance indicator. If two or more individuals are exposed in a single occurrence, the
occurrence is only counted once.
Radiography work conducted at a plant under another licensee’s 10 CFR Part 34 license is
generally outside the scope of this PI. However, if a Part 50 licensee opts to establish additional
radiological controls under its own program consistent with technical specifications or
comparable provisions in 10 CFR Part 20, then a non-conformance with such additional controls
or unintended dose resulting from the non-conformance shall be evaluated under the criteria in
the PI.
Data Example
Occupational Exposure Control Effectiveness

Quarter
  3Q95*  4Q95   1Q96   2Q96   3Q96   4Q96   1Q97   2Q97   3Q97   4Q97   1Q98   2Q98   3Q98   4Q98
Number of Technical Specification High Radiation Area Occurrences this quarter
  0      0      3      0      0      0      0      0      0      0      0      0      0      0
Number of Very High Radiation Area Occurrences this Quarter
  0      0      0      0      0      0      1      0      1      0      0      0      0      0
Number of Unintended Exposure Occurrences this Quarter
  1      0      0      0      0      0      0      0      0      0      0      0      0      1
Cumulative Total Over the Current Four Quarters
  1      1      4      4      3      3      1      1      2      2      1      1      0      1

Notes: * Example assumes 3Q95 is the first quarter in which the PI
is to be considered valid.

Thresholds
Green: <= 2
White: > 2
Yellow: > 5
No Red Threshold

[Figure: Occupational Exposure Control Effectiveness. Cumulative total (0 to 6) by quarter (3Q95* to 4Q98), with GREEN, WHITE and YELLOW bands]
2.6 PUBLIC RADIATION SAFETY CORNERSTONE
RETS/ODCM RADIOLOGICAL EFFLUENT OCCURRENCE
Purpose
To assess the performance of the radiological effluent control program.
Indicator Definition
Radiological effluent release occurrences per site that exceed the values listed below:

Radiological effluent releases in excess of the following values:
Liquid Effluents
    Whole Body                                        1.5 mrem/qtr
    Organ                                             5 mrem/qtr
Gaseous Effluents
    Gamma Dose                                        5 mrads/qtr
    Beta Dose                                         10 mrads/qtr
    Organ Doses from I-131, I-133, H-3 & Particulates 7.5 mrems/qtr

Note:
(1) Values are derived from the Radiological Effluent Technical Specifications (RETS) or
similar reporting provisions in the Offsite Dose Calculation Manual (ODCM), if applicable
RETS have been moved to the ODCM in accordance with Generic Letter 89-01.
(2) The dose values are applied on a per reactor unit basis in accordance with the RETS/ODCM.
(3) For multiple unit sites, allocation of dose on a per reactor unit basis from releases made via
common discharge points is to be calculated in accordance with the methodology specified in
the ODCM.
Data Reporting Elements
Number of RETS/ODCM Radiological Effluent Occurrences each quarter involving assessed
dose in excess of the indicator effluent values.
Calculation
Number of RETS/ODCM Radiological Effluent Occurrences per site in the previous four
quarters.
Definition of Terms
A RETS/ODCM Radiological Effluent Occurrence is defined as a release that exceeds any or all
of the five identified values outlined in the above table. These are the whole body and organ
dose values for liquid effluents and the gamma dose, beta dose, and organ dose values for
gaseous effluents.
Clarifying Notes
The following conditions do not count against the RETS/ODCM Radiological Effluent
Occurrence:
• Liquid or gaseous monitor operability issues
• Liquid or gaseous releases in excess of RETS/ODCM concentration or instantaneous
dose-rate values
• Liquid or gaseous releases without treatment but that do not exceed values in the table
Not all effluent sample (e.g., composite sample analysis) results are required to be finalized at
the time of submitting the quarterly PI reports. Therefore, the reports should be based upon the
best-available data. If subsequently available data indicates that the number of occurrences for
this PI is different than that reported, then the report should be revised, along with an explanation
regarding the basis for the revision.
Data Example
RETS/ODCM Radiological Effluent Occurrence

Quarter                                                   3Q97*  4Q97  1Q98  2Q98  3Q98  4Q98  Prev. Q
Number of RETS/ODCM Occurrences this Quarter                1      0     0     1     0     0     1
Number of RETS/ODCM Occurrences in Last Four Quarters       1      1     1     2     1     1     2

Notes: * Example assumes 3Q97 is first quarter in which the PI is considered valid.

Thresholds
Green: <= 1
White: > 1, <= 3
Yellow: > 3
Red: N/A

[Figure: RETS/ODCM Effluent Occurrences. Occurrences (0 to 4) by quarter (3Q97* to Prev. Q), with Green, White and Yellow bands. No Red Threshold]
2.7 SECURITY CORNERSTONE
The performance indicator for this cornerstone was selected to provide baseline and trend
information needed to evaluate each licensee’s physical protection system. The regulatory
purpose is to provide high assurance that this system will function to protect against the design
basis threat of radiological sabotage as defined in 10 CFR Part 73. As a surrogate to any
engineered physical security protection system, posted security officers provide compensation
when a portion of the system is unavailable to perform its intended function. The performance
indicator value is not an indication that the protection afforded by the plant’s physical security
organization is less than required by the regulatory requirements.
There is one performance indicator for the physical protection system. The performance
indicator is assessed against established thresholds using the data and methodology as
established in this guideline. The NRC baseline inspections will validate and verify the testing
requirements for each system to assure performance standards and testing periodicity are
appropriate to provide valid data.
Performance Indicator
The only security performance indicator is the Protected Area Security
Equipment Performance Index.
This indicator serves as a measure of unavailability of security
equipment to perform its intended function. When compensatory measures
are employed because a segment of equipment is unavailable (i.e., not adequately performing its
intended function), there is no security vulnerability but there is an indication that something
needs to be fixed. The PI also provides trend indications for evaluation of the effectiveness of
the maintenance process, and also provides a method of monitoring equipment degradation as a
result of aging that might adversely impact reliability. Maintenance considerations for protected
area and vital area portals are appropriately and sufficiently covered by the inspection program.
Protected Area (PA) Security Equipment Performance Index
Purpose:
Operability of the PA security system is necessary to detect and assess safeguards events and to
provide the first line of the defense-in-depth physical protection of the plant perimeter. In the
event of an attempted encroachment, the intrusion detection system identifies the existence of the
threat, the barriers provide a delay to the person(s) posing the threat and the alarm assessment
system is used to determine the magnitude of the threat. The PI is used to monitor the
unavailability of PA intrusion detection systems and alarm assessment systems to perform their
intended function.
Indicator Definition:
PA Security equipment performance is measured by an index that compares the amount of the
time CCTVs and IDS are unavailable, as measured by compensatory hours, to the total hours in
the period. A normalization factor is used to take into account site variability in the size and
complexity of the systems.
(FAQ 12-02)
Data Reporting Elements:
Report the following site data for the previous quarter for each unit:
• Compensatory hours, CCTVs: The hours (expressed to the nearest tenth of an hour)
expended in posting a security officer as required compensation for camera(s) unavailability
because of degradation or defects.
• Compensatory hours, IDS: The hours (expressed to the nearest tenth of an hour) expended in
posting a security officer as required compensation for IDS unavailability because of
degradation or defects.
• CCTV Normalization factor: The number of CCTVs divided by 30. If there are 30 or fewer
CCTVs, a normalization factor of 1 should be used.
• IDS Normalization factor: The number of physical security zones divided by 20. If there are
20 or fewer zones, a normalization factor of 1 should be used.
Calculation
The performance indicator is calculated using values reported for the previous four quarters. The
calculation involves averaging the results of the following two equations.
$$\text{IDS Unavailability Index} = \frac{\text{IDS Compensatory hours in the previous 4 quarters}}{\text{IDS Normalization Factor} \times 8760\ \text{hrs}}$$

$$\text{CCTV Unavailability Index} = \frac{\text{CCTV Compensatory hours in the previous 4 quarters}}{\text{CCTV Normalization Factor} \times 8760\ \text{hrs}}$$

$$\text{Indicator Value} = \frac{\text{IDS Unavailability Index} + \text{CCTV Unavailability Index}}{2}$$
Definition of Terms
Intrusion detection system (IDS) - E-fields, microwave fields, etc.
CCTV - The closed circuit television cameras that support the IDS.
Normalization factors - Two factors are used to compensate for larger than nominal size sites.
− IDS Normalization Factor: Using a nominal number of physical security zones across the
industry, the normalization factor for IDS is twenty. If a site has twenty or fewer intrusion
detection zones, the normalization factor will be 1. If a site has more zones than 20, the
factor is the total number of site zones divided by 20 (e.g., 50 ÷ 20 = 2.5).
− CCTV Normalization Factor: Using a nominal number of perimeter cameras across the
industry, the normalization factor for cameras is 30. If a site has thirty or fewer perimeter
cameras, the normalization factor is 1. If a site has more than 30 perimeter cameras, the
factor is the total number of perimeter cameras divided by 30 (e.g., 50 ÷ 30 = 1.7).
Note: The normalization factors are general approximations and may be modified as
experience in the pilot program dictates.
Compensatory measures: Measures used to meet physical security requirements
when required equipment is unavailable. Protected Area protection is
not diminished by the use of compensatory measures for equipment unavailability.
Compensatory man-hours: The man-hours (expressed to the nearest tenth of an hour) that
compensatory measures are in place (posted) to address a degradation in the IDS and CCTV
systems. When a portion of the system becomes unavailable—incapable of performing its
intended function—and requires posting of compensatory measures, the compensatory man-hour
clock is started. The period of time ends when the cause of the degraded state has been repaired,
tested, and system declared operable.
If a zone is posted for a degraded IDS and a CCTV camera goes out in the same posted area, the
hours for the posting of the IDS will not be double counted. However, if the IDS problem is
corrected and no longer requires compensatory posting but the camera requires posting, the hours
will start to count for the CCTV category.
Equipment unavailability: When the system has been posted because of a degraded condition
(unavailability), the compensatory hours are counted in the PI calculation. If the degradation is
caused by environmental conditions, preventive maintenance or scheduled system upgrade, the
compensatory hours are not counted in the PI calculation. However, if the equipment is
degraded after preventive maintenance or periodic testing, compensatory posting would be
required and the compensatory hours would count. Compensatory hours stop being counted
when the equipment deficiency has been corrected, equipment tested and declared back in
service.
Clarifying Notes
Compensatory posting:
• The posting for this PI is only for the protected area perimeter, not vital area doors or other
places where such posting may be required.
• Postings for IDS segments for false alarms in excess of security program limits would be
counted in the PI. In the absence of a false alarm limit in the security program, qualified
individuals can disposition the condition and determine whether compensatory posting is
required.
• Some postings are the result of non-equipment failures, which may be the result of
test/maintenance conditions. For example, in a situation where a part of the IDS is taken
out-of-service to check a condition for false alarms not in excess of security program false alarm
limits, no compensatory hours would be counted. If the equipment is determined to have
malfunctioned, it is not operable and maintenance/repair is required, the hours would count.
• Compensatory hours expended to address simultaneous equipment problems (IDS & CCTV)
are counted beginning with the initial piece of equipment that required compensatory hours.
When this first piece of equipment is returned to service and no longer requires
compensatory measures, the second covered piece of equipment carries the hours. If one IDS
zone is required to be covered by more than one compensatory post, the total man-hours of
compensatory action are to be counted. If multiple IDS zones are covered by one
compensatory post, the man-hours are only counted once.
• IDS equipment issues that do not require compensatory hours would not be counted.
• Compensatory man-hours for a failed Pan-Tilt-Zoom (PTZ) camera count for the PI
only if the PTZ is either being used as a CCTV or is substituting for a failed CCTV.
• The PI metric is based on expended compensatory hours and starts when the IDS or CCTV is
actually posted. There are no "fault exposure hours" or other consideration beyond the actual
physical compensatory posting. Also, this indicator only uses compensatory man-hours to
provide an indication of CCTV or IDS unavailability. If a PTZ camera or other non-personnel
(no expended portion of a compensatory man-hour) item is used as the
compensatory measure, it is not counted for this PI.
• In a situation where security persons are already in place at continuously manned remote
location security booths around the perimeter of the site and there is a need to provide
compensatory coverage for the loss of IDS equipment, security persons already in these
booths can fulfill this function. If they are used to perform the compensatory function, the
hours are included in the PI. The man-hours for all persons required to provide
compensation are counted. If more persons are assigned than required, only the required
compensatory man-hours would be counted.
• Compensatory hours for this PI cover hours expended in posting a security officer as required
as compensation for IDS and/or CCTV unavailability because of a degradation or defect. If
other problems (e.g., security computer or multiplexer) result in compensatory postings
because the IDS/CCTV is no longer capable of performing its intended safeguards function,
the hours would count. Equipment malfunctions that do not require compensatory posting
are not included in this PI.
• If an ancillary system is needed to support proper operability of IDS or CCTV and it fails,
and the supported system does not operate as intended, the hours would count. For example,
a CCTV camera requires sufficient lighting to perform its function so that such a lighting
failure would result in compensatory hours counted for this PI.
Data reporting: For this performance indicator, rounding may be performed as desired provided
it is consistent and the reporting hours are expressed to the nearest tenth of an hour. Information
supporting performance indicators is reported on a per unit basis. For performance indicators that
reflect site conditions (IDS or CCTV), this requires that the information be repeated for each unit
on the site. The criterion for data reporting is from the time the failure or deficiency is identified
to the time it is placed back in service.
Degradation: Required system, equipment, or component is no longer available or capable
of performing its intended safeguards function—manufacturer’s equipment
design capability and/or as covered in the PSP.
Extreme environmental conditions:
Compensatory hours do not count for extreme environmental conditions beyond the design
specifications of the system, including severe storms, heavy fog, heavy snowfall, and sun glare
that renders the IDS or CCTV temporarily inoperable. If after the environmental condition
clears, the zone remains unavailable, despite reasonable recovery efforts, the compensatory hours
would not begin to be counted until technically feasible corrective action could be completed.
For example, a hurricane decimates a portion of the perimeter IDS and certain necessary
components have to be obtained from the factory. Any restoration delay would be independent of
the licensee’s maintenance capability and therefore would not be counted in the indicator.
Other naturally occurring conditions that are beyond the control of the licensee, such as damage
or nuisance alarms from animals are not counted.
Independent Spent Fuel Storage Installations (ISFSIs): This indicator does not include protective
measures associated with such installations.
Intended function: The ability of a component to detect the presence of an individual or display
an image as intended by manufacturer’s equipment design capability and/or as
described in the Physical Security Plan (PSP).
Operational support: E-fields or equivalent that are taken out of service to support plant
operations and are not equipment failures but are compensatorily posted do not count for this PI.
Scheduled equipment upgrade:
• In the situation where system degradation results in a condition that cannot be corrected
under the normal maintenance program (e.g., engineering evaluation specifies the need for a
system/component[20] modification or upgrade), and the system requires compensatory
posting, the compensatory hours stop being counted toward the PI for those conditions
addressed within the scope of the modification after such an evaluation has been made and
the station has formally approved an upgrade with descriptive information about the upgrade
plan including scope of the project, anticipated schedule, and expected expenditures. This
formally initiated upgrade is the result of established work practices to design, fund, procure,
install and test the project. A note should be made in the comment section of the PI submittal
that the compensatory hours are being excluded under this provision. Compensatory hour
counting resumes when the upgrade is complete and operating as intended as determined by
site requirements for sign-off. Reasonableness should be applied with respect to a justifiable
length of time the compensatory hours are excluded from the PI.
• For the case where there are a few particularly troubling zones that result in formal initiation
of an entire system upgrade for all zones, counting compensatory hours would stop only for
zones out of service for the upgrade. However, if subsequent failures would have been
prevented by the planned upgrade those would also be excluded from the count. This
exclusion applies regardless of whether the failures are in a zone that precipitated the upgrade
action or not, as long as they are in a zone that will be affected by the upgrade, and the
upgrade would have prevented the failure.

[20] A modification to prevent the circumvention of the IDS (or CCTV) (such as the installation of a razor wire barrier) would fall under these
provisions because the modification would be acting as an ancillary system of the IDS.
Preventive maintenance:
• Scheduled preventive maintenance (PM) on system/equipment/component to include
probability and/or operability testing. Includes activities necessary to keep the system at the
required functional level. Planned plant support activities are considered PM.
• If during preventive maintenance or testing, a camera does not function correctly, and can be
compensated for by means other than posting an officer, no compensatory man-hours are
counted.
• Predictive maintenance is treated as preventive maintenance. Since the equipment has not
failed and remains capable of performing its intended security function, any maintenance
performed in advance of its actual failure is preventive. It is not the intent to create a
disincentive to performing maintenance to ensure the security systems perform at their peak
reliability and capability.
• Scheduled system upgrade: Activity to improve, upgrade or enhance system performance, as
appropriate, in order to be more effective in its reliability or capability.
Data Example
Protected Area Security Equipment Performance Indicator

| | 2Q97* | 3Q97 | 4Q97 | 1Q98 | 2Q98 | 3Q98 | 4Q98 | Prev. Q |
|---|---|---|---|---|---|---|---|---|
| IDS Compensatory Hours in the Quarter | 36 | 48 | 96 | 126 | 65 | 45 | 60 | 55 |
| CCTV Compensatory Hours in the Quarter | 24 | 36 | 100 | 100 | 48 | 56 | 53 | 31 |
| IDS Compensatory Hrs in Previous Four Quarters | 36 | 84 | 180 | 306 | 335 | 332 | 296 | 225 |
| CCTV Compensatory Hrs in the Previous Four Quarters | 24 | 60 | 160 | 260 | 284 | 304 | 257 | 188 |
| IDS Normalization Factor | 1.05 | 1.05 | 1.05 | 1.05 | 1.1 | 1.1 | 1.1 | 1.1 |
| CCTV Normalization Factor | 1.2 | 1.2 | 1.2 | 1.2 | 1.3 | 1.3 | 1.3 | 1.3 |
| IDS Unavailability Index | 0.003914 | 0.009132 | 0.01957 | 0.0332681 | 0.03476546 | 0.03445413 | 0.03071814 | 0.02334994 |
| CCTV Unavailability Index | 0.002283 | 0.005708 | 0.01522 | 0.02473364 | 0.02493853 | 0.02669477 | 0.02256762 | 0.01650861 |
| Indicator Value | 0.00 | 0.01 | 0.02 | 0.03 | 0.03 | 0.03 | 0.03 | 0.02 |

Notes: *Example assumes 2Q97 is first quarter in which the PI is considered valid.
[Figure: PA Security Equipment Indicator, plotted by quarter from 2Q97* through Prev. Q. Thresholds: GREEN <= 0.08; WHITE > 0.08. Note: No Yellow or Red Threshold.]
APPENDIX A
Acronyms & Abbreviations
AC - Alternating (Electrical) Current
AFW - Auxiliary Feedwater System
ALARA - As Low As Reasonably Achievable
ANS - Alert & Notification System
AOT - Allowed Outage Time
AOV - Air Operated Valve
ATWS - Anticipated Transient Without Scram
BWR - Boiling Water Reactor
CCF - Common Cause Failure
CCW - Component Cooling Water
CDE - Consolidated Data Entry
CDF - Core Damage Frequency
CFR - Code of Federal Regulations
CCTV - Closed Circuit Television
DC - Direct (Electrical) Current
DE & AEs - Drills, Exercises and Actual Events
EAC - Emergency AC
EAL - Emergency Action Levels
EDG - Emergency Diesel Generator
EOF - Emergency Operations Facility
EFW - Emergency Feedwater
ERO - Emergency Response Organization
ESF - Engineered Safety Features
FAQ - Frequently Asked Question
FEMA - Federal Emergency Management Agency
FSAR - Final Safety Analysis Report
FV - Fussell-Vesely
FWCI - Feedwater Coolant Injection
IC - Isolation Condenser
IDS - Intrusion Detection System
ISFSI - Independent Spent Fuel Storage Installation
HOV - Hydraulic Operated Valve
HPCI - High Pressure Coolant Injection
HPCS - High Pressure Core Spray
HPSI - High Pressure Safety Injection
HVAC - Heating, Ventilation and Air Conditioning
INPO - Institute of Nuclear Power Operations
LER - Licensee Event Report
LPCI - Low Pressure Coolant Injection
LPSI - Low Pressure Safety Injection
LOCA - Loss of Coolant Accident
MD - Motor Driven
MOV - Motor Operated Valve
MSIV - Main Steam Isolation Valve
MSPI - Mitigating Systems Performance Index
N/A - Not Applicable
NEI - Nuclear Energy Institute
NRC - Nuclear Regulatory Commission
NSSS - Nuclear Steam Supply System
ODCM - Offsite Dose Calculation Manual
OSC - Operations Support Center
PA - Protected Area
PARs - Protective Action Recommendations
PI - Performance Indicator
PLE - Performance Limit Exceeded
PRA - Probabilistic Risk Analysis
PSA - Probabilistic Safety Assessment
PORV - Power Operated Relief Valve
PWR - Pressurized Water Reactor
RETS - Radiological Effluent Technical Specifications
RCIC - Reactor Core Isolation Cooling
RCS - Reactor Coolant System
RHR - Residual Heat Removal
ROP - Reactor Oversight Process
RWST - Refueling Water Storage Tank
SOV - Solenoid Operated Valve
SPAR - Standardized Plant Analysis Risk
SSFF - Safety System Functional Failure
SSU - Safety System Unavailability performance indicator
SWS - Service Water System
TD - Turbine Driven
TSC - Technical Support Center
UAI - Unavailability Index
URI - Unreliability Index
USwC - Unplanned Scrams with Complications
APPENDIX B
STRUCTURE AND FORMAT OF NRC PERFORMANCE INDICATOR DATA FILES
Performance indicator data files submitted to the NRC as part of the Regulatory Oversight
Process should conform to the structure and format identified below. The INPO CDE software
automatically produces files with the structure and format outlined below.
File Naming Convention
Each NRC PI data file should be named according to the following convention. The name
should contain the unit docket number, underscore, the date and time of creation and (if a change
file) a “C” to indicate that the file is a change report. A file extension of .txt is used to indicate a
text file.
Example: 05000399_20000103151710.txt
In the above example, the report file is for a plant with a docket number of 05000399 and the file
was created on January 3, 2000 at 10 seconds after 3:17 p.m. The absence of a C at the end of
the file name indicates that the file is a quarterly data report.
General Structure
Each line of the report begins with a left bracket (e.g., “[”) and ends with a right bracket (e.g.,
“]”). Individual items of information on a line (elements) are separated by a vertical “pipe” (e.g.,
“|”).
Each file begins with [BOF] as the first line and [EOF] as the last line. These indicate the
beginning and end of the data file. The file may also contain one or more “buffer” lines at the
end of the file to minimize the potential for file corruption. The second line of the file contains
the unit docket number and the date and time of file creation (e.g., [05000399|1/2/2000
14:20:32]). Performance indicator information is contained beginning with line 3 through the
next to last line (last line is [EOF]). The information contained on each line of performance
indicator information consists of the performance indicator ID, applicable quarter/year
(month/year for Barrier Integrity indicators), comments, and each performance indicator data
element. Table B-1 provides a description of the data elements and order for each line of
performance indicator data in a report file.
Example:
[IE01|3Q1998|Comments here|2|2400]
In the above example, the line contains performance indicator data for Unplanned Scrams per
7000 Critical Hours (IE01), during the 3rd quarter of 1998. The applicable comment text is
“Comments here”. The data elements identify that (see Table B-1) there were 2 unplanned
automatic and manual scrams while critical and there were 2400 hours of critical operation
during the quarter.
TABLE B-1 – PI DATA ELEMENTS IN NRC DATA REPORT
| Performance Indicator | Data Element Number | Description |
|---|---|---|
| General Comment | 1 | Performance Indicator Flag (i.e., GEN) |
| | 2 | Report quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| Unplanned Scrams per 7,000 Critical Hours | 1 | Performance Indicator Flag (i.e., IE01) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | Number of unplanned automatic and manual scrams while critical in the reporting quarter |
| | 5 | Number of hours of critical operation in the reporting quarter |
| Unplanned Power Changes per 7,000 Critical Hours | 1 | Performance Indicator Flag (i.e., IE03) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | Number of unplanned power changes, excluding scrams, during the reporting quarter |
| | 5 | Number of hours of critical operation in the reporting quarter |
| Unplanned Scrams with Complications | 1 | Performance Indicator Flag (i.e., IE04) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | Number of unplanned scrams with complications during the reporting quarter |
| Safety System Functional Failures | 1 | Performance Indicator Flag (i.e., MS05) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | Number of safety system functional failures during the reporting quarter |
| Mitigating Systems Performance Index (MSPI) – Emergency AC Power Systems | 1 | Performance Indicator Flag (i.e., MS06) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | MSPI Calculated Value |
| | 5 | Unavailability Index |
| | 6 | Unreliability Index |
| | 7 | Performance Limit Exceeded |
| Mitigating Systems Performance Index (MSPI) – High Pressure Injection Systems | 1 | Performance Indicator Flag (i.e., MS07) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | MSPI Calculated Value |
| | 5 | Unavailability Index |
| | 6 | Unreliability Index |
| | 7 | Performance Limit Exceeded |
| Mitigating Systems Performance Index (MSPI) – Heat Removal Systems | 1 | Performance Indicator Flag (i.e., MS08) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | MSPI Calculated Value |
| | 5 | Unavailability Index |
| | 6 | Unreliability Index |
| | 7 | Performance Limit Exceeded |
| Mitigating Systems Performance Index (MSPI) – Residual Heat Removal Systems | 1 | Performance Indicator Flag (i.e., MS09) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | MSPI Calculated Value |
| | 5 | Unavailability Index |
| | 6 | Unreliability Index |
| | 7 | Performance Limit Exceeded |
| Mitigating Systems Performance Index (MSPI) – Cooling Water Systems | 1 | Performance Indicator Flag (i.e., MS10) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | MSPI Calculated Value |
| | 5 | Unavailability Index |
| | 6 | Unreliability Index |
| | 7 | Performance Limit Exceeded |
| Reactor Coolant System Activity (RCSA) | 1 | Performance Indicator Flag (i.e., BI01) |
| | 2 | Month and year (e.g., 3/2000) |
| | 3 | Comment text |
| | 4 | Maximum calculated RCS activity, in micro curies per gram dose equivalent Iodine 131, as required by technical specifications, for reporting month |
| | 5 | Technical Specification limit for RCS activity in micro curies per gram dose equivalent Iodine 131 |
| Reactor Coolant System Identified Leakage (RCSL) | 1 | Performance Indicator Flag (i.e., BI02) |
| | 2 | Month and year (e.g., 3/2000) |
| | 3 | Comment text |
| | 4 | Maximum RCS Identified Leakage calculation for reporting month in gpm |
| | 5 | Technical Specification limit for RCS Identified Leakage in gpm |
| Emergency Response Organization Drill/Exercise Performance | 1 | Performance Indicator Flag (i.e., EP01) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | Number of drill, exercise and actual event opportunities performed timely and accurately during the reporting quarter |
| | 5 | Number of drill, exercise and actual event opportunities during the reporting quarter |
| Emergency Response Organization (ERO) Drill Participation | 1 | Performance Indicator Flag (i.e., EP02) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | Total Key ERO members that have participated in a drill, exercise, or actual event in the previous 8 quarters |
| | 5 | Total number of Key ERO personnel at end of reporting quarter |
| Alert & Notification System Reliability | 1 | Performance Indicator Flag (i.e., EP03) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | Total number of successful ANS siren-tests during the reporting quarter |
| | 5 | Total number of ANS sirens tested during the reporting quarter |
| Occupational Exposure Control Effectiveness | 1 | Performance Indicator Flag (i.e., OR01) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | Number of technical specification high radiation area occurrences during the reporting quarter |
| | 5 | Number of very high radiation area occurrences during the reporting quarter |
| | 6 | The number of unintended exposure occurrences during the reporting quarter |
| RETS/ODCM Radiological Effluent Indicator | 1 | Performance Indicator Flag (i.e., PR01) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | Number of RETS/ODCM occurrences in the quarter |
| Protected Area Security Equipment Performance Index | 1 | Performance Indicator Flag (i.e., PP01) |
| | 2 | Quarter and year (e.g., 1Q2000) |
| | 3 | Comment text |
| | 4 | IDS Compensatory Hours in the quarter |
| | 5 | CCTV Compensatory Hours in the quarter |
| | 6 | IDS Normalization Factor |
| | 7 | CCTV Normalization Factor |
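The report-file framing in this appendix and the PP01 elements in Table B-1 can be checked together with the four-quarter calculation from the Security cornerstone section. The Python below is an added example, not part of NEI 99-02 or the INPO CDE software; the function names, the sample file name and the multi-quarter sample file are constructed (hours and factors are taken from the Data Example), and two behaviours are assumptions: lines after [EOF] are treated as buffer lines and ignored, and each window uses the normalization factors of its final quarter, as the Data Example's figures imply.

```python
import math
import re
from datetime import datetime

HOURS_PER_YEAR = 8760  # denominator constant from the Calculation section
NAME_RE = re.compile(r"^(\d+)_(\d{14})(C?)\.txt$")
QUARTER_RE = re.compile(r"^([1-4])Q(\d{4})$")

# Constructed sample: docket from the page's example, values from the Data Example.
SAMPLE_NAME = "05000399_19980702101500.txt"
SAMPLE = """[BOF]
[05000399|7/2/1998 10:15:00]
[PP01|2Q1997||36|24|1.05|1.2]
[PP01|3Q1997||48|36|1.05|1.2]
[PP01|4Q1997||96|100|1.05|1.2]
[PP01|1Q1998||126|100|1.05|1.2]
[PP01|2Q1998|Constructed comment|65|48|1.1|1.3]
[EOF]
"""


def parse_filename(name):
    """Split '<docket>_<YYYYMMDDhhmmss>[C].txt' into (docket, created, is_change)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"file name does not follow the convention: {name!r}")
    docket, stamp, change = m.groups()
    return docket, datetime.strptime(stamp, "%Y%m%d%H%M%S"), change == "C"


def parse_report(name, text):
    """Validate the framing and return (docket, is_change, records)."""
    docket, _created, is_change = parse_filename(name)
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != "[BOF]":
        raise ValueError("first line must be [BOF]")
    if "[EOF]" not in lines:
        raise ValueError("missing [EOF]")
    # Assumption: anything after [EOF] is a "buffer" line and is ignored.
    body = lines[1:lines.index("[EOF]")]
    rows = []
    for n, ln in enumerate(body, start=2):
        if not (ln.startswith("[") and ln.endswith("]")):
            raise ValueError(f"line {n} is not bracketed: {ln!r}")
        rows.append(ln[1:-1].split("|"))
    if not rows or len(rows[0]) != 2 or rows[0][0] != docket:
        raise ValueError("line 2 must carry the docket number from the file name")
    return docket, is_change, rows[1:]


def normalization_factor(count, nominal):
    """Zones over 20 (IDS) or cameras over 30 (CCTV), never below 1."""
    return max(1.0, count / nominal)


def pp01_quarters(records):
    """Map (year, quarter) to (ids_hrs, cctv_hrs, ids_nf, cctv_nf) for PP01 lines."""
    out = {}
    for rec in records:
        if rec[0] != "PP01":
            continue
        if len(rec) != 7:
            raise ValueError(f"PP01 needs 7 elements, got {len(rec)}")
        m = QUARTER_RE.match(rec[1])
        if not m:
            raise ValueError(f"bad quarter field: {rec[1]!r}")
        values = tuple(float(v) for v in rec[3:])
        finite = all(math.isfinite(v) for v in values)
        if not finite or min(values[:2]) < 0 or min(values[2:]) < 1:
            raise ValueError(f"out-of-range PP01 values for {rec[1]}")
        out[(int(m.group(2)), int(m.group(1)))] = values
    return out


def indicator_value(quarters, through):
    """Average the IDS and CCTV unavailability indices for the four quarters
    ending at `through`; quarters absent from the data contribute no hours."""
    if through not in quarters:
        raise KeyError(f"no PP01 data for {through}")
    year, qtr = through
    window = []
    for _ in range(4):
        window.append((year, qtr))
        year, qtr = (year, qtr - 1) if qtr > 1 else (year - 1, 4)
    ids_hrs = sum(quarters[k][0] for k in window if k in quarters)
    cctv_hrs = sum(quarters[k][1] for k in window if k in quarters)
    _, _, ids_nf, cctv_nf = quarters[through]
    ids_index = ids_hrs / (ids_nf * HOURS_PER_YEAR)
    cctv_index = cctv_hrs / (cctv_nf * HOURS_PER_YEAR)
    return (ids_index + cctv_index) / 2


def band(value):
    """Thresholds from the page's chart: GREEN <= 0.08, WHITE > 0.08."""
    return "GREEN" if value <= 0.08 else "WHITE"


if __name__ == "__main__":
    _docket, _change, recs = parse_report(SAMPLE_NAME, SAMPLE)
    data = pp01_quarters(recs)
    for key in sorted(data):
        val = indicator_value(data, key)
        print(f"{key[1]}Q{key[0]}: {val:.2f} {band(val)}")
```

Rejecting files whose framing, docket number or element count does not match the specification keeps a truncated or altered submission from being silently scored.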
APPENDIX C
Background Information and Cornerstone Development
INTRODUCTION
This section discusses the overall objectives and basis for the performance indicators used for
each of the seven cornerstone areas. A more in-depth discussion of the background behind each
of the performance indicators identified in the main report may be found in SECY 99-07.
INITIATING EVENTS CORNERSTONE
GENERAL DESCRIPTION
The objective of this cornerstone is to limit the frequency of those events that upset plant stability
and challenge critical safety functions, during shutdown as well as power operations. When such
an event occurs in conjunction with equipment and human failures, a reactor accident may occur.
Licensees can therefore reduce the likelihood of a reactor accident by maintaining a low
frequency of these initiating events. Such events include reactor trips due to turbine trip, loss of
feedwater, loss of offsite power, and other reactor transients. There are a few key attributes of
licensee performance that determine the frequency of initiating events at a plant.
PERFORMANCE INDICATORS
PRAs have shown that risk is often determined by initiating events of low frequency, rather than
those that occur with a relatively higher frequency. Such low-frequency, high-risk events have
been considered in selecting the PIs for this cornerstone. All of the PIs used in this cornerstone
are counts of either initiating events, or transients that could lead to initiating events (see Table 12
in the main body of NEI 99-02). They have face validity for their intended use because they are
quantifiable, have a logical relationship to safety performance expectations, are meaningful, and
the data are readily available. The PIs by themselves are not necessarily related to risk. They are,
however, the first step in a sequence which could, in conjunction with equipment failures, human
errors, and off-normal plant configurations, result in a nuclear reactor accident. They also provide
indication of problems that, if uncorrected, increase the risk of an accident. In most cases, where
PIs are suitable for identifying problems, they are sufficient as well, since problems that are not
severe enough to cause an initiating event (and therefore result in a PI count) are of low risk
significance. In those cases, no baseline inspection is required (the exception is shutdown
configuration control, for which supplemental baseline inspections are necessary).
MITIGATING SYSTEMS CORNERSTONE
GENERAL DESCRIPTION
The objective of this cornerstone is to ensure the availability, reliability, and capability of systems
that respond to initiating events to prevent undesirable consequences (i.e., core damage). When
such an event occurs in conjunction with equipment and human failures, a reactor accident may
result. Licensees therefore reduce the likelihood of reactor accidents by enhancing the availability
and reliability of mitigating systems. Mitigating systems include those systems associated with
safety injection, residual heat removal, cooling water support systems, and emergency AC power.
This cornerstone includes mitigating systems that respond to both operating and shutdown events.
PERFORMANCE INDICATORS
While safety systems and components are generally thought of as those that are designed for
design-basis accidents, not all mitigating systems have the same risk importance. PRAs have
shown that risk is often influenced not only by front-line mitigating systems, but also by support
systems and equipment. Such systems and equipment, both safety- and non-safety-related, have
been considered in selecting the PIs for this cornerstone. The PIs are all direct counts of either
mitigating system availability or reliability or surrogates of mitigating system performance. They
have face validity for their intended use, because they are quantifiable, have a logical relationship
to safety performance expectations, are meaningful, and the data are readily available. Not all
aspects of licensee performance can be monitored by PIs. Risk-significant areas not covered by
PIs will be assessed through inspection.
BARRIER INTEGRITY CORNERSTONE
GENERAL DESCRIPTION
The purpose of this cornerstone is to provide reasonable assurance that the physical design
barriers (fuel cladding, reactor coolant system, and containment) protect the public from
radionuclide releases caused by accidents or events. These barriers play an important role in
supporting the NRC Strategic Plan goal for nuclear reactor safety, “Prevent radiation-related
deaths or illnesses due to civilian nuclear reactors.” The defense in depth provided by the
physical design barriers which comprise this cornerstone allows achievement of the reactor safety
goal.
PERFORMANCE INDICATORS
The performance indicators for this cornerstone cover two of the three physical design barriers.
The first barrier is the fuel cladding. Maintaining the integrity of this barrier prevents the release
of radioactive fission products to the reactor coolant system, the second barrier. Maintaining the
integrity of the reactor coolant system reduces the likelihood of loss of coolant accident initiating
events and prevents the release of radioactive fission products to the containment atmosphere in
transients and other events. Performance indicators for reactor coolant system activity and reactor
coolant system leakage monitor the integrity of the first two physical design barriers. Even if
significant quantities of radionuclides are released into the containment atmosphere, maintaining
the integrity of the third barrier, the containment, will limit radioactive releases to the
environment and limit the threat to the public health and safety. The integrity of the containment
barrier is ensured through the inspection process.
Therefore, there are three desired results associated with the barrier integrity cornerstone. These
are to maintain the functionality of the fuel cladding, the reactor coolant system, and the
containment.
EMERGENCY PREPAREDNESS CORNERSTONE
GENERAL DESCRIPTION
Emergency Preparedness (EP) is the final barrier in the defense in depth approach to safety that
NRC regulations provide for ensuring the adequate protection of the public health and safety.
Emergency Preparedness is a fundamental cornerstone of the Reactor Safety Strategic
Performance Area. 10 CFR Part 50.47 and Appendix E to Part 50 define the requirements of an
EP program and a licensee commits to implementation of these requirements through an
Emergency Plan (the Plan). The performance indicators for this cornerstone are designed to
ensure that the licensee is capable of implementing adequate measures to protect the public health
and safety in the event of a radiological emergency.
PERFORMANCE INDICATORS
Compliance of EP programs with regulation is assessed through observation of response to
simulated emergencies and through routine inspection of onsite programs. Demonstration
exercises involving onsite and offsite programs form the key observational tool used to support,
on a continuing basis, the reasonable assurance finding that adequate protective measures can
and will be taken in the event of a radiological emergency. This is especially true for the most
risk significant facets of the EP program. This being the case, the PIs for onsite EP draw
significantly from performance during simulated emergencies and actual declared emergencies,
but are supplemented by direct NRC inspection and inspection of licensee self-assessment. NRC
assessment of the adequacy of offsite EP will rely (as it does currently) on
regular FEMA evaluations.
OCCUPATIONAL EXPOSURE CORNERSTONE
GENERAL DESCRIPTION
This cornerstone includes the attributes and the bases for adequately protecting the health and
safety of workers involved with exposure to radiation from licensed and unlicensed radioactive
material during routine operations at civilian nuclear reactors. The desired result is the adequate
protection of worker health and safety from this exposure. The cornerstone uses as its bases the
occupational dose limits specified in 10 CFR 20 Subpart C and the operating principle of
maintaining worker exposure “as low as reasonably achievable (ALARA)” in accordance with
10 CFR 20.1101. These radiation protection criteria are based upon the assumptions that a linear
relationship, without threshold, exists between dose and the probability of stochastic health
effects (radiological risk); the severity of each type of stochastic health effect is independent of
dose; and non-stochastic radiation-induced health effects can be prevented by limiting exposures
below thresholds for their induction. Thus, 10 CFR Part 20 requires occupational doses to be
maintained ALARA with the exposure limits defined in 10 CFR 20 Subpart C constituting the
maximum allowable radiological risk. Industry experience has shown that the occurrences of
uncontrolled occupational exposure that potentially could result in an individual exceeding a dose
limit have been low frequency events. These potential overexposure incidents are associated with
radiation fields exceeding 1000 millirem per hour (mrem/hr) and have involved the loss of one or
more radiation protection controls (barriers) established to manage and control worker exposure.
The probability of undesirable health effects to workers can be maintained within acceptable
levels by controlling occupational exposures to radiation and radioactive materials to prevent
regulatory overexposures and by implementing an aggressive and effective ALARA program to
monitor, control and minimize worker dose.
PERFORMANCE INDICATORS
A combined performance indicator is used to assess licensee performance in controlling worker
doses during work activities associated with high radiation fields or elevated airborne
radioactivity areas. The PI was selected based upon its ability to provide an objective measure of
an uncontrolled measurable worker exposure or a loss of access controls for areas having
radiation fields exceeding 1000 millirem per hour (mrem/hr). The data for the PI are currently
being collected by most licensees in their corrective action programs. The PI either directly
measures the occurrence of unanticipated and uncontrolled dose exceeding a percentage of the
regulatory limits or identifies the failure of barriers established to prevent unauthorized entry into
those areas having dose rates exceeding 1000 mrem/hr. The indicator may identify declining
performance in procedural guidance, training, radiological monitoring, and in exposure and
contamination control prior to exceeding a regulatory dose limit. The effectiveness of the
licensee’s assessment and corrective action program is considered a cross-cutting issue and is
addressed elsewhere.
PUBLIC EXPOSURE CORNERSTONE
GENERAL DESCRIPTION
This cornerstone includes the attributes and the bases for adequately protecting public health and
safety from exposure to radioactive material released into the public domain as a result of routine
civilian nuclear reactor operations. The desired result is the adequate protection of public health
and safety from this exposure. These releases include routine gaseous and liquid radioactive
effluent discharges, the inadvertent release of solid contaminated materials, and the offsite
transport of radioactive materials and wastes. The cornerstone uses as its bases the dose limits
for individual members of the public specified in 10 CFR 20, Subpart D; design objectives
detailed in Appendix I to 10 CFR Part 50 which defines what doses to members of the public
from effluent releases are “as low as reasonably achievable” (ALARA); and the exposure and
contamination limits for transportation activities detailed in 10 CFR Part 71 and associated
Department of Transportation (DOT) regulations. These radiation protection standards require
doses to the public be maintained ALARA with the regulatory limits constituting the maximum
allowable radiological risk based on the linear relationship between dose received and the
probability of adverse health effects.
PERFORMANCE INDICATORS
One PI for the radioactive effluent release program has been initially developed to monitor for
inaccurate or increasing projected offsite doses. The effluent radiological occurrence (ERO) PI
does not evaluate performance of the radiological environmental monitoring program (REMP)
which will be assessed through the routine baseline inspection. For transportation activities, the
infrequent occurrences of elevated radiation or contamination limits in the public domain from
this measurement area precluded identification of a corresponding indicator. A second PI has been
proposed for future use to monitor the inadvertent release of potentially contaminated materials
which could result in a measurable dose to a member of the public. These indicators will provide
partial assessments of licensee radioactive effluent monitoring and offsite material release
activities and were selected to identify decreasing performance prior to exceeding public
regulatory dose limits.
PHYSICAL SECURITY CORNERSTONE
GENERAL DESCRIPTION
This cornerstone addresses the attributes and establishes the basis to provide assurance that the
physical protection system can protect against the design basis threat of radiological sabotage as
defined in 10 CFR 73.1(a). The key attributes in this cornerstone are based on the defense in
depth concept and are intended to provide protection against both external and internal threats.
To date, there have been no attempted assaults with the intent to commit radiological sabotage
and, although there has been no PRA work done in the area of safeguards, it is assumed that there
exists a small probability of an attempt to commit radiological sabotage. Although radiological
sabotage is assumed to be a small probability, it is also assumed to be risk significant since a
successful sabotage attempt could result in initiating an event with the potential for disabling of
the safety systems necessary to mitigate the consequences of the event with substantial
consequence to public health and safety. An effective security program decreases the risk to
public health and safety associated with an attempt to commit radiological sabotage.
PERFORMANCE INDICATORS
One performance indicator is used to assess licensee performance in this cornerstone.
The performance of the physical protection system will be measured by the percent of the time all
components (barriers, alarms and assessment aids) in the systems are available and capable of
performing their intended function. When systems are not available and capable of performing
their intended function, compensatory measures must be implemented. Compensatory measures
are considered acceptable pending equipment being returned to service, but historically have been
found to degrade over time. The degradation of compensatory measures over time, along with the
additional costs associated with implementation of compensatory measures provides the incentive
for timely maintenance/I&C support to return equipment to service. The percent of time
equipment is available and capable of performing its intended function will provide data on the
effectiveness of the maintenance process and also provide a method of monitoring equipment
degradation as a result of aging that could adversely impact on reliability.
APPENDIX D
Plant-Specific Design Issues
This appendix provides additional guidance on plant-specific Frequently Asked Questions
and identifies resolutions to performance indicator reporting issues that are specific to individual
plant designs. Refer to Appendix E for guidance on the process for submitting an FAQ. FAQs
should be submitted as soon as possible once the Licensee and resident inspector or region has
identified an issue on which there is not agreement. If the Licensee is not sure how to interpret a
situation and the quarterly report is due, an FAQ should be submitted and a comment in the PI
comment field would be appropriate. It is incumbent on NRC and the Licensee to work
expeditiously and cooperatively, sharing concerns, questions and data in order that the issue can be
resolved quickly.
Plant-specific Issues
The NEI 99-02 guidance was written to accommodate situations anticipated to arise at a typical
nuclear power plant. However, uncommon plant designs or unique conditions may exist that have
not been anticipated. In these cases, licensees should first apply the guidance as written to
determine the impact on the indicators. Then, if the licensee believes that there are unique
circumstances sufficient to warrant an exception to the guidance as written, the licensee should
submit a Frequently Asked Question to NEI for consideration at a public meeting with the NRC.
If the FAQ is approved, the issue will be included in Appendix D of this document as a plant-specific issue.
Some provisions in NEI 99-02 may differ from the design, programs, or procedures of a particular
plant. Examples include (1) the overlapping Emergency Planning Zones at Kewaunee and Point
Beach and (2) actions to address storm-driven debris on intake structures.
In evaluating each request for a plant-specific exception, this forum will take into consideration
factors related to the particular issue.
Kewaunee and Point Beach
Issue: The Kewaunee and Point Beach sites have overlapping Emergency Planning Zones (EPZ).
We report siren data to the Federal Emergency Management Agency (FEMA) grouped by criterion
other than entire EPZs (such as along county lines). May we report siren data for the PIs in the
same fashion to eliminate confusion and prevent 'double reporting' of sirens that exist in both
EPZs? Kewaunee and Point Beach share a portion of EPZs and responsibility for the sirens has
been divided along the county line that runs between the two sites. FEMA has accepted this, and
so far the NRC has accepted this informally.
Resolution: The purpose of the Alert and Notification System Reliability PI is to indicate the
licensee’s ability to maintain risk-significant EP equipment. In this unique case, each neighboring
plant maintains sirens in a different county. Although the EPZ is shared, the plants do not share
the same site. In this case, it is appropriate for the licensees to report the sirens they are
responsible for. The NRC Web site display of information for each site will contain a footnote
recognizing this shared EPZ responsibility.
North Anna and Surry
Continue to report PP01 in accordance with the current guidance in NEI 99-02.
Grand Gulf
Issue: Of the 43 sirens associated with our Alert Notification System, two of the sirens are located
in flood plain areas. During periods of high river water, the areas associated with these sirens are
inaccessible to personnel and are uninhabitable. During periods of high water, the electrical power
to the entire area and the sirens is turned off. The frequency and duration of this occurrence varies
based upon river conditions but has occurred every year for the past five years and lasts an average
of two months on each occasion.
Assuming the sirens located in the flood plain areas are operable prior to the flooded and
uninhabitable conditions, would these sirens be required to be included in the performance
indicator during flooded conditions?
Resolution: If sirens are not available for operation due to high flood water conditions and the area
is deemed inaccessible and uninhabitable by State and/or Local agencies, the siren(s) in question
will not be counted in the numerator or denominator of the Performance Indicator for that testing
period.
Diablo Canyon Units 1 and 2
Issue: At Diablo Canyon (DC), intrusion of marine debris (kelp and other marine vegetation) at the
circulating water intake structures can occur and, under extreme storm conditions result in high
differential pressure across the circulating water traveling screens, loss of circulating water pumps
and loss of condenser. Over the past several years, DC has taken significant steps, including
changes in operating strategy as well as equipment enhancements, to reduce the vulnerability of
the plant to this phenomenon. DC has also taken efforts to minimize kelp, however environmental
restrictions on kelp removal and the infeasibility of removing (and maintaining removal of)
extensive marine growth for several miles around the plant prevent them from eliminating the
source of the storm-driven debris. To minimize the challenge to the plant under storm conditions
which could likely result in loss of both circulating water pumps, DC procedurally reduces power
to 25% power or less. From this power level, the plant can be safely shut down by control rod
motion and use of atmospheric dump valves without the need for a reactor trip.
Is this anticipatory plant shutdown in response to an external event, where DC has taken all
reasonable actions within environmental constraints to minimize debris quantity and impact, able
to be excluded from being counted under IE01 and IE02?
Resolution: In consideration of the intent of the performance indicators and the extensive actions
taken by PG&E to reduce the plant challenge associated with shutdowns in response to severe
storm-initiated debris loading, the following interpretation will be applied to Diablo Canyon. A
controlled shutdown from reduced power (less than 25%), which is performed in conjunction with
securing of the circulating water pumps to protect the associated traveling screens from damage
due to excessive debris loading under severe storm conditions, will not be considered a "scram." If,
however, the actions taken in response to excessive debris loading result in the initiation of a
reactor trip (manual or automatic), the event would require counting under both the Unplanned
Scrams (IE01) and Scrams with a Loss of Normal Heat Removal (IE02) indicators.
Due to its location on the Pacific coast, Diablo Canyon is subject to kelp/debris intrusion at the
circulating water intake structure under extreme storm conditions. If the rate of debris intrusion is
sufficiently high, the traveling screens at the intake of the main condenser circulating water pumps
(CWPs) become overwhelmed. This results in high differential pressure across the screens and
necessitates a shutdown of the affected CWP(s) to prevent damage to the screens.
To minimize the challenge to the plant should a shutdown of the CWP(s) be necessary in order to
protect the circulating water screens, the following operating strategy has been adopted:
• If a storm of sufficient intensity is predicted, reactor power is procedurally curtailed to 50% in
anticipation of the potential need to shut down one of the two operating CWPs. Although the
plant could remain at 100% power, this anticipatory action is taken to avoid a reactor trip in the
event that intake conditions necessitate securing a CWP. One CWP is fully capable of
supporting plant operation at 50% power.
• If one CWP must be secured based on adverse traveling screen/condenser differential pressure,
the procedure directs operators to immediately reduce power to less than 25% in anticipation of
the potential need to secure the remaining CWP. Although plant operation at 50% power could
continue indefinitely with one CWP, this anticipatory action is taken to avoid a reactor trip in
the event that intake conditions necessitate securing the remaining CWP. Reactor shutdown
below 25% power is within the capability of the control rods, being driven in at the maximum
rate, in conjunction with operation of the atmospheric dump valves.
• Should traveling screen differential pressure remain high and cavitation of the remaining CWP
is imminent/occurring, the CWP is shut down and a controlled reactor shutdown is initiated.
Based on anticipatory actions taken as described above, it is expected that a reactor trip would
be avoided under these circumstances.
How should each of the above power reductions (i.e., 100% to 50%, 50% to 25%, and 25% to
reactor shutdown) count under the Unplanned Power Changes PI?
Diablo Canyon
Issue: The response to PI FAQ #158 states “Anticipatory power changes greater than 20% in
response to expected problems (such as accumulation of marine debris and biological
contaminants in certain seasons) which are proceduralized but cannot be predicted greater than 72
hours in advance may not need to be counted if they are not reactive to the sudden discovery of
off-normal conditions.”
Resolution: Anticipatory power reductions, from 100% to 50% and from 50% to less than 25%,
that result from high swells and ocean debris are proceduralized and cannot be predicted 72 hours
in advance. Neither of these anticipatory power reductions would count under the Unplanned
Power Changes PI. However, a power shutdown from less than 25% that is initiated on loss of the
main condenser (i.e., shutdown of the only running CWP) would count as an unplanned power
change since such a reduction is forced and can therefore not be considered anticipatory.
D.C. Cook
Issue: The definition for the Reactor Coolant System (RCS) Leakage performance indicator is
"The maximum RCS Identified Leakage in gallons per minute each month per the technical
specification limit and expressed as a percentage of the technical specification limit."
Cook Nuclear Plant Unit 1 and 2 report Identified Leakage since the Technical Specifications have
a limit for Identified Leakage with no limit for Total Leakage. Plant procedures for RCS leakage
calculation require RCS leakage into collection tanks to be counted as Unidentified Leakage due
to non-RCS sources directed to the collection tanks. All calculated leakage is considered
Unidentified until the leakage reaches an administrative limit at which point an evaluation is
performed to identify the leakage and calculate the leak rate. Consequently, Identified Leakage is
unchanged until the administrative limit is reached. This does not allow for trending allowed RCS
Leakage. The procedural requirements will remain in place until plant modifications can be made
to remove the non-RCS sources from the drain collection tanks. What alternative method should
be used to trend allowed RCS leakage for the Barrier Integrity Cornerstone?
Resolution: Report the maximum RCS Total Leakage calculated in gallons per minute each month
per the plant procedures instead of the calculated Identified Leakage. This value will be compared
to and expressed as a percentage of the combined Technical Specification Limits for Identified and
Unidentified Leakage. This reporting is considered acceptable to provide consistency in reporting
for plants with the described plant configuration.
Nine Mile Point
Issue: Some plants are designed to have a residual transfer of the non-safety electrical buses from
the generator to an off-site power source when the turbine trip is caused by a generator protective
feature. The residual transfer automatically trips large electrical loads to prevent damaging plant
equipment during re-energization of the switchgear. These large loads include the reactor
feedwater pumps, reactor recirculation pumps, and condensate booster pumps. After the residual
transfer is completed the operators can manually restart the pumps from the control room. The
turbine trip will result in a reactor scram. Should the trip of the reactor feedwater pumps be
counted as a scram with a loss of normal heat removal?
Resolution: No. In this instance, the electrical transfer scheme performed as designed following a
scram and the residual transfer. In addition the pumps can be started from the control room.
Therefore, this would not count as a scram with a loss of normal heat removal.
Point Beach
Issue: On June 27th, Point Beach Unit 2 was manually scrammed, in accordance with Abnormal
Operating Procedure AOP 13A, "Circulating Water System Malfunction," and power was reduced
on Point Beach Unit 1 by greater than 20% (from 100% to 79%) due to reduced water level in the
pump bay attributable to an influx of small forage fish (alewives). The large influx of fish created a
high differential water level across the traveling screens and ultimately failure of shear pins for the
screen drive system, leading to a rapid drop in bay level. The plant knows when the alewife
spawning and hatching seasons occur and the effects of Lake Michigan temperature fluctuations on
the route of alewife schools. It was aware of the presence of large schools at other Lake Michigan
plants this spring and discussed those events and the potential of them occurring at Point Beach at
the morning staff meetings. During the thirty years of plant operation, there have been a few
instances where a large number of fish entered the plant circulating water system.
High alewife populations coupled with seasonal variations, lake conditions and wind conditions
created the situation that resulted in the downpower on June 27th. Point Beach staff believes that
these are uncontrollable environmental conditions. Plant procedures are in place which direct
actions when the water level in the pump bay decreases. However, it is not possible to predict the
exact time of an influx of schooling fish nor the massive population of fish that arrived in the
pump bay. Page 17 of NEI 99-02 Revision 1 states, "Anticipated power changes greater than 20%
in response to expected problems (such as accumulation of marine debris and biological
contaminants in certain seasons) which are proceduralized but cannot be predicted greater than 72
hours in advance may not need to be counted if they are not reactive to the sudden discovery of
off-normal conditions." Would this situation count as an unplanned power change?
Resolution: No. The influx of alewives was expected as evidenced by the discussion of events at
other plants on Lake Michigan but was not predictable greater than 72 hours in advance due to the
variables involved. Large schools of alewives are a result of environmental and aquatic conditions
that occur in certain seasons. The response to the drop in bay level is proceduralized.
Quad Cities
Issue: 1) At Quad Cities, load reductions in excess of 20% during hot weather are sometimes
necessary if the limits of the NPDES Permit would be exceeded. Actual initiation of a power
change is not predictable 72 hrs in advance, as actions are not taken until temperatures actually
reach predefined levels. Would these power changes be counted?
2) Power reductions are sometimes necessary during summer hot weather and/or lowered river
level conditions when conducting standard condenser flow reversal evolutions. The load reduction
timing is not predictable 72 hrs in advance as the accumulation of Mississippi River debris/silt
drives the actual initiation of each evolution. The main condenser system design allows for
cleaning by flow reversal, which is procedurally controlled to assure sufficient vacuum is
maintained. It is sometimes necessary, due to high inlet temperatures, to reduce power more than
20% to meet procedural requirements during the flow reversal evolution. These conditions are
similar to those previously described in FAQ 158. Would these power changes be counted for this
indicator?
Resolution:
1) No.
2) No. Power changes in excess of 20% for the purposes of condenser flow reversal are not
counted as an unplanned power change.
River Bend Station
Issue: River Bend Station (RBS) seeks clarification of BI-02 information contained in NEI 99-02
guidance, specifically page 80, lines 36 and 37 “Only calculations of RCS leakage that are
computed in accordance with the calculational methodology requirements of the Technical
Specifications are counted in this indicator.”
NEI 99-02, Revision 2 states that the purpose for the Reactor Coolant System (RCS) Leakage
Indicator is to monitor the integrity of the reactor coolant system pressure boundary. To do this,
the indicator uses the identified leakage as a percentage of the technical specification allowable
identified leakage. Moreover, the definition provided is “the maximum RCS identified leakage in
gallons per minute each month per technical specifications and expressed as a percentage of the
technical specification limit.”
The RBS Technical Specification (TS) states “Verify RCS unidentified LEAKAGE, total
LEAKAGE, and unidentified LEAKAGE increase are within limits (12 hour frequency).” RBS
accomplishes this surveillance requirement using an approved station procedure that requires the
leakage values from the 0100 and 1300 calculation be used as the leakage “of record” for the
purpose of satisfying the TS surveillance requirement. These two data points are then used in the
population of data subject to selection for performance indicator calculation each quarter (highest
monthly value is used).
The RBS approved TS method for determining RCS leakage uses programmable controller
generated points for total RCS leakage. The RBS’ programmable controller calculates the average
total leakage for the previous 24 hours and prints a report giving the leakage rate into each sump it
monitors, showing the last four calculations to indicate a trend and printing the total unidentified
LEAKAGE, total identified LEAKAGE, their sum, and the 24 hour average. The programmable
controller will print this report any time an alarm value is exceeded. The printout can be ordered
manually or can be automatic on a 1 or 8 hour basis. While the equipment is capable of generating
leakage values at any frequency, the equipment generates hourly values that are summarized in a
daily report.
The RBS’ TS Bases states “In conjunction with alarms and other administrative controls, a 12 hour
Frequency for this Surveillance is appropriate for identifying changes in LEAKAGE and for
tracking required trends.”
The Licensee provides that NEI 99-02 requires only the calculations performed to accomplish the
approved TS surveillance using the station procedure be counted in the RCS leakage indicator. In
this case, the surveillance procedure captures and records the 0100 and 1300 RCS leakage values
to satisfy the TS surveillance requirements. The NRC Resident has taken the position that all
hourly values from the daily report should be used for the RCS leakage performance indicator
determination, even though they are not required by the station surveillance procedure. The
Resident maintains that all hourly values use the same method as the 0100 and 1300 values and
should be included in the leakage determination.
Is the Licensee interpretation of NEI 99-02 correct?
Resolution:
All calculations of RCS leakage that are computed in accordance with the calculational
methodology requirements of the Technical Specifications are counted in this indicator. Since the
River Bend Station leakage calculation is an average of the previous 24 hourly leakage rates which
are calculated in accordance with the technical specification methodology, it is acceptable for
River Bend Station to include only those calculations that are performed to meet the technical
specifications surveillance requirement when determining the highest monthly values for reporting.
The ROP Working Group is forming a task force to review this performance indicator based on
industry practices.
Catawba
Issue: Catawba Nuclear Station has 89 sirens in their 10-mile EPZ; 68 of these are located in York
County. Duke Power's siren testing program includes a full cycle test for performance indicator
purposes once each calendar quarter. On Tuesday, September 7, 2004, York County sounded the
sirens in their county's portion of the EPZ to alert the public of the need to take protective actions
for a Tornado Warning. Catawba is uncertain whether to include the results of the actual activation
in their ANS PI statistics. The definition in NEI 99-02 does not address actual siren activations. In
contrast, the Drill/Exercise Performance (DEP) Indicator requires that actual events be included in
the PI. Should the performance during the actual siren activation be included in the Alert and
Notification System (ANS) Performance Indicator Data?
Resolution: For this instance, Catawba may include the results of the September 7, 2004 actual
siren activations in their ANS PI data. However, for all future instances, no actual siren activation
data results shall be included in licensees' ANS PI data.
Fitzpatrick
Issue: Frazil icing is a condition that is known to occur in northern climates, under certain
environmental conditions involving clear nights, open water, and low air temperatures. Under
these conditions the surface of the water will experience a super-cooling effect. The super-cooling
allows the formation of small crystals of ice, frazil ice. Strong winds also play a part in the
formation of frazil ice in lakes. The strong winds mix the super-cooled water and the entrained
frazil crystals, which have little buoyancy, to the depths of the lake. The submerged frazil crystals
can then form slushy irregular masses below the surface. The crystals will also adhere to any
submerged surface regardless of shape that is less than 32°F.
In order to prevent the adherence of frazil ice crystals to the intake structure bars and ensure
maintenance of the ultimate heat sink, the bars of the intake structure are continuously heated.
Surveillance tests conducted before and after the event confirmed the operability of the intake
structure deicing heaters. While heating assists in preventing formation of frazil ice crystals
directly on the bars of the intake structure, the irregular slushy masses discussed above can be
drawn to the intake structure in quantities that reduce flow to the intake canal. If the flow to the
intake canal is restricted in this manner, then the circulating (lake) water flow must be reduced, to
allow frazil ice formations to clear. This water flow reduction necessitates a reduction of reactor
power.
The plant put procedural controls in place to monitor the potential for frazil ice formation during
periods of high susceptibility. A surveillance test requires evaluating the potential for frazil ice
formation during the winter months, when intake temperature is less than 33°F. In support of the
surveillance test, the Chemistry Department developed a test procedure for assessing the potential
for frazil ice formation. An abnormal operating procedure was developed to mitigate the
consequences of an event should frazil icing reduce the flow through the intake structure. During
the overnight hours between March 2 and March 3 the environmental conditions were conducive
to the formation of frazil ice. Chemistry notified Operations that the potential for frazil icing was
very high. Operators were briefed on this condition, the very high potential for frazil ice
formation, and the need to closely monitor intake level.
When indications showed a lowering intake canal level with no other abnormalities indicated,
operations entered the appropriate abnormal operating procedure and reduced power from 100% to
approximately 30% so that circulating water pumps could be secured, thereby reducing flow
through the intake structure heated bars, to slow the formation or accumulation of frazil ice and
allow melting and break-up of the ice already formed.
As noted above, NEI 99-02 Revision 3, in discussing down-powers that are initiated in response to
environmental conditions, states “The circumstances of each situation are different and should be
identified to the NRC in a FAQ so that a determination can be made concerning whether the power
change should be counted.”
Does the transient meet the conditions for the environmental exception to reporting Unplanned
Power changes of greater than 20% RTP?
Resolution: Yes, the downpower was caused by environmental conditions, beyond the control of
the licensee, which could not be predicted greater than 72 hours in advance. Procedures, specific to
frazil ice, were in place to address this expected condition. In lieu of additional FAQ submittals,
this response may be applied by the licensee to future similar instances of frazil ice formation.
Turkey Point
Issue 1: For the MSPI truncation requirements, three methods were provided whereby licensees
could demonstrate sufficient convergence for PRA model acceptability for MSPI. If a licensee is
unable to demonstrate either: (1) a truncation level of 7 orders of magnitude below the baseline
CDF or (2) that Birnbaum values converge within 80% for events with Birnbaum values >1E-6 or
(3) that CDF has converged within 5% when using the approach detailed in section F.6.
What if a licensee, due to limitations with their PRA can “come close” but not meet either of these
requirements?
Is our approach described in the MSPI basis document excerpted below acceptable, given that the
5% guideline is exceeded by only 0.2%, and that we cannot reduce the increase in CDF due to the
last decade decrease in truncation further due to hardware/software limitations?
What should be done in the future when model updates may result in a different degree of
compliance with the truncation guidelines, e.g., the increase in CDF due to the last decade
decrease in truncation is, say, now 6% instead of 5.2%?
NEI 99-02 Guidance needing interpretation (include page and line citation):
Appendix F, Sections F.6, page F-48, which states: “The truncation level used for the method
described in this section should be sufficient to provide a converged value of CDF. CDF is
considered converged when decreasing the truncation level by a decade results in a change in
CDF of less than 5%”
Event or circumstances requiring guidance interpretation:
As documented in the Turkey Point MSPI Basis document, due to limitations with Turkey Point’s
PRA they were only able to achieve a truncation of 3E-11 per year, and the increase in CDF due
to the last decade decrease in truncation is 5.2%, only slightly greater than the 5% guideline.
Turkey Point’s Basis Document states in part:
“…The baseline CDF is 4.07E-6 per year, quantified at truncation of 1.0E-11 per year. This
truncation is about five-and-a-half orders of magnitude below the baseline CDF. Attempts to
quantify at lower truncations failed due to hardware/software limitations; therefore, the "7 orders
of magnitude less than the baseline CDF" criterion defined in the first paragraph of Appendix
F, Sections 1.3.1 and 2.3.1 cannot be met. However, an alternative is described in the second
paragraph of these sections. For all MSPI basic events with a Birnbaum importance of greater
than 1E-6, if the ratio of the Birnbaum importances calculated at one decade above
the lowest truncation (for our case, 1E-10 per year) to their respective importances
calculated at the lowest truncation (for our case, 1E-11 per year) is greater than 0.8, then the
baseline CDF cutset file at the lowest truncation can be used to generate the MSPI Birnbaum
importances.
Turkey Point meets this criterion for all but a few of the MSPI basic events with a Birnbaum
importance of greater than 1E-6. The Birnbaum importances for these basic events were
calculated using the alternative described in Section 6 of Appendix F. This alternative allows the
user to calculate the Birnbaum importances by regenerating cutsets provided the truncation level
is "sufficient to provide a converged value of CDF. CDF is considered to be converged when
decreasing the truncation level by a decade results in a change in CDF of less than 5%."
For Turkey Point, at 1E-11 per year, the increase in the baseline CDF due to the last decade
decrease in truncation is 4.1%, meeting this criterion. However, when the Birnbaum calculations
were attempted at a truncation of 1E-11 per year, the runs failed due to hardware/software
limitations. This was most likely due to the fact that many more cutsets were being generated due
to the quantification of the model with an important component out of service. However, the
quantification of these Birnbaum importances via regeneration was possible at a truncation level of
3E-11 per year. This is the truncation that was used to calculate the Birnbaum importances for the
few basic events in the MSPI calculation that did not meet the “0.8” criterion. Birnbaum
importance is not input into the MSPI calculation, FV importance is, and the Birnbaum importance
is calculated using the FV, the basic event probability (p), and the baseline CDF. The FV for these
basic events was calculated using the formula below.
FV = B*p / CDF(baseline)
The MSPI calculation takes the FVs calculated in this manner, divides them by their respective
basic event probabilities, and multiplies the results by the baseline CDF input to the MSPI
calculation, which is the CDF baseline calculated at a truncation of 1E-11 per year. This will
effectively apply a "correction factor" to the Birnbaum equal to the ratio of the baseline CDF
calculated at a truncation of 1E-11 per year and the baseline CDF calculated at a truncation
of 3E-11 per year. This correction factor should serve to allay any concerns over using a slightly
higher truncation level for quantification of the Birnbaum importances for these basic events.
Further, at a truncation of 3E-11 per year, the increase in CDF due to the last decade decrease in
truncation is 5.2%, just slightly greater than the 5% guideline."
Issue 2: The Turkey Point High Head Safety Injection (HHSI) design is different than the
description provided in Appendix F for Train Determination. Therefore, there is no system-specific
guidance for HHSI which is applicable to the HHSI system at Turkey Point.
At Turkey Point, each unit (Unit 3 and Unit 4) has two HHSI pumps. The Unit 3 and Unit 4 HHSI
pumps start on an SI signal from either unit, and all of them feed the stricken unit. Should the
Turkey Point reporting model be revised to address the four train approach?
Resolution 1: It is acknowledged that there may be limitations with PRA software modeling such
that a few licensees may not meet the explicit guidance limits for truncation and convergence.
In such cases, the licensee shall submit a FAQ and present the details of their analyses. Approval
will be on a case by case basis.
For Turkey Point, their model was able to approach 5.2% (vice 5%) convergence and that is
considered sufficient for the purposes of MSPI calculation.
Resolution 2: Yes. In order to ensure accurate reporting, add the opposite-unit HHSI pump trains
for unavailability monitoring for each unit, and the opposite-unit HHSI pumps for reliability
monitoring for each unit. Although the opposite-unit HHSI pumps are cooled by the opposite-unit
component cooling water (CCW) pumps, they should not be added as they are already monitored
for their associated unit, and their Birnbaum importances for the opposite-unit are several orders of
magnitude less than their Birnbaum importances for their own unit.
Prairie Island and Surry Stations
Issue: Prairie Island has two diesel-driven service water pumps that are monitored under MSPI.
Surry has 3 diesel-driven service water pumps that are monitored under MSPI. There is no
industry prior information associated with this component type on Table 4 on page F-37.
Resolution: Due to insufficient industry data upon which to develop a separate set of parameters
for this component type, an existing component type should be chosen. Given that the failures for
this type of pump are expected to be dominated by the driver rather than the pump, the diesel-driven AFW pump component type should be used.
San Onofre
Issue: During March 2006, the San Onofre Nuclear Generating Station (SONGS) completed the
MSPI Basis Document. The MSPI Basis Document contained a calculation of the FV/UA values
for the CCW and SWC systems. The FV/UA values were derived by assuming that Train A is
constantly running for the entire year and therefore all unavailability would be assigned to the non-running Train B. The resultant FV/UA value for Train B was then conservatively applied to both
Train A and Train B without averaging.
Since the system is symmetric in importance, what should have occurred is that the FV/UA values
should have been calculated for each train and averaged since each train is run approximately 50%
of the time. This would be equivalent to calculating each train’s FV/UA value assuming the other
train is running and then multiplying each train’s FV/UA value by an “operating factor” – the
percentage of time the respective train is actually the running train (approximately 50% in this
case) – and then averaging the two (Train A and Train B) FV/UA values.
In summary, an error was made in application of the NEI 99-02R4, Section F.1.3.4 guidance.
Resolution: The SONGS misapplication of the guidance in NEI 99-02R4 regarding the treatment
of FV/UA due to the modeling asymmetries of the SSC systems was discussed with the NRC at
the May 18 Reactor Oversight Process Task Force public meeting. It was concluded that the MSPI
Basis Document of April 1, 2006 was in error and requires correction to reflect the train averaging
of section F 1.3.4 prior to submittal of the 2Q06 data on July 21, 2006.
Oyster Creek
Issue: An intake structure sea grassing event occurred on 8/6/2005 resulting in an abnormal low
level in the north side of the intake structure and a subsequent unplanned downpower from 100%
power to approximately 41% power for a duration of approximately 40 hours. The event was
reported as Unplanned, excluded per NEI 99-02.
Oyster Creek had been maintaining the intake structure in a summer seasonal readiness condition
that was consistent with conditions in previous summer seasons. Appropriate preventive
maintenance had been performed on the intake traveling screens. Daily flushing of the screen
wash headers and periodic header cleaning had been instituted, in accordance with plant
procedures and monitoring practices for summer readiness. These were expected conditions that
the plant is forced to deal with during summer seasons. However, this event involved larger
amounts of submerged sea grass than had been seen in the past.
Higher than normal levels of grass were experienced between 2300 hours on August 6, 2005 and
0235 hours on August 6, 2006 at the intake structure. At approximately 0235 hours the Control
Room received a report from the operator at the intake that intake level on the north side of the
intake structure downstream of the screens was at < 1.4 psig as sensed by the bubbler indicator.
This equates to a level of <-2.0 ft Mean Sea Level (MSL) and required entry into Abnormal
Operating Procedure ABN-32, Abnormal Intake Level. This required more frequent grass removal
from intake structure components. Backwashing, raking and screen cleaning were in progress
prior to the event, in accordance with plant procedures. At approximately 0305 hours, an
unexpected large influx of submerged sea grass (Gracilaria) entered the North Side of the intake
structure resulting in a collapse of the Trash grates. The grass loading caused each screen’s shear
pin on the #1, 2, & 3 screens to break, as designed to provide a measure of protection for the intake
structure. The three screens on the South Side of the intake structure were not affected during the
entire event. Water level downstream of the screens on the North Side lowered due to operation of
#1 and #2 Circulating Water Pumps, #1 New Radwaste Service Water Pump and #1 Service Water
Pump. The Control Room Unit Operator was informed by the Shift Manager at the intake that
level on the North Side of the intake was 0 psig on the bubbler gage at the Screen Wash Control
Panel (which corresponds to -5.13’ Mean Sea Level). This level exceeded the Alert threshold for
EAL HA3. At 0330 hours Emergency Service Water (ESW) System 1 pumps were declared
inoperable and Technical Specification LCO 3.4.C.3. (7-day clock) was entered. The sudden,
unexpected, large influx of submerged grass impacted the North Side of the Intake Structure
resulting in a collapse of the Trash grates and the #1, 2 & 3 Intake Screen shear pins had broken.
The Trash Rake was caught in #1 Bay. The shear pin for #1 Screen was replaced but sheared
immediately. Both the 1-1 and the 1-2 Main Circulating Water Pumps were secured due to the low
intake level resulting in pump cavitation, which required the power reduction to approximately
40%.
Resolution: The downpower that is described in this FAQ does count. The facility has not
developed a specific procedure to proactively monitor for environmental conditions that would
lead to sea grass intrusion, to direct proactive actions to take before the intrusion, and actions to
take to mitigate an actual intrusion that are appropriate for the station and incorporate lessons
learned. Development and use of such a procedure in the future, instead of standing orders, may
provide the basis for a future FAQ allowing excluding a downpower >20% for this PI.
No change to PI guidance is needed.
Calvert Cliffs
Issue: Anticipated power changes greater than 20% in response to expected environmental
problems (such as accumulation of marine debris, biological contaminants, or frazil icing) which
are proceduralized but cannot be predicted greater than 72 hours in advance may not need to be
counted unless they are reactive to the sudden discovery of off normal conditions… . The licensee
is expected to take reasonable steps to prevent intrusion of marine or other biological growth from
causing power reductions… The circumstances of each situation are different and should be
identified to the NRC in a FAQ so that a determination can be made concerning whether the power
change should be counted.’
During summer months, under certain environmental conditions, Calvert Cliffs can experience
instances of significant marine life impingements which can cause high differential pressure across
our Circulating Water (bay water) System traveling screens, restricting flow capability of our
Circulating Water (CW) pumps which could ultimately result in a plant derate or trip due to being
unable to maintain sufficient condenser vacuum.
In anticipation of these potential marine life impingement conditions, the site has proceduralized
actions to be taken within an Abnormal Operating Procedure (AOP). The actions to be taken in
these circumstances include placing travel screens in manual mode of operation and using the
intake aerator and fire hoses to disperse the fish population. Although instances of biological
blockages are expected, neither the time of nor the severity of the intrusions can be predicted.
During July 2006 the site had been periodically dealing with instances of jellyfish intrusions which
had challenged maintaining sufficient CW flow, but had not been severe enough to threaten plant
full power operation. On July 7, 2006 the site experienced a severe jellyfish intrusion and
implemented the applicable AOP. This time the actions were unable to ensure sufficient CW flow
to maintain Unit 1 at 100% power and a rapid power reduction was initiated on Unit 1, which
ultimately reduced power to 40%. When the jellyfish intrusion was controlled, sufficient CW flow
was restored, and power was restored to 100%. Given that the circumstances of this jellyfish
intrusion were beyond the control of the plant, and that appropriate site actions have been
proceduralized, should this event be exempted from counting as an unplanned power change? In
addition, can this exemption be applied to future, similar marine life impingements at Calvert
Cliffs, where the site carries out the approved actions designed to counteract these conditions,
without submittal of future FAQs?
Resolution: The downpower that is described in this FAQ does count. The facility has not
developed a specific procedure to proactively monitor for environmental conditions that would
lead to jellyfish intrusion, to direct proactive actions to take before the intrusion, and actions to
take to mitigate an actual intrusion that are appropriate for the station and incorporate lessons
learned, e.g., staging equipment, assigning additional personnel or watches, implementing finer
mesh screen use, use of hose spray to ward off jellyfish. Development and use of such a
procedure in the future, may provide the basis for a future FAQ allowing excluding a downpower
>20% for this PI.
No change to PI guidance is needed.
Point Beach
FAQ479
(11-05)
Issue: Point Beach is upgrading the Unit 1 and Unit 2 auxiliary feedwater systems (AF) during the
second quarter of 2011 with Unit 2 being completed during the spring outage and Unit 1 while the
plant is on line. The current AF design has two motor-driven AF pumps that are shared between
the two units. In the current configuration, the operating unit has planned unavailability during the
other unit’s refueling outage. After the upgrade modifications are completed, the AF system will
have one new motor-driven pump dedicated to each unit and will no longer have planned
unavailability during the other unit’s refueling outage. The new pumps will be the same model
casing as the old pumps, but will have a different impeller, resulting in a higher flow rate, and will
be powered by 4160V versus 480V. The preventive maintenance activities for the new pumps and
associated monitored valves will be essentially the same as those for the existing pumps and
associated monitored valves. The change will reduce the number of motor-driven AF trains from
two to one per unit and will change the Point Beach generic common cause failure adjustment
value from 1.25 to 1.0 in NEI 99-02, Appendix F, Table 7.
The refueling outage is scheduled to be completed during the second quarter of 2011. As the units
will be putting the new AF pumps and associated monitored valves in service during the middle of
a quarter, the device records in CDE will be updated upon entry into MODE 4 ascending for Unit 2
and when the new AF pump and associated monitored valves are placed in service for Unit 1.
However, CDE and the MSPI Basis Document will not be updated until the end of the second
quarter to reflect the new PRA and the new train definitions.
The completion of the modification during the middle of a quarter will result in the inability to
implement all of the guidance in NEI 99-02 related to reporting of data in CDE. The goal is to
provide a second quarter MSPI submittal for AF that accurately reflects the actual availability and
reliability of the existing and new AF system configurations and implements the guidance of NEI
99-02 as much as reasonable. However, as CDE does not support the submittal of split data and
does not allow PRA model changes mid-quarter, an MSPI result for MS08, Heat Removal
Systems, reflecting second quarter 2011 AF system unavailability and reliability would not be
representative of the new system and would not provide meaningful results. Therefore,
exemptions from NEI 99-02 reporting guidance are requested for Point Beach based upon the
system design changes being implemented in the second quarter of 2011.
Resolution: Point Beach may have a one-time exemption from the reporting guidance on
Page 2, Lines 15-23, of NEI 99-02, Revision 6. The 2Q2011 MS08 PI will be characterized
as “Insufficient Data to Calculate PI,” as indicated by:
on the NRC’s “ROP Performance Indicators Summary” Web site because (1) the results will not
be representative of the current PRA and MSPI Basis Document for that quarter and (2) the data
reflecting the actual plant configuration cannot be processed in CDE software. A comment shall
be added to the CDE submittal file explaining the basis for this characterization, which will
include that the modification was installed mid-quarter, CDE is not capable of processing a “data
split” within the same quarter, CDE does not allow mid-quarter PRA model changes, and an MSPI
result for MS08, Heat Removal Systems, reflecting 2Q2011 AF system unavailability and
reliability would not be representative of the new system nor provide meaningful results.
AF unavailability and reliability data will be reported to the NRC for 2Q2011. The data will
be used for assessing MS08 data for subsequent quarters.
Because the new pumps and associated monitored valves will be similar to the existing pumps and
associated monitored valves, Point Beach will determine the baseline unavailability data
(nominally 2002-2004) for the new trains by using the unavailability data for the existing trains,
removing the unavailability that was reported when the other unit was in an outage, and averaging
the data over three years. With respect to historical unavailability data, because the new pumps
and associated monitored valves will be similar to the existing pumps and associated monitored
valves, Point Beach will determine the past three years of historical unavailability for the new
trains by using the data for the existing trains, removing the unavailability taken when the other
unit was in an outage, and averaging the data over three years. Point Beach will also update the
MSPI basis document at the end of 2Q2011 to reflect the modification’s impact on system and
train boundaries.
With respect to reliability data, Point Beach will update the device records and associated
reliability data in CDE at the time the new pumps and associated monitored valves are placed in
service and will update the MSPI basis document at the end of 2Q2011 to reflect the
modification’s impact on monitored component boundaries. The most recent three years of
reliability data for the currently installed pumps will serve as the reliability data for the new pumps
because of their similar design and function.
It is acceptable to revise the HRS/MDP Standby generic common cause failure adjustment value
from 1.25 to 1.00, which will take effect upon the implementation of the modification, in NEI 99-02, Revision 6, Appendix F, Table 7.
Fort Calhoun
FAQ485
(11-11)
Issue: Under normal circumstances and in accordance with the Fort Calhoun Radiological
Emergency Response Plan, section E, sirens are tested bi-weekly for functionality via Emergency
Planning Test (EPT) EPT-1 (Alert Notification System Silent Test), quarterly via EPT-2 (Alert
Notification System Growl Test), and annually via EPT-3 (Alert Notification System Complete
Cycle Test).
Current flooding along the Missouri River and within the 10-mile EPZ has resulted in several
sirens being [deliberately] disabled by disconnecting AC power due to rising river levels. These
flooding conditions do not only affect the operability/functionality of the sirens, but have also
resulted in power disconnections for and evacuation of residents in the areas for which these sirens
provide coverage. Additionally, backup route-alerting is still available for any remaining affected
residents as verified through local and state governments.
In accordance with NEI 99-02, Revision 6 (Regulatory Assessment Performance Indicator
Guideline), page 57 concerning siren testing states “Regularly scheduled tests missed for reasons
other than siren unavailability (e.g., out of service for planned maintenance or repair) should be
considered non opportunities.” This evaluation and exemption was applied to the sirens that have
been removed from service due to flooding.
These sirens were removed from service intentionally, and will remain out of service for an
extended period of time; therefore they will not be counted in the performance indicator for Alert
and Notification System Reliability. For all EPTs conducted on sirens during the time period
when power has been removed from the siren due to flooding, the number of sirens tested will only
be those that have normal power available.
Resolution: If sirens are not available for operation due to high flood water conditions, and the
area is deemed inaccessible and uninhabitable by State and/or Local agencies, the siren(s) in
question will not be counted in the numerator or denominator of the Performance Indicator for that
testing period.
APPENDIX E
FREQUENTLY ASKED QUESTIONS
Purpose
The Frequently Asked Question (FAQ) process is the mechanism for resolving interpretation
issues with NEI 99-02. FAQs and responses are posted on the NRC Website
(www.nrc.gov/NRR/OVERSIGHT/ASSESS/index.html) and INPO’s Consolidated Data Entry
webpage. Approved FAQs represent NRC approved interpretations of performance
indicator guidance and should be treated as an extension of NEI 99-02.
There are several reasons for submitting an FAQ:
1. To clarify the guidance when the licensee and NRC regional staff do not agree on the
meaning or application of the guidance to a particular situation.
2. To provide guidance for a class of plants whose design or system functions differ from that
described in the guidance.
3. To request an exemption from the guidance for plant-specific circumstances, such as design
features, procedures, or unique conditions.
4. When recommended in NEI 99-02, such as in response to unplanned power changes due to
environmental conditions.
Proposed changes to the guidance are not a reason to submit an FAQ. A formal process exists
for changing the guidance, which usually includes analysis and piloting before being
implemented. White papers that are submitted for guidance changes, if approved by the
Industry/NRC working group, are converted into an FAQ for use and inclusion in the next
revision of NEI 99-02. In some circumstances, while reviewing an FAQ, the Industry/NRC
working group may determine that a change in the guidance is necessary.
The FAQ process is not the arena in which to resolve interpretation issues with any other NRC
regulatory documents. In addition, the FAQ process is not used to make licensing or engineering
decisions.
Process
1. Issue identification
Either the licensee or the NRC may identify the need for an interpretation of the guidance.
FAQ Whitepaper, May 2013
FAQs should be submitted as soon as possible, but generally no later than the quarter
following identification of the issue requiring interpretation. Once the licensee and
resident inspector or region have identified an issue on which there is either disagreement
or where both parties agree that guidance clarification is necessary, an FAQ should be
submitted as soon as possible. The FAQ should be provided to the ROP Task Force by the next
scheduled ROP Task Force meeting, if practical, but no later than its subsequent meeting. The
ROP Task Force should submit the FAQ to the ROP Working Group by the following month’s
meeting, if practical. If both the resident inspector and licensee agree that the issue is complex
and more time is required (e.g., to complete a causal evaluation, obtain a vendor report, perform
a simulator run, etc.), the FAQ submittal may be delayed until the issue is sufficiently
understood.
The licensee submits the FAQ by email to pihelp@nei.org. The email should include “FAQ” as
part of the subject line and should provide the name and phone number of a contact person. If the
licensee is not sure how to interpret a situation and the quarterly report is due, an FAQ should be
submitted and a comment in the PI comment field would be appropriate. If the licensee has
reasonable confidence that its position will be accepted, it is under no obligation to report the
information (e.g., unavailability). Conversely, if the licensee is not confident that it will succeed
in its FAQ, the information should be included in the submitted data. In either case, the report
can be amended, if required, at a later date.
2. Expeditiousness, Completeness and Factual Agreement
In order for the performance indicators to be a timely element of the ROP, it is incumbent on
NRC and the licensee to work expeditiously and cooperatively, sharing concerns, questions and
data in order that the issue can be resolved quickly. Where possible, agreement should be
achieved prior to submittal of the FAQ on the factual elements of the FAQ, e.g., the engineering,
maintenance, or operational situation. The FAQ must describe the situation clearly and
concisely and must be complete and accurate in all respects. If agreement cannot be reached on
the wording of the FAQ, NRC will provide its alternate view to the licensee for inclusion in the
FAQ.
3. FAQ Format
See Figure E-1 for the format for submitting an FAQ. It is important to provide contact
information and whether the FAQ should be considered generic to all plants, or only specific to
the licensee submitting the FAQ. In most cases the FAQ will become effective as soon as
possible; however, the licensee can recommend an effective date. The question section of the
FAQ includes the specific wording of the guidance which needs to be interpreted, the
circumstances involved, and the specific question. All relevant information should be included
and should be as complete as possible. Incomplete or omitted information will delay the
resolution of the FAQ. The licensee also provides a proposed response to the FAQ. The
response should answer the question and provide the reasoning for the answer. (There must not
be any new information presented in the response that was not already discussed in the question.)
The NRC may or may not opt to request that the FAQ include an alternative response. Finally,
the FAQ may include proposed wording to revise the guidance in the next revision.
4. Screening of licensee FAQs
Typically, FAQs are forwarded to and reviewed by NEI. New FAQs should be submitted at least
one week prior to the ROP meeting; revisions to previously accepted FAQs can be submitted at
any time. NEI may request that the FAQ be revised. After acceptance by NEI, the FAQ is
reviewed by the industry’s ROP Task Force (formerly SPATF). Additional wording may be
suggested to the licensee. In some cases, the task force may believe the FAQ is without merit
and may recommend that the FAQ be withdrawn. An accepted FAQ is entered in the FAQ log
which includes all unresolved FAQs. All open FAQs and the log are forwarded to NRC and the
task force members approximately one week prior to the (approximately) monthly ROP meeting
between the task force and NRC or as soon as reasonably practical.
5. Public Meeting Discussions of FAQs
The FAQ log is reviewed at each monthly ROP meeting, and the Industry/NRC working group is
responsible for achieving a consensus response, if possible. In most cases, the licensee is
expected to present and explain the details of its FAQ. Licensee and resident/regional NRC staff
are usually available (at the meeting or by teleconferencing) to respond to questions posed by the
Industry/NRC working group. The new FAQ is introduced by the licensee to ensure the
working group understands the issues, but discussion of the FAQ may be referred to the next
meeting if participants have not had an opportunity to research the issues involved. The FAQ
will be discussed in detail, until all of the facts have been resolved and consensus has been
reached on the response. The FAQ will then be considered “Tentatively Approved,” and
typically one additional month will be allowed for reconsideration. At the following meeting the
FAQ becomes “Final.” Typically, an FAQ is introduced one month; the facts are discussed for
two or three months and a tentative decision reached; and it goes final the following month.
In cases where minor changes are necessary after final or tentative approval has occurred, the
changes can be made if representatives from both industry and NRC concur on the final wording
prior to FAQ issuance on the NRC website.
In some limited cases (involving an issue with no contention and where exigent resolution is
needed), it is possible for the ROP working group to reach immediate consensus and take the
FAQ to Final; however, this will generally be an exception.
6. Withdrawal of FAQs
A licensee may withdraw an FAQ after it has been accepted by the joint ROP Working Group.
Withdrawals must occur during an ROP Working Group monthly (approximately) meeting.
However, the ROP Working Group should further discuss and decide if a guidance issue exists in
NEI 99-02 that requires additional clarification. If additional clarification is needed then the
original FAQ should be revised to become a generic FAQ. In many cases, there are lessons
learned from the resources expended by the ROP Working Group that should be captured. In
those cases, the FAQ will be entered in the FAQ log as a generic FAQ. If there is disagreement
between the staff and industry, both positions should be articulated in the FAQ. These
withdrawn FAQs should be considered as historical and are not considered to be part of NEI 99-02. Although they do not establish precedent, they do offer insights into perspectives
of both industry and NRC staff and, as such, can inform future decisions to submit an FAQ.
7. Appeal Process
Once the facts and circumstances are agreed upon, if consensus cannot be reached after two
consecutive working group meetings, the FAQ will be referred to the NRC Director of the
Division of Inspection & Regional Support (DIRS). The director will conduct a public meeting
at which both the licensee and NRC will present their positions as well as respond to any
questions from the director. The director then will make the determination. Any additional
appeal to higher management is outside of this process and is solely at the licensee’s discretion
and initiative.
8. Promulgation and Effective Date of FAQs
Once approved by NRC, the accepted response will be posted on the NRC Website and is treated
as an extension of this guideline.
For the licensee that submitted the FAQ, the FAQ is effective when the event occurred. Unless
otherwise directed in an FAQ response, for other licensees, FAQs are to be applied to the data
submittal for the quarter following the one in which the FAQ was posted and beyond. For
example, an FAQ with a posting date of 9/30/2009 would apply to 4th quarter 2009 PI data,
submitted in January 2010 and subsequent data submittals. However, an FAQ with a posting
date of 10/1/2009 would apply on a forward fit basis to first quarter 2010 PI data submitted in
April 2010. Licensees are encouraged to check the NRC Web site frequently, particularly at the
end of the reporting period, for FAQs that may have applicability for their sites.
At the time of a revision of NEI 99-02, active FAQs will be reviewed for inclusion in the text.
These FAQs will then be placed in an “archived” file. Archived FAQs are for historical
purposes and are not considered to be part of NEI 99-02.
FAQ TEMPLATE
Plant: _________________________
Date of Event: _________________________
Submittal Date: _________________________
Licensee Contact: _________________________ Tel/email: __________________
NRC Contact: _________________________ Tel/email: __________________
Performance Indicator:
Site-Specific FAQ (see Appendix D)? (__)Yes or (__) No
FAQ requested to become effective (__) when approved or (other date) ____________
Question Section
NEI 99-02 Guidance needing interpretation (include page and line citation):
Event or circumstances requiring guidance interpretation:
If licensee and NRC resident/region do not agree on the facts and circumstances, explain:
Potentially relevant FAQs:
Response Section
Proposed Resolution of FAQ:
If appropriate, provide proposed rewording of guidance for inclusion in next revision:
PRA update required to implement this FAQ?
MSPI Basis Document update required to implement this FAQ?
Figure E-1
APPENDIX F
METHODOLOGIES FOR COMPUTING THE UNAVAILABILITY INDEX,
THE UNRELIABILITY INDEX AND COMPONENT PERFORMANCE LIMITS
This appendix provides the details of three calculations: the System Unavailability Index, the
System Unreliability Index, and component performance limits.
F 1. SYSTEM UNAVAILABILITY INDEX (UAI) DUE TO TRAIN UNAVAILABILITY
Unavailability is monitored at the train/segment level for the purpose of calculating UAI. The
process for calculation of the System Unavailability Index has three major steps:
• Identification of system trains/segments
• Collection of plant data
• Calculation of UAI
The first of these steps is performed for the initial setup of the index calculation (and if there are
significant changes to plant configuration or at the licensee’s discretion). The second step has
some parts that are performed initially and then only performed again when a revision to the
plant-specific PRA is made or changes are made to the normal preventive maintenance
practices. Other parts of the calculation are performed periodically to obtain the data elements
reported to the NRC. This section provides the detailed guidance for the calculation of UAI.
F 1.1. IDENTIFICATION OF SYSTEM TRAINS/SEGMENTS
The identification of system trains/segments is accomplished in two steps:
• Determine the system boundaries
• Identify the trains/segments within the system boundary
Simplified P&IDs can be used to document the results of this step and will also
facilitate the completion of the directions in section F2.1.1 later in this document.
F 1.1.1. MONITORED FUNCTIONS AND SYSTEM BOUNDARIES
The first step in the identification of system trains is to define the monitored functions and
system boundaries. Include all components within the system boundary that are required to
satisfy the monitored functions of the system.
The cooling water support system is a system that is calculated separately in MSPI;
however, trains/segments of other support systems (e.g., HVAC room
coolers, DC power, instrument air, etc.) that may be needed to satisfy a monitored function are
not monitored in MSPI for unavailability if the components within those trains/segments are not
included within the boundary of a monitored train/segment or the supported system.
Additional guidance for determining the impact on availability and unreliability from
unmonitored component failures can be found in Section F.2.2.2.
The monitored functions of the system are those functions in section F5 of this appendix that
have been determined to be risk-significant functions per NUMARC 93-01 and are reflected in
the PRA. If none of the functions listed in Section F5
for a system are determined to be risk significant, then:
• If only one function is listed for a system, then this function is the monitored function (for
example, CE NSSS designs use the Containment Spray system for RHR but this system is
redundant to the containment coolers and may not be risk significant. The Containment Spray
system would be monitored.)
• If multiple functions are listed for a system, the most risk significant function is the
monitored function for the system. Use the Birnbaum Importance values to determine which
function is most risk significant.
For fluid systems the boundary should extend from and include the water source (e.g., tanks,
sumps, etc.) to the injection point (e.g., RCS, Steam Generators). For example, high-pressure
injection may have both an injection mode with suction from the refueling water storage tank
and a recirculation mode with suction from the containment sump. For Emergency AC systems,
the system consists of all class 1E generators at the station (for multi-unit sites, see Unit Crosstie
Capability below).
Additional system specific guidance on system boundaries can be found in Section 5
titled “Additional Guidance for Specific Systems” at the end of this appendix.
Some common conditions that may occur are discussed below.
System Interface Boundaries
For water connections from systems that provide cooling water to a single component in a
monitored system, the final connecting valve is included in the boundary of the frontline system
rather than the cooling water system. For example, for service water that provides cooling to
support an AFW pump, only the final valve in the service water system that supplies the cooling
water to the AFW system is included in the AFW system scope. This same valve is not included
in the cooling water support system scope. The equivalent valve in the return path, if present,
will also be included in the frontline system boundary.
The impact of room cooling or other related HVAC supports is excluded from the system/train
boundary. Unavailability of these systems/components is not counted as unavailability of a
monitored system/train. The only exception to this is EDG ventilation systems that have a
shared function of both providing room cooling/ventilation and providing a flow path for EDG
combustion or exhaust. In these cases, unavailability of components that results in unavailability
of an EDG due to not having a combustion or exhaust flow path is included in EDG
unavailability.
For control functions and electrical power, the system/train boundary includes all system
dedicated relays, controllers, and contactors that support the monitored system functions, and all
dedicated voltage supply breakers (both motive and control power) and their associated control
circuits (relay contacts for normally auto actuated components, control board switches for
normally operator actuated components). If a relay, breaker, or contactor exists solely to support
the operation of a monitored train/segment, it should be considered part of the train’s/segment’s
boundary. If a relay, breaker, or contactor supports multiple trains/segments, it should not be
considered as part of the monitored train’s/segment’s boundary. For turbine driven pumps, the
system/train boundary includes the associated control system (relay contacts for normally auto
actuated components, control board switches for normally operator actuated components), the
control valve, and its voltage supply breaker. Failure or unavailability of components outside of
the system/train boundary is not counted as unavailability of the impacted system/train.
Water Sources and Inventory
Water tanks are not considered to be monitored components. As such, they do not contribute to
URI. However, since tanks can be in the train/segment boundary, periods of insufficient water
inventory contribute to UAI if they result in loss of the monitored train/segment function for the
required mission time. If additional water sources are required to satisfy train/segment mission
times, only the connecting active valve from the additional water source is considered as a
monitored component for calculating URI. If there are valves in the primary water source
that must change state to permit use of the additional water source, these valves are considered
monitored and should be included in UAI for the system.
Unit Cross-Tie Capability
At multiple unit sites, cross ties between systems frequently exist between units. For example, at a
two unit site, the Unit 1 Emergency Diesel Generators may be able to be connected to the Unit 2
electrical bus through cross tie breakers. In this case the Unit 1 EAC system boundary would end
at the cross tie breaker in Unit 1 that is closed to establish the cross-tie. The similar breaker in
Unit 2 would be the system boundary for the Unit 2 EAC system. Similarly, for fluid systems the
fluid system boundary would end at the valve that is opened to establish the cross-tie.
Common Components
Some components in a system may be common to more than one system/train/segment, in which
case the unavailability of a common component is included in all affected
systems/trains/segments.
F 1.1.2. Identification of Trains within the System
Each monitored system shall then be divided into trains/segments to facilitate the monitoring of
unavailability.
A train consists of a group of components that together provide the monitored functions of the
system described in the “additional guidance for specific mitigating systems”. The number of
trains in a system is generally determined as follows:
• For systems that provide cooling of fluids, the number of trains is determined by the number
of parallel heat exchangers, or the number of parallel pumps, or the minimum number of
parallel flow paths, whichever is fewer.
• For emergency AC power systems the number of trains is the number of class 1E emergency
(diesel, gas turbine, or hydroelectric) generators at the station that are installed to power
shutdown loads in the event of a loss of off-site power. (For example, this does not include
the diesel generator dedicated to the BWR HPCS system, which is included in the scope of
the HPCS system.)
Some components or flow paths may be included in the scope of more than one train. For
example, one set of flow regulating valves and isolation valves in a three-pump, two-steam
generator system are included in the motor-driven pump train with which they are electrically
associated, but they are also included (along with the redundant set of valves) in the turbine-driven pump train. In these instances, the effects of unavailability of the valves should be
reported in all affected trains. Similarly, when two trains provide flow to a common header, the
effect of isolation or flow regulating valve failures in paths connected to the header should be
considered in both trains.
Additional system specific guidance on train definition can be found in Section F5 titled
“Additional Guidance for Specific Systems” at the end of this appendix.
Additional guidance is provided below for the following specific circumstances that are
commonly encountered:
• Cooling Water Support Systems and Trains
• Swing Trains and Components Shared Between Units
• Maintenance Trains and Installed Spares
• Trains or Segments that Cannot Be Removed from Service.
Cooling Water Support Systems and Trains
The cooling water function is typically accomplished by multiple systems, such as service water
and component cooling water. A separate value for UAI will be calculated for each of the
systems in this indicator and then they will be added together to calculate an overall UAI value.
In addition, cooling water systems are frequently not configured in discrete trains. In this case,
the system should be divided into logical segments and each segment treated as a train. This
approach is also valid for other fluid systems that are not configured in obvious trains. The way
these functions are modeled in the plant-specific PRA will determine a logical approach for
train/segment determination. For example, if the PRA modeled separate pump and line segments
(such as suction and discharge headers), then the number of pumps and line segments would be
the number of trains.
Unit Swing trains and components shared between units
Swing trains/components are trains/components that can be aligned to any unit. To be credited
as such, their swing capability must be modeled in the PRA to provide an appropriate Fussell-Vesely value.
Maintenance Trains and Installed Spares
Some power plants have systems with extra trains to allow preventive maintenance to be
carried out with the unit at power without impacting the monitored function of the system.
That is, one of the remaining trains may fail, but the system can still perform its monitored
function. To be a maintenance train, a train must not be needed to perform the system’s
monitored function.
An "installed spare" is a component (or set of components) that is used as a replacement for other
equipment to allow for the removal of equipment from service for preventive or corrective
maintenance without impacting the number operability of trains available to achieve the
monitored function of the system. To be an "installed spare," a component must not be needed
for any train of the system to perform the monitored function. A typical installed spare
configuration is a two train system with a third pump that can be aligned to either train (both
from a power and flow perspective), but is normally not aligned and when it is not aligned
receives no auto start signal. In a two train system where each train has two 100% capacity
pumps that are both normally aligned, the pumps are not considered installed spares, but are
redundant components within that train.
Unavailability of an installed spare is not monitored unless the system is monitored in segments,
rather than trains. Trains in a system with an installed spare are not considered to be unavailable
when the installed spare is aligned to that train. In the example above, a train would be
considered to be unavailable if neither the normal component nor the spare component is aligned
to the train.
Trains or Segments that Cannot Be Removed from Service
In some normally operating systems (e.g. Cooling Water Systems), there may exist trains or
segments of the system that cannot physically be removed from service while the plant is
operating at power for the following reasons:
• Directly causes a plant trip
• Procedures direct a plant trip
• Technical Specifications requires immediate shutdown (LCO 3.0.3)
These should be documented in the Basis Document and not included in unavailability
monitoring.
F 1.2. Collection of Plant Data
Plant data for the UAI portion of the index includes:
• Actual train total unavailability (planned and unplanned) data for the most recent 12 quarter
period collected on a quarterly basis,
• Plant-specific baseline planned unavailability, and
• Generic baseline unplanned unavailability.
Each of these data inputs to UAI will be discussed in the following sections.
F 1.2.1. ACTUAL TRAIN/SEGMENT UNAVAILABILITY
The Consolidated Data Entry (CDE) inputs for this parameter are Train Planned Unavailable
Hours and Train Unplanned Unavailable Hours. Critical hours are derived from reactor startup
and shutdown occurrences. The actual calculation of Train Unavailability is performed by CDE.
Train/Segment Unavailability: Train/Segment unavailability is the ratio of the hours the
train/segment was unavailable to perform its monitored functions due to planned or unplanned
maintenance or test during the previous 12 quarters while critical to the number of critical hours
during the previous 12 quarters.
Train/Segment unavailable hours: The hours the train/segment was not able to perform its
monitored function while critical. Fault exposure hours are not included; unavailable hours are
counted only for the time required to recover the train’s/segment’s monitored functions. In all
cases, a train/segment that is considered to be OPERABLE is also considered to be available.
Trains/segments that are not OPERABLE must be returned to service in order to be considered
available. Unavailability must be by train/segment; do not use average unavailability for each
train/segment because trains/segments may have unequal risk weights.
Return to Service: Return to service is the transition from unavailable to available. A
train/segment is “returned to service” when the following conditions are met: clearance tags have
been removed, the train/segment has been aligned and prepared for operation, (e.g., valve line-up
complete, system filled and vented), further adjustment of associated equipment is not required
or expected as the result of the unavailability period, and operators concur that the train/segment
is able to perform its expected functions. For standby equipment, automatic functions are
aligned or can be promptly restored by an operator consistent with the requirements for crediting
operator recovery stated later in this section.
Planned unavailable hours: These hours include time a train or segment is removed from service
for a reason other than equipment failure or human error. Examples of activities included in
planned unavailable hours are preventive maintenance, testing, equipment modification, or any
other time equipment is electively removed from service to correct a degraded condition that had
not resulted in loss of function. Based on the plant history of previous three years, planned
baseline hours for functional equipment that is electively removed from service but could not
be planned in advance can be estimated and the basis documented. When used in the calculation
of UAI, if the planned unavailable hours are less than the baseline planned unavailable hours, the
planned unavailable hours will be set equal to the baseline value.
Unplanned unavailable hours: These hours include elapsed time between the discovery and the
restoration to service of an equipment failure or human error (such as a misalignment) that
makes the train/segment unavailable. Time of discovery of a failed monitored component is
when the licensee determines that a failure has occurred or when an evaluation determines that
the train would not have been able to perform its monitored function(s). In any case where a
monitored component has been declared inoperable due to a degraded condition, if the
component is considered available, there must be a documented basis for that determination,
otherwise a failure will be assumed and unplanned unavailability would accrue. If the component
is degraded but considered operable, timeliness of completing additional evaluations would be
addressed through the inspection process. Unavailable hours to correct discovered conditions
that render a monitored train/segment incapable of performing its monitored function
are counted as unplanned unavailable hours. An example of this is a condition discovered by an
operator on rounds, such as an obvious oil leak, that was determined to have resulted in the
equipment being non-functional even though no demand or failure actually occurred.
Unavailability due to mis-positioning of components that renders a train incapable of performing
its monitored functions is included in unplanned unavailability for the time required to recover
the monitored function.
No Cascading of Unavailability: The failure or unavailability of an SSC that is not within the
boundary of the monitored MSPI system that it supports does
not cause the supported monitored system to accrue unavailability. Although such a failure or
condition may require a monitored train or segment of the supported system to be declared
inoperable, the monitored train or segment of the supported system would not accrue
unavailability. If the monitored component of the supported system is rendered non-functional
through tag out or physical plant conditions (other than as discussed below), then unavailable
time should be accrued for the monitored train or segment of the supported system. Otherwise,
unavailability is not accrued.
Plants will sometimes disable the autostart of a supported monitored system when its support
system is out of service. For example, a diesel generator may have the start function inhibited
when the service water system that provides diesel generator cooling is removed from service.
This is done for the purposes of equipment protection. This could be accomplished by putting a
supported system’s monitored component in "maintenance" mode or by pulling the
control fuses of the supported component. If no maintenance is being performed on a component
that’s within a supported system’s monitored train/segment, and the supported system’s
train/segment is only unavailable because of a monitored support system being out of service, no
unavailability should be reported for the supported system’s train/segment. If, however,
maintenance is performed on the supported system’s monitored train/segment, then the
unavailability must be counted.
For example, if an Emergency Service Water train/segment (i.e., a monitored support system
train/segment) is unavailable, and the autostart of the associated High
Pressure Safety Injection (HPSI) pump (a monitored supported system) is disabled, there is no
unavailability to be reported for the HPSI pump; however, the ESW train/segment does accrue
unavailability. If a maintenance task to collect a lube oil sample is performed and it can be
performed with no additional tag out, no unavailability has to be reported for the HPSI pump. If,
however, the sample required an additional tag out that would make the HPSI pump unavailable,
then the time that the additional tag out was in place must be reported as planned unavailable
hours for the HPSI pump.
Additional guidance on the following topics for counting train unavailable hours is provided
below.
• Short Duration Unavailability
• Credit for Operator Recovery Actions to Restore the Monitored Function
Short Duration Unavailability
Trains are generally considered to be available during periodic system or equipment
realignments to swap components or flow paths as part of normal operations. Evolutions or
surveillance tests that result in less than 15 minutes of unavailable hours per train/segment at
a time need not be counted as unavailable hours. Licensees should compile a list of surveillances
or evolutions that meet this criterion and have it available for inspector review. The intent is to
minimize unnecessary burden of data collection, documentation, and verification because these
short durations have insignificant risk impact.
Credit for Operator Recovery Actions to Restore the Monitored Functions
1. During testing, operational alignment or return to service:
Unavailability of a monitored function during testing, operational alignment or return to
service need not be included if the test or operational alignment configuration is
automatically overridden by a valid starting signal, or the function can be promptly restored
either by an operator in the control room or by a designated operator (footnote 1) stationed locally for
that purpose. Restoration actions must be contained in a written procedure (footnote 2), must be
uncomplicated (a single action or a few simple actions), must be capable of being restored in
time to satisfy PRA success criteria, and must not require diagnosis or repair. Credit for a
designated local operator can be taken only if the operator is positioned at the proper
location throughout the duration of the test or operational alignment for the purpose of
restoration of the train should a valid demand occur. The intent of this paragraph is to allow
licensees to take credit for restoration actions that are virtually certain to be successful (i.e.,
probability nearly equal to 1) during accident conditions.
The individual performing the restoration function can be the person conducting the test or
operational alignment and must be in communication with the control room. Credit can also
be taken for an operator in the main control room provided the operator is in close
proximity to restore the equipment when needed. Normal staffing for the test or operational
alignment may satisfy the requirement for a designated operator, depending on
work assignments. In all cases, the staffing must be considered in advance and an operator
identified to perform the restoration actions independent of other control room actions that
may be required.
Under stressful, chaotic conditions, otherwise simple multiple actions may not be
accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and
landing wires; or clearing tags). In addition, some manual operations of systems designed to
operate automatically, such as manually controlling HPCI turbine to establish and control
injection flow, are not virtually certain to be successful. These situations should be resolved
on a case-by-case basis through the FAQ process.
Footnote 1: “Operator” in this circumstance refers to any plant personnel qualified and designated to perform the restoration function.
Footnote 2: Including restoration steps in an approved test procedure.
2. During maintenance
Unavailability of a monitored function during maintenance need not be included if the
monitored function can be promptly restored either by an operator in the control room or by a
designated operator (see footnote 1 below) stationed locally for that purpose. Restoration
actions must be contained in an approved procedure, must be uncomplicated (a single
action or a few simple actions), must be capable of being restored in time to satisfy PRA
success criteria and must not require diagnosis or repair. Credit for a designated local
operator can be taken only if the operator is positioned at a proper location throughout
the duration of the maintenance activity for the purpose of restoration of the train should a
valid demand occur. The intent of this paragraph is to allow licensees to take credit for
restoration of monitored functions that are virtually certain to be successful (i.e., probability
nearly equal to 1).
The individual performing the restoration function can be the person performing the
maintenance and must be in communication with the control room. Credit can also be taken
for an operator in the main control room provided the operator is in close proximity to
restore the equipment when needed. Normal staffing for the maintenance activity may
satisfy the requirement for a designated operator (footnote 1), depending on work
assignments. In all cases, the staffing must be considered in advance and an operator
identified to perform the restoration actions independent of other control room actions that
may be required.
Under stressful, chaotic conditions, otherwise simple multiple actions may not be
accomplished with the virtual certainty called for by the guidance (e.g., lifting test leads and
landing wires, or clearing tags). These situations should be resolved on a case-by-case basis
through the FAQ process.
3. During degraded conditions
In accordance with current regulatory guidance, licensees may credit limited operator actions
to determine that degraded equipment remains operable in accordance with Technical
Specifications. If a train/segment is determined to be operable, then it is also available.
Beyond this, no credit is allowed for operator actions during degraded conditions that render
the train/segment unavailable to perform its monitored functions.
Counting Unavailability when Planned and Unplanned Maintenance are Performed in the Same
Work Window
All maintenance performed in the work window should be classified with the classification for
which the work window was entered. For example, if the initial work window was caused by
unplanned maintenance then the duration of the entire work window would be classified as
unplanned even if some additional planned maintenance were added that extended the work
window. Another example is if a planned maintenance work window results in adding additional
unplanned work due to a discovered condition during the maintenance, the entire work window
duration would be classified as planned maintenance. If, however, maintenance is performed on
the monitored component, then the unavailability must be counted.
F 1.2.2. PLANT-SPECIFIC BASELINE PLANNED UNAVAILABILITY
The initial baseline planned unavailability is based on actual plant-specific values for the period
2002 through 2004. (Plant-specific values of the most recent data are used so that the
indicator accurately reflects deviation from expected planned maintenance.) These values
may change if the plant maintenance philosophy is substantially changed with
respect to on-line maintenance or preventive maintenance. In these cases, the planned
unavailability baseline value should be adjusted to reflect the current maintenance practices,
including low frequency maintenance evolutions.
Prior to implementation of an adjustment to the planned unavailability baseline value, the
impact of the adjusted values on all MSPI PRA inputs should be assessed. A change to the
PRA model and associated changes to the MSPI PRA input values is required prior to
changing the baseline unavailability if ∆CDF > 1E-8, where:
∆CDFbaseline = ∑(ΔUAi * Birnbaumi)
ΔUAi = UAcurrent – UAbaseline for segment i
UAcurrent = proposed unavailability (expressed as a probability) to be used as the new baseline
UAbaseline = the base unavailability (expressed as a probability) for 2002 – 2004
Birnbaumi = Birnbaum value of segment i
The following changes are considered a “change in plant maintenance philosophy:”
• A change in frequency or scope of a current preventative maintenance activity or
surveillance test.
• The addition of a new preventative maintenance activity or surveillance test.
• The occurrence of a periodic maintenance activity at a higher or lower frequency during a
three year data window (e.g., a maintenance overhaul that occurs once every 24 months
will occur twice two-thirds of the time and once one-third of the time). If the
unavailability hours required for the additional maintenance activity are included in the
PRA modeled unavailability, the baseline unavailability can be changed without further
assessment.
• Planned maintenance activities that occur less than once every three years (e.g., five- or
10-year overhauls). If the unavailability hours required for the additional maintenance
activity are included in the PRA-modeled unavailability, the baseline unavailability can
be changed without further assessment.
• The performance of maintenance in response to a condition-based preventive
maintenance activity.
• Performance of an on-line modification that has been determined to be consistent with
the unavailability values contained in the PRA in that the PRA includes unavailability
hours for the proposed modification, and current maintenance and testing programs; and
the hours in the MSPI UA baseline do not reflect this total unavailability.
The following changes are not considered a “change in plant maintenance philosophy:”
• The performance of maintenance in response to a degraded condition (even when it is
taken out of service to address the degraded condition) unless this action is in response to
a condition-based preventive maintenance activity.
• Planned maintenance activity that exceeds its planned duration.
• The performance of an online modification that does not meet the change in plant
maintenance philosophy online modification criterion.
Note: Condition-based maintenance consists of periodic preventive maintenance tasks or online
monitoring of the health or condition of a component (e.g., vibration analysis, oil analysis,
MOVAT) and predefined acceptance criteria where corrective action is to be taken on exceeding
these criteria. Condition-based maintenance does not include discovery of a degraded condition
as a result of actions that are outside of the maintenance programs.
Some significant maintenance evolutions, such as EDG overhauls, are performed at an interval
greater than the three year monitoring period (5 or 10 year intervals). The baseline planned
unavailability should be revised as necessary in the basis document during the quarter prior to
the planned maintenance evolution and then removed after twelve quarters. A comment should
be placed in the comment field of the quarterly report to identify a substantial change in planned
unavailability. The comments automatically generated by CDE when PRA coefficients are
changed do not fulfill this requirement. The plant must generate a plant-specific comment that
describes what was changed. The baseline value of planned unavailability is changed at the
discretion of the licensee to ensure the baseline is consistent with the current maintenance
philosophy of the plant. Revised values will be used in the calculation the quarter following the
basis document revision.
To determine the initial value of planned unavailability:
1) Record the total train unavailable hours reported under the Reactor Oversight Process for
2002-2004.
2) Subtract any fault exposure hours still included in the 2002-2004 period.
3) Subtract unplanned unavailable hours.
4) Add any on-line overhaul hours (footnote 1) and any other planned unavailability previously excluded
under SSU in accordance with NEI 99-02, but not excluded under the MSPI. Short duration
unavailability, for example, would not be added back in because it is excluded under both
SSU and MSPI.
5) Add any planned unavailable hours for functions monitored under MSPI which were not
monitored under SSU in NEI 99-02.
6) Subtract any unavailable hours reported when the reactor was not critical.
7) Subtract hours cascaded onto monitored systems by support systems. (However, do not
subtract any hours already subtracted in the above steps.)
8) Divide the hours derived from steps 1-7 above by the total critical hours during 2002-2004.
This is the baseline planned unavailability.
Support cooling planned unavailability baseline data is based on plant-specific
maintenance rule unavailability for years 2002-2004. Maintenance Rule practices do not
typically differentiate planned from unplanned unavailability. However, best efforts will be made
to differentiate planned and unplanned unavailability during this time period.
If maintenance practices at a plant have changed since the baseline years (e.g. increased
planned online maintenance due to extended AOTs), then the baseline values should be
adjusted to reflect the current maintenance practices and the basis for the adjustment
documented in the plant’s MSPI Basis Document.
F 1.2.3. GENERIC BASELINE UNPLANNED UNAVAILABILITY
The unplanned unavailability values are contained in Table 1 and remain fixed. They are based
on ROP PI industry data from 1999 through 2001. (Most baseline data used in PIs come from
the 1995-1997 time period. However, in this case, the 1999-2001 ROP data are preferable,
because the ROP data breaks out systems separately. Some of the industry 1995-1997 INPO data
combine systems, such as HPCI and RCIC, and do not include PWR RHR. It is important to
note that the data for the two periods is very similar.)
Table 1. Historical Unplanned Unavailability Train Values
(Based on ROP Industry-wide Data for 1999 through 2001)
SYSTEM | UNPLANNED UNAVAILABILITY/TRAIN
EAC * | 1.7 E-03
PWR HPSI | 6.1 E-04
PWR AFW (TD) | 9.1 E-04
PWR AFW (MD) | 6.9 E-04
PWR AFW (DieselD) | 7.6 E-04
PWR (except CE) RHR | 4.2 E-04
CE RHR | 1.1 E-03
BWR HPCI** | 3.3 E-03
BWR HPCS | 5.4 E-04
BWR FWCI | Use plant-specific Maintenance Rule data for 2002-2004
BWR RCIC | 2.9 E-03
BWR IC | 1.4E-03
BWR RHR | 1.2 E-03
Support Cooling | Use plant-specific Maintenance Rule data for 2002-2004
* Oconee to use EAC plant-specific Maintenance Rule data for 2002-2004
** Oyster Creek to use Core Spray plant-specific Maintenance Rule data for 2002-2004
Footnote 1: Note: The plant-specific PRA should model significant on-line overhaul hours.
Generic Baseline Unplanned Unavailability for Front Line systems divided into segments for
unavailability monitoring
If a front line system is divided into segments rather than trains, the following approach is
followed for determining the generic unplanned unavailability:
1. Determine the number of trains used for SSU unavailability reporting that was in use
prior to MSPI.
2. Multiply the appropriate value from Table 1 by the number of trains determined in (1).
3. Take the result and distribute it among the MSPI segments, such that the sum is equal to
(2) for the whole MSPI system.
Unplanned unavailability baseline data for the support cooling systems should be developed
from plant-specific Maintenance Rule data from the period 2002-2004. Maintenance
Rule practices do not typically differentiate planned from unplanned unavailability. However,
best efforts will be made to differentiate planned and unplanned unavailability during this time
period. NOTE: The sum of planned and unplanned unavailability cannot exceed the total
unavailability.
F 1.3. CALCULATION OF UAI
The specific formula for the calculation of UAI is provided in this section. Each term in the
formula will be defined individually and specific guidance provided for the calculation of each
term in the equation. Required inputs to the INPO Consolidated Data Entry (CDE) System will
be identified.
Calculation of System UAI due to train/segment unavailability is as follows:
$$UAI = \sum_{j=1}^{n} UAI_{tj} \qquad \text{Eq. 1}$$
where the summation is over the number of trains/segments (n) and UAIt is the unavailability
index for a train/segment.
Calculation of UAIt for each train/segment due to actual train/segment unavailability is as
follows:
$$UAI_t = CDF_p \left[\frac{FV_{UAp}}{UA_p}\right]_{max} (UA_t - UA_{BLt}), \qquad \text{Eq. 2}$$
where:
CDFp is the plant-specific Core Damage Frequency,
FVUAp is the train/segment-specific Fussell-Vesely value for unavailability,
UAp is the plant-specific PRA value of unavailability for the train/segment,
UAt is the actual unavailability of train/segment t, defined as:
$$UA_t = \frac{\text{Unavailable hours (planned and unplanned) during the previous 12 quarters while critical}}{\text{Critical hours during the previous 12 quarters}}$$
and, determined in section 1.2.1
UABLt is the historical baseline unavailability value for the train/segment (sum of
planned unavailability determined in section 1.2.2 and unplanned unavailability in
section 1.2.3)
A method for calculation of the quantities in equation 2 from importance measures calculated
using cutsets from an existing PRA solution is discussed in sections F 1.3.1 through F 1.3.3.
An alternate approach, based on re-quantification of the PRA model, and calculation of the
importance measures from first principles is also an acceptable method. Guidance on this
alternate method is contained in section F6 of this appendix. A plant using this alternate
approach should use the guidance in section F6 and skip sections F 1.3.1 through F 1.3.3.
F 1.3.1. TRUNCATION LEVELS
The values of importance measures calculated using an existing cutset solution are influenced by
the truncation level of the solution. The truncation level chosen for the solution should be 7
orders of magnitude less than the baseline CDF for the alternative defined in sections F 1.3.2 and
F 1.3.3.
As an alternative to using this truncation level, the following sensitivity study may be performed
to establish the acceptability of a higher (e.g. 6 orders of magnitude) truncation level.
1. Solve the model at the truncation level you intend to use (e.g. 6 orders of magnitude
below the baseline CDF).
2. Identify the limiting Birnbaum value for each train/component (this is the case 1
value).
3. Solve the model again with a truncation 10 times larger (e.g. 5 orders of magnitude
below the baseline CDF).
4. Identify the limiting Birnbaum value for each train/component (this is the case 2 value).
For each component with Birnbaum-case 1 greater than 1.0E-06 calculate the ratio
[(Birnbaum-case 2)/(Birnbaum-case 1)].
5. If the value for the calculated ratio is greater than 0.8 for all components with Birnbaum-case 1
value greater than 1.0E-06, then the case 1 truncation level may be used for this
analysis.
This process may need to be repeated several times with successively lower truncation levels to
achieve acceptable results.
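The sensitivity study above can be scripted once the limiting Birnbaum values have been exported from each cutset solution. The following is an added example, not part of NEI 99-02: the component names, the Birnbaum values and the function names are constructed for illustration, and the input dictionaries are assumed to already hold the limiting value per train/component.

```python
"""Truncation-level sensitivity check from section F 1.3.1 (added example).

Birnbaum values below are constructed sample data, not from any plant PRA.
"""

BIRNBAUM_SCREEN = 1.0e-06  # only components above this case 1 value are tested
RATIO_LIMIT = 0.8          # (case 2 / case 1) must be greater than this


def default_truncation(baseline_cdf):
    """Default truncation level: 7 orders of magnitude below the baseline CDF."""
    return baseline_cdf * 1.0e-07


def sensitivity_check(case1, case2):
    """Compare limiting Birnbaum values from two cutset solutions.

    case1: {component: Birnbaum} at the truncation level intended for use.
    case2: {component: Birnbaum} at a truncation 10 times larger.
    Returns (acceptable, ratios), where ratios holds case2/case1 for every
    component whose case 1 Birnbaum value exceeds the 1.0E-06 screen.
    """
    ratios = {}
    for component, b1 in case1.items():
        if b1 <= BIRNBAUM_SCREEN:
            continue  # below the screen: not part of the acceptance test
        # A component truncated out of the case 2 solution has no Birnbaum
        # value there; treat it as zero so the ratio fails the test.
        b2 = case2.get(component, 0.0)
        ratios[component] = b2 / b1
    # With no component above the screen the test passes vacuously.
    acceptable = all(r > RATIO_LIMIT for r in ratios.values())
    return acceptable, ratios


def first_acceptable_level(solutions):
    """Repeat the study at successively lower truncation levels.

    solutions: {orders_below_cdf: {component: Birnbaum}}.
    Each level k is tested as case 1 against level k-1 (10 times larger
    truncation) as case 2. Returns the first k that passes, or None.
    """
    for k in sorted(solutions):
        if k - 1 not in solutions:
            continue  # no 10x-larger solution to compare against
        acceptable, _ = sensitivity_check(solutions[k], solutions[k - 1])
        if acceptable:
            return k
    return None


# Constructed sample: limiting Birnbaum values at 5, 6 and 7 orders of
# magnitude below the baseline CDF. SW-A is truncated out at 5 orders.
SAMPLE_SOLUTIONS = {
    5: {"EDG-A": 2.0e-05, "HPSI-A": 1.5e-06},
    6: {"EDG-A": 2.2e-05, "HPSI-A": 2.5e-06, "SW-A": 4.0e-07},
    7: {"EDG-A": 2.25e-05, "HPSI-A": 2.7e-06, "SW-A": 5.0e-07},
}

if __name__ == "__main__":
    ok, ratios = sensitivity_check(SAMPLE_SOLUTIONS[6], SAMPLE_SOLUTIONS[5])
    print("6 orders acceptable:", ok, ratios)
    print("first acceptable level:", first_acceptable_level(SAMPLE_SOLUTIONS))
```

In the sample, the 6-order solution fails because the HPSI-A ratio is 0.6, so the study is repeated one level lower and the 7-order solution passes.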
F 1.3.2. CALCULATION OF CORE DAMAGE FREQUENCY (CDFP)
The Core Damage Frequency is a CDE input value. The required value is the internal events,
average maintenance, at power value. Internal flooding and external events, including
internal fire are not included in this calculated value. All inputs to this indicator
from the PRA are calculated from the internal events model only.
F 1.3.3. CALCULATION OF [FV/UA]MAX FOR EACH TRAIN
FV and UA are separate CDE input values. Equation 2 includes
a term that is the ratio of a Fussell-Vesely importance value divided by the related
unavailability or probability. This ratio is calculated for each train/segment in the system and
both the FV and UA are CDE inputs. (It may be recognized that the quantity [FV/UA]
multiplied by the CDF is the Birnbaum importance measure, which is used in section 2.3.3.)
Calculation of these quantities is generally complex, but in the specific application used here, can
be greatly simplified.
The simplifying feature of this application is that only those components (or the associated
basic events) that can make a train unavailable are considered in the performance index. A
simplifying assumption is made that components within a train that can each
make the train unavailable are logically equivalent and the ratio FV/UA is a constant value for
any basic event in that train. It can also be shown that for a given component or train represented
by multiple basic events, the ratio of the two values for the component or train is equal to the
ratio of values for any basic event within the train. Or:
$$\frac{FV_{be}}{UA_{be}} = \frac{FV_{UAp}}{UA_p} = \text{Constant}$$
Thus, the process for determining the value of this ratio for any train/segment is to identify a
basic event that fails the train, determine the probability for the event, determine the associated
FV value for the event and then calculate the ratio.
The set of basic events to be considered for use in this section will obviously include any test
and maintenance (T&M) events applicable to the train/segment under consideration. Basic
events that represent failure on demand that are logically equivalent to the test and maintenance
events should also be considered. (Note that many PRAs use logic that does not allow T&M
events for multiple trains to appear in the same cutset because this condition is prohibited by
Technical Specifications. For PRAs that use this approach, failure on demand events will not be
logically equivalent to the T&M events, and only the T&M events should be considered.)
Failure to run events and valve transfer open/close events should not be considered as they are
often not logically equivalent to test and maintenance events. Use the basic event from this set
that results in the largest ratio (hence the maximum notation on the bracket) to minimize the
effects of truncation on the calculation. If all events for the train/segment have been truncated,
either a lower truncation value or the method provided in section F.6 should be used.
Some systems have multiple modes of operation, such as PWR HPSI systems that operate in
injection as well as recirculation modes. In these systems all monitored components are not
logically equivalent; unavailability of the pump may fail all operating modes while
unavailability of the sump suction valves may only fail the recirculation mode. In
cases such as these, if unavailability events exist separately for the components within a train,
the appropriate ratio to use is the maximum.
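Equations 1 and 2, together with the rule of taking the largest FV/UA ratio among the candidate basic events for a train/segment, can be worked through as follows. This is an added example, not part of NEI 99-02: the class and function names, the event names and every number are constructed, except the 6.1E-04 unplanned baseline, which is the Table 1 value for PWR HPSI.

```python
"""UAI from Equations 1 and 2 with the [FV/UA]max rule (added example).

All inputs are constructed sample values, not data from any plant PRA.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BasicEvent:
    name: str
    fv: Optional[float]  # Fussell-Vesely value; None if truncated out
    ua: float            # basic event probability used in the PRA


@dataclass
class Train:
    name: str
    events: List[BasicEvent]   # T&M and logically equivalent events
    planned_hours: float       # unavailable hours while critical, 12 quarters
    unplanned_hours: float
    critical_hours: float      # critical hours, previous 12 quarters
    baseline_planned: float    # section F 1.2.2 value
    baseline_unplanned: float  # section F 1.2.3 value


def max_fv_ua(events: List[BasicEvent]) -> Tuple[float, BasicEvent]:
    """Return the largest FV/UA ratio and the basic event that produced it."""
    candidates = [e for e in events if e.fv is not None and e.ua > 0]
    if not candidates:
        # All events truncated: a lower truncation value or the section F.6
        # method is needed; no ratio can be formed from this solution.
        raise ValueError("all candidate basic events are truncated")
    best = max(candidates, key=lambda e: e.fv / e.ua)
    return best.fv / best.ua, best


def actual_unavailability(train: Train) -> float:
    """UAt: unavailable hours while critical divided by critical hours."""
    if train.critical_hours <= 0:
        raise ValueError("critical hours must be positive")
    return (train.planned_hours + train.unplanned_hours) / train.critical_hours


def train_uai(cdf: float, train: Train) -> float:
    """Equation 2: UAIt = CDFp * [FV/UA]max * (UAt - UABLt)."""
    ratio, _ = max_fv_ua(train.events)
    ua_bl = train.baseline_planned + train.baseline_unplanned
    return cdf * ratio * (actual_unavailability(train) - ua_bl)


def system_uai(cdf: float, trains: List[Train]) -> float:
    """Equation 1: sum of UAIt over the trains/segments of the system."""
    return sum(train_uai(cdf, t) for t in trains)


# Constructed sample: a two-train HPSI system.
CDF_P = 2.0e-05
TRAINS = [
    Train("HPSI-A",
          [BasicEvent("HPSI-A-TM", 3.0e-03, 6.0e-03),    # ratio 0.5
           BasicEvent("HPSI-A-FTS", 1.2e-03, 2.0e-03)],  # ratio 0.6
          planned_hours=120.0, unplanned_hours=30.0, critical_hours=25000.0,
          baseline_planned=4.0e-03, baseline_unplanned=6.1e-04),
    Train("HPSI-B",
          [BasicEvent("HPSI-B-TM", 2.0e-03, 5.0e-03),    # ratio 0.4
           BasicEvent("HPSI-B-FTS", None, 2.0e-03)],     # truncated out
          planned_hours=80.0, unplanned_hours=0.0, critical_hours=25000.0,
          baseline_planned=4.0e-03, baseline_unplanned=6.1e-04),
]

if __name__ == "__main__":
    for t in TRAINS:
        ratio, event = max_fv_ua(t.events)
        print(t.name, event.name, ratio, train_uai(CDF_P, t))
    print("system UAI:", system_uai(CDF_P, TRAINS))
```

Because FV and UA are entered separately, the function also returns the basic event that produced the maximum ratio, so that the FV and UA of that same event are the ones carried forward.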
F 1.3.4. CORRECTIONS TO FV/UA RATIO
Treatment of PRA Modeling Asymmetries
In systems with rotated normally running pumps (e.g. cooling water systems), the
PRA models may assume one pump is always the running pump
and another is in standby. For example, a service water system may have two 100% capacity
pumps in one train, an A and B pump. In practice the A and B pumps are rotated and each one is
the running pump 50% of the time. In the PRA model however, the A pump is assumed to be
always running and the B pump is assumed to be in standby. This will result in one
pump appearing to be more important than the other when they are, in fact, of equal importance.
This asymmetry in importance is driven by the assumption in the PRA, not the design of the
plant.
In the case where the system is known to be symmetric in importance, for calculation of UAI, the
importance measures for each train, or segment, should be averaged and the average applied to
each train or segment. Care should be taken when applying this method to be sure the system is
actually symmetric.
If the system is not symmetric and the capability exists to specify a specific alignment in the
PRA model, the model should be solved in each specific
alignment and the importance measures for the different alignments combined by a weighted
average based on the estimated time each specific alignment is used in the plant.
Cooling Water and Service Water System [FV/UA]max Values
Component Cooling Water Systems (CCW) and Service Water Systems (SWS) at some nuclear
stations contribute to risk in two ways. First, the systems provide cooling to equipment used for
the mitigation of events and second, the failures (and unavailability) in the systems may also
result in the initiation of an event. The contribution to risk from failures to provide cooling to
other plant equipment is modeled directly through dependencies in the PRA model. However,
the contribution due to event initiation is treated in four general ways in current PRAs:
1) The use of linked initiating event fault trees for these systems with the same basic event
names used in the initiator and mitigation trees.
2) The use of linked initiating event fault trees for these systems with different basic event
names used in the initiator and mitigation trees.
3) Fault tree solutions are generated for these systems external to the PRA and the calculated
value is used in the PRA as a point estimate.
4) A point estimate value is generated for the initiator using industry and plant-specific
event data and used in the PRA.
Each of these methods is discussed below.
Modeling Method 1
If a PRA uses the first modeling option, then the FV values calculated will reflect the total
contribution to risk for a component in the system. No additional correction to the FV values is
required.
Modeling Methods 2 and 3
The corrected ratio may be calculated as described for modeling method 4 or by the method
described below.
If a linked initiating event fault tree with different basic events used in the initiator and
mitigation trees is the modeling approach taken, or fault tree solutions are generated for these
systems external to the PRA and the calculated value is used in the PRA as a point estimate, then
the corrected ratio is given by:
$$[FV/UA]_{corr} = \frac{FV_c}{UA_c} + \sum_{m=1}^{i} \left[\frac{IE_{m,n}(1) - IE_{m,n}(0)}{IE_{m,n}(q_n)}\right] * FV_{iem}.$$
In this expression the summation is taken over all system initiators i that involve component n,
where
FVc is the Fussell-Vesely for component C as calculated from the PRA Model. This does
not include any contribution from initiating events,
UAc is the basic event probability used in computing FVc; i.e. in the system response
models,
IEm,n(qn) is the system initiator frequency of initiating event m when the component n
unreliability basic event is qn. The event chosen in the initiator tree should represent the
same failure mode for the component as the event chosen for UAc,
IEm,n(1) is as above but qn=1,
IEm,n(0) is as above but qn=0
and
FViem is the Fussell-Vesely importance contribution for the initiating event m to the
CDF.
Since FV and UA are separate CDE inputs, use UAc and calculate FV from
FV = UAc * [FV / UA]corr
Modeling Method 4
If a point estimate value is generated for the initiator using industry and plant-specific
event data and used in the PRA, then the corrected [FV/UA]MAX for a component C is calculated
from the expression:
[ FV / UA]MAX = [( FVc + FVie * FVsc) / UAc]
Where:
FVc is the Fussell-Vesely for CDF for component C as calculated from the PRA Model.
This does not include any contribution from initiating events.
FVie is the Fussell-Vesely contribution for the initiating event in question (e.g. loss of
service water).
FVsc is the Fussell-Vesely within the system fault tree only for component C (i.e. the
ratio of the sum of the cut sets in the fault tree solution in which that component appears
to the overall system failure probability). Note that this may require the construction of a
“satellite” system fault tree to arrive at an exact or approximate value for FVsc depending
on the support system fault tree logic.
UAc is the basic event probability used in computing FVc, i.e., in the system response
models.
FV and UA are separate CDE input values.
F 2. SYSTEM UNRELIABILITY INDEX (URI) DUE TO COMPONENT UNRELIABILITY
Calculation of the URI is performed in three major steps:
• Identification of the monitored components for each system,
• Collection of plant data, and
• Calculation of the URI.
Only the most risk significant components in each system are monitored to minimize the burden
for each utility. It is expected that most, if not all the components identified for monitoring are
already being monitored for failure reporting to INPO and are also monitored in accordance with
the maintenance rule.
Monitored Component: A component whose failure to change state or remain running renders
the train incapable of performing its monitored functions. In addition, all pumps and diesels in
the monitored systems are included as monitored components.
F 2.1. IDENTIFY MONITORED COMPONENTS
The identification of monitored components involves the use of the system boundaries and
success criteria, identification of the components to be monitored within the system boundary
and the scope definition for each component. Note that the system boundary defined in section
1.1.1 defines the scope of equipment monitored for unavailability. Only selected components
within this boundary are chosen for unreliability monitoring. The first step in identifying these
selected components is to identify the system success criteria.
F 2.1.1. SUCCESS CRITERIA
The system boundaries and monitored functions developed in section F 1.1.1 should be used to
complete the steps in the following section.
For each system, the monitored functions shall be identified. Success criteria used in the PRA
shall then be identified for these functions.
If the licensee has chosen to use success criteria documented in the plant-specific
PRA that are different from design basis success criteria, examples of plant-specific
performance factors that should be used to identify the required capability of the train/system
to meet the monitored functions are provided below.
• Actuation
  o Time
  o Auto/manual
  o Multiple or sequential
• Success requirements
  o Numbers of components or trains
  o Flows
  o Pressures
  o Heat exchange rates
  o Temperatures
  o Tank water level
• Other mission requirements
  o Run time
  o State/configuration changes during mission
• Accident environment from internal events
  o Pressure, temperature, humidity
• Operational factors
  o Procedures
  o Human actions
  o Training
  o Available externalities (e.g., power supplies, special equipment, etc.)
If the licensee has chosen to use design basis success criteria in the PRA, it is not required to
separately document them other than to indicate that is what was used. If success criteria from
the PRA are different from the design basis, then the specific differences from the design basis
success criteria shall be documented in the basis document.
If success criteria for a system vary by function or initiator, the most restrictive set will be used
for the MSPI. Success criteria related to ATWS need not be considered.
PRA analyses (e.g. operator action timing requirements) are
sometimes based on thermal-hydraulic calculations that account for the best estimate physical
capability of a system. These calculations should not be confused with calculations that are
intended to establish system success criteria. For example, a pump’s flow input for PRA
thermal-hydraulic calculations may be based on its actual pump curve showing 12,000 gpm at runout
while the design basis minimum flow for the pump is 10,000 gpm. The 10,000 gpm value should
be used for determination of success or failure of the pump for this indicator. This prevents the
scenario of a component or system being operable per Technical Specifications and design basis
requirements but unavailable or failed under this indicator.
F 2.1.2. SELECTION OF COMPONENTS
For unreliability, use the following process for determining those components that should be
monitored. These steps should be applied in the order listed.
1) INCLUDE all pumps (except EDG fuel oil transfer pumps, which are part of the EDG
super-component) and emergency power generators.
2) Identify all AOVs, SOVs, HOVs and MOVs that change state to achieve the monitored
functions for the system as potential monitored components. Solenoid and Hydraulic valves
identified for potential monitoring are only those in the process flow path of a fluid system.
Solenoid valves that provide air to AOVs are considered part of the AOV. Hydraulic valves
that are control valves for turbine driven pumps are considered part of the pump and are not
monitored separately. Check valves and manual valves are not included in the index.
   a. INCLUDE those valves from the list of valves from step 2 whose failure alone can
   fail a train/segment. The success criteria used to identify these valves are those
   identified in the previous section. (See Figure F-5)
   b. INCLUDE redundant valves from the list of valves from step 2 within a multi-train
   system, whether in series or parallel, where the failure of both valves would prevent
   all trains/segments in the system from performing a monitored function. The success
   criteria used to identify these valves are those identified in the previous section. (See
   Figure F-5)
3) INCLUDE components that cross tie monitored systems between units (i.e. Electrical
Breakers and Valves) if they are modeled in the PRA.
4) EXCLUDE those valves and breakers from steps 2 and 3 above whose Birnbaum importance
(see section F 2.3.5), as calculated in this appendix (including adjustment for support system
initiator, if applicable, and common cause), is less than 1.0E-06. This rule is applied at the
discretion of the individual plant. A balance should be considered in applying this rule
between the goal to minimize the number of components monitored and having a large
enough set of components to have an adequate data pool. If a decision is made to exclude
some valves based on low Birnbaum values, but not all, to ensure an adequate data pool, then
the valves eliminated from monitoring shall be those with the smallest Birnbaum values.
Symmetric valves in different trains should be all eliminated or all retained.
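The four selection steps above can be expressed as a small screening routine. This is an added illustration, not code from NEI or CDE: the component records, field names, sample Birnbaum values and the `min_screenable` data-pool floor are all constructed, and retaining a symmetric group whenever any member is at or above the threshold is an assumption about how "all eliminated or all retained" is applied.

```python
BIRNBAUM_SCREEN = 1.0e-06                      # step 4 threshold stated in the text
ALWAYS_MONITORED = {"pump", "emergency_generator"}
POWER_OPERATED = {"AOV", "SOV", "HOV", "MOV"}  # valve types named in step 2


def is_candidate(c):
    """Steps 1-3: is this component a potential monitored component?"""
    kind = c["kind"]
    if kind in ALWAYS_MONITORED:                       # step 1
        return True
    if kind in ("edg_fuel_oil_transfer_pump", "check_valve", "manual_valve"):
        return False                                   # EDG super-component / not in the index
    if c.get("cross_tie"):                             # step 3: only if modeled in the PRA
        return bool(c.get("modeled_in_pra"))
    if kind in POWER_OPERATED and c.get("changes_state"):
        # Solenoid and hydraulic valves count only in the process flow path.
        if kind in ("SOV", "HOV") and not c.get("in_process_flow_path"):
            return False
        # Steps 2a and 2b.
        return bool(c.get("fails_train_alone") or c.get("redundant_pair_fails_all"))
    return False


def select_monitored(components, apply_screen=True, min_screenable=0):
    """Return sorted ids of monitored components.

    apply_screen   -- step 4 is applied at the plant's discretion
    min_screenable -- hypothetical floor on valves/breakers kept for the data pool
    """
    candidates = [c for c in components if is_candidate(c)]
    if not apply_screen:
        return sorted(c["id"] for c in candidates)
    screenable = [c for c in candidates if c["kind"] not in ALWAYS_MONITORED]
    # Symmetric valves in different trains are eliminated or retained together.
    groups = {}
    for c in screenable:
        groups.setdefault(c.get("symmetric_group", c["id"]), []).append(c)
    # Assumption: a group may be dropped only if every member is below the threshold.
    eligible = [g for g in groups.values()
                if all(m["birnbaum"] < BIRNBAUM_SCREEN for m in g)]
    # Smallest Birnbaum values are eliminated first.
    eligible.sort(key=lambda g: max(m["birnbaum"] for m in g))
    excluded, remaining = set(), len(screenable)
    for g in eligible:
        if remaining - len(g) < min_screenable:
            break                                      # keep an adequate data pool
        excluded.update(m["id"] for m in g)
        remaining -= len(g)
    return sorted(c["id"] for c in candidates if c["id"] not in excluded)


# Constructed sample system (ids and values are illustrative only).
SAMPLE = [
    {"id": "P-1A", "kind": "pump"},
    {"id": "EDG-A", "kind": "emergency_generator"},
    {"id": "FOTP-A", "kind": "edg_fuel_oil_transfer_pump"},
    {"id": "MOV-10A", "kind": "MOV", "changes_state": True, "fails_train_alone": True,
     "birnbaum": 2.0e-07, "symmetric_group": "MOV-10"},
    {"id": "MOV-10B", "kind": "MOV", "changes_state": True, "fails_train_alone": True,
     "birnbaum": 3.0e-07, "symmetric_group": "MOV-10"},
    {"id": "MOV-20A", "kind": "MOV", "changes_state": True, "redundant_pair_fails_all": True,
     "birnbaum": 5.0e-07, "symmetric_group": "MOV-20"},
    {"id": "MOV-20B", "kind": "MOV", "changes_state": True, "redundant_pair_fails_all": True,
     "birnbaum": 2.0e-06, "symmetric_group": "MOV-20"},
    {"id": "AOV-30", "kind": "AOV", "changes_state": True, "fails_train_alone": True,
     "birnbaum": 8.0e-08},
    {"id": "SOV-40", "kind": "SOV", "changes_state": True, "in_process_flow_path": False,
     "fails_train_alone": True, "birnbaum": 1.0e-05},   # air supply to an AOV
    {"id": "CV-50", "kind": "check_valve"},
    {"id": "MOV-70", "kind": "MOV", "changes_state": True, "birnbaum": 9.0e-06},
    {"id": "BKR-60", "kind": "breaker", "cross_tie": True, "modeled_in_pra": True,
     "birnbaum": 5.0e-06},
]

if __name__ == "__main__":
    print(select_monitored(SAMPLE))
    print(select_monitored(SAMPLE, min_screenable=5))
```

With the data-pool floor set, only the lowest-importance valve is dropped and the MOV-10 pair stays in, because removing both would leave too few valves and breakers.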
F 2.1.3. DEFINITION OF COMPONENT BOUNDARIES
Table 2 defines the boundaries of components, and Figures F-1, F-2, F-3 and F-4 provide
examples of typical component boundaries as described in Table 2.
Table 2. Component Boundary Definition
Component | Component boundary
Diesel Generators | The diesel generator boundary includes the generator body, generator actuator, lubrication system (local), fuel system (local), fuel oil transfer pumps/valves,[1] cooling components (local), startup air system receiver, exhaust and combustion air system, dedicated diesel battery (which is not part of the normal DC distribution system), individual diesel generator control system, cooling water isolation valves, circuit breaker for supply to safeguard buses and their associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
Motor-Driven Pumps | The pump boundary includes the pump body, motor/actuator, lubrication system, cooling components of the pump seals, the voltage supply breaker, and its associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
Turbine-Driven Pumps | The turbine-driven pump boundary includes the pump body, turbine/actuator, lubrication system (including pump), extractions, turbo-pump seal, cooling components, and associated control system (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*) including the control valve.
Motor-Operated Valves | The valve boundary includes the valve body, motor/actuator, the voltage supply breaker (both motive and control power) and its associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
Solenoid Operated Valves | The valve boundary includes the valve body, the operator, the supply breaker (both power and control) or fuse and its associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
Hydraulic Operated Valves | The valve boundary includes the valve body, the hydraulic operator, associated local hydraulic system, associated solenoid operated valves, the power supply breaker or fuse for the solenoid valve, and its associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
Air-Operated Valves | The valve boundary includes the valve body, the air operator, associated solenoid-operated valve, the power supply breaker or fuse for the solenoid valve, and its associated control circuit (relay contacts for normally auto actuated components, control board switches for normally operator actuated components*).
*Note: If the control circuit for any normally auto actuated component includes the control board switch and a failure of the control
board switch prevents auto actuation of the component, it is considered to be a failure of the control circuit within the component
boundary.
For control and motive power, supporting components as described in INPO 98-01 should be
included in the monitored component boundary. In other words, if the relay, breaker or contactor
exists solely to support the operation of the monitored component, it should be considered part of
the component boundary. If a relay, breaker or contactor supports multiple components, it
should not be considered as part of the monitored component boundary. If a relay/switch
supports operation of several monitored components, failure of relay/switch would not be
considered an MSPI failure. However, failure of individual contacts on the relay/switch, which
each support a single monitored component, would be considered a failure of the monitored
component.
[1] The word “valves” is included here for plants with a gravity-fed fuel oil transfer system. For these designs, the valve serves the function
fulfilled by the FOTP in pump-fed designs.
Example 1: If a limit switch in an MOV fails to make-up, which fails an interlock and prevents a
monitored pump from starting, and the limit switch has no other function, a failure to start should
be assigned to the pump. If the limit switch prevents both the pump and another monitored valve
from functioning, no MSPI failures would be assigned.
Example 2: If a relay prevents an MOV from closing and the relay performs no other function,
an MOV failure would be assigned, assuming failure to close is a monitored function of the
valve. If the MOV also has a limit switch interlocked with another monitored component, the
presence of the limit switch should not be interpreted as the relay having multiple functions to
preclude assigning a failure. If, in addition to the relay failure, there were a separate failure of
the limit switch, both an MOV and pump failure would be assigned.
Example 3: If a relay/switch supports operation of several monitored components, failure of
relay/switch would not be considered an MSPI failure. However, failure of individual contacts
on the relay, which each support a single monitored component, would be considered a failure of
the monitored component.
If a system is designed to auto start, and a control circuit failure results in the monitored
component not being capable of auto starting (whatever component actually fails), it is a failure
to start. If a system is designed to auto start, and a manual start fails, it is not an MSPI failure
unless the auto start feature would also have been affected (discovered condition). Control
switches (either in the control room or local) that provide the primary means for actuating a
component are monitored as part of the component they actuate.
Each plant will determine its monitored components and have them available for NRC
inspection.
F 2.2. COLLECTION OF PLANT DATA
Plant data for the URI includes:
• Demands and run hours
• Failures
F 2.2.1. DEMANDS AND RUN HOURS
There are two methods that can be used to calculate the number of demands and run hours for
use in the URI: the use of actual demands and run hours, and the use of estimated
demands and run hours. Best judgment should be used to define each category of demands, but
strict segregation of demands between each category is not as important as the validity of the total
number of demands and run hours.
For MSPI monitored components, the duty cycle (demand or run hour) categories shown in
Table 3 are reported to CDE to support the URI derivation.
Table 3. Required Duty Cycle Categories by Component Type
Component Type | Duty Cycle Categories Required
All valves and circuit breakers | Demands
All pumps | Demands; Run Hours
All Emergency Power Generators (both diesel and hydro electric) | Start Demands; Load Run Demands; Run Hours
Demands (including start demands for the emergency power generators) are defined as any
requirements for the component to successfully start (pumps and emergency power generators)
or open or close (valves and circuit breakers). Exclude post maintenance test demands, unless in
case of a failure, the cause of the failure was independent of the maintenance performed. In this
case the demand may be counted as well as the failure. Post maintenance tests are tests
performed following maintenance but prior to declaring the train/component operable, consistent
with Maintenance Rule implementation. Some monitored valves will include a throttle function
as well as open and close functions. One should not include every throttle movement of a valve
as a counted demand. Only the initial movement of the valve should be counted as a demand.
Demands for valves that do not provide a controlling function are based on a full duty cycle.
Load run demands (emergency power generators only) are defined as any requirements for the
output breaker to close given that the generator has successfully started and reached rated speed
and voltage. Exclude post maintenance test load run demands, unless in case of a failure, the
cause of the failure was independent of the maintenance performed. In this case, the load run
demand should be counted, depending on whether the actual or estimated demand method will
be used, as well as the failure.
Run hours (pumps and emergency power generators only) are defined as the time the component
is operating. For pumps, run hours include the first hour of operation of the component.
For emergency diesel generators, exclude all hours before the output breaker is closed (or
EDG hours when the emergency diesel generator is run unloaded) and the first hour after
the breaker is closed (the first hour of operation after the breaker is closed is considered part of
the load/run demand). Failures during shutdown of an emergency generator after the output
breaker is opened are included as a failure to run. Exclude post maintenance test run hours,
unless in case of a failure, the cause of the failure was independent of the maintenance
performed. In this case, the run hours may be counted as well as the failure. Pumps that remain
running for operational reasons following the completion of post-maintenance testing accrue
run hours from the time the pump was declared operable.
Table 4. Duty Cycle Data Types
Type | Definition
Actual ESF (ESF Nontest Actual in CDE) | Any demands or run hours incurred as a result of a valid ESF signal.
Operational/Alignment (Operational Nontest in CDE) | Any demands or run hours incurred supporting normal plant operations not associated with test activities or as a result of a valid ESF signal.
Test | Any demands or run hours incurred supporting test activities. Normally return to service tests and test for which a component is not expected to fully cycle (e.g., bumps for rotation checks after pump maintenance) are not included.
For each type of duty cycle data, the three data types defined in Table 4 are reported to CDE.
Best judgment should be used to define each type of demand or run hour data, but strict
segregation of data between types is not as important as the validity of the total number (ESF
nontest + operational nontest + test).
The duty cycle data category types may be reported as either actual or estimated data. Since
valid ESF signals are essentially random in frequency, actual ESF demands (start demands, load
run demands, and run hours) are always reported as actual data. Operational/Alignment and test
data, however, can be reasonably estimated based on plant scheduled test frequencies and
operating history. Therefore, either or both operational/alignment and test data may be reported
as estimated data if so designated in the unit’s MSPI basis document. Optionally, either or both
operational/alignment and test data may be reported as actual data if so designated in the unit’s
MSPI basis document.
An actual ESF demand (also start demand, load run demand, or run hour) is any condition that
results in valid actuation, manual or automatic, of any of the MSPI systems due to actual or
perceived plant conditions requiring the actuation. These conditions should be counted in MSPI
as actual ESF demands except when:
1) The actuation resulted from and was part of a pre-planned sequence during testing or
reactor operation; or
2) The actuation was invalid; or
3) Occurred while the system was properly removed from service; or
4) Occurred after the safety function had been already completed.
Valid actuations are those actuations that result from "valid signals" or from intentional manual
initiation, unless it is part of a preplanned test. Valid signals are those signals that are initiated in
response to actual plant conditions or parameters satisfying the requirements for initiation of the
safety function of the system. They do not include those which are the result of other signals.
Invalid actuations are, by definition, those that do not meet the criteria for being valid. Thus,
invalid actuations include actuations that are not the result of valid signals and are not intentional
manual actuations.
For preplanned actuations, operation of a system as part of a planned test or operational
evolution should not be counted in MSPI as actual ESF demands, but rather as
operational/alignment or test demands. Preplanned actuations are those which are expected to
actually occur due to preplanned activities covered by procedures. Such actuations are those for
which a procedural step or other appropriate documentation indicates the specific actuation is
actually expected to occur. Control room personnel are aware of the specific signal generation
before its occurrence or indication in the control room. However, if during the test or evolution,
the system actuates in a way that is not part of the planned evolution, that actuation should be
counted.
Actual ESF demands occur when the setpoints for automatic safety system actuation are met or
exceeded and usually include the actuation of multiple trains and systems. Automatic actuation
of standby trains on a failure of a running train should not be considered as an actual ESF
demand. Actuations caused by operator error, maintenance errors, etc. that are not due to actual
plant requirements should be considered as “invalid” actuations and not counted in MSPI
as actual ESF demands.
CDE will use the actual ESF data, the actual/estimated operational data, and the actual/estimated
test data to derive a total number of demands (start demand, load run demands, and run hours as
required) for each MSPI monitored component for use in the URI derivation for the applicable
MSPI system.
Reporting of Actual Data: Actual demands data is a count of the number of demands,
start demands, load run demands, and run hours occurring in the specific month (or quarter
prior to April 2006). For the reporting of Actual demands, Table 5 shows the requirements for
data to be reported each month if actual demands will be reported (or quarter prior to April
2006), for all actual ESF demands, operational/alignment demands, and test duty cycle data.
Reporting of Estimated Data: Estimated demands and run hours can be derived based
on the number of times a procedure or maintenance activity is performed, or based on the
historical data over an operating cycle or more. Table 6 shows the requirements for estimated
data to be reported to CDE.
Estimated demands data are not reported to CDE on a periodic (monthly or quarterly) basis,
rather, they are entered initially, typically for the period of a refueling cycle (e.g., 48 demands
in 24 months) then updated as required. An update is required if a change to the basis for the
estimate results in a >25% change in the estimate of the total (operational/alignment + test) value
for a group of components within an MSPI system. For example, a single MOV in a system may
have its estimated demands change by greater than 25%, but revised estimates are not required
unless the total number of estimated demands for all MOVs in the system changes by >25%.
The new estimate will be used in the calculation the quarter following the input of the updated
estimates into CDE.
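The update trigger for estimated data is evaluated on the group total, not on each component. The following added sketch (not part of the guideline or of CDE) shows the check on constructed per-cycle demand estimates; the record layout, the ids, and grouping by component type within a system are assumptions based on the MOV example in the text.

```python
from collections import defaultdict

THRESHOLD = 0.25  # an update is needed only when the group total changes by MORE than 25%


def group_totals(estimates):
    """Total (operational/alignment + test) estimate per (system, component type)."""
    totals = defaultdict(int)
    for e in estimates:
        totals[(e["system"], e["type"])] += e["operational"] + e["test"]
    return dict(totals)


def exceeds_threshold(old, new):
    """True when the change from old to new is strictly greater than 25% of old."""
    if old == 0:
        return new != 0          # any estimate appearing from a zero basis is a change
    return abs(new - old) > THRESHOLD * old


def groups_needing_update(basis, revised):
    """Groups whose revised total requires new estimates to be entered."""
    old, new = group_totals(basis), group_totals(revised)
    return sorted(k for k in set(old) | set(new)
                  if exceeds_threshold(old.get(k, 0), new.get(k, 0)))


def components_changed(basis, revised):
    """Individual components whose own estimate moved by more than 25%.

    Informational only: the text says this alone does not force an update.
    """
    old = {e["id"]: e["operational"] + e["test"] for e in basis}
    new = {e["id"]: e["operational"] + e["test"] for e in revised}
    return sorted(i for i in set(old) | set(new)
                  if exceeds_threshold(old.get(i, 0), new.get(i, 0)))


def rec(cid, ctype, operational, test, system="SYS-A"):
    """Build one constructed estimate record (demands per refueling cycle)."""
    return {"id": cid, "system": system, "type": ctype,
            "operational": operational, "test": test}


# Constructed basis: MOV group total 108 demands, pump group total 60 demands.
BASIS = [rec("MOV-1", "MOV", 4, 8), rec("MOV-2", "MOV", 10, 38), rec("MOV-3", "MOV", 10, 38),
         rec("P-1", "pump", 6, 24), rec("P-2", "pump", 6, 24)]

# Constructed revision: MOV-1 test frequency doubles; both pumps are tested more often.
REVISED = [rec("MOV-1", "MOV", 4, 16), rec("MOV-2", "MOV", 10, 38), rec("MOV-3", "MOV", 10, 38),
           rec("P-1", "pump", 6, 36), rec("P-2", "pump", 6, 36)]

if __name__ == "__main__":
    print(components_changed(BASIS, REVISED))     # individual changes above 25%
    print(groups_needing_update(BASIS, REVISED))  # groups that actually need an update
```

MOV-1 changes by about 67% on its own, but the MOV group total moves from 108 to 116, so only the pump group (60 to 84) crosses the threshold.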
Table 5. Required Reporting by Component Type (Actual Demands Commitment)
Component Type | Report Each Month (or Quarter Prior to April 2006)
All valves and circuit breakers | Actual ESF Demands; Actual Operational/Alignment Demands; Actual Test Demands
All pumps | Actual ESF Demands; Actual Operational/Alignment Demands; Actual Test Demands; Actual ESF Run Hours; Actual Operational/Alignment Run Hours; Actual Test Run Hours
All Emergency Power Generators (both diesel and hydroelectric) | Actual ESF Start Demands; Actual Operational/Alignment Start Demands; Actual Test Start Demands; Actual ESF Load Run Demands; Actual Operational/Alignment Load Run Demands; Actual Test Load Run Demands; Actual ESF Run Hours; Actual Operational/Alignment Run Hours; Actual Test Run Hours
Table 6. Required Reporting by Component Type (Estimated Data Commitment)
Component Type | Report
All valves and circuit breakers | Actual ESF Demands (Note 1); Estimated Operational/Alignment Demands; Estimated Test Demands
All pumps | Actual ESF Demands (Note 1); Estimated Operational/Alignment Demands; Estimated Test Demands; Actual ESF Run Hours (Note 1); Estimated Operational/Alignment Run Hours; Estimated Test Run Hours
All Emergency Power Generators (both diesel and hydro electric) | Actual ESF Start Demands (Note 1); Estimated Operational/Alignment Start Demands; Estimated Test Start Demands; Actual ESF Load Run Demands (Note 1); Estimated Operational/Alignment Load Run Demands; Estimated Test Load Run Demands; Actual ESF Run Hours (Note 1); Estimated Operational/Alignment Run Hours; Estimated Test Run Hours
Note 1 for Table 6: For plants that have elected to use estimated test and operational/alignment demands
and run hours, the reporting of ESF demands and run hours should be either “zero” or the actual
demands/run hours. If there were no actual ESF demands and run hours for the quarter, a "zero"
must be entered into CDE for actual ESF demands and run hours.
F 2.2.2. FAILURES
In general, a failure of a component for the MSPI is any circumstance when the component is
not in a condition to meet the performance requirements defined by the PRA success criteria or
mission time for the functions monitored under the MSPI. For emergency power
generators, the mission time for failure determinations should be the maximum mission time
considered in the PRA model (generally 24 hours), even if a shorter mission time is used for
input into CDE. Note that a run failure that occurs beyond the mission time after the
emergency power generator or pump is started is still counted as an MSPI failure. This
accounts for the time during which the component was in an unknown condition when it
would have been unable to run for a full mission time. In addition, such failures are
included in the data used to generate the baseline failure rates.
Failures for the MSPI are not necessarily equivalent to failures in the maintenance
rule. Specifically, the MSPI failure determination does not depend on whether a failure is
maintenance preventable. Additionally, the functions monitored for the MSPI are normally a
subset of those monitored for the maintenance rule.
Emergency power generator failure to start: A failure to start includes those failures up
to the point when the emergency power generator output breaker has received a signal to
close. (Exclude post maintenance tests (PMTs), unless
the cause of failure was independent of the maintenance performed. Include all failures that
result from a non-PMT demand following return to service. If a PMT failure occurs following
return to service and was caused by the maintenance activity, then this
failure is excluded and the train, during the period from the completion of the maintenance
activity to the declaration of return to service, is counted as unavailable.) (See the
emergency power generator failure to run definition for treatment of fuel oil transfer
pump/valve failures.[1])
Emergency power generator failure to load/run: Given that the emergency power
generator has successfully started and the output breaker has received a signal to close, a failure
of the generator output breaker to close, to successfully load sequence, or a failure to
run/operate for one hour to perform its monitored functions after breaker closure. The
emergency power generator does not have to be fully loaded to count the failure. Failure to
load/run also includes failures of the emergency power generator output breaker to re-close
following a grid disturbance if the emergency power generator was running paralleled to the
grid, provided breaker closure is required by plant design. This failure mode is treated as a
demand failure for calculation purposes. (Exclude post maintenance tests, unless the cause of
failure was independent of the maintenance performed. Include all failures that result from a
non-PMT demand following return to service. If a PMT failure occurs following return to
service and was caused by the maintenance activity, then this failure is
excluded and the train, during the period from the completion of the maintenance activity to the
declaration of return to service, is counted as unavailable.)
Emergency power generator failure to run: A failure after the emergency power
generator has successfully started, the output breaker has closed and the generator has run
for an hour after the breaker has closed. The generator does not have to be fully loaded to
count the failure. Given that it has successfully started and loaded and run for an hour, a failure
of an EDG to run/operate. (Exclude post maintenance tests, unless the cause of failure was
independent of the maintenance performed. Failures of the EDG fuel oil transfer
pump(s)/valve(s) are considered to be EDG failures to run if the failure of the EDG fuel oil
transfer pump/valve results in the failure of the EDG to be able to run for 24 hours (e.g., no
redundant transfer pump/valve is available,[2] or the redundant pump/valve is disabled in a manner
preventing it from performing its intended function). Regardless of when the fuel oil transfer
pump/valve(s) fails, this counts as a run failure. In the case where a fuel oil transfer
pump/valve(s) failure results in more than one EDG to not be able to run for 24 hours, a failure
is counted for each affected EDG.
Include all failures that result from a non-PMT demand following return to service. If a PMT
failure occurs following return to service and was caused by the maintenance
activity, then this failure is excluded and the train, during the period from the
completion of the maintenance activity to the declaration of return to service, is counted as
unavailable.)
[1] Information Systems Laboratories, Inc. performed a review for the NRC of EDG and FOTP failures to support the changes made to EDG failure
definitions in 2011. See Accession No. ML11259A101 in NRC’s Agencywide Documents Access and Management System (ADAMS).
[2] In order for a redundant fuel oil transfer pump/valve to be credited in a failure determination, it must either automatically actuate or be able to
be manually actuated in the time needed to satisfy the PRA success criteria. If the pump/valve requires manual
actuation, indication must be available to alert the operating staff of the need to actuate the pump/valve in the time required.
Pump failure on demand: A failure to start and run for at least one hour is counted as failure on
demand. (Exclude post maintenance tests, unless the cause of failure was independent of the
maintenance performed. Include all failures that result from a non-PMT demand following
FAQ472
(09-08)
return to service. If a PMT failure occurs following return to service and was dependent on
Slider
12/27/12
caused by the maintenance performedactivity, then this failure is excluded and the train,
during the period from the completion of the maintenance activity to the declaration of return
to service, is counted as unavailable.)
Pump failure to run: Given that it has successfully started and run for an hour, a failure of a
pump to run/operate. (Exclude post maintenance tests, unless the cause of failure was
independent of the maintenance performed. Include all failures that result from a non-PMT
demand following return to service. If a PMT failure occurs following return to service and
was dependent oncaused by the maintenance performedactivity, then this failure is excluded
and the train, during the period from the completion of the maintenance activity to the
declaration of return to service, is counted as unavailable.)
Valve failure on demand: A failure to transfer to the required monitored state (open, close, or
throttle to the desired position as applicable) is counted as failure on demand. (Exclude post
maintenance tests, unless the cause of failure was independent of the maintenance performed.
Include all failures that result from a non-PMT demand following return to service. If a PMT
failure occurs following return to service and was caused by the maintenance
performedactivity, then this failure is excluded and the train, during the period from the
completion of the maintenance activity to the declaration of return to service, is counted as
unavailable.)
Breaker failure on demand: A failure to transfer to the required monitored state (open or close
as applicable) is counted as failure on demand. (Exclude post maintenance tests, unless the
cause of failure was independent of the maintenance performed. Include all failures that result
from a non-PMT demand following return to service. If a PMT failure occurs following return
to service and was caused by the maintenance activity, then this failure is
excluded and the train, during the period from the completion of the maintenance activity to the
declaration of return to service, is counted as unavailable.)
Treatment of Demand and Run Failures
Failures of monitored components on demand or failures to run, either actual or test are included
in unreliability. Failures on demand or failures to run while not critical are included unless an
evaluation determines the failure would not have affected the ability of the component to
perform its monitored at power function. In no case can a postulated action to recover a failure
be used as a justification to exclude a failure from the count.
Human errors/component trips, inadvertent actuations or unplanned unavailability introduced as
part of a test or maintenance activity are not indicative of the reliability of the equipment had the
activity not been performed, and should NOT be counted as failures as long as they are
immediately revealed and promptly reported to the control room.
This applies to human errors which result in tripping an MSPI component that:
1. Occur while the MSPI train/segment is considered available;
2. Do not result in actual equipment damage;
3. Are immediately revealed through clear and unambiguous indication;
4. Are promptly reported to the control room without delay prior to the performance
of corrective actions, and;
5. Are clearly associated with a test or maintenance activity such that the failure
sequence would not have occurred and cannot occur if the test or maintenance
activity was not being performed.
Unplanned unavailability should be counted from the time of the event until the equipment is
returned to service.
Latent failures (failures that existed prior to the maintenance) that are discovered as part of
maintenance or test activity are considered failures.
Treatment of Failures Discovered During Post Maintenance Tests
Failures identified during post maintenance tests (PMT) are not counted unless the cause of the
failure was independent of the maintenance performed. The maintenance scope of work includes
the activities required to be performed to conduct the maintenance, including support activities,
the actual maintenance activities, and the activities required for restoration of the monitored
component(s) to their available and operable conditions. This includes, but is not limited to,
typical tasks such as scaffolding erection and removal, coatings applications, insulation removal
and installation, rigging activities, health physics activities, interference removal and restoration,
as required to support and perform the required maintenance activity. Support activities may be
planned, scheduled and implemented on separate work orders from the work order for the
monitored component(s). System or component failures introduced during the scope of work are
not indicative of the reliability of the equipment, since they would not have occurred had the
maintenance activity not been performed. In addition, the potential exists that components or
devices not included in the direct scope of work may be affected by the ongoing activities. Such
failures are not counted providing:
• They are identified during or prior to the post-maintenance testing and are corrected
prior to the component(s) being returned to operable status,
• The repair is documented in a work package, and
• The critical components not directly in the scope of work, but that have the potential
to be affected by the maintenance activity, are noted by means such as cautions in the
procedures, inclusion in the pre-job briefings, protection by signs, placards or
padding, and
• The licensee uses the corrective action program to document the basis for the
determination that the cause of the failure was dependent on the maintenance
performed. This determination must establish a clear relationship between the
maintenance performed and the failure.
Treatment of Discovered Conditions that Result in the Inability to Perform a Monitored Function
Discovered conditions of monitored components (conditions within the component boundaries
defined in section F 2.1.3) that render a monitored component incapable of performing its
monitored function are included in unreliability as a failure, even though no actual failure on
demand or while running existed. This treatment accounts for the amount of time that the
condition existed prior to discovery, when the component was in an unknown failed state.
In accordance with current regulatory guidance, licensees may credit limited operator actions
to determine that degraded equipment remains operable in accordance with Technical
Specifications. If a component is determined to be operable, then no failure is counted.
Beyond this, no credit is allowed for operator actions during degraded conditions that render the
component unable to perform its monitored function.
Conditions that render a monitored component incapable of performing its monitored function
that are immediately annunciated in the control room without an actual demand occurring are a
special case of a discovered condition. In this instance the discovery of the condition is
coincident with the failure. This condition is applicable to normally energized control circuits
that are associated with monitored components, which annunciate on loss of power to the control
circuit. For this circumstance there is no time when the component is in an unknown failed state.
In this instance appropriate train unavailable hours will be accounted for, but no additional
failure will be counted.
For other discovered conditions where the discovery of the condition is not coincident with the
failure, the appropriate failure mode must be accounted for in the following manner:
• For valves and breakers a demand failure would be assumed and included. An additional
demand may also be counted.
• For pumps and emergency power generators, if the discovered condition would
have prevented a successful start, a start failure is included, but there would be no run
time hours or run failure. An additional demand may also be counted.
• For emergency power generators, if it was determined that the diesel generator would
start, but would fail to load (e.g. a condition associated with the output breaker), a load/run
failure would be assumed and included. An additional start demand and load/run demand
may also be counted.
• For pumps and emergency power generators, if it was determined that the
pump/diesel generator would start and load run, but would fail sometime prior to
completing its mission time, a run failure would be assumed. A start demand and a load/run
demand would also be assumed and included. The evaluated failure time may be included in
run hours.
For a running component that is secured from operation due to observed degraded performance,
but prior to failure, then a run failure shall be assumed unless evaluation of the condition shows
that the component would have continued to operate for the mission time starting from the time
the component was secured.
Unplanned unavailability would accrue in all instances from the time of discovery or
annunciation consistent with the definition in section F 1.2.1.
Loss of monitored function(s) is assumed to have occurred if the established success criteria have
not been met. If subsequent analysis identifies additional margin for the success criterion, future
impacts on URI or UAI for degraded conditions may be determined based on the new criterion.
However, the current quarter’s URI and UAI must be based on the success criteria of record at
the time the degraded condition is discovered. If the new success criteria cause a revision to the
PRA affecting the numerical results (i.e. CDF and FV), then the change must be included in the
PRA model and the appropriate new values calculated and incorporated in the MSPI Basis
Document prior to use in the calculation of URI and UAI. If the change in success criteria has no
effect on the numerical results of the PRA (representing only a change in margin) then only the
MSPI Basis Document need be revised prior to using the revised success criteria.
If the degraded condition is not addressed by any of the pre-defined success criteria, an
engineering evaluation to determine the impact of the degraded condition on the monitored
function(s) should be completed and documented. The use of component failure analysis, circuit
analysis, or event investigations is acceptable. Engineering judgment may be used in
conjunction with analytical techniques to determine the impact of the degraded condition on the
monitored function. The engineering evaluation should be completed as soon as practical. If it
cannot be completed in time to support submission of the PI report for the current quarter, a
preliminary determination should be reported and the comment field shall note that an
evaluation is pending. The evaluation must be completed in time to accurately account for
unavailability/unreliability in the next quarterly report. Exceptions to this guidance are expected
to be rare and will be treated on a case-by-case basis. Licensees should identify these situations
to the resident inspector.
Failures and Discovered Conditions of Non-Monitored Structures, Systems, and Components
(SSC)
Failures of SSCs that are not included in the performance index will not be counted as a
failure or a demand. Failures of SSCs that would have caused an SSC within the scope of the
performance index to fail will not be counted as a failure or demand. An example could be a
manual suction isolation valve left closed which would have caused a pump to fail. This would
not be counted as a failure of the pump. Unmonitored components within a monitored
train/segment boundary do not contribute to unreliability. If an unmonitored component within a
monitored train/segment fails, unreliability is not accrued if the unmonitored component does not
cause an actual demand and/or actual failure of a monitored component within the monitored
train/segment. If the unmonitored component causes a monitored component within the
monitored train/segment to actually fail when demanded, then the monitored component demand
and failure are counted for unreliability. The failure of an unmonitored component within a
monitored train/segment can cause unavailability of that train/segment to be counted if the
train/segment is rendered unavailable.
Unmonitored components outside a monitored train/segment boundary do not contribute to
unreliability of monitored components or to unavailability of the monitored train/segment. If
an unmonitored component outside a monitored train/segment fails, unreliability is not
accrued regardless of whether the unmonitored component causes an actual demand and/or actual
failure of a monitored component. The failure of an unmonitored component outside a
monitored train/segment cannot cause unavailability of that train/segment to be counted.
For example, a manual suction isolation valve (an unmonitored component within the train
boundary) is left closed, which would have caused a pump to fail. The closed valve would
not be counted as a failure of the pump, nor would unavailability be accrued. Any mispositioning of the valve that caused the train to be unavailable would be counted as
unavailability from the time of discovery. The significance of the mis-positioned valve prior to
discovery would be addressed through the inspection process. (Note, however, in the above
example, if the shut manual suction isolation valve resulted in an actual pump failure, the pump
failure would be counted as a demand and failure of the pump and unplanned unavailability
would be counted against the appropriate train/segment.)
F 2.3. CALCULATION OF URI
Unreliability is monitored at the component level and calculated at the system level. URI is
proportional to the weighted difference between the plant-specific component
unreliability and the industry average unreliability. The Birnbaum importance is the weighting
factor. Calculation of system URI due to this difference in component unreliability is as follows:
$$URI = \sum_{j=1}^{m} \left[ B_{Dj}\,(UR_{DBCj} - UR_{DBLj}) + B_{Lj}\,(UR_{LBCj} - UR_{LBLj}) + B_{Rj}\,(UR_{RBCj} - UR_{RBLj}) \right] \qquad \text{Eq. 3}$$
Where the summation is over the number of monitored components (m) in the system, and:
BDj, BLj and BRj are the Birnbaum importance measures for the failure modes fail on
demand, fail to load and fail to run respectively,
URDBC, URLBC, and URRBC are Bayesian corrected plant-specific values of
unreliability for the failure modes fail on demand, fail to load and fail to run respectively,
and
URDBL, URLBL, and URRBL are Baseline values of unreliability for the failure modes fail on
demand, fail to load and fail to run respectively.
The Birnbaum importance for each specific component failure mode is defined as
$$B = CDF_p \left[ \frac{FV_{URc}}{UR_{Pc}} \right]_{MAX} \qquad \text{Eq. 4}$$
Where,
CDFp is the plant-specific internal events, at power, core damage frequency,
FVURc is the component and failure mode specific Fussell-Vesely value for unreliability,
URPc is the plant-specific PRA value of component and failure mode unreliability,
Failure modes defined for each component type are provided below. There may be several basic
events in a PRA that correspond to each of these failure modes used to collect plant-specific data. These failure modes are used to define how the actual failures in the plant are
categorized.
Valves and Breakers:
    Fail on Demand (Open/Close)
Pumps:
    Fail on Demand (Start)
    Fail to Run
Emergency Diesel Generators:
    Fail on Demand (Start)
    Fail to Load/Run
    Fail to Run
A method for calculation of the quantities in equations 3 and 4 from importance measures
calculated using cutsets from an existing PRA solution is discussed in sections F 2.3.1 through F
2.3.3.
An alternate approach, based on re-quantification of the PRA model, and calculation of the
importance measures from first principles is also an acceptable method. Guidance on this
alternate method is contained in section F6 of this appendix. A plant using this alternate
approach should use the guidance in section F6 and skip sections F 2.3.1 through F 2.3.3.
F 2.3.1. TRUNCATION LEVELS
The values of importance measures calculated using an existing cutset solution are influenced by
the truncation level of the solution. The truncation level chosen for the solution should be 7
orders of magnitude less than the baseline CDF for the alternative defined in sections F 2.3.2 and
F 2.3.3.
As an alternative to using this truncation level, the following sensitivity study may be performed
to establish the acceptability of a higher (e.g. 6 orders of magnitude) truncation level.
1. Solve the model at the truncation level you intend to use. (e.g. 6 orders of magnitude
below the baseline CDF)
2. Identify the limiting Birnbaum value for each component. (this is the case 1 value)
3. Solve the model again with a truncation 10 times larger (e.g. 5 orders of magnitude
below the baseline CDF)
4. Identify the limiting Birnbaum value for each component. (this is the case 2 value)
5. For each component with Birnbaum-case 1 greater than 1.0E-06 calculate the ratio
[(Birnbaum-case 2)/(Birnbaum-case 1)]
6. If the value for the calculated ratio is greater than 0.8 for all components with
Birnbaum-case 1 value greater than 1.0E-06, then the case 1 truncation level may be used for this
analysis.
This process may need to be repeated several times with successively lower truncation levels to
achieve acceptable results.
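Steps 5 and 6 of the sensitivity study reduce to a per-component ratio test. The sketch below is an added example, not part of NEI 99-02; the component names and Birnbaum values are constructed, and treating a component that is missing from the case 2 solution as Birnbaum 0.0 is an assumption of this example.

```python
"""Acceptance check for the F 2.3.1 truncation sensitivity study (steps 5 and 6)."""

BIRNBAUM_SCREEN = 1.0e-06  # step 5: only components with case 1 Birnbaum above this are tested
MIN_RATIO = 0.8            # step 6: case 2 / case 1 must be greater than this

# Constructed sample data: limiting Birnbaum value per component.
# CASE1 = solution at the truncation level intended for use,
# CASE2 = solution with a truncation 10 times larger.
CASE1 = {"MDP-A": 4.0e-05, "MOV-1": 2.0e-06, "AOV-7": 5.0e-07}
CASE2 = {"MDP-A": 3.8e-05, "MOV-1": 1.5e-06, "AOV-7": 1.0e-07}


def truncation_sensitivity(case1, case2):
    """Return (acceptable, ratios, failing) for two sets of limiting Birnbaum values.

    ratios  : {component: case 2 / case 1} for every component that was tested
    failing : components whose ratio is not greater than MIN_RATIO
    """
    ratios = {}
    failing = []
    for component, b1 in case1.items():
        if b1 <= BIRNBAUM_SCREEN:
            # Below the screening value, so not part of the acceptance test.
            continue
        # Assumption of this example: a component truncated out of the case 2
        # solution is given Birnbaum 0.0, so it fails instead of being skipped.
        b2 = case2.get(component, 0.0)
        ratio = b2 / b1
        ratios[component] = ratio
        if not ratio > MIN_RATIO:
            failing.append(component)
    return (not failing, ratios, failing)


if __name__ == "__main__":
    ok, ratios, failing = truncation_sensitivity(CASE1, CASE2)
    for component, ratio in ratios.items():
        print(f"{component}: case2/case1 = {ratio:.2f}")
    if ok:
        print("case 1 truncation level may be used")
    else:
        print("repeat with a lower truncation level; failing:", failing)
```
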
F 2.3.2. CALCULATION OF CORE DAMAGE FREQUENCY (CDFp)
The Core Damage Frequency is a CDE input value. The required value is the internal events
average maintenance at power value. Internal flooding and external events, including
internal fire, are not included in this calculated value. In general, all inputs to this
indicator from the PRA are calculated from the internal events model only.
F 2.3.3. CALCULATION OF [FV/UR]MAX
The FV, UR and common cause adjustment values developed in this section are separate CDE
input values.
Equation 4 includes a term that is the ratio of a Fussell-Vesely importance value divided by the
related unreliability. The calculation of this ratio is performed in a similar manner to the ratio
calculated for UAI, except that the ratio is calculated for each monitored component. One
additional factor needs to be accounted for in the unreliability ratio that was not needed in the
unavailability ratio, the contribution to the ratio from common cause failure events. The
discussion in this section will start with the calculation of the initial ratio and then proceed with
directions for adjusting this value to account for the cooling water initiator contribution, as in the
unavailability index, and then the common cause correction.
It can be shown that for a given component represented by multiple basic events, the ratio of the
two values for the component is equal to the ratio of values for any basic event representing the
component. Or,
$$\frac{FV_{be}}{UR_{be}} = \frac{FV_{URc}}{UR_{Pc}} = \text{Constant}$$
as long as the basic events under consideration are logically equivalent.
Note that the constant value may be different for the unreliability ratio and the unavailability
ratio because the two types of events are frequently not logically equivalent. For example
recovery actions may be modeled in the PRA for one but not the other. This ratio may also be
different for fail on demand and fail to run events for the same component. This is particularly
true for cooling water pumps that have a trip initiation function as well as a mitigation function.
There are two options for determining the initial value of this ratio: The first option is to identify
one maximum ratio that will be used for all applicable failure modes for the component. The
second option is to identify a separate ratio for each failure mode for the component. These two
options will be discussed next.
Option 1
Identify one maximum ratio that will be used for all applicable failure modes for the component.
The process for determining a single value of this ratio for all failure modes of a component is to
identify all basic events that fail the monitored function of the component (excluding
common cause events and test and maintenance events). It is typical, given the component
scope definitions in Table 2, that there will be several plant components modeled separately in
the plant PRA that make up the MSPI component definition. For example, it is common that in
modeling an MOV, the actuation relay for the MOV and the power supply breaker for the MOV
are separate components in the plant PRA. Ensure that the basic events related to all of these
individual components are considered when choosing the appropriate [FV/UR] ratio.
Determine the failure probabilities for the events, determine the associated FV values for the
events and then calculate the ratios, [FV/UR] ind, where the subscript refers to independent
failures. Choose from this list the basic event for the component and its associated FV value that
results in the largest [FV/UR] ratio. This will typically be the event with the largest failure
probability to minimize the effects of truncation on the calculation. If all events for the
component have been truncated, either a lower truncation value or the method provided in
Section F.6 should be used.
Option 2
Identify a separate ratio for each failure mode for the component. The process for determining a
ratio value for each failure mode proceeds similarly by first identifying all basic events
related to each monitored function of the component. After this step, each basic event must
be associated with one of the specific defined failure modes for the component. Proceed as
in option 1 to find the values that result in the largest ratio for each failure mode for the
component. In this option the CDE inputs will include FV and UR values for each failure mode
of the component.
F 2.3.4. CORRECTIONS TO FV/UR RATIO
Treatment of PRA Modeling Asymmetries
In systems with rotated normally running pumps (e.g. cooling water systems), the PRA models
may assume one pump is always the running pump and another is in standby. For example, a service
water system may have two 100% capacity pumps in one train, an A and B pump. In practice the
A and B pumps are rotated and each one is the running pump 50% of the time. In the PRA model
however, the A pump is assumed to be always running and the B pump is always assumed to
be in standby. This will result in one pump appearing to be more important than the other when
they are, in fact, of equal importance. This asymmetry in importance is driven by the assumption
in the PRA, not the design of the plant.
When this is encountered, the importance measures may be used as they are calculated from the
PRA model for the component importance used in the calculation of URI. Although these are not
actually the correct importance values, the method used to calculate URI will still provide the
correct result because the same value of unreliability is used for each component as a result of
the data being pooled. Note that this is different from the treatment of importance in the
calculation of UAI.
Cooling Water and Service Water System [FV/UR]ind Values
Ensure that the correction term in this section is applied prior to the calculation of the common
cause correction in the next section. Component Cooling Water Systems (CCW) and Service
Water Systems (SWS) at some nuclear stations contribute to risk in two ways. First, the systems
provide cooling to equipment used for the mitigation of events and second, the failures in the
systems may also result in the initiation of an event. Depending on the manner in which the
initiator contribution is treated in the PRA, it may be necessary to apply a correction to the
FV/UR ratio calculated in the section above.
The correction must be applied to each FV/UR ratio used for this index. If the option to use
separate ratios for each component failure mode was used in the section above then this
correction is calculated for each failure mode of the component.
The contribution to risk from failures to provide cooling to other plant equipment is modeled
directly through dependencies in the PRA model. However, the contribution due to event
initiation is treated in four general ways in current PRAs:
1) The use of linked initiating event fault trees for these systems with the same basic
events used in the initiator and mitigation trees.
2) The use of linked initiating event fault trees for these systems with different basic
events used in the initiator and mitigation trees.
3) Fault tree solutions are generated for these systems external to the PRA and the
calculated value is used in the PRA as a point estimate.
4) A point estimate value is generated for the initiator using industry and plant-specific
event data and used in the PRA.
Each of these methods is discussed below.
Modeling Method 1
If a PRA uses the first modeling option, then the FV values calculated will reflect the total
contribution to risk for a component in the system. No additional correction to the FV values is
required.
Modeling Methods 2 and 3
The corrected ratio may be calculated as described for modeling method 4 or by the method
described below.
If a linked initiating event fault tree with different basic events used in the initiator and
mitigation trees is the modeling approach taken, or fault tree solutions are generated for these
systems external to the PRA and the calculated value is used in the PRA as a point estimate, then
the corrected ratio is given by:
$$[FV/UR]_{corr} = \frac{FV_c}{UR_c} + \sum_{m=1}^{i} \left[ \frac{IE_{m,n}(1) - IE_{m,n}(0)}{IE_{m,n}(q_n)} \right] \cdot FV_{iem}$$
In this expression the summation is taken over all system initiators i that involve component n,
where
FVc is the Fussell-Vesely for component C as calculated from the PRA Model. This does
not include any contribution from initiating events,
URc is the basic event unreliability used in computing FVc; i.e. in the system response
models,
IEm,n(qn) is the system initiator frequency of initiating event m when the component n
unreliability basic event is qn. The event chosen in the initiator tree should represent the
same failure mode for the component as the event chosen for URc,
IEm,n(1) is as above but qn=1,
IEm,n(0) is as above but qn=0
and
FViem is the Fussell-Vesely importance contribution for the initiating event m to the
CDF.
Since FV and UR are separate CDE inputs, use URc and calculate FV from
FV = URc * [FV / UR ]corr
Modeling Method 4
If a point estimate value is generated for the initiator using industry and plant-specific
event data and used in the PRA, then the corrected [FV/UR] MAX for a component C is calculated
from the expression:
[ FV / UR]MAX = [( FVc + FVie * FVsc) / URc]
Where:
FVc is the Fussell-Vesely for CDF for component C as calculated from the PRA Model.
This does not include any contribution from initiating events.
FVie is the Fussell-Vesely contribution for the initiating event in question (e.g. loss of
service water).
FVsc is the Fussell-Vesely within the system fault tree only for component C (i.e. the
ratio of the sum of the cut sets in the fault tree solution in which that component appears
to the overall system failure probability). Note that this may require the construction of a
“satellite” system fault tree to arrive at an exact or approximate value for FVsc depending
on the support system fault tree logic.
URc is the basic event unreliability used in computing FVc; i.e., in the system
response models.
FV and UR are separate CDE input values.
Including the Effect of Common Cause in [FV/UR]max
Be sure that the correction factors from the previous section are applied prior to the common
cause correction factor being calculated.
Changes in the independent failure probability of an SSC imply a proportional change in the
common cause failure probability, even though no actual common cause failures have occurred.
The impact of this effect on URI is considered by including a multiplicative adjustment to the
[FV/UR]ind ratio developed in the section above. This multiplicative factor (A) is entered into
CDE as “CCF.”
Two methods are provided for including this effect, a simple generic approach that uses
bounding generic adjustment values and a more accurate plant-specific method that uses
values derived from the plant-specific PRA. Different methods can be used for different
systems. However, within an MSPI system, either the generic or plant-specific method
must be used for all components in the system, not a combination of different methods. For the
cooling water system, different methods may be used for the subsystems that make up the
cooling water system. For example, component cooling water and service water may use
different methods.
The common cause correction factor is only applied to components within a system and does not
include cross system (such as between the BWR HPCI and RCIC systems) common cause. If
there is only one component within a component type within the system, the adjustment value is
1.0. Also, if all components within a component type are required for success, then the
adjustment value is 1.0.
Generic CCF Adjustment Values
Generic values have been developed for monitored components that are subject to common
cause failure. The correction factor is used as a multiplier on the [FV/UR] ratio for each
component in the common cause group. This method may be used for simplicity and is
recommended for components that are less significant contributors to the URI (e.g. [FV/UR] is
small). The multipliers are provided in Table 7.
The EDG is a “super-component” that includes valves, pumps and breakers within the
super-component boundary. The EDG generic adjustment value should be applied to the EDG
“super-component” even if the specific event used for the [FV/UR] ratio for the EDG is a valve or
breaker failure.
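The following added example (not part of NEI 99-02) chains the steps described above for one system: Option 1 selection of the basic event with the largest [FV/UR], the modeling method 4 initiator correction, the generic CCF multiplier A, Equation 4 and Equation 3. All component names and numbers are constructed, and the Bayesian corrected and baseline unreliabilities are taken as given inputs.

```python
from dataclasses import dataclass


@dataclass
class BasicEvent:
    name: str
    fv: float  # Fussell-Vesely of the basic event from the PRA (no initiator contribution)
    ur: float  # failure probability of the same basic event


def select_max_ratio_event(events):
    """Option 1: pick the independent-failure basic event with the largest FV/UR."""
    usable = [e for e in events if e.fv > 0.0 and e.ur > 0.0]
    if not usable:
        # Every event fell below the cutset truncation level: the guideline calls
        # for a lower truncation value or the Section F.6 method in that case.
        raise ValueError("all basic events truncated; no FV/UR ratio available")
    return max(usable, key=lambda e: e.fv / e.ur)


def corrected_ratio_method4(event, fv_ie=0.0, fv_sc=0.0):
    """[FV/UR]MAX = (FVc + FVie * FVsc) / URc; with fv_ie = 0 this is plain FV/UR."""
    return (event.fv + fv_ie * fv_sc) / event.ur


def birnbaum(cdf_p, events, ccf_a=1.0, fv_ie=0.0, fv_sc=0.0):
    """Eq. 4, with the initiator correction applied before the CCF multiplier A."""
    event = select_max_ratio_event(events)
    ratio = corrected_ratio_method4(event, fv_ie, fv_sc)
    return cdf_p * (ccf_a * ratio)


def uri(components):
    """Eq. 3. components: list of (B, {failure_mode: (UR_BC, UR_BL)}).

    Under Option 1 one ratio serves every failure mode of a component, so the
    same Birnbaum value B weights its demand, load and run terms.
    """
    total = 0.0
    for b, modes in components:
        for ur_bc, ur_bl in modes.values():
            total += b * (ur_bc - ur_bl)
    return total


def sample_system_uri():
    """Constructed cooling water system with one pump and one MOV."""
    cdf_p = 2.0e-05  # constructed plant CDF
    fv_ie = 0.05     # constructed FV of the loss-of-system initiating event

    pump_events = [
        BasicEvent("SWP-A-FTS", fv=4.0e-03, ur=2.0e-03),  # FV/UR = 2.0, selected
        BasicEvent("SWP-A-BKR", fv=1.0e-04, ur=1.0e-04),  # FV/UR = 1.0
        BasicEvent("SWP-A-RLY", fv=0.0, ur=5.0e-05),      # truncated out of the solution
    ]
    mov_events = [BasicEvent("MOV-1-FTO", fv=1.0e-03, ur=1.0e-03)]

    b_pump = birnbaum(cdf_p, pump_events, ccf_a=3.0, fv_ie=fv_ie, fv_sc=0.2)
    b_mov = birnbaum(cdf_p, mov_events, ccf_a=2.0, fv_ie=fv_ie, fv_sc=0.02)

    components = [
        # (Bayesian corrected value, baseline value) per failure mode
        (b_pump, {"demand": (3.0e-03, 2.0e-03), "run": (1.0e-03, 1.5e-03)}),
        (b_mov, {"demand": (2.0e-03, 1.0e-03)}),
    ]
    return uri(components)


if __name__ == "__main__":
    print(f"URI = {sample_system_uri():.2e}")
```

A component performing better than baseline (the pump's run term here) contributes a negative term, so the system URI is the net of all weighted differences.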
Table 7. Generic CCF Adjustment Values
EPS
EDG
Arkansas 1
Arkansas 2
Beaver Valley 1
Beaver Valley 2
Braidwood 1 & 2
Browns Ferry 1, 2 & 3
Browns Ferry 2
Browns Ferry 3
Brunswick 1 & 2
Byron 1 & 2
Callaway
Calvert Cliffs 1 & 2
Catawba 1 & 2
Clinton 1
Columbia Nuclear
Comanche Peak 1 & 2
Cook 1 & 2
Cooper Station
Crystal River 3
Davis-Besse
Diablo Canyon 1 & 2
Dresden 2 & 3
Duane Arnold
Farley 1 & 2
Fermi 2
Fitzpatrick
Fort Calhoun
Ginna
Grand Gulf
Harris
Hatch 1 & 2
Hope Creek
Indian Point 2
Indian Point 3
Kewaunee
LaSalle 1 & 2
Limerick 1 & 2
McGuire 1 & 2
Millstone 2
Millstone 3
Monticello
Nine Mile Point 1
1.25
1.25
1.25
1.25
3
1.25
1.25
1.25
1.25
3
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
2
1.25
1.25
2
1.25
3
1.25
1.25
1.25
1.25
2
1.25
1.25
1.25
1.25
1.25
3
1.25
1.25
1.25
1.25
1.25
HPI
MDP
MDP
Running or Standby
Alternating+
2
1
1
2
2
1
2
1
1.25
1.25
1
1
1
1
1
1
1
1
1.25
1.25
1.25
1.25
1
2
1.25
1.25
1
1
1
1
1.25
1.25
1.25
1.25
1
1
2
1
1.25
1.25
1.25
1.25
3
1
1
1
2
1
1
1
1
1
1
2
1
2
1
1
2
1
1
1
1
1
1
2
1
2
1
1.25
1
1
1
1
1.25
1.25
1
2
2
1.25
1
1
3
1
HRS/
MDP
Standby
1
1
1.25
1.25
1
1
1
1
1
1
1.25
1.25
1.25
1
1
1.25
1.25
1
1
1
1.25
1
1
1.25
1
1
1
1.25
1
1.25
1
1
1.25
1.25
1.25
1
1
1.25
1.25
1.25
1
1
TDP
**
1
1
1
1
1
1
1
1
1
1
1
1.5
1
1
1
1
1
1
1
1.5
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
RHR
MDP
Standby
1.5
1.5
1.5
1.5
1.5
3
3
3
3
1.5
1.5
1.5
1.5
1.5
1.5
1.5
1.5
3
1.5
1.5
1.5
3
3
1.5
3
3
1.5
1.5
1.5
1.5
3
1.5
1.5
1.5
1.5
1.5
3
1.5
1.5
1.5
3
3
EPS
EDG
1
2
3
4
5
6
7
Nine Mile Point 2
North Anna 1 & 2
Oconee 1, 2 & 3
Oyster Creek
Palisades
Palo Verde 1, 2 & 3
Peach Bottom 2 & 3
Perry
Pilgrim
Point Beach 1 & 2
Prairie Island 1 & 2
Quad Cities 1 & 2
River Bend
Robinson 2
Salem 1 & 2
San Onofre 2 & 3
Seabrook
Sequoyah 1 & 2
South Texas 1 & 2
St. Lucie 1
St. Lucie 2
Summer
Surry 1 & 2
Susquehanna 1 & 2
Three Mile Island 1
Turkey Point 3 & 4
Vermont Yankee
Vogtle 1 & 2
Waterford 3
Watts Bar 1
Wolf Creek
1.25
1.25
3*
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
1.25
2
1.25
1.25
1.25
1.25
3
1.25
1.25
1.25
1.25
1.25
1.25
1.25
HPI
MDP
MDP
Running or Standby
Alternating+
1
1
2
1
2
1
1
3
1
1.25
1
1.25
1
1
1
1
1
1
1
1.25
1
1.25
1
1
1
1
1
1.25
1.25
1.25
1
2
1.25
1.25
1.25
1.25
1
2
1
1.25
1
1.25
2
1
2
1
1
1
2
1
1
3
1
1
1.25
1.25
1
2
1.25
1.25
1.25
1.25
HRS/
MDP
Standby
1
1.25
1.25
1
1.25
1.25
1
1
1
1.25
1
1
1
1.25
1.25
1.25
1
1.25
2
1.25
1.25
1.25
1.25
1
1.25
1
1
1.25
1.25
1.25
1.25
TDP
**
RHR
MDP
Standby
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
3
1
1
1
1
1
1.5
1.5
1.5
3
1.5
1.5
3
1.5
3
1.5
1.5
3
1.5
1.5
1.5
1.5
1.5
1.5
1.5
1.5
1.5
1.5
1.5
3
1.5
1.5
3
1.5
1.5
1.5
1.5
FAQ479
(11-05)
* hydroelectric units
** as applicable
+
Alternating pumps are redundant pumps where one pump is normally running, that are
operationally rotated on a periodic basis.
SWS
CCW
MDP
MDP
DDP **
MDP
MDP
Running or Standby
Running or Standby
Alternating
Alternating
3
1.5
1.25
1.5
2
All
Plants
** as applicable
F-42
All
MOVs
and
Breakers
2
All
AOVs,
SOVs,
HOVs
1.5
Plant-specific Common Cause Adjustment
The plant-specific correction factor should be calculated for each FV/UR ratio that is
used in the index. If the option to use a different ratio for each failure mode of a component is
used, then the ratio is calculated for each failure mode. The general form of a plant-specific common cause adjustment factor is given by the equation:

$$A = \frac{\sum_{i=1}^{n} FV_i + FV_{cc}}{\sum_{i=1}^{n} FV_i} \qquad \text{Eq. 5}$$

Where:
n = the number of components in a common cause group,
FVi = the FV for independent failure of component i,
and
FVcc = the FV for the common cause failure of components in the group.
In the expression above, the FVi are the values for the specific failure mode for the component
group that was chosen because it resulted in the maximum [FV/UR] ratio. The FVcc is the FV
that corresponds to all combinations of common cause events for that group of components for
the same specific failure mode. Note that the FVcc may be a sum of individual FVcc values that
represent different combinations of component failures in a common cause group.
For cooling water systems that have an initiator contribution, the FV values used should be from
the non-initiator part of the model.
For example consider again a plant with three one hundred percent capacity emergency diesel
generators. In this example, three failure modes for the EDG are modeled in the PRA, fail to start
(FTS), fail to load (FTL) and fail to run (FTR). Common cause events exist for each of the three
failure modes of the EDG in the following combinations:
1) Failure of all three EDGs,
2) Failure of EDG-A and EDG-B,
3) Failure of EDG-A and EDG-C,
4) Failure of EDG-B and EDG-C.
This results in a total of 12 common cause events.
Assume the maximum [FV/UR] resulted from the FTS failure mode, then the FVcc used in
equation 5 would be the sum of the four common cause FTS events for the combinations listed
above.
It is recognized that there is significant variation in the methods used to model common cause. In
many PRAs the 12 individual common cause events described above are combined into
fewer events. Correct application of the plant-specific method
would, in this case, require the decomposition of the combined events and their related FV
values into the individual parts. This can be accomplished by application of the following
proportionality:

$$FV_{part} = FV_{total} \times \frac{UR_{part}}{UR_{total}} \qquad \text{Eq. 6}$$

Returning to the example above, assume that common cause was modeled in the PRA by
combining all failure modes for each specific combination of equipment modeled. Thus there
would be four common cause events corresponding to the four possible equipment groupings
listed above, but each of the common cause events would include the three failure modes FTS,
FTL and FTR. Again, assume the FTS independent failure mode is the event that resulted in the
maximum [FV/UR] ratio. The FVcc value to be used would be found by determining the
FTS contribution for each of the four common cause events. In the case of the event representing
failure of all three EDGs this would be determined from

$$FV_{FTSABC} = FV_{ABC} \times \frac{UR_{FTSABC}}{UR_{ABC}}$$

Where,
FVFTSABC = the FV for the FTS failure mode and the failure of all three EDGs
FVABC = the event from the PRA representing the failure of all three EDGs due to all
failure modes
URFTSABC = the failure probability for a FTS of all three EDGs, and
URABC = the failure probability for all failure modes for the failure of all three EDGs.
After this same calculation was performed for the remaining three common cause events, the
value for FVCC to be used in equation 5 would then be calculated from:
FVcc = FVFTSABC + FVFTSAB + FVFTSAC + FVFTSBC
This value is used in equation 5 to determine the value of A. The final quantity used in equation 4
is given by:
[FV/UR] max = A*[FV/UR]ind
In this case the individual values on the right hand side of the equation above are input to CDE.
F 2.3.5. BIRNBAUM IMPORTANCE
One of the rules used for determining the valves and circuit breakers to be monitored in this
performance indicator permitted the exclusion of valves and circuit breakers with a Birnbaum
importance less than 1.0E-06. To apply this screening rule the Birnbaum importance is
calculated from the values derived in this section as:
B = CDF*A*[FV/UR] ind = CDF*[FV/UR] max
Ensure that the support system initiator correction (if applicable) and the common cause
correction are included in the Birnbaum value used to exclude components from monitoring.
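The decomposition (Eq. 6), the adjustment factor (Eq. 5) and the Birnbaum screen carried through numerically, as an added example that is not part of NEI 99-02 or the CDE software. All FV, UR and CDF inputs are constructed and the function names are illustrative; the MOV case uses the generic multiplier of 2 from Table 7 to show why the common cause correction has to be in the Birnbaum value before a component is screened out.

```python
"""Added example: plant-specific CCF adjustment (Eq. 5, Eq. 6) and Birnbaum screening.

Every numeric input below is constructed for illustration, not taken from a PRA.
"""

BIRNBAUM_SCREEN = 1.0e-06  # exclusion threshold for valves and circuit breakers


def split_fv(fv_total, ur_part, ur_total):
    """Eq. 6: share of a combined event's FV that belongs to one failure mode."""
    if ur_total <= 0 or not 0 <= ur_part <= ur_total:
        raise ValueError("need UR_total > 0 and 0 <= UR_part <= UR_total")
    return fv_total * ur_part / ur_total


def ccf_adjustment(fv_independent, fv_cc):
    """Eq. 5: A = (sum(FV_i) + FV_cc) / sum(FV_i)."""
    fv_sum = sum(fv_independent)
    if fv_sum <= 0:
        raise ValueError("independent FV values must sum to a positive number")
    return (fv_sum + fv_cc) / fv_sum


def birnbaum(cdf, adjustment, fv_ur_ind):
    """B = CDF * A * [FV/UR]ind = CDF * [FV/UR]max."""
    return cdf * adjustment * fv_ur_ind


def may_exclude(cdf, adjustment, fv_ur_ind):
    """Valve/breaker screening rule: exclude only if B is below 1.0E-06."""
    return birnbaum(cdf, adjustment, fv_ur_ind) < BIRNBAUM_SCREEN


# Constructed PRA output for three EDGs: four combined CCF events, each one
# lumping the FTS, FTL and FTR failure modes together.
COMBINED_CCF_EVENTS = [
    {"group": "ABC", "fv": 2.0e-2, "ur_fts": 1.0e-4, "ur_all_modes": 4.0e-4},
    {"group": "AB", "fv": 4.0e-3, "ur_fts": 5.0e-5, "ur_all_modes": 2.0e-4},
    {"group": "AC", "fv": 4.0e-3, "ur_fts": 5.0e-5, "ur_all_modes": 2.0e-4},
    {"group": "BC", "fv": 4.0e-3, "ur_fts": 5.0e-5, "ur_all_modes": 2.0e-4},
]
# Constructed independent FTS FV values for EDG-A, EDG-B and EDG-C.
FV_FTS_INDEPENDENT = [1.0e-2, 1.0e-2, 1.0e-2]


def edg_fts_adjustment():
    """Decompose each combined event to its FTS part, then apply Eq. 5."""
    fv_cc = sum(
        split_fv(e["fv"], e["ur_fts"], e["ur_all_modes"])
        for e in COMBINED_CCF_EVENTS
    )
    return fv_cc, ccf_adjustment(FV_FTS_INDEPENDENT, fv_cc)


if __name__ == "__main__":
    fv_cc, a = edg_fts_adjustment()
    print(f"FVcc (FTS) = {fv_cc:.3e}, A = {a:.4f}")

    # Constructed MOV: CDF = 1.0E-05, [FV/UR]ind = 0.06.
    cdf, fv_ur_ind = 1.0e-5, 0.06
    for label, adj in (("without CCF correction", 1.0), ("Table 7 generic A = 2", 2.0)):
        b = birnbaum(cdf, adj, fv_ur_ind)
        print(f"{label}: B = {b:.2e}, may exclude = {may_exclude(cdf, adj, fv_ur_ind)}")
```
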
F 2.3.6. CALCULATION OF URDBC, URLBC AND URRBC
Equation 3 includes the three quantities URDBC, URLBC and URRBC, which are the Bayesian
corrected plant-specific values of unreliability for the failure modes fail on demand,
fail to load/run and fail to run, respectively. This section discusses the calculation of these
values. As discussed in section F 2.3, the failure modes considered for each component type are
provided below.
Valves and Breakers:
Fail on Demand (Open/Close)
Pumps:
Fail on Demand (Start)
Fail to Run
Emergency Diesel Generators:
Fail on Demand (Start)
Fail to Load/Run
Fail to Run
URDBC is calculated as follows. 1

$$UR_{DBC} = \frac{N_d + a}{a + b + D} \qquad \text{Eq. 7}$$

where in this expression:
Nd is the total number of failures on demand during the previous 12 quarters,
D is the total number of demands during the previous 12 quarters determined in
section 2.2.1
The values a and b are parameters of the industry prior, derived from
industry experience (see Table 8).
In the calculation of equation 7 the numbers of demands and failures are the sums of all demands
and failures for similar components within each system. Do not sum across units for a multi-unit
plant. For example, for a plant with two trains of Emergency Diesel Generators, the demands and
failures for both trains would be added together for one evaluation of equation 7, which would be
used for both trains of EDGs.
URLBC is calculated as follows.

$$UR_{LBC} = \frac{N_l + a}{a + b + D} \qquad \text{Eq. 8}$$

where in this expression:
Nl is the total number of failures to load (applicable to EDG only) during the
previous 12 quarters,
D is the total number of load demands during the previous 12 quarters determined
in section 2.2.1
1 Atwood, Corwin L., Constrained noninformative priors in risk assessment, Reliability Engineering and System Safety, 53 (1996), 37-46.
The values a and b are parameters of the industry prior, derived from industry
experience (see Table 4).
In the calculation of equation 8 the numbers of demands and failures are the sums of all demands
and failures for similar components within each system.
URRBC is calculated as follows.

$$UR_{RBC} = \frac{N_r + a}{T_r + b} \times T_m \qquad \text{Eq. 9}$$

where:
Nr is the total number of failures to run during the previous 12 quarters
(determined in section 2.2.2),
Tr is the total number of run hours during the previous 12 quarters (determined in
section 2.2.1)
Tm is the mission time for the component based on plant-specific PRA
model assumptions. For EDGs, the mission time associated with the Failure To
Run Basic Event with the highest Birnbaum value is to be used. 1 For all other
equipment, where there is more than one mission time for different initiating
events or sequences (e.g., turbine-driven AFW pump for loss of offsite power
with recovery versus loss of Feedwater), the longest mission time is to be used.
and
a and b are parameters of the industry prior, derived from industry experience (see
Table 4).
Note, however, that even though a PRA mission time can be less than 24 hours, when
determining if an MSPI failure has occurred, the monitored component must have been able to
perform its monitored function for a 24 hour run.
In the calculation of equation 9 the numbers of demands and run hours are the sums of all run hours
and failures for similar components within each system. Do not sum across units for a multi-unit
plant, unless the system is shared between multiple units. For example, for a plant with two trains of
Emergency Diesel Generators, the run hours and failures for both trains would be added together
for one evaluation of equation 9, which would be used for both trains of EDGs.
1 NOTE: The basis document should be revised in 4Q2009 and applied for 1Q2010 data. Though the
PRA mission time used in the MSPI calculations can be less than 24 hours for the EDGs, when
determining if an MSPI failure has occurred, the EDG must have been able to perform its
monitored function for a 24 hour run.
F 2.3.7. BASELINE UNRELIABILITY VALUES
The baseline values for unreliability are contained in Table 8 and remain fixed.
Table 8. Industry Priors and Parameters for Unreliability

| Component | Failure Mode | a (note a) | b (note a) | Industry Mean Value (note b), URBLC |
|---|---|---|---|---|
| Circuit Breaker | Fail to open (or close) | 4.99E-1 | 6.23E+2 | 8.00E-4 |
| Hydraulic-operated valve | Fail to open (or close) | 4.98E-1 | 4.98E+2 | 1.00E-3 |
| Motor-operated valve | Fail to open (or close) | 4.99E-1 | 7.12E+2 | 7.00E-4 |
| Solenoid-operated valve | Fail to open (or close) | 4.98E-1 | 4.98E+2 | 1.00E-3 |
| Air-operated valve | Fail to open (or close) | 4.98E-1 | 4.98E+2 | 1.00E-3 |
| Motor-driven pump, standby | Fail to start | 4.97E-1 | 2.61E+2 | 1.90E-3 |
| | Fail to run | 5.00E-1 | 1.00E+4 | 5.00E-5 |
| Motor-driven pump, running or alternating | Fail to start | 4.98E-1 | 4.98E+2 | 1.00E-3 |
| | Fail to run | 5.00E-1 | 1.00E+5 | 5.00E-6 |
| Turbine-driven pump, AFWS | Fail to start | 4.85E-1 | 5.33E+1 | 9.00E-3 |
| | Fail to run | 5.00E-1 | 2.50E+3 | 2.00E-4 |
| Turbine-driven pump, HPCI or RCIC | Fail to start | 4.78E-1 | 3.63E+1 | 1.30E-2 |
| | Fail to run | 5.00E-1 | 2.50E+3 | 2.00E-4 |
| Diesel-driven pump, AFWS | Fail to start | 4.80E-1 | 3.95E+1 | 1.20E-2 |
| | Fail to run | 5.00E-1 | 2.50E+3 | 2.00E-4 |
| Emergency diesel generator | Fail to start | 4.92E-1 | 9.79E+1 | 5.00E-3 |
| | Fail to load/run | 4.95E-1 | 1.64E+2 | 3.00E-3 |
| | Fail to run | 5.00E-1 | 6.25E+2 | 8.00E-4 |

a. A constrained, non-informative prior is assumed. For failure to run events, a = 0.5 and b =
(a)/(mean rate). For failure upon demand events, a is a function of the mean probability:

| Mean Probability | a |
|---|---|
| 0.0 to 0.0025 | 0.50 |
| >0.0025 to 0.010 | 0.49 |
| >0.010 to 0.016 | 0.48 |
| >0.016 to 0.023 | 0.47 |
| >0.023 to 0.027 | 0.46 |

Then b = (a)(1.0 - mean probability)/(mean probability).
b. Failure to run events occurring within the first hour of operation are included within the
failure to start failure mode. Failure to run events occurring after the first hour of operation
(after the first hour following closure of the load breaker for emergency power generators)
are included within the failure to run failure mode.
F 3. ESTABLISHING STATISTICAL SIGNIFICANCE
This performance indicator establishes an acceptable level of performance for the monitored
systems that is reflected in the baseline reliability values in Table 4. Plant-specific
differences from this acceptable performance are interpreted in the context of the risk
significance of the difference from the acceptable performance level. It is expected that a system
that is performing at an acceptable performance level will see variations in performance over the
monitoring period. For example a system may, on average, see three failures in a three year
period at the accepted level of reliability. It is expected, due to normal performance variation,
that this system will sometimes experience two or four failures in a three year period. It is not
appropriate that a system should be placed in a white performance band due to expected
variation in measured performance. This problem is most noticeable for risk sensitive systems
that have few demands in the three year monitoring period.
The mitigating systems chosen to be monitored are generally the most important systems in
nuclear power stations. However, in some cases the system may not be as important at a specific
station. This is generally due to specific features at a plant, such as diverse methods of achieving
the same function as the monitored system. In these cases a significant degradation in
performance could occur before the risk significance reached a point where the MSPI would
cross the white boundary. In cases such as this it is not likely that the performance degradation
would be limited to that one system and may well involve cross cutting issues that would
potentially affect the performance of other mitigating systems.
A performance based criterion for determining declining performance is used as an additional
decision criterion for determining that performance of a mitigating system has degraded to the
white band. This decision is based on deviation of system performance from expected
performance. The decision criterion was developed such that a system is placed in the white
performance band when there is high confidence that system performance has degraded even
though MSPI ≤< 1.0E-06.
This problem is resolved by applying a limit of 5.0E-07 to the magnitude of the most significant
failure in a system. This ensures that one failure beyond the expected number of failures alone
cannot result in MSPI > 1.0E-06. A MSPI > 1.0E-06 will still be a possible result if there is
significant system unavailability, or failures in other components in the system.
This limit on the maximum value of the most significant failure in a system is only applied if the
MSPI value calculated without the application of the limit is less than or equal to 1.0E-05.
This calculation will be performed by the CDE software; no additional input values are required.
F 4. CALCULATION OF SYSTEM COMPONENT PERFORMANCE LIMITS
The criterion is applied to each component type in a system. If the number of failures in a 36
month period for a component type exceeds a performance based limit, then the system is
considered to be performing at a white level, regardless of the MSPI calculated value. The
performance based limit is calculated in two steps:
1. Determine the expected number of failures for a component type and
2. Calculate the performance limit from this value.
The expected number of failures is calculated from the relation
Fe = Nd * p + λ * Tr
Where:
Nd is the number of demands
p is the probability of failure on demand, from Table 8 (URLBC).
λ is the failure rate, from Table 8 (URLBC)
Tr is the runtime of the component
This value is used in the following expression to determine the maximum number of failures:
Fm = 4.65 * Fe + 4.2
If the actual number of failures (Fa) of a similar group of components (components that are
grouped for the purpose of pooling data) within a system in a 36 month period exceeds Fm, then
the system is placed in the white performance band or the level dictated by the MSPI calculation
if the MSPI calculation is > 1E-5.
This calculation will be performed by the CDE software; no additional input values are required.
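Equations 7 and 9 and the F 4 performance limit applied to one pooled component group, as an added example that is not part of NEI 99-02 or the CDE software. The train data, the 24 hour mission time and all function names are assumptions made for illustration; the prior parameters are the Table 8 rows for a standby motor-driven pump.

```python
"""Added example: Eqs. 7 and 9 plus the F 4 failure limit for one pooled group."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Prior:
    a: float
    b: float
    mean: float  # Table 8 industry mean (per demand, or per hour for fail to run)


# Table 8 rows for "Motor-driven pump, standby".
MDP_STANDBY_START = Prior(a=4.97e-1, b=2.61e2, mean=1.90e-3)
MDP_STANDBY_RUN = Prior(a=5.00e-1, b=1.00e4, mean=5.00e-5)


@dataclass(frozen=True)
class TrainData:
    """Twelve quarters of data for one train (values below are constructed)."""
    unit: str
    demands: int
    start_failures: int
    run_hours: float
    run_failures: int


def pool(trains, shared_between_units=False):
    """Sum data for similar components in one system; never across units
    unless the system is shared between them."""
    if len({t.unit for t in trains}) > 1 and not shared_between_units:
        raise ValueError("do not sum across units unless the system is shared")
    return TrainData(
        unit=trains[0].unit,
        demands=sum(t.demands for t in trains),
        start_failures=sum(t.start_failures for t in trains),
        run_hours=sum(t.run_hours for t in trains),
        run_failures=sum(t.run_failures for t in trains),
    )


def ur_demand(failures, demands, prior):
    """Eq. 7 (Eq. 8 has the same form with load failures and load demands)."""
    return (failures + prior.a) / (prior.a + prior.b + demands)


def ur_run(failures, run_hours, mission_time, prior):
    """Eq. 9: Bayesian-updated failure rate times the mission time Tm."""
    return (failures + prior.a) / (run_hours + prior.b) * mission_time


def failure_limit(demands, run_hours, p, lam):
    """F 4: Fe = Nd*p + lambda*Tr, then Fm = 4.65*Fe + 4.2."""
    fe = demands * p + lam * run_hours
    return fe, 4.65 * fe + 4.2


def exceeds_limit(actual_failures, demands, run_hours, p, lam):
    """True when the actual failure count Fa is above Fm."""
    _, fm = failure_limit(demands, run_hours, p, lam)
    return actual_failures > fm


# Constructed data: two standby motor-driven pump trains on the same unit.
TRAINS = [
    TrainData("Unit 1", demands=40, start_failures=1, run_hours=60.0, run_failures=0),
    TrainData("Unit 1", demands=38, start_failures=0, run_hours=55.0, run_failures=1),
]
MISSION_TIME_H = 24.0  # assumed PRA mission time


if __name__ == "__main__":
    g = pool(TRAINS)
    ur_dbc = ur_demand(g.start_failures, g.demands, MDP_STANDBY_START)
    ur_rbc = ur_run(g.run_failures, g.run_hours, MISSION_TIME_H, MDP_STANDBY_RUN)
    fe, fm = failure_limit(g.demands, g.run_hours,
                           MDP_STANDBY_START.mean, MDP_STANDBY_RUN.mean)
    fa = g.start_failures + g.run_failures
    print(f"URDBC = {ur_dbc:.4e}  URRBC = {ur_rbc:.4e}")
    print(f"Fe = {fe:.5f}  Fm = {fm:.4f}  Fa = {fa}  over limit = {fa > fm}")
```

With no plant data at all, Eq. 7 returns a/(a + b), which reproduces the Table 8 mean to within rounding; plant failures and demands then pull the estimate away from the industry prior.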
F 5. ADDITIONAL GUIDANCE FOR SPECIFIC SYSTEMS
This section identifies the potential monitored functions for each system and describes typical
system scopes and train determinations.
Emergency AC Power Systems
Scope
The function monitored for the emergency AC power system is the ability of the emergency
generators to provide AC power to the class 1E buses following a loss of off-site power. The
emergency AC power system is typically comprised of two or more independent emergency
generators that provide AC power to class 1E buses following a loss of off-site power. The
emergency generator dedicated to providing AC power to the high pressure core spray system in
BWRs is not within the scope of emergency AC power.
The EDG component boundary includes the generator body, generator actuator, lubrication
system (local), fuel system (local or day tank and fuel oil transfer pumps/valves 1), cooling
components (local), startup air system receiver, exhaust and combustion air system, dedicated
diesel battery (which is not part of the normal DC distribution system), individual diesel
generator control system, cooling water isolation valves, circuit breaker for supply to safeguard
buses and their associated control circuit. Air compressors are not part of the EDG component
boundary.
The fuel oil transfer pumps required to meet the PRA mission time are within the system EDG
component boundary, but are not considered to be a separate monitored component for reliability
monitoring in the EDG system. Additionally they are monitored for contribution to train
unavailability only if the fuel oil transfer pump(s) is (are) required to meet the EDG mission time
1 The word “valves” is included here for plants with a gravity-fed fuel oil transfer system. For these designs, the valve(s) provide the functional
equivalent of the FOTP in pump-fed designs.
(as specified in Section F.2.2.2 and as defined in the MSPI Definition of Terms section). an EDG
train can only be supplied from a single transfer pump. Where the capability exists to supply an
EDG from redundant transfer pumps, the contribution to the EDG MSPI from these components
is expected to be small compared to the contribution from the EDG itself. Monitoring the transfer
pumps for reliability is not practical because accurate estimations of demands and run hours are
not feasible (due to the auto start and stop feature of the pump) considering the expected small
contribution to the index. (See also the EDG Failure-to-Run definition in Section F.2.2.2 as
revised by FAQ 11-08.)
Emergency generators that are not safety grade, or that serve a backup role only (e.g., an
alternate AC power source), are not included in the performance reporting.
Train Determination
The number of emergency AC power system trains for a unit is equal to the number of class 1E
emergency generators that are available to power safe-shutdown loads in the event of a loss of
off-site power for that unit. There are three typical configurations for EDGs at a multi-unit
station:
1. EDGs dedicated to only one unit.
2. One or more EDGs are available to “swing” to either unit
3. All EDGs can supply all units
For configuration 1, the number of trains for a unit is equal to the number of EDGs dedicated to
the unit. For configuration 2, the number of trains for a unit is equal to the number of dedicated
EDGs for that unit plus the number of “swing” EDGs available to that unit (i.e., the “swing”
EDGs are included in the train count for each unit). For configuration 3, the number of trains is
equal to the number of EDGs.
Clarifying Notes
An EDG is not considered to have failed due to any of the following events:
• spurious operation of a trip that would be bypassed in a loss of offsite power event
• malfunction of equipment that is not required to operate during a loss of offsite power event
(e.g., circuitry used to synchronize the EDG with off-site power sources)
• failure to start because a redundant portion of the starting system was intentionally disabled
for test purposes, if followed by a successful start with the starting system in its normal
alignment
BWR High Pressure Injection Systems
(High Pressure Coolant Injection, High Pressure Core Spray, and Feedwater Coolant
Injection)
Scope
These systems function at high pressure to maintain reactor coolant inventory and to remove
decay heat.
The function monitored for the indicator is the ability of the monitored system to take suction
from the suppression pool (and from the condensate storage tank, if required to meet the PRA
success criteria and mission times) and inject into the reactor vessel. The mitigation of ATWS
events with a high pressure injection system is not considered a function to be monitored by the
MSPI. (Note, however, that the FV values will include ATWS events).
Plants should monitor either the high-pressure coolant injection (HPCI), the high-pressure core
spray (HPCS), or the feedwater coolant injection (FWCI) system, whichever is installed. The
turbine and governor and associated piping and valves for turbine steam supply and exhaust are
within the scope of the HPCI system. The flow path for the steam supply to a turbine driven
pump is included from the steam source (main steam lines) to the pump turbine. The motor
driven pump for HPCS and FWCI are in scope along with any valves that must change state such
as low flow valves in FWCI. Valves in the feedwater line are not considered within the scope of
these systems because they are normally open during operation and do not need to change state
for these systems to operate. However waterside valves up to the feedwater line are in scope if
they need to change state such as the HPCI injection valve.
The emergency generator dedicated to providing AC power to the high-pressure core spray
system is included in the scope of the HPCS. The HPCS system typically includes a "water leg"
pump to prevent water hammer in the HPCS piping to the reactor vessel. The "water leg" pump
and valves in the "water leg" pump flow path are ancillary components and are not included in
the scope of the HPCS system. Unavailability is not included while critical if the system is below
steam pressure specified in technical specifications at which the system can be operated.
Oyster Creek
For Oyster Creek the design does not include any high pressure injection system beyond the
normal feedwater system. For the BWR high pressure injection system, Oyster Creek will
monitor the Core Spray system, a low pressure injection system.
Train Determination
The HPCI and HPCS systems are considered single-train systems. The booster pump and other
small pumps are ancillary components not used in determining the number of trains. The effect
of these pumps on system performance is included in the system indicator to the extent their
failure detracts from the ability of the system to perform its monitored function. For the FWCI
system, the number of trains is determined by the number of feedwater pumps. The number of
condensate and feedwater booster pumps are not used to determine the number of trains. It is
recommended that the DG that provides dedicated power to the HPCS system be monitored as a
separate “train” (or segment) for unavailability as the risk importance of the DG is less
different than the fluid parts of the system.
Reactor Core Isolation Cooling
(or Isolation Condenser)
Scope
This system functions at high pressure to remove decay heat. The RCIC system also functions to
maintain reactor coolant inventory.
The function monitored for the indicator is the ability of the RCIC system to cool the reactor
vessel core and provide makeup water by taking suction from the suppression pool (and from the
condensate storage tank, if required to meet the PRA success criteria and mission times) and
inject into the reactor vessel.
The Reactor Core Isolation Cooling (RCIC) system turbine, governor, and associated piping and
valves for steam supply and exhaust are within the scope of the RCIC system. Valves in the
feedwater line are not considered within the scope of the RCIC system because they are normally
open during operation and do not have to change state for RCIC to perform its function.
The function monitored for the Isolation Condenser is the ability to cool the reactor by
transferring heat from the reactor to the Isolation Condenser water volume. The Isolation
Condenser and inlet valves are within the scope of Isolation Condenser system along with the
connecting active valve for isolation condenser makeup. Unavailability is not included while
critical if the system is below steam pressure specified in technical specifications at which the
system can be operated.
Train Determination
The RCIC system is considered a single-train system. The condensate and vacuum pumps are
ancillary components not used in determining the number of trains. The effect of these pumps on
RCIC performance is included in the system indicator to the extent that a component failure
results in an inability of the system to perform its monitored function.
For Isolation Condensers, a train is a flow path from the reactor to the isolation condenser back
to the reactor. The connecting active valve for isolation condenser makeup is included in the
train.
BWR Residual Heat Removal Systems
Scope
The function monitored for the BWR residual heat removal (RHR) system is the ability of the
RHR system to provide suppression pool cooling. The pumps, heat exchangers, and associated
piping and valves for this function are included in the scope of the RHR system. If an RHR
system has pumps that do not perform a heat removal function (e.g. cannot connect to a heat
exchanger, dedicated LPCI pumps) they are not included in the scope of this indicator.
Train Determination
The number of trains in the RHR system is determined as follows. If the number of heat
exchangers and pumps is the same, the number of heat exchangers determines the number of
trains. If the number of heat exchangers and pumps are different, the number of trains should be
that used by the PRA model. Typically this would be two pumps and one heat exchanger
forming a train where the train is unavailable only if both pumps are unavailable, or two pumps
and one heat exchanger forming two trains with the heat exchanger as a shared component where
a train is unavailable if a pump is unavailable and both trains are unavailable if the heat
exchanger is unavailable.
PWR High Pressure Safety Injection Systems
Scope
These systems are used primarily to maintain reactor coolant inventory at high RCS pressures
following a loss of reactor coolant. HPSI system operation involves transferring an initial supply
of water from the refueling water storage tank (RWST) to cold leg piping of the reactor coolant
system. Once the RWST inventory is depleted, recirculation of water from the reactor building
emergency sump is required. The function monitored for HPSI is the ability of a HPSI train to
take a suction from the primary water source (typically, a borated water tank), or from the
containment emergency sump, and inject into the reactor coolant system.
The scope includes the pumps and associated piping and valves from both the refueling water
storage tank and from the containment sump to the pumps, and from the pumps into the reactor
coolant system piping. For plants where the high-pressure injection pump takes suction from the
residual heat removal pumps, the residual heat removal pump discharge header isolation valve to
the HPSI pump suction is included in the scope of HPSI system. Some components may be
included in the scope of more than one train. For example, cold-leg injection lines may be fed
from a common header that is supplied by both HPSI trains. In these cases, the effects of testing
or component failures in an injection line should be reported in both trains.
Train Determination
In general, the number of HPSI system trains is defined by the number of high head injection
paths that provide cold-leg and/or hot-leg injection capability, as applicable.
For Babcock and Wilcox (B&W) reactors, the design features centrifugal multi-stage pumps
used for high pressure injection (about 2,500 psig) and no hot-leg injection path. Recirculation
from the containment sump requires lining up the HPI pump suctions to the Low-Pressure
Injection (LPI) pump discharges for adequate NPSH. This is typically a two-train system, with
an installed spare pump (depending on plant-specific design) that can be aligned to either train.
For two-loop Westinghouse plants, the pumps operate at a lower pressure (about 1600 psig) and
there may be a hot-leg injection path in addition to a cold-leg injection path (both are included as
a part of the train).
For Westinghouse three-loop plants, the design features three centrifugal pumps that operate at
high pressure (about 2500 psig), a cold-leg injection path through the BIT (with two trains of
redundant valves), an alternate cold-leg injection path, and two hot-leg injection paths. One of
the pumps is considered an installed spare. Recirculation is provided by taking suction from the
RHR pump discharges. A train consists of a pump, the pump suction valves and boron injection
tank (BIT) injection line valves electrically associated with the pump, and the associated hot-leg
injection path. The alternate cold-leg injection path is required for recirculation, and should be
included in the train with which its isolation valve is electrically associated. This represents a
two-train HPSI system.
For four-loop Westinghouse plants, the design features two centrifugal pumps that operate at
high pressure (about 2500 psig), two centrifugal pumps that operate at an intermediate pressure
(about 1600 psig), a BIT injection path (with two trains of injection valves), a cold-leg safety
injection path, and two hot-leg injection paths. Recirculation is provided by taking suction from
the RHR pump discharges. Each of two high pressure trains is comprised of a high pressure
centrifugal pump, the pump suction valves and BIT valves that are electrically associated with
the pump. Each of two intermediate pressure trains is comprised of the safety injection pump, the
suction valves and the hot-leg injection valves electrically associated with the pump. The
cold-leg safety injection path can be fed with either safety injection pump, thus it should be associated
with both intermediate pressure trains. This HPSI system is considered a four-train system for
monitoring purposes.
For Combustion Engineering (CE) plants, the design features two or three centrifugal pumps that
operate at intermediate pressure (about 1300 psig) and provide flow to four cold-leg injection
paths or two hot-leg injection paths. In most designs, the HPSI pumps take suction directly from
the containment sump for recirculation. In these cases, the sump suction valves are included
within the scope of the HPSI system. This is a two-train system (two trains of combined cold-leg
and hot-leg injection capability). One of the three pumps is typically an installed spare that can
be aligned to either train or only to one of the trains (depending on plant-specific design).
PWR Auxiliary Feedwater Systems
Scope
The function of the AFW system is to provide decay heat removal via the steam generators to
cool down and depressurize the reactor coolant system following a reactor trip. The mitigation of
ATWS events with the AFW system is not considered a function to be monitored by the MSPI.
(Note, however, that the FV values will include ATWS events).
The function monitored for the indicator is the ability of the AFW system to autostart, take
a suction from a water source (typically, the condensate storage tank and if required to meet
the PRA success criteria and mission time, from an alternate source) and to inject into at least
one steam generator.
The scope of the auxiliary feedwater (AFW) or emergency feedwater (EFW) systems includes
the pumps, the condensate storage tank (CST), and the components in the flow paths
between the pumps and the CST, and, if required, the valve(s) that
connect the alternative water source to the auxiliary feedwater system. The flow path for the
steam supply to a turbine driven pump is included from the steam source (main steam lines) to
the pump turbine. Pumps included in the Technical Specifications (subject to a Limiting
Condition for Operation) are included in the scope of this indicator. Some initiating events, such
as a feedwater line break, may require isolation of AFW flow to the affected steam generator to
prevent flow diversion from the unaffected steam generator. This function should be considered
a monitored function if it is required.
Train Determination
The number of trains is determined primarily by the number of parallel pumps. For example, a
system with three pumps is defined as a three-train system, whether it feeds two, three, or four
injection lines, and regardless of the flow capacity of the pumps. Some components may be
included in the scope of more than one train. For example, one set of flow regulating valves and
isolation valves in a three-pump, two-steam generator system are included in the motor-driven
pump train with which they are electrically associated, but they are also included (along with the
redundant set of valves) in the turbine-driven pump train. In these instances, the effects of testing
or failure of the valves should be reported in both affected trains. Similarly, when two trains
provide flow to a common header, the effect of isolation or flow regulating valve failures in
paths connected to the header should be considered in both trains.
PWR Residual Heat Removal System
Scope
The function monitored for the PWR residual heat removal (RHR) system is the long term decay
heat removal function to mitigate those transients that cannot rely on the steam generators alone
for decay heat removal. These typically include the low-pressure injection function and the
recirculation mode used to cool and recirculate water from the containment sump following
depletion of RWST inventory to provide decay heat removal. The pumps, heat exchangers, and
associated piping and valves for those functions are included in the scope of the RHR system.
Containment spray function should be included if it provides a risk significant decay heat
removal function. Containment spray systems that only provide containment pressure control are
not included.
CE Designed NSSS
CE ECCS designs differ from the description above. CE designs run all ECCS pumps during the
injection phase (Containment Spray (CS), High Pressure Safety Injection (HPSI), and Low
Pressure Safety Injection (LPSI)), and on Recirculation Actuation Signal (RAS), the LPSI
pumps are automatically shut down, and the suction of the HPSI and CS pumps is shifted to the
containment sump. The HPSI pumps then provide the recirculation phase core injection, and the
CS pumps by drawing inventory out of the sump, cooling it in heat exchangers, and spraying the
cooled water into containment, support the core injection inventory cooling.
For the RHR function the CE plant design uses HPSI to take a suction from the sump, CS to cool
the fluid, and HPSI to inject at low pressure into the RCS. Due to these design differences, CE
plants with this design should monitor this function in the following manner. The two
containment spray pumps and associated coolers should be counted as two trains of RHR
providing the recirculation cooling. Therefore, for the CE designed plants two trains should be
monitored, as follows:
• Train 1 (recirculation mode) Consisting of the "A" containment spray pump, the required
spray pump heat exchanger and associated flow path valves.
• Train 2 (recirculation mode) Consisting of the "B" containment spray pump, the required
spray pump heat exchanger and associated flow path valves.
Surry, North Anna and Beaver Valley Unit 1
The at-power RHR function is provided by two 100% low head safety injection pumps taking
suction from the containment sump and injecting to the RCS at low pressure and with the heat
exchanger function (containment sump water cooling) provided by four 50% containment
recirculation spray system pumps and heat exchangers.
The RHR Performance Indicator should be calculated as follows. The low head safety injection
and recirculation spray pumps and associated coolers should be counted as two trains of RHR
providing the recirculation cooling function, as follows:
• “A” train consisting of the “A” LHSI pump, associated MOVs and the required “A” train
recirculation spray pumps, heat exchangers, and MOVs.
• “B” train consisting of the “B” LHSI pump, associated MOVs and the required “B” train
recirculation spray pumps, heat exchangers, and MOVs.
Beaver Valley Unit 2
The at-power RHR function is provided by two 100% containment recirculation spray pumps
taking suction from the containment sump, and injecting to the RCS at low pressure. The heat
exchanger function is provided by two 100% capacity containment recirculation spray system
heat exchangers, one per train. The RHR Performance Indicator should be calculated as follows.
The two containment recirculation spray pumps and associated coolers should be counted as two
trains of RHR providing the recirculation cooling.
Two trains should be monitored as follows:
• Train 1 (recirculation mode) Consisting of the containment recirculation spray pump,
associated MOVs and the required recirculation spray pump heat exchanger and MOVs.
• Train 2 (recirculation mode) Consisting of the containment recirculation spray pump,
associated MOVs and the required recirculation spray pump heat exchanger and MOVs.
Train Determination
The number of trains in the RHR system is determined by the number of parallel RHR heat
exchangers. Some components are used to provide more than one function of RHR. If a
component cannot perform as designed, rendering its associated train incapable of meeting one
of the monitored functions, then the train is considered to be failed. Unavailable hours would be
reported as a result of the component failure.
Cooling Water Support System
Scope
The functions monitored for the cooling water support system are those functions that are
necessary (i.e. Technical Specification-required) to provide for direct cooling of the components
in the other monitored trains or segments of systems supported by the cooling water
system. It does not include indirect cooling provided by room coolers or other HVAC features.
Systems that provide this function typically include service water and component cooling water
or their cooling water equivalents. Service water systems are typically open “raw water”
systems that use natural sources of water such as rivers, lakes, or oceans. Component cooling
water systems are typically closed “clean water” systems.
Pumps, valves, heat exchangers and line segments that are necessary to provide cooling to the
other monitored trains or segments of system(s) supported by the cooling water system
are included within the cooling water system scope boundary up to, but not including, the last
isolation valve(s) that connects the cooling water support system to components in a single
monitored train or segment of the supported system. This last isolation valve is included within
the boundary of the monitored train or segment of the supported system. The
last valve(s) that provides cooling to SSCs in more than one monitored train or segment
of supported system(s) is included within the boundary of the cooling water support
system. All valves (e.g., manual isolation valves or motor operated valves) in a cooling water
line to a single monitored train or segment of a supported system are included within the
boundary of the monitored train or segment of the supported system. Figure F-6 depicts this
concept and the treatment of multiple isolation valves. The SSCs outside the dashed boxes are
included within the boundary of the cooling water system. The SSCs within the dashed boxes
are included within the boundaries of the supported systems.
Valves in the cooling water support system that must close to ensure sufficient cooling to the
other monitored system components to meet risk significant functions are included in the system
boundary.
If a cooling water system provides cooling to only one monitored system, then it should be
included in the scope of that monitored system. Systems that are dedicated to cooling RHR heat
exchangers only are included in the cooling water support system scope.
Train Determination
The number of trains in the Cooling Water Support System will vary considerably from plant to
plant. The way these functions are modeled in the plant-specific PRA will determine a logical
approach for train determination. For example, if the PRA modeled separate pump and line
segments, then the number of pumps and line segments would be the number of trains.
Clarifying Notes
Service water pump strainers, cyclone separators, and traveling screens are not considered to be
monitored components and are therefore not part of URI. However, clogging of strainers and
screens that renders the train unavailable to perform its monitored cooling function (which
includes the mission times) is included in UAI. Note, however, if the service water pumps fail
due to a problem with the strainers, cyclone separators, or traveling screens, the failure is
included in the URI.
F 6. CALCULATION OF THE BIRNBAUM IMPORTANCE BY REQUANTIFICATION
This section provides an alternative to the method outlined in sections F 1.3.1-F 1.3.3 and F
2.3.1-F 2.3.3. If the method outlined in this section is used, the
calculations outlined in sections F 1.3.1-F 1.3.3 and F 2.3.1-F 2.3.3 are not applicable.
The truncation level used for the method described in this section should be sufficient to
provide a converged value of CDF. CDF is considered to be converged when decreasing the
truncation level by a decade results in a change in CDF of less than 5%.
The Birnbaum importance measure can be calculated from:
$$B = CDF_1 - CDF_0$$
or
$$B = \frac{CDF_1 - CDF_B}{1 - p}$$
Where
$CDF_1$ is the Core Damage Frequency with the failure probability for the component (any
representative basic event) set to one,
$CDF_0$ is the Core Damage Frequency with the failure probability for the component (any
representative basic event) set to zero,
$CDF_B$ is the Base Case Core Damage Frequency,
and
$p$ is the failure probability of the representative basic event.
As a special case, if the component is truncated from the base case then
$$CDF_B = CDF_0$$
and
$$B = CDF_1 - CDF_B$$
With the Birnbaum importance calculated directly by re-quantification, the CDE input values
must be calculated from this quantity.
The CDF value input to CDE for this method is the value of CDFB from the baseline
quantification.
The value of UA or UR is taken from the representative basic event (p) used in the
quantification above. The FV value is then calculated from the expression
$$FV = \frac{B \cdot p}{CDF}$$
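The requantification method of Section F 6, carried through on a small model, as an added worked example that is not part of NEI 99-02. The cut sets, event names, probabilities and truncation level are constructed for illustration; the model is quantified with the rare-event approximation (sum of cut set frequencies), and measuring the 5% convergence change relative to the CDF at the current truncation level is an assumption.

```python
from math import prod

# Constructed sample data (not plant data): basic event failure probabilities.
PROBS = {
    "PUMP-A-FTS": 2e-3,
    "PUMP-B-FTS": 2e-3,
    "VALVE-X-FTO": 1e-3,
    "EDG-FTR": 5e-2,
    "MOV-Y-FTO": 1e-4,
}

# Constructed minimal cut sets: (initiating event frequency per year, basic events).
CUT_SETS = [
    (1e-2, ("PUMP-A-FTS", "PUMP-B-FTS")),
    (1e-1, ("VALVE-X-FTO", "EDG-FTR")),
    (1e-2, ("PUMP-A-FTS", "EDG-FTR")),
    (1e-3, ("PUMP-B-FTS", "VALVE-X-FTO")),
    (1e-3, ("MOV-Y-FTO", "PUMP-B-FTS")),  # 2e-10/yr: below the truncation level
]

TRUNCATION = 1e-9  # constructed truncation level, per year


def retained(cut_sets, probs, truncation):
    """Return (frequency, events) for every cut set at or above truncation."""
    kept = []
    for ie_freq, events in cut_sets:
        value = ie_freq * prod(probs[e] for e in events)
        if value >= truncation:
            kept.append((value, events))
    return kept


def cdf(cut_sets, probs, truncation):
    """Core damage frequency as the sum of retained cut set frequencies."""
    return sum(value for value, _ in retained(cut_sets, probs, truncation))


def requantify(cut_sets, probs, truncation, event, value):
    """Re-quantify the model with one basic event forced to `value`."""
    return cdf(cut_sets, {**probs, event: value}, truncation)


def birnbaum_direct(cut_sets, probs, truncation, event):
    """B = CDF1 - CDF0 (two re-quantifications)."""
    cdf_1 = requantify(cut_sets, probs, truncation, event, 1.0)
    cdf_0 = requantify(cut_sets, probs, truncation, event, 0.0)
    return cdf_1 - cdf_0


def birnbaum_from_base(cut_sets, probs, truncation, event):
    """B = (CDF1 - CDFB) / (1 - p), or CDF1 - CDFB if the event is
    truncated from the base case (then CDFB = CDF0)."""
    cdf_b = cdf(cut_sets, probs, truncation)
    cdf_1 = requantify(cut_sets, probs, truncation, event, 1.0)
    in_base = any(event in events
                  for _, events in retained(cut_sets, probs, truncation))
    if not in_base:
        return cdf_1 - cdf_b
    return (cdf_1 - cdf_b) / (1.0 - probs[event])


def fussell_vesely(b, p, cdf_b):
    """FV = B * p / CDF, with CDF taken as the baseline value CDFB."""
    return b * p / cdf_b


def is_converged(cut_sets, probs, truncation, limit=0.05):
    """True if lowering truncation by a decade changes CDF by less than 5%."""
    current = cdf(cut_sets, probs, truncation)
    lower = cdf(cut_sets, probs, truncation / 10.0)
    return abs(lower - current) / current < limit


def cde_inputs(cut_sets, probs, truncation, event):
    """Values derived for one representative basic event: CDF, UA/UR (p), FV."""
    cdf_b = cdf(cut_sets, probs, truncation)
    b = birnbaum_from_base(cut_sets, probs, truncation, event)
    return {"CDF": cdf_b, "p": probs[event], "B": b,
            "FV": fussell_vesely(b, probs[event], cdf_b)}


if __name__ == "__main__":
    print("converged:", is_converged(CUT_SETS, PROBS, TRUNCATION))
    for name in ("PUMP-A-FTS", "MOV-Y-FTO"):
        print(name, cde_inputs(CUT_SETS, PROBS, TRUNCATION, name))
```

In this model MOV-Y-FTO appears only in a cut set below the truncation level, so it exercises the special case: its Birnbaum value comes from CDF1 minus CDFB rather than from the division by 1 − p.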
[Figure F-1: EDG Component Boundary. Diagram labels: ESFAS/Sequencer, DC Power, Class 1E Bus, EDG Breaker, Diesel Engine, Generator, Exciter and Voltage Regulator, Governor and Control System, Control and Protection System, Lubrication System, Exhaust System, Starting Air System Receiver, Combustion Air System and Supply, Jacket Water, Fuel Oil System, Fuel Oil Day Tank, Fuel Oil Transfer Pump/Valve*, Isolation Valve, Cooling Water, Room Cooling.]
* The Fuel Oil Transfer Pump(s)/Valve(s) are included in the EDG System Component Boundary.
See Section 5 for monitoring requirements.
[Figures F-2 and F-3: Motor Driven Pump Boundary and MOV Boundary diagrams. Diagram labels: ESFAS, Controls, Breaker, Motor Operator, Pump.]
[Figure F-4: Turbine Driven Pump Boundary. Diagram labels: ESFAS, Controls, Turbine and Control Valve, Pump.]
[Figure F-5. Diagram labels: Tank, Monitored Components, Non-monitored Components, "(1 of 2 valves per train success criteria)", "(1 of 2 valves per system success criteria)".]
[Figure F-6. Diagram labels: Supply, Pump, Return, Train Boundary, System 1 Train A, System 2 Train A, System 3 Train A.]
APPENDIX G
MSPI Basis Document Development
To implement the Mitigating Systems Performance Index (MSPI), Licensees will develop a
plant-specific basis document that documents the information and assumptions used to
calculate the Reactor Oversight Program (ROP) MSPI. This basis document is necessary to
support the NRC inspection process, and to record the assumptions and data used in developing
the MSPI on each site. A summary of any changes to the basis document is noted in the
comment section of the quarterly data submission to the NRC.
The Basis document will have two major sections. The first described below will document the
information used in developing the MSPI. The second section will document the conformance
of the plant specific PRA to the requirements that are outlined in this appendix.
G 1. MSPI Data
The basis document provides a separate section for each monitored system as defined in Section
2.2 of NEI 99-02. The section for each monitored system contains the following subsections:
G 1.1 System Boundaries
This section contains a description of the boundaries for each train of the monitored system. A
plant drawing or figure (training type figure) should be included and marked adequately (i.e.,
highlighted trains) to show the boundaries. The guidance for determining the boundaries is
provided in Appendix F, Section 1.1 of NEI 99-02.
G 1.2 Risk Significant Functions
This section lists the risk significant functions for each train of the monitored system. Risk
Significant Functions are defined in section 2.2 of NEI 99-02. Additional detail is given in
Appendix F, Section 1.1.1 and Section 5 “Additional Guidance for Specific Systems”. A single
list for the system may be used as long as any differences between trains are clearly identified.
This section may also be combined with the section on Success Criteria if a combination of
information into a table format is desired. If none of the functions for the system are considered
risk significant, identify the monitored function as defined in section F 1.1.1.
G 1.3 Success Criteria
This section documents the success criteria as defined in Section 2.2 of NEI 99-02 for each of the
identified monitored functions for the system. Additional detail is given in Appendix F, Section
2.1.1. The criteria used are the documented PRA success criteria.
• If the licensee has chosen to use design basis success criteria in the PRA, then provide a
statement in this section that states the PRA uses design basis success criteria.
• If success criteria from the PRA are different from the design basis, then the specific
differences from the design basis success criteria shall be documented in this section.
Provide the actual values used to characterize success such as: The time required in the
PRA for the EDG to successfully reach rated speed and voltage is 15 seconds.
Where there are different success criteria for different monitored functions or different success
criteria for different initiators within a monitored function, all should be recorded and the most
restrictive shown as the one used, with the exception of ATWS-related success criteria which
are not in the scope of MSPI.
G 1.4 Mission Time
This section documents the risk significant mission time, as defined in Section 2.3.6 of
Appendix F, for each of the monitored functions identified for the system. The
following specific information should be included in support of the EDG mission time if a value
less than 24 hours is used:
• EDG Mission Time with highest Birnbaum
• Basic Event and Description (basis for Birnbaum)
• Other Emergency Power Failure to Run Basic Events, Descriptions, mission time and
Birnbaums (those not selected)
• Method for reduced mission time (e.g., Convolution, Multiple Discrete LOOP (Loss of
Offsite Power) Initiating Events, Other)
• Loss of Offsite Power (LOOP) Initiating Events, Description and Frequency
• Basis for LOOP Frequency (Industry/NRC Reference)
• Basis for LOOP Non-recovery Failure (Industry/NRC Reference)
• Credit for Emergency Power Repair (Yes/No)
• If repair credited, failure probability of repair and basis
G 1.5 Monitored Components
This section documents the selection of monitored components as defined in Appendix F,
Section 2.1.2 of NEI 99-02 in each train of the monitored system. A listing of all monitored
pumps, breakers and emergency power generators should be included in this section. A
listing of AOVs, HOVs, SOVs and MOVs that change state to achieve the monitored
functions should be provided as potential monitored components. The basis for excluding valves
and breakers in this list from monitoring should be provided. Component boundaries as
described in Appendix F, Section 2.1.3 of NEI 99-02 should be included where appropriate.
G 1.6 Basis for Demands/Run Hours (estimate or actual)
The determination of reliability largely relies on the values of demands, run hours and failures of
components to develop a failure rate. This section documents how the licensee will determine
the demands on a component. Several methods may be used.
• Actual counting of demands/run hours during the reporting period
• An estimate of demands/run hours based on the number of times a procedure or other
activities are performed plus either actual ESF demands/run hours or “zero” ESF
demands/run hours
• An estimate based on historical data over a year or more averaged for a quarterly average
plus either actual ESF demands/run hours or “zero” ESF demands/run hours
The method used, either actual or estimated values, shall be stated. If estimates are used for test
or operational demands or run hours then the process used for developing the estimates shall be
described and estimated values documented. If the estimates are based on performance of
procedures, list the procedures and the frequencies of performance that were used to develop the
estimates.
G 1.7 Short Duration Unavailability
This section provides a list of any periodic surveillances or evolutions of less than 15 minutes of
unavailability that the licensee does not include in train unavailability. The intent is to minimize
unnecessary burden of data collection, documentation, and verification because these short
durations have insignificant risk impact.
G 1.8 PRA Information used in the MSPI
G 1.8.1 Unavailability FV and UA
This section includes a table or spreadsheet that lists the basic events for unavailability for each
train of the monitored systems. This listing should include the probability, FV, and
FV/probability ratio and text description of the basic event or component ID. An example format
is provided as Table 1 at the end of this appendix. If the event chosen to represent the train is not
the event that results in the largest ratio, provide information that describes the basis for the
choice of the specific event that was used.
G 1.8.1.1 Unavailability Baseline Data
This section includes the baseline unavailability data by train for each monitored system. The
discussion should include the basis for the baseline values used. The detailed basis for the
baseline data may be included in an appendix to the MSPI Basis Document if desired.
The basis document should include the specific values for the planned and unplanned
unavailability baseline values that are used for each train or segment in the system.
G 1.8.1.2 Treatment of Support System Initiator(s)
This section documents whether the cooling water systems are an initiator or not. This section
provides a description of how the plant will include the support system initiator(s) as described
in Appendix F of NEI 99-02. If an analysis is performed for a plant-specific value, the
calculation must be documented in accordance with plant processes and referred to here. The
results should also be included in this section. A sample table format for presenting the results of
a plant-specific calculation for those plants that do not explicitly model the effect on the
initiating event contribution to risk is shown in Table 4 at the end of this appendix.
G 1.8.2 Unreliability FV and UR
There are two options described in Appendix F for the selection of FV and UR values; the
selected option should be identified in this section. This section also includes a table or
spreadsheet that lists the PRA information for each monitored component. This listing should
include the Component ID, event probability, FV, the common cause adjustment factor and
FV/probability ratio and text description of the basic event or component ID. An example format
is provided as Table 2 at the end of this appendix. If individual failure mode ratios (vice the
maximum ratio) will be used in the calculation of MSPI, then each failure mode for each
component will be listed in the table.
A separate table should be provided in an appendix to the basis document that provides the
complete set of basic events for each component. An example of this for one component is
shown in Table 3 at the end of this appendix. Only the basic event chosen for the MSPI
calculation requires completion of all table entries.
G 1.8.2.1 Treatment of Support System Initiator(s)
This section documents whether the cooling water systems are an initiator or not. This section
provides a description of how the plant will include the support system initiator(s) as described
in Appendix F of NEI 99-02. If an analysis is performed for a plant-specific value, the
calculation must be documented in accordance with plant processes and referred to here. The
results should also be included in this section. A sample table format for presenting the results of
a plant-specific calculation for those plants that do not explicitly model the effect on the
initiating event contribution to risk is shown in Table 4 at the end of this appendix.
G 1.8.2.2 Calculation of Common Cause Factor
This section contains the description of how the plant will determine the common cause factor as
described in Appendix F of NEI 99-02. If an analysis is performed for a plant-specific
value, the calculation must be documented in accordance with plant processes and referred to
here. The results should also be included in this section.
G 1.9 Assumptions
This section documents any specific assumptions made in determination of the MSPI
information that may need to be documented. Causes for documentation in this section could be
special methods of counting hours or runtimes based on plant-specific designs or
processes, or other instances not clearly covered by the guidance in NEI 99-02.
G 2. PRA Requirements
G 2.1 Discussion
The MSPI application can be considered a Phase 2 application under the NRC’s phased approach
to PRA quality. The MSPI is an index that is based on internal initiating events, full-power
PRA, for which the ASME Standard has been written. The Standard has been endorsed by the
staff in RG 1.200, which has been issued for trial use.
Licensees should assure that their PRA is of sufficient technical adequacy to support the MSPI
application by one of the following alternatives:
G 2.1.1 Alternative A (Consistent with MSPI PRA Task Group recommendations)
a) Resolve the peer review Facts and Observations (F&Os) for the plant PRA that are
classified as being in category A or B, or document the basis for a determination that any
open A or B F&Os will not significantly impact the MSPI calculation. Open A or B F&Os
are significant if collectively their resolution impacts any Birnbaum values used in MSPI
by more than a factor of 3. Appropriate sensitivity studies may be performed to quantify
the impact. If an open A or B F&O cannot be resolved by April 1, 2006 and significantly
impacts the MSPI calculation, a modified Birnbaum value equal to a factor of 3 times the
median Birnbaum value from the associated cross comparison group for pumps/diesels and
3 times the plant values for valves/breakers should be used in the MSPI calculation at the
index, system or component level, as appropriate, until the F&O is resolved.
And
b) Perform a self assessment using the NEI-00-02 process as modified by Appendix B of RG
1.200 for the ASME PRA Standard supporting level requirements identified by the MSPI
PRA task group and resolve any identified issues or document the basis for a determination
that any open issues will not significantly impact the MSPI calculation. Identified issues
are considered significant if they impact any Birnbaum values used in MSPI by more than a
factor of 3. Appropriate sensitivity studies may be performed to quantify the impact. If an
identified issue cannot be resolved by April 1, 2006 and significantly impacts the MSPI
calculation, a modified Birnbaum value equal to a factor of 3 times the median Birnbaum
value from the associated cross comparison group for pumps/diesels and 3 times the plant
value for valves/breakers should be used in the MSPI calculation at the index, system or
component level, as appropriate, until the issue is resolved.
G 2.1.2 Alternative B (Consistent with RG 1.174 guidance)
a) Resolve the peer review Facts and Observations (F&Os) for the plant PRA that are
classified as being in category A or B, or document the basis for a determination that any
open A or B F&Os will not significantly impact the MSPI calculation. Open A or B F&Os
are significant if collectively their resolution impacts any Birnbaum values used in MSPI
by more than a factor of 3. Appropriate sensitivity studies may be performed to quantify
the impact. If an open A or B F&O cannot be resolved by April 1, 2006 and significantly
impacts the MSPI calculation, a modified Birnbaum value equal to a factor of 3 times the
median Birnbaum value from the associated cross comparison group for pumps/diesels and
3 times the plant values for valves/breakers should be used in the MSPI calculation at the
index, system or component level, as appropriate, until the F&O is resolved.
And
b) Disposition any candidate outlier issues identified by the industry PRA cross comparison
activity. The disposition of candidate outlier issues can be accomplished by:
• Correcting or updating the PRA model;
• Demonstrating that outlier identification was due to valid design or PRA modeling
methods; or
• Using a modified Birnbaum value equal to a factor of 3 times the median value from the
associated cross comparison group for pumps/diesels and 3 times the plant value for
valves/breakers until the PRA model is corrected or updated.
G 2.2 PRA MSPI Documentation Requirements
A. Licensees should provide a summary of their PRA models to include the following:
1. Approved version and date used to develop MSPI data
2. Plant base CDF for MSPI
3. Truncation level used to develop MSPI data
B. Licensees should document the technical adequacy of their PRA models, including:
1. Justification for any open category A or B F&Os that will not be resolved prior to
April 1, 2006.
2. Justification for any open issues from:
a. the self-assessment performed for the supporting requirements (SR) identified in
Table 5, taking into consideration Appendix B of RG 1.200 (trial), with particular
attention to the notes in Table 4 of the MSPI PRA task group report.
-- OR --
b. identification of any candidate outliers for the plant from the group
cross-comparison studies.
C. Licensees should document in their PRA archival documentation:
1. A description of the resolution of the A and B category F&Os identified by the peer
review team.
2. Technical bases for the PRA.
G 3. TABLES
Table G 1 Unavailability Data HPSI (one table per system)
Train | Basic Event Name | Basic Event Description | Basic Event Probability (UAP) | Basic Event FVUAP (1) | FVUAP/UAP
A | 1SIAP02----MP6CM | HPSI Pump A Unavailable Due to Mntc | 3.20E-03 | 3.19E-03 | 9.97E-01
B | 1SIBP02----MP6CM | HPSI Pump B Unavailable Due to Mntc | 3.20E-03 | 3.85E-03 | 1.20E+00
1. Adjusted for IEF correction if used
Table G 2 – AFW System Monitored Component PRA Information
Component | Basic Event | Description | Basic Event Probability (URPC) | Basic Event FVURC | [FV/UR]ind | CC Adjustment Factor (A) | CC Adjustment Used | Adjusted Birnbaum
1MAFAP01 | 1AFASYS---AFACM | Train A Auxiliary Feedwater Pump Fails to Start | 2.75E-03 | 2.33E-02 | 8.49E+00 | 1 | Generic | 1.1E-04
1MAFBP01 | 1AFBP01---MPAFS | Train B Auxiliary Feedwater Pump Fails to Start | 6.73E-04 | 4.44E-02 | 6.59E+01 | 1.25 | Generic | 1.1E-03
1MAFNP01 | 1AFNSYS---AFNCM | Train N Auxiliary Feedwater Pump Fails to Start | 1.05E-03 | 1.10E-02 | 1.05E+01 | 1.25 | Generic | 1.7E-04
1JCTAHV0001 | 1CTAHV001-MV-FO | CST to AFW Pump N Supply Valve HV1 Fails to Open (Local Fault) | 3.17E-03 | 2.48E-02 | 7.83E+00 | 2 | Generic | 2.0E-04
1JCTAHV0004 | 1CTAHV004-MV-FO | CST to AFW Pump N Supply Valve HV4 Fails to Open (Local Fault) | 3.17E-03 | 2.48E-02 | 7.83E+00 | 2 | Generic | 2.0E-04
Table G 3 - Unreliability Data (one table per monitored component)
Component Name and ID: HPSI Pump B - 1SIBP02
Basic Event Name | Basic Event Description | Basic Event Probability (URPC) | Basic Event FVURC | [FV/UR]ind
1SIBP02--XCYXOR | HPSI Pump B Fails to Start Due to Override Contact Failure | 6.81E-04 | 7.71E-04 | 1.13E+00
1SIBP02---MPAFS | HPSI Pump B Fails to Start (Local Fault) | 6.73E-04 | 7.62E-04 | 1.13E+00
1SIBP02----MP-FR | HPSI Pump B Fails to Run | 4.80E-04 | 5.33E-04 | 1.11E+00
1SABHPK125RXAFT | HPSI Pump B Fails to Start Due to K125 Failure | 3.27E-04 | 3.56E-04 | 1.09E+00
1SIBP02---CB0CM | HPSI Pump B Circuit Breaker (PBB-S04E) Unavailable Due to Mntc | 2.20E-04 | 2.32E-04 | 1.05E+00
1SIBP02----CBBFT | HPSI Pump B Circuit Breaker (PBB-S04E) Fails to Close (Local Fault) | 2.04E-04 | 2.14E-04 | 1.05E+00
Common Cause Adjustment Factor (CCF): 3.0
Common Cause Adjustment Generic or Plant specific: Generic
Adjusted Birnbaum: 5.0E-05
1. Adjusted for IEF correction if used
Table G 4 Cooling Water Support System FV Calculation Results (one table per train/component/failure mode)
FVa (or FVc) | FVie | FVsa (or FVsc) | UA (or UR) | Calculated FV (per appendix F) (result is put in Basic Event column of table 1 or table 2 as appropriate)
TABLE G 5. ASME PRA Standard Supporting Requirements Requiring Self-Assessment
Supporting Requirement | Comments
IE-A4 | Focus on plant-specific initiators and special initiators, especially loss of DC bus, Loss of AC bus, or Loss of room cooling type initiators
IE-A7 | Category I in general. However, precursors to losses of cooling water systems in particular, e.g., from fouling of intake structures, may indicate potential failure mechanisms to be taken into account in the system analysis (IE-C6, 7, 8, 9)
IE-A9 | Category II for plants that choose fault trees to model support systems. Watch for initiating event frequencies that are substantially (e.g., more than 3 times) below generic values.
IE-C1 | Focus on loss of offsite power (LOOP) frequency as a function of duration
IE-C2 | Focus on LOOP and medium and small LOCA frequencies including stuck open PORVs
IE-C6 | For plants that choose fault trees for support systems, attention to loss of cooling systems initiators.
IE-C9 | Category II for plants that choose fault trees for support systems. Pay attention to initiating event frequencies that are substantially (i.e., more than 3 times) below generic values
AS-A3 | Focus on credit for alternate sources, e.g., gas turbines, CRD, fire water, SW cross-tie, recovery of FW
AS-A4 | Focus on credit for alternate sources, e.g., gas turbines, CRD, fire water, SW cross-tie, recovery of FW
AS-A5 | Focus on credit for alternate sources, e.g., gas turbines, CRD, fire water, SW cross-tie, recovery of FW
AS-A9 | Category II for MSPI systems and components and for systems such as CRD, fire water, SW cross-tie, recovery of FW
AS-A10 | Category II in particular for alternate systems where the operator actions may be significantly different, e.g., more complex, more time limited.
AS-B3 | Focus on credit for injection post-venting (NPSH issues, environmental survivability, etc.)
AS-B6 | Focus on (a) time phasing in LOOP/SBO sequences, including battery depletion, and (c) adequacy of CRD as an adequate injection source.
SC-A4 | Focus on modeling of shared systems and cross-ties in multi-unit sites
SC-B1 | Focus on proper application of the computer codes for T/H calculations, especially for LOCA, IORV, SORV, and F&B scenarios.
SC-C1 | Category II
SY-A4 | Category II for MSPI systems and components
SY-A11 | Focus on (d) modeling of shared systems
SY-A20 | Focus on credit for alternate injection systems, alternate seal cooling
SY-B1 | Should include EDG, AFW, HPI, RHR CCFs
SY-B5 | Focus on dependencies of support systems (especially cooling water systems) to the initiating events
SY-B9 | Focus on credit for injection post-venting (NPSH issues, environmental survivability, etc.)
SY-B15 | Focus on credit for injection post-venting (NPSH issues, environmental survivability, etc.)
HR-E1 | Focus on credit for cross ties, depressurization, use of alternate sources, venting, core cooling recovery, initiation of F&B
HR-E2 | Focus on credit for cross ties, depressurization, use of alternate sources, venting, core cooling recovery, initiation of F&B
HR-G1 | Category II, though Category I for the critical HEPs would produce a more sensitive MSPI (i.e., fewer failures to change a color)
HR-G2 | Focus on credit for cross ties, depressurization, use of alternate sources, venting, core cooling recovery, initiation of F&B
HR-G3 | Category I. See note on HR-G1. Attention to credit for cross ties, depressurization, use of alternate sources, venting, core cooling recovery, initiation of F&B
HR-G5 | Category II. See note on HR-G1.
HR-H2 | Focus on credit for cross ties, depressurization, use of alternate sources, venting, core cooling recovery, initiation of F&B
HR-H3 | The use of some systems may be treated as a recovery action in a PRA, even though the system may be addressed in the same procedure as a human action modeled in the accident sequence model (e.g., recovery of feedwater may be addressed in the same procedure as feed and bleed). Neglecting the cognitive dependency can significantly decrease the significance of the sequence.
DA-B1 | Focus on service condition (clean vs. untreated water) for SW systems
DA-C1 | Focus on LOOP recovery
DA-C15 | Focus on recovery from LOSP and loss of SW events
DA-D1 | For BWRs with isolation condenser, focus on the likelihood of a stuck open SRV
QU-B2 | Truncation limits should be chosen to be appropriate for F-V calculations.
QU-B3 | This is an MSPI implementation concern and should be addressed in the guidance document. Truncation limits should be chosen to be appropriate for F-V calculations.
QU-D3 | Understanding the differences between plant models, particularly as they affect the MSPI, is important for the proposed approach to the identification of outliers recommended by the task group.
QU-D5 | Category II for those who have used fault tree models to address support system initiators.
QU-E4 | Category II for the issues that directly affect the MSPI
APPENDIX H
USwC Basis Document
The USwC PI will monitor the following six conditions that either have the potential to
complicate the operators’ scram recovery response actions or involve the unavailability of or
inability to recover main feedwater during the scram response.
1. Reactivity Control
2. Pressure Control (BWRs)/Turbine Trip (PWRs)
3. Power available to Emergency Busses
4. Need to actuate emergency injection sources
5. Availability of Main Feedwater
6. Utilization of scram recovery Emergency Operating Procedures (EOPs)
Since the complicating conditions are not the same for Pressurized Water Reactors (PWRs)
versus Boiling Water Reactors (BWRs), a separate flow chart for each type has been developed.
If any one of the conditions in the appropriate flow chart is met the condition must be counted as
a USwC event.
H 1 PWR Flowchart Basis Discussion
H 1.1 Did two or more control rods fail to fully insert?
This question is designed to verify that the Reactor did actually trip. As long as a plant
uses the EOP questions to verify that the reactor tripped without entering a “response not
obtained” or “contingency actions” requirement this question should be answered as “No”.
Some specific examples from plant EOPs are provided below.
Some CE plant EOPs use the following checks:
• Check that reactor power is dropping.
• Check that start-up rate is negative.
• Check that no more than one full strength CEA is NOT inserted.
If the operations staff determines that one of these questions is not satisfied then they must
perform a contingency action. The requirement to perform that contingency action would
be considered as a complication for the Unplanned Scrams with Complications metric.
Some Westinghouse plant EOPs verify the following items:
• Verify Reactor Trip
  o Rod bottom lights – LIT
  o Reactor trip and bypass breakers – OPEN
  o Neutron flux – LOWERING
If the operations staff determines that one of these questions is not satisfied then they must
perform a response not obtained action. The requirement to perform that contingency
action would be considered as a complication for the Unplanned Scrams with
Complications metric. There is an exception in this question for Westinghouse plants using
the question structure given in this example. A single rod bottom light not lit would be
acceptable in the Unplanned Scrams with Complications metric even though it would
require a response not obtained action. This exception is allowed to make the metric
consistent between vendor procedures; also, the reactor analysis allows for the single most
reactive control rod to be stuck in the full out position.
Some B&W plant EOPs verify the following:
• Verify Alternate Rod Insertion and reactor power dropping
If the operations staff determines that this question is not satisfied then they must perform a
contingency action. The requirement to perform that contingency action would be
considered as a complication for the Unplanned Scrams with Complications metric. There
is an exception in this question for B&W plants using the question structure given in this
example. A single rod not fully inserted would be acceptable in the Unplanned Scrams
with Complications metric even though it would require a contingency action. This
exception is allowed to make the metric consistent between vendor procedures; also, the
reactor analysis allows for the single most reactive control rod to be stuck in the full out
position.
H 1.2 Did the turbine fail to trip?
This question is designed to verify that the Turbine did actually trip. As long as a plant
uses the EOP questions to verify that the turbine tripped without entering a “response not
obtained” or “contingency actions” requirement this question should be answered as “No”.
There is one exemption to this step that allows an Operator to use the manual turbine trip
handswitch/pushbutton as an acceptable alternative. The simplicity of the action and the
fact that Operators are specifically trained on this action provide the basis for this
exception. It is NOT an acceptable alternative for the Operators to close individual
governor or throttle valves, main steam isolation valves, or secure hydraulic control pumps.
The failure of a generator output breaker to trip with the turbine is considered as a
complication. Any actions beyond the use of one handswitch/pushbutton would need to be
considered as a complication for this question. For reactor trips that occur prior to the
turbine being placed in service or “latched” this specific question should be answered as
“No” since the turbine is already tripped. Some specific examples from plant EOPs are
provided below:
Some CE plant EOPs use the following checks:
• Check that the main turbine is tripped
• Check that the main generator output breakers are open
The use of the contingency action to manually trip the turbine is an acceptable alternative.
Performance of any other contingency actions would require answering this question as
“Yes”.
Some Westinghouse plant EOPs verify the following items:
• Verify all turbine throttle valves – CLOSED
• Main generator output breaker – OPEN
The use of the contingency action to manually trip the turbine is an acceptable alternative.
Performance of any other response not obtained actions would require answering this
question as “Yes”.
Some B&W plant EOPs verify the following:
• Verify turbine throttle and governor valve closed
The use of the contingency action to manually trip the turbine is an acceptable alternative.
Performance of any other contingency actions would require answering this question as
“Yes”.
H 1.3 Was power lost to any ESF bus?
Most EOP versions check that power is available in response to the reactor trip. This
question is designed to verify that electric power was available after the reactor trip. As
long as a plant uses the EOP questions to verify that power was available without entering
a “response not obtained” or “contingency actions” requirement this question should be
answered as “No”. There is an exemption to this step that allows an Operator to manually
restore power within 10 minutes as an acceptable alternative. The exception is limited to
those actions necessary to close a breaker from the main control board. Actions requiring
access to the back of the control boards or any other remote location would require
answering this question as “Yes”. It is acceptable to manipulate more than one switch,
such as a sync switch, in the process of restoring power to the bus. It is acceptable to close
more than one breaker. It is acceptable to restore power from the emergency AC source,
such as diesel generators, or from off-site power. This exception is allowed since most
EOPs are configured to check that power is available to at least one of the safety busses
which will satisfy plant safety concerns. If power is not available to at least one safety bus
most EOPs will direct transition to another EOP to mitigate this condition. The additional
operator action to restore power to additional busses has been discussed and considered
acceptable as long as it can be completed within the time limitations of 10 minutes (chosen
to limit the complexity) and the constraints of switch operation from the main control
board. Any actions beyond these would need to be considered as a complication for this
question. Because of the wide variation in power distribution designs, voltage, and
nomenclature across the PWR fleet, no specific EOP examples are given here.
H 1.4 Was a Safety Injection signal received?
This question is designed to verify that the plant conditions are stable and do not require
the actuation of the emergency injection system (safety injection for Westinghouse plants,
SIAS for CE). Plant conditions that result from a loss of inventory or loss of pressure
control in the RCS or Steam Generator (SG) would likely require actuation of the
emergency injection systems and would be considered a complication. Conversely, plant
conditions following the reactor trip that do not result in a safety injection actuation would
not be considered as complications. An exception to this is the existence of a severe steam
generator tube leak. In those limited circumstances where a steam generator tube leak
exists that is severe enough to require a reactor trip but can be controlled, without
initiating a safety injection signal, by starting additional inventory control pumps that are
not normally running during normal power operations, the question should be answered
“Yes” and the event considered a complication. A small steam generator tube leak where
inventory can be maintained using the already running inventory control pumps would NOT
be considered as complicated even if the reactor was tripped. Those instances where a
safety injection was not required by actual plant conditions but occurred due to operator
error, spurious actuations, or set-point error should be considered as complications and
this question answered as “Yes”.
H 1.5 Was Main Feedwater unavailable or not recoverable using approved plant
procedures during the scram response?
This section of the indicator is a holdover from the Scrams with Loss of Normal Heat
Removal indicator which the USwC indicator replaced. Since all PWR
designs have an emergency Feedwater system that operates if necessary, the availability
of the normal or main Feedwater systems as a backup in emergency situations can be
important for managing risk following a reactor scram. This portion of the indicator is
designed to assess that backup availability or ability to recover main feedwater as
directed by approved plant procedures (e.g., the EOPs) on a loss of all emergency
Feedwater.
It is not necessary for the main Feedwater system to continue operating following a
reactor trip. Some plants, by design, have certain features to prevent main feedwater
from continued operation or from allowing it to be restarted unless certain criteria are met.
The system must be free from damage or failure that would prohibit restart of the system if
necessary. Since some plant designs do not include electric-driven main Feedwater
pumps (steam-driven pumps only), it may not be possible to restart main Feedwater
pumps without a critical reactor. Those plants should answer this question as “No” and
move on. Some other plant designs have interlocks in place and signals
that prevent feeding the steam generators with main Feedwater unless reactor coolant
temperature is greater than the no-load average temperature. In both cases, these
plants may be justified in answering this question as “No” if Main
Feedwater is free from damage or failure that can prevent it from performing its intended
function and is available for use.
Licensees should rely on the material condition availability of the equipment to reach the
decision for this question. Condenser vacuum, cooling water, and steam pressure values
should be evaluated based on the requirements to operate the pumps and may be lower than
normal if procedures allow pump operation at that lower value. As long as these support
systems are able to be restarted (if not running) to support main feedwater restart within
the estimated 30-minute timeframe they can be considered as available. These
requirements apply until the completion or exit of the scram response procedure.
The availability of steam dumps to the condenser does NOT enter into this indicator at all.
Use of atmospheric steam dumps following the reactor trip is acceptable for any duration.
Loss of one feed pump does not cause a loss of main feedwater. Only one is needed to
remove residual heat after a trip. As long as at least one pump can still operate and provide
Feedwater to the minimum number of steam generators required by the EOPs to satisfy the
heat sink criteria, main feedwater should be considered available.
The failure in a closed position of a feedwater isolation valve to a steam generator is a loss
of feed to that one steam generator. As long as the main feedwater system is able to feed
the minimum number of steam generators required by the EOPs to satisfy the heat sink
criteria, the loss of ability to feed other steam generators should not be considered a loss of
feedwater. Isolation of the feedwater regulating or isolation valves does not constitute a
loss of feedwater if nothing prevents them from being reopened in accordance with
procedures.
A Steam Generator Isolation Signal or Feedwater Isolation Signal does not constitute a loss
of main feedwater as long as it can be cleared and feedwater restarted. If the isolation
signal was caused by a high steam generator level, the 30 minute estimate for restart
timeframe should start once the high level isolation signal has cleared.
The estimated 30-minute timeframe for restart of main Feedwater was chosen based
on restarting from a hot and filled condition. Since this timeframe will not be measured
directly it should be an estimation developed based on the material condition of the plant's
systems following the reactor trip. If no abnormal material conditions exist the 30 minutes
should be met. If plant procedures and design would require more than 30 minutes even if
all systems were hot and the material condition of the plant's systems following the reactor
trip were normal, that routine time should be used in the evaluation of this question,
provided SG dry-out cannot occur on an uncomplicated trip if the time is longer than 30
minutes. The judgment of the on-shift licensed SRO during the reactor trip
should be used in determining if this timeframe was met.
H 1.6 Was the scram response procedure unable to be completed without entering another
EOP?
When a scram occurs plant operators enter the EOPs to respond to the condition. In the
case of a routine scram the procedure entered will be exited fairly rapidly after verifying
that the reactor is shutdown, excessive cooling is not in progress, electric power is
available, and reactor coolant pressures and temperatures are at expected values and
controlled. Once these verifications are done and the plant conditions are considered
“stable” operators may exit the initial procedure to another procedure that will stabilize and
prepare the remainder of the plant for transition to the normal operating procedures. The
plant could then be maintained in Hot Standby, perform a controlled normal cool down,
or begin the restart process. The criteria in this question are used to verify there were no
other conditions that developed during the stabilization of the plant in the scram response
that required re-entry into the EOPs or transition to a follow on EOP.
There are some EOPs that are used specifically at the operator discretion and are not
required to be used. In the Westinghouse EOP suite these are Yellow Path functional
restoration procedures and the re-diagnosis procedures. These procedures typically verify
that the operator is taking the correct action (re-diagnosis) or the stabilization of some
minor plant parameters (Yellow path). Use of these procedures is an allowed exception to
this step. The transition out of these procedures to an EOP different from the current
procedure in effect, i.e. a new procedure or the base procedure, would count as a
complication.
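The six PWR questions in H 1.1 through H 1.6, with the exceptions each one allows, can be written as a small rule set. The following Python example is an added illustration and is not part of NEI 99-02; the record fields, string labels and sample records are assumptions constructed for the example, and the H 1.5 check leaves out the design-specific cases (steam-driven pumps only, feedwater interlocks).

```python
from dataclasses import dataclass

# Field names and string labels are assumptions made for this example.
SINGLE_TRIP_SWITCH = "manual_trip_switch"            # H 1.2 allowed action
DISCRETIONARY_EOPS = {"yellow_path", "rediagnosis"}  # H 1.6 allowed exception
ESF_RESTORE_LIMIT_MIN = 10                           # H 1.3 time limit


@dataclass(frozen=True)
class BusLoss:
    restored_by: str            # "auto_eac", "main_control_board" or "other"
    minutes_deenergized: float


@dataclass(frozen=True)
class PwrScram:
    rods_not_fully_inserted: int = 0        # by the EOP's normal indications
    other_trip_check_failed: bool = False   # e.g. reactor power not dropping
    turbine_latched: bool = True
    turbine_tripped: bool = True
    generator_breaker_opened: bool = True
    turbine_operator_actions: tuple = ()
    esf_bus_losses: tuple = ()
    si_signal_received: bool = False        # any cause, spurious included
    sg_leak_needed_extra_pumps: bool = False
    mfw_pumps_operable: int = 1
    sgs_feedable_by_mfw: int = 1
    min_sgs_required_by_eops: int = 1
    est_mfw_restart_min: float = 0.0        # on-shift SRO estimate
    routine_mfw_restart_min: float = 30.0   # longer only if design requires it
    other_eops_entered: tuple = ()          # EOPs beyond the scram response


def q1_rods(s):
    # One rod not fully inserted is the allowed exception.
    return s.rods_not_fully_inserted >= 2 or s.other_trip_check_failed


def q2_turbine(s):
    if not s.turbine_latched:
        return False    # trip occurred before the turbine was in service
    if not (s.turbine_tripped and s.generator_breaker_opened):
        return True
    # Nothing beyond one use of the manual trip handswitch/pushbutton.
    return s.turbine_operator_actions not in ((), (SINGLE_TRIP_SWITCH,))


def q3_esf_power(s):
    for loss in s.esf_bus_losses:
        if loss.restored_by == "auto_eac":
            continue
        if (loss.restored_by == "main_control_board"
                and loss.minutes_deenergized <= ESF_RESTORE_LIMIT_MIN):
            continue
        return True     # remote action, or de-energized longer than the limit
    return False


def q4_safety_injection(s):
    return s.si_signal_received or s.sg_leak_needed_extra_pumps


def q5_main_feedwater(s):
    return (s.mfw_pumps_operable < 1
            or s.sgs_feedable_by_mfw < s.min_sgs_required_by_eops
            or s.est_mfw_restart_min > s.routine_mfw_restart_min)


def q6_other_eop(s):
    # A transition out of a discretionary procedure into a different EOP is
    # recorded as its own entry and therefore counts.
    return any(p not in DISCRETIONARY_EOPS for p in s.other_eops_entered)


QUESTIONS = (
    ("H 1.1", q1_rods), ("H 1.2", q2_turbine), ("H 1.3", q3_esf_power),
    ("H 1.4", q4_safety_injection), ("H 1.5", q5_main_feedwater),
    ("H 1.6", q6_other_eop),
)


def complications(s):
    """Return the questions answered "Yes"; any entry makes the scram a USwC."""
    return [label for label, question in QUESTIONS if question(s)]


def is_uswc(s):
    return bool(complications(s))


def sample_records():
    """Constructed records, not taken from any plant event."""
    return {
        "uncomplicated": PwrScram(
            rods_not_fully_inserted=1,
            turbine_operator_actions=(SINGLE_TRIP_SWITCH,),
            esf_bus_losses=(BusLoss("main_control_board", 6),),
            other_eops_entered=("yellow_path",)),
        "rod_indication": PwrScram(rods_not_fully_inserted=7),
        "several": PwrScram(
            turbine_operator_actions=(SINGLE_TRIP_SWITCH, "close_msivs"),
            esf_bus_losses=(BusLoss("other", 4),),
            si_signal_received=True),
    }


if __name__ == "__main__":
    for name, record in sample_records().items():
        print(name, is_uswc(record), complications(record))
```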
H 2 PWR Case Studies
H 2.1 PWR Case Study 1
At approximately 100% steady state reactor power, Control Room operators initiated a manual
reactor trip as a result of indications that multiple Control Rods (CRs) had dropped into the
reactor core. All Reactor Trip (RT) breakers opened but all rod bottom lights did not illuminate.
Rod Cluster Control Assemblies (RCCA) L7, J13, F6, F10, K10, C5, and C13 were not
considered fully inserted because the rod bottom lights for these RCCAs did not illuminate. The
Plant Information Computer System indicated all RCCAs were fully inserted. In accordance
with plant procedures, operators re-initiated a manual RT. Operations verified the reactor was
tripped and all RCCAs were fully inserted.
Prior to the event all CRs were withdrawn from the reactor core and in Automatic, both Main
Boiler Feedwater Pumps (MBFPs) were in service, the Auxiliary Feedwater Pumps (AFWPs)
were in standby, the EDGs were in standby, and off-site power was in service. At 1435 hours,
indicated reactor power decreased from approximately 99.87% to 50% (based on the Nuclear
Instrumentation System power range neutron flux monitors) as a result of 12 CRs dropping into
the core. Of the twelve CRs that dropped into the core, four (4) CRs (M-12, M-4, D-12, and D-4)
went from 223 steps to 150 steps out and eight (8) control rods (N-13, L-13, N-5, N-3, E-3, C-3,
C13, and C-11) went from 223 steps out to 0 steps. Reactivity control is achieved by a
combination of 53 CRs [29 RCCAs are in control banks (CB) and 24 in shutdown banks (SDBs)]
and chemical shim (boric acid). The CRs are divided into 1) a shutdown (SD) group comprised
of two SDBs of eight rod clusters each and two SDBs of four rod clusters each, and 2) a control
group comprised of four CBs containing eight, four, eight, and nine rod clusters.
After the manual RT, seven (7) rod bottom lights for CR SDB A, Rod L7, SDB 3, Rod J12, SDB
D, Rods F6, F10, K10, CB A, Rod C5, and CB C, Rod C13 did not illuminate. All other
reactivity indications were normal. As a result of the manual RT, the Main Turbine-Generator
tripped, and the AFWPs automatically started. The EDGs did not start as off-site power
remained in service. An alarm for low pressurizer pressure annunciated as a result of a reduction
of the RCS pressure to the normal trip setpoint (1985 psig). The decrease in pressure was due to
the negative reactivity from the initial rod insertion. All primary safety systems functioned
properly. Unexpected responses included: both MBFP suction relief valves lifted (reset at
approximately 1458 hours), a "Not in Sync" alarm was received for the 24 Static Inverter
(adjusted and cleared), and a low oil level alarm on upper reservoir was received for the 23
Reactor Coolant Pump (RCP). Power for the rod control system is distributed to five power
cabinets from two motor-generator sets connected in parallel through two series of Reactor Trip
Breakers (RTBs). The ac power distribution lines downstream of the RTBs are routed above the
power cabinets through a fully enclosed three-phase, four wire plug-in, bus duct assembly.
The ac power to each cabinet is carried by the bus duct assembly through three plug-in fused
disconnect switches for the stationary, movable and lift coil circuits of the mechanisms
associated with that cabinet. During the investigation of the event the disconnect switch (JSI on
top of rod control power cabinet (CAB) lAC was discovered to be open. Opening the disconnect
switch caused loss of power to the stationary coils for twelve (12) CRs. The switch that was
placed in the open position was for power cabinet lAC which controls the rods for CB A, Group
1, CB C, Group 1, and SDB A, Group 1. Loss of power to these CRs caused the rods to drop into
the reactor core per design. Four (4) CRs partially inserted (223 steps in to 150 steps). CR power
cabinet (lAC) disconnect switch was inadvertently bumped open by a contractor erecting
scaffolding around the CR power cabinets in the cable spreading room of the Control Building
(NA). The disconnect switch to rod control power cabinet lAC was re-closed. An assessment of
the condition by reactor engineering concluded that power was removed from the CR stationary
gripper coils when the disconnect switch was opened. When no motion is demanded and rods are
stationary, current is sent to the coils, which keeps the grippers engaged on the CR. The CR
system sensed the power loss condition and transmitted a high current order to the movable
gripper coils which had not lost their power. The movable gripper coils were able to catch four of
the CRs as they were falling but did not catch the remaining CRs in the other CR groups. The
cause of the failure of seven (7) rod bottom lights to illuminate after the dropped rod event was
due to failed light bistables.
In answering the questions for this indicator, some additional information beyond that gathered
for the LER will be required. In this case the usage history of the EOPs will be required. For
this example consider that there were no additional EOPs used beyond the normal procedures.
1. Did two or more control rods fail to fully insert?
Did control rods that are required to move on a reactor trip fully insert into the core as
evidenced by the Emergency Operating Procedure (EOP) evaluation criteria? As an
example for some PWRs using rod bottom light indications, if more than one rod bottom
light is not illuminated, this question must be answered "Yes." The basis of this step is to
determine if additional actions are required by the operators as a result of the failure of all
H-7
NEI 99-02 [Revision 7]
08/31/2013
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
rods to insert. Additional actions, such as emergency boration, pose a complication beyond
the normal scram response that this metric is attempting to measure. It is allowable to
have one control rod not fully inserted since core protection design accounts for one control
rod remaining fully withdrawn from the core on a reactor trip. This question must be
evaluated using the criteria contained in the plant EOP used to verify that control rods
inserted. During performance of this step of the EOP the licensee staff would not need to
apply the “Response Not Obtained” actions. Other means not specified in the EOPs are not
allowed for this metric.
Answer: YES. This question should be answered as “YES” and the trip counted as a Scram with
Complications since the rod bottom lights did not indicate fully inserted control rods. If
the EOP allows the use of the plant computer indications instead of rod bottom lights this
question should be answered as “NO.” To qualify the plant computer indication must not
be considered as a “Response Not Obtained” step but rather as a listed normal indication.
2. Did the turbine fail to trip?
Did the turbine fail to trip automatically/manually as required on the reactor trip signal? To
be a successful trip, steam flow to the main turbine must have been isolated by the turbine
trip logic actuated by the reactor trip signal, or by operator action from a single switch or
pushbutton. The allowance of operator action to trip the turbine is based on the operation
of the turbine trip logic from the operator action if directed by the EOP. Operator action to
close valves or secure pumps to trip the turbine beyond use of a single turbine trip switch
would count in this indicator as a failure to trip and a complication beyond the normal
reactor trip response. Trips that occur prior to the turbine being placed in service or
“latched” should have this question answered as “No”.
Answer:
NO. The turbine tripped per design.
3. Was power lost to any ESF bus?
During a reactor trip or during the period operators are responding to a reactor trip using
reactor trip response procedures, was power lost to any ESF bus that was not restored
automatically by the Emergency Alternating Current (EAC) power system and remained
de-energized for greater than 10 minutes? Operator action to re-energize the ESF bus from
the main control board is allowed as an acceptable action to satisfy this metric. This
question is looking for a loss of power at any time for any duration where the bus was not
energized/re-energized within 10 minutes. The bus must have:
• remained energized until the scram response procedure was exited, or
• been re-energized automatically by the plant EAC power system (i.e., EDG), or
• been re-energized from normal or emergency sources by an operator closing a
breaker from the main control board.
The question applies to all ESF busses (switchgear, load centers, motor control centers and
DC busses). This does NOT apply to 120-volt power panels. It is expected that operator
action to re-energize an ESF bus would not take longer than 10 minutes.
Answer:
NO. Emergency diesels were not required to start. Offsite power remained available
throughout the trip response. All ESF busses remained energized throughout the trip
response.
4. Was a Safety Injection signal received?
Was a Safety Injection signal generated either manually or automatically during the reactor
trip response? The question's purpose is to determine if the operator had to respond to an
abnormal condition that required a safety injection or respond to the actuation of additional
equipment that would not normally actuate on an uncomplicated scram. This question
would include any condition that challenged Reactor Coolant System (RCS) inventory,
pressure, or temperature severely enough to require a safety injection. A severe steam
generator tube leak that would require a manual reactor trip because it was beyond the
capacity of the normal at power running charging system should be counted even if a safety
injection was not used since additional charging pumps would be required to be started.
Answer:
NO. No SI signal was required or received.
5. Was Main Feedwater unavailable or not recoverable using approved plant
procedures during the scram response?
If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be
restarted during the reactor scram response? The consideration for this question is whether
Main Feedwater could be used to feed the steam generators if necessary. The qualifier of
“not recoverable using approved plant procedures” will allow a licensee to answer “No” to
this question if there is no physical equipment restraint to prevent the operations staff from
starting the necessary equipment, aligning the required systems, or satisfying required logic
using plant procedures approved for use and in place prior to the reactor scram occurring.
The operations staff must be able to start and operate the required equipment using
normal alignments and approved emergency, normal and off-normal operating
procedures to feed the minimum number of steam generators required by the EOPs to
satisfy the heat sink criteria. Manual operation of controllers/equipment, even if normally
automatic, is allowed if addressed by procedure. Situations that require maintenance or
repair activities or non-proceduralized operating alignments require an answer of “Yes.”
Additionally, the restoration of Feedwater must be capable of feeding the Steam Generators
in a reasonable period of time. Operations should be able to start a Main Feedwater pump
and start feeding Steam Generators with the Main Feedwater System within about 30
minutes from the time it was recognized that Main Feedwater was needed. During
startup conditions where Main Feedwater was not placed in service prior to the scram this
question would not be considered and should be skipped. If design features or procedural
prohibitions prevent restarting Main Feedwater this question should be answered as “No”.
Answer:
NO. Main feedwater pumps were available and the feedwater system could have been
operated to supply feedwater to all steam generators.
6. Was the scram response procedure unable to be completed without entering another
EOP?
The response to the scram must be completed without transitioning to an additional EOP
after entering the scram response procedure (e.g., ES01 for Westinghouse). This step is
used to determine if the scram was uncomplicated by counting if additional procedures
beyond the normal scram response required entry after the scram. A plant exiting the
normal scram response procedure without using another EOP would answer this step as
“No”. The discretionary use of the lowest level Function Restoration Guideline (Yellow
Path) by the operations staff is an approved exception to this requirement. Use of the Rediagnosis Procedure by Operations is acceptable unless a transition to another EOP is
required.
Answer:
NO. The reactor trip response procedures were completed without re-entering another
EOP.
H 2.2 PWR Case Study 2
At 100% steady state reactor power, Operators manually tripped the reactor as a result of
oscillating Feedwater (FW) flow and SG level with flow perturbations and FW pipe movement
in the Auxiliary FW (AFW) Pump Building. Prior to the transient, while operating at 100%
reactor power, with SG level control in AUTO, 22 SG Narrow Range (NR) level records show
two cycles of level changes of approximately 2% and correction in automatic with no operator
action. Subsequently, operators observed 22 SG NR level starting to decrease from a normal
value of 49% to 30% with a deviation alarm annunciating at 44%. CR operators observed
oscillating FW flow and erratic behavior of the 22 Main FW regulating valve FCV-427.
Operators entered Abnormal Operating Procedure 2AOP-FW-1 and placed the FW regulating
valve (FCV-427) in manual and attempted to increase FW flow in 22 SG without success.
Excessive FW flow oscillations continued. Operators then opened low flow bypass valve
FCV-427L to increase SG level which started 22 SG level increasing at a level of 30%. At
approximately 35% SG level valve FCV-427L was returned to closed. A Nuclear Plant Operator
(NPO) in the AFW Pump Building reported to the control room loud noises due to flow
perturbations and pipe movement. Based on plant conditions, the Control Room Supervisor
(CRS) directed a manual reactor trip. All control rods fully inserted and all primary systems
functioned properly. The 22 FW regulating valve FCV-427 failed to fully close. Operators
initiated FW isolation by closing FW motor operated isolation valves (MOV) BFD-5-1 and
BFD-90-1. A 22 SG high level trip was actuated at 73% SG level, initiating automatic closure of
the Main FW Pump motor operated discharge valves (BFD-2-21 and BFD-2-22), Main FW and
Low Flow FW regulating and isolation valves, and trip of the turbine driven Main FW Pumps.
The plant was stabilized in hot standby with decay heat being removed by the main condenser.
Offsite power remained available and therefore the EDGs did not start. The AFW System
automatically started as a result of a SG low level normally experienced on trips from full power.
FW regulating valve FCV-427 is a Copes-Vulcan globe valve with Copes-Vulcan actuator
Model D-1000-160. The valve has a positioner to perform its modulating function and 3
solenoids attached to the actuator for fast closure. CR operators observed the rod bottom lights,
RT First Out Annunciator (Manual Trip). The plant was stabilized in hot standby with decay heat
being released to the main condenser through the steam dump valves. A post transient
evaluation was performed. A non-intrusive inspection was performed of the remaining FW
regulating valves (FCV-417, FCV-437, FCV-447) to verify that their valve cages had not
unthreaded from the valve body webs. The verification was done by obtaining the maximum
stroke capability of the FCVs and relating that to a point at which the valve stem is connected
into the actuator yoke (measurements of the FCVs' exposed stem threads and actuator posts were
compared to the available actuator travel). These measurements provided reasonable assurance
that the remaining FCV cages were properly threaded into their body webs. Following plant
shutdown a walk down was performed of the four (4) FW lines inside containment and FW and
AFW piping outside containment for any impacts of the FW flow perturbations. There were no
indications of excessive movement or damage to the insulation, supports or piping above the 95
foot elevation of containment nor were there any observed signs of excessive movements, support
damage, support impacts/scarring, or insulation damage on FW lines to SG-21, SG-22, SG-23,
SG-24 on any containment elevations. For FW and AFW piping outside containment, no piping
or support damage was evident due to pipe movements from the flow perturbations. FW piping
inside and outside containment showed some light powder insulation dust on the floor indicative
of pipe vibration.
In answering the questions for this indicator, some additional information beyond that gathered
for the LER will be required. In this case the usage history of the EOPs will be required. For
this example consider that there were no additional EOPs used beyond the normal procedures.
1. Did two or more control rods fail to fully insert?
Did control rods that are required to move on a reactor trip fully insert into the core as
evidenced by the Emergency Operating Procedure (EOP) evaluation criteria? As an
example for some PWRs using rod bottom light indications, if more than one rod bottom
light is not illuminated, this question must be answered "Yes." The basis of this step is to
determine if additional actions are required by the operators as a result of the failure of all
rods to insert. Additional actions, such as emergency boration, pose a complication beyond
the normal scram response that this metric is attempting to measure. It is allowable to
have one control rod not fully inserted since core protection design accounts for one control
rod remaining fully withdrawn from the core on a reactor trip. This question must be
evaluated using the criteria contained in the plant EOP used to verify that control rods
inserted. During performance of this step of the EOP the licensee staff would not need to
apply the “Response Not Obtained” actions. Other means not specified in the EOPs are not
allowed for this metric.
Answer:
NO. All control rods fully inserted as indicated by the rod bottom lights.
2. Did the turbine fail to trip?
Did the turbine fail to trip automatically/manually as required on the reactor trip signal? To
be a successful trip, steam flow to the main turbine must have been isolated by the turbine
trip logic actuated by the reactor trip signal, or by operator action from a single switch or
pushbutton. The allowance of operator action to trip the turbine is based on the operation
of the turbine trip logic from the operator action if directed by the EOP. Operator action to
close valves or secure pumps to trip the turbine beyond use of a single turbine trip switch
would count in this indicator as a failure to trip and a complication beyond the normal
reactor trip response. Trips that occur prior to the turbine being placed in service or
“latched” should have this question answered as “No”.
Answer:
NO. The turbine tripped per design.
3. Was power lost to any ESF bus?
During a reactor trip or during the period operators are responding to a reactor trip using
reactor trip response procedures, was power lost to any ESF bus that was not restored
automatically by the Emergency Alternating Current (EAC) power system and remained
de-energized for greater than 10 minutes? Operator action to re-energize the ESF bus from
the main control board is allowed as an acceptable action to satisfy this metric. This
question is looking for a loss of power at any time for any duration where the bus was not
energized/re-energized within 10 minutes. The bus must have:
• remained energized until the scram response procedure was exited, or
• been re-energized automatically by the plant EAC power system (i.e., EDG), or
• been re-energized from normal or emergency sources by an operator closing a
breaker from the main control board.
The question applies to all ESF busses (switchgear, load centers, motor control centers and
DC busses). This does NOT apply to 120-volt power panels. It is expected that operator
action to re-energize an ESF bus would not take longer than 10 minutes.
Answer:
NO. Emergency diesels were not required to start. Offsite power remained available
throughout the trip response. All ESF busses remained energized throughout the trip
response.
4. Was a Safety Injection signal received?
Was a Safety Injection signal generated either manually or automatically during the reactor
trip response? The question's purpose is to determine if the operator had to respond to an
abnormal condition that required a safety injection or respond to the actuation of additional
equipment that would not normally actuate on an uncomplicated scram. This question
would include any condition that challenged Reactor Coolant System (RCS) inventory,
pressure, or temperature severely enough to require a safety injection. A severe steam
generator tube leak that would require a manual reactor trip because it was beyond the
capacity of the normal at power running charging system should be counted even if a safety
injection was not used since additional charging pumps would be required to be started.
Answer:
NO. No SI signal was required or received.
5. Was Main Feedwater unavailable or not recoverable using approved plant
procedures during the scram response?
FAQ481
(10-02)
If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be
restarted during the reactor scram response? The consideration for this question is whether
Main Feedwater could be used to feed the steam generators if necessary. The qualifier of
“not recoverable using approved plant procedures” will allow a licensee to answer “No” to
this question if there is no physical equipment restraint to prevent the operations staff from
starting the necessary equipment, aligning the required systems, or satisfying required logic
using plant procedures approved for use and in place prior to the reactor scram occurring.
The operations staff must be able to start and operate the required equipment using normal
alignments and approved emergency, normal and off-normal operating procedures to feed
the minimum number of steam generators required by the EOPs to satisfy the heat sink
criteria. Manual operation of controllers/equipment, even if normally automatic, is
allowed if addressed by procedure. Situations that require maintenance or repair activities
or non-proceduralized operating alignments require an answer of “Yes.” Additionally, the
restoration of Feedwater must be capable of feeding the Steam Generators in a reasonable
period of time. Operations should be able to start a Main Feedwater pump and start feeding
Steam Generators with the Main Feedwater System within about 30 minutes from the time
it was recognized that Main Feedwater was needed. During startup conditions where Main
Feedwater was not placed in service prior to the scram this question would not be
considered and should be skipped. If design features or procedural prohibitions prevent
restarting Main Feedwater this question should be answered as “No”.
Answer:
NO. Main FW was the cause of the manual reactor trip: one of four feed regulating
valves (FRV-447) was unavailable for FW addition to SGs. FW pumps were available to
be restarted and three FW loops could have been operated to supply FW to 3 of 4 SGs.
6. Was the scram response procedure unable to be completed without entering another
EOP?
The response to the scram must be completed without transitioning to an additional EOP
after entering the scram response procedure (e.g., ES01 for Westinghouse). This step is
used to determine if the scram was uncomplicated by counting if additional procedures
beyond the normal scram response required entry after the scram. A plant exiting the
normal scram response procedure without using another EOP would answer this step as
“No”. The discretionary use of the lowest level Function Restoration Guideline (Yellow
Path) by the operations staff is an approved exception to this requirement. Use of the Rediagnosis Procedure by Operations is acceptable unless a transition to another EOP is
required.
Answer:
NO. The reactor trip response procedures were completed without re-entering another
EOP.
H 2.3 PWR Case Study 3
An automatic reactor trip was initiated due to a low reactor coolant flow condition following
a trip of the 'B' Reactor Coolant Pump (RCP) motor. The RCP trip was initiated by a current
imbalance sensed by the motor's protective relay. The current imbalance was a result of a
transmission system disturbance. At the time of the event, the plant was operating in Mode 1
(Hot Full Power) at 100 percent power. The system disturbance was initiated by a transmission
line fault within a neighboring electric cooperative's transmission system. Due to a defective
electrical connection within the electric cooperative's protective relaying scheme, the
transmission line breakers protecting the affected line did not receive a trip signal to clear the
fault. Since the breaker failure relaying scheme utilized the same circuitry containing the
defective electrical connection, breaker failure logic was not initiated to trip the next breakers
upstream of the transmission line fault. In addition, there was no redundant line relaying or local
backup relaying on the substation transformer. As a result, the fault was not properly cleared
from the electric cooperative's transmission system. For approximately the next eight minutes,
multiple subsequent faults were introduced onto the system as the transmission line incurred
damage and fell to the ground over an approximate distance of six miles. Ultimately, the fault
condition was cleared following the failure of the distribution system transformer supplying the
faulted transmission line. Approximately one minute into the event, the "B" RCP tripped due to
a motor current imbalance, which resulted from the transmission system disturbance. The
automatic reactor trip was initiated for a low reactor coolant flow condition due to the RCP trip.
Shortly after the reactor trip, the three remaining RCPs and all main condenser circulating water
pumps also tripped because of motor current imbalance. Due to the tripping of all RCPs, the
pressurizer spray system was unavailable. Additionally, the tripping of all main condenser
circulating water pumps affected the ability to use the main condenser as a heat sink. This
resulted in reliance on the atmospheric steam dumps causing reactor coolant system average
temperature (RCS Tavg) to increase from 557 to 562 degrees F. The combination of establishing
natural circulation due to the loss of all RCPs and increasing RCS Tavg, caused a pressurizer insurge raising RCS pressure to the pressurizer power-operated relief valve (PORV) set point.
Prior to re-establishing the pressurizer spray system, both PORVs momentarily lifted once,
relieving RCS pressure to the pressurizer relief tank. RCPs were restored approximately 32
minutes after initiation of the event. During this entire event, all safety-related and non
safety-related systems and components functioned in accordance with design.
In answering the questions for this indicator, some additional information beyond that gathered
for the LER will be required. In this case the usage history of the EOPs will be required. For
this example consider that there were no additional EOPs used beyond the normal procedures.
1. Did two or more control rods fail to fully insert?
Did control rods that are required to move on a reactor trip fully insert into the core as
evidenced by the Emergency Operating Procedure (EOP) evaluation criteria? As an
example for some PWRs using rod bottom light indications, if more than one rod bottom
light is not illuminated, this question must be answered "Yes." The basis of this step is to
determine if additional actions are required by the operators as a result of the failure of all
rods to insert. Additional actions, such as emergency boration, pose a complication beyond
the normal scram response that this metric is attempting to measure. It is allowable to
have one control rod not fully inserted since core protection design accounts for one control
rod remaining fully withdrawn from the core on a reactor trip. This question must be
evaluated using the criteria contained in the plant EOP used to verify that control rods
inserted. During performance of this step of the EOP the licensee staff would not need to
apply the “Response Not Obtained” actions. Other means not specified in the EOPs are not
allowed for this metric.
Answer:
NO. All control rods fully inserted as indicated by rod bottom lights.
2. Did the turbine fail to trip?
Did the turbine fail to trip automatically/manually as required on the reactor trip signal? To
be a successful trip, steam flow to the main turbine must have been isolated by the turbine
trip logic actuated by the reactor trip signal, or by operator action from a single switch or
pushbutton. The allowance of operator action to trip the turbine is based on the operation
of the turbine trip logic from the operator action if directed by the EOP. Operator action to
close valves or secure pumps to trip the turbine beyond use of a single turbine trip switch
would count in this indicator as a failure to trip and a complication beyond the normal
reactor trip response. Trips that occur prior to the turbine being placed in service or
“latched” should have this question answered as “No”.
Answer:
NO. The turbine tripped per design.
3. Was power lost to any ESF bus?
During a reactor trip or during the period operators are responding to a reactor trip using
reactor trip response procedures, was power lost to any ESF bus that was not restored
automatically by the Emergency Alternating Current (EAC) power system and remained
de-energized for greater than 10 minutes? Operator action to re-energize the ESF bus from
the main control board is allowed as an acceptable action to satisfy this metric. This
question is looking for a loss of power at any time for any duration where the bus was not
energized/re-energized within 10 minutes. The bus must have:
• remained energized until the scram response procedure was exited, or
• been re-energized automatically by the plant EAC power system (i.e., EDG), or
• been re-energized from normal or emergency sources by an operator closing a
breaker from the main control board.
The question applies to all ESF busses (switchgear, load centers, motor control centers and
DC busses). This does NOT apply to 120-volt power panels. It is expected that operator
action to re-energize an ESF bus would not take longer than 10 minutes.
Answer:
NO. All ESF busses remained energized throughout the trip response.
4. Was a Safety Injection signal received?
Was a Safety Injection signal generated either manually or automatically during the reactor
trip response? The question's purpose is to determine if the operator had to respond to an
abnormal condition that required a safety injection or respond to the actuation of additional
equipment that would not normally actuate on an uncomplicated scram. This question
would include any condition that challenged Reactor Coolant System (RCS) inventory,
pressure, or temperature severely enough to require a safety injection. A severe steam
generator tube leak that would require a manual reactor trip because it was beyond the
capacity of the normal at power running charging system should be counted even if a safety
injection was not used since additional charging pumps would be required to be started.
Answer:
NO. No SI signal was required or received.
5. Was Main Feedwater unavailable or not recoverable using approved plant
procedures during the scram response?
FAQ481
(10-02)
If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be
restarted during the reactor scram response? The consideration for this question is whether
Main Feedwater could be used to feed the steam generators if necessary. The qualifier of
“not recoverable using approved plant procedures” will allow a licensee to answer “No” to
this question if there is no physical equipment restraint to prevent the operations staff from
starting the necessary equipment, aligning the required systems, or satisfying required logic
using plant procedures approved for use and in place prior to the reactor scram occurring.
The operations staff must be able to start and operate the required equipment using normal
alignments and approved emergency, normal and off-normal operating procedures to
feed the minimum number of steam generators required by the EOPs to satisfy the heat
sink criteria. Manual operation of controllers/equipment, even if normally automatic, is
allowed if addressed by procedure. Situations that require maintenance or repair activities
or non-proceduralized operating alignments require an answer of “Yes.” Additionally, the
restoration of Feedwater must be capable of feeding the Steam Generators in a reasonable
period of time. Operations should be able to start a Main Feedwater pump and start
feeding Steam Generators with the Main Feedwater System within about 30 minutes.
During startup conditions where Main Feedwater was not placed in service prior to the
scram this question would not be considered and should be skipped. If design features or
procedural prohibitions prevent restarting Main Feedwater this question should be
answered as “No”.
Answer:
YES. The loss of power resulted in a complete loss of circulating water and the ability of
main feedwater pump turbines to exhaust to the condenser. This question could be
answered as “NO” if circulating water, condenser vacuum, and main feedwater could be
restored within the 30 minute timeframe, or if an electric driven main feedwater pump
was available that did not require condenser vacuum to feed steam generators.
6. Was the scram response procedure unable to be completed without entering another
EOP?
The response to the scram must be completed without transitioning to an additional EOP
after entering the scram response procedure (e.g., ES01 for Westinghouse). This step is
used to determine if the scram was uncomplicated by counting if additional procedures
beyond the normal scram response required entry after the scram. A plant exiting the
normal scram response procedure without using another EOP would answer this step as
“No”. The discretionary use of the lowest level Function Restoration Guideline (Yellow
Path) by the operations staff is an approved exception to this requirement. Use of the Rediagnosis Procedure by Operations is acceptable unless a transition to another EOP is
required.
Answer:
NO. The reactor trip response procedures were completed without re-entering another
EOP.
H 3 BWR Flowchart Basis Discussion
H 3.1 Did an RPS actuation fail to indicate / establish a shutdown rod pattern for a cold
clean core?
The purpose of this question is to verify that the reactor actually tripped and had sufficient
indication for operations to verify the trip. As long as a plant uses the EOP questions to
verify that the reactor tripped without entering the level/pressure control leg of the EOPs, the
response to this question should be “No”.
The generic BWROG EPG/SAG Revision 2 Appendix B statement is offered as an example:
Any control rod that cannot be determined to be inserted to or beyond position [02
(Maximum Subcritical Banked Withdrawal Position)] and it has not been determined that the
reactor will remain shutdown under all conditions without boron, enter Level/Power Control.
For example:
Are all control rods inserted to or beyond position 02 (if no then this is a yes for this PI)?
Will the reactor remain subcritical under all conditions without boron (if no then this is a
“Yes” for this PI)?
For example:
All rods not fully inserted; and, the reactor will not remain shutdown under all conditions
without boron then enter level/pressure control (if yes then this is a “Yes” for this PI).
H 3.2 Was pressure control unable to be established following the initial transient?
This question is designed to verify the ability to transfer reactor energy to the environment
using the normal pressure control system. The initial cycling of SRVs is typical for some
transients in which there was no failure of the normal pressure control system. Initial
operation of the SRVs is not indicative of pressure control problems with the normal pressure
control system. Therefore, cycling may occur post-trip until the pressure is controlled. Any
subsequent cycling after pressure has been controlled would result in a “YES” answer. Some
plant designs also may have a setpoint setdown of SRVs which would open additional SRVs
and reduce reactor pressure below the normal SRV closing setpoint. Any additional opening
of SRVs to control reactor pressure either automatically or manually indicates the inability of
the normal pressure control system to operate properly. Stuck open SRV(s) bypass the
normal pressure control system and would result in a “YES” for this PI.
For example:
A turbine trip occurs and SRVs open to control reactor pressure. The setpoint setdown
actuates and reduces reactor pressure from a normal 1025 psig to 930 psig. Following
closure of SRVs reactor pressure increases due to decay heat and bypass valves open. This
question would be answered “NO”.
For example:
A pressure controller failure occurs with scram on high reactor pressure. The SRVs open to
control reactor pressure. The setpoint setdown actuates and reduces reactor pressure from a
normal 1025 psig to 930 psig. Following closure of SRVs reactor pressure increases due to
decay heat and SRVs open again to control reactor pressure. The operator takes manual
control of bypass valves and opens the bypass valves to maintain reactor pressure. This
question would be answered “YES”. The yes answer is a result of SRVs opening after
pressure control was established from the initial transient.
For example:
The pressure controller failure occurs with scram on high reactor pressure. The SRVs open to
control reactor pressure. Setpoint setdown actuates and reduces reactor pressure from a
normal 1025 psig to 930 psig. Following closure of SRVs reactor pressure does not increase
because the scram occurred with low decay heat load and Main Steam Line drains were open.
This question would be answered “NO”.
H 3.3 Was power lost to any Class 1E Emergency / ESF bus?
Plants with a dedicated High Pressure Core Spray (HPCS) bus do not count the HPCS ESF
bus in this PI.
The purpose of this question is to verify that electric power was available after the reactor
trip. Loss of electrical power may result in other criteria being met in this PI. This question
deals only with electrical power. Should electrical power be maintained or restored within
the allowed 10 minutes, the response to this question should be “No”. There is an exemption
to this step that permits an Operator to manually restore power within 10 minutes as an
acceptable alternative. The exception is limited to those actions necessary to close a
breaker(s) or switch(es) from the main control board. Actions requiring access to the back of
the control boards or any other remote location would require answering this question as
“Yes”. It is acceptable to manipulate more than one switch, such as a sync switch, in the
process of restoring power to the bus. It is acceptable to close more than one breaker. It is
acceptable to restore power from the emergency AC source, such as the diesel generators, or
from off-site power. The additional operator action to restore power to additional buses has
been discussed and considered acceptable as long as it can be completed within the time
limitations of 10 minutes (chosen to limit the complexity) and the constraints of breaker or
switch operation from the main control board. Any actions beyond these would need to be
considered as a complication for this question. Because of the wide variation in power
distribution designs, voltage, and nomenclature in various plant designs no specific examples
are given here. There is an exception for a plant designed with a dedicated High Pressure
Core Spray Pump (HPCS) ESF bus. If a plant has a dedicated HPCS ESF bus (one that only provides
power to HPCS equipment), then the HPCS ESF bus does not have to be considered in this question.
This would be similar to a scram with a loss of HPCI, which in and of itself would not count in
this PI.
H 3.4 Was a Level 1 Injection signal received?
The consideration of this question is whether or not the operator had to respond to abnormal
conditions that required a low pressure safety injection or if the operator had to respond to
the actuation of additional equipment that would not normally actuate on an uncomplicated
scram. For some plant designs some events result in a high pressure injection signal on
vessel level. Automatic or manual initiation of low pressure ECCS indicates the inability of
high pressure systems to operate properly or that a significant leak has occurred. Alternately,
for plants that do not have a separate high pressure ECCS level signal from their low level
ECCS signal, an allowance is made to deviate from this question and answer “Yes” if the
system injected.
H 3.5 Was Main Feedwater not available or not recoverable using approved plant
procedures during the scram response?
FAQ481
(10-02)
If operating prior to the scram, did Main Feedwater cease to operate and was it unable to be
restarted during the reactor scram response? The consideration for this question is whether
Main Feedwater could be used to feed the reactor vessel if necessary. The qualifier of “not
recoverable using approved plant procedures” will allow a licensee to answer “NO” to this
question if there is no physical equipment restraint to prevent the operations staff from
starting the necessary equipment, aligning the required systems, or satisfying required logic
circuitry using plant procedures approved for use that were in place prior to the scram
occurring.
The operations staff must be able to start and operate the required equipment using normal
alignments and approved emergency, normal and off-normal operating procedures.
Manual operation of controllers/equipment, even if normally automatic, is allowed if
addressed by procedure. Situations that require maintenance or repair activities or
non-proceduralized operating alignments will not satisfy this question. Additionally,
Main Feedwater must be capable of being restored to provide feedwater to the
reactor vessel in a reasonable period of time. Operations should be able to start a Main
Feedwater pump and start feeding the reactor vessel with the Main Feedwater System within
about 30 minutes from the time it was recognized that Main Feedwater was needed. During
startup conditions where Main Feedwater was not placed in service prior to the scram, this
question would not be considered, and should be skipped.
H 3.6 Following initial transient, did stabilization of reactor pressure/level and drywell
pressure meet the entry conditions for EOPs?
Since BWR designs have an emergency high pressure system that operates automatically
between a vessel-high and vessel-low level, it is not necessary for the Main Feedwater
System to continue operating following a reactor trip. However, failure of the Main
Feedwater System to be available is considered to be risk significant enough to require a
“Yes” response for this PI. To be considered available, the system must be free from damage
or failure that would prohibit restart of the system. Therefore, there is some reliance on the
material condition or availability of the equipment to reach the decision for this question.
Condenser vacuum, cooling water, and steam pressure values should be evaluated based on
the requirements to operate the pumps, and may be lower than normal if procedures allow
pump operation at that lower value.
The estimated 30-minute timeframe for restart of Main Feedwater was chosen based on
restarting from a hot condition with adequate reactor water level. Since this timeframe
will not be measured directly, it should be an estimation developed based on the material
condition of the plants systems following the reactor trip. If no abnormal material conditions
exist, the 30 minutes should be capable of being met. If plant procedures and design would
require more than 30 minutes, even if all systems were hot and the material condition of the
systems following the reactor trip were normal, a routine time should be used in the
evaluation of this question. The considered judgment of an on-shift licensed SRO
should be used in determining if this timeframe is met.
When a scram occurs plant operators will enter the EOPs to respond to the condition. In the
case of a routine scram the procedure entered will be exited fairly rapidly after verifying that
the reactor is shutdown, excessive cooling is not in progress, electric power is available, and
reactor coolant pressures and temperatures are at expected values and controlled. Once these
verifications are done and the plant conditions considered “stable” (see guidance in the
Definition of Terms section under scram response) operators will exit the initial procedure
to another procedure that will stabilize and prepare the remainder of the plant for transition
for the use of normal operating procedures. The plant would then be ready to be maintained in
Hot Standby, to perform a controlled normal cool down, or to begin the restart process. The
criteria in this question are used to verify that there were no other conditions that developed
during the stabilization of the plant in the scram response related to vessel parameters that
required continued operation in the EOPs or re-entry into the EOPs or transition to a
follow-on EOP. Maintaining operation in EOPs that are not related to vessel and drywell
parameters does not count in this PI.
For example:
Suppression Pool level high or low requires entry into an EOP on Containment Control.
Meeting EOP entry conditions for this EOP does not count in this PI.
H 4 BWR Case Studies
H 4.1 BWR Case Study 1
A plant experienced an automatic reactor scram as a result of a breaker tripping due to a
ground fault on the 34.5kv bus work downstream of the Service Transformer. Loss of
service transformer resulted in the loss of power to 2 of 4 balance of plant main busses and
one of 3 ESF busses. Emergency Diesel Generator Division 1 started on a loss of power and
connected to the ESF bus.
The Main Generator tripped on reverse power and the turbine bypass valves opened to
control pressure. No SRVs opened during this event.
Both RPS actuation systems actuated, although for different reasons. The “A” RPS system
actuated on loss of power to the Balance of Plant (BOP) (power to RPS “A” MG set) bus
since it was powered from a service transformer. With the accompanying loss of power to
the condensate/feedwater system components, the “B” RPS system actuated on low reactor
water level of 11.4 inches. All control rods inserted to 00 position.
Reactor water level dropped to approximately -75 inches on wide range level instrumentation
before the High Pressure Core Spray (HPCS) and Reactor Core Isolation Cooling (RCIC)
systems initiated at -41.6 and restored level to the EOP specified band. Level control was
transferred to the startup level controller and both HPCS and RCIC were secured.
Primary, secondary, and drywell isolations occurred as designed at -41.6 inches along with
the start of the Division III (HPCS) diesel.
A walk down of the switchyard following the reactor scram discovered that a raccoon had
entered the service transformer area and caused the ground fault.
Prior to the scram power was 100% with both main feedwater pumps in service.
Feedwater was unavailable to control level.
Vessel level was restored to the EOP level band (+11.4 inches [low level scram setpoint]
to +53.5 inches [high level feedpump trip setpoint]) without any additional scram signals.
Drywell pressure was not affected noticeably by this event.
1. Did RPS actuation fail to indicate/establish a shutdown rod pattern for a cold clean
core?
Answer: “No”. As indicated Alternate Rod Insertion was not indicated or required.
Alternate yes / no answers as examples:
Answer: “No”. While all rods did not fully insert, reactor engineering, using an approved
procedure, ran a computer calculation that determined the reactor would remain shutdown
under cold clean conditions.
Answer: “Yes”. All rods did not insert, reactor engineering could not be contacted so
operations entered the ATWS leg of EOPs. Subsequent calculation by reactor engineering
determined the reactor would remain shutdown under cold clean conditions.
Answer: “Yes”. All rods failed to fully insert.
2. Was pressure control unable to be established following initial transient?
Answer: “No”. The Main Turbine did not trip as a result of the switchyard transient.
The turbine did eventually trip on reverse power at which time the turbine bypass valves
operated to control reactor pressure.
Alternate yes / no answers as examples.
Answer: “No”. The main turbine tripped resulting in opening of one or more SRVs.
Following the initial opening of the SRVs, the main turbine bypass valves opened to
control pressure.
Answer: “Yes”. The main turbine tripped resulting in opening of all 20 SRVs. As a result
of pressure controller problems operations subsequently manually opened an additional
SRV to control reactor pressure.
Answer: “Yes”. The main turbine tripped and as a result of loss of condenser vacuum,
one or more SRVs were used to control reactor pressure.
3. Was power lost to any class 1E Emergency/ESF bus?
Answer: “No”. While an ESF bus (Division I) did lose power, the EDG started and
restored power to the ESF bus.
Alternate yes / no answers as examples.
Answer: “No”. Power was lost to an ESF bus. The EDG was out of service and power
was restored by closing an alternate feed breaker from the control room.
Answer: “Yes”. Power was lost to an ESF bus. The EDG was out of service. Power was
restored to the ESF bus by resetting a lockout in the back panels and closing the breaker
from the control room.
4. Was a level 1 Injection signal received?
Answer: “No”. Vessel level did decrease to approximately -75 inches resulting in the
automatic start of RCIC and HPCS. However, for this plant Level 1 is -150.3 inches.
Alternate yes / no answers as examples:
Answer: “No”. HPCS and RCIC failed to start/run. Level dropped to -110 inches but was
stabilized by use of Control Rod Drive (CRD) pumps.
Answer: “Yes”. HPCS and RCIC failed to start/run. Vessel level decreased to
near -150.3 inches and operators manually initiated low pressure.
5. Was main feedwater unavailable or not recoverable using approved plant
procedures during the scram response?
Answer: “No”. While some of the condensate system pumps lost power resulting in
both feedwater pumps tripping, the feedwater system was restored by use of normal
procedures. Feedwater was restored, and RCIC/HPCS was secured.
Alternate yes / no answers as examples
Answer: “No”. Level was restored by RCIC. A condensate and condensate booster
pump remained operating. While both feedwater pumps tripped there were no known
issues with either pump that would prevent restarting if needed.
Answer: “Yes”. Level was restored by RCIC. A condensate and condensate booster
pump remained operating. Both feedwater pumps tripped and problems with condenser
vacuum prevented restart of the feedpumps if they had been needed.
6. Following initial transient did stabilization of reactor pressure/level and drywell
pressure meet the entry conditions for EOPs?
Answer: “No”. Following the initial event, reactor pressure was controlled by the
turbine pressure control system to less than the high reactor pressure entry condition of
1064.7 psig [reactor high pressure scram setpoint]. Vessel level was restored to the EOP
level band (+11.4 inches [low level scram setpoint] to +53.5 inches [high level feedpump
trip setpoint]) without any additional scram signals. Drywell pressure was not affected
noticeably by this event.
Alternate yes / no answers as examples.
Answer: “No”. Following the initial event, reactor pressure was controlled by the turbine
pressure control system to less than the high reactor pressure entry condition of 1064.7
psig [reactor high pressure scram setpoint]. Vessel level was restored to the EOP level
band (+11.4 inches [low level scram setpoint] to +53.5 inches [high level feedpump trip
setpoint]) without any additional scram signals. The vessel was overfed twice, resulting
in a high level trip of the feedpump. However, when level decreased to less than the high
level trip setpoint, the feed pump was restored to operation by procedure. Drywell
pressure was not affected noticeably by this event.
Answer: “Yes”. Following the initial event, reactor pressure was controlled by the
turbine pressure control system to less than the high reactor pressure entry condition of
1064.7 psig [reactor high pressure scram setpoint]. Vessel level was restored to the EOP
level band (+11.4 inches [low level scram setpoint] to +53.5 inches [high level feedpump
trip setpoint]) but startup level control valve problems resulted in an additional low level
scram signal.
H 4.2 BWR Case Study 2
A plant received an automatic scram on a Turbine Control Valve Fast Closure as a result of a
load reject. The initiating event for the automatic scram was closure of a 500 kV disconnect
which was open for maintenance. High winds contributed to the disconnect closing and
contacting the energized bus. The pressure exerted by the wind on the disconnect blades
overcame the spring counterbalance of the disconnect switch. Additionally, the “Open”
position lock bracket on the motor operator was broken. A low impedance ground fault was
created through the installed maintenance grounds.
The fault resulted in actuation of the Service Transformer differential lockout and the West
500 kV bus differential lockout. Breakers opened as designed due to the Service
transformer lockouts and the West Bus lockouts. This resulted in the loss of one of the 2
service transformers and all plant busses normally powered from this transformer, including
safety related busses Division 2 and 3 which were powered from the service transformer.
The Division 2 & 3 EDGs subsequently started and appropriately re-energized the ESF
buses.
Within 3-5 cycles of the ground fault, breakers opened at a nearby substation de-energizing
the remaining 500 kV incoming power to the switchyard. This left the main generator
supplying power to some of the in-house loads including Balance of Plant and Division I
Safety Related Bus (ESF Division I).
The load reject relays then actuated producing a Turbine Control Valve Fast Closure
(TCV/FC) signal and a subsequent reactor scram. Approximately 4 seconds later the turbine
speed increased to 1900 rpm and generator output frequency increased to 63.5 Hz.
Subsequently, the turbine tripped as the generator remained excited and the turbine-generator
began coasting down into an under-frequency condition. Generator output voltage remained
constant.
As the turbine coasted down an under frequency condition occurred resulting in the turbine
output breaker opening. This resulted in loss of the Division 1 ESF bus as well as loss of the
2nd service transformer and all remaining balance of plant loads about 2-3 minutes following
the initial scram.
In summary the loss of power to the plant BOP, which resulted in loss of Feedwater and
normal pressure control, occurred in stages over several minutes, but still within the initial
transient. The ESF buses also lost power but were restored automatically by the D/Gs.
1. Did RPS actuation fail to indicate/establish a shutdown rod pattern for a cold clean
core?
Answer: “No”. Alternate Rod Insertion was not indicated or required.
2. Was pressure control unable to be established following initial transient?
Answer: “Yes”. While SRVs opened once on the load reject and steam pressure decreased
as the turbine coasted down, the loss of all balance of plant power several minutes later
when the main generator tripped, resulted in loss of pressurized fluid for the hydraulic
bypass valves. This resulted in the use of the SRVs to control reactor pressure following
the initial scram. Additionally, the loss of the balance of plant power resulted in loss of
main condenser cooling which prevented use of the main condenser as a heat sink.
3. Was power lost to any class 1E Emergency/ESF bus?
Answer: “No”. While all ESF busses lost power the EDGs started and restored power
automatically to the ESF busses.
4. Was a level 1 Injection signal received?
Answer: “No”. Vessel level did drop to about -42 inches resulting in auto start of
RCIC. The Level 1 setpoint is -150.3 inches.
5. Was main feedwater unavailable or not recoverable using approved plant
procedures during the scram response?
Answer: “Yes”. The loss of balance of plant power after several minutes resulted in loss
of all condensate and condensate booster pumps as well as loss of power to condensate
and feedwater valves, preventing the use of feedwater to control level. Level was
controlled by RCIC.
6. Following initial transient did stabilization of reactor pressure/level and drywell
pressure meet the entry conditions for EOPs?
Answer: “No”. Following the initial event, reactor pressure was controlled by the SRVs
to maintain the reactor pressure below the EOP entry setpoint of 1067.5 psig [reactor
high pressure scram setpoint]. The vessel level was restored to the EOP level band
(+11.4 inches [low level scram setpoint] to +53.5 inches [high level feedpump trip
setpoint]) by use of RCIC with one additional scram signal on high level. Drywell
pressure did increase slightly as a result of loss of cooling but never exceeded the EOP
setpoint of 1.23 psig. The EOP for containment control was entered as a result of high
suppression pool level due to swell from the heat/mass addition from the operation of
systems (e.g., RCIC, SRVs).
File Type | application/pdf |
File Title | NEI 99-02 Revision 7 |
Author | NEI;jes@nei.org |
File Modified | 2013-09-12 |
File Created | 2013-09-12 |