U.S. NUCLEAR REGULATORY COMMISSION August 1998

REGULATORY GUIDEOFFICE OF NUCLEAR REGULATORY RESEARCH

REGULATORY GUIDE 1.176(Draft was Issued as DG-1064)

AN APPROACH FOR PLANT-SPECIFIC, RISK-INFORMEDDECISIONMAKING: GRADED QUALITY ASSURANCE

A. INTRODUCTION

Background

The NRC has established deterministic criteria fordetermining which commercial nuclear power plantequipment is considered safety-related (see Section50.2, "Definitions," of 10 CFR Part 50, "DomesticLicensing of Production and Utilization Facilities";Appendix A, "Seismic and Geologic Siting Criteria forNuclear Power Plants," to 10 CFR Part 100, "ReactorSite Criteria"; Section 50.65, "Requirements for

' Monitoring the Effectiveness of Maintenance atNuclear Power Plants," of 10 CFR Part 50; and Section50.49, "Environmental Qualification of ElectricEquipment Important to Safety for Nuclear PowerPlants,"of 10CFR Part 50). Because of the importanceof the safety-related equipment to protecting publichealth and safety, the NRC has additionally requiredthat a quality assurance (QA) program (described inAppendix B, "Quality Assurance Criteria for NuclearPower Plants and Fuel Reprocessing Plants," to 10CFR Part 50) be applied to all activities affecting thesafety-related functions of that equipment. The overallpurpose of the QA program is to establish a set ofsystematic and planned actions that are necessary toprovide adequate confidence that safety-related plant

equipment will perform satisfactorily in service. Therequirements delineated in Appendix B to 10 CFR Part50 recognize that QA program controls should beapplied in a manner consistent with the importance tosafety of the associated plant equipment. In the past,engineering judgment provided the general mecha-nism to determine the relative importance to safety ofplant equipment.

In recognition of advances made in the state of theart in the probabilistic risk assessment (PRA)technology area, the NRC has made the decision toexpand the use of PRA in the regulatory process. PRAprovides insights that may be utilized by licensees tosupport the determination of the relative safetysignificance of plant equipment. The probabilisticinsights help identify low safety-significant structures,systems, and components (SSCs) that are candidatesfor reductions in QA treatment. The end result of thisprocess could be that licensees would have plantequipment that is categorized as safety-related andhigh safety-significant; safety-related and low safety-significant; non-safety-related and high safety-significant; and non-safety-related and lowsafety-significant. Grading of QA controls would varycommensurate with these categorizations. Thisregulatory guide provides guidance that could be used

USNRC REGULATORY GUIDES The guides are Issued in the Wowing ten broad dvIslons:Regulatory Guides are Issued to describe and make available to She public such infamj*n-tion as methods acceptoable to the NRC staff for Implemenltng specific parts of the .Po0er9R1sctors 6. ProductsCommission's regulations. tochniques used by the staff In evaluating specific problems or 2. Research and Teat mactore 7. Transportationpostulated accidents, end data needed by the NRC staff In it review of applictions for 3. Fuels and Materials Facilties 8. Occupational Healthpewias and licnses. Regulatory uides am not substitutes for regula and ompl- 4. Environmental and Sting 9. Antitrust and Financial Review

once wet them Is not required. Methods and solutions diferent fom those so ad h the 5. Materials and Plant Protectlon 0. General

guides %All be acceptable i they provide a basis for the findings requisite to the issuance ofcontiuae of. pnrmt or icenee by the Commision.

Sinle coples of regulatory guides may be obtained free of charge by writing the Reproduc.This guide was issued alfter consIderation of commenms received from the publi. Com. tlion and Disribution Services Section. Office of the Chief Information Officer. U.S. Nuclearmants and suggestions for Improvements In these guides em encouraged at all times. and Regulatory Commission, Washington. DC 20555-0O0I; or by tax at (310)415-2280; or byguides wE be revised. as appropriate, to accommodate comments and to reflect new bilor. e-mal to tGRW1 @NRC.GOV.mation or eaperience.

Issued guides may also be purchased front the National Technical Information Service onWtlaen commewts may be submitted to the Ruls Review and Orectfves Branch, ADM. a standing order beass. Details on this service may be obtained by wrlmg NTIS. 5285 PortU.S. Nuclear Reguatory Cornmisvion. Washington. DC 20555-0001. Royal Road, Springfield. VA 22161.

by ýlicensees both to determine the relative safetysignificance of plant equipment and to adjust theapplication of QA controls accordingly.

Requirements related to QA programs for nuclearpower plants are set forth in Appendix B to 10 CFRPart 50. The general requirements contained inAppendix B are supplemented by industry standardsand NRC regulatory guides that describe specificpractices that have been found acceptable by theindustry and the NRC staff. Although both AppendixB and the associated industry standards allow a large

.degree of flexibility, the licensees and the NRC staffhave been reluctant to make major changes inestablished QA practices. Recently, however, changesin the nuclear industry have resulted in numerousproposals to revise QA practices. These changes.include the completion of construction projects,establishment of programs related to plant operationsand maintenance, maturation of licensee programs andpersonnel, and increased pressures to control plantoperating costs.

The information collections contained in thisregulatory guide are covered by the requirements of 10CFR Part 50, which were approved by the Office ofManagement and Budget, approval number 3150-0011. The NRC may not conduct or sponsor, and aperson is not required to respond to, a collection ofinformation unless it displays a.currently valid OMBcontrol number.

B. DISCUSSION

During the last several years, both the NRC and thenuclear industry have recognized that PRA hasevolved to the point that it may be used as a tool inregulatory decisionmaking so that the regulations canbe implemented more effectively. In 1995, the NRC

-issued a final policy statement on the use of PRAmethods in nuclear regulatory activities (Ref. I). In itsapproval of the policy statement, the Commissionarticulated its expectation that:

The use of PRA technology should beincreased in all regulatory matters to theextent supported by the state of the art inPRA methods and data and in a mannerthat complements the NRC's deterministicapproach and supports the NRC's tradi-tional defense-in-depth philosophy.

PRA and associated analyses (e.g.,bounding analyses, uncertainty analyses,and importance measures) should be usedin regulatory matters, where practical

within the bounds of the state of the art, toreduce unnecessary conservatism associ-ated with current regulatory requirements,regulatory guides, license commitments,.'and staff practices. When appropriate,PRA should be used to support theproposal of additional regulatory require-ments in accordance with 10 CFR 50.109(backfit rule). Appropriate procedures forincluding PRA in the process for changingregulatory requirements should be devel-oped and followed. It is, of course,understood that the intent of this policy isthat existing rules and regulations will becomplied with unless these rules andregulations are revised.

PRA evaluations in support of regulatorydecisions should be as realistic aspracticable, and appropriate supportingdata should be publicly available forreview.

The Commission's safety goals for nuclearpower plants and subsidiary numericalobjectives are to be used with appropriateconsideration of uncertainties in makingregulatory judgments on the need forproposing and backfitting new genericrequirements on nuclear power plantlicensees.

The staff's review of 10 CFR Part 50 indicates thatthe option of applying QA measures in a mannercommensurate with safety significance is clearlyavailable to licensees. That is, no exemptions fromcurrent regulations are expected to be needed toimplement a graded -quality assurance (GQA)program. The implementing industry QA standards(which licensees have committed to implement tofulfill the requirements of Appendix B) also containgeneral provisions for applying QA using a gradedapproach. However, when implementing suchchanges, licensees may need to submit a revisedQA program to the staff pursuant to 10 CFR 50.54(a).

Purpose and Scope

In this guide the staff describes an acceptableapproach for identifying the safety significance ofSSCs and assigning QA controls accordingly to ensurethat QA requirements are being graded commensuratewith safety. This regulatory guide contains guidanceon modifying current QA program controls based onthe safety categorization of the SSCs. This regulatoryguide also describes acceptable approaches for

1.176-2

monitoring the effectiveness of the GQA programimplementation and for determining when it may benecessary to make adjustments in QA practices andsafety-significance categorizations to ensure that SSCsremain capable of performing their intended functions.The guide also delineates the principles for risk-informed decisionmaking, or guiding features, of aGQA program that need to be dealt with by a licensee.In some cases, rather than articulating a prescriptivemethod that must be implemented by a licensee tofulfill these principles (or their subsidiary issues) forGQA, the staff has chosen to identify those issues thatmust be evaluated, and documented, by licensees whenformulating their particular approach to GQA. Thus,the burden would fall on the licensee to be able toinform the staff how the issues were addressed withinthe site-specific program. This guide has beenspecifically written for situations when the licensee'sGQA program will result in changes to the QAprogram that do reduce commitments in the programdescription previously accepted by the NRC.

Graded quality assurance (GQA) is intended toprovide a safety benefit by allowing licensees and theNRC to preferentially allocate resources based on thesafety significance of the item. The Commission hasarticulated its expectation that implementation of thepolicy to expand the use of PRA will improve theregulatory process in three areas: foremost throughsafety decisionmaking enhanced by the use of. PRAinsights, through more efficient use of agencyresources, and through a reduction in unnecessaryburdens on licensees. Background information aboutinitial efforts to implement GQA is in SECY-95-059,"Development of Graded Quality Assurance Method-ology" (March 10, 1995) (Ref. 2).

Relationship to Other Guidance DocumentApplications

Regulatory Guide L.174 (Ref. 3) describes ageneral approach to risk-informed, regulatory decision-making and includes a discussion of specific topicscommon to all regulatory applications. This regulatoryguide provides guidance specifically for GQAprograms, consistent with but more detailed than thegenerally applicable guidance given in RegulatoryGuide 1.174. Licensees may choose to use risk-informed decisionmaking in application areas otherthan GQA. It is anticipated that certain efficienciescould be realized in that situation.

Licensees developing GQA programs will adjusttheir QA programs to accommodate their individualneeds. The NRC conveyed its goals and expectations

I for an acceptable graded QA program to Nuclear

Energy Institute (NEI) in a letter dated June 15, 1994(Ref. 4). Irrespective of a licensee's specific approach,the NRC stated a graded QA program should have fouressential elements:

(I) A process that determines the safety significanceof SSCs in a reasonable and consistent manner,including the use of both traditional engineeringand probabilistic evaluations

(2) The implementation of appropriate QA controlsfor SSCs, or groups of SSCs, according to safetyfunction and safety significance to maintainreasonable confidence in equipment performanceand to support the GQA corrective action feedbackprocess

(3) An effective root-cause analysis and correctiveaction program

(4) A means for reassessing SSC safety significanceand QA controls when new information becomesavailable through operating experience, or basedon changes in plant design.

Organization and Content

Limited data are available to define the impact ofQA programs on SSC performance. Consequently,this regulatory guide emphasizes the classification ofequipment into safety-significance categories asdiscussed in Section 2.2 and Appendix A ofRegulatory Guide 1.174 (Ref. 3). Regulatory Guide1. 174 describes a general four-element process that iselaborated upon in the context of GQA in theDiscussion section of this regulatory guide. TheRegulatory Positions in this regulatory guide discussElement I, a definition of proposed changes to QAapplications; Element 2, which addresses engineeringevaluations applicable to GQA programs; Element 3,which provides specific guidance for an acceptableapproach for implementing GQA controls and fordeveloping performance monitoring strategies; andElement 4, documentation and submittal aspectsrelated to the change.

PROCESS OVERVIEW

As the nuclear industry incorporates risk insightsinto its QA programs, it is anticipated that the industrywill build upon its existing risk-informed activities,including the individual plant examination program.To provide the industry with the NRC's expectationsfor risk-informed decisionmaking, Regulatory Guide1.174 (Ref. 3) was developed. This guide establishesfive safety principles and describes a four-element

1.176-3

process for evaluating risk-informed regulatorychanges consistent with those principles, as illustratedin Figure 1. Regulatory Guide 1.174 providesadditional quantitative acceptance guidelines, discus-sion of defense in depth, and safety margins. Theprinciples are:

I. The proposed change meets the current regulationsunless it is explicitly related to a requestedexemption or rule change.

2. The proposed change is consistent with thedefense-in-depth philosophy.

3. The proposed change maintains sufficient safetymargins.

4. When the proposed changes result in an increase incore damage frequency or risk, the increasesshould be small and consistent with the intent ofthe Commission's Safety Goal Policy Statement.

5. The impact of the proposed change should be mon-itored using performance measurement strategies.

The individual elements of this process aredescribed in Regulatory Guide 1.174. Those generallyapplicable discussions are not repeated here. Instead,this guide describes a method acceptable to the NRCstaff for categorizing SSCs at nuclear power plants in amanner commensurate with their safety significance(using an integration of insights from traditionalengineering analyses, applicable qualitative consider-ations, and probabilistic analyses) and for applyingappropriate QA programs to each category of SSCs.

The process begins with a set of actions related toproposed changes in the QA categorization of certain

SSCs. The following is an overview, with greaterdetail provided in the Regulatory Positions. Theelements are (1) define the proposed change,(2) perform engineering analysis, (3) define imple-mentation and monitoring program, and (4) submitproposed change.

Element 1: Define the Proposed Change

The process for developing the initial proposal forthe changes is left to the licensee, but it should derivefrom an examination of both traditional engineeringand probabilistic information, and it should result incategorization of the plant's SSCs based on their safetysignificance so that an appropriate level of qualitycontrols can be applied. The licensee identifies thecandidate SSCs and associated activities for a risk-informed application of QA requirements. A risk-informed GQA submittal includes the QA programchange required by 10 CFR 50.54(a)(3)(ii), accompa-nied by the supplemental information described inRegulatory Position 4.1.2 of this guide, which will beused by the staff to determine the acceptability of theprogram. A licensee may elect to categorize a limitednumber of plant systems and apply GQA controls tothese selected plant systems. The SSCs included in thebounding analysis discussed in Regulatory Position2.2 determine which SSCs are candidates forcategorization. If all SSCs in the PRA are included inthe bounding analysis, all SSCs may be candidates forcategorization.

The licensee identifies the systems to be categorizedin the supplemental information. The licensee canchoose when to categorize each system and may choosenot to categorize all the systems identified in thesubmittal. If categorization of systems not included inthe supplemental information proves desirable, the

Figure 1. Principle Elements of Risk-Informed, Plant-Specific Decisionmaking

1.176-4

licensee prepares additional supplemental informationfor NRC approval prior to implementation. SSCs thatshould be considered as potential candidates include:

* Systems and components that are subject tocurrent QA requirements in Appendix B to I 0CFRPart 50,

* SSCs modeled in the PRA for the plant,

& Non-safety-related SSCs that are within the scopeof the Maintenance Rule ( 0 CFR 50.65), and

0 Non-safety-related equipment that has previouslyreceived augmented quality treatment (e.g.,anticipated transient without scram, stationblackout, fire protection).

The licensee should ensure that the QA programcommitments and other QA-related informationgermane to the contemplated changes in QA practicesare clearly understood and adhered to, unless modifiedor amended through the appropriate licensing orregulatory actions. The suitability of the plant-specificPRA should be assessed relative to its use in suppbrtingthe GQA decisionmaking process. In addition,available industry and plant-specific operationalexperience information relative to GQA shouldbe assessed.

Further, the licensee should identify the overallobjective and approach of the proposed changes to theQA program for the candidate SSCs. More details areprovided in Regulatory Position I of this document.

Element 2: Perform Engineering Analysis

In Element 2, the proposed changes in theapplication of QA controls for SSCs as a function ofcategorization commensurate with safety are exam-ined and assessed with respect to the relevant risk-informed decisionmaking safety principles. Anessential element of the evaluation is the categoriza-tion of SSCs into high and low safety-significantcategories. The impact of the QA program changeson defense in depth would be determined through theuse of both traditional engineering evaluations andPRA techniques. In addition, an assessment wouldensure that no more than insignificant risk increasesare introduced by the proposed changes, as describedin Regulatory Position 2. The engineering evaluationhelps to establish the safety significance of systemsand components and determines that the effects of thechanges in QA controls has a small impact on plantrisk. More details concerning Element 2 are containedin Regulatory Position 2.

Element 3: Define Implementation MonitoringProgram

The third element involves developing GQAcontrol implementation and monitoring plans. Theseplans should be formulated to ensure that appropriatesystem and component performance are maintained.For the safety-related SSCs in the high safety-significant category, no changes in QA controls areexpected to be proposed. For the non-safety-relatedSSCs that are found to be high safety-significant, anevaluation would be performed to determine whataugmentation of existing QA controls is appropriate.For low safety-significant SSCs that are safety-related,reductions in QA controls are anticipated. For non-safety-related SSCs that are low safety significant,licensees would continue to define their qualitycontrols. Means should be specified for monitoring theperformance of systems and components and ofquality-related activities and processes and forapplying corrective actions. Specific guidance forElement 3 is provided in Regulatory Position 3.

Element 4: Submit Proposed Change

The final element involves documenting theanalyses for NRC staff or independent review orinspection, and submitting the request to changeimplementation of QA commitments, as required by10 CFR 50.54(a) if the change involves a reduction inthe licensee's QA commitments (for example, adeviation from an NRC regulatory guide or AmericanNational Standards Institute (ANSI) standard). If theproposed change does not involve a reduction in thelicensee's QA commitments, prior NRC staff reviewand approval is not required and the change to the QAprogram is submitted in accordance with 10 CFR50.71 (e). The changes associated with the adoption ofGQA proposed by the licensee will be described in theQA Program. In addition, important assumptions thatplay a key role in supporting the acceptability of theQA program change should be identified by thelicensee in the QA program. Documentation necessaryto support the GQA effort is listed in RegulatoryPosition 4 of this regulatory guide.

C. REGULATORY POSITION

1. ELEMENT 1: DEFINE THE PROPOSEDCHANGE

The first element in the process of evaluating achange to QA programs involves providing a frilldefinition of the proposed change. The first step is toidentify the overall scope of the GQA program in termsof the SSCs that are covered. Additionally, the

1.176-5

licensee's PRA would be evaluated with respect to itsadequacy to support the GQA decisionmaking process.To accomplish this the licensee should:

I. Identify, and consider during the GQA process, theset of regulatory requirements and commitmentsthat are. directly related to the proposed QAimplementation changes as well as those that maybe impacted. This information is used todemonstrate that the proposed QA changes do notviolate existing regulatory requirements. Themajor regulatory requirements applicable to GQAprograms are set forth in Appendices A and B to 10CFR Part 50, 10 CFR 50.54(a), and 10 CFR 50.34.Changes to technical requirements are controlledunder existing processes such as 10 CFR 50.59,license amendments, relief requests, and exemp-tion requests, which are outside of the scope of thisdocument. Relevant quality commitments that areto be considered reside in a variety of licensingdocuments such as the QA program description,the Final Safety Analysis Report (FSAR),responses to generic communications, andresponses to enforcement actions.

2. Identify the structures, systems, and components(SSCs) and associated activities that are candi-dates for assessment within the risk-informedapplication of GQA. The SSCs selected for therisk-informed application of GQA need notinclude all systems within the scope of thisregulatory guide. A licensee may elect to onlycategorize and apply GQA controls to a limitednumber of SSCs. For those safety-related SSCsnot categorized, the licensee's full Appendix BQA program controls will continue to apply.

3.. Identify the expected revisions to existingimplementing guidance of QA requirements thatwill result from the GQA program. Although theNRC staff would consider an application forchanges to many areas of a licensee's QA programto support the GQA methodology, such anapplication is not necessary. A licensee mayinitially choose to apply GQA controls only toselected portions of its QA programs, such as in thearea of procurement. No exemptions from currentregulations are expected to be needed toimplement a GQA program. However, thecommitments of each licensee regarding QA areaddressed in a number of documents, including theFSAR, a QA topical report (if applicable), andother docketed correspondence (e.g., responses togeneric communications, inspection reports).

* Licensees are expected to maintain control of theirlicensing bases. Accordingly, changes in QA

program commitments should be identified andthe manner in which they are being changedshould be documented, reviewed, and approved bythe NRC as necessary in accordance with theapplicable regulatory requirements (such as 10CFR 50.54(a)).

4. Evaluate risk studies to determine the extent towhich quantitative and qualitative risk insightsmay be utilized. The quality, level of review, andaccuracy of plant representation of the risk studiesshould also be taken into account whendetermining the level of support the studies canprovide to the development and implementation ofthe GQA program. The licensee should alsoconsider how it may use risk-study models,computer programs, and personnel to support thelong-term performance monitoring programrequired as part of GQA implementation.

5. The licensee should not make any changes in theapplication of QA controls and processes prior tothe evaluation of the associated system orcomponent to determine its safety significance asdiscussed in Regulatory Position 2 and beforereceiving approval of the proposed QA changes bythe NRC, if required.

The definition of the change should be completedby categorizing the SSCs identified above according towhether they are high or low safety significant. Forthose safety-related SSCs that are categorized as highsafety significant, current QA practices would apply.For those non-safety-related SSCs that are high safetysignificant, some increase in QA controls may bewarranted and should be implemented as appropriate.For those safety-related SSCs that are low safetysignificant, relaxation in QA controls should beconsidered. For non-safety-related SSCs that are lowsafety significant, licensees would continue to definetheir quality controls without NRC approval.

2. ELEMENT 2: ENGINEERINGEVALUATION

In Regulatory Guide 1.174 (Ref. 3), Element 2 is toperform the engineering evaluation to supportdecisions to change a plant's licensing basis. Changesin the application of* QA controls do not lendthemselves to a quantitative assessment because therelationship between QA programs and equipmentperformance (and, hence, risk contribution) has notbeen explicitly established. Furthermore, only a smallfraction of components that are candidates forapplication of GQA controls are modeled in PRAs.This small percentage arises from PRA's emphasis on

1.176-6

the control and mitigation of severe accidents; tdexclusion of equipment, such as recombiners, usefionly for control of design basis accidents; dexclusion of most instrumentation and react4protection system equipment from the models; dexclusion of emergency preparedness and plamonitoring equipment from the models; the combinirof SSCs with identical failure consequences inigrouped basic events; and not including some high]reliable SSCs when other less reliable SSCs (of simil;impact) or operator actions are modeled.

Categorization of the safety significance of SS(for utilization in GQA uses quantitative PRA resultsupplemented by qualitative engineering evaluatiotto include SSCs not modeled in the PRA, to develop ainitial categorization referred to in this regulatoiguide as candidate high or low safety significancThese initial categories should be evaluated, modificas appropriate, and approved during a final tradition•engineering decisionmaking process. Suchcombined, integrated approach is necessary to utili2the strengths and avoid inherent limitations in bolprobabilistic and traditional engineering analysmethodologies.

2.1 Safety-Significance Categorization

A minimum of two levels of categorization shoul,/' be utilized, preferably labeled high and low safel

significant. At the prerogative of the licensee, a greatinumber of safety-significance levels can be define4such as three levels composed of high, medium, anlow safety significance. From a regulatory point (view, it is essential that high safety-significant itenare not inappropriately categorized as less than higisince these might then be inappropriate candidates fireduced QA requirements. Therefore, for regulatoipurposes, high safety significance may be assumed (assigned. Only assignments of low and medium safetsignificance must be justified.

Systems have a variety of operating modes anperform a variety of functions, with each functionwell-defined task requiring the proper operation csome subset of system equipment. Although certaiQA controls are applied at the component or evepiece-part level, safety-significance categorizationmost appropriately defined at the system functiolevel. Therefore, the guidance in this regulatory guidis based on determining the safety-significance csystem functions, identifying the components ancomponent operational modes required to support higsafety-significant functions, and determining thcategorization of the components based on thiinformation.

e IThe categorization process must also be capable ofal systematically tracking and documenting systemie functional boundaries, defined as the point (compo-or nent) at which a system operating in a particular modeie functionally interfaces with a connected system. Thent categorization of the safety significance of supportIg functions is generally determined by the categorizationto of the function being supported, augmented by aly quantitative or qualitative evaluation of the supportar system's aggregate safety significance. Interfacing

function categorization should be well documented,traceable, and internally consistent. Licensees who

's chose to implement GQA programs one system at as, time must ensure that support system interfaces areIs sufficiently well defined and documented that theMn safety significance of interfacing systems will alwaysry be explicitly considered as each system is evaluated.:e.

AThe scope, level of detail, and quality required ofal the PRA are commensurate with the application fora which it is used and commensurate with the role theZ PRA results play in the integrated decision process.th PRAs used to support a GQA application shouldis realistically reflect the actual design, construction,

operational practices, and operational experience ofthe plant and its operator. Furthermore, all calculationsusing the PRA model should be performed correctlyand in a manner that is consistent with accepted

Id practices. The licensee must demonstrate that the PRA,y and the calculations are of sufficient quality to support,r a decision on the acceptability of the proposed change.d1,id A well organized and documented safety-of significance categorization process, sensitivity andIs bounding studies performed with the PRA, andh, implementation of a robust monitoring and feedback)r program can provide reasonable assurance thaty implementation of GQA should result in an)r insignificant change in risk. Consequently, NRC staffy evaluation of the quality of the PRA may be directed

toward a finding that :the quality is sufficient forassigning SSCs into broad safety-significant catego-

d ries for consideration in an integrated decisionmakinga process.)f

n All operational modes and internal and externaln events should be included in the evaluation of theis safety significance of systems, functions, -andmn components. PRA models and results for core damageýe and large early release frequency for internal initiatingWf events at full power should be used to support thed categorization process. Licensees may use qualitativeh studies of other initiating events and operational modesie that identify and characterize scenarios that areis believed to be important, but without expending

significant resources in quantifying the frequencies of

1.176-7

I" I I t i Il

the scenarios. Seismic margin analysis and fire-induced vulnerability evaluations (FIVE) done to

* support the individual plant examination of externalevents (IPEEE) analyses and shutdown risk configura-tion control evaluations are examples of qualitativestudies that have been developed. Evaluations basedon quantitative external and shutdown studies may alsobe used. If importance measures from quantitativestudies are combined with measures generated frominternal event analyses, the licensee should ensure thatthe greater uncertainties inherent in the analysis ofexternal events and the modeling of shutdown eventsare fully considered during the final categorization.

2.1.1 Identification of System Functions

Definition of the proposed change includesidentification of all the functions a system mustperform. Although many system functions mayeventually be categorized as low safety significant,characterization of the proposed change begins with adescription of all functions a system must fulfill.System functions should include functions used duringnormal operation as well as all functions related to theprevention or mitigation of core damage, protection ofcontainment integrity, or reduction in the releaseprobability or consequence to the public fromaccidents and transients both within and beyond thedesign basis (e.g., risk analysis).

2.1.2 System Function Safety-SignificanceCategorization

Determination of the safety significance of systemfunctions is inherently a "top down" process, startingwith the front-line systems and system functionsdirectly involved in plant-level safety functions (suchas reactivity control, reactor pressure control, anddecay heat removal). The delivery of high-pressureprimary coolant from the reactor water storage tank tothe core may be categorized as a high safety-significantfunction. The pumps, valves, and other SSCs whoseproper operation is required to fulfill this functionderive their initial categorization from the significanceof the function. Therefore, any determination of anSSC's safety significance requires determination ofthe safety significance of all functions the SSCsupports. Similarly, determination of the safetysignificance of support system functions (whichshould be later pursued in the support system'sevaluation) is best performed by determining the safetysignificance of the function being supported.

Licensees may limit their evaluation to the systemlevel and assign all components to the same safety-significance category as the system. This will onlyreduce the burden on licensees if all the system

functions can be categorized as low or medium safetysignificant. To provide confidence that eventualdetermination of less than high system safetysignificance is made with full recognition of eachsystem's contribution to risk, system-level importanceshould be determined from importance measuresdeveloped from the PRA. If the system is not modeledin the PRA, the licensee should determine why thesystem was not modeled and, guided by thisdetermination, investigate through a traditionalengineering review whether any system functionalfailure will degrade the performance of any humanactions or any other systems' high safety-significantfunctions. A system-level safety significance may beassigned based on the documented results of thereview.

2.1.2.1 Quantitative Safety CategorizationInsights. Quantitative importance measures from riskstudies provide valuable insights about the relativeranking of the safety significance of PRA modelelements such as basic events, components, humanactions, functions, trains, or systems. At least twoquantitative measures of importance are needed, one(such as Fussell-Vesely (FV) or risk reduction worth(RRW)) illustrates the fraction of current riskinvolving the failure of the model element; the other(such as risk achievement worth (RAW) or Birnbaum)illustrates the margin of safety contributed by themodel element's proper operation. Other measuresmay be used, but at least two measures reflectingcurrent contribution and margin contribution areneeded to balance the risk insights.

Importance measures represent the risk sensitivityof an individual model element. Importance measuresshould be compared to some quantitative guidelinevalues. The specific values chosen as guidelinesshould be justified by the licensee and should reflectthe estimated risk levels at the plant. All modelelements characterized -by importance measuresgreater than (or less than, as appropriate) the guidelinesare identified as potentially high safety significant.Once one element is varied, the importance measuresfor the other elements will change. Consequently,while large or small importance measure valuesidentify candidate high or low safety-significant modelelements, final categorization is determined by anexpert panel during the integrated decisionmaking.

To ensure that the integrated decisionmaking ismade with adequate understanding of the sensitivity ofthe importance results to major PRA modelingassumptions, techniques, and data, the licensee shouldaddress the technical issues associated with the use ofrisk importance measures to categorize SSCsdiscussed in Regulatory Guide 1.174. For GQA

1.176-8

applications, a minimum of two sensitivity calcula-tions are expected; one in which recovery' actions areremoved (that is, recovery probabilities set to 0.0) andone in which all common cause failures (CCFs) are

) removed (that is, failure probabilities set to 0.0). Thestudies should be performed by modifying andquantifying the original PRA logic model to minimizetruncation effects. These sensitivity studies aredesirable since human actions and CCF probabilitiesare derived from models requiring extensiveinterpretation and manipulation of observable data.When an SSC moves into the high safety-significantcategory as the result of a sensitivity study, the expertpanel should consider the reasonableness of therecovery action or CCF event that caused the lowsafety significance in the original results and considerassigning the SSC into a higher safety-significantcategory. If the sensitivity studies are not performed,additional peer and NRC staff review of the humanerror and CCF probability development may benecessary to develop confidence that the quantitativeresults provided to the expert panel are sufficientlyrobust to support the categorization process.

When each SSC is categorized, the safetysignificance of all the functions that SSC supports mustbe known. Therefore, the PRA model element mostapplicable to the SSC grading process described in thisregulatory guide is a system function failure. System

,j function importance provides the expert panel clearand documented information referencing individualcomponent functions to plant safety functions.Developing system functional importance will assist inboth the risk categorization process and the NRC staffreview. If basic event (such as component failure)importance measures, rather than system functionimportance measures, are used to directly categorizeSSCs at the component level, the categorizationprocess becomes more dependent on PRA characteris-tics such as system success criteria, system modelingdetail, and component modeling guidance.

System functions generally require the properoperation of a group of SSCs and are represented in thePRA models as a set of logically linked basic events.Some PRA codes are not well suited to thedevelopment and quantification of system levelimportance measures. One alternative technique usesbasic event importance measures (readily calculatedby most PRA codes) to identify a set of systemfunctions that are clearly high safety significant. Thistechnique is based on recognition that system function

'Recovery actions include human actions performed to return a failedsystem or component to operability. Recovery actions may also includeusing systems In relatively unusual ways. 'The procedures for recoveryactions usually give only general guidance instead of step-by-stepprocedures and ae not part of the standard training routine.

RAW and FV importance measures will always be atleast as large as the RAW and FV for basic eventswhose failure will fail the function. If other importancemeasures are used with this technique, this propertyshould be validated for the measures used.

When basic events are "used to characterize theimportance of system functions, the relationshipbetween the failure of the basic events and the systemfunctions they support becomes a critical consider-ation. For example, the RAW of aCCF basic event thatfails a set of nominally identical pumps provides areasonable estimate of the m~rgin of safety the properoperation of the pumps is contributing. If the pumpsfulfill only one system function, the RAW of the CCFprovides a reasonable estimate of that function'scontribution to margin of safety. Any system functionmodeled in the PRA that is supported by one or morebasic events that have importance measures above theguideline values should be initially categorized as acandidate high safety-significant system function.Since it is possible that the system function's RAW andFV measures are much higher than those of anyindividual basic event, system functions not catego-rized as candidate high should, as a minimum, befurther evaluated as discussed below, and the licenseeshould describe technically how each issue wasaddressed.

The redundancy and reliability of trains withinsystems that are available to fulfill a criticallyimportant system function can have the result thateach individual basic event within the system hasvery low importance measure values or is eventruncated out of the results. A system-basedevaluation should be performed to determine theimpact of the failure of systems that are modeled inthe PRA but that have no single failure event (forexample, no CCF) and no basic event importancemeasure above the guideline values. Discrepan-cies in the form of high failure consequence forsome systems (automatic depressurization system,for example) but low or no basic event importancemeasures should be identified and the relevanthigh safety-significant functions defined andproperly categorized as high safety significant.

" Initiating events are often not modeled as basicevents or, if they are, are modeled as singlemodularized events. Some examples of suchinitiating events are the loss of instrument air, theloss of main feedwater, the loss of offsite power(through local switchyard faults), the loss ofalternating current (AC) or direct current (DC)buses. If components whose failure contributes tothese initiating events are modeled in otherinitiating events (e.g., loss of an air compressor

1.176-9

3 • 4 1'

leading to loss of pneumatic valves following aloss of component cooling), the importance of thebasic events will not include the contribution of thefailure to the initiating event frequency. Thus, theimportance of functions whose failure wouldcause both an initiating event and the partial loss ofmitigating function can be severely underesti-mated by surrogate basic event importancemeasures.

PRA's integrated models provide an excellentframework to characterize system and system functionimportance. One area relevant to GQA that PRAmodeling does not usually address is cross-systemdependencies arising, from nominally identicalcomponents used in different applications throughoutthe plant. This occurs because cross-systemdependencies are typically not modeled (betweennominally identical MOVs in different systems, forexample) and because the resolution of the PRAmodels may not be sufficiently detailed (the PRAanalyst may not be able to determine whether thecircuit breakers in two different systems are identicalmodels, for example). Cross-system dependencies arenot modeled in PRAs yet can have a significant impacton risk. Consequently, licensees must develop amonitoring program capable of timely identification ofrepetitive failures of nominally identical equipment forfurther investigation.

2.1.2.2 Qualitative Safety CategorizationInsights. PRA results are to be used in conjunctionwith traditional engineering, and the principlesassociated with defense in depth and safety marginsmust also be factored into the safety-significancedetermination. Consequently, the following qualita-tive factors should be applied to the quantitative PRAinsights developed in the previous section. Thelicensee is to be able to describe technically how eachissue was evaluated and resolved.

The diversity of systems that are able to fulfillcritical high level functions (e.g., reactivitycontrol, decay heat removal) can have the resultthat each individual system could meet allquantitative guidelines to be categorized in the lowsafety-significance group. It would be prudent,and the licensee is expected, to designate at leastone system associated with critical high-levelfunctions as high safety significant.

Screening analyses are used to dismiss somefunctional failures as insignificant. In many cases,credit for the redundancy or reliability of plant

* systems or structures is taken to bolster thearguments that the functional failure need not be

modeled. Thus, the importance of some systems.functions, and structures will not show up in thePRA results since the functional failure is screenedout. (For example, screening out certaincontainment penetrations because of the numberof isolation valves involved obscures theimportance of the containment isolation functionof the system.)

Risk insights from nonquantitative external eventand shutdown risk studies should also be used. Allthe system functions credited in these studiesshould initially be categorized as "high safety-significant" candidates. Final categorization into alower safety-significance category should includeconsideration of the initiating event's frequency ormagnitude and the ability of the SSC to respond tothe event.

Risk insights from the evaluation of theMaintenance Rule (10 CFR 50.65) should beincorporated to ensure the identification offunctions that are (I) relied upon to mitigateaccidents; (2) used in emergency operatingprocedures; (3) those whose failure could preventa safety-related SSC from performing its safety-related function; and (4) those whose failure couldcause a reactor scram or actuation of a safety-related system.

PRA importance measures do not fully address thesignificance of SSCs that support operator actionsfor emergency and severe accident management.Such systems can include environmental controls,lighting, alarms, communications, and annuncia-tors. Determination of the categorization of suchsystems should include consideration of whetherthe loss of such systems could cause short-term orlong-term problems, whether a system failurecoincident with an accident is likely, and whetherpersonnel could reasonably compensate for theloss of these support systems.

2.1.3 Identification of Components thatSupport Functions

QA controls are applied at the component levelwhile PRA basic events often represent groups ofcomponents. For example, a diesel failure basic eventin the PRA can represent a large number of plantequipment parts, including such items as the dieselmotor, oil pump, oil cooling fan, motor generator.Other components are. not included in PRA basicevents because their reliability is assumed to be highenough that their failure probability would have anegligible impact on the CDF and LERF. Therefore,

1.176-10

once the high safety-significant functions in a systefor which GQA is being implemented have beidentified, the plant equipment required to support thigh safety-significant functions must be identifi

, independently of the PRA basic event definitions.

An efficient format to identify this componeversus system function is a matrix that lists and cro.,references the high safety-significant system functioto all the components needed to support each functiiat the level of equipment specificity at which changin the application of QA controls will be pursueAlthough a matrix is not necessary, well-organizinformation to support the final deliberations andprovide a traceable record for future licensevaluations and for NRC inspections should coverhigh safety-significant system functions, all systecomponents that support the high safety-significafunctions, and all external system support functiorequired by any component. The licensee is to be atto describe technically how each issue was addressand resolved. Here are some examples that illustnareas of potential concern regarding the accuracy acompleteness of this information.

One component can directly support anothsystem's function. For example, some contalment sump recirculation valves are nominalassigned to the low-pressure injection system tdirectly support containment spray by providiithe recirculation flow path.

• Some instrumentation can belong to one systebut provide signals used in other systems, orused by the operators as a basis for proceduralizor unproceduralized actions. Instrumentation usto actuate and control system and plant functioneeds careful attention if grading of instrumenition is contemplated.

• Component failures could -lead to an initiatiievent such as loss of feedwater or losscomponent cooling water. Components whofailure could cause an initiating event shouldidentified in the matrix as being necessarysupport the normal operation function (e.g., aoperated feedwater control valves are requiredsupport feedwater at power).

Well organized and detailed information is alneeded to systematically propagate safety categoriztion through successive tiers of support systems nmodeled in the PRA. If systems are not graded in a todown sequence, it is particularly important that tlevaluation should include a traceable record of tipreviously assumed categorization of upper-tien

m functions requiring support from other systems.en Eventually, the categorization of all support functionshe should be consistent, e.g., the safety significance of theed functions requiring support in the upper-tiered system

corresponds to the relevant function in the supportsystem.

.ntss- 2.1.4 Safety-Significance Categorizationns of Componentson,es The final categorization of system functions andd. the components that support the high safety-significanted system function is selected by an integrated assessmentto of quantitative and qualitative risk insights asee described in Regulatory Position 2.3.allM The safety-significance categorization assigned tont components (and to support system functions that can bens treated as component functions for initial categoriza-Ple tion) is based on the safety significance of the functioned the component supports. Components that support onlytte low safety-significant functions should be classified lowrd safety significant. The safety significance of

components supporting high safety-significant func-tions need not always be high, but each such

ier categorization as low safety significant should ben- explicitly evaluated and documented and in conform-Ily ance with licensee-defined guidelines. Justification forlut categorizing a component's safety significance as lowng based on high reliability alone will not be acceptable,

because the high reliability may be the result of the QAcontrols applied. If it is not the quality controls that are

:im the cause of the high reliability, the justification shouldbe describe the source of the high reliability.eded 2.2 Demonstration of Conformance withns Safety Principlesta- .

Once the full set of low safety-significancecandidates has been identified, it is necessary to

ng demonstrate that the proposed changes to the QAof requirements for these candidates do not violate the,se safety principles. Guidelines for making: thatbe. demonstration with due consideration for the scope ofto the GQA program are summarized below. Otherir- equivalent guidelines are acceptable.to

GQA programs need to reflect the multiplicity ofcurrent regulations and programs to which some SSCsso are subject. For example, some SSCs may need to bea- excluded from certain reduced QA control categories ifot those SSCs are also governed by more stringentp- American Society of Mechanical Engineers (ASME)he Code provisions to meet the requirements of 10 CFRhe 50.55a. In such instances, the ASME Codeed requirements must be met.

1.176-11

, j I ; 1 1

2.2.1 Engineering Evaluation Guidelines

The engineering evaluation should assess whetherthe impact of the proposed change is consistent withthe defense-in-depth philosophy. An acceptable set ofguidelines for making that assessment is summarizedbelow. Other equivalent decision guidelines areacceptable.

* A reasonable balance among prevention of coredamage, prevention of containment failure, andconsequence mitigation is preserved.

" Over-reliance on programmatic activities tocompensate for weaknesses in plant design isavoided.

• System redundancy, independence, and diversityare preserved commensurate with the expectedfrequency and consequences of challenges to thesystem and uncertainties (e.g., no risk outliers).

Defenses against potential common cause failuresare preserved and the potential for introduction ofnew common cause failure mechanisms isassessed.

* Independence of barriers is not degraded.

* Defenses against human errors are preserved.

* The intent of the General Design Criteria inAppendix A to 10 CFR 50 is maintained.

The engineering evaluation should also assesswhether the impact of the proposed change isconsistent with the principle that sufficient safetymargins are maintained. An acceptable set ofguidelines for making that assessment is summarizedbelow. Other equivalent decision guidelines areacceptable.

" Codes and standards or alternatives approved foruse by the NRC are met.

" Safety analysis acceptance criteria in the licensingbasis (e.g., Final Safety Analysis Report (FSAR)and supporting analyses) are met, or proposedrevisions provide sufficient margin to account foranalysis and data uncertainty.

2.2.2 Guidelines for Defense In Depth and SafetyMargins

Defense in depth and safety margins are expectedto be addressed generally by considering thefollowing GQA program aspects.

* The GQA process will not result in changes to theplant configuration. Therefore, no existing* plantbarriers will be removed. Additionally, existingsystem redundancy, diversity, and independencewill be maintained.

I The GQA process will not result in changes to thetechnical requirements (e.g., design bases or

* operational parameters) associated with SSCs.

The resulting QA provisions will provide thenecessary level of assurance that low safety-significant, safety-related and high safety-significant, non-safety-related SSCs remain capableof performing their safety function.

The core damage frequency (CDF) and large earlyrelease frequency (LERF) figures of merit do not fullycover long-term containment overpressure protection.Functions credited in the PRA for long-termoverpressure protection, but which do not contain anySSCs with CDF or LERF based importance measuresabove the guideline values, should be identified andthe safety significance explicitly assigned. Forexample, the containment spray systems for PWRsmay not contribute to the prevention or mitigation ofcore damage or large early release.

An important factor to ensure that defense-in-depth and safety margin considerations are notdegraded during the implementation of GQA is controlof potential common mode failures. As discussed inRegulatory Position 2.1.2.1, groups of nominallyidentical SSCs, utilized in multiple systems throughoutthe plant, can as an aggregate have high safetysignificance.

Principle 4 in Regulatory Guide 1.174 (Ref. 3)states that any proposed increase in CDF and risk aresmall and are consistent with the intent of theCommission's Policy Statement (Ref. I). Although therisk impact of GQA changes on individual componentsis expected to be minimal, reduced QA oversight may beapplied to a large number of SSCs. It is recognized thatlimited data are available to define the impact of QAprograms on SSC reliability. Accordingly, the licenseeshould perform a bounding analysis in which the failurerates or probabilities for basic events representing SSCsthat may be subjected to reduced QA controls are set atsome increased level (chosen and justified by thelicensee). Alternatively, the licensee may choose toaddress the bounding analyses by modifying theuncertainty distributions in some manner (also chosenand justified by the licensee).

The bounding analysis should* include all SSCsmodeled in the PRA on which QA controls may .be

1.176-12

reduced in all systems that the licensee defines as beingwithin the scope of the GQA program. SSCs notmodeled in the PRA must be reviewed to verify thattheir failure will not impact any functions modeled inthe PRA. Any potential impact on systems modeled inthe PRA must be qualitatively addressed.

It is recognized that the categorization of SSCs for thebounding analysis will necessarily be an initialcategorization, most likely based on an evaluation ofbasic event importancemeasures augmented by a limiteddeterministic review. The purpose of such a study is notto estimate a new plant CDF and LERF, but to understandthe potential or bounding impact of the proposed changeand to assess the risk impact through boundingevaluations. The results should be compared to theacceptance guidelines in Regulatory Guide 1.174 andcontrasted with aspects of the. GQA programimplementation that are expected to provide anunquantifiable safety benefit. If, during the categori-zation process, it becomes apparent that the initialcategorization is modified to such an extent that thebounding results may be non-conservative (that is, SSCsthat were high during the bounding analysis are beingplaced in lower categories), a new bounding calculationshould be performed. If the original results are exceeded,the licensee should adjust the category of selected SSCscategorized or adjust the categorization criteria.

2.3 Integrated Assessment

Generally, the performance of, and integration of,the above described evaluations should be performedby a number of technically knowledgeable personnel.One acceptable approach to accomplish this function isto utilize a multi-disciplinary review group oftechnically proficient plant personnel, referred to hereas an expert panel.

If the integrated assessment function is performedby an expert panel, the expert panel determines safetysignificance and considers QA program adjustmentsfor SSCs accordingly. The panel would normallyinclude experienced representatives from variousdisciplines such as operations, maintenance, engineer-ing, safety analysis and licensing, and PRA. Thecomposition of the expert panel should be augmented,if necessary, to support the purpose of the safety-significance ranking and the grading of QA controls.For example, because of the emphasis on QAconsiderations in the GQA process, QA andprocurement engineering personnel may be assignedto the panel.

The expert panel is responsible for determining thesafety significance of the system functions and SSCs.The panel should evaluate traditional engineering,

probabilistic, and qualitative information availableregarding the systems and system functions within thedefined scope of the GQA program changes. Theevaluation should include either resolving orapproving the resolution of the quantitative, andqualitative issues addressed in Regulatory Positions2.1.2.1 and 2.1.2.2.

Safety significance may be determined usingguidelines related to prevention and mitigation of coredamage, as well as containment integrity and LERF.Factors such as potential common mode failures,human errors, defense in depth, the importance of plantequipment used for emergency preparedness and plantmonitoring functions, and the maintenance of safetymargins should also be fully considered.

3. ELEMENT 3: DEVELOP IMPLEMENTATIONAND MONITORINGSTRATEGIES

This section addresses the first, second, third andfifth principles for risk-informed decisionmaking. Theobjective of the GQA effort is to implement a GQAprogram that provides a reasonable level of confidencethat plant SSCs will be capable of performing theirintended functions. The extent of QA controls will bedetermined by the relative safety significance andsafety functions performed by the equipment to whichthose controls are applied. The licensee's revisedGQA program should specifically identify how thecriterion in Appendix B to 10 CFR Part 50 will besatisfied. The licensee may adjust the elements of theQA program as deemed necessary to provide areasonable level of confidence that the SSCs will becapable of performing their intended function. Thelicensee will demonstrate that the proposed program,in total, is sufficient to achieve this objective.

3.1 Grading of Quality Activities

The first step of the evaluation process is for thelicensee to identify specific elements of the QA programcontrols that will be adjusted for the set of plantequipment that is defined to be low safety significant.For example, a licensee may propose a change to itsverification practices and perform verifications bysampling. Additionally, the licensee should identify theapproach for evaluating the adequacy of QA controls fornon-safety-related SSCs determined to be high safetysignificant. Augmented quality controls will likely bewarranted for these items.

3.1.1 Regulations and Commitments

In accordance with the first principle, noexemptions from current regulations are expected to beneeded to implement a GQA program.

1.176-13

The licensee's QA program description should berevised to address GQA activities applicable to safety-related SSCs of low safety significance, including adiscussion of how the applicable requirements ofAppendix B to 10 CFR Part 50 will be satisfied for thatpart of the program in accordance with 10 CFR50.34(b)(6)(ii). This may be accomplished by adiscussion that identifies exceptions to applicableNRC regulatory guides and associated endorsedindustry standards or by including additional text thatdescribes how Appendix B will be satisfied (merely re-stating the Appendix B provisions will not beacceptable). The submittal should adequately describethe safety-significance determination process and theadjustments made. to the QA provisions associatedwith the 18 criteria of Appendix B to 10 CFR Part 50 todescribe how the requirements will be satisfied in agraded manner. While considerable flexibility may beexercised, the GQA program should be based onstandards of performance that are clear, definite, andenforceable.

Grading of QA activities will likely result inchanges that reduce QA program commitmentsrelating to SSCs of low safety significance. In thatevent, the NRC would expect the licensee to submit aQA program change to the NRC in accordance with10 CFR 50.54(a), as discussed further in this sectionand in Regulatory Position 4.

However, plant SSCs cannot be reclassified asnon-safety-related solely on risk considerations.Regulatory requirements in Section VI(a)(1) ofAppendix A to 10 CFR Part 100, 10 CFR 50.2,10CFR50.49(b)(l), and 10 CFR 50.65(b)(1) pre-scribe the criteria for determining which SSCs aresafety-related and are subject to the provisions ofAppendix B to 10 CFR Part 50. However, GQA doesallow for differences in QA controls for safety-relatedSSCs based upon their safety significance.

GQA programs should not result in either intendedor effective changes in the design, configuration, ortechnical requirements of plant systems. Such designor configuration changes would occur, for example, ifQA program reductions result in a loss of confidence ofthe SSC's ability to perform its safety function. Thelicensee should ensure that changes to technicalrequirements are only made in accordance withapplicable regulations.

Other regulations, such as the requirements of 10CFR Part 21, "Reporting of Defects and Noncompli-ance," including provisions related to basic compo-nents and commercial grade item dedication; 10 CFR50.55(a), "Codes and Standards"; and 10 CFR 50.36,

"Technical Specifications," remain in effect and maynot be changed by means of the GQA programdescription.

Licensee commitments regarding QA are ad-dressed in a number of documents, including theFSAR, the QA Topical Report; and other docketedcorrespondence (e.g., responses to generic communi-cations, inspection reports). Licensees are expected tomaintain control of their licensing bases. Accordingly,changes from current commitments to QA regulatoryguides that will be revised as part of the GQA programshould be identified, and the manner in which they arebeing changed should be documented, reviewed, andapproved as necessary by the NRC in accordance with10 CFR 50.54(a), as appropriate.

3.1.2 Grading of Quality Elements

After categorizing the system functions andsubsequently the SSCs into two or more safety-significance categories as described throughout thisregulatory guide, the licensee should apply appropriateQA controls for the various categories. This is acritical factor in achieving the goals of the GQAinitiative and is performed by an integratedassessment, for example, by an expert panel, asdiscussed in Regulatory Position 2.3.

For safety-related SSCs determined to be highsafety significant, or for safety-related SSCs that havenot yet been evaluated in accordance with the GQAprocess, the current QA practices contained in theNRC-approved QA program should be retained.

Licensees have the flexibility to define theprocesses used to achieve reasonable confidence inSSC performance commensurate with their safetysignificance. Therefore, the licensee may developreduced, or graded, quality assurance controls for thosesafety-related SSCs assigned to the low safety-significant category. Examples of areas in which thismay be possible are listed in Regulatory Position 3.2 ofthis regulatory guide. In proposing to reduce controls,two basic objectives should be kept in mind. These arethat the GQA program should be sufficient to ensurethe SSC's design integrity and ability to successfullyperform its safety function and that the GQA programshould include processes and documentation thatsupport an effective corrective action program asdiscussed in Regulatory Position 3.3.2. Accordingly,in reducing or enhancing the QA program for any SSC,the licensee must describe how the proposed changeswill achieve the objectives. Also, consideration shouldbe given to issues such as CCF, as discussed inRegulatory Position 2.2. K

1.176--14

It should be emphasized that a certain numberSSCs currently categorized as non-safety-relati(i.e., that have notpreviously been subjected toAppendix B QA program) may fall into the hil

) safety-significant category based on applicationthe methods described in this regulatory guikThese non-safety SSCs become important becauthe categorization of. safety-related SSCs as eithhigh safety significant or low safety significantderived either directly or indirectly from tflicensee's PRA or. from qualitative methods ticonsider the results of PRA when available.particular, PRA takes credit systematically for nosafety-related SSCs as (I) providing support to, (alternatives to, and (3) back-ups for safety-relatiSSCs. Thus, the categorization of safety-relatiSSCs as low safety significant depends upon tiproper operation and reliability attributed to nosafety-related SSCs as part of the safety-significandetermination process.

Licensees should evaluate whether augmentiQA practices are warranted for "high safetsignificant, non-safety-related" SSCs. The appliction of augmented controls provides reasonabconfidence that the reliability assumed in the rianalysis, or the associated qualitative decisionmakiiprocess, remains valid. Licensees may voluntariselect certain Appendix B QA program controls

2 augmented quality provisions. However, a licensmay determine that the amount of QA contrccurrently being applied to these high safetsignificant, non-safety-related SSCs are approprialIf there is reasonable assurance that the SSC wperform its intended function, there may be no needapply augmented QA. controls. The licensee shoube able to provide a documented basis concerning tladequacy of the QA controls applied to these hilsafety-significant, non-safety-related SSCs. T1discussion that QA controls will be applied to hilsafety-significant, non-safety-related SSCs, and t]delineation of the augmented quality controls thwill be applied to those SSCs must be documented Ithe licensee in the QA program. In the above manntrisk insights will be used in an integrated manneridentify areas in which improvements should Iimplemented.

If the PRA analysis assumed that certain noisafety-related SSCs would perform particular funtions under postulated design basis conditions (fexample, seismic, harsh environment, or fire), aMthese SSCs are categorized as high safety-significarthen GQA controls that address the equipmecharacteristics that support the credited functi(

I should be considered.

of 3.2 Potential Areas for Implementing GQAed Program Controlsangh Low safety-significant SSCs that are safety-of related, to which the QA program controls in Appendixle. B to 10 CFR Part 50 have previously been applied, arese candidates for grading subject to the guidanceier discussed earlier. In addition, for high safety-is significant SSCs that are non-safety-related, licenseehe evaluation should be performed to identify proposedLat augmented quality controls.Inn- Some areas that may be appropriate for applying2) GQA program controls for safety-related SSCs of lowed safety significance are discussed below. Therd functional areas discussed below are not all-inclusivehe and licensees may propose graded controls in othern- areas, provided it can be shown that the objectivesce discussed in Regulatory Position 3.1.2 are met. The

goal is to allow licensees flexibility to defineed acceptable QA controls that provide reasonable

confidence that the SSCs will perform their intendedy- functions. As discussed in Regulatory Position 3.3.2,a- the assignment of QA controls is dynamic in nature.le As part of the GQA process, it is necessary to considersk feedback information from the monitoring andng corrective action elements that may lead to a need toly reinstate controls that had been relaxed. Further detailsas of specific GQA practices that the staff has foundee3 acceptable for low safety-significant itemsIls are described in SECY-97-229, "Graded Quality

Y" Assurance/Probabilistic Risk Assessment.ill Implementation Plan for the South Texas Projecttol Electric Generating Station" (Ref. 5), the associated

Id licensee QA program change, and other documentshe referenced in the staff safety evaluation attached to

;h SECY-97-229.

egh When considering the application of GQAhe controls, the licensee should consider the essentialat elements of the process (such as the safety-significanceby determination, identification of GQA controls,.r, associated corrective action methods, and performanceto monitoring) to be high safety-significant activities thatbe are not subject to grading.

3.2.1 Procurement

c- Licensees may establish. less stringent QAor requirements for the procurement of low safety-id significant components than for high safety-It, significant components. In making these changes,nt licensees must consider requirements in 10 CFR Parton 21 and Appendix B to 10 CFR Part 50 and must

consider any still-current commitments based on the

1.176-15

use of withdrawn regulatory guides.2 Within thisarea, the technical requirements for commercialgrade item (CGI) dedication in accordance with 10CFR Part 21 (critical characteristics of an item for anapplication) are not subject to grading. However, forsafety-related items of low safety significance, theverification of critical characteristics may be graded(e.g, by reduced sampling plans or alternative testingtechniques). Other procurement-related activitiessuch as auditing, qualifying suppliers, and receiptinspection may also be graded. Licensees shouldconsider the role its procurement practices play inensuring the prevention of cross-system commoncause failures and implement the procurementactivities accordingly.

A licensee may choose to reduce currentcommitments regarding certificates of conformancethat are based upon regulatory guides that have beenwithdrawn. 2 The licensee would instead follow theguidance in sections 4.2.a, I 0.2.a through f, and 10.3.2in ANSI N45.2.13 (Ref. 6).

A licensee may choose to reduce commitments toANSI N45.2.13 (Ref. 6) regarding source verificationsand procurement program audits described in Sections7.2.1,7.3.1, 10.3. 1, and 12. The change of practices inthis area for low safety-significant items would beappropriate. However, licensee practices for receiptinspections, post-installation testing, and a compo-nent-level monitoring program will provide feedbackto identify any necessary corrective actions.

A licensee may reduce commitments associatedwith Regulatory Guide 1.38 (Ref. 7) and other(previously withdrawn) guides' and with ANSIN45.2.12 and N45.2.2 (Refs. 8 and 9) regarding theconduct of external supplier audits and supplierevaluations. For low safety-significant items, theexternal supplier audits could be done as deemednecessary on an unscheduled basis. The associatedsupplier evaluations could be done on a biennial basis.Overviews of suppliers will be based on performancemonitoring and trending of feedback from receiptinspections, post-installation tests and inspections, andplant operational results.

Licensees should also consider the results of theevaluations generated during the categorization

Several QA-related regulatory guides were withdrawn in 1991 because theANSI standards that they endorsed were incorporated into ANSI/ASMENQA-1-1983. "Quality Assurance Program Requirements for NuclearFacilities." The withdrawal of a regulatory guide does not alter any prioror existing licensee commitments based on the use of the withdrawnregulatory guides. At their discretion, licensees with prior or existingcommitments to withdrawn regulatory guides or standards may continueto implement those provisions, or revise their commitments to adopt theANSIIASME NQA-1-1983 standard.

process concerning the functions of SSCs, as they mayprovide useful insights for identifying criticalcharacteristics to be used during the dedication process

3.2.2 Inspections

The licensee may chose to reduce inspectionactivities related to low safety-significant SSCs andchoose to perform monitoring or surveillanceoversight to ensure that components can perform theirintended functions. Verifications by peer personnelmay be implemented for safety-related low safety-significant SSCs provided that the licensee usesindividuals who are qualified to do inspections andwho are independent from the actual performance ofthe work activity as discussed above. However, thesechanges cannot conflict with ASME Code-requiredinspections and examinations or other inspections andexaminations specified in NRC regulations (e.g., useof the Authorized Nuclear Inspector services).

The licensee may choose to reduce commitmentsto section 5.2.7 of ANS 3.2/ANSI N18.7 (Ref. 10) toperform post-work inspections for maintenance andmodification activities depending upon the complexityof the work. Post-work inspections would then beperformed for relatively complex maintenance andmodifications. Other verifications such as applicablesurveillance testing, receiving inspections, andinservice inspections would continue to be performedfor the low safety-significant item.

Licensees may propose to reduce their require-ments regarding personnel who'perform inspectionson low safety-significant items. Those inspectionpersonnel will need to be experienced, task-qualifiedjourneymen, or supervisors who did not perform ordirectly supervise the activity being inspected. Thesepersonnel will need to receive training in the qualityorganization's inspection procedures, processes, andmethods in accordance with a training programapproved by the quality organization. The qualityorganization will need to provide periodic oversight ofthese inspectors. This provision would also not beapplicable for staff who perform nondestructiveexaminations.

3.2.3 Records and Documentation

Documentation, such as procedures and design

packages, for low safety-significant SSCs niay be lessdetailed than for high safety-significant items. Inassessing the level of detail Specified in procedures oractual packages related to low safety-significant items,there should be enough evidentiary detail to maintainplant design and configuration control. Further,

1.176-16

sufficient records need to be maintained to evaluifailures, to perform root cause analyses, anddetermine appropriate corrective actions.

S 3.2.4 Audits

Processes and work associated with low safetsignificant SSCs may be audited less deeply and lefrequently than high safety-significant activititSurveillance, performance monitoring, self-asse.,ments, trend data, or other activities may in some casreplace formal audits in low safety-significant area,

3.2.5 Staff Training and QualificationRequirements

The licensees may establish different training a,qualification requirements for personnel performiitasks only on safety-related low safety-significaSSCs, however, those personnel would need to remssufficiently technically proficient in their assign,area of responsibility to provide reasonable confidenthat their tasks were adequately performed to ensuthat affected SSCs would be capable of performiltheir intended functions. The licensee must meet trequirements of the applicable regulations &technical specification requirements pertainingtraining programs and staff qualifications.

2 3.2.6 Corrective Action

The GQA effort will identify a population of lksafety-significant, safety-related items. In accordan.with Criterion XVI, "Corrective Action," of AppendB to 10 CFR Part 50, the timeliness of correcti,actions for these items can be prioritized commensrately with their safety significance.

3.2.7 Design

The licensee may choose to change selectcommitments to previously withdrawn regulatoguides' or ANSI Standard N45.2. 11 (Ref. 11) for Icsafety-significant items. These changes could relate(I) the need to consider all design input aspectsstated in Section 3.2 of ANSI N45.2.1 1, inste•replacing this need with the need to preparedocumented checklist for only these items deeminecessary; (2) the need to consider, and documewhen deemed necessary, the 19 design review iterdelineated in Section 6.3.1 of ANSI N45.2.1 I; and (the adoption of independent design verificati4provisions contained in section 6.1 of ANSI N45.2.'in lieu of the more restrictive position in previouswithdrawn regulatory guides.2 This would not obviathe need for inter-disciplinary design reviews.

kte 3.3 Integrated Performance Monitoring Processto

The implementation of an integrated performancemonitoring process is necessary to ensure that theobserved reliability and availability of SSCs followingimplementation of GQA remains consistent with the

ty- engineering evaluation developed to support thess categorization process. The elements of an effective

es. performance monitoring process are generally discussed;s- in Section 2.5 of Regulatory Guide 1.174 (Ref. 3).es

As discussed in this regulatory guide, GQAprograms do not follow in detail all the steps inherent inother risk-informed regulatory decisionmaking appli-cations as outlined in Regulatory Guide 1.174, becausemany of the SSCs of interest in GQA programs are not

nd modeled in the PRAs, and it may not be possible tong quantify the effects of changed QA programs on themt modeled SSCs' performance. For these reasons, atin larger portion of the decisionmaking is left to theed discretion and judgment of licensee personnel whoce perform the integrated assessment function (typicallyire an expert panel).nghe In the GQA program, the "operational feedback"rid and "corrective action" portions of the programto assume considerable importance, and their accept-

ability must be pivotal in the determination of theoverall program's acceptability and effectiveness.The licensee should develop criteria for monitoringthe reliability and availability of (i) safety-related,

iw low safety-significant and (2) non-safety-related,ce high safety-significant SSCs based upon risk insightslix developed during the safety-significance categoriza-ve tion process. The level of monitoring (e.g., SSC,u- train, system) should provide the capability to

determine whether and when the reliability andavailability of safety-related, low safety-significantand non-safety-related, high safety-significant SSCsdeteriorates to unacceptably low levels and should

r•d include trending aspects intended to identifyry deteriorating performance. As QA programs addressiw a broad spectrum of plant activities, the monitoringto process should address monitoring of both plantas hardware (SSCs) and the effectiveness of the processad and the organization.a

rd 3.3.1 Operational Feedback Process:ntns The GQA program should include a feedback3) process (which is generally performed by licenseeson irrespective of GQA) to evaluate plant and industryI I operational experience and the potential need to revisely SSC safety-significance categorizations or QAtte controls. Sources of information that should be used to

provide input to this feedback process include:

1.176-17

:" I l I " I . . . . . . .

Operating Experience: Sources of operatingexperience data include licensee performanceindicators, NRC generic communications, Insti-tute of Nuclear Power Operations (INPO) andElectric Power Research Institute (EPRI) designreliability data, Systematic Assessment of Lic-ensee Performance (SALP) reports, licensee eventreports (LERs), NRC inspection reports, equip-ment maintenance histories, plant performancereviews, reliability and unavailability data,equipment performance or condition trendingdata, and quality assurance assessments. Theindustry-wide data should be evaluated forconsistency with PRA assumptions, systemunavailabilities, and other plant-specific data.

Plant Modifications and SSC Replacements:Plant modifications, as well as SSC replacementsand parts thereof, might affect the safety-significance determination or selection of QAcontrols for low safety-significant SSCs. Accord-ingly, the GQA program should include provisionsto periodically review plant modifications withrespect to their potential impact on safety-significance determinations. Alternatively, thedesign change process may include provisions toverify that changes do not affect SSC safetysignificance or associated QA controls.

Reliability and Availability Monitoring: Thelicensee should develop a living PRA or defineperformance thresholds based on ensuring, to theextent possible, that the equipment performanceassumptions used in the PRA and upon which mostof the safety categorization is based remain valid.The staff expects that licensees will integrate, or atleast coordinate, their monitoring for risk-informed changes with existing programs formonitoring equipment performance and otheroperating experience on their site and throughoutthe industry. In particular, monitoring that isperformed as part of the Maintenance Ruleimplementation can be used when the monitoringperformed under the Maintenance Rule issufficient for the SSCs affected by GQA. As GQArequires monitoring of SSCs not included in theMaintenance Rule, or requires a greater resolutionof monitoring than the Maintenance Rule(component vs. train- or plant-level monitoring), itmay be advantageous for a licensee to adjust theMaintenance Rule monitoring program rather thanto develop additional monitoring programs forG UQA purposes. Section 2.3, "Element 3: DefineImplementation and Monitoring Program," of

.Regulatory Guide 1.174 provides amplifyingguidance in this area.

A program assessment, which could be accom-plished in conjunction with similar Maintenance Ruleprovisions, should be performed to ensure that theoverall GQA process (activities associated with safety-significance determination, grading of QA controls,.implementation of performance monitoring, andapplication of corrective actions) is being effectivelyimplemented and provides insights into whether theGQA program needs improvements. As part of theassessment, (I) plant deficiencies should be evaluated,and (2) the 'bases for (a) the safety-significancecategorizations (e.g.,.the PRA model and assumptions)and (b) the assignment of QA controls to each categoryshould be evaluated to determine whether theycontinue to reflect plant design and operatingpractices. This assessment should not be performed ina graded manner and should be considered to be ahigh safety-significant activity as it serves to confirmthe integrity of the GQA process implementation.

3.3.2 Corrective Actions

The licensee's GQA program should includecomprehensive and effective corrective action and rootcause analysis processes. Failures of safety-related,low safety-significant SSCs and non-safety-related,high safety-significant SSCs should be identifiedthrough operational feedback or trending processes sothat the licensee can ascertain whether the SSC'sunacceptable performance may be attributed todeficient QA controls or practices. Licensee correctiveaction or trending programs should identify anddetermine the apparent cause of failures of SSCs todetermine whether licensee-established performancecriteria or quality elements need to be changed. If thefailure is determined to apply generically to otherSSCs,.or the failure represents a potential commoncause concern for similar equipment installed inmultiple systems, or if an excessive number of failuresoccurs that exceed licensee-established thresholds,then further licensee evaluations are warranted. Anapparent cause determination is warranted to screenthe failures in order to ascertain the necessity toperform more in-depth evaluations.

The SSC risk-categorization methodology couldbe affected by the SSC reliability and unavailabilityassumptions. These assumptions also could affectfinal categorization decisions to the extent thatreliability and unavailability were used as a licenseecriterion for determining the safety significance of anSSC that fails or exhibits a declining performancetrend. Both the probabilistic and non-probabilisticmethods previously used should be re-evaluated whenthere is significant disparity between the analysisassumptions and the observed data. The GQA

1.176-18

program controls should be evaluated to determinewhether they need to be strengthened as a result of thefailures. Based upon positive performance monitoringresults, the licensee may further evaluate both safety-significance categorization and assignment of QAcontrols to identify situations in which they may befurther relaxed. Such changes would be evaluated andreviewed by the staff as necessary, as discussed inother sections of this guide.

When a safety-related SSC has been categorized aslow safety significant and, because of events such asplant modifications, reanalysis, or human errors, it isdetermined that the SSC should now be categorized ashigh safety significant, the licensee should takeappropriate corrective action and evaluate theacceptability of the GQA controls applied to the SSCwhile categorized as low safety significant. Thisevaluation should be documented and should addressthe impact, if any, on the SSC as a result of applyingGQA controls and should identify any GQA controlsthat need to be adjusted in order to provide assurancethat the SSC will perform its safety functions. Thelicensee should maintain documented justificationconcerning the adequacy of the GQA controls applied tothe SSC that is now categorized as high risk significant.

3.4 Change Control for ImplementingProcedures

The licensee QA program for GQA will provide ahigh-level characterization of the GQA programelements as further discussed in Regulatory Position4.1. As part of the implementation process for GQA, anumber of procedures will be developed by thelicensee for activities associated with elements of theGQA program. This would include procedures foraspects of the GQA program such as safety-significance determination, monitoring, workinggroup, and expert panel functions, as appropriate. Asthese procedures will be considering important aspectsof the GQA program that the staff will review, it isnecessary that the procedures have an appropriatechange control applied to them so the staff is informedof significant changes. Any procedure change thatimpacts on the QA program description must beassessed with respect to 10 CFR 50.54(a) (seeRegulatory Positions I and 3.1.1 of this guide). TheFSAR must incorporate by reference the GQAimplementing procedures so that procedure changeswill be controlled in accordance with 10 CFR 50.59.

4. ELEMENT 4: DOCUMENTATION

)J The recommended contents of a plant-specific,risk-informed GQA submittal are presented in this

section. The guidance is intended to help ensure the"completeness of the information provided and to aid inshortening the time needed for the review process.Additional guidance on style, composition, andspecifications of safety analysis reports is provided inthe Introduction of Revision 3 of Regulatory Guide1.70, "Standard Format and Content of Safety AnalysisReports for Nuclear Power Plants (LWR Edition)"(Ref. 12).

4.1 Licensee Submittal Documentation

To support the staff's conclusion that the proposedchange is consistent with the key principles of risk-informed regulation and NRC staff expectations, thefollowing information is expected to be submitted tothe NRC.

4.1.1 GQA Program Change

The licensee's existing QA program descriptioncontained in, or referenced by, the FSAR should berevised to describe the GQA program provisions. Thesubmittal containing the proposed GQA provisionsshould contain the following.

(1) A discussion of the essential implementationelements of the GQA program, the scope ofpotential SSCs that may be in the GQA program,and the basis for concluding that the overall GQAprogram provides reasonable confidence thatSSCs remain capable of performing their intendedfunction.

(2) An overview discussion of the process andguidelines developed by the licensee to determinethe safety-significance categorization of all SSCswithin the GQA program scope as defined in thisregulatory guide.

(3) A statement of the role of the staff who perform theintegrated assessment function (expert panel).

(4) The process for determining the QA controls beingapplied to each safety-significance category ofSSCs.

(5) A description of the adjustments proposed as partof the GQA program and how the requirements ofeach of the criterion of Appendix B to 10 CFR Part50 will be satisfied in a graded manner. Thedescription should identify any exceptions toexisting QA program commitments (such asregulatory guides).

1.176-19

(6) A discussion of how augmented QA controls fornon-safety-related SSCs categorized as high safetysignificant will be determined.

(7) A discussion of the operational feedback andenhanced corrective action mechanisms andprocesses to adjust both safety-significancecategorization of SSCs and the associated QAcontrols.

(8) A discussion of the performance monitoringprocess, along with the SSC functional perfor-mance and availability attributes that form thebasis of the proposed change.

4.1.2 Supplemental Information

In addition to the submittal of the QA programchange, the licensee should submit documentationthat, although not incorporated into the QA programitself, will be needed by the staff to help determine theacceptability of the program. These documents shouldinclude:

(I) A full set of the records and analyses related to thecategorization of one system. This documenta-tion should include all supporting informationdeveloped and used during the process, alldocumented deliberations and justificationsdeveloped by the relevant panels, and the resultsof the categorization for all SSCs in the system.The submitted information should only includedocumentation that the licensee intends tomaintain in support of future program changesand NRC inspections.

(2) Plant procedures and instructions that provide theprogrammatic guidance to the utility staff on theSSC categorization, monitoring, and feedback thatwill be implemented in support of the GQAprogram.

(3) The methodology, PRA change summary, andresults of the bounding analysis, augmented by adiscussion of the nonquantified aspects of theGQA program that are expected to provide a safetybenefit. The scope, in terms of systems included inthe bounding analysis, should be discussed. If thebounding analysis was performed on a limitednumber of systems, the systems should be clearlyidentified.

(4) A description of the licensee process to ensurePRA quality, a discussion as to why the PRA is ofsufficient quality to support the categorizationprocess, and the results of all peer or industryreviews of the PRA.

(5) Applicable documentation discussed in Section3.3, "Cumulative Risk," of Regulatory Guide1. 174 (Ref. 3).

(6) A description of how the proposed change impacts

any licensee commitments.

4.2 Plant Data and Engineering Evaluation

Licensees may submit the following informationas a separate document to support the proposed GQAsubmittal. This information should be available forstaff review at the licensee's offices.

4.2.1 Systems Pertinent to GQA

Summarize design and operating features ofsystems in which changes to the QA program areplanned, as well as systems supported by the systems inwhich changes to the QA program are planned. Foreach system, include a table summarizing the keydesign and operating data. Values that are used in theanalysis should be identified and justified. Refer toappendices or other documents (e.g., specific sectionsof the FSAR or design basis documents) as necessaryfor more details. Systems to be considered shouldinclude the pertinent portions of all systems modeled inthe plant-specific probabilistic analysis.

4.2.2 Status of SSCs

All SSCs whose QA program control is proposedto be changed should be listed and should include (at aminimum) the plant's SSC label, the current QAcategorization (by default all safety-related SSCs willinitially have a "high" QA categorization), theproposed QA categorization, associated correlationwith system functions, and a brief explanation of thejustification for the proposed change.

4.2.3 Plant Operating Experience

Summarize any major events involving failures ifthe occurrence was attributable to inadequate orimproperly applied QA controls at this plant. Includein this summary any lessons learned from these eventsand indicate actions taken to prevent or minimizerecurrence of the events.

4.2,4 Engineering Evaluation

The categorization process is considered anengineering analysis, and as such, the completedanalysis should be considered a quality record. Inaddition to the submittal documentation discussedin Regulatory Position 4.1, Regulatory Guide 1.174(Ref. 3) provides guidance on documentation that may

1.176-20

(6) A discussion of how augmented QA controls fornon-safety-related SSCs categorized as high safetysignificant will be determined.

(7) A discussion of the operational feedback andenhanced corrective action mechanisms andprocesses to adjust both safety-significancecategorization of SSCs and the associated QAcontrols.

(8) A discussion of the performance monitoringprocess, along with the SSC functional perfor-mance and availability attributes that form thebasis of the proposed change.

4.1.2 Supplemental Information

In addition to the submittal of the QA programchange, the licensee should submit documentationthat, although not incorporated into the QA programitself, will be needed by the staff to help determine theacceptability of the program. These documents shouldinclude:

(1) A full set of the records and analyses related to thecategorization of one system. This documenta-tion should include all supporting informationdeveloped and used during the process, alldocumented deliberations and justificationsdeveloped by the relevant panels, and the resultsof the categorization for all SSCs in the system.The submitted information should only includedocumentation that the licensee intends tomaintain in support of future program changesand NRC inspections.

(2) Plant procedures and instructions that provide theprogrammatic guidance to the utility staff on theSSC categorization, monitoring, and feedback thatwill be implemented in support of the GQAprogram.

(3) The methodology, PRA change summary, andresults of the bounding analysis, augmented by adiscussion of the nonquantified aspects of theGQA program that are expected to provide a safetybenefit. The scope, in terms of systems included inthe bounding analysis, should be discussed. If thebounding analysis was performed on a limitednumber of systems, the systems should be clearlyidentified.

(4) A description of the licensee process to ensurePRA quality, a discussion as to why the PRA is ofsufficient quality to support the categorizationprocess, and the results of all peer or industryreviews of the PRA.

(5) Applicable documentation discussed in Section3.3, "Cumulative Risk," of Regulatory Guide1.174 (Ref. 3).

(6) A description of how the proposed change impacts

any licensee commitments.

4.2 Plant Data and Engineering Evaluation

Licensees may submit the following informationas a separate document to support the proposed GQAsubmittal. This information should be available forstaff review at the licensee's offices.

4.2.1 Systems Pertinent to GQA

Summarize design and operating features ofsystems in which changes to the QA program areplanned, as well as systems supported by the systems inwhich changes to the QA program are planned. Foreach system, include a table summarizing the keydesign and operating data. Values that are used in theanalysis should be identified and justified. Refer toappendices or other documents (e.g., specific sectionsof the FSAR or design basis documents) as necessaryfor more details. Systems to be considered shouldinclude the pertinent portions of all systems modeled inthe plant-specific probabilistic analysis.

4.2.2 Status of SSCs

All SSCs whose QA program control is proposedto be changed should be listed and should include (at aminimum) the plant's SSC label, the current QAcategorization (by default all safety-related SSCs willinitially have a "high" QA categorization), theproposed QA categorization, associated correlationwith system functions, and a brief explanation of thejustification for the proposed change.

4.2.3 Plant Operating Experience

Summarize any major events involving failures ifthe occurrence was attributable to inadequate orimproperly applied QA controls at this plant. Includein this summary any lessons learned from these eventsand indicate actions taken to prevent or minimizerecurrence of the events.

4.2.4 Engineering Evaluation

The categorization process is considered anengineering analysis, and as such, the completedanalysis should be considered a quality record. Inaddition to the submittal documentation discussedin Regulatory Position 4.1, Regulatory Guide 1.174(Ref. 3) provides guidance on documentation that may

176-20

be required to support a risk-informed application.The licensee should review the guidance in RegulatoryGuide 1. 174 and either develop the documentation orensure that sufficient material is available that thedocumentation can be developed if requested.Additional documentation that should be available ifrequested includes:

Documentation describing the methods andtechniques used for developing quantitative andqualitative risk insights used to support the safety-significance categorization of SSCs.

* Documentation corresponding to the sampledocument submitted (described in (1) in Regula-

tory Position 4.1.2) for all systems that havebeen categorized.A description of how the importance measureswere calculated and used (including the guidelinesto categorize if applicable). This informationshould be augmented by technical description onhow the limitations associated with the use ofimportance measures were communicated to theexpert panel and resolved.

" Important assumptions, including SSC functionalcapabilities and performance attributes, that play akey role in supporting the acceptability of the QAprogram change and that are used in themonitoring and feedback program.

1.176-21

"-.5. *"1""

REFERENCES

1. USNRC, "Use of Probabilistic Risk AssessmentMethods in Nuclear Activities: Final PolicyStatement," Federal Register, Vol. 60, p. 42622(60 FR 42622), August 16, 1995.

2. "Development of Graded Quality AssuranceMethodology," SECY-95-059, March 10, 1995.'

3. USNRC, "An Approach for Using ProbabilisticRisk Assessment in Risk-Informed Decisions onPlant-Specific Changes to the Licensing Basis,"Regulatory Guide 1.174, July 1998.2

4. Letter from James L.Milhoan (NRC) to WilliamRasin (Nuclear Energy Institute), June 15, 1994.'

5. "Graded Quality Assurance/Probabilistic RiskAssessment Implementation Plan for the SouthTexas Project Electric Generating Station,"SECY-97-229, October 6, 1997.'

1 Copies are available for inspection or copying for a fee front the NRCPublic Document Room at 2120 L Street NW., Washington. Dr thePDR's mailing address is Mail Stop LL-6, Washington, DC 20555;telephone (202)634-3273; fax (202)634-3343.

2 Singje copies of regulatory guides, both active and draft, and draftNUREG documents may be obtained free of charge by writing theReproduction and Distribution Services Section, OCO, USNRC.Washington. DC 20555-000l, or by fax to (301)415-2289, orby email toGRWI@NRC.GOV. Active guides may also be purchased from theNational Technical Information Service on a standing order basis. Detailson this service may be obtained by writing NTIS. 5285 Port Royal Road.Springfield. VA 22161. Copies of active and draft guides amw available forinspection or copying for a fee from the NRC Public Document Room at2120 L Street NW., Washington. DC; the PDR's mailing address is MailStop LL-6A Washington, DC 20555; telephone (202)634-3273; fax(202)634-3343.

6. American National Standards Institute (ANSI),"Quality Assurance Requirements for Control ofProcurement of Items and Services for NuclearPower Plants," N45.2.13, published by theAmerican Society of Mechanical Engineers, 1976.

7. USNRC, "Quality Assurance Requirements forPackaging, Shipping, Receiving, Storage, andHandling of Items for Water-Cooled NuclearPower Plants," Regulatory Guide 1.38, Revision 2,May 1977.'

8. ANSI, "Requirements for Auditing of QualityAssurance Programs for Nuclear Power Plants,"ANSI N45.2.12, 1977.

9. ANSI, "Packaging, Shipping, Receiving, Storageand Handling of Items for Nuclear Power Plants(During the Construction Phase)," ANSI N45.2.2,1972.

10. American Nuclear Society (ANS), "Administra-tive Controls and Quality Assurance for theOperational Phase of Nuclear Power Plants," ANS3.2/ANSI 18.7, American Nuclear Society, 1976.

11. ANSI, "Quality Assurance Requirements for theDesign of Nuclear Power Plants," ANSI N45.2.11,1974.

12. USNRC, "Standard Format and Content of SafetyAnalysis Reports for Nuclear Power Plants (LWREdition)," Regulatory Guide 1.70, Revision 2,November 1978.2

K,

K

1.176-22

REGULATORY ANALYSIS

A draft regulatory analysis was published with the draft of this guide, DG-1064,when it was issued for public comment in June 1997. No significant changes werenecessary from the original draft, so a separate value/impact statement for this finalRegulatory Guide 1.176 has not been prepared. A copy of the draft regulatoryanalysis is available for inspection or copying for a fee in the Commission's PublicDocument Room at 2120 L Street NW, Washington, DC, under Task DG-I 064.

Federal Recycling Program

1.176-23

i A .

-1 -/

UNITED STATESNUCLEAR REGULATORY COMMISSION

WASHINGTON, DC 20555-0001

FIRST CLASS MAILPOSTAGE AND FEES PAID

USNRCPERMIT NO. 0-67

OFFICIAL BUSINESSPENALTY FOR PRIVATE USE, $300