Excerpt from NRC Inspection Report calling EOOS implementation "superior"
M1.5 Plant Safety Assessments Before Taking Equipment Out-of-Service
a. Inspection Scope (62706)
Paragraph (a)(3) of the Maintenance Rule states that the total impact of maintenance activities on plant safety should be taken into account before taking equipment out-of-service for monitoring or preventive maintenance. The inspectors reviewed the licensee's procedures and discussed the process with the Maintenance Rule coordinator, the reliability engineers, the expert panel members, plant operators, system schedulers, and work week supervisors.
b. Observations and Findings
The licensee imposed the requirement to assess the impact on plant safety when removing equipment from service through corporate policy. The policy stated that qualitative and quantitative reviews were required on proposed work schedules to verify that the scheduled activities did not present unacceptable risk to either personnel or plant safety. Administrative Procedure PLG-009-007, "Routine Scheduling of Station Activities," Revision 4, addressed the process for considering safety impact of on-line maintenance activities. This procedure provided guidance on qualitative and quantitative analyses of risk impact on the plant when removing equipment from service. Quantitative analysis of risk associated with on-line maintenance activities was accomplished using the equipment out-of-service monitor, which was a software code for calculating core damage frequency estimates of equipment outage configurations. Administrative Procedure PLG-009-014, "Conduct of Planned Outages," Revision 2, provided guidance for evaluating shutdown risk during plant refueling outages.
In September 1996, the equipment out-of-service monitor was installed in the control room as an advisory tool for operations personnel to evaluate the risk impact of changing plant configuration to support maintenance. The familiarity and use of the equipment out-of-service monitor were part of required initial and continuing training for senior reactor operators and shift technical advisors. The equipment out-of-service monitor in concert with Administrative Procedure PLG-009-007 provided backshift operations personnel with a method to assess the change in risk associated with emergent work or equipment failure, and determine if ongoing tasks should be postponed.
The equipment out-of-service monitor used four risk levels of green, yellow, orange, and red, ranging from a baseline Plant Safety Index of 10 to zero, to identify safety impact. The orange condition indicated a high risk level and senior management approval was required before voluntarily entering into the condition. Voluntary entry into the red condition was prohibited. Interviews with various operations staff personnel reflected a conservative approach to the removal of equipment from service during power operation.
The inspectors noted that a truncation level of 1E-7 was used in the equipment out-of-service monitor to speed up the risk calculations of various configurations. Additionally, the probabilistic risk assessment model implemented in the equipment out-of-service monitor was modularized such that single basic events on the same train were modularized into a supercomponent event, and each calculation was a full requantification of the risk model.
The inspectors interviewed scheduling personnel to evaluate the process of assessing risk associated with the maintenance work activities scheduled in the 12-week rolling schedule. Equipment out-of-service monitor risk assessments on the scheduled activities (frozen 10 days prior to the work implementation week) were provided to work week supervisors for making decisions on changes to the work schedule if high risk configurations were encountered. A licensee representative indicated that the probabilistic risk assessment group would be requested to validate equipment out-of-service calculations to assure consistency and adequacy of the risk results for scheduling plant activities. The licensee also used the outage risk assessment management code to evaluate the risk of plant configurations during outages.
The inspectors reviewed the control room operator logs to identify risk-significant "time windows" in which several structures, systems, and components were concurrently out-of-service. The inspectors identified time windows on September 4, December 4 and 5, 1996, where four or more structures, systems, or components were out-of-service concurrently. The licensee performed risk-profile calculations of the identified equipment-outage configurations using the equipment out-of-service monitor. The equipment-outage configuration on December 4, 1996, involving Technical Specification-required surveillance on the Component Cooling Fans 10A, 11A, and 12A, and Auxiliary Component Cooling Water Pump A, resulted in an index value of 8.1 (orange condition). However, the duration of the outage configuration was only 1/2 hour. The inspectors determined that there was no unacceptable risk due to changed configurations during the sampled time periods.
c. Conclusions for Safety Assessments
The inspectors determined that the licensee's process for the assessment of the safety impact of removing structures, systems, and components from service for monitoring and preventive maintenance was superior to manual and qualitative methods.