ML003739197

Draft Regulatory Guide DG-1061 an Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis (for Comment)
ML003739197
Person / Time
Issue date: 06/30/1997
From:
Office of Nuclear Regulatory Research
To:
References
-nr, DG-1061


Text

U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REGULATORY RESEARCH
June 1997
Division 1
Draft DG-1061

DRAFT REGULATORY GUIDE

Contact: M. A. Cunningham (301)415-6189

DRAFT REGULATORY GUIDE DG-1061
AN APPROACH FOR USING PROBABILISTIC RISK ASSESSMENT IN RISK-INFORMED DECISIONS ON PLANT-SPECIFIC CHANGES TO THE CURRENT LICENSING BASIS

This regulatory guide is being issued in draft form to involve the public in the early stages of the development of a regulatory position in this area. It has not received complete staff review and does not represent an official NRC staff position.

Public comments are being solicited on the draft guide (including any implementation schedule) and its associated regulatory analysis or value/impact statement. Comments should be accompanied by appropriate supporting data. Written comments may be submitted to the Rules and Directives Branch, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. Copies of comments received may be examined at the NRC Public Document Room, 2120 L Street NW., Washington, DC. Comments will be most helpful if received by September 30, 1997.

Requests for single copies of draft or active regulatory guides (which may be reproduced) or for placement on an automatic distribution list for single copies of future draft guides in specific divisions should be made in writing to the U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, Attention: Printing, Graphics and Distribution Branch, or by fax to (301)415-5272.

1. INTRODUCTION

The NRC's Policy Statement (Ref. 1) on probabilistic risk analysis (PRA) encourages greater use of this analysis technique to improve safety decisionmaking and improve regulatory efficiency. The NRC staff's PRA Implementation Plan describes activities now under way or planned to expand this use. These activities include, for example, providing guidance for NRC inspectors on focusing inspection resources on risk-important equipment, as well as reassessing plants with relatively high core damage frequencies for possible backfits.

Another activity under way in response to the policy statement is the use of PRA in support of decisions to modify an individual plant's current licensing basis (CLB). This regulatory guide provides guidance on the use of PRA findings and risk insights in support of licensee requests for changes to a plant's current licensing basis (e.g., request for license amendments and technical specification changes under 10 CFR 50.90-92). It does not address licensee-initiated changes to the current licensing basis which do NOT require NRC review and approval (e.g., changes to the facility as described in the FSAR which are the subject of 10 CFR 50.59). Licensee-initiated CLB changes which are consistent with currently approved Staff positions (e.g., regulatory guides, standard review plans, branch technical positions, or the Standard Technical Specifications) are normally evaluated by the staff using traditional, deterministic engineering analyses. A licensee would not be expected to submit risk information in support of the proposed change. Licensee-initiated CLB change requests that go beyond current Staff positions may be evaluated by the Staff using traditional deterministic engineering analyses as well as the risk-informed approach set forth in this regulatory guide. A licensee may be requested to submit supplemental risk information or deterministic information if such information is not submitted by the licensee.

If risk information on the proposed CLB change is not provided to the Staff, the Staff will review the information provided by the licensee to determine if the application can be approved based upon the information provided using traditional deterministic methods and will either approve or reject the application based upon the Staff's review. For those licensee-initiated CLB changes which a licensee chooses to support (or is requested by the staff to support) with risk information, this regulatory guide describes an acceptable method for assessing the nature and impact of proposed CLB changes by considering engineering issues and applying risk insights. Licensees submitting risk information (whether on their own initiative or at the request of the staff) should address each of the principles of risk informed regulation discussed in this regulatory guide. Licensees should identify how chosen approaches and methods (whether they are quantitative or qualitative, and deterministic or probabilistic), data, and criteria for considering risk are appropriate for the decision to be made.

Finally, the guidance provided here does not preclude other approaches for requesting changes to the CLB. Rather, this Regulatory Guide is intended to improve consistency in regulatory decisions in areas in which the results of risk analyses are used to help justify regulatory action. As such, the principles, process, and approach discussed herein also provide useful guidance for the application of risk information to a broader set of activities than plant-specific changes to a plant's CLB (i.e., generic activities), and licensees are encouraged to utilize this guidance in that regard.


1.1 Background

During the last several years, both the NRC and the nuclear industry have recognized that probabilistic risk assessment (PRA) has evolved to the point where it can be used increasingly as a tool in regulatory decisionmaking. In August 1995, the NRC adopted the following policy statement (Ref. 1) regarding the expanded use of PRA.

  • The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.
  • PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state-of-the-art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal of additional regulatory requirements in accordance with 10 CFR 50.109 (Backfit Rule).

Appropriate procedures for including PRA in the process for changing regulatory requirements should be developed and followed. It is, of course, understood that the intent of this policy is that existing rules and regulations shall be complied with unless these rules and regulations are revised.

  • PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.

  • The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on need for proposing and backfitting new generic requirements on nuclear power plant licensees.

In its approval of the policy statement, the Commission articulated its expectation that implementation of the policy statement will improve the regulatory process in three areas: foremost, through safety decisionmaking enhanced by the use of PRA insights; through more efficient use of agency resources; and through a reduction in unnecessary burdens on licensees.

In parallel with the publication of the policy statement, the staff developed an implementation plan to define and organize the PRA-related activities being undertaken.

These activities cover a wide range of PRA applications and involve the use of a variety of PRA methods (with variety including both types of models used and the detail of modeling needed). For example, one application involves the use of PRA in the assessment of operational events in reactors. The characteristics of these assessments permit relatively simple PRA models to be used. In contrast, other applications require the use of detailed models.

The activities described in the PRA Implementation Plan (Ref. 2) relate to a number of agency interactions with the regulated industry. With respect to reactor regulation, activities include, for example, guidance development for NRC inspectors on focusing inspection resources on risk-important equipment, and a reassessment of plants with relatively high core damage frequencies for possible backfit.


This regulatory guide focuses on the use of PRA in a subset of the applications described in the staff's implementation plan. Its principal focus, and that of the supporting staff document (draft NUREG-1602, Ref. 3), is the use of PRA findings and risk insights in decisions on proposed changes to a plant's CLB.¹ Such CLB changes are expected to result in improved reactor safety by incorporating advances in technology and lessons learned from operating experience, or fixing vulnerabilities identified through analysis or other means and, in addition, may result in the removal of unnecessarily burdensome regulatory practices.

The regulatory guide also makes use of the Commission's Safety Goal Policy Statement (Ref. 4). As discussed below, one key principle in risk-informed regulation is that increases in risk be small and do not cause the NRC Safety Goals to be exceeded. The Commission's Safety Goals (and associated quantitative health objectives (QHOs)) define an acceptable level of risk which is a small fraction (0.1%) of other risks to which the public is exposed. The acceptance guidelines defined in this regulatory guide (in Section 2.4.2) are based on subsidiary objectives derived from the Safety Goals and their QHOs.

1.2 Purpose of the Regulatory Guide

Changes to many of the activities and design characteristics in a nuclear power plant's current licensing basis require NRC review and approval. This regulatory guide provides the Staff's recommendations for utilizing risk information in support of licensee-initiated CLB changes requiring such review and approval. The guidance provided here does not preclude other approaches for requesting CLB changes. Rather, this regulatory guide is intended to improve consistency in regulatory decisions in areas in which the results of risk analyses are used to help justify regulatory action. As such, this regulatory guide, the use of which is voluntary, provides general guidance concerning one approach that the NRC has determined to be acceptable for analyzing issues associated with proposed changes to a plant's current licensing bases (CLB) and for assessing the impact of such proposed changes on the risk associated with plant design and operation. This guidance does not address the specific analyses needed for each nuclear power plant activity or design characteristic that may be amenable to risk-informed regulation.

1.3 Scope of this Regulatory Guide

This regulatory guide describes an acceptable approach for assessing the nature and impact of proposed CLB changes by considering engineering issues and applying risk insights.

Assessments should consider relevant safety margins and defense-in-depth attributes, including consideration of success criteria as well as equipment functionality, reliability, and availability. The analyses should reflect the actual design, construction, and operational practices of the plant. Acceptance guidelines for evaluating the results of such assessments are provided also. This guide also addresses implementation strategies and performance monitoring plans associated with CLB changes that will help ensure assumptions and analyses supporting the change are verified.

1 This regulatory guide uses the definition of current licensing basis in 10 CFR 54.3. That is, "Current Licensing Basis (CLB) is the set of NRC requirements applicable to a specific plant and a licensee's written commitments for ensuring compliance with and operation within applicable NRC requirements and the plant-specific design basis (including all modifications and additions to such commitments over the life of the license) that are docketed and in effect. The CLB includes the NRC regulations contained in 10 CFR Parts 2, 19, 20, 21, 26, 30, 40, 50, 51, 54, 55, 70, 72, 73, 100 and appendices thereto; orders; license conditions; exemptions; and technical specifications. It also includes the plant-specific design-basis information defined in 10 CFR 50.2 as documented in the most recent final safety analysis report (FSAR) as required by 10 CFR 50.71 and the licensee's commitments remaining in effect that were made in docketed licensing correspondence such as licensee responses to NRC bulletins, generic letters, and enforcement actions, as well as licensee commitments documented in NRC safety evaluations or licensee event reports."

Consideration of the Commission's Safety Goal Policy Statement is an important element in regulatory decisionmaking. Consequently, this regulatory guide provides acceptance guidelines consistent with the Commission's Safety Goal Policy Statement.

In theory, one could construct a more generous regulatory framework for consideration of those risk-informed changes which may have the effect of increasing risk to the public.

Such a framework would include, of course, assurance of continued adequate protection (that level of protection of the public health and safety which must be reasonably assured regardless of economic cost). But it could also include provision for possible elimination of all measures not needed for adequate protection which either do not effect a substantial reduction in overall risk or result in continuing costs which are not justified by the safety benefits. Instead NRC has chosen, in this regulatory guide, a more restrictive policy which would permit only small increases in risk, and then only when it is reasonably assured, among other things, that sufficient defense in depth and sufficient margins are maintained.

This policy is adopted because of the inherent uncertainties in PRA and to account for the fact that safety issues continue to emerge regarding design, construction, and operational matters notwithstanding the maturity of the nuclear power industry. These factors suggest that nuclear power reactors should operate routinely only at a prudent margin above adequate protection. The safety goal subsidiary objectives are used as an example of such a prudent margin.

Finally, this regulatory guide indicates an acceptable level of documentation that will enable the staff to reach a finding that the licensee has performed a sufficiently complete and scrutable analysis and that the results of the engineering evaluations support the licensee's request for a regulatory change.

1.4 Relationship to Other Guidance Documents

Directly relevant to this regulatory guide is the Standard Review Plan (SRP) designed to guide the NRC staff evaluations of licensee requests for changes to the CLB that apply risk insights, as well as selected application-specific regulatory guides and the corresponding Standard Review Plan chapters. Related regulatory guides include DG-1062 (Ref. 5) on inservice testing, DG-1064 (Ref. 6) on graded quality assurance, and DG-1065 (Ref. 7) on technical specifications. Guidance is being developed on inservice inspection of piping and will soon be issued for public comment. Draft NUREG-1602 contains reference material on issues and methods for PRA that can be used to support regulatory decisionmaking. The staff recognizes that the risk analyses necessary to support regulatory decisionmaking may vary with the relative weight that is given to the risk assessment element of the decisionmaking process. The burden is on the licensee requesting a change to their CLB to justify why the chosen risk assessment approach, methods, and data are appropriate for the decision to be made.

Regulatory guides are issued to describe to the public methods acceptable to the NRC staff for implementing specific parts of the NRC's regulations, to explain techniques used by the staff in evaluating specific problems or postulated accidents, and to provide guidance to applicants. Regulatory guides are not substitutes for regulations, and compliance with regulatory guides is not required. Regulatory guides are issued in draft form for public comment to involve the public in the early stages of developing the regulatory positions. Draft regulatory guides have not received complete staff review; they therefore do not represent official NRC staff positions.

The information collections contained in this draft regulatory guide are covered by the requirements of 10 CFR Part 50, which were approved by the Office of Management and Budget, approval number 3150-0011. The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.

2. AN ACCEPTABLE APPROACH TO RISK-INFORMED DECISIONMAKING

2.1 Risk-Informed Philosophy

In its approval of the policy statement on the use of PRA methods in nuclear regulatory activities, the Commission stated an expectation that "the use of PRA technology should be increased in all regulatory matters ... in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy." The use of risk insights in licensee submittals requesting CLB changes will assist the staff in the disposition of such licensee proposals.

The staff has defined an acceptable approach to analyzing and evaluating proposed CLB changes. This approach supports the NRC's desire to base its decisions on the results of traditional engineering evaluations, supported by insights (derived from the use of PRA methods) about the risk significance of the proposed changes. Decisions concerning proposed changes are expected to be reached in an integrated fashion, considering traditional engineering and risk information, and may be based on qualitative factors as well as quantitative analyses and information.

In implementing risk-informed decisionmaking, changes are expected to meet a set of key principles. Some of these principles are written in terms typically used in traditional engineering decisions (e.g., defense-in-depth). While written in these terms, it should be understood that risk analysis techniques can be, and are encouraged to be, used to help ensure and show that they are met. These principles are:

1. The proposed change meets the current regulations. This principle applies unless the proposed change is explicitly related to a requested exemption or rule change (i.e., a 50.12 "specific exemption" or a 2.802 "petition for rulemaking").
2. Defense-in-depth is maintained.

3. Sufficient safety margins are maintained.
4. Proposed increases in risk, and their cumulative effect, are small and do not cause the NRC Safety Goals to be exceeded.
5. Performance-based implementation and monitoring strategies are proposed that address uncertainties in analysis models and data and provide for timely feedback and corrective action.

Each of these principles should be considered in the risk-informed, integrated decisionmaking process, as illustrated in Figure 1 below.

[Figure 1. Principles of Risk-informed Regulation]

The staff's proposed evaluation approach and acceptance guidelines follow from these principles. In implementing these principles, the staff expects that:

  • All safety impacts of the proposed change are evaluated in an integrated manner as part of an overall risk management approach in which the licensee is using risk analysis to improve operational and engineering decisions broadly and not just to eliminate requirements the licensee sees as undesirable. The approach used to identify changes in requirements should be used to identify areas where requirements should be increased,¹ as well as where they could be reduced.

1 The staff is aware of, but does not endorse here, guidelines which have been developed (e.g., by NEI/NUMARC) to assist in identifying potentially beneficial changes to requirements.


  • The acceptability of proposed changes should be evaluated by the licensee in an integrated fashion that ensures that all principles are met.²

  • Core damage frequency (CDF) and large early release frequency (LERF)³ can be used as suitable metrics for making risk-informed regulatory decisions.

  • Increases in estimated CDF and LERF resulting from proposed CLB changes will be limited to small increments.

  • The scope and quality of the engineering analyses (including traditional and probabilistic analyses) conducted to justify the proposed CLB change should be appropriate for the nature and scope of the change and should be based on the as-built and as-operated and maintained plant.⁴

  • Appropriate consideration of uncertainty is given in analyses and interpretation of findings.

  • The plant-specific PRA supporting licensee proposals has been subjected to quality controls such as an independent peer review.⁵

  • Data, methods, and assessment criteria used to support regulatory decisionmaking must be scrutable and available for public review.

2.2 A Four-Element Approach to Integrated Decisionmaking

Given the principles of risk-informed decisionmaking discussed above, the staff has identified a four-element approach to evaluating proposed CLB changes. This approach, which is presented graphically in Figure 2, acceptably supports the NRC's decisionmaking process. This approach is not sequential in nature; rather it is iterative.

2 One important element of integrated decisionmaking can be the use of an "expert panel." Such a panel is not a necessary component of risk-informed decisionmaking; but when it is used, the key principles and associated decision criteria presented in this regulatory guide still apply and must be shown to have been met or to be irrelevant to the issue at hand.

3 In this context, LERF is being used as a surrogate for the early fatality QHO. It is defined as the frequency of those accidents leading to significant, unmitigated releases from containment in a time frame prior to effective evacuation of the close-in population such that there is a potential for early health effects. Such accidents generally include unscrubbed releases associated with early containment failure at or shortly after vessel breach, containment bypass events, and loss of containment isolation. This definition is consistent with accident analysis used in the safety goal screening criteria discussed in the Commission's Regulatory Analysis Guidelines.

4 Draft NUREG-1602 provides supplemental information on PRA attributes.

5 As discussed in Section 2.4.2 below, such a peer review is not a replacement for NRC review.

[Figure 2. Principal Elements of Risk-Informed, Plant-Specific Decisionmaking]

2.3 Element 1: Define the Proposed Change

Element 1 involves three primary activities. First, the licensee should identify those aspects of the plant's licensing bases that may be affected by the proposed change, including, but not limited to, rules and regulations, final safety analysis report (FSAR), technical specifications, licensing conditions, and licensing commitments. Second, the licensee should identify all SSCs, procedures, and activities that are covered by the CLB change under evaluation and consider the original reasons for inclusion of each program requirement.

When considering CLB changes, a licensee may identify regulatory requirements or commitments in its licensing bases that it believes are overly restrictive or unnecessary to ensure safety at its plant. Note that the corollary is also true; that is, licensees are expected also to identify possible cases where design and operational aspects of the plant should be enhanced consistent with an improved understanding of their safety significance.

Such enhancements should be embodied in appropriate CLB changes which reflect these enhancements. With this staff expectation in mind, the licensee should, third, identify available engineering studies, methods, codes, applicable plant-specific and industry data and operational experience, PRA findings, and research and analysis results relevant to the proposed CLB change. With particular regard to the plant-specific PRA, the licensee should assess the capability to use, refine, augment, and update system models as needed to support a risk assessment of the proposed CLB change.

The above information should be used collectively to provide a description of the CLB change and to outline the method of analysis. The licensee should describe the proposed change and how it meets the objectives of the Commission's PRA Policy Statement, including enhanced decisionmaking, more efficient use of resources, and reduction of unnecessary burden.

In addition to improvements in reactor safety, this assessment may consider benefits from the CLB change such as reduced fiscal and personnel resources and radiation exposure. In addition, the licensee should affirm that the proposed CLB change meets the current regulations, unless the proposed change is explicitly related to a proposed exemption or rule change (i.e., a 50.12 "specific exemption" or a 2.802 "petition for rulemaking").


2.4 Element 2: Perform Engineering Analysis

As part of the second element, the licensee will evaluate the proposed CLB change with regard to the principles that adequate defense-in-depth is maintained, that sufficient safety margins are maintained, and that proposed increases in risk, and their cumulative effect, are small and do not cause the NRC Safety Goals to be exceeded.

The staff expects that the scope and quality of the engineering analyses conducted to justify the proposed CLB change will be appropriate for the nature and scope of the change. The staff also expects that appropriate consideration will be given to uncertainty in the analysis and interpretation of findings. The licensee is expected to use its judgment, drawing from the appropriate technical disciplines for the CLB change being considered, of the complexity and difficulty of implications of the proposed CLB change to decide upon adequate engineering analyses to support regulatory decisionmaking. Thus, the licensee should consider the appropriateness of qualitative and quantitative analyses, as well as analyses using traditional engineering approaches and those techniques associated with the use of PRA findings.

Regardless of the analysis methods chosen, the licensee must show that the principles set forth in Section 2.1 have been met through the use of scrutable acceptance guidelines established for making that determination.

Some proposed CLB changes can be characterized as involving the categorization of SSCs according to safety significance. An example is grading the application of quality assurance controls commensurate with the safety significance of equipment. The licensee's analyses of the impact of the proposed CLB change should address each of the key principles of risk informed regulation (discussed previously in Section 2.1 of this regulatory guide). Like other applications, the staff's review of CLB change requests for applications involving safety categorization will be according to the acceptance guidelines which are associated with each key principle and which are presented in this regulatory guide (see Sections 2.4.1, 2.4.2, and 2.5), unless equivalent guidelines are proposed by the licensee. Since risk importance measures are often used in such categorizations, guidance on their use is provided in Appendix A of this regulatory guide. For such CLB changes, guidelines associated with the adequacy of programs (in this example, quality controls) implemented for different safety significant categories (e.g., more safety significant and less safety significant) are addressed in other application-specific regulations and guidance documents. Licensees are encouraged to apply risk-informed findings and insights to decisions (and potential CLB requests) associated with what are appropriate, for instance, test methods, surveillance intervals, or quality controls.

2.4.1 Evaluation of Defense-in-Depth Attributes & Safety Margins

One aspect of the engineering evaluations is to show that the fundamental safety principles on which the plant design was based are not compromised. Design basis accidents (DBAs) play a central role in nuclear power plant design. DBAs are a combination of postulated challenges and failure events against which plants are designed to ensure adequate and safe plant response. During the design process, plant response and associated safety margins are evaluated using assumptions which are intended to be conservative. National standards and other considerations such as defense-in-depth attributes and the single failure criterion constitute additional engineering considerations that influence plant design and operation.

Margins and defenses associated with these considerations may be affected by the licensee's proposed CLB change and, therefore, should be reevaluated to support a requested CLB change.

As part of this evaluation, the impact of the proposed CLB change on affected equipment functionality, reliability, and availability should be determined.

2.4.1.1 Defense-in-Depth

The engineering evaluation conducted should evaluate whether the impact of the proposed CLB change (individually and cumulatively) is consistent with the principle that defense-in-depth is maintained. In this regard, the intent of the principle is to assure that the philosophy of defense-in-depth is maintained, not to prevent changes in the way defense-in-depth is achieved. The defense-in-depth philosophy has traditionally been applied in reactor design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It has been and continues to be an effective way to account for uncertainties in equipment and human performance. Where a comprehensive risk analysis can be done, it can be used to help determine the appropriate extent of defense-in-depth (e.g., balance among core damage prevention, containment failure and consequence mitigation) to ensure protection of public health and safety. Where a comprehensive risk analysis is not or cannot be done, traditional defense-in-depth considerations should be used or maintained to account for uncertainties. The evaluation should consider the intent of the general design criteria, national standards, and engineering principles such as the single failure criterion.

Further, the evaluation should consider the impact of the proposed CLB change on barriers (both preventive and mitigative) to core damage, containment failure or bypass, and the balance among defense-in-depth attributes. As stated earlier, the licensee should select the engineering analysis techniques, whether quantitative or qualitative and traditional or probabilistic, appropriate to the proposed CLB change.

The licensee should assess whether the proposed CLB change meets the defense-in-depth principle. Defense-in-depth consists of a number of elements, as summarized below. These elements can be used as guidelines for making that assessment. Other equivalent acceptance guidelines may also be used.

  • Defense-in-depth is maintained
      • a reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved
      • over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided
      • system redundancy, independence, and diversity are preserved commensurate with the expected frequency and consequences of challenges to the system (e.g., no risk outliers)
      • defenses against potential common cause failures are preserved and the potential for introduction of new common cause failure mechanisms is assessed
      • independence of barriers is not degraded
      • defenses against human errors are preserved

2.4.1.2 Safety Margins

The engineering evaluation conducted should assess whether the impact of the proposed CLB change is consistent with the principle that sufficient safety margins are maintained. Here also, the licensee is expected to choose the method of engineering analysis appropriate for evaluating whether sufficient safety margins would be maintained if the proposed CLB change were implemented. An acceptable set of guidelines for making that assessment is summarized below. Other equivalent acceptance guidelines may also be used.

  • Sufficient safety margins are maintained 0 codes and standards or alternatives approved for use by the NRC are met 0 safety analysis acceptance criteria in the current licensing basis (e.g., FSAR, to supporting analyses) are met, or proposed revisions provide sufficient margin account for analysis and data uncertainty Application-specific guidelines reflecting this general guidance may be found in the application-specific regulatory guides.

2.4.2 Evaluation of Risk Impact, Including Treatment of Uncertainties

As noted in Section 2.1, the licensee's risk assessment should be used to address the principle that proposed increases in risk, and their cumulative effect, are small and do not cause the NRC Safety Goals to be exceeded. For purposes of implementation, the licensee should assess the expected change in core damage frequency (CDF) and large early release frequency (LERF). The necessary sophistication of the evaluation, including the scope of the PRA (e.g., internal events only, full power only), depends on the contribution the risk assessment makes to the integrated decision-making, which depends to some extent on the magnitude of the potential risk impact.

For some CLB changes for which a more substantial impact is possible, an in-depth and comprehensive PRA analysis of appropriate scope to derive a quantified estimate of the total impact of a proposed CLB change will be necessary to provide adequate justification. In other applications, calculated risk importance measures or bounding estimates will be adequate. In still others, a qualitative assessment of the impact of the CLB change on the plant's risk may be sufficient.

The PRA performed should realistically reflect the actual design, construction, and operational practices. Consequently, the PRA used to support risk-informed decisionmaking is expected to reflect the impact of previous changes made to the CLB.


The remainder of this section discusses the use of quantitative PRA results in decisionmaking.

One of the strengths of the PRA framework is its ability to provide a means of characterizing the impact of analytical uncertainty, and it is essential that these uncertainties be recognized when assessing whether the principles are being met. To provide a vehicle for consistency between submittals and the review of those submittals, the following guidelines on how to address uncertainty in the decisionmaking process are provided. The first step is the definition of a set of quantitative acceptance guidelines. Second, the role of uncertainty analysis in decisionmaking is discussed. The staff's decision on the proposed license amendment will be based on its independent judgment and review, as appropriate, of the entire application.

2.4.2.1 Acceptance Guidelines

The risk acceptance guidelines presented in this regulatory guide are based on the principles and expectations for risk-informed regulation discussed in Section 2.1. For the purposes of establishing guidelines for risk-informed decisionmaking, a core damage frequency (CDF) guideline of 1E-4 per reactor year (annual average of CDF) has been adopted in this regulatory guide (with additional management attention for the 1E-5 to 1E-4 per reactor year range). A large early release frequency (LERF) of 1E-5 per reactor year (annual average of LERF) has been adopted as a containment performance guideline (with additional management attention for the 1E-5 to 1E-6 per reactor year range). These guidelines are intended for comparison with a full scope PRA (including internal events, external events, full power, low power and shutdown). However, it is recognized that many PRAs are not full scope and the use of less than full scope PRA information may be acceptable as discussed in Section 2.4.2.2 of this regulatory guide.

The acceptance guidelines have the following elements:

  • For a plant with a mean core damage frequency at or above 1E-4 per reactor year (the Commission's subsidiary core damage frequency objective) or with a mean LERF at or above 1E-5 per reactor year, it is expected that applications will result in a net decrease in risk or be risk neutral.

  • For a plant with a mean core damage frequency of less than 1E-4 per reactor year, applications will be considered which, when combined with the LERF guidelines described below:

      • Result in a net decrease in CDF or are CDF-neutral;
      • Result in increases in calculated CDF that are very small (e.g., CDF increase of less than 1E-6 per reactor year); or
      • Result in an increase in calculated CDF in the range of 1E-6 to 1E-5 per reactor year, subject to increased NRC technical and management review and considering the following factors:

          • The scope, quality, and robustness of the analysis (including, but not limited to, the PRA), including consideration and quantification of uncertainties;
          • The base CDF and LERF of the plant;
          • The cumulative impact of previous changes (the licensee's risk management approach);
          • Consideration of the Safety Goal screening criteria in the staff's Regulatory Analysis Guidelines, which define what changes in CDF and containment performance would be needed to consider potential backfits;
          • The impact of the proposed change on operational complexity, burden on the operating staff, and overall safety practices; and
          • Plant-specific performance and other factors, including, for example, siting factors, inspection findings, performance indicators, and operational events.

    AND

  • For a plant with a mean LERF of between 1E-6 and 1E-5 per reactor year:

      • Result in a net decrease in LERF or are LERF-neutral;
      • Result in an increase in calculated LERF of up to 1E-6 per reactor year, subject to increased NRC technical and management review, as described above;

    OR

  • For a plant with a mean LERF of less than 1E-6 per reactor year:

      • Result in a net decrease in LERF or are LERF-neutral;
      • Result in increases in calculated LERF that are very small (e.g., LERF increase of less than 1E-7 per reactor year); or
      • Result in an increase in calculated LERF of up to 1E-6 per reactor year, subject to increased NRC technical and management review, as described above.

The rigor of analyses needed to support the different types of applications is discussed in Section 2.4.2.2 below.

2.4.2.2 Comparison of PRA Results with the Acceptance Guidelines

In comparing estimates of plant risk (i.e., calculated plant CDF and LERF) and changes in these metrics as a result of CLB changes with the acceptance guidelines, it is necessary to take into account the uncertainties in the analysis. This section provides guidance on the comparison of the PRA results with the acceptance guidelines with particular reference to the role of uncertainty analysis.

Types of Uncertainty and Methods of Analysis

Because they are generally characterized and treated differently, it is useful to identify three classes of uncertainty: parameter uncertainty, model uncertainty, and completeness uncertainty.

Parameter Uncertainty

Parameter uncertainties are those associated with the values of the fundamental parameters of the PRA model, such as equipment failure rates, initiating event frequencies, and human error probabilities that are used in the quantification of the accident sequence frequencies. They are typically characterized by establishing probability distributions on the parameter values. It is straightforward and within the capability of most PRA codes to propagate the distribution representing uncertainty on the basic parameter values to generate a probability distribution on the results (CDF, accident sequence frequencies, etc.) of the PRA.

This is in fact the only practical way of generating a mean value of the CDF. However, the analysis must be done carefully to correlate the sample values for different components from a group to which the same parameter value applies (the so-called state of knowledge dependency).
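The state-of-knowledge dependency described above, shown as an added example that is not part of the regulatory guide. It assumes a single accident sequence with two identical redundant trains whose failure probability is one lognormal parameter given by a median and an error factor; the sequence, the distribution and all numerical values are constructed for illustration.

```python
import math
import random

Z95 = 1.645  # 95th percentile of the standard normal distribution


def lognormal_params(median, error_factor):
    """(mu, sigma) of a lognormal from its median and error factor (95th pct / median)."""
    return math.log(median), math.log(error_factor) / Z95


def propagate(n_trials, ie_freq, median, error_factor, correlated, seed=1997):
    """Monte Carlo propagation for one sequence: frequency = ie_freq * q_A * q_B.

    correlated=True  -> one draw of q per trial is used for both trains, because
                        both trains share the same parameter (dependency respected).
    correlated=False -> each train gets its own draw (dependency ignored).
    Returns (mean, 95th percentile) of the sampled sequence frequency.
    """
    rng = random.Random(seed)
    mu, sigma = lognormal_params(median, error_factor)
    samples = []
    for _ in range(n_trials):
        q_a = min(rng.lognormvariate(mu, sigma), 1.0)  # a probability cannot exceed 1
        q_b = q_a if correlated else min(rng.lognormvariate(mu, sigma), 1.0)
        samples.append(ie_freq * q_a * q_b)
    samples.sort()
    return sum(samples) / n_trials, samples[int(0.95 * n_trials)]


def analytic_mean_ratio(error_factor):
    """E[q^2] / E[q]^2 for a lognormal q, which equals exp(sigma^2)."""
    _, sigma = lognormal_params(1.0, error_factor)
    return math.exp(sigma ** 2)


def point_estimate(ie_freq, median, error_factor):
    """Sequence frequency obtained by plugging the mean of q in for both trains."""
    mu, sigma = lognormal_params(median, error_factor)
    mean_q = math.exp(mu + sigma ** 2 / 2)
    return ie_freq * mean_q ** 2


def compare(n_trials=100_000):
    """Run both sampling schemes on the same constructed inputs."""
    ie_freq, median, ef = 0.1, 1.0e-3, 5.0  # constructed: per year, per demand, EF
    mean_c, p95_c = propagate(n_trials, ie_freq, median, ef, correlated=True)
    mean_i, p95_i = propagate(n_trials, ie_freq, median, ef, correlated=False)
    return {
        "point_estimate": point_estimate(ie_freq, median, ef),
        "mean_independent": mean_i,
        "mean_correlated": mean_c,
        "p95_independent": p95_i,
        "p95_correlated": p95_c,
        "analytic_mean_ratio": analytic_mean_ratio(ef),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:22s} {value:.3e}")
```

Sampling the two trains independently reproduces the point estimate built from mean values, while sampling the shared parameter once per trial raises the mean by a factor of exp(sigma^2), so ignoring the dependency understates the mean used for comparison with the guidelines.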

Parameter uncertainties can be explicitly represented and propagated through the PRA model, and the probability distribution of the relevant metrics (i.e., CDF and ΔCDF, and LERF and ΔLERF) can be generated. Various measures of central tendency, such as the mean, median and mode, can be evaluated. In principle, the distributions can be used to assess the confidence with which the guidelines are met. However, it is also instructive to study the contributors to see whether it can be determined whether the tails of the distributions are being determined by uncertainties on a few significant elements of the model. If so, these elements can be identified as candidates for compensatory measures and/or monitoring during integrated decisionmaking.

Model Uncertainty

There are also uncertainties as to how to model certain elements of the PRA. Model uncertainty may be analyzed in different ways. It is possible to include some model uncertainty by incorporating within the PRA model a discrete probability distribution over a set of models for a particular issue. This has been done for the modeling of seismic hazard, for example, where the result is a discrete probability distribution on the frequencies of earthquakes. This uncertainty can then be propagated in the same way as the parameter uncertainties. Other methods are also available. For most Level 1 PRAs, there are few model uncertainties explicitly represented in the model structure. Instead, where it is necessary to address issues that are uncertain, e.g., success criteria, it is more usual for the analysts to adopt a specific assumption or modeling approach. Thus the effect of model uncertainties is generally to introduce some type of bias into the results.

There are significant model uncertainties in Level 2 PRAs, particularly in the modeling of the phenomenology of accident progression and the mechanisms for the release of fission products. Again, some uncertainties are addressed by making specific assumptions. However, others may be incorporated in the Level 2 analysis by, for example, including within the structure of the containment event trees a set of possible outcomes for the uncertain issues. NUREG-1150 (Ref. 8) provides examples of an attempt to characterize the full impact of the uncertainty. In many PRAs, however, the conditional containment probabilities or large early release fractions represent an average over these outcomes.

It is often instructive to understand the impact of a specific assumption on the predictions of the model. The impact of using alternate assumptions or models may be addressed by performing appropriate sensitivity studies, or they may be addressed using qualitative arguments.


Completeness Uncertainty

Completeness is not in itself an uncertainty, but a reflection of scope limitations. The result is, however, an uncertainty about where the true risk lies. The problem with completeness uncertainty is that, because it reflects an unanalyzed contribution, it is difficult (if not impossible) to estimate its magnitude. Thus, for example, the impact on actual plant risk from unanalyzed issues such as the influences of organizational performance cannot now be explicitly assessed.

The issue of completeness of scope of a PRA can be addressed by either supplementing the analysis with additional analysis to enlarge the scope, using more restrictive acceptance guidelines, or by providing arguments that, for the application of concern, the out-of-scope contributors are not significant. Acceptable approaches to dealing with incompleteness are discussed in the next section.

Comparisons with Acceptance Guidelines

The purpose of this section is to provide guidance on how to compare the results of the PRA with the acceptance guidelines described in Section 2.4.2.1. In the context of decisionmaking, the acceptance guidelines should not be interpreted as being overly prescriptive. They are intended to provide an indication, in numerical terms, of what is considered acceptable. As such, the numerical guidelines described in this regulatory guide are approximate values that provide an indication of the changes that are generally acceptable. Furthermore, the epistemic uncertainties associated with PRA calculations preclude a definitive decision of acceptability or unacceptability based purely on the numerical results. The intent in making the comparison of the PRA results with the acceptance guidelines is to demonstrate with reasonable assurance that Principle 4, discussed in Section 2.1, is being met. This decision must be made based on a full understanding of the impacts of the uncertainties, both those that are explicitly accounted for in the results and those that are not. This is a somewhat subjective process, and the reasoning behind the decisions must be well documented.

The three types of uncertainty can be addressed as follows to demonstrate reasonable assurance: 1) those uncertainties that are explicitly quantified in the model (parameter uncertainties and some model uncertainties) do not produce a probability distribution on the estimated value of CDF or LERF that results in a low level of confidence that the goal is met; 2) the adoption of specific modeling does not overly bias results in favor of the change and the alternate, but reasonable, modeling assumptions would not alter the decision (model uncertainty); and, 3) the contributors to risk that are not modeled would not alter the decision significantly (completeness uncertainty). The discussion presented here addresses quantitative analyses of uncertainties; qualitative arguments may be appropriate for specific CLB changes.

The level of detail required in the analysis of uncertainty will depend on the CLB change being considered, the base case estimates of CDF or LERF, and the potential impact of the change on those metrics. The closer the base case estimates and the estimates of the impact of the change are to their corresponding acceptance guidelines, the more detail will be required. In contrast, if, as an example, the estimated change in a particular metric is very small compared to the acceptance goal, a simple bounding analysis or even a qualitative analysis may suffice.

Changes resulting in a net decrease in the CDF and LERF estimates are allowed irrespective of the calculated baseline CDF and LERF. Generally, it should be possible to argue on the basis of an understanding of the contributors and the changes that are being made that the overall impact is indeed a decrease, without the need for a detailed uncertainty analysis.

In the initial comparison of the PRA results to the acceptance guidelines, the appropriate numerical measures to use are mean values. In general, if the change is such that it would result in either the point estimate or mean value of the CDF or LERF or the corresponding increase (ΔCDF or ΔLERF) exceeding its guideline, the change will not be approved unless, for example, it is shown that there are unquantified benefits that are not reflected in the quantitative risk results. In addition, if convincing qualitative arguments are made that the analysis is conservative, or compensatory measures are proposed to counter the impact of the major risk contributors, even though the impact of these measures may not be estimated numerically, then such arguments will be considered in the decision process. Finally, changes which result in very small increases in the estimates of CDF or LERF might be allowable even for plants for which the base case approaches the guidelines, but again, only if additional qualitative arguments can be made as discussed above.

If the mean value of a measure were to lie near the corresponding guideline, a full parametric uncertainty analysis will allow an assessment of the confidence with which the guideline is met.

Because of the nature of PRA analyses, it is not reasonable to be so prescriptive about the acceptable level of confidence; changes could still be allowed when lower levels of confidence are calculated when, as discussed above, convincing qualitative arguments that the true values are less than the calculated values can be brought to bear. Such arguments can only be made with a full understanding of the contributors to uncertainty.

While the analysis of parametric uncertainty is fairly mature, the analysis of the model and completeness uncertainties cannot be handled in such a formal manner. Whether the PRA is full scope or only partial scope, it will be incumbent on the licensee to demonstrate that the choice of reasonable alternate hypotheses or modeling approximations or methods to those adopted in the PRA model would not significantly change the assessment. The alternates that would drive the result towards unacceptability should be identified and reasons given as to why they are not appropriate for the current application or for the particular plant. Alternatively, this analysis can be used to identify candidates for compensatory actions or increased monitoring.

The licensee should concentrate its attention on those assumptions which impact the parts of the model being exercised by the change.

When the PRA is not full scope, then it is necessary for the licensee to address the significance of the out-of-scope items. The importance of assessing the contribution of the out-of-scope portions of the PRA to the base case estimates of CDF and LERF is related to the margin between the as-calculated values and the acceptance guidelines. When the contributions from the modeled contributors are close to the guidelines, the argument that the contribution from the missing items is not significant must be convincing, and in some cases may require additional PRA analyses. When the margin is significant, a qualitative argument may be sufficient. The contribution of the out-of-scope portions of the model to the change in metric may be addressed by bounding analyses, detailed analyses, or by a demonstration that the change has no impact on the unmodeled contributors. In addition, it should also be demonstrated that changes based on a partial PRA do not disproportionally change the risk associated with those accident sequences that arise from the modes of operation not included in the PRA.

If just a level 1 PRA is available, in general only the CDF is calculated and not the LERF. An approach is presented in Appendix B to this regulatory guide which allows a subset of the core damage accidents identified in the Level 1 analysis to be allocated to a release category that is equivalent to a LERF. The approach uses simplified event trees that can be quantified by the licensee on the basis of the plant configuration applicable to each accident sequence in the Level 1 analysis. The frequency derived from these event trees can be compared to the LERF acceptance guidelines. The guidance in Appendix B may be used to estimate LERF in only those cases when the plant is not close to the CDF and LERF benchmark values.

2.4.3 Integrated Decision-Making

The results of the different elements of the engineering analysis discussed in Sections 2.4.1 and 2.4.2 must be considered in an integrated manner. None of the individual analyses is sufficient in and of itself. In this way, it can be seen that the decision is not driven solely by the numerical results of the PRA. They are one input into the decisionmaking and help in building up an overall picture of the implications of the proposed change on risk. The PRA has an important role in putting the change into its proper context as it impacts the plant as a whole.

2.5 Element 3: Define Implementation and Monitoring Program

Careful consideration should be given to implementation and performance-monitoring strategies. The primary goal for this element is to assess SSC performance under the proposed CLB change by establishing performance-monitoring strategies to confirm the assumptions and analyses that were conducted to justify the CLB change.

The implementation of the regulatory changes should ensure that no unexpected adverse safety degradation occurs because of the changes. Based on the findings of the engineering evaluations conducted to examine the impact of the proposed changes, an implementation plan should be developed to ensure that any unexpected problems and deficiencies are detected and corrected prior to becoming a significant safety problem. Further details of an acceptable process for implementation in specific application areas are discussed in the application-specific guides.

Decisions concerning implementation of changes should be made in light of the uncertainty associated with the results of the traditional and probabilistic engineering evaluations. Broad implementation within a limited time period may be justified when uncertainty is shown to be low (data and models are adequate, engineering evaluations are verified and validated, etc.), whereas a slower, phased approach to implementation (or other modes of partial implementation) would be expected when uncertainty in evaluation findings is higher. In applications where programmatic changes are being made which potentially impact SSCs across a wide spectrum of the plant, such as in IST, ISI and graded QA, the potential introduction of common cause effects must be fully considered and included in the submittal. In such situations, a carefully planned approach to the selected mode of implementation should be identified and justified.

A monitoring program, utilizing appropriate performance-based feedback criteria, is an important element of many risk informed application approaches. This performance-based approach should have the following attributes: there are measurable parameters to monitor plant performance; objective criteria are established to assess performance based on a combination of risk insights, traditional engineering analysis, and performance history; and parameters are selected for monitoring such that, if exceeded, they will provide early indication of problems prior to being a safety concern.

Specifically, the proposed monitoring program should establish a means to adequately track the performance of equipment covered by the proposed licensing changes. The program should be capable of trending equipment performance after a change has been implemented to demonstrate that performance is consistent with that predicted by the traditional engineering and probabilistic analyses that were conducted to justify the change. It is desirable that definitive and quantitative performance criteria be established which are consistent with analysis assumptions and expectations in such areas as SSC functionality and reliability/availability. The monitoring plan should be structured such that performance degradation is detected and corrected before plant safety can be compromised. The potential impact of observed SSC degradation on similar components in different systems throughout the plant should be considered.

Monitoring that is performed as part of the Maintenance Rule implementation can be used in cases where the SSCs affected by the application are also covered under the Maintenance Rule.

In these cases, the performance criteria chosen should be shown to be appropriate for the application in question. It should be noted that plant or licensee performance under actual design conditions may not be readily measurable. In cases where actual conditions cannot be monitored or measured, an approach should be implemented by striving to use whatever information most closely approximates actual performance data. For example, a hierarchy for establishing a monitoring program with a performance-based feedback approach may consist of a combination of the following:

1. Monitoring performance characteristics under actual design bases conditions (e.g., reviewing actual demands on EDGs, reviewing operating experience)
2. Monitoring performance characteristics under test conditions that are similar to those expected during a design basis event
3. Monitoring and trending performance characteristics to verify aspects of the underlying analysis, research, or bases for a requirement (e.g., measuring battery voltage and specific gravity, inservice inspection of piping)
4. Evaluating licensee performance during training scenarios (e.g., emergency planning exercises, operator licensing examinations)
5. Component quality controls including developing pre- and post- component installation evaluations (e.g., environmental qualification inspections, RPS channel checks, continuity testing of BWR squib valves)
6. Establishing performance-based elements (e.g., monitoring, measurement) where actual performance-based measurements may be impractical (i.e., performance-based elements of a QA program observing activities vs. reviewing programs)

As part of the monitoring program, it is important that provisions for specific cause determination and corrective actions be included in cases when performance falls below expected levels. Cause determination is needed when a performance criteria is not being met or when there is a functional failure of an application-specific SSC, even if performance criteria is met. The cause determination should identify the cause of the failure or degraded performance, and whether the failure or degraded performance was a result of the application. It should address failure significance, the circumstances surrounding the failure or degraded performance, the characteristics of the failure, and whether the failure is isolated or has generic or common cause implications (as defined in NUREG/CR-4780, Ref. 9).

Finally, the monitoring program should identify any corrective actions to preclude recurrence of unacceptable failures or degraded performance below expectations. The circumstances surrounding the failure may indicate that the SSC failed because of adverse or harsh operating conditions (e.g., operating a valve dry, over-pressurization of a system) or failure of another component which caused the SSC failure. Therefore, corrective actions should also consider SSCs with similar characteristics with regard to operational, design, or maintenance conditions.

It is expected that upon initial approval of the proposed monitoring program, subsequent NRC oversight will focus on evaluating performance results rather than on a programmatic review.

2.6 Element 4: Submit Proposed Change

Requests for proposed change to the plant's CLB typically take the form of requests for license amendments (including changes to or removal of license conditions), technical changes, changes to or withdrawals of orders, and changes to programs pursuant to 10 CFR 50.54 (e.g., QA program changes under 10 CFR 50.54(a)). Licensees should: (i) carefully review the proposed CLB change in order to determine the appropriate form of the change request, (ii) assure that information required by the relevant regulation(s) in support of the request is developed; and (iii) prepare and submit the request in accordance with relevant procedural requirements. For example, license amendments should meet the requirements of 10 CFR §§50.90, 50.91 and 50.92, as well as the procedural requirements in 10 CFR §50.4. Where the licensee submits risk information in support of the CLB change request, that information should meet the guidance in Section 3 of this regulatory guide.

Licensees are free to decide whether to submit risk information in support of their CLB change request. Where the licensee's proposed change to the CLB is consistent with currently approved staff positions, the staff's determination will be based solely on traditional deterministic engineering analysis without recourse to risk information (although the staff may consider any risk information which is submitted by the licensee). However, where the licensee's proposed change goes beyond currently-approved staff positions, the staff will normally consider both information based upon traditional deterministic engineering analysis as well as information based upon risk insights. If the licensee does not submit risk information in support of a CLB change which goes beyond currently-approved staff positions, the staff may request the licensee to submit such information.

Such an information request is not a backfit under 10 CFR 50.109. If the licensee chooses not to provide the risk information, staff will review the proposed application using the deterministic engineering analysis and determine whether sufficient information has been provided to support the requested change.

In developing the risk information set forth in this regulatory guide, licensees will likely identify SSCs with high risk significance which are not currently subject to regulatory requirements, or are subject to a level of regulation which is not commensurate with their risk significance. It is expected that licensees will propose CLB changes that will subject these SSCs to an appropriate level of regulation, consistent with the risk significance of each SSC. Specific information on the staff's expectations in this regard is set forth in the application-specific regulatory guides.

2.7 Quality Assurance

As stated in Section 2.4, the staff expects that the quality of the engineering analyses conducted to justify proposed CLB changes will be appropriate for the nature of the change. In this regard, it is expected that for traditional engineering analyses (e.g., deterministic engineering calculations) existing provisions for quality assurance (e.g., 10CFR50, Appendix B for safety-related SSCs) will apply and provide the appropriate quality needed. Likewise, when a risk assessment of the plant is used to provide insights into the decisionmaking process, the staff expects that the PRA will have been subject to quality control.

To the extent that a licensee elects to use PRA information to enhance or modify activities affecting the safety-related functions of SSCs, the following, in conjunction with the other guidance contained in this guide, describe an acceptable way to ensure that the pertinent quality assurance requirements of 10CFR50, Appendix B are met and that the PRA is of sufficient quality to be used for regulatory decisions:

  • utilize personnel qualified for the analysis
  • utilize procedures that ensure control of documentation, including revisions, and provide for independent review, verification or checking of calculations and information used in the analyses (an independent peer review can be used as an important element in this process) provide documentation and maintain records in accordance with the guidelines in Section 3 of this guide provide for an independent audit function to verify quality (an independent peer review can be used for this purpose) 22

utilize procedures that ensure appropriate attention and corrective actions are taken if analyses or information used in previous decision making is determined to be in error.

Where performance monitoring programs are used in the implementation of proposed changes to the CLB, it is expected that those programs will be implemented utilizing quality provisions commensurate with the safety significance of affected SSCs. An existing PRA or analyses can be utilized to support a proposed CLB change, provided it can be shown that the appropriate quality provisions have been met.

3. DOCUMENTATION AND SUBMITTAL

3.1 Introduction

To permit the staff's audit to ensure that the analyses conducted were sufficient to conclude that the key principles of risk-informed regulation have been met, documentation of the evaluation process and findings is expected to be maintained. Additionally, information submitted should include a description of the process used by the licensee to ensure quality and some specific information to support the staff's conclusion regarding the acceptability of the requested CLB change.

3.2 Documentation

Archival documentation should include a detailed description of engineering analyses conducted and the results obtained, irrespective of whether they were quantitative or qualitative, or whether the analyses made use of traditional engineering methods or probabilistic approaches. This documentation should be maintained by the licensee, as part of the normal quality assurance program, so that it is available for examination.

Documentation of the analyses conducted to support changes to a plant's CLB should be maintained as lifetime quality records in accordance with Regulatory Guide 1.33 (Ref. 10). Typical PRA documentation is described in draft NUREG-1602 (Ref. 2).

3.3 Licensee Submittal

To support the staff's conclusion that the proposed CLB change is consistent with the key principles of risk-informed regulation and NRC staff expectations, the following information is expected to be submitted to the NRC:

  • A description of how the proposed change will impact the CLB (Relevant principle: CLB changes meet regulations.)
  • A description of the components and systems affected by the change, the types of changes proposed, the reason for the changes, and results and insights from an analysis of available data on equipment performance (Relevant staff expectation: All safety impacts of the proposed CLB change shall be evaluated.)
  • A tabulation of the current licensing basis accident parameters that are affected by the change and an assessment of the expected changes (Relevant principles: CLB changes meet the regulations; sufficient safety margins are maintained; defense-in-depth is maintained.)
  • A reevaluation of the licensing basis accident analysis and the provisions of 10 CFR Parts 20 and 100, if appropriate (Relevant principles: CLB changes meet the regulations; sufficient safety margins are maintained; defense-in-depth is maintained.)
  • An evaluation of the impact of the change in licensing bases on the breadth or depth of defense-in-depth attributes of the plant (Relevant principle: Defense-in-depth is maintained.)
  • Identification of how and where the proposed change will be documented as part of the plant's licensing basis (e.g., FSAR, TS, licensing conditions). This should include proposed changes and/or enhancements to the regulatory controls for high risk significant SSCs which are not subject to any requirements, or where the requirements are not commensurate with the SSCs' risk significance.

The licensee should also identify:

  • Those key assumptions in the PRA, elements of the monitoring program, and commitments made to support the application
  • SSCs for which requirements should be increased
  • A description of the information to be provided as part of the plant's licensing basis (e.g., FSAR, TS, licensing condition)

To the extent that a licensee elects to use PRA as an element to enhance or modify its implementation of activities affecting the safety-related functions of SSCs subject to the provisions of Appendix B to 10 CFR Part 50, the pertinent requirements of Appendix B will also apply to the PRA. In this context, therefore, a licensee would be expected to control PRA activity in a manner commensurate with its impact on the facility's design and licensing basis and in accordance with all applicable regulations and its QA program description.

An independent peer review can be an important element of ensuring this quality. The licensee's submittal should discuss measures used to ensure adequate quality, such as a report of a peer review (when performed) that addresses the appropriateness of the PRA model for supporting a risk assessment of the CLB change under consideration. The report should address any analysis limitations that are expected to impact the conclusion regarding acceptability of the proposed change. The licensee's resolution of the findings of the peer review, when performed, should also be submitted. For example, this response could indicate whether the PRA was modified or a justification as to why no change was necessary to support decisionmaking for the CLB change under consideration. As discussed in Section 2.4.2, the staff's decision on the proposed license amendment will be based on its independent judgment and review, as appropriate, of the entire application.

In order to have confidence that the risk assessment conducted is adequate to support the conclusion that there is no more than an insignificant increase in risk to health and safety of the public has been met, a summary of the risk assessment methods used should be submitted. Consistent with current practice, information submitted to the NRC for its consideration in making risk-informed, regulatory decisions will be made publicly available, unless such information is deemed proprietary and justified as such. The following information should be submitted and is intended to illustrate that the scope and quality of the engineering analyses conducted to justify the proposed CLB change is appropriate to the nature and scope of the change:

  • A description of risk assessment methods used
  • The key modeling assumptions
  • The success criteria and the basis for each
  • A list of initiators considered and their frequencies, as well as the basis for excluding any initiators from the risk assessment
  • A list of systems and components addressed in the risk assessment, the failures considered for each and the basis for excluding failures, and the dependencies between systems and components
  • The event trees and fault trees as necessary to support the analysis
  • A list of operator actions modeled in the PRA (and the basis for excluding operator actions) and their error probabilities
  • A list describing all events included in the risk assessment

Submitted information summarizing the results of the risk assessment should include:

  • A description of dominant sequences
  • An estimate of total plant CDF (including a qualitative or quantitative assessment of uncertainty) before and after implementing the proposed CLB change
  • An estimate of containment performance as described by plant damage states and the frequencies of the high and low consequence categories (if a simplified Level 2 PRA analysis was performed such as is described in Appendix B to this regulatory guide); or frequencies of accident progression pathways (including a qualitative or quantitative assessment of uncertainty), as grouped for source term calculations, if a full Level 2 PRA was conducted
  • The definition of source terms and an identification of their frequencies and magnitudes (including uncertainty) if a full Level 2/3 PRA was performed
  • The frequencies of individual early and latent fatalities, if a full Level 2/3 analysis was performed

Information that should be submitted as part of the justification for the specific CLB change includes:

  • A description of the analyses performed to assess the impact of the change on risk
  • An estimate of plant CDF and LERF and changes in those estimates if the proposed CLB change were implemented
  • Identification of all minimal cutsets affected by the change, any success criteria that are affected by the change, and any changes in dominant risk contributors
  • Results of analyses that show that the conclusions regarding the impact of the CLB change on plant risk will not vary significantly under a different set of assumptions. (See NUREG-1602 for a discussion of the uses and limitations of importance measures and sensitivity studies.)

The staff also expects licensees to track and consider the cumulative impact of all plant changes, including those not submitted for NRC review and approval.

3.4 Implementation Plan and Performance Monitoring Process

As described in Section 2.5 above, a key principle of risk-informed regulation is that proposed performance implementation and monitoring strategies reflect uncertainties in analysis models and data. Consequently, the submittal should include a description and rationale for the implementation and performance monitoring strategy for the proposed CLB change.


REFERENCES

1. USNRC, "Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement," Federal Register, Vol. 60, p. 42622, August 16, 1995.
2. "PRA Implementation Plan," SECY-97-076, April 3, 1997.¹
3. USNRC, "Use of PRA in Risk-Informed Applications," Draft NUREG-1602, June 1997.²
4. USNRC, "Safety Goals for the Operations of Nuclear Power Plants; Policy Statement," Federal Register, 51 FR 30028, August 4, 1986.
5. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Testing," Draft Regulatory Guide DG-1062, June 1997.²
6. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Graded Quality Assurance," Draft Regulatory Guide DG-1064, June 1997.²
7. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," Draft Regulatory Guide DG-1065, June 1997.²
8. USNRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, December 1990.³
9. A. Mosleh et al., "Procedures for Treating Common Cause Failures in Safety and Reliability Studies," NUREG/CR-4780, Volume 2, January 1989.³
10. USNRC, "Quality Assurance Program Requirements," Regulatory Guide 1.33, Revision 2, February 1978.²

¹ Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.

² Requests for single copies of draft or active regulatory guides or of draft NUREG documents (which may be reproduced) or for placement on an automatic distribution list for single copies of future draft guides in specific divisions should be made in writing to the U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, Attention: Printing, Graphics and Distribution Branch, or by fax to (301)415-5272.

³ Copies are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (telephone (202)512-2249); or from the National Technical Information Service by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.


APPENDIX A

USE OF RISK IMPORTANCE MEASURES TO CATEGORIZE STRUCTURES, SYSTEMS, AND COMPONENTS WITH RESPECT TO SAFETY SIGNIFICANCE

Introduction

For several of the proposed applications of the risk-informed regulation process, one of the principal activities is the categorization of SSCs and human actions according to safety significance. The purpose of this Appendix is to discuss one way that this categorization may be performed to be consistent with principle 4 and the expectations discussed in Section 2.1.

Safety-significance of an SSC can be thought of as being related to the role the SSC plays in preventing the occurrence of the undesired end state. Thus the position adopted in this regulatory guide is that all the SSCs and human actions considered when constructing the PRA model (including those that do not necessarily appear in the final quantified model, either because they have been screened initially, assumed to be inherently reliable or have been truncated from the solution of the model) have the potential to be safety significant, since they play a role in preventing core damage.

In establishing the categorization, it is important to recognize the purpose behind the categorization, which is, generally, to sort the SSCs and human actions into groups such as those for which some relaxation of requirements is proposed, and those for which no such change is proposed. It is the proposed application that is the motivation for the categorization, and it is the potential impact of the application on the particular SSCs and human actions and on the measures of risk which ultimately determines which of the SSCs and human actions must be regarded as safety-significant within the context of the application. This impact on overall risk should be evaluated in light of the principles and decision criteria identified in this draft guide. Thus, the most appropriate way to address the categorization is through a requantification of the risk measures.

However, the feasibility of performing such risk quantification has been questioned for those applications for which a method for the evaluation of the impact of the change on SSC unavailability is not available. An acceptable alternative to requantification of risk is for the licensee to perform the categorization of the SSCs and human actions in an integrated manner, making use of an analytical technique, based on the use of PRA importance measures, as input. This appendix discusses the technical issues associated with the use of PRA importance measures. NUREG-1602, "Use of PRA in Risk-Informed Applications," includes more detailed discussion of this subject.

Technical Issues Associated with the Use of Importance Measures

In the implementation of the Maintenance Rule and in industry guides for the risk-informed applications (for example, the PSA Applications Guide), the Fussell-Vesely Importance, Risk Reduction Worth, and Risk Achievement Worth are the most commonly identified measures in the relative risk ranking of SSCs. However, in the use of these importance measures for risk-informed applications, there are several issues that should be addressed. Most of the issues are related to technical problems which can be resolved by the use of sensitivity studies or by appropriate quantification techniques. These issues are discussed in detail in the sub-section below. In addition, there are two issues, namely a) that risk rankings apply only to individual contributions and not to combinations or sets of contributors, and b) that risk rankings are not necessarily related to the risk changes which result from those contributor changes, that the licensee should be aware of and should make sure that they have been addressed adequately. When performed and interpreted correctly, component-level importance measures can provide valuable input to the licensee.

Risk ranking results from a PRA can be affected by many factors, the most important being model assumptions and techniques (e.g., for modeling of human reliability or common cause failures), the data used, or the success criteria chosen. The licensee should therefore make sure that the PRA is of sufficient quality.

In addition to the use of a "quality" PRA, the robustness of categorization results should also be demonstrated for conditions and parameters that might not be addressed in the base PRA. Therefore, when importance measures are used to group components or human actions as low safety-significant contributors, the information to be provided to the analysts performing qualitative categorization should include sensitivity studies and/or other evaluations to demonstrate the sensitivity of the importance results to the important PRA modeling techniques, assumptions, and data. Issues that should be considered and addressed are listed below.

Truncation limit: The licensee should determine that the truncation limit has been set low enough so that the truncated set of minimal cutsets contains all the significant contributors and their logical combinations for the application in question and is low enough to capture at least 95 percent of the CDF. Depending on the PRA level of detail (module level, component level, or piece-part level), this may translate into a truncation limit from 1E-12 to 1E-8 per reactor year. In addition, the truncated set of minimal cutsets should be determined to contain the important application-specific contributors and their logical combinations.

Risk metrics: The licensee should ensure that risk in terms of both CDF and LERF is considered in the ranking process.

Completeness of risk model: The licensee should ensure that the PRA model is sufficiently complete to address all important modes of operation for the SSCs being analyzed. Safety-significant contributions from internal events, external events, and shutdown and low power initiators should be considered either by using PRA or other engineering analyses. (NUREG-1602 provides a discussion of model completeness.)

Sensitivity analysis for component data uncertainties: The sensitivity of component categorizations to uncertainties in the parameter values should be addressed by the licensee. Licensees should be satisfied that SSC categorization is not affected by data uncertainties.

Sensitivity analysis for common cause failures: CCFs are modeled in PRAs to account for dependent failures of redundant components within a system. The licensee should determine that the safety significant categorization has been performed taking into account the combined effect of associated basic PRA events, such as failure to start and failure to run, including indirect contributions through associated CCF event probabilities. CCF probabilities can affect PRA results by enhancing or obscuring the importance of components. A component may be ranked as a high risk contributor mainly because of its contribution to CCFs, or a component may be ranked as a low risk contributor mainly because it has negligible or no contribution to CCFs.

Sensitivity analysis for recovery actions: PRAs typically model recovery actions especially for dominant accident sequences. Quantification of recovery actions typically depends on the time available for diagnosis and performing the action, training, procedure, and knowledge of operators. There is a certain degree of subjectivity involved in estimating the success probability for the recovery actions. The concerns in this case stem from situations where very high success probabilities are assigned to a sequence, resulting in related components being ranked as low risk contributors. Furthermore, it is not desirable for the categorization of SSCs to be affected by recovery actions that sometimes are only modeled for the dominant scenarios. Sensitivity analyses can be used to show how the SSC categorization would change if all recovery actions were removed. The licensee should ensure that the categorization has not been unduly affected by the modeling of recovery actions.

Multiple component considerations: As discussed previously, importance measures are typically evaluated on an individual SSC or human action basis. One potential concern raised by this is that single-event importance measures have the potential of dismissing all elements of a system or group despite the system or group having a high importance when taken as a whole. (Conversely, there may be grounds for screening out groups of SSCs, owing to the unimportance of the systems of which they are elements.) There are two potential approaches to addressing the multiple component issue. The first is to define suitable measures of system or group importance. The second is to choose appropriate criteria for categorization based on component-level importance measures. In both cases, it will be necessary for the licensee to demonstrate that the cumulative impact of the change has been adequately addressed.

While there are no widely accepted definitions of system or group importance measures, if any are proposed, the licensee should make sure that the measures are capturing the impact of changes to the group in a logical way. As an example of the issues that arise, consider the following. For front-line systems, one possibility would be to define a Fussell-Vesely type measure of system importance as the sum of the frequencies of sequences involving failure of that system, divided by the sum of all sequence frequencies. Such a measure would need to be interpreted carefully if the numerator included contributions from failures of that system due to support systems. Similarly, a Birnbaum-like measure could be defined by quantifying sequences involving the system, conditional on its failure, and summing up those quantities. This would provide a measure of how often the system is critical. However, again the support systems make the situation more complex. To take a two-division plant as an example, front-line failures can occur as a result of failure of support division A in conjunction with failure of front-line division B. Working with a figure of merit based on "total failure of support system" would miss contributions of this type.

In the absence of appropriately defined group level importance measures, reliance must be made on a qualitative categorization by the licensee, as part of the integrated decisionmaking process, to make the appropriate determination.


Relationship of Importance Measures to risk changes: Importance measures do not directly relate to changes in risk. Instead, the risk impact is indirectly reflected in the choice of the value of the measure used to determine whether an SSC should be classified as being of high or low safety significance. This is a concern whether importances are evaluated at the component or at the group level. The PSA Applications Guide suggested values of Fussell-Vesely importance of 0.05 at the system level, and 0.005 at the component level, for example. However, the criteria for categorization into low and high significance should be related to the acceptance criteria for changes in CDF and LERF. This implies that the criteria should be a function of the base case CDF and LERF rather than being fixed for all plants. Thus the licensee should demonstrate how the choice of criteria is related to, and conforms with, the acceptance guidelines described in this document. If component level criteria are used, they should be established taking into account that the allowable risk increase associated with the change should be based on simultaneous changes to all members of the category.

SSCs not included in the final quantified cutset solution: Importance measures based on the quantified cutsets will not factor in those SSCs that have either been truncated, or were not included in the fault tree models because they were screened on the basis of high reliability. SSCs that have been screened because their credible failure modes would not fail the system function can be argued to be unimportant. The licensee must make sure that these SSCs are considered. This subject is discussed in more detail in NUREG-1602.
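The truncation, common cause failure and recovery-action issues above can be seen on a small cutset model. The following is an added example, not part of the regulatory guide: the basic events, probabilities and cutsets are constructed, the Fussell-Vesely and Risk Achievement Worth formulas are the standard rare-event forms (the guide names the measures but does not define them), and only the 0.005 component threshold and the 95 percent CDF capture figure come from the text.

```python
from math import prod

# Constructed sample model, not plant data. Values are basic-event
# probabilities, or frequencies per reactor year for the IE-* initiators.
BASIC_EVENTS = {
    "IE-TRANS": 1.0, "IE-LOOP": 0.05,
    "AFW-CCF": 1e-4, "FB-OP": 1e-2,
    "DG-A-FTS": 2e-2, "DG-B-FTS": 2e-2, "DG-CCF": 1e-3,
    "TDP-FTR": 4e-2,
    "REC-OSP": 1e-3,  # failure to recover offsite power (a recovery action)
}
RECOVERY_EVENTS = {"REC-OSP"}
MINIMAL_CUTSETS = [
    frozenset({"IE-TRANS", "AFW-CCF", "FB-OP"}),
    frozenset({"IE-LOOP", "DG-CCF", "TDP-FTR", "REC-OSP"}),
    frozenset({"IE-LOOP", "DG-A-FTS", "DG-B-FTS", "TDP-FTR", "REC-OSP"}),
]
# Each component owns its independent failure event plus the CCF event it
# shares, so the indirect CCF contribution counts toward its importance.
COMPONENT_EVENTS = {
    "DG-A": {"DG-A-FTS", "DG-CCF"},
    "DG-B": {"DG-B-FTS", "DG-CCF"},
    "AFW-TDP": {"TDP-FTR"},
    "AFW-MDP": {"AFW-CCF"},
}
FV_THRESHOLD = 0.005  # component-level value quoted in the text


def cdf(cutsets, probs):
    """Core damage frequency by the rare-event approximation."""
    return sum(prod(probs[e] for e in c) for c in cutsets)


def truncate(cutsets, probs, limit):
    """Keep only cutsets whose frequency is at or above the truncation limit."""
    return [c for c in cutsets if prod(probs[e] for e in c) >= limit]


def fussell_vesely(events, cutsets, probs):
    """Fraction of CDF carried by cutsets containing any of the events."""
    return cdf([c for c in cutsets if c & events], probs) / cdf(cutsets, probs)


def risk_achievement_worth(events, cutsets, probs):
    """CDF with the events failed (probability 1) over the base CDF."""
    reduced = {frozenset(c - events) for c in cutsets}
    # Re-minimise: drop any reduced cutset that strictly contains another.
    minimal = [c for c in reduced if not any(o < c for o in reduced)]
    return cdf(minimal, probs) / cdf(cutsets, probs)


def categorize(cutsets, probs, threshold=FV_THRESHOLD):
    """Label each component 'high' or 'low' by its Fussell-Vesely value."""
    return {
        comp: "high" if fussell_vesely(ev, cutsets, probs) >= threshold else "low"
        for comp, ev in COMPONENT_EVENTS.items()
    }


def without_recovery(probs):
    """Remove all recovery credit by setting recovery failure to 1.0."""
    return {e: (1.0 if e in RECOVERY_EVENTS else p) for e, p in probs.items()}


def recovery_sensitivity(cutsets, probs):
    """Components whose category changes when recovery credit is removed."""
    base = categorize(cutsets, probs)
    bare = categorize(cutsets, without_recovery(probs))
    return {c: (base[c], bare[c]) for c in base if base[c] != bare[c]}


if __name__ == "__main__":
    print("base categories:", categorize(MINIMAL_CUTSETS, BASIC_EVENTS))
    print("changed without recovery:",
          recovery_sensitivity(MINIMAL_CUTSETS, BASIC_EVENTS))
    kept = truncate(MINIMAL_CUTSETS, BASIC_EVENTS, 1e-8)
    print("CDF captured at 1E-8:",
          cdf(kept, BASIC_EVENTS) / cdf(MINIMAL_CUTSETS, BASIC_EVENTS))
    print("DG-A FV after truncation:",
          fussell_vesely(COMPONENT_EVENTS["DG-A"], kept, BASIC_EVENTS))
```

In this constructed model a 1E-8 truncation limit still captures more than 95 percent of CDF yet removes every diesel generator cutset, which is why the text asks separately that the truncated set contain the application-specific contributors.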


APPENDIX B

AN APPROACH FOR ESTIMATING THE FREQUENCIES OF VARIOUS CONTAINMENT FAILURE MODES AND BYPASS EVENTS

B.1 Introduction

This appendix describes an approach for estimating the frequencies of various containment failure modes and bypass events. This approach is designed to supplement Level 1 PRAs submitted in support of risk-informed decisionmaking. The intent is to use accident sequence information provided in the Level 1 PRA to estimate the frequencies of various plant damage states (PDSs) and hence the frequencies of containment failure and bypass. The containment failure mode classes are defined at the end of this Appendix B.

Accident sequences leading to core damage are usually grouped into PDSs for the purpose of assessing the subsequent accident progression. A PDS is defined in such a way that all accident sequences binned into it can be treated identically in the accident progression analysis. That is, the PDS definition must recognize all distinctions that matter in the accident progression analysis. Once a set of PDSs is defined for a given reactor, containment performance is calculated for each PDS. It is clear that some PDSs will be more challenging to containment integrity than others (pressure, temperature, mechanical loading, etc.), and some PDSs will completely bypass containment. For example, an interfacing systems LOCA has the potential to completely bypass containment, while a transient event with loss of containment heat removal (CHR) will pose more of a challenge to containment integrity than a LOCA with the CHR systems operating. The PDSs are distributed into various containment failure modes (CFMs) to allow for assessment of the likely outcomes of the accident progression.

For the purpose of the simplified approach, sufficient Level 2 PRAs have been completed to permit the allocation of core damage accident sequences to appropriate CFMs. To allow comparison to the acceptance guidelines identified in this appendix, the approach has to distinguish between containment failure modes that might lead to early fatalities vs. those failure modes that will not cause early fatalities. Consequently, the failure modes were categorized as follows:

  • Early containment failure or bypass (potentially leading to large early release, i.e., early fatalities likely)
  • Late containment failure or containment intact (potentially not leading to large early release, i.e., early fatalities unlikely)

Once established, the frequencies of these categories can be determined and changes in the frequencies compared against the acceptance guidelines. A key advantage of this approach is that each accident sequence is allocated to a risk category based on the status of the plant. A scheme for allocating the various accident sequences to the categories is described below. An event tree has been developed for each containment type that allocates accident sequences to one of the categories. The intent is that each licensee will develop split fractions for most of the questions in the trees based on plant-specific accident sequences and characteristics. These trees prescribe a single question concerning the likelihood of early containment failure.


Each accident sequence from the Level 1 analysis can be processed through the trees with individual frequencies allocated to the various release categories. The sum of these individual accident frequencies determines the total frequency for each release category.

B.2 PWRs With Large Volume Containments

Figure B-1 presents an event tree that allows allocation of accident sequences to one of two categories for use with PRAs for PWRs with large dry or subatmospheric containments. Each accident sequence in a Level 1 PRA would be allocated to one of these categories based on the plant status as defined by the various accident sequences. This approach prescribes only a single question concerning the likelihood of containment failure at vessel breach (i.e., Question 5). The split fraction for this question reflects a reasonable estimate of the likelihood of early containment failure for large-volume containments given a high-or-low pressure core meltdown accident. However, if a licensee has justification for an alternative split fraction, this could be provided to support changes in the event tree quantification.

[Figure B-1 PWR Large Dry Containments. Event tree with column headings: 1 Core Damage; 2 Containment Isolated or Not Bypassed; 3 RCS Depress.; 4 ECC Restored Before Vessel Failure; 5 No Containment Failure at VB; 6 No Potential for Early Fatalities; Path; Large Early Release. Large Early Release by path: 1 No, 2 No, 3 No, 4 Yes, 5 No, 6 No, 7 No, 8 Yes, 9 No, 10 Yes.]

  • Note: In the case of seismic initiators, there is a possibility that effective warning and evacuation may be precluded due to the disruption of warning systems and evacuation paths. If the containment structure is predicted to survive the event, the likelihood of long-term containment heat removal should be investigated. If CHR is predicted to fail (for any set of reasons), the containment will eventually fail due to overpressurization, and the consequence category should be "yes" since it is unlikely that evacuation will occur.


Question 1: Core Damage Frequency?

This is simply the entry point for the tree. The frequency for the accident sequence under consideration is entered here.

Question 2: Containment Isolated or Not Bypassed?

This question includes accidents in which the containment fails to isolate, as well as accidents initiated by containment bypass (such as interfacing systems LOCAs and steam generator tube ruptures). This category is intended to apply only to accidents that bypass containment at accident initiation. Accident sequences that cause containment bypass (such as induced steam generator tube rupture (SGTR)) during accident progression after core damage are not included in this category. Accidents in which the containment is initially open have been found important during shutdown and would also be included in this category.

Question 3: RCS Depressurized?

For accidents initiated by transients and small break LOCAs, the reactor coolant system (RCS) will remain at high pressure unless the operators depressurize the RCS or the RCS pressure boundary fails. If the operators cannot depressurize the RCS, the accident sequence would be allocated to the "not depressurized" branch in the event tree. However, a licensee may wish to take credit for hot leg failure as a cause of RCS depressurization before vessel breach. Justification should be provided if such a failure mechanism is assumed. Intermediate- and large-break LOCAs and accidents in which the operators depressurize the primary system to below 200 psi would be allocated to the depressurized branch.

Question 4: ECC Restored Before Vessel Breach?

Accidents in which ECC is restored within 30 minutes of the start of core damage are assumed to arrest the accident progression without vessel breach. For these accidents, subsequent questions related to containment failure at vessel breach and the potential for early fatalities are not pertinent. If the ECC is not restored within 30 minutes, vessel breach is assumed to occur and all subsequent questions are pertinent.

Credit for in-vessel arresting of the accident will only be given for cases where recovering AC power will lead to the restoration of ECCS within 30 minutes of the onset of core damage. For example, no credit will be given for an operator manually depressurizing the reactor and using a low-pressure system between core damage and vessel breach. If cooling is restored within 30 minutes, the probability of successful arrest is assumed to be 1.0; if cooling is restored after 30 minutes, the probability of successful arrest is assumed to be 0.0.

Question 5: No Containment Failure at Vessel Breach?

The likelihood of containment failure at vessel breach depends on several factors, such as the pressure in the primary system, the amount and temperature of the core debris exiting the vessel, the size of the hole in the vessel, the amount of water in the cavity, the configuration of the cavity, and the structural capability of the containment building. In the simplified event tree, only the pressure in the primary system is distinguished so that all other considerations have to be folded into the split fractions for high- and low-pressure sequences. Each possibility is discussed below.

Low-pressure Sequences?

Under these circumstances, various mechanisms could challenge containment integrity. These include in-vessel steam explosions, rapid steam generation caused by core debris contacting water in the cavity, and hydrogen combustion. On the basis of previous PRAs, the probability of early containment failure is assumed to be 0.01. If a licensee does not consider this probability to be appropriate because of plant-specific considerations, the probability can be changed, but justification for the change should be provided.

High-Pressure Sequences?

Several mechanisms could challenge containment under these circumstances. In-vessel steam explosions are a potential failure mechanism, but it is more difficult to trigger steam explosions at high pressure than at low pressure. SGTR is also possible because of high temperatures and pressures during core meltdown. If induced SGTR occurs, a potential bypass of containment can result if the secondary system is open. However, the most important failure mechanisms for high-pressure core meltdown sequences are associated with high pressure melt ejection (HPME). Ejection of the core debris at high pressure can cause the core debris to form fine particles that can directly heat the containment atmosphere (i.e., DCH) and cause rapid pressure spikes. During HPME, the hot particles could also ignite any combustible gases in containment, thereby adding to the pressure pulse. The potential for DCH to cause containment failure depends on several factors, such as the primary system pressure, the size of the opening in the vessel, the temperature and composition of the core debris exiting the vessel, the amount of water in the cavity, and the dispersive characteristics of the reactor cavity. The probability of early containment failure is, therefore, a composite of each of these potential failure modes and is assumed to be 0.1. Again, a licensee can change this probability, provided that appropriate justification is provided.

The fraction of low- or high-pressure sequences that result in early containment failure at the time of the vessel breach have the potential to be allocated to the high-release category. The remaining fractions of the accident sequences (in which the containment remains intact) are allocated to the low-release category.

Question 6: No Potential for Early Fatalities?

The potential for early fatalities depends on the magnitude and timing of the release relative to two factors:

(1) the time elapsed from reactor scram to the time at which the release starts (particularly relevant to shutdown accidents).

(2) the time from the declaration of a general emergency to the time of the start of the release compared to the time required to effectively warn and evacuate the population in the vicinity of the plant.

During shutdown, for example, the early health risk from many internally initiated accidents is greatly reduced simply by the decay of the short-lived isotopes that affect early fatalities.


At full-power operation, this question allows long-term sequences, such as loss of CHR or other late over pressurization sequences to be placed in the low-release category without the need for a detailed evaluation of the ultimate containment response, since it is assumed that evacuation will occur before the release starts. Sequences originating from seismic initiators should all be associated with the potential for early fatality branch on the event tree. In order to place a sequence on the branch labeled no potential for early fatalities, a licensee should provide information, specific to the sequence, concerning when a general emergency would be declared and the expected time required to warn and evacuate the population.

For shutdown accidents, where the containment is essentially unisolated, the time available for evacuation is the time from declaration of a general emergency to the onset of core damage. For accidents at full power, the time available for evacuation is the time from the declaration of a general emergency to vessel breach. Unless otherwise justified, the licensee should use one hour from onset of core damage to vessel breach.

All Other Accidents

All accident sequences that do not fall into the above categories are assumed not to fail containment and, therefore, are allocated to the no "large early release" consequence bin category.

B.3 PWR Ice Condenser Containments

Figure B-2 provides a high-level containment event tree (CET) for ice condenser plants. As with large dry containments, outcomes of the CET for ice condenser plants are placed in a high consequence category if early failure occurs and the potential exists for early fatalities. Late failures, which generally occur as a result of failure of the long-term CHR systems, and all other accidents are assigned a low consequence category. (There is considerable similarity in the event trees for large dry and ice condenser containments, and many of the questions are similar.)

Question 1: Core Damage Frequency?

This is simply the entry point for the event tree. The frequency of the accident sequence under consideration is entered here.

Question 2: Containment Isolated or Not Bypassed?

This top event is similar to the first question asked in the event tree for large dry containments; a negative answer results in an outcome with the potential to be allocated to the "large early release" consequence category.

Question 3: Hydrogen Igniters Operating Before Core Damage?

The smaller volume containments, such as ice condensers, are critically dependent on the availability of hydrogen igniters to control pressure loads resulting from hydrogen combustion involving both static and dynamic loads. The annular design of the ice compartments lends itself to build up of hydrogen concentrations. There is a significant probability of a hydrogen combustion event causing containment failure if the igniters are not operating (regardless of whether core cooling was restored).


Question 4: RCS Depressurized?

If the RCS cannot be depressurized by operator action, core melt with the RCS remaining at high pressure will pose a severe threat to the containment integrity. For ice condenser plants, this can lead to HPME and DCH or impingement of the core debris on the containment wall in the seal table room, provided this vulnerability exists at the plant.

Question 5: ECC Restored Before Vessel Failure?

All accidents in which ECC is restored within 30 minutes of the start of core damage are assumed to arrest the accident progression without vessel breach. For these accidents, if the igniters are not operating there is the possibility of containment failure due to hydrogen combustion even if the core is retained in the vessel. If the igniters are operating, then it is assumed that the containment does not fail due to hydrogen combustion. If the ECC is not restored within 30 minutes, then vessel breach is assumed to occur. Credit for in-vessel arrest of the accident will only be given for cases where recovering AC power will lead to the restoration of ECCS within 30 minutes of the onset of core damage. For example, no credit will be given for an operator manually depressurizing the reactor and using a low pressure system to inject water between core damage and vessel breach. If cooling is restored within 30 minutes, the probability of successful arrest is assumed to be 1.0, and if cooling is restored after 30 minutes, the probability of successful arrest is assumed to be 0.0.


[Figure B-2 PWR Ice Condenser Containments. Event tree with top events: Core Damage (1); Containment Isolated or Not Bypassed (2); Igniters Operating Before Core Damage (3); RCS Depress. (4); ECCS Restored Before Vessel Failure (5); No Containment Failure at or Before VB (6); No Potential for Early Fatalities (7); followed by Path and Large Early Release columns.]

  • Note: In the case of seismic initiators, there is a possibility that effective warning and evacuation may be precluded due to the disruption of warning systems and evacuation paths. If the containment structure is predicted to survive the event, the likelihood of long-term containment heat removal should be investigated. If CHR is predicted to fail (for any set of reasons), the containment will eventually fail due to over pressurization, and the consequence category should be "yes" since it is unlikely that evacuation will occur.

Question 6: No Containment Failure at or Before Vessel Breach?

If the igniters are not operating, the potential exists for failure of the containment as a result of hydrogen combustion before the vessel breach. This failure can, therefore, occur even if the core damage is arrested in the vessel. The probability of a hydrogen combustion event causing containment failure before the vessel breach was determined to be 0.04. Again, if a licensee wishes to change this probability, appropriate justification should be provided. If the igniters are operating, the containment is assumed not to fail before the vessel.

As for the large dry containments, the likelihood of containment failure at vessel breach depends on several factors, such as the pressure in the primary system, the amount and temperature of the core debris exiting the vessel, the size of the hole in the vessel, whether or not the igniters are operating, the amount of ice left in the ice chests, the amount of water in the cavity, the configuration of the cavity, and the structural capability of the containment building. In the simplified event tree in Figure B-2, the pressure in the primary system, and the operability of the igniters, are considered so that all other considerations have to be folded into the appropriate split fractions in the event tree. Each possibility is discussed below.

Low-Pressure Sequences?

Under these circumstances, various mechanisms could challenge containment integrity including in-vessel steam explosions, rapid steam generation caused by core debris contacting water in the cavity, and hydrogen combustion. For ice condenser containments, the likelihood of these failure modes depends upon the operability of the igniters and the availability of ice in the condenser. On the basis of previous PRAs, the probabilities of early containment failure at or before vessel breach, with and without the igniters operating are given below:

                                            Igniters     Igniters
                                            Operating    Failed
Probability of Early Containment Failure    0.01         0.1

If a licensee considers either of these probabilities to be inappropriate because of plant specific considerations, the probabilities can be changed, but justification for the changes should be provided.

High-Pressure Sequences?

Ice condenser containments can be challenged by failure modes similar to those considered for large volume containments. In-vessel steam explosions are a potential failure mechanism, but it is more difficult to trigger steam explosions at high pressure than at low pressure.

SGTR is also possible because of high temperatures and pressures during core meltdown. If induced SGTR occurs, a potential bypass of containment can result if the secondary system is open. However, two important failure mechanisms are associated with HPME in ice condenser containments. The potential for DCH to cause failure of ice condenser containments depends on those factors found important for large volume containments.

However, ice remaining in the ice chest was also found to mitigate DCH for ice condenser containments. The second failure mechanism associated with HPME in ice condenser containments is impingement of corium on the containment wall, which can lead to failure and a direct path out of containment. Another important failure mechanism for ice condenser containments is hydrogen combustion at the time of vessel failure. The importance of this failure mechanism depends on the operability of the igniters.

The probability of early containment failure at or before vessel breach is, therefore, a composite of each of these potential failure modes as indicated below.

                                                        Igniters     Igniters
                                                        Operating    Failed
Conditional Probability of Early Containment Failure    0.05         0.2

Again, a licensee can change the above probabilities, provided that appropriate justification is furnished.

The fraction of low- or high-pressure sequences that result in early containment failure at the time of vessel breach have the potential to be allocated to the large early release category. The remaining fractions of the accident sequences (in which the containment remains intact) are allocated to the no "large early release" consequence category.

Question 7: No Potential for Early Fatalities?

The potential for early fatalities depends on the magnitude of the release and on the timing of the release relative to two factors: (1) the time elapsed from reactor scram to the time at which the release starts (particularly relevant to shutdown accidents) and (2) the time from the declaration of a general emergency to the time of the start of the release compared to the time required to effectively warn and evacuate the population in the vicinity of the plant.

During shutdown, for example, the early health risk from many internally initiated accidents is greatly reduced due simply to the decay of the short-lived isotopes which affect early fatalities. At full power operation, this question allows long-term sequences, such as loss of CHR or other late over pressurization sequences to be placed in the low release category without the need for a detailed evaluation of the ultimate containment response, since it is assumed that evacuation will occur before the release starts. Sequences originating from seismic initiators should all be placed on the potential for early fatality branch on the event tree. In order to place a sequence on the branch labeled no potential for early fatalities, a licensee should provide information, specific to the sequence, concerning when a general emergency would be declared and the expected time required to warn and evacuate the population. For shutdown accidents, where the containment is essentially unisolated, the time available for evacuation is the time from declaration of a general emergency to the onset of core damage. For accidents at full power, the time available for evacuation is the time from the declaration of a general emergency to vessel breach. Unless otherwise justified, the licensee should use one hour from onset of core damage to vessel breach (VB).

B.4 BWR Mark I Containment

Figure B-3 provides an event tree allowing allocation of accident sequences to one of two consequence categories for use with PRAs for BWRs with Mark I containments. The structure of the event tree is based on the premise that all early releases that are scrubbed by the suppression pool are sufficiently low that by themselves will not result in individual early fatality risk. Hence, if an early failure occurs with the functionality of the suppression pool intact, it is assumed that the early scrubbed releases will not pose an early fatality threat to the population within one mile of the plant boundary, and that this population will evacuate before substantial core concrete interaction releases or late iodine releases from pools are of a magnitude to cause individual early fatality risk (except in the case of a seismic event, as noted in Figure B-3). Each top event question in the event tree is discussed below.

The licensee would be expected to provide the split fractions for all questions with the exception of Question 7.

Question 1: Core Damage Frequency?

This is simply the entry point for the event tree. The frequency for the accident sequence under consideration is entered here.

Question 2: Containment Failed/Vented Prior to VB (Releases not scrubbed by suppression pool)?

This question involves the fraction of the core damage frequency where the containment is failed at the start of the accident or prior to vessel failure. Failures at the start of the accident include bypass sequences (Event V), containment isolation failures, and sequences where the containment is initially open. For example, during cold shutdown and refueling, if the containment is open and the vessel head is removed, no credit should be given for closing the containment in the presence of the radioactive environment within the containment.

Failures after the start of the accident can also occur due to insufficient containment heat removal, e.g., during an anticipated transient without scram (ATWS) or loss of containment heat removal. Loss of containment heat removal or other non-ATWS sequences where the only breach of containment integrity prior to vessel failure is through wetwell vents should be put into the "OK" category.

Question 3: Core Damage Arrested Prior to Vessel Failure?

This question accounts for the fact that some sequences may be arrested in-vessel without significant releases from the reactor pressure vessel (RPV). All arrested sequences are assigned to the low consequence category. Shutdown events where the vessel head has been removed should all be placed in the "Breach" category. Credit for in-vessel arresting of the accident will only be given for cases where recovering AC power will lead to the restoration of ECCS within 30 minutes of the onset of core damage. For example, no credit will be given for an operator manually depressurizing the reactor and using a low pressure system between core damage and vessel breach. If cooling is restored within 30 minutes, the probability of successful arrest is assumed to be 1.0, and if cooling is restored after 30 minutes, the probability of successful arrest is assumed to be 0.0. The inclusion of this event in the tree and the assignment of the success path to the low consequence category are based on the premise that the time window is sufficiently short that minimal in-vessel releases will occur and that they will have a high probability of being scrubbed by the suppression pool, including those from ATWS.

Question 4: No Potential for Early Fatalities?

Early fatalities are largely precluded if an effective evacuation has occurred; only a small fraction of the population is expected to remain behind. Therefore, this question considers the fraction of the remaining core damage frequency (excluding sequences that were arrested, as accounted for in the previous question) that involves an effective evacuation.

This question allows long-term sequences, such as loss of containment heat removal sequences (TW) or long-term boiloff sequences during shutdown, to be placed in the no "large early release" category without the need for a detailed evaluation of the ultimate containment response. Seismic sequences should all be placed in the potential for early fatality branch on the event tree. Note that to place a sequence on the branch labeled no potential for early fatalities, a licensee should provide information concerning when a general emergency would actually be declared and the expected evacuation time required. For shutdown sequences with the vessel head removed, the time available for evacuation is the time from declaration of a general emergency to the onset of core damage. For other sequences, the time available is the time from declaration of a general emergency to vessel breach. The licensee should use one hour for the time from onset of core damage to vessel breach.

[Figure B-3 BWR Mark I Containments. Event tree with top events: Core Damage (1); No Unscrubbed Containment Failure/Vent Before VB (2); Core Damage Arrested Without VB (3); No Potential for Early Fatalities (4); RPV Depress. (5); Water on Drywell Floor (6); No Unscrubbed Containment Failure at VB (7); followed by Path and Large Early Release columns.]

  • Note: In the case of seismic initiators, there is a possibility that effective warning and evacuation may be precluded due to the disruption of warning systems and evacuation paths. If the containment structure is predicted to survive the event, the likelihood of long-term containment heat removal should be investigated. If CHR is predicted to fail (for any set of reasons), the containment will eventually fail due to over pressurization, and the consequence category should be "yes" since it is unlikely that evacuation will occur.

Question 5: RPV Depressurization?

The containment failure probability will be impacted by the RPV pressure at vessel breach.

This question addresses the fraction of the remaining core damage frequency (excluding sequences accounted for by previous questions) that are at low versus high pressure. The top branch is the fraction at low pressure, and the bottom branch is the fraction at high pressure.

It is considered reasonable to use the pressure at the time of core damage, rather than the pressure at vessel breach, if the latter is not readily available. High pressure is considered to be anything above 200 psig in the vessel.

Question 6: Water on the Drywell Floor?

Water in the drywell will affect both the likelihood of ex-vessel steam explosions and the likelihood and consequences of liner meltthrough. Small amounts of water will have limited mitigating effects. It is believed that water levels in excess of 12" will be effective in substantially reducing the probability of meltthrough and/or partially scrubbing the releases.

In taking credit for such water, factors, such as the height of the downcomers, pumping capacity, and power availability, must be considered. For this question, the top branch is the fraction of the remaining sequences (excluding sequences accounted for by previous questions) in which at least 12" of water will be available, and the bottom branch is the fraction where 12" of water will not be available.

Question 7: Containment Failure At VB (Releases not scrubbed by suppression pool)?

Depending on the answers to Questions 5 and 6, the containment failure probability is assigned. These failure probabilities implicitly account for the following phenomena: alpha mode failure, ex-vessel steam explosions, vessel blowdown, liner meltthrough, and direct heating. They do not consider long-term failure modes, such as core-concrete interactions or long-term drywell heatup. Bypass events have been accounted for previously. The branch probabilities for these questions are predetermined (refer to Table B-1 below) and not calculated by the licensee. The licensee could change the probabilities by providing a suitable argument that plant-specific features affect the quantification. The licensee should consider plant-specific features that increase the containment failure and not only those plant-specific features that mitigate severe accidents.

Table B-1. Mark I Conditional Probabilities of Unscrubbed Containment Failure at Vessel Breach

Path    RPV Pressure    Water    Total Failure Prob
4       Lo              Yes      0.4
6       Lo              No       0.7
8       Hi              Yes      0.6
10      Hi              No       1.0
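The quantification described in Questions 1 through 7 and Table B-1 can be carried through as in the following Python sketch, which is an added example and not part of the guide. The sample split fractions are constructed, and the code assumes, as a reading of the text rather than a formula the guide states, that Questions 3 and 4 apply with the same split fractions on both branches of Question 2.

```python
"""Quantify the simplified BWR Mark I event tree (Questions 1-7, Table B-1)."""
from dataclasses import dataclass
from typing import Optional

ARREST_WINDOW_MIN = 30.0  # Question 3: ECCS restored within 30 minutes of core damage

# Table B-1: conditional probability of unscrubbed containment failure at
# vessel breach, keyed by (RPV pressure, at least 12 in. of water on the floor).
TABLE_B1 = {
    ("lo", True): 0.4,    # path 4
    ("lo", False): 0.7,   # path 6
    ("hi", True): 0.6,    # path 8
    ("hi", False): 1.0,   # path 10
}


@dataclass(frozen=True)
class Sequence:
    name: str
    cdf: float                         # Q1: core damage frequency, per reactor-year
    failed_before_vb: float            # Q2: fraction failed/vented (unscrubbed) before VB
    eccs_restore_min: Optional[float]  # Q3: minutes from core damage to ECCS restoration
                                       #     through AC power recovery; None = not restored
    no_early_fatality: float           # Q4: fraction with an effective evacuation
    low_pressure: float                # Q5: fraction at or below 200 psig
    water_on_floor: float              # Q6: fraction with at least 12 in. of water
    seismic: bool = False              # seismic initiators get no evacuation credit


FRACTION_FIELDS = ("failed_before_vb", "no_early_fatality",
                   "low_pressure", "water_on_floor")


def conditional_failure_at_vb(low_pressure: float, water_on_floor: float) -> float:
    """Q7: weight the Table B-1 probabilities by the Q5 and Q6 split fractions."""
    total = 0.0
    for (pressure, water), p_fail in TABLE_B1.items():
        f_pressure = low_pressure if pressure == "lo" else 1.0 - low_pressure
        f_water = water_on_floor if water else 1.0 - water_on_floor
        total += f_pressure * f_water * p_fail
    return total


def quantify(seq: Sequence) -> dict:
    """Split one sequence's frequency between the two consequence categories."""
    if seq.cdf < 0.0:
        raise ValueError("core damage frequency must be non-negative")
    for field_name in FRACTION_FIELDS:
        value = getattr(seq, field_name)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{field_name}={value} is not a split fraction in [0, 1]")

    # Q3: arrest probability is 1.0 within the 30-minute window, otherwise 0.0.
    restored_in_time = (seq.eccs_restore_min is not None
                        and seq.eccs_restore_min <= ARREST_WINDOW_MIN)
    p_arrest = 1.0 if restored_in_time else 0.0
    # Q4: seismic sequences all go on the "potential for early fatality" branch.
    p_evacuated = 0.0 if seq.seismic else seq.no_early_fatality

    # Assumption of this example: Q3 and Q4 apply to both branches of Q2.
    at_risk = seq.cdf * (1.0 - p_arrest) * (1.0 - p_evacuated)
    before_vb = at_risk * seq.failed_before_vb
    at_vb = (at_risk * (1.0 - seq.failed_before_vb)
             * conditional_failure_at_vb(seq.low_pressure, seq.water_on_floor))
    large_early = before_vb + at_vb
    return {
        "failure_before_vb": before_vb,
        "failure_at_vb": at_vb,
        "large_early_release": large_early,
        "no_large_early_release": seq.cdf - large_early,
    }


# Constructed sample sequence; every number below is illustrative only.
SAMPLE = Sequence("constructed sequence", cdf=1.0e-5, failed_before_vb=0.05,
                  eccs_restore_min=None, no_early_fatality=0.3,
                  low_pressure=0.8, water_on_floor=0.5)

if __name__ == "__main__":
    for label, frequency in quantify(SAMPLE).items():
        print(f"{label:24s} {frequency:.3e} per reactor-year")
```

A licensee who justifies plant-specific failure probabilities would change only the values in `TABLE_B1`; the split fractions for Questions 2 through 6 remain per-sequence inputs.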

B.5 BWR Mark II Containment

Figure B-4 provides an event tree which allows accident sequences to be allocated to one of two consequence categories for use with PRAs for BWRs with Mark II containments. The structure of the event tree is based on the premise that all early releases that are scrubbed by the suppression pool are sufficiently low that by themselves will not result in individual early fatality risk. Hence, if an early failure occurs with the functionality of the suppression pool intact, it is assumed that the early scrubbed releases will not pose an early fatality threat to the population within one mile of the plant boundary, and that this population will evacuate before substantial core concrete interaction releases or late iodine releases from pools are of a magnitude to cause individual early fatality risk (except in the case of a seismic event, as noted in Figure B-4). Each top event question in the event tree is discussed below.

The licensee would be expected to provide the split fractions for all questions with the exception of Question 7.

Question 1: Core Damage Frequency?

This is simply the entry point for the event tree. The frequency for the accident sequence under consideration is entered here.

Question 2: Containment Failed/Vented Prior to Vessel Breach (Releases not scrubbed by suppression pool)?

This question involves the fraction of the core damage frequency where the containment is failed or vented at the start of the accident or prior to vessel failure. Failures at the start of the accident include bypass sequences (Event V), containment isolation failures, and sequences where the containment is initially open. For example, during cold shutdown and refueling, if the containment is open and the vessel head is removed, no credit is given for closing the containment in the presence of the radioactive environment within the containment. Failures after the start of the accident can also occur due to insufficient containment heat removal, e.g., during ATWS or loss of containment heat removal. Loss of containment heat removal accompanied by drywell venting should be put into the "failed" category. Sequences where the only breach of containment integrity prior to vessel failure is through wetwell vents should be put into the "OK" category.

Question 3: Core Damage Arrested Prior to Vessel Failure?

This question accounts for the fact that some sequences may be arrested in-vessel without significant releases from the RPV. All arrested sequences are assigned to the no "large early release" consequence category. Shutdown events where the vessel head has been removed should all be placed in the "Breach" category. Credit for in-vessel arresting of the accident will only be given for cases where recovering AC power will lead to the restoration of ECCS within 30 minutes of the onset of core damage. For example, no credit will be given for an operator manually depressurizing the reactor and using a low pressure system between core damage and vessel breach. If cooling is restored within 30 minutes, the probability of successful arrest is assumed to be 1.0, and if cooling is restored after 30 minutes, the probability of successful arrest is assumed to be 0.0. The inclusion of this event in the tree and the assignment of the success path to the no "large early release" consequence category are based on the premise that the time window is sufficiently short that minimal in-vessel releases will occur and that they will have a high probability of being scrubbed by the suppression pool, including those from ATWS.

Question 4: No Potential for Early Fatalities?

Early fatalities are largely precluded if an effective evacuation has occurred; only a small fraction of the population is expected to remain behind. Therefore, this question considers the fraction of the remaining core damage frequency (excluding sequences that were arrested, as accounted for in the previous question) that involves an effective evacuation.

This question allows long-term sequences, such as loss of containment heat removal sequences (TW) or long-term boil off sequences during shutdown, to be placed in the no "large early release" category without the need for a detailed evaluation of the ultimate containment response. Seismic sequences should all be placed in the potential for early fatality branch on the event tree. Note that to place a sequence on the branch labeled no potential for early fatality, a licensee should provide information concerning when a general emergency would actually be declared and the expected evacuation time required. For shutdown sequences with the vessel head removed, the time available for evacuation is the time from declaration of a general emergency to the onset of core damage. For other sequences, the time available is the time from declaration of a general emergency to vessel breach. The licensee should use one hour for the time from onset of core damage to vessel breach.

Question 5: RPV Depressurization?

The containment failure probability will be impacted by the RPV pressure at vessel breach.

This question addresses the fraction of the remaining core damage frequency (excluding sequences accounted for by previous questions) that are at low versus high pressure. The top branch is the fraction at low pressure, and the bottom branch is the fraction at high pressure. It is considered reasonable to use the pressure at the time of core damage, rather than the pressure at vessel breach, if the latter is not readily available. High pressure is considered to be anything above 200 psig in the vessel.

Question 6: Water on the Pedestal or Drywell Floor?

Water in the pedestal will affect the likelihood of ex-vessel steam explosions in the pedestal and drain line (and downcomers, when located directly below the vessel). For this question, the top branch is the fraction of the remaining sequences (excluding sequences accounted for by previous questions) in which the pedestal is flooded, and the bottom branch is the fraction where the pedestal is not flooded.

Question 7: Containment Failure At Vessel Breach (Unscrubbed by Suppression Pool)?

Depending on the answers to Questions 5 and 6, the containment failure probability is assigned. These failure probabilities implicitly account for the following phenomena: alpha mode failure, ex-vessel steam explosions (in-pedestal and drain lines or downcomers), vessel blowdown, and direct heating. These failure probabilities do not include steel shell failure by melt impingement from core debris ejected from the pedestal cavity nor do they include failures in free standing steel shell containments from dynamic loads as a result of ex-vessel steam explosions in the suppression pool that can potentially occur if molten core debris exits the pedestal cavity and enters the pool through the downcomers (this latter failure mode was addressed by the Containment Loads Working Group and is discussed in NUREG-1079¹).

Plants that are vulnerable to these failures should modify the failure probabilities, taking into account the plant specific features that contribute to the vulnerability. The failure probabilities also do not consider long-term failure modes, such as core-concrete interactions or long-term drywell heatup. Bypass and events with containment failure or drywell venting have been accounted for previously. The branch probabilities for these questions are predetermined and are not calculated by the licensee. The licensee could change the probabilities by providing a suitable argument that plant-specific features affect the quantification. The licensee should consider plant-specific features that increase the containment failure such as for the steel shelled containment and not only those plant specific features that mitigate severe accidents.

¹ "Estimates of Early Containment Loads from Core Melt Accidents," Draft NUREG-1079, USNRC, December 1985. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.

[Figure B-4 BWR Mark II Containments. Event tree with top events: Core Damage (1); No Unscrubbed Containment Failure/Vent Before VB (2); Core Damage Arrested Without VB (3); No Potential for Early Fatalities (4); RPV Depress. (5); Water on Drywell Floor (6); No Unscrubbed Containment Failure at VB (7); followed by Path and Large Early Release columns.]

  • Note: In the case of seismic initiators, there is a possibility that effective warning and evacuation may be precluded due to the disruption of warning systems and evacuation paths. If the containment structure is predicted to survive the event, the likelihood of long-term containment heat removal should be investigated. If CHR is predicted to fail (for any set of reasons), the containment will eventually fail due to over pressurization, and the consequence category should be "yes" since it is unlikely that evacuation will occur.

Table B-2. Mark II Conditional Containment Failure Probabilities

Path  Pressure  Water  Total Failure Probability
4     Lo        Yes    0.1
6     Lo        No     0.3
8     Hi        Yes    0.3
10    Hi        No     0.3

B.6 BWR Mark III Containment

Figure B-5 provides an event tree which allows accident sequences to be allocated to one of two consequence categories for use with PRAs for BWRs with Mark III containments. The structure of the event tree is based on the premise that all early releases that are scrubbed by the suppression pool are sufficiently low that by themselves they will not result in individual early fatality risk. Hence, if an early failure occurs with the functionality of the suppression pool intact, it is assumed that the early scrubbed releases will not pose an early fatality threat to the population within one mile of the plant boundary, and that this population will evacuate before substantial core-concrete interaction releases or late iodine releases from pools are of a magnitude to cause individual early fatality risk (except in the case of a seismic event, as noted in Figure B-5). Each top event question in the event tree is discussed below.

The licensee would be expected to provide the split fractions for all questions with the exception of Question 7.

Special Note for Mark III Containments:

Mark III containments essentially have a double layer containment, with the drywell and suppression pool forming one layer and the outer containment structure forming the other layer. In the questions below, the term containment failure refers to containment functional failure and requires the following two conditions to both be met:

1. The outer containment is breached and
2. Either the drywell pressure boundary integrity is breached (e.g., by stuck-open drywell vacuum breaker, overpressure failure, or failure to isolate) or the suppression pool drains sufficiently to negate the scrubbing function of the suppression pool.


[Figure B-5. BWR Mark III Containments. Event tree; top events: (1) Core Damage, (2) No Unscrubbed Containment Failure/Vent Before VB, (3) Igniters Operating Before Core Damage, (4) Core Damage Arrested Without VB, (5) No Potential for Early Fatalities, (6) RPV Depress. Before VB, (7) No Unscrubbed Containment Failure Before or at VB; end-state columns: Path, Large Early Release.]

  • Note: In the case of seismic initiators, there is a possibility that effective warning and evacuation may be precluded due to the disruption of warning systems and evacuation paths. If the containment structure is predicted to survive the event, the likelihood of long-term containment heat removal should be investigated. If CHR is predicted to fail (for any set of reasons), the containment will eventually fail due to overpressurization, and the consequence category should be the "yes" category since it is unlikely that evacuation will occur.

Question 1: Core Damage Frequency?

This is simply the entry point for the event tree. The frequency for the accident sequence under consideration is entered here.

Question 2: Containment Failed/Vented Prior to VB (Releases not scrubbed by suppression pool)?

This question addresses a containment that failed at the start of the accident or prior to VB. Failures at the start of the accident include bypass sequences (Event V), containment isolation failures, and sequences where the containment is initially open. For example, during cold shutdown and refueling, if the containment is open and the vessel head is removed, no credit is given for closing the containment in the presence of the radioactive environment within the containment. Failures after accident initiation that are addressed here include those due to insufficient containment heat removal, e.g., during ATWS or loss of containment heat removal. Loss of containment heat removal or other non-ATWS sequences where the only breach of containment integrity prior to vessel failure is through wetwell vents should be put into the "OK" category. Containment failure due to uncontrolled hydrogen burns during core damage is considered in Question 7.

Question 3: Hydrogen Igniters Before CD?

This question involves the fraction of the core damage frequency in which the igniters are operating prior to core damage (CD). Nonactuation of the igniters prior to core damage increases the probability of an uncontrolled hydrogen burn.

Question 4: Core Damage Arrested Prior to Vessel Failure?

This question accounts for the fact that some sequences may be arrested in-vessel without significant releases from the RPV. All arrested sequences are assigned to the Low consequence category. Shutdown events where the vessel head has been removed should all be placed in the "Breach" category. Credit for in-vessel arresting of the accident will only be given for cases where recovering AC power will lead to the restoration of ECCS within 30 minutes of the onset of core damage. For example, no credit will be given for an operator manually depressurizing the reactor and using a low pressure system between core damage and vessel breach. If cooling is restored within 30 minutes, the probability of successful arrest is assumed to be 1.0, and if cooling is restored after 30 minutes, the probability of successful arrest is assumed to be 0.0. The inclusion of this event in the tree and the assignment of the success path to the no "large early release" consequence category are based on the premise that the time window is sufficiently short that minimal in-vessel releases will occur and that they will have a high probability of being scrubbed by the suppression pool, including those from ATWS.

Question 5: No Potential for Early Fatalities?

Early fatalities are largely precluded if an effective evacuation has occurred; only a small fraction of the population is expected to remain behind. Therefore, this question considers the fraction of the remaining core damage frequency (excluding sequences that were arrested, as accounted for in the previous question) that involves an effective evacuation.

This question allows long-term sequences, such as loss of containment heat removal sequences (TW) or long-term boiloff sequences during shutdown, to be placed in the Low category without the need for a detailed evaluation of the ultimate containment response.

Seismic sequences should all be placed in the potential for early fatality branch on the event tree. Note that to place a sequence on the branch labeled no potential for early fatality, a licensee should provide information concerning when a general emergency would actually be declared and the expected evacuation time required. For shutdown sequences with the vessel head removed, the time available for evacuation is the time from declaration of a general emergency to the onset of core damage. For other sequences, the time available is the time from declaration of a general emergency to vessel breach. The licensee should use one hour for the time from onset of core damage to vessel breach.


Question 6: RPV Depressurization?

The containment failure probability will be impacted by the RPV pressure at vessel breach.

This question addresses the fraction of the remaining core damage frequency (excluding sequences accounted for by previous questions) that are at low versus high pressure. The top branch is the fraction at low pressure, and the bottom branch is the fraction at high pressure. It is considered reasonable to use the pressure at the time of core damage, rather than the pressure at vessel breach, if the latter is not readily available. High pressure is considered to be anything above 200 psig in the vessel.

Question 7: Containment Failure Before or At VB (Releases not scrubbed by suppression pool)?

Depending on the answer to Questions 2 and 6, the containment failure probability is assigned. These failure probabilities (refer to Table B-3 below) implicitly account for the following phenomena: hydrogen burns before and at vessel failure, alpha-mode failure, ex-vessel steam explosions, vessel blowdown, and direct heating. They do not consider long-term failure modes, such as core-concrete interactions or long-term pedestal erosion. Bypass events have been accounted for previously. The branch probabilities for these questions are predetermined and are not calculated by the licensee. The licensee could change the probabilities by providing a suitable argument that plant-specific features affect the quantification. The licensee should consider plant-specific features that increase the containment failure and not only those plant-specific features that mitigate severe accidents.

Table B-3. Mark III Conditional Containment Failure Probabilities

Path  Igniters  Pressure  Total Failure Prob
4     Yes       Low       0.2
6     Yes       High      0.2
10    No        Low       0.2
12    No        High      0.3

Definition of Containment Failure Mode Classes

Early Structural Failure
Involves failure of the containment structure before, during, or slightly after reactor vessel failure, usually within a few hours of the start of core damage. A variety of mechanisms can cause early structure failure such as direct contact of the core debris with steel containments, rapid pressure and temperature loads, hydrogen combustion and missiles generated by fuel coolant interactions.

Containment Bypass
Involves failure of the pressure boundary between the high-pressure reactor coolant system and a low-pressure auxiliary system. For PWRs it can also occur because of the failure of the steam generator tubes, either as an initiating event or as a result of severe accident conditions. In these scenarios, if core damage occurs, a direct path to the environment can exist.

Containment Isolation Failure
Failure to isolate lines that penetrate the containment (the frequency of containment isolation failure includes the frequency of pre-existing unisolable leaks).

Late Structural Failure
Involves failure of the containment structure several hours after reactor vessel failure. A variety of mechanisms can cause late structure failure such as gradual pressure and temperature increases, hydrogen combustion, and basemat melt-through by the core debris.

Containment Venting
Venting is classified as either late or early containment failure depending upon when the vents are opened.


Regulatory Analysis

1. Statement of the Problem

During the past several years, both the Commission and the nuclear industry have recognized that probabilistic risk assessment (PRA) has evolved to the point that it can be used increasingly as a tool in regulatory decisionmaking. In August 1995 the Commission published a policy statement that articulated the view that increased use of PRA technology would 1) enhance regulatory decisionmaking, 2) allow for a more efficient use of agency resources, and 3) allow a reduction in unnecessary burdens on licensees. In order for this change in regulatory approach to occur, guidance must be developed describing acceptable means for increasing the use of PRA information in the regulation of nuclear power reactors.

2. Objective

To provide guidance to power reactor licensees and NRC staff reviewers on acceptable approaches for utilizing risk information (PRA) to support requests for changes in a plant's current licensing basis (CLB). It is intended that the regulatory changes addressed by this guidance should allow a focussing of both industry and NRC staff resources on the most important regulatory areas while providing for a reduction in burden on the resources of licensees. Specifically, guidance is to be provided in several areas that have been identified as having potential for this application. These applications include risk-informed inservice testing, technical specifications, and graded quality assurance.

3. Alternatives

The increased use of PRA information as described in the draft regulatory guides being developed for this purpose is voluntary. Licensees can continue to operate their plants under the existing procedures defined in their CLB. It is expected that licensees will choose to make changes in their current licensing bases to use the new approaches described in the draft regulatory guides only if it is perceived to be to their benefit to do so.

4. Consequences

Acceptance guidelines included in the draft regulatory guides state that only small increases in overall risk are to be allowed under the risk-informed program. Reducing the test frequency of valves identified to represent low risk as provided for under this program is an example of a potential contributor to a small increase in plant risk. However, an improved prioritization of industry and NRC staff resources, such that the most important areas associated with plant safety receive increased attention, should result in a corresponding contributor to a reduction in risk. Some of the possible impacts on plant risk cannot be readily quantified using present PRA techniques and must be evaluated qualitatively. The staff believes that the net effect of the risk changes associated with the risk-informed programs, as allowed using the guidelines in the draft regulatory guides, should result in a very small increase in risk, maintain a risk-neutral condition, or result in a net risk reduction in some cases.

5. Decision Rationale

It is believed that the changes in regulatory approach provided for in the draft regulatory guides being developed will result in a significant improvement in the allocation of resources both for the NRC and for the industry. At the same time, it is believed that this program can be implemented while maintaining an adequate level of safety at the plants that choose to implement risk-informed programs.

6. Implementation

It is intended that the set of risk-informed regulatory guides be published by the end of CY 1997.
