
Reliability Engineering and System Safety 63 (1999) 243–249

Probabilistic safety assessment support for the maintenance rule at Duke Power Company

H. Duncan Brewer*, Ken S. Canady
Duke Power Company, Nuclear Generation Department, Mail Stop ECO8I, PO Box 1006, Charlotte, NC 28201-1006, USA

Abstract

The Nuclear Regulatory Commission (NRC) published the Maintenance Rule on July 10, 1991 with an implementation date of July 10, 1996 [1]. Maintenance rule implementation at the Duke Power Company has used probabilistic safety assessment (PSA) insights to help focus the monitoring of structures, systems and components (SSC) performance and to ensure that maintenance is effectively performed. This paper describes how the probabilistic risk assessment (PRA)¹ group at the Duke Power Company provides support for the maintenance rule by performing the following tasks: (1) providing a member of the expert panel; (2) determining the risk-significant SSCs; (3) establishing SSC performance criteria for availability and reliability; (4) evaluating past performance and its impact on core damage risk as part of the periodic assessment; (5) providing input to the PRA matrix; (6) providing risk analyses of combinations of SSCs out of service; (7) providing support for the SENTINEL program; and (8) providing support for PSA training. These tasks are not simply tied to the initial implementation of the rule. The maintenance rule must be kept consistent with the current design and operation of the plant. This will require that the PRA models and the many PSA calculations performed to support the maintenance rule are kept up-to-date. Therefore, support of the maintenance rule will be one of the primary roles of the PSA group for the remainder of the life of the plant. © 1999 Elsevier Science Ltd. All rights reserved.

Keywords: Maintenance rule; On-line maintenance; PRA matrix; Performance criteria; Probabilistic safety assessment; Expert panel

1. Introduction

The Nuclear Regulatory Commission (NRC) published the Maintenance Rule on July 10, 1991, as 10 CFR Part 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, with an implementation date of July 10, 1996 [1]. The maintenance rule was issued to address the NRC's concern that maintenance was not being performed accurately and consistently on structures, systems and components (SSCs) important to plant safety. However, the scope of the rule transcends maintenance issues to prescribe an overall management program for plant systems important to plant safety. Maintenance rule implementation at the Duke Power Company has used probabilistic safety assessment (PSA) insights to help focus monitoring of SSC performance and to ensure that maintenance is performed effectively. PSA is used to determine the maintenance rule 'risk-significant SSCs' and to establish performance criteria. It is also used to evaluate the balance of availability and reliability and to assess plant safety impact prior to removing SSCs from service. This paper focuses on how the probabilistic risk assessment (PRA) group at the Duke Power Company provides support for the maintenance rule by performing the following tasks:

- Providing a member of the expert panel.
- Determining the risk-significant SSCs.
- Establishing SSC performance criteria for availability and reliability.
- Evaluating past performance and its impact on core damage risk as part of the periodic assessment.
- Providing input to the PRA matrix.
- Providing risk analyses of combinations of SSCs out of service.
- Providing support for the SENTINEL program.
- Providing support for PSA training.

* Corresponding author.
¹ 'PSA' generally denotes the assessment of accident frequencies, e.g. core damage frequency (CDF), and not the quantification of accident consequences, e.g. health effects, while PRA includes the quantification of consequences.

2. Member of the maintenance rule expert panel

The Duke Power maintenance rule expert panel is made up of individuals with extensive knowledge of the plant design, operations and maintenance. The panel consists of representatives from operations, civil engineering, mechanical and electrical systems engineering and PRA [2]. Duke Power relies on the expert panel to: (1) make the final determination of risk-significance; (2) establish performance criteria; and (3) develop the PRA matrix. The PRA representative is responsible for ensuring that both insights and limitations of the PRA are thoroughly understood by the panel. Expert panel meetings are called as necessary by the maintenance rule coordinator. The PRA representative must be very familiar with the maintenance rule, the PRA, and the calculations that support implementation of the maintenance rule.

0951-8320/99/$ - see front matter © 1999 Elsevier Science Ltd. All rights reserved. PII: S0951-8320(98)00039-8

3. Determining the risk-significant SSCs

The maintenance rule requires each holder of an operating license to monitor the effectiveness of maintenance at their nuclear power plant. NUMARC 93-01, 'Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants', provides the implementation guidelines for the maintenance rule [1]. One of the tasks required by NUMARC 93-01 is the development of a list of the risk-significant SSCs. This support task uses the PRA to develop a list of risk-significant SSCs and their risk-significant functions. The list is used as one input to an expert panel that has final responsibility to develop the list of risk-significant SSCs and functions for implementing the maintenance rule.

The plant PRA model is used to list and rank the basic events by their importance measures. The following criteria for determining risk-significant SSCs are described in NUMARC 93-01 [1]:

- Report all systems with a risk reduction worth (RRW) of 1.005 or greater.
- Report all systems that have a risk achievement worth (RAW) of 2.0 or greater.
- Report systems that appear in the top 90% of cutsets contributing to core damage frequency (CDF).

The RRW is the ratio of the baseline risk level to the risk level with the contributor probability set to zero. The RRW is thus a measure of the significance of a particular system failure. The risk achievement worth (RAW) is the ratio of the risk level with the contributor probability set to one to the baseline risk level. The RAW is thus a measure of the risk impact of a system being down. The risk level used for the RRW and RAW is the core damage frequency (CDF). The 'cutsets' are the minimal cutsets, i.e. the unique combinations of an initiating event and component failures that cause a core damage event.

To determine the risk-significant SSCs, Duke Power has chosen to use all three importance measures, i.e. CDF cutsets, RAW and RRW, to determine which PRA basic events should be considered for risk-significance [2]. Any basic event, e.g. a component failure, that is above any one of the NUMARC 93-01 criteria is considered potentially risk-significant. These basic events are then mapped to maintenance rule SSC definitions. Additionally, insights from the PRA are used to determine SSCs that would be important in preventing or mitigating the release of fission products following a core damage accident. This list of potentially risk-significant SSCs is then used as input by the expert panel, which makes the final determination of risk-significance.

4. Establishing SSC performance criteria for availability and reliability

NUMARC 93-01 requires that specific performance criteria be established for all risk-significant SSCs [1]. Duke Power has chosen system unavailability and maintenance preventable functional failures as the primary performance criteria for risk-significant SSCs [2]. The PRA is a useful tool for determining system performance criteria that are commensurate with the safety significance of the SSC.

4.1. System unavailability

Unavailability criteria are established for each risk-significant maintenance rule SSC. Unavailability is defined as a measure of the time a specific system is not capable of performing its intended maintenance rule function, expressed either in time or as a percentage relative to the total time the function is required. For risk-significant systems with designated trains, unavailability is monitored on the train level.

Risk-significant maintenance rule SSCs are grouped based on their relative importance to the safety functions they provide. The maintenance rule expert panel makes the final determination as to which group the SSCs belong. The PRA is used to provide insights where possible. The following groups are used:

Group 1, 0.0% unavailability: Maintenance rule SSCs for functions that cannot be or are not practical to be removed from service without causing a plant transient or an unacceptable degradation in plant safety.
Group 2, < 0.2% unavailability: Maintenance rule SSCs for functions that have very high safety significance (PRA RAW significantly greater than 5).
Group 3, < 2% unavailability: Maintenance rule SSCs for functions that have high safety significance (PRA RAW ≥ 5).
Group 4, < 4% unavailability: Maintenance rule SSCs for functions that have medium safety significance (PRA 2 ≤ RAW < 5).
Group 5, < 6% unavailability: Maintenance rule SSCs for functions that have low safety significance (PRA RAW < 2).


The following process is used to determine which PRA-based availability performance criteria group is appropriate for each maintenance rule risk-significant SSC.

1. The RAW value is determined for each risk-significant SSC function. Basic events such as human errors and common cause events may be excluded since they do not represent equipment out of service. The basic event and corresponding SSC function are placed in one of the following RAW categories:
   Very high: RAW much greater than 5
   High: RAW ≥ 5
   Medium: 2 ≤ RAW < 5
   Low: RAW < 2
2. Once the category for each risk-significant system function is determined, a sensitivity study is performed to determine the potential total impact of unavailability on risk. For each risk-significant SSC, a basic event is determined that will represent that SSC's unavailability. The availability used for each performance criteria group is as follows:
   Very high: ≥ 99.8% availability
   High: ≥ 98% availability
   Medium: ≥ 96% availability
   Low: ≥ 94% availability
   For example, a two-train, high category SSC would have to have both trains with at least 98% availability to have an acceptable performance. SSCs that are within the scope of the maintenance rule but are not considered 'risk-significant' do not have specific availability criteria.
3. The basic events representing the SSC unavailability are then put into the PRA model to determine the impact on risk. The risk impact is then evaluated against the criteria provided in the Electric Power Research Institute (EPRI) 'PSA applications guide' [3]. An additional sensitivity study is performed assuming half the allowed unavailability. Since planned unavailability is limited to one-half of the maintenance rule value, this represents the expected impact of unavailability on risk.

The results of the above process are used to demonstrate that the maintenance rule performance criteria chosen are commensurate with the safety significance of the SSC.
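The screening of Section 3 (RRW, RAW and top-90% cutset criteria) and the grouping and sensitivity study of Section 4.1 can be exercised on a small cutset model. The Python below is an added illustration written for this page, not Duke Power's PRA model or calculation: the basic events, probabilities and minimal cutsets are constructed; the 'very high' boundary of RAW ≥ 20 is an assumed stand-in for the paper's 'significantly greater than 5'; and SSC unavailability is represented by adding the allowed unavailability to the component's own basic-event probability, which under the rare-event approximation is equivalent to a separate unavailability event ORed with the failure.

```python
import math

# Constructed toy PRA model, not Duke Power's: basic-event probabilities ("IE_*"
# are annual initiating-event frequencies) and the minimal cutsets for core damage.
EVENTS = {
    "IE_LOOP": 0.05, "IE_TRANS": 1.0,      # initiating events, per year
    "EDG_A": 0.02, "EDG_B": 0.02,          # emergency diesel generators fail on demand
    "AFW_MD": 0.005, "AFW_TD": 0.02,       # motor- and turbine-driven aux feedwater trains
    "SW_A": 0.01, "SW_B": 0.006,           # service water trains
    "HPI": 0.001, "PORV": 0.1,             # high-pressure injection, relief valve
    "OP_REC": 0.1,                         # operator fails to recover offsite power (human error)
}
INITIATORS = {e for e in EVENTS if e.startswith("IE_")}
HUMAN_ERRORS = {"OP_REC"}   # excluded from the equipment RAW grouping (Section 4.1, step 1)
CUTSETS = [
    frozenset({"IE_LOOP", "EDG_A", "EDG_B"}),          # 2.0e-5 /yr
    frozenset({"IE_TRANS", "AFW_MD", "AFW_TD"}),       # 1.0e-4 /yr
    frozenset({"IE_LOOP", "AFW_TD", "OP_REC"}),        # 1.0e-4 /yr
    frozenset({"IE_LOOP", "SW_A", "SW_B"}),            # 3.0e-6 /yr
    frozenset({"IE_TRANS", "PORV", "AFW_MD", "HPI"}),  # 5.0e-7 /yr
]

def cutset_value(cutset, probs):
    return math.prod(probs[e] for e in cutset)

def cdf(probs):
    """Core damage frequency as the sum of minimal cutsets (rare-event approximation)."""
    return sum(cutset_value(c, probs) for c in CUTSETS)

def importance(event, probs=EVENTS):
    """(RAW, RRW) as defined in Section 3:
    RAW = CDF(event = 1) / CDF_base,  RRW = CDF_base / CDF(event = 0)."""
    base = cdf(probs)
    return cdf({**probs, event: 1.0}) / base, base / cdf({**probs, event: 0.0})

def events_in_top_cutsets(probs=EVENTS, fraction=0.90):
    """Events in the highest-ranked cutsets that together reach `fraction` of CDF."""
    ranked = sorted(CUTSETS, key=lambda c: cutset_value(c, probs), reverse=True)
    target, covered, cumulative = fraction * cdf(probs), set(), 0.0
    for cutset in ranked:
        if cumulative >= target:
            break
        covered |= cutset
        cumulative += cutset_value(cutset, probs)
    return covered

def screen(event):
    """NUMARC 93-01 criteria: RRW >= 1.005, RAW >= 2.0, or present in the top 90% of
    cutsets.  Returns the criteria met; an empty list means not risk-significant."""
    raw, rrw = importance(event)
    reasons = []
    if rrw >= 1.005:
        reasons.append("RRW")
    if raw >= 2.0:
        reasons.append("RAW")
    if event in events_in_top_cutsets():
        reasons.append("top-90%-cutsets")
    return reasons

def risk_significant_events():
    """Potentially risk-significant basic events, the input to the expert panel."""
    screened = {e: screen(e) for e in EVENTS if e not in INITIATORS}
    return {e: r for e, r in screened.items() if r}

# Section 4.1 grouping.  The paper gives no number for "RAW significantly greater
# than 5"; 20 is an assumed working threshold for this example only.
VERY_HIGH_RAW = 20.0
MIN_AVAILABILITY = {"very high": 0.998, "high": 0.98, "medium": 0.96, "low": 0.94}

def raw_category(raw):
    if raw >= VERY_HIGH_RAW:
        return "very high"
    if raw >= 5.0:
        return "high"
    if raw >= 2.0:
        return "medium"
    return "low"

def unavailability_sensitivity(event):
    """Steps 2-3 of Section 4.1: categorise the SSC by RAW, then add the allowed
    unavailability (and half of it, the planned-maintenance limit) to its basic
    event and report the CDF increase."""
    category = raw_category(importance(event)[0])
    allowed = 1.0 - MIN_AVAILABILITY[category]
    base = cdf(EVENTS)
    full = cdf({**EVENTS, event: EVENTS[event] + allowed}) - base
    half = cdf({**EVENTS, event: EVENTS[event] + allowed / 2}) - base
    return {"category": category, "min_availability": MIN_AVAILABILITY[category],
            "delta_cdf_full": full, "delta_cdf_half": half}

def performance_criteria():
    """Availability criteria for every risk-significant equipment SSC."""
    return {e: unavailability_sensitivity(e)
            for e in risk_significant_events() if e not in HUMAN_ERRORS}

if __name__ == "__main__":
    print(f"baseline CDF = {cdf(EVENTS):.3e} /yr")
    for event, r in performance_criteria().items():
        raw, rrw = importance(event)
        print(f"{event:8s} RAW={raw:6.2f} RRW={rrw:6.3f} {r['category']:9s} "
              f">= {r['min_availability']:.1%}  dCDF={r['delta_cdf_full']:.2e}")
```

In this constructed model PORV fails all three criteria and drops out, HPI is screened in by RAW alone, the service water trains by RRW and RAW, and the diesels and feedwater trains by all three; OP_REC is risk-significant but, as a human error, is left out of the RAW grouping. The comparison of the resulting CDF increases against the EPRI PSA applications guide criteria [3] (step 3) is not coded, since the paper gives no numeric value for it.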
4.2. System reliability

Reliability performance criteria are established for all risk-significant SSCs. Reliability of a SSC function is the measure of the ability to perform its intended maintenance rule function upon demand from the standby mode or to continue to provide the function while in operating mode. Maintenance preventable functional failures (MPFFs)² are used as a surrogate for reliability.
Risk-significant maintenance rule SSCs are grouped based on their relative importance to the safety functions they provide. The maintenance rule expert panel determines to which group the SSCs belong. The PRA is used to provide insights where possible. The following groups are used:

No MPFFs per 18 months: Maintenance rule SSCs for functions that cannot be or are not practical to be removed from service without causing a plant transient or an unacceptable degradation in plant safety.
No MPFFs per 18 months: Maintenance rule SSCs for functions that have very high safety significance (PRA RAW significantly greater than 5).
No more than 1 MPFF per 18 months: Maintenance rule SSCs for functions that have high safety significance (PRA RAW ≥ 5).
No more than 2 MPFFs per 18 months: Maintenance rule SSCs for functions that have medium safety significance (PRA 2 ≤ RAW < 5).
No more than 2 MPFFs per 18 months: Maintenance rule SSCs for functions that have low safety significance (PRA RAW < 2).
No more than 4 MPFFs per 18 months: Any specific combination of maintenance rule-grouped SSC functions, whether risk-significant or non-risk-significant.

The MPFF criteria are established to identify when maintenance improvements are needed to improve the reliability of the SSC. The numerical values selected are based on information contained in EPRI Technical Bulletin 96-1101, 'Monitoring Reliability for the Maintenance Rule' [4]. Generally, the intent is to recognize that an eighteen month period is inadequate to statistically determine the reliability of an SSC and that even an adequately performing SSC will occasionally experience one or two failures as random events. No attempt has been made by Duke Power to show the PRA impact of all maintenance rule SSCs having the maximum allowed number of failures in a single cycle. Instead, Duke Power has committed to perform a cycle-specific PRA update as part of the periodic assessment.

The calculation for unavailability performance criteria also forms the basis for the reliability grouping of maintenance rule SSCs. In some special cases the maintenance rule coordinator may request system or component-specific reliability performance criteria that are different from the criteria indicated by the grouping method. These are performed on a case-by-case basis.

² A MPFF is a functional failure of a structure, system or train within the scope of the maintenance rule in performing its intended function, whether in operation or standby, where the cause of this failure is maintenance-preventable.

Fig. 1. Example of a PRA matrix.
5. Evaluating past performance and its impact on core damage risk as part of the periodic assessment

Part A(3) of the maintenance rule requires that a periodic assessment of the effectiveness of the maintenance rule program be performed [1]. As part of the maintenance rule periodic assessment, the risk impact of actual SSC unavailability and functional failures over the assessment period is evaluated using the plant PRA models and appropriate statistical analysis methods [2]. This PRA assessment considers:

- The system and component reliability impact of functional failures experienced by maintenance rule SSCs that are modeled in the plant PRA.
- The recorded unavailability of the risk-significant systems over the assessment period.

The risk impact is then evaluated against the criteria for a 'non-risk-significant' change as described in the EPRI 'PSA Applications Guide' [3]. The PRA engineer provides to the maintenance rule coordinator an assessment of the impact on plant risk of actual SSC performance for the assessment period. If the overall plant risk is significantly impacted by the actual performance, then the PRA engineer and the maintenance rule coordinator determine if corrective actions are necessary. This PRA assessment with actual historical performance also serves as verification that there is an appropriate balance between availability and reliability [2].
5.1. Providing input to the PRA matrix

A PRA matrix (Fig. 1) is used by the scheduling group and by operations to identify combinations of equipment that should not be removed from service at the same time [5]. This review of out of service equipment and the potential impact on safety is required by part A(3) of the maintenance rule which states: 'in performing monitoring and preventive maintenance activities, an assessment of the total plant equipment that is out of service should be taken into account to determine the overall effect on performance of safety functions'. The Duke Power PRA matrix was developed by the maintenance rule expert panel. The panel attempted to develop a matrix that will protect safety function redundancy, will protect the ability to mitigate transients and will protect against important PRA sequences. The matrix identifies combinations of systems that should not be out of service at the same time (RED on the matrix) and combinations of systems that would be allowed out of service at the same time but are related in some way that could affect safety (YELLOW on the matrix). Generally, interactions that are blank (or WHITE) were considered to be acceptable.

Table 1
Increase in CDF (per hour)        Allowable unavailability time
5 × 10⁻⁷ – 1 × 10⁻⁷               up to 12 h
1 × 10⁻⁷ – 1 × 10⁻⁸               up to 60 h
1 × 10⁻⁸ – 1 × 10⁻⁹               up to 600 h
1 × 10⁻⁹ – 1 × 10⁻¹⁰              up to 6000 h
< 1 × 10⁻¹⁰                       no particular limit

The PRA is a valuable tool to validate the PRA matrix. The PRA model is used to quantify the risk when combinations of equipment are out of service at the same time. RAW values for each intersection on the matrix are then calculated and displayed.

The following guidelines are used to determine if the plant PRA model suggests that the type of interaction identified is a risk-significant combination that should be avoided:

- Does the combination of equipment out of service (matrix intersection) produce a high CDF, > 1 × 10⁻³? Intersections with a large CDF due to the combination of SSCs should be identified on the matrix.
- Is the risk increase for the combination of SSCs due to multiplication of the impact of each individual SSC? The risk increase (RAW) for A and B may be summed with the following equation:

$(A_{RAW} - 1) + (B_{RAW} - 1) = (C_{RAW} - 1)$

In the above, $A_{RAW}$ is the relative risk increase for function A, $B_{RAW}$ is the relative risk increase for function B, and $C_{RAW}$ is the relative risk increase for functions A and B. The above relationship is derived from the definition of the relative risk increase worth (RAW), which is the sum of the minimal cutset contributions containing the function, with the function failed, divided by the baseline risk value.

If the risk increase is due to addition, the two functions have very little interaction with each other and it does not matter whether they are taken out together or separately. The total risk impact will be the same. However, if the RAW for the combination of the two SSCs is greater than would be obtained through addition, then there must be some risk multiplying effect of having both out at the same time. These intersections are identified as a risk-significant combination that should be avoided.
6. Providing risk analyses of combinations of SSCs out of service

From time to time, plant personnel may wish to perform maintenance on combinations of equipment that are not allowed by the PRA matrix. They may contact the PRA group for an evaluation of the actual risk impact of the proposed maintenance. To evaluate the impact, the PRA engineer will do the following.

To better understand the interaction, the PRA engineer will first review the matrix interaction basis and system/equipment functions list. The engineer will also ask questions to determine if there are any other factors to consider. For example, in evaluating an interaction associated with two sources of emergency power, the engineer should consider whether the other sources of emergency power are available as well as the potential for severe weather that would increase the likelihood of needing emergency power during the time of the proposed maintenance. The engineer should have a questioning attitude, so that no pertinent data is overlooked.

The assessment will consider the three components of risk:

- initiating event frequency,
- core damage prevention capability, and
- containment performance.

If the proposed unavailability affects an initiating event frequency, this needs to be accounted for in the analysis. The failure probability of the basic event representing the equipment of interest is then set to a value of 1.0 and the model is evaluated to determine the increase in CDF. The analysis should also consider any effect on containment performance and the potential for an increase in the likelihood of a large, early release.

Table 1 is used for evaluating the quantitative impact of a proposed combination of equipment unavailabilities on the change in core damage frequency. Note that the total increase in risk is limited to 6 × 10⁻⁶. This is the increase in core damage probability during the allowable unavailability time. This is below the 'potentially risk-significant threshold' of 1 × 10⁻⁵ for temporary changes as listed in the EPRI 'PSA applications guide' [3], but close enough that non-quantitative factors should be assessed. Examples of non-quantitative arguments that might influence the decision to allow maintenance include any qualitative factors not accounted for in the PRA, recent performance of key systems or components, or the safety benefit obtained but not accounted for in the PRA model.

A distinction should be made between activities that are routine versus those that are non-routine. Routine plant activities and configurations are generally well understood and analyzed. Non-routine activities and evolutions are not well analyzed and require extra care and site management review. 'Extra care' may include identifying compensatory measures (such as additional surveillance testing, ensuring protection of an alternate mitigating system, alternate alignments, etc.) which can be taken to help control risk.

Fig. 2. Example of a PSA insights poster.
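The two matrix guidelines of Section 5.1 (the high-CDF check and the additive RAW relationship) and the Table 1 evaluation of this section can be combined into one screening routine. The Python below is an added example written for this page, not Duke Power's matrix procedure or the SENTINEL code: the baseline CDF and the RAW values for the sample intersections are constructed inputs, the 5% tolerance on the additive comparison is an assumed allowance for model noise, and the conversion of the annual CDF increase to Table 1's per-hour units by dividing by 8760 h is an assumption of this example rather than a step the paper spells out.

```python
import math

HOURS_PER_YEAR = 8760.0
HIGH_CDF = 1.0e-3                     # "high CDF" guideline for an intersection (Section 5.1)
TEMPORARY_CHANGE_THRESHOLD = 1.0e-5   # EPRI 'potentially risk-significant' threshold [3]
# Table 1 of the paper: lower bound of each CDF-increase band (per hour) and the
# allowable unavailability time in hours.  Each band gives 6e-6 at its top value.
TABLE_1 = [(1.0e-7, 12.0), (1.0e-8, 60.0), (1.0e-9, 600.0), (1.0e-10, 6000.0)]
TABLE_1_UPPER = 5.0e-7                # increases above this are not covered by Table 1

def interaction_check(raw_a, raw_b, raw_ab, tolerance=0.05):
    """Compare the additive expectation (A_RAW - 1) + (B_RAW - 1) = (C_RAW - 1)
    with the RAW obtained for both functions failed together.  A combined RAW
    above the additive value (beyond an assumed 5% tolerance) indicates a
    risk-multiplying interaction, i.e. a combination the matrix should forbid."""
    additive = 1.0 + (raw_a - 1.0) + (raw_b - 1.0)
    return {"additive_raw": additive, "combined_raw": raw_ab,
            "multiplying_effect": raw_ab > additive * (1.0 + tolerance)}

def assess_intersection(base_cdf, raw_a, raw_b, raw_ab):
    """Apply both Section 5.1 guidelines to one matrix intersection."""
    result = interaction_check(raw_a, raw_b, raw_ab)
    result["conditional_cdf"] = raw_ab * base_cdf
    result["high_cdf"] = result["conditional_cdf"] > HIGH_CDF
    result["avoid"] = result["high_cdf"] or result["multiplying_effect"]
    return result

def allowable_hours(delta_cdf_per_hour):
    """Table 1 look-up: None above the table, math.inf for 'no particular limit'."""
    if delta_cdf_per_hour > TABLE_1_UPPER:
        return None
    for lower_bound, hours in TABLE_1:
        if delta_cdf_per_hour >= lower_bound:
            return hours
    return math.inf

def maintenance_window(base_cdf, raw_ab):
    """Section 6 quantitative evaluation of a proposed combination: the CDF increase
    with the equipment failed (basic event = 1.0), the Table 1 time, and the resulting
    core damage probability increase compared with the 1e-5 threshold."""
    delta_per_year = (raw_ab - 1.0) * base_cdf
    delta_per_hour = delta_per_year / HOURS_PER_YEAR   # assumption: annual result to per-hour units
    hours = allowable_hours(delta_per_hour)
    cdp = None if hours is None or hours == math.inf else delta_per_hour * hours
    return {"delta_cdf_per_hour": delta_per_hour, "allowable_hours": hours,
            "incremental_cdp": cdp,          # never exceeds 6e-6 by construction of Table 1
            "below_threshold": cdp is not None and cdp < TEMPORARY_CHANGE_THRESHOLD}

if __name__ == "__main__":
    base = 5.0e-5   # constructed baseline CDF, per year
    # Constructed intersections: (label, RAW of A, RAW of B, RAW with both failed)
    for label, a, b, ab in [("EDG-A / AFW-TD", 3.0, 2.5, 6.5), ("SW-A / HPI", 1.8, 1.5, 2.3)]:
        inter = assess_intersection(base, a, b, ab)
        window = maintenance_window(base, ab)
        print(f"{label}: additive RAW {inter['additive_raw']:.2f}, combined {ab:.2f}, "
              f"multiplying={inter['multiplying_effect']}, avoid={inter['avoid']}")
        print(f"   dCDF/h={window['delta_cdf_per_hour']:.2e}, allowable {window['allowable_hours']} h, "
              f"dCDP={window['incremental_cdp']:.2e}, below 1e-5: {window['below_threshold']}")
```

The first constructed pair (RAW 3.0 and 2.5 individually, 6.5 together, against an additive 4.5) shows the multiplying effect the paper describes, while the second (1.8, 1.5 and 2.3) is additive and would not be flagged. For the first pair at a 5 × 10⁻⁵ per year baseline the per-hour increase falls in the 60 h band of Table 1, giving an incremental core damage probability of about 1.9 × 10⁻⁶, below the 1 × 10⁻⁵ threshold but, as the text notes, close enough that the qualitative factors still have to be weighed.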

7. Providing support for the SENTINEL safety monitor

SENTINEL is an EPRI computer code designed to assist nuclear station personnel in assessing and managing risk during plant operations. One portion of SENTINEL provides an interface with the PRA models. This module is referred to as the integrated safety assessment result (ISAR) data base and contains quantitative PRA results for various plant configurations. In order to populate this data base, it is necessary to perform several solutions of a station's PRA model. The PRA model determines the core damage risk for all initiators except seismic (which is performed separately and then added to the plant model solve results). The purpose of this task is to support the population of the ISAR data base by documenting the calculated changes in core melt frequency when various components are removed from service.

First, the plant fault tree is solved with all of its maintenance-downtime associated events set to zero in order to establish a baseline group of cutsets. The new solution represents the risk level without maintenance downtime contributions. Second, the fault tree is subsequently solved with several individual components/trains taken out of service (i.e. basic event value 1) as well as with several combinations of components/trains out of service. The resulting cutsets are compared with the baseline cutsets and reviewed to determine if there are any additional recovery actions which would apply to the new cutsets. Upon completion of the initial evaluations and development of the master recovery rule file, the new cutsets are finalized by applying nonrecovery probabilities to those failed events for which repair or recovery is possible. Once the cutsets are finalized, changes to the CDF are noted and risk importance measures (RAW and RRW) are then determined for each group of cutsets.

8. PSA training for maintenance rule personnel

There are many support groups involved with maintenance rule implementation that must understand the role that PRA plays in maintenance rule implementation at Duke Power. These include system engineering, operations, work control, the maintenance rule expert panel, and plant management. In general, the training for these groups will include the following topics:

- PRA methods and tools.
- Plant specific results and insights.
- Important assumptions and limitations of PSA.
- The role that PRA has played in maintenance rule implementation.

The PSA group must support the development of training materials as requested by the maintenance rule coordinator and the training groups. Although the specific items may change, in the past they have included the following:

- PSA posters (Fig. 2).
- PSA pocket cards.
- PSA overview computer-based reading package.
- Other specific presentations as requested.

9. Conclusion

Maintenance rule implementation at the Duke Power Company has used PSA insights to help focus the monitoring of SSC performance and to ensure that maintenance is effectively performed. As changes are made to the plant, the maintenance rule must be kept consistent with the current design and operation of the plant. This requires that the PRA models and the many PSA calculations performed to support the maintenance rule must also be kept up-to-date [6]. Therefore, support of the maintenance rule will be one of the primary roles of the PSA group for the remainder of the life of the plant.

References

[1] NUMARC 93-01, Industry guideline for monitoring the effectiveness of maintenance at nuclear power plants, NUMARC, May 1993.
[2] Engineering Directives Manual 210, Requirements for monitoring the effectiveness of maintenance at nuclear power plants or the Maintenance Rule.
[3] Electric Power Research Institute (EPRI) Technical Report 105396, PSA applications guide, EPRI, August 1995.
[4] Electric Power Research Institute (EPRI) Technical Bulletin 96-1101, Monitoring reliability for the Maintenance Rule, EPRI, November 1996.
[5] Duke Power Company Work Process Manual, Procedure 607, Maintenance Rule assessment of equipment removed from service.
[6] Duke Power Company Procedure XSAA-106, Workplace procedure for assessment of station 'living PRA' validity.
