August REGULATORY GUIDE - Nuclear Regulatory Commission · nuclear industry have recognized that PRA has evolved to the point that it may be used as a tool in regulatory decisionmaking

U.S. NUCLEAR REGULATORY COMMISSION August 1998

REGULATORY GUIDEOFFICE OF NUCLEAR REGULATORY RESEARCH

REGULATORY GUIDE 1.176(Draft was issued as DG-1064)

AN APPROACH FOR PLANT-SPECIFIC, RISK-INFORMEDDECISIONMAKING: GRADED QUALITY ASSURANCE

A. INTRODUCTION

Background

The NRC has established deterministic criteria fordetermining which commercial nuclear power plantequipment is considered safety-related (see Section50.2, "Definitions," of 10 CFR Part 50, "DomesticLicensing of Production and Utilization Facilities";Appendix A, "Seismic and Geologic Siting Criteria forNuclear Power Plants," to 10 CFR Part 100, "ReactorSite Criteria"; Section 50.65, "Requirements forMonitoring the Effectiveness of Maintenance atNuclear Power Plants," of 10 CFR Part 50; and Section50.49, "Environmental Qualification of ElectricEquipment Important to Safety for Nuclear PowerPlants," of 10 CFR Part 50). Because of the importanceof the safety-related equipment to protecting publichealth and safety, the NRC has additionally requiredthat a quality assurance (QA) program (described inAppendix B, "Quality Assurance Criteria for NuclearPower Plants and Fuel Reprocessing Plants," to 10CFR Part 50) be applied to all activities affecting thesafety-related functions of that equipment. The overallpurpose of the QA program is to establish a set ofsystematic and planned actions that are necessary toprovide adequate confidence that safety-related plant

equipment will perform satisfactorily in service. Therequirements delineated in Appendix B to 10 CFR Part50 recognize that QA program controls should beapplied in a manner consistent with the importance tosafety of the associated plant equipment. In the past,engineering judgment provided the general mecha-nism to determine the relative importance to safety ofplant equipment.

In recognition of advances made in the state of theart in the probabilistic risk assessment (PRA)technology area, the NRC has made the decision toexpand the use of PRA in the regulatory process. PRAprovides insights that may be utilized by licensees tosupport the determination of the relative safetysignificance of plant equipment. The probabilisticinsights help identify low safety-significant structures,systems, and components (SSCs) that are candidatesfor reductions in QA treatment. The end result of thisprocess could be that licensees would have plantequipment that is categorized as safety-related andhigh safety-significant; safety-related and low safety-significant; non-safety-related and high safety-significant; and non-safety-related and lowsafety-significant. Grading of QA controls would varycommensurate with these categorizations. Thisregulatory guide provides guidance that could be used

USNRC REGULATORY GUIDES

Regulatory Guides are issued to describe and make available to the public such informa-tion as methods acceptable to the NRC staff for implementing specific parts of theCommission's regulations, techniques used by the staff in evaluating specific problems orpostulated accidents, and data needed by the NRC staff in its review of applications forpermits and licenses. Regulatory guides are not substitutes for regulations, and compli-ance with them is not required. Methods and solutions different from those set out in theguides will be acceptable if they provide a basis for the findings requisite to the issuance ofcontinuance of a permit or license by the Commission.

This guide was issued after consideration of comments received from the public. Com-ments and suggestions for improvements in these guides are encouraged at all times, andguides will be revised, as appropriate, to accommodate comments and to reflect new infor-mation or experience.

Written comments may be submitted to the Rules Review and Directives Branch, ADM,U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.

The guides are issued in the following ten broad divisions:

1. Power Reactors2. Research and Test reactors3. Fuels and Materials Facilities4. Environmental and Siting5. Materials and Plant Protection

6. Products7. Transportation8. Occupational Health9. Antitrust and Financial Review

10. General

Single copies of regulatory guides may be obtained free of charge by writing the Reproduc-tion and Distribution Services Section, Office of the Chief Information Officer, U.S. NuclearRegulatory Commission, Washington, DC 20555-0001; or by fax at (310)415-2289; or bye-mail to GRW1 @ NRC.GOV.

Issued guides may also be purchased from the National Technical Information Service ona standing order basis. Details on this service may be obtained by writing NTIS, 5285 PortRoyal Road, Springfield, VA 22161.

by licensees both to determine the relative safetysignificance of plant equipment and to adjust theapplication of QA controls accordingly.

Requirements related to QA programs for nuclearpower plants are set forth in Appendix B to 10 CFRPart 50. The general requirements contained inAppendix B are supplemented by industry standardsand NRC regulatory guides that describe specificpractices that have been found acceptable by theindustry and the NRC staff. Although both AppendixB and the associated industry standards allow a largedegree of flexibility, the licensees and the NRC staffhave been reluctant to make major changes inestablished QA practices. Recently, however, changesin the nuclear industry have resulted in numerousproposals to revise QA practices. These changesinclude the completion of construction projects,establishment of programs related to plant operationsand maintenance, maturation of licensee programs andpersonnel, and increased pressures to control plantoperating costs.

The information collections contained in thisregulatory guide are covered by the requirements of 10CFR Part 50, which were approved by the Office ofManagement and Budget, approval number 3150-0011. The NRC may not conduct or sponsor, and aperson is not required to respond to, a collection ofinformation unless it displays a currently valid OMBcontrol number.

B. DISCUSSION

During the last several years, both the NRC and thenuclear industry have recognized that PRA hasevolved to the point that it may be used as a tool inregulatory decisionmaking so that the regulations canbe implemented more effectively. In 1995, the NRCissued a final policy statement on the use of PRAmethods in nuclear regulatory activities (Ref. I ). In itsapproval of the policy statement, the Commissionarticulated its expectation that:

" The use of PRA technology should beincreased in all regulatory matters to theextent supported by the state of the art inPRA methods and data and in a mannerthat complements the NRC's deterministicapproach and supports the NRC's tradi-tional defense-in-depth philosophy.

* PRA and associated analyses (e.g.,bounding analyses, uncertainty analyses,and importance measures) should be usedin regulatory matters, where practical

within the bounds of the state of the art, toreduce unnecessary conservatism associ-ated with current regulatory requirements,regulatory guides, license commitments,and staff practices. When appropriate,PRA should be used to support theproposal of additional regulatory require-ments in accordance with 10 CFR 50.109(backfit rule). Appropriate procedures forincluding PRA in the process for changingregulatory requirements should be devel-oped and followed. It is, of course,understood that the intent of this policy isthat existing rules and regulations will becomplied with unless these rules andregulations are revised.

" PRA evaluations in support of regulatorydecisions should be as realistic aspracticable, and appropriate supportingdata should be publicly available forreview.

* The Commission's safety goals for nuclearpower plants and subsidiary numericalobjectives are to be used with appropriateconsideration of uncertainties in makingregulatory judgments on the need forproposing and backfitting new genericrequirements on nuclear power plantlicensees.

The staff's review of 10 CFR Part 50 indicates thatthe option of applying QA measures in a mannercommensurate with safety significance is clearlyavailable to licensees. That is, no exemptions fromcurrent regulations are expected to be needed toimplement a graded quality assurance (GQA)program. The implementing industry QA standards(which licensees have committed to implement tofulfill the requirements of Appendix B) also containgeneral provisions for applying QA using a gradedapproach. However, when implementing suchchanges, licensees may need to submit a revisedQA program to the staff pursuant to 10 CFR 50.54(a).

Purpose and Scope

In this guide the staff describes an acceptableapproach for identifying the safety significance ofSSCs and assigning QA controls accordingly to ensurethat QA requirements are being graded commensuratewith safety. This regulatory guide contains guidanceon modifying current QA program controls based onthe safety categorization of the SSCs. This regulatoryguide also describes acceptable approaches for

1.176-2

monitoring the effectiveness of the GQA programimplementation and for determining when it may benecessary to make adjustments in QA practices andsafety-significance categorizations to ensure that SSCsremain capable of performing their intended functions.The guide also delineates the principles for risk-informed decisionmaking, or guiding features, of aGQA program that need to be dealt with by a licensee.In some cases, rather than articulating a prescriptivemethod that must be implemented by a licensee tofulfill these principles (or their subsidiary issues) forGQA, the staff has chosen to identify those issues thatmust be evaluated, and documented, by licensees whenformulating their particular approach to GQA. Thus,the burden would fall on the licensee to be able toinform the staff how the issues were addressed withinthe site-specific program. This guide has beenspecifically written for situations when the licensee'sGQA program will result in changes to the QAprogram that do reduce commitments in the programdescription previously accepted by the NRC.

Graded quality assurance (GQA) is intended toprovide a safety benefit by allowing licensees and theNRC to preferentially allocate resources based on thesafety significance of the item. The Commission hasarticulated its expectation that implementation of thepolicy to expand the use of PRA will improve theregulatory process in three areas: foremost throughsafety decisionmaking enhanced by the use of PRAinsights, through more efficient use of agencyresources, and through a reduction in unnecessaryburdens on licensees. Background information aboutinitial efforts to implement GQA is in SECY-95-059,"Development of Graded Quality Assurance Method-ology" (March 10, 1995) (Ref. 2).

Relationship to Other Guidance DocumentApplications

Regulatory Guide 1.174 (Ref. 3) describes ageneral approach to risk-informed, regulatory decision-making and includes a discussion of specific topicscommon to all regulatory applications. This regulatoryguide provides guidance specifically for GQAprograms, consistent with but more detailed than thegenerally applicable guidance given in RegulatoryGuide 1. 174. Licensees may choose to use risk-informed decisionmaking in application areas otherthan GQA. It is anticipated that certain efficienciescould be realized in that situation.

Licensees developing GQA programs will adjusttheir QA programs to accommodate their individualneeds. The NRC conveyed its goals and expectationsfor an acceptable graded QA program to Nuclear

Energy Institute (NEI) in a letter dated June 15, 1994(Ref. 4). Irrespective of a licensee's specific approach,the NRC stated a graded QA program should have fouressential elements:

(I) A process that determines the safety significanceof SSCs in a reasonable and consistent manner,including the use of both traditional engineeringand probabilistic evaluations

(2) The implementation of appropriate QA controlsfor SSCs, or groups of SSCs, according to safetyfunction and safety significance to maintainreasonable confidence in equipment performanceand to support the GQA corrective action feedbackprocess

(3) An effective root-cause analysis and correctiveaction program

(4) A means for reassessing SSC safety significanceand QA controls when new information becomesavailable through operating experience, or basedon changes in plant design.

Organization and Content

Limited data are available to define the impact ofQA programs on SSC performance. Consequently,this regulatory guide emphasizes the classification ofequipment into safety-significance categories asdiscussed in Section 2.2 and Appendix A ofRegulatory Guide 1.174 (Ref. 3). Regulatory Guide1. 174 describes a general four-element process that iselaborated upon in the context of GQA in theDiscussion section of this regulatory guide. TheRegulatory Positions in this regulatory guide discussElement 1, a definition of proposed changes to QAapplications; Element 2, which addresses engineeringevaluations applicable to GQA programs; Element 3,which provides specific guidance for an acceptableapproach for implementing GQA controls and fordeveloping performance monitoring strategies; andElement 4, documentation and submittal aspectsrelated to the change.

PROCESS OVERVIEW

As the nuclear industry incorporates risk insightsinto its QA programs, it is anticipated that the industrywill build upon its existing risk-informed activities,including the individual plant examination program.To provide the industry with the NRC's expectationsfor risk-informed decisionmaking, Regulatory Guide1.174 (Ref. 3) was developed. This guide establishesfive safety principles and describes a four-element

1.176-3

process for evaluating risk-informed regulatorychanges consistent with those principles, as illustratedin Figure 1. Regulatory Guide 1.174 providesadditional quantitative acceptance guidelines, discus-sion of defense in depth, and safety margins. Theprinciples are:

I. The proposed change meets the current regulationsunless it is explicitly related to a requestedexemption or rule change.

2. The proposed change is consistent with thedefense-in-depth philosophy.

3. The proposed change maintains sufficient safetymargins.

4. When the proposed changes result in an increase incore damage frequency or risk, the increasesshould be small and consistent with the intent ofthe Commission's Safety Goal Policy Statement.

5. The impact of the proposed change should be mon-itored using performance measurement strategies.

The individual elements of this process aredescribed in Regulatory Guide 1. 174. Those generallyapplicable discussions are not repeated here. Instead,this guide describes a method acceptable to the NRCstaff for categorizing SSCs at nuclear power plants in amanner commensurate with their safety significance(using an integration of insights from traditionalengineering analyses, applicable qualitative consider-ations, and probabilistic analyses) and for applyingappropriate QA programs to each category of SSCs.

The process begins with a set of actions related toproposed changes in the QA categorization of certain

SSCs. The following is an overview, with greaterdetail provided in the Regulatory Positions. Theelements are (I) define the proposed change,(2) perform engineering analysis, (3) define imple-mentation and monitoring program, and (4) submitproposed change.

Element 1: Define the Proposed Change

The process for developing the initial proposal forthe changes is left to the licensee, but it should derivefrom an examination of both traditional engineeringand probabilistic information, and it should result incategorization of the plant's SSCs based on their safetysignificance so that an appropriate level of qualitycontrols can be applied. The licensee identifies thecandidate SSCs and associated activities for a risk-informed application of QA requirements. A risk-informed GQA submittal includes the QA programchange required by 10 CFR 50.54(a)(3)(ii), accompa-nied by the supplemental information described inRegulatory Position 4.1.2 of this guide, which will beused by the staff to determine the acceptability of theprogram. A licensee may elect to categorize a limitednumber of plant systems and apply GQA controls tothese selected plant systems. The SSCs included in thebounding analysis discussed in Regulatory Position2.2 determine which SSCs are candidates forcategorization. If all SSCs in the PRA are included inthe bounding analysis, all SSCs may be candidates forcategorization.

The licensee identifies the systems to be categorizedin the supplemental information. The licensee canchoose when to categorize each system and may choosenot to categorize all the systems identified in thesubmittal. If categorization of systems not included inthe supplemental information proves desirable, the

- I s

2. Perform 4. SubmitChange Engineering Implementation/ ProposedAnalysis Monitoring Change

Program

Figure 1. Principle Elements of Risk-Informed, Plant-Specific Decisionmaking

1.176-4

licensee prepares additional supplemental informationfor NRC approval prior to implementation. SSCs thatshould be considered as potential candidates include:

" Systems and components that are subject tocurrent QA requirements in Appendix B to 10 CFRPart 50,

" SSCs modeled in the PRA for the plant,

• Non-safety-related SSCs that are within the scopeof the Maintenance Rule (10 CFR 50.65), and

" Non-safety-related equipment that has previouslyreceived augmented quality treatment (e.g.,anticipated transient without scram, stationblackout, fire protection).

The licensee should ensure that the QA programcommitments and other QA-related informationgermane to the contemplated changes in QA practicesare clearly understood and adhered to, unless modifiedor amended through the appropriate licensing orregulatory actions. The suitability of the plant-specificPRA should be assessed relative to its use in supportingthe GQA decisionmaking process. In addition,available industry and plant-specific operationalexperience information relative to GQA shouldbe assessed.

Further, the licensee should identify the overallobjective and approach of the proposed changes to theQA program for the candidate SSCs. More details areprovided in Regulatory Position I of this document.

Element 2: Perform Engineering Analysis

In Element 2, the proposed changes in theapplication of QA controls for SSCs as a function ofcategorization commensurate with safety are exam-ined and assessed with respect to the relevant risk-informed decisionmaking safety principles. Anessential element of the evaluation is the categoriza-tion of SSCs into high and low safety-significantcategories. The impact of the QA program changeson defense in depth would be determined through theuse of both traditional engineering evaluations andPRA techniques. In addition, an assessment wouldensure that no more than insignificant risk increasesare introduced by the proposed changes, as describedin Regulatory Position 2. The engineering evaluationhelps to establish the safety significance of systemsand components and determines that the effects of thechanges in QA controls has a small impact on plantrisk. More details concerning Element 2 are containedin Regulatory Position 2.

Element 3: Define Implementation MonitoringProgram

The third element involves developing GQAcontrol implementation and monitoring plans. Theseplans should be formulated to ensure that appropriatesystem and component performance are maintained.For the safety-related SSCs in the high safety-significant category, no changes in QA controls areexpected to be proposed. For the non-safety-relatedSSCs that are found to be high safety-significant, anevaluation would be performed to determine whataugmentation of existing QA controls is appropriate.For low safety-significant SSCs that are safety-related,reductions in QA controls are anticipated. For non-safety-related SSCs that are low safety significant,licensees would continue to define their qualitycontrols. Means should be specified for monitoring theperformance of systems and components and ofquality-related activities and processes and forapplying corrective actions. Specific guidance forElement 3 is provided in Regulatory Position 3.

Element 4: Submit Proposed Change

The final element involves documenting theanalyses for NRC staff or independent review orinspection, and submitting the request to changeimplementation of QA commitments, as required by10 CFR 50.54(a) if the change involves a reduction inthe licensee's QA commitments (for example, adeviation from an NRC regulatory guide or AmericanNational Standards Institute (ANSI) standard). If theproposed change does not involve a reduction in thelicensee's QA commitments, prior NRC staff reviewand approval is not required and the change to the QAprogram is submitted in accordance with 10 CFR50.71(e). The changes associated with the adoption ofGQA proposed by the licensee will be described in theQA Program. In addition, important assumptions thatplay a key role in supporting the acceptability of theQA program change should be identified by thelicensee in the QA program. Documentation necessaryto support the GQA effort is listed in RegulatoryPosition 4 of this regulatory guide.

C. REGULATORY POSITION

1. ELEMENT 1: DEFINE THE PROPOSEDCHANGE

The first element in the process of evaluating achange to QA programs involves providing a fulldefinition of the proposed change. The first step is toidentify the overall scope of the GQA program in termsof the SSCs that are covered. Additionally, the

1.176-5

licensee's PRA would be evaluated with respect to itsadequacy to support the GQA decisionmaking process.To accomplish this the licensee should:

I. Identify, and consider during the GQA process, theset of regulatory requirements and commitmentsthat are directly related to the proposed QAimplementation changes as well as those that maybe impacted. This information is used todemonstrate that the proposed QA changes do notviolate existing regulatory requirements. Themajor regulatory requirements applicable to GQAprograms are set forth in Appendices A and B to 10CFR Part 50, 10 CFR 50.54(a), and 10 CFR 50.34.Changes to technical requirements are controlledunder existing processes such as 10 CFR 50.59,license amendments, relief requests, and exemp-tion requests, which are outside of the scope of thisdocument. Relevant quality commitments that areto be considered reside in a variety of licensingdocuments such as the QA program description,the Final Safety Analysis Report (FSAR),responses to generic communications, andresponses to enforcement actions.

2. Identify the structures, systems, and components(SSCs) and associated activities that are candi-dates for assessment within the risk-informedapplication of GQA. The SSCs selected for therisk-informed application of GQA need notinclude all systems within the scope of thisregulatory guide. A licensee may elect to onlycategorize and apply GQA controls to a limitednumber of SSCs. For those safety-related SSCsnot categorized, the licensee's full Appendix BQA program controls will continue to apply.

3. Identify the expected revisions to existingimplementing guidance of QA requirements thatwill result from the GQA program. Although theNRC staff would consider an application forchanges to many areas of a licensee's QA programto support the GQA methodology, such anapplication is not necessary. A licensee mayinitially choose to apply GQA controls only toselected portions of its QA programs, such as in thearea of procurement. No exemptions from currentregulations are expected to be needed toimplement a GQA program. However, thecommitments of each licensee regarding QA areaddressed in a number of documents, including theFSAR, a QA topical report (if applicable), andother docketed correspondence (e.g., responses togeneric communications, inspection reports).Licensees are expected to maintain control of theirlicensing bases. Accordingly, changes in QA

program commitments should be identified andthe manner in which they are being changedshould be documented, reviewed, and approved bythe NRC as necessary in accordance with theapplicable regulatory requirements (such as 10CFR 50.54(a)).

4. Evaluate risk studies to determine the extent towhich quantitative and qualitative risk insightsmay be utilized. The quality, level of review, andaccuracy of plant representation of the risk studiesshould also be taken into account whendetermining the level of support the studies canprovide to the development and implementation ofthe GQA program. The licensee should alsoconsider how it may use risk-study models,computer programs, and personnel to support thelong-term performance monitoring programrequired as part of GQA implementation.

5. The licensee should not make any changes in theapplication of QA controls and processes prior tothe evaluation of the associated system orcomponent to determine its safety significance asdiscussed in Regulatory Position 2 and beforereceiving approval of the proposed QA changes bythe NRC, if required.

The definition of the change should be completedby categorizing the SSCs identified above according towhether they are high or low safety significant. Forthose safety-related SSCs that are categorized as highsafety significant, current QA practices would apply.For those non-safety-related SSCs that are high safetysignificant, some increase in QA controls may bewarranted and should be implemented as appropriate.For those safety-related SSCs that are low safetysignificant, relaxation in QA controls should beconsidered. For non-safety-related SSCs that are lowsafety significant, licensees would continue to definetheir quality controls without NRC approval.

2. ELEMENT 2: ENGINEERINGEVALUATION

In Regulatory Guide I. 174 (Ref. 3), Element 2 is toperform the engineering evaluation to supportdecisions to change a plant's licensing basis. Changesin the application of QA controls do not lendthemselves to a quantitative assessment because therelationship between QA programs and equipmentperformance (and, hence, risk contribution) has notbeen explicitly established. Furthermore, only a smallfraction of components that are candidates forapplication of GQA controls are modeled in PRAs.This small percentage arises from PRA's emphasis on

1.176-6

the control and mitigation of severe accidents; theexclusion of equipment, such as recombiners, usefulonly for control of design basis accidents; theexclusion of most instrumentation and reactorprotection system equipment from the models; theexclusion of emergency preparedness and plantmonitoring equipment from the models; the combiningof SSCs with identical failure consequences intogrouped basic events; and not including some highlyreliable SSCs when other less reliable SSCs (of similarimpact) or operator actions are modeled.

Categorization of the safety significance of SSCsfor utilization in GQA uses quantitative PRA results,supplemented by qualitative engineering evaluationsto include SSCs not modeled in the PRA, to develop aninitial categorization referred to in this regulatoryguide as candidate high or low safety significance.These initial categories should be evaluated, modifiedas appropriate, and approved during a final traditionalengineering decisionmaking process. Such acombined, integrated approach is necessary to utilizethe strengths and avoid inherent limitations in bothprobabilistic and traditional engineering analysismethodologies.

2.1 Safety-Significance Categorization

A minimum of two levels of categorization shouldbe utilized, preferably labeled high and low safetysignificant. At the prerogative of the licensee, a greaternumber of safety-significance levels can be defined,such as three levels composed of high, medium, andlow safety significance. From a regulatory point ofview, it is essential that high safety-significant itemsare not inappropriately categorized as less than high,since these might then be inappropriate candidates forreduced QA requirements. Therefore, for regulatorypurposes, high safety significance may be assumed orassigned. Only assignments of low and medium safetysignificance must be justified.

Systems have a variety of operating modes andperform a variety of functions, with each function awell-defined task requiring the proper operation ofsome subset of system equipment. Although certainQA controls are applied at the component or evenpiece-part level, safety-significance categorization ismost appropriately defined at the system functionlevel. Therefore, the guidance in this regulatory guideis based on determining the safety-significance ofsystem functions, identifying the components andcomponent operational modes required to support highsafety-significant functions, and determining thecategorization of the components based on thisinformation.

The categorization process must also be capable ofsystematically tracking and documenting systemfunctional boundaries, defined as the point (compo-nent) at which a system operating in a particular modefunctionally interfaces with a connected system. Thecategorization of the safety significance of supportfunctions is generally determined by the categorizationof the function being supported, augmented by aquantitative or qualitative evaluation of the supportsystem's aggregate safety significance. Interfacingfunction categorization should be well documented,traceable, and internally consistent. Licensees whochose to implement GQA programs one system at atime must ensure that support system interfaces aresufficiently well defined and documented that thesafety significance of interfacing systems will alwaysbe explicitly considered as each system is evaluated.

The scope, level of detail, and quality required ofthe PRA are commensurate with the application forwhich it is used and commensurate with the role thePRA results play in the integrated decision process.PRAs used to support a GQA application shouldrealistically reflect the actual design, construction,operational practices, and operational experience ofthe plant and its operator. Furthermore, all calculationsusing the PRA model should be performed correctlyand in a manner that is consistent with acceptedpractices. The licensee must demonstrate that the PRAand the calculations are of sufficient quality to supporta decision on the acceptability of the proposed change.

A well organized and documented safety-significance categorization process, sensitivity andbounding studies performed with the PRA, andimplementation of a robust monitoring and feedbackprogram can provide reasonable assurance thatimplementation of GQA should result in aninsignificant change in risk. Consequently, NRC staffevaluation of the quality of the PRA may be directedtoward a finding that the quality is sufficient forassigning SSCs into broad safety-significant catego-ries for consideration in an integrated decisionmakingprocess.

All operational modes and internal and externalevents should be included in the evaluation of thesafety significance of systems, functions, andcomponents. PRA models and results for core damageand large early release frequency for internal initiatingevents at full power should be used to support thecategorization process. Licensees may use qualitativestudies of other initiating events and operational modesthat identify and characterize scenarios that arebelieved to be important, but without expendingsignificant resources in quantifying the frequencies of

1.176-7

the scenarios. Seismic margin analysis and fire-induced vulnerability evaluations (FIVE) done tosupport the individual plant examination of externalevents (IPEEE) analyses and shutdown risk configura-tion control evaluations are examples of qualitativestudies that have been developed. Evaluations basedon quantitative external and shutdown studies may alsobe used. If importance measures from quantitativestudies are combined with measures generated frominternal event analyses, the licensee should ensure thatthe greater uncertainties inherent in the analysis ofexternal events and the modeling of shutdown eventsare fully considered during the final categorization.

2.1.1 Identification of System Functions

Definition of the proposed change includesidentification of all the functions a system mustperform. Although many system functions mayeventually be categorized as low safety significant,characterization of the proposed change begins with adescription of all functions a system must fulfill.System functions should include functions used duringnormal operation as well as all functions related to theprevention or mitigation of core damage, protection ofcontainment integrity, or reduction in the releaseprobability or consequence to the public fromaccidents and transients both within and beyond thedesign basis (e.g., risk analysis).

2.1.2 System Function Safety-SignificanceCategorization

Determination of the safety significance of systemfunctions is inherently a "top down" process, startingwith the front-line systems and system functionsdirectly involved in plant-level safety functions (suchas reactivity control, reactor pressure control, anddecay heat removal). The delivery of high-pressureprimary coolant from the reactor water storage tank tothe core may be categorized as a high safety-significantfunction. The pumps, valves, and other SSCs whoseproper operation is required to fulfill this functionderive their initial categorization from the significanceof the function. Therefore, any determination of anSSC's safety significance requires determination ofthe safety significance of all functions the SSCsupports. Similarly, determination of the safetysignificance of support system functions (whichshould be later pursued in the support system'sevaluation) is best performed by determining the safetysignificance of the function being supported.

Licensees may limit their evaluation to the systemlevel and assign all components to the same safety-significance category as the system. This will onlyreduce the burden on licensees if all the system

functions can be categorized as low or medium safetysignificant. To provide confidence that eventualdetermination of less than high system safetysignificance is made with full recognition of eachsystem's contribution to risk, system-level importanceshould be determined from importance measuresdeveloped from the PRA. If the system is not modeledin the PRA, the licensee should determine why thesystem was not modeled and, guided by thisdetermination, investigate through a traditionalengineering review whether any system functionalfailure will degrade the performance of any humanactions or any other systems' high safety-significantfunctions. A system-level safety significance may beassigned based on the documented results of thereview.

2.1.2.1 Quantitative Safety CategorizationInsights. Quantitative importance measures from riskstudies provide valuable insights about the relativeranking of the safety significance of PRA modelelements such as basic events, components, humanactions, functions, trains, or systems. At least twoquantitative measures of importance are needed, one(such as Fussell-Vesely (FV) or risk reduction worth(RRW)) illustrates the fraction of current riskinvolving the failure of the model element; the other(such as risk achievement worth (RAW) or Birnbaum)illustrates the margin of safety contributed by themodel element's proper operation. Other measuresmay be used, but at least two measures reflectingcurrent contribution and margin contribution areneeded to balance the risk insights.

Importance measures represent the risk sensitivityof an individual model element. Importance measuresshould be compared to some quantitative guidelinevalues. The specific values chosen as guidelinesshould be justified by the licensee and should reflectthe estimated risk levels at the plant. All modelelements characterized by importance measuresgreater than (or less than, as appropriate) the guidelinesare identified as potentially high safety significant.Once one element is varied, the importance measuresfor the other elements will change. Consequently,while large or small importance measure valuesidentify candidate high or low safety-significant modelelements, final categorization is determined by anexpert panel during the integrated decisionmaking.

To ensure that the integrated decisionmaking ismade with adequate understanding of the sensitivity ofthe importance results to major PRA modelingassumptions, techniques, and data, the licensee shouldaddress the technical issues associated with the use ofrisk importance measures to categorize SSCsdiscussed in Regulatory Guide 1. 174. For GQA

0

01.176-8

applications, a minimum of two sensitivity calcula-tions are expected; one in which recovery' actions areremoved (that is, recovery probabilities set to 0.0) andone in which all common cause failures (CCFs) areremoved (that is, failure probabilities set to 0.0). Thestudies should be performed by modifying andquantifying the original PRA logic model to minimizetruncation effects. These sensitivity studies aredesirable since human actions and CCF probabilitiesare derived from models requiring extensiveinterpretation and manipulation of observable data.When an SSC moves into the high safety-significantcategory as the result of a sensitivity study, the expertpanel should consider the reasonableness of therecovery action or CCF event that caused the lowsafety significance in the original results and considerassigning the SSC into a higher safety-significantcategory. If the sensitivity studies are not performed,additional peer and NRC staff review of the humanerror and CCF probability development may benecessary to develop confidence that the quantitativeresults provided to the expert panel are sufficientlyrobust to support the categorization process.

When each SSC is categorized, the safetysignificance of all the functions that SSC supports mustbe known. Therefore, the PRA model element mostapplicable to the SSC grading process described in thisregulatory guide is a system function failure. Systemfunction importance provides the expert panel clearand documented information referencing individualcomponent functions to plant safety functions.Developing system functional importance will assist inboth the risk categorization process and the NRC staffreview. If basic event (such as component failure)importance measures, rather than system functionimportance measures, are used to directly categorizeSSCs at the component level, the categorizationprocess becomes more dependent on PRA characteris-tics such as system success criteria, system modelingdetail, and component modeling guidance.

System functions generally require the properoperation of a group of SSCs and are represented in thePRA models as a set of logically linked basic events.Some PRA codes are not well suited to thedevelopment and quantification of system levelimportance measures. One alternative technique usesbasic event importance measures (readily calculatedby most PRA codes) to identify a set of systemfunctions that are clearly high safety significant. Thistechnique is based on recognition that system function

Recovery actions include human actions performed to return a failedsystem or component to operability. Recovery actions may also includeusing systems in relatively unusual ways. The procedures for recoveryactions usually give only general guidance instead of step-by-stepprocedures and are not part of the standard training routine.

RAW and FV importance measures will always be atleast as large as the RAW and FV for basic eventswhose failure will fail the function. If other importancemeasures are used with this technique, this propertyshould be validated for the measures used.

When basic events are used to characterize theimportance of system functions, the relationshipbetween the failure of the basic events and the systemfunctions they support becomes a critical consider-ation. For example, the RAW of a CCF basic event thatfails a set of nominally identical pumps provides areasonable estimate of the margin of safety the properoperation of the pumps is contributing. If the pumpsfulfill only one system function, the RAW of the CCFprovides a reasonable estimate of that function'scontribution to margin of safety. Any system functionmodeled in the PRA that is supported by one or morebasic events that have importance measures above theguideline values should be initially categorized as acandidate high safety-significant system function.Since it is possible that the system function's RAW andFV measures are much higher than those of anyindividual basic event, system functions not catego-rized as candidate high should, as a minimum, befurther evaluated as discussed below, and the licenseeshould describe technically how each issue wasaddressed.

The redundancy and reliability of trains withinsystems that are available to fulfill a criticallyimportant system function can have the result thateach individual basic event within the system hasvery low importance measure values or is eventruncated out of the results. A system-basedevaluation should be performed to determine theimpact of the failure of systems that are modeled inthe PRA but that have no single failure event (forexample, no CCF) and no basic event importancemeasure above the guideline values. Discrepan-cies in the form of high failure consequence forsome systems (automatic depressurization system,for example) but low or no basic event importancemeasures should be identified and the relevanthigh safety-significant functions defined andproperly categorized as high safety significant.

Initiating events are often not modeled as basicevents or, if they are, are modeled as singlemodularized events. Some examples of suchinitiating events are the loss of instrument air, theloss of main feedwater, the loss of offsite power(through local switchyard faults), the loss ofalternating current (AC) or direct current (DC)buses. If components whose failure contributes tothese initiating events are modeled in otherinitiating events (e.g., loss of an air compressor

1.176-9

leading to loss of pneumatic valves following aloss of component cooling), the importance of thebasic events will not include the contribution of thefailure to the initiating event frequency. Thus, theimportance of functions whose failure wouldcause both an initiating event and the partial loss ofmitigating function can be severely underesti-mated by surrogate basic event importancemeasures.

PRA's integrated models provide an excellentframework to characterize system and system functionimportance. One area relevant to GQA that PRAmodeling does not usually address, is cross-systemdependencies arising from nominally identicalcomponents used in different applications throughoutthe plant. This occurs because cross-systemdependencies are typically not modeled (betweennominally identical MOVs in different systems, forexample) and because the resolution of the PRAmodels may not be sufficiently detailed (the PRAanalyst may not be able to determine whether thecircuit breakers in two different systems are identicalmodels, for example). Cross-system dependencies arenot modeled in PRAs yet can have a significant impacton risk. Consequently, licensees must develop amonitoring program capable of timely identification ofrepetitive failures of nominally identical equipment forfurther investigation.

2.1.2.2 Qualitative Safety CategorizationInsights. PRA results are to be used in conjunctionwith traditional engineering, and the principlesassociated with defense in depth and safety marginsmust also be factored into the safety-significancedetermination. Consequently, the following qualita-tive factors should be applied to the quantitative PRAinsights developed in the previous section. Thelicensee is to be able to describe technically how eachissue was evaluated and resolved.

The diversity of systems that are able to fulfillcritical high level functions (e.g., reactivitycontrol, decay heat .removal) can have the resultthat each individual system could meet allquantitative guidelines to be categorized in the lowsafety-significance group. It would be prudent,and the licensee is expected, to designate at leastone system associated with critical high-levelfunctions as high safety significant.

" Screening analyses are used to dismiss somefunctional failures as insignificant. In many cases,credit for the redundancy or reliability of plantsystems or structures is taken to bolster thearguments that the functional failure need not be

modeled. Thus, the importance of some systems,functions, and structures will not show up in thePRA results since the functional failure is screenedout. (For example, screening out certaincontainment penetrations because of the numberof isolation valves involved obscures theimportance of the containment isolation functionof the system.)

" Risk insights from nonquantitative external eventand shutdown risk studies should also be used. Allthe system functions credited in these studiesshould initially be categorized as "high safety-significant" candidates. Final categorization into alower safety-significance category should includeconsideration of the initiating event's frequency ormagnitude and the ability of the SSC to respond tothe event.

" Risk insights from the evaluation of theMaintenance Rule (10 CFR 50.65) should beincorporated to ensure the identification offunctions that are (1) relied upon to mitigateaccidents; (2) used in emergency operatingprocedures; (3) those whose failure could preventa safety-related SSC from performing its safety-related function; and (4) those whose failure couldcause a reactor scram or actuation of a safety-related system.

* PRA importance measures do not fully address thesignificance of SSCs that support operator actionsfor emergency and severe accident management.Such systems can include environmental controls,lighting, alarms, communications, and annuncia-tors. Determination of the categorization of suchsystems should include consideration of whetherthe loss of such systems could cause short-term orlong-term problems, whether a system failurecoincident with an accident is likely, and whetherpersonnel could reasonably compensate for theloss of these support systems.

2.1.3 Identification of Components thatSupport Functions

QA controls are applied at the component levelwhile PRA basic events often represent groups ofcomponents. For example, a diesel failure basic eventin the PRA can represent a large number of plantequipment parts, including such items as the dieselmotor, oil pump, oil cooling fan, motor generator.Other components are not included in PRA basicevents because their reliability is assumed to be highenough that their failure probability would have anegligible impact on the CDF and LERF. Therefore,

0

1.176-10

once the high safety-significant functions in a systemfor which GQA is being implemented have beenidentified, the plant equipment required to support thehigh safety-significant functions must be identifiedindependently of the PRA basic event definitions.

An efficient format to identify this componentversus system function is a matrix that lists and cross-references the high safety-significant system functionsto all the components needed to support each functionat the level of equipment specificity at which changesin the application of QA controls will be pursued.Although a matrix is not necessary, well-organizedinformation to support the final deliberations and toprovide a traceable record for future licenseeevaluations and for NRC inspections should cover allhigh safety-significant system functions, all systemcomponents that support the high safety-significantfunctions, and all external system support functionsrequired by any component. The licensee is to be ableto describe technically how each issue was addressedand resolved. Here are some examples that illustrateareas of potential concern regarding the accuracy andcompleteness of this information.

One component can directly support anothersystem's function. For example, some contain-ment sump recirculation valves are nominallyassigned to the low-pressure injection system butdirectly support containment spray by providingthe recirculation flow path.

Some instrumentation can belong to one systembut provide signals used in other systems, or beused by the operators as a basis for proceduralizedor unproceduralized actions. Instrumentation usedto actuate and control system and plant functionsneeds careful attention if grading of instrumenta-tion is contemplated.

Component failures could lead to an initiatingevent such as loss of feedwater or loss ofcomponent cooling water. Components whosefailure could cause an initiating event should beidentified in the matrix as being necessary tosupport the normal operation function (e.g., air-operated feedwater control valves are required tosupport feedwater at power).

Well organized and detailed information is alsoneeded to systematically propagate safety categoriza-tion through successive tiers of support systems notmodeled in the PRA. If systems are not graded in a top-down sequence, it is particularly important that theevaluation should include a traceable record of thepreviously assumed categorization of upper-tiered

functions requiring support from other systems.Eventually, the categorization of all support functionsshould be consistent, e.g., the safety significance of thefunctions requiring support in the upper-tiered systemcorresponds to the relevant function in the supportsystem.

2.1.4 Safety-Significance Categorizationof Components

The final categorization of system functions andthe components that support the high safety-significantsystem function is selected by an integrated assessmentof quantitative and qualitative risk insights asdescribed in Regulatory Position 2.3.

The safety-significance categorization assigned tocomponents (and to support system functions that can betreated as component functions for initial categoriza-tion) is based on the safety significance of the functionthe component supports. Components that support onlylow safety-significant functions should be classified lowsafety significant. The safety significance ofcomponents supporting high safety-significant func-tions need not always be high, but each suchcategorization as low safety significant should beexplicitly evaluated and documented and in conform-ance with licensee-defined guidelines. Justification forcategorizing a component's safety significance as lowbased on high reliability alone will not be acceptable,because the high reliability may be the result of the QAcontrols applied. If it is not the quality controls that arethe cause of the high reliability, the justification shoulddescribe the source of the high reliability.

2.2 Demonstration of Conformance withSafety Principles

Once the full set of low safety-significancecandidates has been identified, it is necessary todemonstrate that the proposed changes to the QArequirements for these candidates do not violate thesafety principles. Guidelines for making thatdemonstration with due consideration for the scope ofthe GQA program are summarized below. Otherequivalent guidelines are acceptable.

GQA programs need to reflect the multiplicity ofcurrent regulations and programs to which some SSCsare subject. For example, some SSCs may need to beexcluded from certain reduced QA control categories ifthose SSCs are also governed by more stringentAmerican Society of Mechanical Engineers (ASME)Code provisions to meet the requirements of 10 CFR50.55a. In such instances, the ASME Coderequirements must be met.

1.176-1i

2.2.1 Engineering Evaluation Guidelines

The engineering evaluation should assess whetherthe impact of the proposed change is consistent withthe defense-in-depth philosophy. An acceptable set ofguidelines for making that assessment is summarizedbelow. Other equivalent decision guidelines areacceptable.

* A reasonable balance among prevention of coredamage, prevention of containment failure, andconsequence mitigation is preserved.

* Over-reliance on programmatic activities tocompensate for weaknesses in plant design isavoided.

" System redundancy, independence, and diversityare preserved commensurate with the expectedfrequency and consequences of challenges to thesystem and uncertainties (e.g., no risk outliers).

* Defenses against potential common cause failuresare preserved and the potential for introduction ofnew common cause failure mechanisms isassessed.

" Independence of barriers is not degraded.

* Defenses against human errors are preserved.

" The intent of the General Design Criteria inAppendix A to 10 CFR 50 is maintained.

The engineering evaluation should also assesswhether the impact of the proposed change isconsistent with the principle that sufficient safetymargins are maintained. An acceptable set ofguidelines for making that assessment is summarizedbelow. Other equivalent decision guidelines areacceptable.

• Codes and standards or alternatives approved foruse by the NRC are met.

" Safety analysis acceptance criteria in the licensingbasis (e.g., Final Safety Analysis Report (FSAR)and supporting analyses) are met, or proposedrevisions provide sufficient margin to account foranalysis and data uncertainty.

2.2.2 Guidelines for Defense in Depth and SafetyMargins

Defense in depth and safety margins are expectedto be addressed generally by considering thefollowing GQA program aspects.

* The GQA process will not result in changes to theplant configuration. Therefore, no existing plantbarriers will be removed. Additionally, existingsystem redundancy, diversity, and independencewill be maintained.

" The GQA process will not result in changes to thetechnical requirements (e.g., design bases oroperational parameters) associated with SSCs.

" The resulting QA provisions will provide thenecessary level of assurance that low safety-significant, safety-related and high safety-significant, non-safety-related SSCs remain capableof performing their safety function.

The core damage frequency (CDF) and large earlyrelease frequency (LERF) figures of merit do not fullycover long-term containment overpressure protection.Functions credited in the PRA for long-termoverpressure protection, but which do not contain anySSCs with CDF or LERF based importance measuresabove the guideline values, should be identified andthe safety significance explicitly assigned. Forexample, the containment spray systems for PWRsmay not contribute to the prevention or mitigation ofcore damage or large early release.

An important factor to ensure that defense-in-depth and safety margin considerations are notdegraded during the implementation of GQA is controlof potential common mode failures. As discussed inRegulatory Position 2.1.2.1, groups of nominallyidentical SSCs, utilized in multiple systems throughoutthe plant, can as an aggregate have high safetysignificance.

Principle 4 in Regulatory Guide 1.174 (Ref. 3)states that any proposed increase in CDF and risk aresmall and are consistent with the intent of theCommission's Policy Statement (Ref. 1). Although therisk impact of GQA changes on individual componentsis expected to be minimal, reduced QA oversight may beapplied to a large number of SSCs. It is recognized thatlimited data are available to define the impact of QAprograms on SSC reliability. Accordingly, the licenseeshould perform a bounding analysis in which the failurerates or probabilities for basic events representing SSCsthat may be subjected to reduced QA controls are set atsome increased level (chosen and justified by thelicensee). Alternatively, the licensee may choose toaddress the bounding analyses by modifying theuncertainty distributions in some manner (also chosenand justified by the licensee).

The bounding analysis should include all SSCsmodeled in the PRA on which QA controls may be

1.176-12

reduced in all systems that the licensee defines as beingwithin the scope of the GQA program. SSCs notmodeled in the PRA must be reviewed to verify thattheir failure will not impact any functions modeled inthe PRA. Any potential impact on systems modeled inthe PRA must be qualitatively addressed.

It is recognized that the categorization of SSCs for thebounding analysis will necessarily be an initialcategorization, most likely based on an evaluation ofbasic event importance measures augmented by a limiteddeterministic review. The purpose of such a study is notto estimate a new plant CDF and LERF, but to understandthe potential or bounding impact of the proposed changeand to assess the risk impact through boundingevaluations. The results should be compared to theacceptance guidelines in Regulatory Guide 1.174 andcontrasted with aspects of the GQA programimplementation that are expected to provide anunquantifiable safety benefit. If, during the categori-zation process, it becomes apparent that the initialcategorization is modified to such an extent that thebounding results may be non-conservative (that is, SSCsthat were high during the bounding analysis are beingplaced in lower categories), a new bounding calculationshould be performed. If the original results are exceeded,the licensee should adjust the category of selected SSCscategorized or adjust the categorization criteria.

2.3 Integrated Assessment

Generally, the performance of, and integration of,the above described evaluations should be performedby a number of technically knowledgeable personnel.One acceptable approach to accomplish this function isto utilize a multi-disciplinary review group oftechnically proficient plant personnel, referred to hereas an expert panel.

If the integrated assessment function is performedby an expert panel, the expert panel determines safetysignificance and considers QA program adjustmentsfor SSCs accordingly. The panel would normallyinclude experienced representatives from variousdisciplines such as operations, maintenance, engineer-ing, safety analysis and licensing, and PRA. Thecomposition of the expert panel should be augmented,if necessary, to support the purpose of the safety-significance ranking and the grading of QA controls.For example, because of the emphasis on QAconsiderations in the GQA process, QA andprocurement engineering personnel may be assignedto the panel.

The expert panel is responsible for determining thesafety significance of the system functions and SSCs.The panel should evaluate traditional engineering,

probabilistic, and qualitative information availableregarding the systems and system functions within thedefined scope of the GQA program changes. Theevaluation should include either resolving orapproving the resolution of the quantitative andqualitative issues addressed in Regulatory Positions2.1.2.1 and 2.1.2.2.

Safety significance may be determined usingguidelines related to prevention and mitigation of coredamage, as well as containment integrity and LERF.Factors such as potential common mode failures,human errors, defense in depth, the importance of plantequipment used for emergency preparedness and plantmonitoring functions, and the maintenance of safetymargins should also be fully considered.

3. ELEMENT 3: DEVELOP IMPLEMENTATIONAND MONITORINGSTRATEGIES

This section addresses the first, second, third andfifth principles for risk-informed decisionmaking. Theobjective of the GQA effort is to implement a GQAprogram that provides a reasonable level of confidencethat plant SSCs will be capable of performing theirintended functions. The extent of QA controls will bedetermined by the relative safety significance andsafety functions performed by the equipment to whichthose controls are applied. The licensee's revisedGQA program should specifically identify how thecriterion in Appendix B to 10 CFR Part 50 will besatisfied. The licensee may adjust the elements of theQA program as deemed necessary to provide areasonable level of confidence that the SSCs will be.capable of performing their intended function. Thelicensee will demonstrate that the proposed program,in total, is sufficient to achieve this objective.

3.1 Grading of Quality Activities

The first step of the evaluation process is for thelicensee to identify specific elements of the QA programcontrols that will be adjusted for the set of plantequipment that is defined to be low safety significant.For example, a licensee may propose a change to itsverification practices and perform verifications bysampling. Additionally, the licensee should identify theapproach for evaluating the adequacy of QA controls fornon-safety-related SSCs determined to be high safetysignificant. Augmented quality controls will likely bewarranted for these items.

3.1.1 Regulations and Commitments

In accordance with the first principle, noexemptions from current regulations are expected to beneeded to implement a GQA program.

1.176-13

The licensee's QA program description should berevised to address GQA activities applicable to safety-related SSCs of low safety significance, including adiscussion of how the applicable requirements ofAppendix B to 10 CFR Part 50 will be satisfied for thatpart of the program in accordance with 10 CFR50.34(b)(6)(ii). This may be accomplished by adiscussion that identifies exceptions to applicableNRC regulatory guides and associated endorsedindustry standards or by including additional text thatdescribes how Appendix B will be satisfied (merely re-stating the Appendix B provisions will not beacceptable). The submittal should adequately describethe safety-significance determination process and theadjustments made to the QA provisions associatedwith the 18 criteria of Appendix B to 10 CFR Part 50 todescribe how the requirements will be satisfied in agraded manner. While considerable flexibility may beexercised, the GQA program should be based onstandards of performance that are clear, definite, andenforceable.

Grading of QA activities will likely result inchanges that reduce QA program commitmentsrelating to SSCs of low safety significance. In thatevent, the NRC would expect the licensee to submit aQA program change to the NRC in accordance with10 CFR 50.54(a), as discussed further in this sectionand in Regulatory Position 4.

However, plant SSCs cannot be reclassified asnon-safety-related solely on risk considerations.Regulatory requirements in Section VI(a)(I) ofAppendix A to 10 CFR Part 100, 10 CFR 50.2,10CFR50.49(b)(I), and 10 CFR 50.65(b)(1) pre-scribe the criteria for determining which SSCs aresafety-related and are subject to the provisions ofAppendix B to 10 CFR Part 50. However, GQA doesallow for differences in QA controls for safety-relatedSSCs based upon their safety significance.

GQA programs should not result in either intendedor effective changes in the design, configuration, ortechnical requirements of plant systems. Such designor configuration changes would occur, for example, ifQA program reductions result in a loss of confidence ofthe SSC's ability to perform its safety function. Thelicensee should ensure that changes to technicalrequirements are only made in accordance withapplicable regulations.

Other regulations, such as the requirements of 10CFR Part 21, "Reporting of Defects and Noncompli-ance," including provisions related to basic compo-nents and commercial grade item dedication; 10 CFR50.55(a), "Codes and Standards"; and 10 CFR 50.36,

"Technical Specifications," remain in effect and maynot be changed by means of the GQA programdescription.

Licensee. commitments regarding QA are ad-dressed in a number of documents, including theFSAR, the QA Topical Report, and other docketedcorrespondence (e.g., responses to generic communi-cations, inspection reports). Licensees are expected tomaintain control of their licensing bases. Accordingly,changes from current commitments to QA regulatoryguides that will be revised as part of the GQA programshould be identified, and the manner in which they arebeing changed should be documented, reviewed, andapproved as necessary by the NRC in accordance with10 CFR 50.54(a), as appropriate.

3.1.2 Grading of Quality Elements

After categorizing the system functions andsubsequently the SSCs into two or more safety-significance categories as described throughout thisregulatory guide, the licensee should apply appropriateQA controls for the various categories. This is acritical factor in achieving the goals of the GQAinitiative and. is performed by an integratedassessment, for example, by an expert panel, asdiscussed in Regulatory Position 2.3.

For safety-related SSCs determined to be highsafety significant, or for safety-related SSCs that havenot yet been evaluated in accordance with the GQAprocess, the current QA practices contained in theNRC-approved QA program should be retained.

Licensees have the flexibility to define theprocesses used to achieve reasonable confidence inSSC performance commensurate with their safetysignificance. Therefore, the licensee may developreduced, or graded, quality assurance controls for thosesafety-related SSCs assigned to the low safety-significant category. Examples of areas in which thismay be possible are listed in Regulatory Position 3.2 ofthis regulatory guide. In proposing to reduce controls,two basic objectives should be kept in mind. These arethat the GQA program should be sufficient to ensurethe SSC's design integrity and ability to successfullyperform its safety function and that the GQA programshould include processes and documentation thatsupport an effective corrective action program asdiscussed in Regulatory Position 3.3.2. Accordingly,in reducing or enhancing the QA program for any SSC,the licensee must describe how the proposed changeswill achieve the objectives. Also, consideration shouldbe given to issues such as CCF, as discussed inRegulatory Position 2.2.

1.176-14

It should be emphasized that a certain number ofSSCs currently categorized as non-safety-related(i.e., that have not previously been subjected to anAppendix B QA program) may fall into the highsafety-significant category based on application ofthe methods described in this regulatory guide.These non-safety SSCs become important becausethe categorization of safety-related SSCs as eitherhigh safety significant or low safety significant isderived either directly or indirectly from thelicensee's PRA or from qualitative methods thatconsider the results of PRA when available. Inparticular, PRA takes credit systematically for non-safety-related SSCs as (1) providing support to, (2)alternatives to, and (3) back-ups for safety-relatedSSCs. Thus, the categorization of safety-relatedSSCs as low safety significant depends upon theproper operation and reliability attributed to non-safety-related SSCs as part of the safety-significancedetermination process.

Licensees should evaluate whether augmentedQA practices are warranted for "high safety-significant, non-safety-related" SSCs. The applica-tion of augmented controls provides reasonableconfidence that the reliability assumed in the riskanalysis, or the associated qualitative decisionmakingprocess, remains valid. Licensees may voluntarilyselect certain Appendix B QA program controls asaugmented quality provisions. However, a licenseemay determine that the amount of QA controlscurrently being applied to these high safety-significant, non-safety-related SSCs are appropriate.If there is reasonable assurance that the SSC willperform its intended function, there may be no need toapply augmented QA controls. The licensee shouldbe able to provide a documented basis concerning theadequacy of the QA controls applied to these highsafety-significant, non-safety-related SSCs. Thediscussion that QA controls will be applied to highsafety-significant, non-safety-related SSCs, and thedelineation of the augmented quality controls thatwill be applied to those SSCs must be documented bythe licensee in the QA program. In the above manner,risk insights will be used in an integrated manner toidentify areas in which improvements should beimplemented.

If the PRA analysis assumed that certain non-safety-related SSCs would perform particular func-tions under postulated design basis conditions (forexample, seismic, harsh environment, or fire), andthese SSCs are categorized as high safety-significant,then GQA controls that address the equipmentcharacteristics that support the credited functionshould be considered.

3.2 Potential Areas for Implementing GQAProgram Controls

Low safety-significant SSCs that are safety-related, to which the QA program controls, in AppendixB to 10 CFR Part 50 have previously been applied, arecandidates for grading subject to the guidancediscussed earlier. In addition, for high safety-significant SSCs. that are non-safety-related, licenseeevaluation should be performed to identify proposedaugmented quality controls.

Some areas that may be appropriate for applyingGQA program controls for safety-related SSCs of lowsafety significance are discussed below. Thefunctional areas discussed below are not all-inclusiveand licensees may propose graded controls in otherareas, provided it can be shown that the objectivesdiscussed in Regulatory Position 3.1.2 are met. Thegoal is to allow licensees flexibility to defineacceptable QA controls that provide reasonableconfidence that the SSCs will perform their intendedfunctions. As discussed in Regulatory Position 3.3.2,the assignment of QA controls is dynamic in nature.As part of the GQA process, it is necessary to considerfeedback information from the monitoring andcorrective action elements that may lead to a need toreinstate controls that had been relaxed. Further detailsof specific GQA practices that the staff has foundacceptable for low safety-significant itemsare described in SECY-97-229, "Graded QualityAssurance/Probabilistic Risk AssessmentImplementation Plan for the South Texas ProjectElectric Generating Station" (Ref. 5), the associatedlicensee QA program change, and other documentsreferenced in the staff safety evaluation attached toSECY-97-229.

When considering the application of GQAcontrols, the licensee should consider the essentialelements of the process (such as the safety-significancedetermination, identification of GQA controls,associated corrective action methods, and performancemonitoring) to be high safety-significant activities thatare not subject to grading.

3.2.1 Procurement

Licensees may establish less stringent QArequirements for the procurement of low safety-significant components than for high safety-significant components. In making these changes,licensees must consider requirements in 10 CFR Part21 and Appendix B to 10 CFR Part 50 and mustconsider any still-current commitments based on the

1.176-15

use of withdrawn regulatory guides..2 Within thisarea, the technical requirements for commercialgrade item (CGI) dedication in accordance with 10CFR Part 21 (critical characteristics of an item for anapplication) are not subject to grading. However, forsafety-related items of low safety significance, theverification of critical characteristics may be graded(e.g, by reduced sampling plans or alternative testingtechniques). Other procurement-related activitiessuch as auditing, qualifying suppliers, and receiptinspection may also be graded. Licensees shouldconsider the role its procurement practices play inensuring the prevention of cross-system commoncause failures and implement the procurementactivities accordingly.

A licensee may choose to reduce currentcommitments regarding certificates of conformancethat are based upon regulatory guides that have beenwithdrawn..2 The licensee would instead follow theguidance in sections 4.2.a, I 0.2.a through f, and 10.3.2in ANSI N45.2.13 (Ref. 6).

A licensee may choose to reduce commitments toANSI N45.2. 13 (Ref. 6) regarding source verificationsand procurement program audits described in Sections7.2.1,7.3.1, 10.3.1, and 12. The change of practices inthis area for low safety-significant items would beappropriate. However, licensee practices for receiptinspections, post-installation testing, and a compo-nent-level monitoring program will provide feedbackto identify any necessary corrective actions.

A licensee may reduce commitments associatedwith Regulatory Guide 1.38 (Ref. 7) and other(previously withdrawn) guides2 and with ANSIN45.2.12 and N45.2.2 (Refs. 8 and 9) regarding theconduct of external supplier audits and supplierevaluations. For low safety-significant items, theexternal supplier audits could be done as deemednecessary on an unscheduled basis. The associatedsupplier evaluations could be done on a biennial basis.Overviews of suppliers will be based on performancemonitoring and trending of feedback from receiptinspections, post-installation tests and inspections, andplant operational results.

Licensees should also consider the results of theevaluations generated during the categorization

' Several QA-related regulatory guides were withdrawn in 1991 because the

ANSI standards that they endorsed were incorporated into ANSI/ASMENQA-1-1983. "Quality Assurance Program Requirements for NuclearFacilities." The withdrawal of a regulatory guide does not alter any prioror existing licensee commitments based on the use of the withdrawnregulatory guides. At their discretion, licensees with prior or existingcommitments to withdrawn regulatory guides or standards may continueto implement those provisions, or revise their commitments to adopt theANSI/ASME NQA- 1- 1983 standard.

process concerning the functions of SSCs, as they mayprovide useful insights for identifying criticalcharacteristics to be used during the dedication process

3.2.2 Inspections

The licensee may chose to reduce inspectionactivities related to low safety-significant SSCs andchoose to perform monitoring or surveillanceoversight to ensure that components can perform theirintended functions. Verifications by peer personnelmay be implemented for safety-related low safety-significant SSCs provided that the licensee usesindividuals who are qualified to do inspections andwho are independent from the actual performance ofthe work activity as discussed above. However, thesechanges cannot conflict with ASME Code-requiredinspections and examinations or other inspections andexaminations specified in NRC regulations (e.g., useof the Authorized Nuclear Inspector services).

The licensee may choose to reduce commitmentsto section 5.2.7 of ANS 3.2/ANSI N18.7 (Ref. 10) toperform post-work inspections for maintenance andmodification activities depending upon the complexityof the work. Post-work inspections would then beperformed for relatively complex maintenance andmodifications. Other verifications such as applicablesurveillance testing, receiving inspections, andinservice inspections would continue to be performedfor the low safety-significant item.

Licensees may propose to reduce their require-ments regarding personnel who perform inspectionson low safety-significant items. Those inspectionpersonnel will need to be experienced, task-qualifiedjourneymen, or supervisors who did not perform ordirectly supervise the activity being inspected. Thesepersonnel will need to receive training in the qualityorganization's inspection procedures, processes, andmethods in accordance with a training programapproved by the quality organization. The qualityorganization will need to provide periodic oversight ofthese inspectors. This provision would also not beapplicable for staff who perform nondestructiveexaminations.

3.2.3 Records and Documentation

. Documentation, such as procedures and designpackages, for low safety-significant SSCs may be lessdetailed than for high safety-significant items. Inassessing the level of detail specified in procedures oractual packages related to low safety-significant items,there should be enough evidentiary detail to maintainplant design and configuration control. Further,

0

1.176-16

sufficient records need to be maintained to evaluatefailures, to perform root cause analyses, and todetermine appropriate corrective actions.

3.2.4 Audits

Processes and work associated with low safety-significant SSCs may be audited less deeply and lessfrequently than high safety-significant activities.Surveillance, performance monitoring, self-assess-ments, trend data, or other activities may in some casesreplace formal audits in low safety-significant areas.

3.2.5 Staff Training and QualificationRequirements

The licensees may establish different training andqualification requirements for personnel performingtasks only on safety-related low safety-significantSSCs, however, those personnel would need to remainsufficiently technically proficient in their assignedarea of responsibility to provide reasonable confidencethat their tasks were adequately performed to ensurethat affected SSCs would be capable of performingtheir intended functions. The licensee must meet therequirements of the applicable regulations andtechnical specification requirements pertaining totraining programs and staff qualifications.

3.2.6 Corrective Action

The GQA effort will identify a population of lowsafety-significant, safety-related items. In accordancewith Criterion XVI, "Corrective Action," of AppendixB to 10 CFR Part 50, the timeliness of correctiveactions for these items can be prioritized commensu-rately with their safety significance.

3.2.7 Design

The licensee may choose to change selectedcommitments to previously withdrawn regulatoryguides2 or ANSI Standard N45.2.1 I (Ref. I1) for lowsafety-significant items. These changes could relate to(I) the need to consider all design input aspects asstated in Section 3.2 of ANSI N45.2.11, insteadreplacing this need with the need to prepare adocumented checklist for only these items deemednecessary; (2) the need to consider, and documentwhen deemed necessary, the 19 design review itemsdelineated in Section 6.3.1 of ANSI N45.2. I1; and (3)the adoption of independent design verificationprovisions contained in section 6.1 of ANSI N45.2.1 Iin lieu of the more restrictive position in previouslywithdrawn regulatory guides.- This would not obviatethe need for inter-disciplinary design reviews.

3.3 Integrated Performance Monitoring Process

The implementation of an integrated performancemonitoring process is necessary to ensure that theobserved reliability and availability of SSCs followingimplementation of GQA remains consistent with theengineering evaluation developed to support thecategorization process. The elements of an effectiveperformance monitoring process are generally discussedin Section 2.5 of Regulatory Guide 1. 174 (Ref. 3).

As discussed in this regulatory guide, GQAprograms do not follow in detail all the steps inherent inother risk-informed regulatory decisionmaking appli-cations as outlined in Regulatory Guide I. 174, becausemany of the SSCs of interest in GQA programs are notmodeled in the PRAs, and it may not be possible toquantify the effects of changed QA programs on themodeled SSCs' performance. For these reasons, alarger portion of the decisionmaking is left to thediscretion and judgment of licensee personnel whoperform the integrated assessment function (typicallyan expert panel).

In the GQA program, the "operational feedback"and "corrective action" portions of the programassume considerable importance, and their accept-ability must be pivotal in the determination of theoverall program's acceptability and effectiveness.The licensee should develop criteria for monitoringthe reliability and availability of (i) safety-related,low safety-significant and (2) non-safety-related,high safety-significant SSCs based upon risk insightsdeveloped during the safety-significance categoriza-tion process. The level of monitoring (e.g., SSC,train, system) should provide the capability todetermine whether and when the reliability andavailability of safety-related, low safety-significantand non-safety-related, high safety-significant SSCsdeteriorates to unacceptably low levels and shouldinclude trending aspects intended to identifydeteriorating performance. As QA programs addressa broad spectrum of plant activities, the monitoringprocess should address monitoring of both planthardware (SSCs) and the effectiveness of the processand the organization.

3.3.1 Operational Feedback Process

The GQA program should include a feedbackprocess (which is generally performed by licenseesirrespective of GQA) to evaluate plant and industryoperational experience and the potential need to reviseSSC safety-significance categorizations or QAcontrols. Sources of information that should be used toprovide input to this feedback process include:

1.176-17

Operating Experience: Sources of operatingexperience data include licensee performanceindicators, NRC generic communications, Insti-tute of Nuclear Power Operations (INPO) andElectric Power Research Institute (EPRI) designreliability data, Systematic Assessment of Lic-ensee Performance (SALP) reports, licensee eventreports (LERs), NRC inspection reports, equip-ment maintenance histories, plant performancereviews, reliability and unavailability data,equipment performance or condition trendingdata, and quality assurance assessments. Theindustry-wide data should be evaluated forconsistency with PRA assumptions, systemunavailabilities, and other plant-specific data.

Plant Modifications and SSC Replacements:Plant modifications, as well as SSC replacementsand parts thereof, might affect the safety-significance determination or selection of QAcontrols for low safety-significant SSCs. Accord-ingly, the GQA program should include provisionsto periodically review plant modifications withrespect to their potential impact on safety-significance determinations. Alternatively, thedesign change process may include provisions toverify that changes do not affect SSC safetysignificance or associated QA controls.

Reliability and Availability Monitoring: Thelicensee should develop a living PRA or defineperformance thresholds based on ensuring, to theextent possible, that the equipment performanceassumptions used in the PRA and upon which mostof the safety categorization is based remain valid.The staff expects that licensees will integrate, or atleast coordinate, their monitoring for risk-informed changes with existing programs formonitoring equipment performance and otheroperating experience on their site and throughoutthe industry. In particular, monitoring that isperformed as part of the Maintenance Ruleimplementation can be used when the monitoringperformed under the Maintenance Rule issufficient for the SSCs affected by GQA. As GQArequires monitoring of SSCs not included in theMaintenance Rule, or requires a greater resolutionof monitoring than the Maintenance Rule(component vs. train- or plant-level monitoring), itmay be advantageous for a licensee to adjust theMaintenance Rule monitoring program rather thanto develop additional monitoring programs forGQA purposes. Section 2.3, "Element 3: DefineImplementation and Monitoring Program," ofRegulatory Guide 1.174 provides amplifyingguidance in this area.

A program assessment, which could be accom-plished in conjunction with similar Maintenance Ruleprovisions, should be performed to ensure that theoverall GQA process (activities associated with safety-significance determination, grading of QA controls,implementation of performance monitoring, andapplication of corrective actions) is being effectivelyimplemented and provides insights into whether theGQA program needs improvements. As part of theassessment, (I) plant deficiencies should be evaluated,and (2) the bases for (a) the safety-significancecategorizations (e.g., the PRA model and assumptions)and (b) the assignment of QA controls to each categoryshould be evaluated to determine whether theycontinue to reflect plant design and operatingpractices. This assessment should not be performed ina graded manner and should be considered to be ahigh safety-significant activity as it serves to confirmthe integrity of the GQA process implementation.

3.3.2 Corrective Actions

The licensee's GQA program should includecomprehensive and effective corrective action and rootcause analysis processes. Failures of safety-related,low safety-significant SSCs and non-safety-related,high safety-significant SSCs should be identifiedthrough operational feedback or trending processes sothat the licensee can ascertain whether the SSC'sunacceptable performance may be attributed todeficient QA controls or practices. Licensee correctiveaction or trending programs should identify anddetermine the apparent cause of failures of SSCs todetermine whether licensee-established performancecriteria or quality elements need to be changed. If thefailure is determined to apply generically to otherSSCs,-or the failure represents a potential commoncause concern for similar equipment installed inmultiple systems, or if an excessive number of failuresoccurs that exceed licensee-established thresholds,then further licensee evaluations are warranted. Anapparent cause determination is warranted to screenthe failures in order to ascertain the necessity toperform more in-depth evaluations.

The SSC risk-categorization methodology couldbe affected by the SSC reliability and unavailabilityassumptions. These assumptions also could affectfinal categorization decisions to the extent thatreliability and unavailability were used as a licenseecriterion for determining the safety significance of anSSC that fails or exhibits a declining performancetrend. Both the probabilistic and non-probabilisticmethods previously used should be re-evaluated whenthere is significant disparity between the analysisassumptions and the observed data. The GQA

1.176-18

program controls should be evaluated to determinewhether they need to be strengthened as a result of thefailures. Based upon positive performance monitoringresults, the licensee may further evaluate both safety-significance categorization and assignment of QAcontrols to identify situations in which they may befurther relaxed. Such changes would be evaluated andreviewed by the staff as necessary, as discussed inother sections of this guide.

When a safety-related SSC has been categorized aslow safety significant and, because of events such asplant modifications, reanalysis, or human errors, it isdetermined that the SSC should now be categorized ashigh safety significant, the licensee should takeappropriate corrective action and evaluate theacceptability of the GQA controls applied to the SSCwhile categorized as low safety significant. Thisevaluation should be documented and should addressthe impact, if any, on the SSC as a result of applyingGQA controls and should identify any GQA controlsthat need to be adjusted in order to provide assurancethat the SSC will perform its safety functions. Thelicensee should maintain documented justificationconcerning the adequacy of the GQA controls applied tothe SSC that is now categorized as high risk significant.

3.4 Change Control for ImplementingProcedures

The licensee QA program for GQA will provide ahigh-level characterization of the GQA programelements as further discussed in Regulatory Position4.1. As part of the implementation process for GQA, anumber of procedures will be developed by thelicensee for activities associated with elements of theGQA program. This would include procedures foraspects of the GQA program such as safety-significance determination, monitoring, workinggroup, and expert panel functions, as appropriate. Asthese procedures will be considering important aspectsof the GQA program that the staff will review, it isnecessary that the procedures have an appropriatechange control applied to them so the staff is informedof significant changes. Any procedure change thatimpacts on the QA program description must beassessed with respect to 10 CFR 50.54(a) (seeRegulatory Positions I and 3.1.1 of this guide). TheFSAR must incorporate by reference the GQAimplementing procedures so that procedure changeswill be controlled in accordance with 10 CFR 50.59.

4. ELEMENT 4: DOCUMENTATION

The recommended contents of a plant-specific,risk-informed GQA submittal are presented in this

section. The guidance is intended to help ensure thecompleteness of the information provided and to aid inshortening the time needed for the review process.Additional guidance on style, composition, andspecifications of safety analysis reports is provided inthe Introduction of Revision 3 of Regulatory Guide1.70, "Standard Format and Content of Safety AnalysisReports for Nuclear Power Plants (LWR Edition)"(Ref. 12).

4.1 Licensee Submittal Documentation

To support the staff's conclusion that the proposedchange is consistent with the key principles of risk-informed regulation and NRC staff expectations, thefollowing information is expected to be submitted tothe NRC.

4.1.1 GQA Program Change

The licensee's existing QA program descriptioncontained in, or referenced by, the FSAR should berevised to describe the GQA program provisions. Thesubmittal containing the proposed GQA provisionsshould contain the following.

(1) A discussion of the essential implementationelements of the GQA program, the scope ofpotential SSCs that may be in the GQA program,and the basis for concluding that the overall GQAprogram provides reasonable confidence thatSSCs remain capable of performing their intendedfunction.

(2) An overview discussion of the process andguidelines developed by the licensee to determinethe safety-significance categorization of all SSCswithin the GQA program scope as defined in thisregulatory guide.

(3) A statement of the role of the staff who perform theintegrated assessment function (expert panel).

(4) The process for determining the QA controls beingapplied to each safety-significance category ofSSCs.

(5) A description of the adjustments proposed as partof the GQA program and how the requirements ofeach of the criterion of Appendix B to 10 CFR Part50 will be satisfied in a graded manner. Thedescription should identify any exceptions toexisting QA program commitments (such asregulatory guides).

1.176-19

(6) A discussion of how augmented QA controls fornon-safety-related SSCs categorized as high safetysignificant will be determined.

(7) A discussion of the operational feedback andenhanced corrective action mechanisms andprocesses to adjust both safety-significancecategorization of SSCs and the associated QAcontrols.

(8) A discussion of the performance monitoringprocess, along with the SSC functional perfor-mance and availability attributes that form thebasis of the proposed change.

4.1.2 Supplemental Information

In addition to the submittal of the QA programchange, the licensee should submit documentationthat, although not incorporated into the QA programitself, will be needed by the staff to help determine theacceptability of the program. These documents shouldinclude:

(I) A full set of the records and analyses related to thecategorization of one system. This documenta-tion should include all supporting informationdeveloped and used during the process, alldocumented deliberations and justificationsdeveloped by the relevant panels, and the resultsof the categorization for all SSCs in the system.The submitted information should only includedocumentation that the licensee intends tomaintain in support of future program changesand NRC inspections.

(2) Plant procedures and instructions that provide theprogrammatic guidance to the utility staff on theSSC categorization, monitoring, and feedback thatwill be implemented in support of the GQAprogram.

(3) The methodology, PRA change summary, andresults of the bounding analysis, augmented by adiscussion of the nonquantified aspects of theGQA program that are expected to provide a safetybenefit. The scope, in terms of systems included inthe bounding analysis, should be discussed. If thebounding analysis was performed on a limitednumber of systems, the systems should be clearlyidentified.

(4) A description of the licensee process to ensurePRA quality, a discussion as to why the PRA is ofsufficient quality to support the categorizationprocess, and the results of all peer or industryreviews of the PRA.

(5) Applicable documentation discussed in Section3.3, "Cumulative Risk," of Regulatory Guide1. 174 (Ref. 3).

(6) A description of how the proposed change impacts

any licensee commitments.

4.2 Plant Data and Engineering Evaluation

Licensees may submit the following informationas a separate document to support the proposed GQAsubmittal. This information should be available forstaff review at the licensee's offices.

4.2.1 Systems Pertinent to GQA

Summarize design and operating features ofsystems in which changes to the QA program areplanned, as well as systems supported by the systems inwhich changes to the QA program are planned. Foreach system, include a table summarizing the keydesign and operating data. Values that are used in theanalysis should be identified and justified. Refer toappendices or other documents (e.g., specific sectionsof the FSAR or design basis documents) as necessaryfor more details. Systems to be considered shouldinclude the pertinent portions of all systems modeled inthe plant-specific probabilistic analysis.

4.2.2 Status of SSCs

All SSCs whose QA program control is proposedto be changed should be listed and should include (at aminimum) the plant's SSC label, the current QAcategorization (by default all safety-related SSCs willinitially have a "high" QA categorization), theproposed QA categorization, associated correlationwith system functions, and a brief explanation of thejustification for the proposed change.

4.2.3 Plant Operating Experience

Summarize any major events involving failures ifthe occurrence was attributable to inadequate orimproperly applied QA controls at this plant. Includein this summary any lessons learned from these eventsand indicate actions taken to prevent or minimizerecurrence of the events.

4.2.4 Engineering Evaluation

The categorization process is considered anengineering analysis, and as such, the completedanalysis should be considered a quality record. Inaddition to the submittal documentation discussedin Regulatory Position 4.1, Regulatory Guide 1.174(Ref. 3) provides guidance on documentation that may

0

1.176-20

be required to support a risk-informed application.The licensee should review the guidance in RegulatoryGuide i. 174 and either develop the documentation orensure that sufficient material is available that thedocumentation can be developed if requested.Additional documentation that should be available ifrequested includes:

Documentation describing the methods andtechniques used for developing quantitative andqualitative risk insights used to support the safety-significance categorization of SSCs.

* Documentation corresponding to the sampledocument submitted (described in (1) in Regula-

tory Position 4.1.2) for all systems that havebeen categorized.

" A description of how the importance measureswere calculated and used (including the guidelinesto categorize if applicable). This informationshould be augmented by technical description onhow the limitations associated with the use ofimportance measures were communicated to theexpert panel and resolved.

* Important assumptions, including SSC functionalcapabilities and performance attributes, that play akey role in supporting the acceptability of the QAprogram change and that are used in themonitoring and feedback program.

1.176-21

REFERENCES

1. USNRC, "Use of Probabilistic Risk AssessmentMethods in Nuclear Activities: Final PolicyStatement," Federal Register, Vol. 60, p. 42622(60 FR 42622), August 16, 1995.

2. "Development of Graded Quality AssuranceMethodology," SECY-95-059, March 10, 1995.1

3. USNRC, "An Approach for Using ProbabilisticRisk Assessment in Risk-Informed Decisions onPlant-Specific Changes to the Licensing Basis,"Regulatory Guide 1.174, July 1998.2

4. Letter from James L.Milhoan (NRC) to WilliamRasin (Nuclear Energy Institute), June 15, 1994.'

5. "Graded Quality Assurance/Probabilistic RiskAssessment Implementation Plan for the SouthTexas Project Electric Generating Station,"SECY-97-229, October 6, 1997.1

'Copies are available for inspection or copying for a fee from the NRCPublic Document Room at 2120 L Street NW., Washington. DC; thePDR's mailing address is Mail Stop LL-6, Washington, DC 20555;telephone (202)634-3273; fax (202)634-3343.

- Single copies of regulatory guides, both active and draft, and draftNUREG documents may be obtained free of charge by writing theReproduction and Distribution Services Section, OCIO, USNRC,Washington, DC 20555-0001, or by fax to (301)415-2289, or by email [email protected]. Active guides may also be purchased from theNational Technical Information Service on a standing order basis. Detailson this service may be obtained by writing NTIS, 5285 Port Royal Road,Springfield, VA 22161. Copies of active and draft guides are available forinspection or copying for a fee from the NRC Public Document Room at2120 L Street NW., Washington, DC; the PDR's mailing address is MailStop LL-6, Washington, DC 20555; telephone (202)634-3273: fax(202)634-3343.

6. American National Standards Institute (ANSI),"Quality Assurance Requirements for Control ofProcurement of Items and Services for NuclearPower Plants," N45.2.13, published by theAmerican Society of Mechanical Engineers, 1976.

7. USNRC, "Quality Assurance Requirements forPackaging, Shipping, Receiving, Storage, andHandling of Items for Water-Cooled NuclearPower Plants," Regulatory Guide 1.38, Revision 2,May 1977.'

8. ANSI, "Requirements for Auditing of QualityAssurance Programs for Nuclear Power Plants,"ANSI N45.2.12, 1977.

9. ANSI, "Packaging, Shipping, Receiving, Storageand Handling of Items for Nuclear Power Plants(During the Construction Phase)," ANSI N45.2.2,1972.

10. American Nuclear Society (ANS), "Administra-tive Controls and Quality Assurance for theOperational Phase of Nuclear Power Plants," ANS3.2/ANSI 18.7, American Nuclear Society, 1976.

11. ANSI, "Quality Assurance Requirements for theDesign of Nuclear Power Plants," ANSI N45.2.11,1974.

12. USNRC, "Standard Format and Content of SafetyAnalysis Reports for Nuclear Power Plants (LWREdition)," Regulatory Guide 1.70, Revision 2,November 1978.2

1.176-22

REGULATORY ANALYSIS

A draft regulatory analysis was published with the draft of this guide, DG- 1064,when it was issued for public comment in June 1997. No significant changes werenecessary from the original draft, so a separate value/impact statement for this finalRegulatory Guide 1.176 has not been prepared. A copy of the draft regulatoryanalysis is available for inspection or copying for a fee in the Commission's PublicDocument Room at 2120 L Street NW, Washington, DC, under Task DG- 1064.

n recycledpaper ' -

Federal Recycling Program

1.176-23

UNITED STATESNUCLEAR REGULATORY COMMISSION

WASHINGTON, DC 20555-0001

FIRST CLASS MAILPOSTAGE AND FEES PAID

USNRCPERMIT NO. G-67

OFFICIAL BUSINESSPENALTY FOR PRIVATE USE, $300

Documents

August REGULATORY GUIDE - Nuclear Regulatory Commission · nuclear industry have recognized that PRA has evolved to the point that it may be used as a tool in regulatory decisionmaking