SSC categorization and its pitfalls
16 September 2013
Categorizing systems, structures and components (SSCs) in a nuclear environment simplifies administrative processes that deliver maintenance by removing the licensing details from routine work order processes. Done wrong, it can create a huge burden on nuclear component costs, conservatively quadrupling the cost of nuclear safety components in pedigrees, quality programmes and documentation.
By James August
The methods of licensing nuclear plants vary from country to country, but in the US they depend principally on three things: a plant's design, its Probabilistic Risk Assessment, and the Safety Analyses that back up a specific set of equipment, termed 'safety related' (SR) equipment.
In licensing a nuclear plant, the part of interest is the safety design. Because nuclear plant design ultimately depends on its SR equipment, SR equipment is special. SR equipment needs to provide an especially high degree of assurance that it will perform to design (in the US, additional requirements include 10 CFR 50 Appendix A Design Requirements and Appendix B Quality Assurance Requirements, with other related rules and guides). SR equipment must be designed, fabricated, procured and installed so that it has a very high probability of performing to expectation when called upon to perform. It must then be maintained that way over the life of the plant, for as long as the plant operates. For that reason, SR equipment falls under the special nuclear regulatory design and quality programmes that give that performance assurance, while also raising its cost. Nuclear equipment is thus 'pedigreed' and different from other off-the-shelf commercial grade equipment.
Workers not in a programme management position need only follow the cookbook; they do not need to worry about how nuclear assurance programmes work. Processes are well-established by now. If someone can determine the equipment's classification -- SR (or not) -- it's purely a matter of applying the right rules for that equipment to assure its performance. In the end, the only questions are (1) how to procure materials and parts for systems, structures and components (SSC) equipment work and (2) how to administer the proper levels of quality assurance controls as one does so.
The key is applying the right rules, which depends on classification, which in turn depends on the initial programme setup. If the cookbook list of SR equipment is wrong, the wrong rules are applied. This either (1) focuses nuclear safety efforts where they don't need to be, raising costs, or (2) leaves gaps in assuring nuclear SR equipment performance in critical plant applications. The former is conservative, the latter is not. In early nuclear plants in the US, the first case occurred far too often. Nuclear safety systems of thousands of SSCs, only some of which had safety functions, were treated as entirely SR, so all their equipment was bought, installed, and maintained to the highest nuclear grade. These plants still operate with huge embedded costs, principally because once a design is frozen, changing anything is very difficult. Those who operate the plants generally lack the design knowledge and licensing understanding to recode and correct it.
Coding SSC classification into a unique numeric identification scheme facilitates routine use. Coding organizes classification information. Coding may be an out-of-sight, out-of-mind activity done as an afterthought. Coding is not easy; it requires an intimate knowledge of the design basis (DB) and its analyzed design basis accidents (DBAs). Coding of a plant design is ideally done once to a very high degree of quality in the original plant; then it shouldn't change. The process needs to be understood so that as new information or needs develop, those in a position to manage a nuclear design can change it, effectively.
For nuclear plants, SSC categorization uniquely identifies equipment by system, purpose and type. In the US, 10 CFR 50.69 tells how to code SSC for nuclear safety category. Institute of Electrical and Electronics Engineers, IEEE 803, 'Recommended Practice for Unique Identification in Power Plants and Related Facilities,' 1983, cited by the NRC in 10 CFR 50.73(b)(2)(ii)(F)(1) supports one categorization method. There are others; the systems are not wholly consistent and can overlap and conflict with each other. The IEEE standard is part of a series of recommended practices, entitled the Energy Industry Identification System (EIIS), which presents a common language that permits users to code a system, structure, or component to correlate with that of another organization for reporting, comparison, or general communication purposes. A significant feature of the unique identification code is that it identifies the function at the component level and not just the hardware itself.
Safety basis of coding
Safety functions in a nuclear power plant protect the public from radiation exposure from nuclear operations or events. Although design theory can get quite complex, generally design of nuclear safety equipment includes protecting the barriers to fission product releases during normal events, and protecting various mitigating systems against releases with primary and secondary containment during 'design basis' events. All events considered in the design establish basic design requirements for nuclear safety.
Coverage of SSCs in US laws such as 10 CFR Part 50 (especially Part 50.34, 'Contents of applications; technical information', and Appendices A and B, Design Requirements and Quality Assurance Requirements) for US operating nuclear plants is based primarily on selected design-basis events evaluation, as described in final safety analysis reports (FSARs). These postulated events represent a small fraction of the potential accident sequences treated in risk assessments, but they are the worst. A risk-informed method of defining 'safety-related' and 'important to safety' has been developed. This changes the scope of what receives special operational and qualification treatment for new nuclear plants, such as the Westinghouse AP1000. This new licensed category called RTNSS -- for 'regulatory treatment of nonsafety systems' -- is similar to the category for safety related equipment. Its inclusion in the licensed PRA provides additional safety function assurance, for defence in depth.
Most of a nuclear plant is built with off-the-shelf or 'commercial grade' equipment. Being commercial grade doesn't exclude off-the-shelf equipment from nuclear pedigree requirements that assure its safety performance. Those pedigrees are developed by performing verification tasks called special treatments (see SECY98-0200, NEI 00-04 and ANS 53.1). When performed in conjunction with commercial grade equipment, those processes are termed nuclear 'dedication.'
The inability to perform various design functions leads to functional failures. Functional failure identification begins at equipment, so considering the ways that functions can be lost typically starts by looking at how the components that make up systems, contributing their functionality, can fail. The effects of potential equipment failures that can occur determine what failures need to be managed and prioritized to prevent system functional failures. Prevention requires eventually identifying tangible tasks -- things people do -- that manage failures. Assigning the tasks that do so is central to reliability planning. Coding supports this infrastructure over the life of the plant. Coding allows operators to assess equipment deterioration or failure significance quickly. It then allows support personnel to quickly manage the failure to restore the plant. That reduces the time required to operate with degraded modes or equipment, for both nuclear and non-nuclear equipment. It influences what parts are stocked, how quickly SSC can be repaired, and the staff required to do it.
Coding SSC in a plant identifies all safety-related SSC uniquely for problem reporting, failure identification, tracking, maintenance, work management (tag-out), calibration and cost controls. Another purpose is prioritization of work by nuclear safety risk. Uniquely tagging each plant item allows tracking its pedigree, problems, costs, performance issues, planned maintenance and other activities as well. This 'partition' of the plant into tagged items may also be known by other names, such as the 'master equipment list', the plant register (from its construction cost accounting), tag list (the list of tagged equipment, from operations for tag-out control), takeoff list (from construction 'takeoff' on drawings) or the plant systems-equipment hierarchy. It correlates every component or item identified on the plant's architect-engineer P&ID (process & instrumentation drawings) with a unique identifier, code or 'tag'. Component inventory can total between 30,000 and 100,000 items, depending on the level of detail. Often the coding is done in conjunction with creating a hierarchy of systems (subsystems), component types (and subtypes) and their tags. In this manner, higher-level systems (and their functions) establish which components provide the functions that contribute towards their roles.
As a coded sequence, the tag number will include at least the unit, system code, component code and sequential tag number off the P&ID. Complex coding schemes may add other information such as drawing number, key identifier and other types of information. Long tags are not convenient to hang as a tag in the plant. Tags hung in the plant need to be simple to read and mnemonic for mental simplicity. Effective tagging schemes must uniquely identify plant components. They should also be simple, additive, hierarchical in design and consistent. They are the very key to a design's related information. The best analogy in the US would be an individual's social security number: a tag uniquely identifies a piece of equipment from birth to death, and all of its roles in the plant.
Coding has a huge impact on nuclear plant operating costs. Over- or under-coding can increase the requirements for SSC components and parts, not just once, but every time the part is maintained, used or even procured. The term 'gold plated' nuclear parts may stem from past overuse of nuclear grade components and parts. Reanalysis and dedication should be used to adjust nuclear SSC classifications over the life of a plant, with better analysis. In an ideal world, the next generation of nuclear plants licensed under Part 52 in the US would come with consistently and accurately coded nuclear SSC and their parts at the start. Doing that requires accurately partitioning and dedicating SR SSC parts from the initial design well in advance of construction and initial operation. The percentage of safety-related components in US BWRs can range between 10% and 20%; for PWRs between 30% and 40%. SSC that could be more effectively coded into another safety classification, such as the lesser categories of 'safety significant' or 'non-safety related', could range from 20% to 40% for a Generation II plant in the US. Effectively coding nuclear SSC could save as much as 15% of total nuclear costs (operating costs plus amortized construction costs).
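The three preceding paragraphs describe what a tag scheme has to do: encode unit, system, component type and sequence number, stay unique across the plant, sit inside a systems-equipment hierarchy, and tie each item to the function it provides so that over- and under-coding can be found. The following Python is an added example written for this article, not code from the author or from CORE, Inc. The tag layout (unit-system-type-sequence), the system and component codes, the function-to-classification table and the six sample items are all constructed for illustration; IEEE 803 and real plant registers differ in detail.

```python
"""Tag registry and classification audit (added example, not from the article
or from CORE, Inc.). The tag layout, the codes and the sample plant data are
constructed to illustrate the article's point; real schemes such as IEEE 803
differ in detail."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical layout: <unit>-<system>-<component type>-<sequence number>.
# "1-RHR-MOV-017" reads as unit 1, RHR system, motor-operated valve, item 17.
TAG_RE = re.compile(
    r"^(?P<unit>\d)-(?P<system>[A-Z]{2,4})-(?P<ctype>[A-Z]{2,4})-(?P<seq>\d{3})$"
)

# Classifications named in the article, most stringent first.
CLASSES = ("SR", "SS", "NSR")  # safety-related, safety-significant, non-safety-related
RANK = {c: i for i, c in enumerate(CLASSES)}


@dataclass(frozen=True)
class Component:
    tag: str
    unit: int
    system: str
    ctype: str
    seq: int
    function: str       # design function the item provides
    safety_class: str   # classification coded on the item


def parse_tag(tag):
    """Split a tag into its fields, rejecting anything off-format."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"malformed tag: {tag!r}")
    return int(m["unit"]), m["system"], m["ctype"], int(m["seq"])


class TagRegistry:
    def __init__(self, function_class):
        # function -> classification the safety analysis assigns to that function
        self.function_class = function_class
        self.components = {}

    def add(self, tag, function, safety_class):
        if tag in self.components:
            raise ValueError(f"duplicate tag: {tag}")
        if safety_class not in CLASSES:
            raise ValueError(f"unknown class {safety_class!r} on {tag}")
        unit, system, ctype, seq = parse_tag(tag)
        self.components[tag] = Component(tag, unit, system, ctype, seq, function, safety_class)

    def hierarchy(self):
        """unit -> system -> component type -> sorted tags."""
        tree = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
        for c in self.components.values():
            tree[c.unit][c.system][c.ctype].append(c.tag)
        for unit in tree.values():
            for system in unit.values():
                for tags in system.values():
                    tags.sort()
        return tree

    def audit(self):
        """Tags coded more stringently (over) or less stringently (under)
        than the classification of the function they provide."""
        over, under = [], []
        for c in self.components.values():
            required = self.function_class.get(c.function, "NSR")
            if RANK[c.safety_class] < RANK[required]:
                over.append(c.tag)
            elif RANK[c.safety_class] > RANK[required]:
                under.append(c.tag)
        return sorted(over), sorted(under)

    def class_fraction(self, safety_class):
        """Share of the inventory coded to one class (the article's 10-40% figures)."""
        n = sum(1 for c in self.components.values() if c.safety_class == safety_class)
        return n / len(self.components)


def build_sample_registry():
    """Constructed sample: six items, one over-coded drain valve and one
    under-coded injection valve."""
    reg = TagRegistry({
        "ECCS injection": "SR",
        "decay heat removal": "SR",
        "seal cooling": "SS",
        "sampling": "NSR",
        "drain": "NSR",
    })
    reg.add("1-RHR-MOV-017", "ECCS injection", "SR")
    reg.add("1-RHR-MOV-018", "ECCS injection", "NSR")   # under-coded: the unsafe case
    reg.add("1-RHR-PMP-001", "decay heat removal", "SR")
    reg.add("1-RHR-VLV-101", "drain", "SR")             # over-coded: the costly case
    reg.add("1-SAM-VLV-003", "sampling", "NSR")
    reg.add("1-CCW-HX-002", "seal cooling", "SS")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    over, under = reg.audit()
    print("over-coded:", over, "under-coded:", under)
    print("SR fraction:", reg.class_fraction("SR"))
```

The audit is the point: because each tag carries the function it provides and the function carries the classification the safety analysis assigned, a mismatch between the two is mechanically detectable, and the two directions of mismatch map onto the article's two failure modes (cost in one direction, an assurance gap in the other).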
Literally, 'tagging' is done by hanging an identification tag, like a 'dog tag,' on the equipment in the plant. In the past tags were made of metal with an equipment name and identifier code. Today, a durable plastic label typically serves as a tag. Such labels resist heat and damage and embed the identifier in a coded transponder readable by operators' PDAs, so that the computer maintenance management system (CMMS) and the PDAs, which are all computerized and automated in modern plants, tie in with them. This makes many activities, like hanging tag outs or clearances, much easier or even completely automated.
The isolation of equipment for some operational reason, usually to perform maintenance, is 'tag-out.' Tag-out is also known as 'clearing' equipment, so tag-out control is also handling clearances. Operating equipment isolation groups -- isolation points, redundancies, system fluid and energy boundaries, controls and other considerations -- depend on design. Tag-out schemes must support them. Generally the tag-out goal is isolating energy from equipment so that it can be safely accessed for work. What constitutes 'energy' and 'safe' varies; tag-out philosophy also varies from country to country and from industry to industry.
CMMS work control systems often integrate a tag-out control system with work management and engineering equipment design control. In non-nuclear plants it may interface with a Distributed Control System (DCS), for seamless work control integration. Future nuclear plants will probably offer similar features, once regulatory authorities approve them.
The computer maintenance management information database contains the electronic data repository of equipment tags. Its purpose is to automatically perform many common maintenance management functions. These include tagging equipment out, tracking performance history and reporting other issues. The CMMS today replaces many former manual functions; however, it still requires the component-to-SSC relationships to be coded to work effectively. In addition to including tag-out control, it may perform parts tracking, reorder, failure and time reporting, too. Rounds support condition-based maintenance derived from condition monitoring. Effectively designed rounds will allow operators to establish equipment conditions that should be further investigated to initiate maintenance. Very often today, effective alarms for control operators with distributed control systems can be built into rounds.
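The tag-out paragraphs above describe the rule a CMMS enforces: isolation groups come from the design, a clearance is only good once every isolation point in the group is tagged, and a point cannot be returned to service while any clearance still depends on it. The Python below is an added example written for this article, not code from the author, from CORE, Inc. or from any CMMS product. The isolation groups, the tag names and the clearance identifiers are constructed; a real tag-out programme would add authorisation, independent verification and the plant's own definitions of energy and safe state.

```python
"""Clearance (tag-out) tracker (added example, not from the article or from
CORE, Inc.). Isolation groups are design data; the ones below are constructed.
Rules enforced: a clearance is active only once every isolation point in its
group carries a tag, and an isolation point may be restored (valve reopened,
breaker closed) only when no clearance, active or in progress, still depends
on it."""


class ClearanceError(Exception):
    pass


# Constructed isolation groups: equipment -> isolation points that must be
# tagged before the equipment is de-energised enough to work on.
ISOLATION_GROUPS = {
    "1-RHR-PMP-001": {"1-RHR-MOV-017", "1-RHR-MOV-018", "1-EDS-BKR-112"},
    "1-CCW-HX-002": {"1-CCW-VLV-031", "1-CCW-VLV-032"},
}


class TagOutControl:
    def __init__(self, isolation_groups):
        self.groups = isolation_groups
        self.clearances = {}  # clearance id -> {"equipment": tag, "hung": set of points}

    def request(self, cid, equipment):
        if equipment not in self.groups:
            raise ClearanceError(f"no isolation group defined for {equipment}")
        if cid in self.clearances:
            raise ClearanceError(f"clearance {cid} already open")
        self.clearances[cid] = {"equipment": equipment, "hung": set()}

    def hang_tag(self, cid, point):
        """Record a tag hung for this clearance; True once the group is complete."""
        c = self.clearances[cid]
        if point not in self.groups[c["equipment"]]:
            raise ClearanceError(f"{point} is not an isolation point for {c['equipment']}")
        c["hung"].add(point)
        return self.is_cleared(cid)

    def is_cleared(self, cid):
        """Every isolation point of the equipment's group carries this clearance's tag."""
        c = self.clearances[cid]
        return self.groups[c["equipment"]] <= c["hung"]

    def holders(self, point):
        """Open clearances (complete or still being hung) that depend on a point."""
        return sorted(cid for cid, c in self.clearances.items() if point in c["hung"])

    def can_restore(self, point):
        return not self.holders(point)

    def restore_point(self, point):
        """Return an isolation point to service; refused while any clearance needs it."""
        blockers = self.holders(point)
        if blockers:
            raise ClearanceError(f"{point} still isolates equipment under {blockers}")
        return point

    def release(self, cid):
        """Work complete: close the clearance and report which of its points
        are now free to restore (others are still held by open clearances)."""
        c = self.clearances.pop(cid)
        return sorted(p for p in c["hung"] if self.can_restore(p))


if __name__ == "__main__":
    toc = TagOutControl(ISOLATION_GROUPS)
    toc.request("C-1", "1-RHR-PMP-001")
    for p in sorted(ISOLATION_GROUPS["1-RHR-PMP-001"]):
        print(p, "cleared" if toc.hang_tag("C-1", p) else "pending")
    toc.request("C-2", "1-RHR-PMP-001")
    toc.hang_tag("C-2", "1-RHR-MOV-017")
    print("free to restore after releasing C-1:", toc.release("C-1"))
```

The design choice worth noting is that a point is held by any open clearance that has tagged it, complete or not, so a second work party part-way through hanging its own isolation cannot have a shared boundary restored from under it when the first party finishes.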
In summary, SSC categorization and coding helps manage costs over the life of a nuclear plant. Its proper performance should not be underestimated as a primary tool to manage total nuclear costs.
James August, professional engineer, VP operations at nuclear reliability plan developer CORE, Inc. Email: firstname.lastname@example.org, tel: +1 (303) 425-7408.