Maintenance Rule (a)(4) Experience

Leo ShanleyMay 26, 2011

10CFR 50.65(a)(4)

• “Before performing maintenance activities (including but not limited to surveillance, post-maintenance testing, corrective and preventive maintenance), the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities.”

2

Assessing Risk – Use Risk Monitor

• Applies in all modes – outage and online• Assessing risk means evaluating conditions to

determine a risk levelQuantitative – CDF/LERF (delta or as Risk

Increase Factor -- RIF); CDP/LERP; ICCDP/ICLERP

Qualitative – Defense-in-Depth• Safety Functions (SF)• Plant Transients (PT)

External conditions (Weather, Grid, etc.) Risk level typically represented as colors

• 4 color system: G/Y/O/R• 3 color system: G/Y/R or G/O/R

3

Managing Risk – Apply Actions

• Means applying Risk Management Actions (RMA) beyond normal work controls

• Actions commensurate with risk level and conditions – some examples include: Communicating risk conditions to personnel Identifying and protecting mitigating equipment Creating contingency plans or temporary

proceduresMinimizing time in configuration (e.g., work

around the clock) Stationing operators near key equipment

4

Risk-Informed Configuration Risk Management

5

10 CFR 50.65 (a)(4)Guidance:

NUMARC 93-01NUMARC 91-06

Site Procedures

Qualitative Tools:

• SFATs

• PTATs

Quantitative Tools:

• CDF/CDP

• LERF/LERP

Blended

Decision-making

Process

PARAGON

Capabilities

Regulatory/

Programmatic

Considerations

Optimized

Process

What is PARAGON®? - Risk Monitor

Developed by ERIN Engineering and Research, Inc.

Designed for use by Work Planning, Operations, and Risk Management personnel

Applies in all modes - Outage and Online

Analysis customized for each plant/unit

Equipment outages, internal/external conditions, etc.

Provides qualitative measure of safety Decision Trees (e.g., Safety Functions, Transients)

Provides quantitative measure of risk – PRA

Interface with plant scheduling tool

6

PARAGON Flow

8

• Configurations/ Equipment Availabilities set for Plant Variables in Schedule

• System Dependencies Captured in Fault Trees

• Color Levels Portray Relative Safety Levels

• Results Tracing

• What-Ifs Performed

EDG A

EDG B

FT EDG A

FT Bus B

SafetyFunction

G O R GY

PARAGON Qualitative Calculation

9

Typical PARAGON Blended CRM Model

10

Online OutageQuantitative Qualitative Quantitative Qualitative

Internal Events PRA • CDF/LERF• Cumulative • RIS/RTS Lists

Graphs/Profiles

Defense-in-Depth• Safety Functions• Plant Transients• Support Systems• RIS/RTS Lists

Guidance

Shutdown PRA/PSSA• CDF/RCS Boiling

Frequency/LERF• Cumulative• RIS/RTS Lists

Thermal-Hydraulic Calcs• Decay Heat Level• Time-To-Boil• Time-To-Core

Damage Graphs/Profiles

Defense-in-Depth• Safety Functions• Support Systems• RIS/RTS Lists• Other

Guidance

Qualitative Risk - Safety Functions

Evaluate safety in terms of Defense in Depth for Key Plant Safety Functions

Defense in Depth measured in terms of number and types of available systems/trains

Colors used to define level of safety for the configuration

Colors also determine the response to the configuration (e.g., normal controls, contingency plans)

11

Typical Online Safety Functions

BWR

» Containment Pressure Control / Secondary Containment

» Heat Removal» Pressure Control» Reactivity Control» High Pressure Injection» Low Pressure Injection» Electric Power» Service Water

PWR

» Containment Integrity» Core Cooling» Heat Sink» RCS Integrity» Reactivity Control» Inventory Control» Electric Power» Service Water /

Component Cooling

12

Qualitative - Online Plant Transients

Event-based qualitative assessments Important PRA initiating events or initiator

groups Measures the Defense in Depth of mitigation

systems for the specific initiator(s) Incorporates increased likelihood of events

(Higher Risk Evolutions - HRE) Colors used to represent risk level

13

Typical Online Plant Transients

BWR

» Loss of Offsite Power» Reactor / Turbine Trip» ATWS» LOCA» Loss of FW

PWR

» Loss of Offsite Power» Reactor / Turbine Trip» LOCA» Loss of Specific

Support System(s)

14

Safety Function Assessment• Degree of Defense In Depth

Plant Transient Assessment• Susceptibility to Plant Transient or

High Risk Evolution (HRE)• Combination of Transient Potential and/or

Safety Function Degradation

Probabilistic Assessment• CDF & LERF • Thresholds Based On Relative Risk Increase

Factor (RIF)• Cumulative Risk

Decision Basis:

“Blending” the Risk Assessment

15

Defense-in-Depth Limits (typical)

16

Red

Green

Yellow

Orange

>N+2

N+1

N

< N

Equipment Availability

(N = Minimum Equipment Required for each Safety Function or Plant Transient)

Risk Limit Color

Risk Management

17

COLOR CONSIDERATIONS

GREEN - Preserve operable equipment to the extent possible - Manage spatial issues that have the potential to impact defense- in-depth (preserve DID) - Consider small cumulative impacts of maintenance activities

YELLOW

- Correct the cause as soon as practical by considering the time in the configuration and resources available - Assess the return to service of selected equipment and return to service as soon as practical - Protect risk significant equipment - Employ a “return to GREEN” mindset

ORANGE

- Requires senior management review and approval prior to entering this condition - Minimize exposure using return to service priorities - Work around the clock - Develop and implement contingency actions - Protect risk significant equipment

RED - Never plan to enter “Red” if at all avoidable - Minimize the time in “Red” – transition to Orange/Yellow/Green - Extreme care should be taken to avoid trips or plant disturbances - Active monitoring of all Maintenance/I&C/Operations activities - Implement Contingencies

PARAGON Views -Synchronized Schedule/Results

• Risk Profile vs. Time

• Includes all defined assessments

• Overall Status is customized to plant processes

• Synchronized with Schedule View

• Traceable to underlying results by double-clicking on the desired result

18

PARAGON Views –Operators Panel

Shows status and results for a single ‘time slice’

Based on schedule and/or actual plant status, with what-if capability

Quantitative risk can be the actual value or a ratio compared to baseline (i.e., risk increase factor)

Traceable to underlying results by double-clicking on the desired result

Can be customized (e.g., different for online and outage)

19

Tabs and button not in default plant condition are highlighted. Status of button/contributor can be changed.

Status of plant displayed in tabs for equipment, configurations and higher risk evolutions.

Perform and save “Whatif” or analyze PRA for existing configuration.

Return-to-service, remain-in-service, guidance and current activities relevant to the current configuration readily available.

Up to seven overall status buttons can be displayed. Basis for the color and values of buttons user-definable.

Results of PRA, decision trees and group variables readily available and can traceable through contributing logic.

Tabs and button not in default plant condition are highlighted. Status of button/contributor can be changed.

Status of plant displayed in tabs for equipment, configurations and higher risk evolutions.

Perform and save “Whatif” or analyze PRA for existing configuration.

Return-to-service, remain-in-service, guidance and current activities relevant to the current configuration readily available.

Up to seven overall status buttons can be displayed. Basis for the color and values of buttons user-definable.

Results of PRA, decision trees and group variables readily available and can traceable through contributing logic.

PARAGON Views –Safety Function Decision Tree Result

20

Qualitative Result path is

highlighted in output color.

21

The Guidance View shows the

guidance and the technical basis

Configuration-Specific Guidance

Remain In Service (RIS) and Return to Service (RTS)

RIS answers the question: What risk color would the plant be in if additional equipment were unavailable? Qualitative – Overall or individual safety

functions/plant transients PRA – CDF, LERF, internal, fire, etc. PARAGON provides a ranked list, that can be

used to identify protected equipment

RTS answers the question: What risk color will result if I make equipment available? Same capabilities and flexibility as RIS

24

Remain In Service (RIS)

25

Cumulative Risk Calculation

ICDP and ICLERP calculations performed for each component unavailability window, including effect of other coincident unavailable components

26

RITS 4b Calculations

27

Calculates time to reach RMA and RICT thresholds based on ICDP and ICLERP

Provides date and time that thresholds are reached

Calculates incremental probabilities at the back stop

Can extrapolate based on last configuration or calculate based on proposed schedule

Online Examples - PWR

28

Components CDF RIF LERF RIF PRA SF PT Overall

Nuclear SW Pump 1B 1.0 1.1 G G Y Y

MD EFW Pumps A and B 4.7 6.0 Y Y Y Y

Inverters A and C 1.2 1.1 G G G G

SBO DG 1.3 1.0 G G Y Y

EDG 1A and SBO DG 9.3 2.7 Y Y O O

DH P1A 3.7 2.5 Y O O O

RB Spray Pump A 1.0 1.0 G Y G Y

RB Spray Pump A and B 1.0 1.0 G O G O

TD EFW Pump 1.3 1.3 G G Y Y

TD EFW Pump with LOOP Potential (HRE) 1.3 1.3 G G O O

Fire Pump 1 1.8 1.5 G G G G

Fire Pump 1 w/Loss of RW Potential (HRE) 1.8 1.5 G G Y Y

Online Examples - BWR

29

Components CDF RIF LERF RIF PRA SF PT Overall

DG 0 1.5 1.2 G Y Y Y

DG SW Pump 0 5.7 2.8 Y Y Y Y

MDFW Pump and RCIC 1.8 1.4 G O Y O

DG 1A and RHR Pump 1B 5.5 2.7 Y Y Y Y

DG 1A and RHR Pump 1C 1.1 1.1 G Y G Y

DG 1A and RHR Pump 1B and 1C 7.3 3.5 Y Y Y Y

LPCS, Service Water Pumps 0, 1A and 1B 1.6 1.1 G Y Y Y

SBLC Pumps 1A and 1B 2.3 6.2 Y O Y O

U1 SBGT 1.0 1.0 G Y G Y

U1 and U2 SBGT 1.0 1.0 G R G R

SAC 0 and 1A 1.0 1.0 G G O O

SAC 0 and 1A with B/U Compressor Avail 1.0 1.0 G G Y Y

External Events

PARAGON is capable of implementing any method from NUMARC 93-01, [Draft] Rev. 4 for assessing and managing fire risk Determine change or cumulative CDF separately

from internal events CDF Determine change or cumulative CDF based on

aggregate of fire and internal events CDF Evaluate impact on individual fire scenarios with

equipment OOS and provide qualitative results Provide guidance for managing risk

PARAGON can include any additional number of external events in either qualitative or quantitative assessments

30

Conclusions

Online risk monitors are capable of assessing the risk associated with single or multiple components unavailable, including the impact of activities that increase the likelihood of an initiating event

Online risk monitors can incorporate external events risk (to varying degrees)

The Blended Approach to risk assessment and management takes into account Defense in Depth, which can provide additional insights beyond PRA results

32