Regulatory Guide 1.174
| ML003740133 | |
|---|---|
| Issue date: | 07/31/1998 |
| From: | Office of Nuclear Regulatory Research |
U.S. NUCLEAR REGULATORY COMMISSION
REGULATORY GUIDE
OFFICE OF NUCLEAR REGULATORY RESEARCH
REGULATORY GUIDE 1.174 (Draft was Issued as DG-1061)
AN APPROACH FOR USING PROBABILISTIC RISK ASSESSMENT
IN RISK-INFORMED DECISIONS
ON PLANT-SPECIFIC CHANGES TO THE LICENSING BASIS
1. PURPOSE AND SCOPE
1.1 INTRODUCTION
The NRC's policy statement on probabilistic risk assessment (PRA) (Ref. 1) encourages greater use of this analysis technique to improve safety decisionmaking and improve regulatory efficiency. The NRC staff's PRA Implementation Plan (Ref. 2) describes activities now under way or planned to expand this use. These activities include, for example, providing guidance for NRC inspectors on focusing inspection resources on risk-important equipment, as well as reassessing plants with relatively high core damage frequencies for possible backfits.
Another activity under way in response to the policy statement is using PRA to support decisions to modify an individual plant's licensing basis (LB).1 This regulatory guide provides guidance on the use of PRA findings and risk insights in support of licensee requests for changes to a plant's LB, as in requests for license amendments and technical specification changes under Sections 50.90-92 of 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities." It does not address licensee-initiated changes to the LB that do NOT require NRC review and approval (e.g., changes to the facility as described in the final safety analysis report (FSAR), the subject of 10 CFR 50.59).
1 These are modifications to a plant's design, operation, or other activities that require NRC approval. These modifications could include items such as exemption requests under 10 CFR 50.11 and license amendments under 10 CFR 50.90.
Licensee-initiated LB changes that are consistent with currently approved staff positions (e.g., regulatory guides, standard review plans, branch technical positions, or the Standard Technical Specifications) are normally evaluated by the staff using traditional engineering analyses. A licensee would not be expected to submit risk information in support of the proposed change.
Licensee-initiated LB change requests that go beyond current staff positions may be evaluated by the staff using traditional engineering analyses as well as the risk-informed approach set forth in this regulatory guide. A licensee may be requested to submit supplemental risk information if such information is not submitted by the licensee. If risk information on the proposed LB change is not provided to the staff, the staff will review the information provided by the licensee to determine whether the application can be approved.
Based on the information provided, using traditional methods, the NRC staff will either approve or reject the application.
This regulatory guide describes an acceptable method for assessing the nature and impact of LB changes by a licensee when the licensee chooses to support (or is requested by the staff to support) these changes with risk information. The NRC staff would review these changes by considering engineering issues and applying risk insights. Licensees submitting risk information (whether on their own initiative or at the request of the staff) should address each of the principles of risk-informed regulation discussed in this regulatory guide. Licensees should identify how their chosen approaches and methods (whether quantitative or qualitative, deterministic or probabilistic), data, and criteria for considering risk are appropriate for the decision to be made.
The guidance provided here does not preclude other approaches for requesting changes to the LB. Rather, this regulatory guide is intended to improve consistency in regulatory decisions in areas in which the results of risk analyses are used to help justify regulatory action. As such, the principles, process, and approach discussed herein also provide useful guidance for the application of risk information to a broader set of activities than plant-specific changes to a plant's LB (i.e., generic activities), and licensees are encouraged to use this guidance in that regard.
1.2 BACKGROUND
During the last several years, both the NRC and the nuclear industry have recognized that PRA has evolved to the point that it can be used increasingly as a tool in regulatory decisionmaking. In August 1995, the NRC adopted the following policy statement (Ref. 1) regarding the expanded use of PRA.
- The use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.
- PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state of the art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal of additional regulatory requirements in accordance with 10 CFR 50.109 (Backfit Rule). Appropriate procedures for including PRA in the process for changing regulatory requirements should be developed and followed. It is, of course, understood that the intent of this policy is that existing rules and regulations shall be complied with unless these rules and regulations are revised.
- PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.
- The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on need for proposing and backfitting new generic requirements on nuclear power plant licensees.
In its approval of the policy statement, the Commission articulated its expectation that implementation of the policy statement will improve the regulatory process in three areas: foremost, through safety decisionmaking enhanced by the use of PRA insights; through more efficient use of agency resources; and through a reduction in unnecessary burdens on licensees.
In parallel with the publication of the policy statement, the staff developed an implementation plan to define and organize the PRA-related activities being undertaken (Ref. 2). These activities cover a wide range of PRA applications and involve the use of a variety of PRA methods (with variety including both types of models used and the detail of modeling needed). For example, one application involves the use of PRA in the assessment of operational events in reactors. The characteristics of these assessments permit relatively simple PRA models to be used. In contrast, other applications require the use of detailed models.
The activities described in the PRA Implementation Plan (Ref. 2), which is updated quarterly, relate to a number of agency interactions with the regulated industry. With respect to reactor regulation, activities include, for example, developing guidance for NRC inspectors on focusing inspection resources on risk-important equipment and reassessing plants with relatively high core-damage frequencies (CDF) for possible backfit.
This regulatory guide focuses on the use of PRA in a subset of the applications described in the staff's implementation plan. Its principal focus is the use of PRA findings and risk insights in decisions on proposed changes to a plant's LB.
This regulatory guide also makes use of the NRC's Safety Goal Policy Statement (Ref. 3). As discussed below, one key principle in risk-informed regulation is that proposed increases in CDF and risk are small and are consistent with the intent of the Commission's Safety Goal Policy Statement. The safety goals (and associated quantitative health objectives (QHOs)) define an acceptable level of risk that is a small fraction (0.1%) of other risks to which the public is exposed. The acceptance guidelines defined in this regulatory guide (in Section 2.2.4) are based on subsidiary objectives derived from the safety goals and their QHOs.
1.3 PURPOSE OF THIS REGULATORY GUIDE
Changes to many of the activities and design characteristics in a nuclear power plant's LB require NRC review and approval. This regulatory guide provides the staff's recommendations for using risk information in support of licensee-initiated LB changes requiring such review and approval. The guidance provided here does not preclude other approaches for requesting LB changes. Rather, this regulatory guide is intended to improve consistency in regulatory decisions in areas in which the results of risk analyses are used to help justify regulatory action. As such, this regulatory guide, the use of which is voluntary, provides general guidance concerning one approach that the NRC has determined to be acceptable for analyzing issues associated with proposed changes to a plant's LB and for assessing the impact of such proposed changes on the risk associated with plant design and operation. This guidance does not address the specific analyses needed for each nuclear power plant activity or design characteristic that may be amenable to risk-informed regulation.
1.4 SCOPE OF THIS REGULATORY GUIDE
This regulatory guide describes an acceptable approach for assessing the nature and impact of proposed LB changes by considering engineering issues and applying risk insights. Assessments should consider relevant safety margins and defense-in-depth attributes, including consideration of success criteria as well as equipment functionality, reliability, and availability. The analyses should reflect the actual design, construction, and operational practices of the plant. Acceptance guidelines for evaluating the results of such assessments are provided. This guide also addresses implementation strategies and performance monitoring plans associated with LB changes that will help ensure that assumptions and analyses supporting the change are verified.
Consideration of the Commission's Safety Goal Policy Statement (Ref. 3) is an important element in regulatory decisionmaking. Consequently, this regulatory guide provides acceptance guidelines consistent with this policy statement.
In theory, one could construct a more generous regulatory framework for consideration of those risk-informed changes that may have the effect of increasing risk to the public. Such a framework would include, of course, assurance of continued adequate protection (that level of protection of the public health and safety that must be reasonably assured regardless of economic cost). But it could also include provision for possible elimination of all measures not needed for adequate protection, which either do not effect a substantial reduction in overall risk or result in continuing costs that are not justified by the safety benefits. Instead, in this regulatory guide, the NRC has chosen a more restrictive policy that would permit only small increases in risk, and then only when it is reasonably assured, among other things, that sufficient defense in depth and sufficient margins are maintained. This policy is adopted because of uncertainties and to account for the fact that safety issues continue to emerge regarding design, construction, and operational matters notwithstanding the maturity of the nuclear power industry. These factors suggest that nuclear power reactors should operate routinely only at a prudent margin above adequate protection. The safety goal subsidiary objectives are used as an example of such a prudent margin.
Finally, this regulatory guide indicates an acceptable level of documentation that will enable the staff to reach a finding that the licensee has performed a sufficiently complete and scrutable analysis and that the results of the engineering evaluations support the licensee's request for a regulatory change.
1.5 RELATIONSHIP TO OTHER GUIDANCE DOCUMENTS
Directly relevant to this regulatory guide is the Standard Review Plan (SRP) designed to guide the NRC staff evaluations of licensee requests for changes to the LB that apply risk insights (Ref. 4), as well as guidance that is being developed in selected application-specific regulatory guides and the corresponding standard review plan chapters. Related regulatory guides are being developed on inservice testing, inservice inspection, graded quality assurance, and technical specifications (Refs. 5-8). An NRC contractor report (Ref. 9) is also available that provides a simple screening method for assessing one measure used in the regulatory guide, large early release frequency. The staff recognizes that the risk analyses necessary to support regulatory decisionmaking may vary with the relative weight that is given to the risk assessment element of the decisionmaking process. The burden is on the licensee who requests a change to the LB to justify that the chosen risk assessment approach, methods, and data are appropriate for the decision to be made.
The information collections contained in this regulatory guide are covered by the requirements of 10 CFR Part 50, which were approved by the Office of Management and Budget, approval number 3150-0011. The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.
2. AN ACCEPTABLE APPROACH TO RISK-INFORMED DECISIONMAKING
In its approval of the policy statement on the use of PRA methods in nuclear regulatory activities (Ref. 1), the Commission stated an expectation that "the use of PRA technology should be increased in all regulatory matters...in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy." The use of risk insights in licensee submittals requesting LB changes will assist the staff in the disposition of such licensee proposals.
The staff has defined an acceptable approach to analyzing and evaluating proposed LB changes. This approach supports the NRC's desire to base its decisions on the results of traditional engineering evaluations, supported by insights (derived from the use of PRA methods) about the risk significance of the proposed changes. Decisions concerning proposed changes are expected to be reached in an integrated fashion, considering traditional engineering and risk information, and may be based on qualitative factors as well as quantitative analyses and information.
In implementing risk-informed decisionmaking, LB changes are expected to meet a set of key principles. Some of these principles are written in terms typically used in traditional engineering decisions (e.g., defense in depth). While written in these terms, it should be understood that risk analysis techniques can be, and are encouraged to be, used to help ensure and show that these principles are met. These principles are:
1. The proposed change meets the current regulations unless it is explicitly related to a requested exemption or rule change, i.e., a "specific exemption" under 10 CFR 50.12 or a "petition for rulemaking" under 10 CFR 2.802.
2. The proposed change is consistent with the defense-in-depth philosophy.
3. The proposed change maintains sufficient safety
4. When proposed changes result in an increase in core damage frequency or risk, the increases should be small and consistent with the intent of the Commission's Safety Goal Policy Statement (Ref. 3).2
5. The impact of the proposed change should be monitored using performance measurement strategies.
Each of these principles should be considered in the risk-informed, integrated decisionmaking process, as illustrated in Figure 1.
The staff's proposed evaluation approach and acceptance guidelines follow from these principles. In implementing these principles, the staff expects that:
- All safety impacts of the proposed change are evaluated in an integrated manner as part of an overall risk management approach in which the licensee is using risk analysis to improve operational and engineering decisions broadly by identifying and taking advantage of opportunities to reduce risk, and not just to eliminate requirements the licensee sees as undesirable. For those cases when risk increases are proposed, the benefits should be described and should be commensurate with the proposed risk increases. The approach used to identify changes in requirements should be used to identify areas where requirements should be increased3 as well as where they can be reduced.
- The scope and quality of the engineering analyses (including traditional and probabilistic analyses) conducted to justify the proposed LB change should be appropriate for the nature and scope of the change, should be based on the as-built and as-operated and maintained plant, and should reflect operating experience at the plant.
2 For purposes of this guide, a proposed LB change that meets the acceptance guidelines discussed in Section 2.4 is considered to have met the intent of the policy statement.
3 The NRC staff is aware of but does not endorse guidelines that have been developed (e.g., by NEI/NUMARC) to assist in identifying potentially beneficial changes to requirements.
Figure 1. Principles of Risk-Informed Integrated Decisionmaking
- The plant-specific PRA supporting the licensee's proposals has been subjected to quality controls such as an independent peer review or certification.4
- Appropriate consideration of uncertainty is given in analyses and interpretation of findings, including using a program of monitoring, feedback, and corrective action to address significant uncertainties.
- The use of core damage frequency (CDF) and large early release frequency (LERF)5 as bases for PRA acceptance guidelines is an acceptable approach to addressing Principle 4. Use of the Commission's Safety Goal QHOs in lieu of LERF is acceptable in principle, and licensees may propose their use. However, in practice, implementing such an approach would require an extension to a Level 3 PRA, in which case the methods and assumptions used in the Level 3 analysis, and associated uncertainties, would require additional attention.
4 As discussed in Section 2.2.2 below, such a peer review or certification is not a replacement for NRC review. Certification is defined as a mechanism for assuring that a PRA, and the process of developing and maintaining that PRA, meets a set of technical standards established by a diverse group of personnel experienced in developing PRA models, performing PRAs, and performing quality reviews of PRAs. Such a process has been developed and integrated with a peer review process by, for example, the BWR Owners Group and implemented for the purpose of enhancing the quality of PRAs at several BWR facilities.
5 In this context, LERF is being used as a surrogate for the early fatality QHO. It is defined as the frequency of those accidents leading to significant, unmitigated releases from containment in a time frame prior to effective evacuation of the close-in population such that there is a potential for early health effects. Such accidents generally include unscrubbed releases associated with early isolation. This definition is consistent with accident analyses used in the safety goal screening criteria discussed in the Commission's regulatory analysis guidelines. An NRC contractor's report (Ref. 9) describes a simple screening approach for calculating LERF.
- Increases in estimated CDF and LERF resulting from proposed LB changes will be limited to small increments. The cumulative effect of such changes should be tracked and considered in the decision process.
- The acceptability of proposed changes should be evaluated by the licensee in an integrated fashion that ensures that all principles are met.6
- Data, methods, and assessment criteria used to support regulatory decisionmaking must be well documented and available for public review.
Given the principles of risk-informed decisionmaking discussed above, the staff has identified a four-element approach to evaluating proposed LB changes. This approach, which is presented graphically in Figure 2, acceptably supports the NRC's decisionmaking process. This approach is not sequential in nature; rather it is iterative.
2.1 ELEMENT 1: DEFINE THE PROPOSED CHANGE
Element 1 involves three primary activities. First, the licensee should identify those aspects of the plant's licensing bases that may be affected by the proposed change, including but not limited to rules and regulations, final safety analysis report (FSAR), technical specifications, licensing conditions, and licensing commitments. Second, the licensee should identify all structures, systems, and components (SSCs), procedures, and activities that are covered by the LB change being evaluated and should consider the original reasons for including each program requirement.
6 One important element of integrated decisionmaking can be the use of an "expert panel." Such a panel is not a necessary component of risk-informed decisionmaking, but when it is used, the key principles and associated decision criteria presented in this regulatory guide still apply and must be shown to have been met or to be irrelevant to the issue at hand.
Figure 2. Principal Elements of Risk-Informed, Plant-Specific Decisionmaking
When considering LB changes, a licensee may identify regulatory requirements or commitments in its LB that it believes are overly restrictive or unnecessary to ensure safety at the plant. Note that the corollary is also true; that is, licensees are also expected to identify design and operational aspects of the plant that should be enhanced consistent with an improved understanding of their safety significance. Such enhancements should be embodied in appropriate LB changes that reflect these enhancements.
Third, with this staff expectation in mind, the licensee should identify available engineering studies, methods, codes, applicable plant-specific and industry data and operational experience, PRA findings, and research and analysis results relevant to the proposed LB change. With particular regard to the plant-specific PRA, the licensee should assess the capability to use, refine, augment, and update system models as needed to support a risk assessment of the proposed LB change.
The above information should be used collectively to describe the LB change and to outline the method of analysis. The licensee should describe the proposed change and how it meets the objectives of the NRC's PRA Policy Statement (Ref. 1), including enhanced decisionmaking, more efficient use of resources, and reduction of unnecessary burden. In addition to improvements in reactor safety, this assessment may consider benefits from the LB change such as reduced fiscal and personnel resources and radiation exposure. The licensee should affirm that the proposed LB change meets the current regulations unless the proposed change is explicitly related to a proposed exemption or rule change (i.e., a "specific exemption" under 10 CFR 50.12 or a "petition for rulemaking" under 10 CFR 2.802).
2.1.1 Combined Change Requests
Licensee proposals may include several individual changes to the LB that have been evaluated and will be implemented in an integrated fashion. The staff expects that, with respect to the overall net change in risk, combined change requests (CCRs) will fall in one of two broad categories, each of which may be acceptable:
1. CCRs in which any individual change increases risk;
2. CCRs in which each individual change decreases risk.
In the first category, the contribution of each individual change in the CCR must be quantified in the risk assessment and the uncertainty of each individual change must be addressed. For CCRs in the second category, qualitative analysis may be sufficient for some or all individual changes. Guidelines for use in developing CCRs are discussed below.
2.1.2 Guidelines for Developing CCRs
The changes that make up a CCR should be related to one another, for example, by affecting the same single system or activity, by affecting the same safety function or accident sequence or group of sequences, or by being of the same type (e.g., changes in outage time allowed by technical specifications). However, this does not preclude acceptance of unrelated changes. When CCRs are submitted to the NRC staff for review, the relationships among the individual changes and how they have been modeled in the risk assessment should be addressed in detail, since this will control the characterization of the net result of the changes. Licensees should evaluate not only the individual changes but also the changes taken together against the safety principles and qualitative acceptance guidelines in Sections 2 and 2.2.1, respectively, of this regulatory guide. In addition, the acceptability of the cumulative impact of the changes that make up the CCR with respect to the quantitative acceptance guidelines discussed in Section 2.2.4 of this guide should be assessed.
In implementing CCRs in the first category, it is expected that the risk from significant accident sequences will not be increased and that the frequencies of the lower ranked contributors will not be increased so that they become significant contributors to risk. It is expected that no significant new sequences or cutsets will be created. In assessing the acceptability of CCRs, (1) risk increases related to the more likely initiating events (e.g., steam generator tube ruptures) should not be traded against improvements related to unlikely events (e.g., earthquakes) even if, for instance, they involve the same safety function, and (2) risk should be considered in addition to likelihood. The staff also expects that CCRs will lead to safety benefits such as simplifying plant operations or focusing resources on the most important safety items.
Proposed changes that modify one or more individual components of a previously approved CCR must also address the impact on the previously approved CCR. Specifically, the question to be addressed is whether the proposed modification would cause the previously approved CCR to not be acceptable. If the answer is yes, the submittal should address the actions the licensee is taking with respect to the previously approved CCR.
2.2 Element 2: Perform Engineering Analysis
The staff expects that the scope and quality of the engineering analyses conducted to justify the proposed LB change will be appropriate for the nature and scope of the change. The staff also expects that appropriate consideration will be given to uncertainty in the analysis and interpretation of findings. The licensee is expected to use judgment on the complexity and difficulty of implementing the proposed LB change to decide upon appropriate engineering analyses to support regulatory decisionmaking. Thus, the licensee should consider the appropriateness of qualitative and quantitative analyses, as well as analyses using traditional engineering approaches and those techniques associated with the use of PRA findings. Regardless of the analysis methods chosen, the licensee must show that the principles set forth in Section 2 have been met through the use of scrutable acceptance guidelines established for making that determination.
Some proposed LB changes can be characterized as involving the categorization of SSCs according to safety significance. An example is grading the application of quality assurance controls commensurate with the safety significance of equipment. Like other applications, the staff's review of LB change requests for applications involving safety categorization will be according to the acceptance guidelines associated with each key principle presented in this regulatory guide, unless equivalent guidelines are proposed by the licensee. Since risk importance measures are often used in such categorizations, guidance on their use is provided in Appendix A to this regulatory guide. Other application-specific guidance documents address guidelines associated with the adequacy of programs (in this example, quality controls) implemented for different safety-significant categories (e.g., more safety significant and less safety significant). Licensees are encouraged to apply risk-informed findings and insights to decisions (and potential LB requests).
As part of the second element, the licensee will evaluate the proposed LB change with regard to the principles that adequate defense-in-depth is maintained, that sufficient safety margins are maintained, and that proposed increases in core damage frequency and risk are small and are consistent with the intent of the Commission's Safety Goal Policy Statement.
2.2.1 Evaluation of Defense-in-Depth Attributes and Safety Margins One aspect of the engineering evaluations is to show that the fundamental safety principles on which the plant design was based are not compromised. De sign basis accidents (DBAs) play a central role in nu clear power plant design. DBAs are a combination of postulated challenges and failure events against which plants are designed to ensure adequate and safe plant re sponse. During the design process, plant response and associated safety margins are evaluated using assump tions that are intended to be conservative. National standards and other considerations such as defense-in depth attributes and the single failure criterion consti tute additional engineering considerations that influ ence plant design and operation. Margins and defenses associatedwith these considerations maybe affected by the licensee's proposed LB change and, therefore, should be reevaluated to support a requested LB
change. As part of this evaluation, the impact of the pro posed LB change on affected equipment functionality, reliability, and availability should be determined.
2.2.1.1 Defense in Depth
The engineering evaluation should evaluate whether the impact of the proposed LB change (individually and cumulatively) is consistent with the defense-in-depth philosophy. In this regard, the intent of the principle is to ensure that the philosophy of defense in depth is maintained, not to prevent changes in the way defense in depth is achieved. The defense-in-depth philosophy has traditionally been applied in reactor design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It has been and continues to be an effective way to account for uncertainties in equipment and human performance. If a comprehensive risk analysis is done, it can be used to help determine the appropriate extent of defense in depth (e.g., balance among core damage prevention, containment failure, and consequence mitigation) to ensure protection of public health and safety. When a comprehensive risk analysis is not or cannot be done, traditional defense-in-depth considerations should be used or maintained to account for uncertainties. The evaluation should consider the intent of the general design criteria, national standards, and engineering principles such as the single failure criterion. Further, the evaluation should consider the impact of the proposed LB change on barriers (both preventive and mitigative) to core damage, containment failure or bypass, and the balance among defense-in-depth attributes. As stated earlier, the licensee should select the engineering analysis techniques, whether quantitative or qualitative, traditional or probabilistic, appropriate to the proposed LB change.
The licensee should assess whether the proposed LB change meets the defense-in-depth principle. Defense in depth consists of a number of elements, as summarized below. These elements can be used as guidelines for making that assessment. Other equivalent acceptance guidelines may also be used.
Consistency with the defense-in-depth philosophy is maintained if:
* A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation.
* Over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided.
* System redundancy, independence, and diversity are preserved commensurate with the expected frequency, consequences of challenges to the system, and uncertainties (e.g., no risk outliers).
* Defenses against potential common cause failures are preserved, and the potential for the introduction of new common cause failure mechanisms is assessed.
* Independence of barriers is not degraded.
* Defenses against human errors are preserved.
* The intent of the General Design Criteria in Appendix A to 10 CFR Part 50 is maintained.
2.2.1.2 Safety Margins
The engineering evaluation should assess whether the impact of the proposed LB change is consistent with the principle that sufficient safety margins are maintained. Here also, the licensee is expected to choose the method of engineering analysis appropriate for evaluating whether sufficient safety margins would be maintained if the proposed LB change were implemented. An acceptable set of guidelines for making that assessment is summarized below. Other equivalent acceptance guidelines may also be used. With sufficient safety margins:
* Codes and standards or their alternatives approved for use by the NRC are met.
* Safety analysis acceptance criteria in the LB (e.g., FSAR, supporting analyses) are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainty.
Application-specific guidelines reflecting this general guidance are being developed and may be found in the application-specific regulatory guides (Refs. 5-8).
2.2.2 Evaluation of Risk Impact, Including Treatment of Uncertainties
The licensee's risk assessment may be used to address the principle that proposed increases in CDF and risk are small and are consistent with the intent of the NRC's Safety Goal Policy Statement (Ref. 3). For purposes of implementation, the licensee should assess the expected change in CDF and LERF. The necessary sophistication of the evaluation, including the scope of the PRA (e.g., internal events only, full power only), depends on the contribution the risk assessment makes to the integrated decisionmaking, which depends to some extent on the magnitude of the potential risk impact. For LB changes that may have a more substantial impact, an in-depth and comprehensive PRA analysis, one appropriate to derive a quantified estimate of the total impact of the proposed LB change, will be necessary to provide adequate justification. In other applications, calculated risk importance measures or bounding estimates will be adequate. In still others, a qualitative assessment of the impact of the LB change on the plant's risk may be sufficient.
The remainder of this section discusses the use of quantitative PRA results in decisionmaking. This discussion has three parts:
* A fundamental element of NRC's risk-informed regulatory process is a PRA of sufficient quality and scope for the intended application. Section 2.2.3 discusses the staff's expectations with respect to the needed PRA's scope, level of detail, and quality.
* PRA results are to be used in this decisionmaking process in two ways: to assess the overall baseline CDF/LERF of the plant and to assess the CDF/LERF impact of the proposed change. Section 2.2.4 discusses the acceptance guidelines to be used by the staff for each of these measures.
* One of the strengths of the PRA framework is its ability to characterize the impact of uncertainty in the analysis, and it is essential that these uncertainties be recognized when assessing whether the principles are being met. Section 2.2.5 provides guidelines on how the uncertainty is to be addressed in the decisionmaking process.
The staff's decision on the proposed LB change will be based on its independent judgment and review of the entire application.
2.2.3 Scope, Level of Detail, and Quality of the PRA
The scope, level of detail, and quality of the PRA is to be commensurate with the application for which it is intended and the role the PRA results play in the integrated decision process. The more emphasis that is put on the risk insights and on PRA results in the decisionmaking process, the more requirements that have to be placed on the PRA, in terms of both scope and how well the risk and the change in risk is assessed.
Conversely, emphasis on the PRA scope and quality can be reduced if a proposed change to the LB results in a risk decrease or is very small, or if the decision could be based mostly on traditional engineering arguments, or if compensating measures are proposed such that it can be convincingly argued that the change is very small.
Since this Regulatory Guide 1.174 is intended for a variety of applications, the required quality and level of detail may vary. One overriding requirement is that the PRA should realistically reflect the actual design, construction, operational practices, and operational experience of the plant and its owner. This should include the licensee's voluntary actions as well as regulatory requirements, and the PRA used to support risk-informed decisionmaking should also reflect the impact of previous changes made to the LB.
2.2.3.1 Scope
Although the assessment of the risk implications in light of the acceptance guidelines discussed in Section 2.2.4 requires that all plant operating modes and initiating events be addressed, it is not necessary to have a PRA that treats all these modes and initiating events. A qualitative treatment of the missing modes and initiators may be sufficient in many cases. Section 2.2.5 discusses this further.
2.2.3.2 Level of Detail Required To Support an Application
The level of detail required of the PRA is that which is sufficient to model the impact of the proposed change. The characterization of the problem should include establishing a cause-effect relationship to identify portions of the PRA affected by the issue being evaluated. Full-scale applications of the PRA should reflect this cause-effect relationship in a quantification of the impact on the PRA elements. For applications like component categorization, sensitivity studies on the effects of the change may be sufficient. For other applications it may be adequate to define the qualitative relationship of the impact on the PRA elements or only identify which elements are impacted.
If the impacts of a change to the plant cannot be associated with elements of the PRA, the PRA should be modified accordingly or the impact of the change should be evaluated qualitatively as part of the decisionmaking process (or expert panel process). In any case, the effects of the changes on the reliability and unavailability of systems, structures, and components or on operator actions should be appropriately accounted for.
2.2.3.3 PRA Quality
In the current context, quality will be defined as measuring the adequacy of the actual modeling. A PRA used in risk-informed regulation should be performed correctly, in a manner that is consistent with accepted practices, commensurate with the scope and level of detail required as discussed above. One approach a licensee could use to ensure quality is to perform a peer review of the PRA. In this case, the submittal should document the review process, the qualification of the reviewers, the summarized review findings, and resolutions to these findings where applicable. Industry PRA certification programs and PRA cross-comparison studies could also be used to help ensure appropriate scope, level of detail, and quality of the PRA. If such programs or studies are to be used, a description of the program, including the approach and standard or guidelines to which the PRA is compared, the depth of the review, and the make-up and qualifications of the personnel involved should be provided for NRC review. Based on the peer review or certification process and on the findings from this process, the licensee should justify why the PRA is adequate for the present application in terms of scope and quality. A staff review cannot be replaced in its entirety by a peer review, a certification, or cross-comparison, although the more confidence the staff has in the review that has been performed for the licensee, the less rigor should be expected in the staff review.
The NRC has not developed its own formal standard nor endorsed an industry standard for a PRA submitted in support of applications governed by this regulatory guide. However, the NRC supports ongoing initiatives to develop a standard and expects that one will be available in the future. In the interim, the NRC staff will evaluate PRAs submitted in support of specific applications using the guidelines given in Chapter 19 of its Standard Review Plan (Ref. 4). The staff expects to feed back the experience gained from these reviews into the standards development process so that ultimately a standard can be developed that is suitable for regulatory decisionmaking as described in this guide. In addition, the references and bibliography provide information that licensees may find useful in deciding on the acceptability of their PRA.
2.2.4 Acceptance Guidelines
The risk-acceptance guidelines presented in this regulatory guide are based on the principles and expectations for risk-informed regulation discussed in Section 2, and they are structured as follows. Regions are established in the two planes generated by a measure of the baseline risk metric (CDF or LERF) along the x-axis, and the change in those metrics (ΔCDF or ΔLERF) along the y-axis (Figures 3 and 4), and acceptance guidelines are established for each region as discussed below. These guidelines are intended for comparison with a full-scope (including internal events, external events, full power, low power, and shutdown) assessment of the change in risk metric, and when necessary, as discussed below, the baseline value of the risk metric (CDF or LERF). However, it is recognized that many PRAs are not full scope and PRA information of less than full scope may be acceptable as discussed in Section 2.2.5 of this regulatory guide.
[Figure 3 plot not reproduced; axes: ΔCDF versus CDF]
Figure 3. Acceptance Guidelines* for Core Damage Frequency (CDF)
[Figure 4 plot not reproduced; axes: ΔLERF versus LERF]
Figure 4. Acceptance Guidelines* for Large Early Release Frequency (LERF)
* The analysis will be subject to increased technical review and management attention as indicated by the darkness of the shading of the figure. In the context of the integrated decisionmaking, the boundaries between regions should not be interpreted as being definitive; the numerical values associated with defining the regions in the figure are to be interpreted as indicative values only.
There are two sets of acceptance guidelines, one for CDF and one for LERF, and both sets should be used.
* If the application clearly can be shown to result in a decrease in CDF, the change will be considered to have satisfied the relevant principle of risk-informed regulation with respect to CDF. (Because Figure 3 is drawn on a log scale, this region is not explicitly indicated on the figure.)
* When the calculated increase in CDF is very small, which is taken as being less than 10^-6 per reactor year, the change will be considered regardless of whether there is a calculation of the total CDF (Region III). While there is no requirement to calculate the total CDF, if there is an indication that the CDF may be considerably higher than 10^-4 per reactor year, the focus should be on finding ways to decrease rather than increase it. Such an indication would result, for example, if (1) the contribution to CDF calculated from a limited scope analysis, such as the individual plant examination (IPE) or the individual plant examination of external events (IPEEE), significantly exceeds 10^-4, (2) a potential vulnerability has been identified from a margins-type analysis, or (3) historical experience at the plant in question has indicated a potential safety concern.
* When the calculated increase in CDF is in the range of 10^-6 per reactor year to 10^-5 per reactor year, applications will be considered only if it can be reasonably shown that the total CDF is less than 10^-4 per reactor year (Region II).
* Applications that result in increases to CDF above 10^-5 per reactor year (Region I) would not normally be considered.
AND
* If the application clearly can be shown to result in a decrease in LERF, the change will be considered to have satisfied the relevant principle of risk-informed regulation with respect to LERF. (Because Figure 4 is drawn with a log scale, this region is not explicitly indicated on the figure.)
* When the calculated increase in LERF is very small, which is taken as being less than 10^-7 per reactor year, the change will be considered regardless of whether there is a calculation of the total LERF (Region III). While there is no requirement to calculate the total LERF, if there is an indication that the LERF may be considerably higher than 10^-5 per reactor year, the focus should be on finding ways to decrease rather than increase it. Such an indication would result, for example, if (1) the contribution to LERF calculated from a limited scope analysis, such as the IPE or the IPEEE, significantly exceeds 10^-5, (2) a potential vulnerability has been identified from a margins-type analysis, or (3) historical experience at the plant in question has indicated a potential safety concern.
* When the calculated increase in LERF is in the range of 10^-7 per reactor year to 10^-6 per reactor year, applications will be considered only if it can be reasonably shown that the total LERF is less than 10^-5 per reactor year (Region II).
* Applications that result in increases to LERF above 10^-6 per reactor year (Region I) would not normally be considered.
These guidelines are intended to provide assurance that proposed increases in CDF and LERF are small and are consistent with the intent of the Commission's Safety Goal Policy Statement.
As indicated by the shading on the figures, the change request will be subject to an NRC technical and management review that will become more intensive when the calculated results are closer to the region boundaries.
The guidelines discussed above are applicable for full power, low power, and shutdown operations. However, during certain shutdown operations when the containment function is not maintained, the LERF guideline as defined above is not practical. In those cases, licensees may use more stringent baseline CDF guidelines (e.g., 10^-5 per reactor year) to maintain an equivalent risk profile or may propose an alternative guideline to LERF that meets the intent of Principle 4 (see Figure 1).
The technical review that relates to the risk evaluation will address the scope, quality, and robustness of the analysis, including consideration of uncertainties as discussed in the next section. Aspects covered by the management review are discussed in Section 2.2.6, Integrated Decisionmaking, and include factors that are not amenable to PRA evaluation.
2.2.5 Comparison of PRA Results with the Acceptance Guidelines
This section provides guidance on comparing the results of the PRA with the acceptance guidelines described in Section 2.2.4. In the context of integrated decisionmaking, the acceptance guidelines should not be interpreted as being overly prescriptive. They are intended to provide an indication, in numerical terms, of what is considered acceptable. As such, the numerical values associated with defining the regions in Figures 3 and 4 of this regulatory guide are approximate values that provide an indication of the changes that are generally acceptable. Furthermore, the state of knowledge, or epistemic, uncertainties associated with PRA calculations preclude a definitive decision with respect to which region the application belongs in based purely on the numerical results.
The intent of comparing the PRA results with the acceptance guidelines is to demonstrate with reasonable assurance that Principle 4, discussed in Section 2, is being met. This decision must be based on a full understanding of the contributors to the PRA results and the impacts of the uncertainties, both those that are explicitly accounted for in the results and those that are not. This is a somewhat subjective process, and the reasoning behind the decisions must be well documented. Guidance on what should be addressed follows in Section 2.2.5.4; but first, the types of uncertainty that impact PRA results and methods typically used for their analysis are briefly discussed. More information can be found in some of the publications in the Bibliography.
2.2.5.1 Types of Uncertainty and Methods of Analysis
There are two facets to uncertainty that, because of their natures, must be treated differently when creating models of complex systems. They have recently been termed aleatory and epistemic uncertainty. The aleatory uncertainty is that addressed when the events or phenomena being modeled are characterized as occurring in a "random" or "stochastic" manner, and probabilistic models are adopted to describe their occurrences. It is this aspect of uncertainty that gives PRA the probabilistic part of its name. The epistemic uncertainty is that associated with the analyst's confidence in the predictions of the PRA model itself, and it reflects the analyst's assessment of how well the PRA model represents the actual system being modeled. This has been referred to as state-of-knowledge uncertainty. In this section, it is the epistemic uncertainty that is discussed; the aleatory uncertainty is built into the structure of the PRA model itself.
Because they are generally characterized and treated differently, it is useful to identify three classes of uncertainty that are addressed in and impact the results of PRAs: parameter uncertainty, model uncertainty, and completeness uncertainty. Completeness uncertainty can be regarded as one aspect of model uncertainty, but because of its importance, it is discussed separately. The Bibliography may be consulted for additional information on definitions of terms and approaches to the treatment of uncertainty in PRAs.
2.2.5.2 Parameter Uncertainty
Each of the models that is used, either to develop the PRA logic structure or to represent the basic events of that structure, has one or more parameters. Typically, each of these models (e.g., the Poisson model for initiating events) is assumed to be appropriate. However, the parameter values for these models are often not known perfectly. Parameter uncertainties are those associated with the values of the fundamental parameters of the PRA model, such as equipment failure rates, initiating event frequencies, and human error probabilities that are used in the quantification of the accident sequence frequencies. They are typically characterized by establishing probability distributions on the parameter values. These distributions can be interpreted as expressing the analyst's degree of belief in the values these parameters could take, based on his state of knowledge and conditional on the underlying model being correct. It is straightforward and within the capability of most PRA codes to propagate the distribution representing uncertainty on the basic parameter values to generate a probability distribution on the results (e.g., CDF, accident sequence frequencies, LERF) of the PRA. However, the analysis must be done to correlate the sample values for different PRA elements from a group to which the same parameter value applies (the so-called state-of-knowledge dependency; see Ref. 10).
2.2.5.3 Model Uncertainty
The development of the PRA model is supported by the use of models for specific events or phenomena. In many cases, the industry's state of knowledge is incomplete, and there may be different opinions on how the models should be formulated. Examples include approaches to modeling human performance, common cause failures, and reactor coolant pump seal behavior upon loss of seal cooling. This gives rise to model uncertainty. In many cases, the appropriateness of the models adopted is not questioned and these models have become, de facto, the standard models to use. Examples include the use of Poisson and binomial models to characterize the probability of occurrence of component failures. For some issues with well formulated alternative models, PRAs have addressed model uncertainty by using discrete distributions over the alternative models, with the probability associated with a specific model representing the analyst's degree of belief that that model is the most appropriate. A good example is the characterization of seismic hazard, as different hypotheses lead to different hazard curves, which can be used to develop a discrete probability distribution of the initiating event frequency for earthquakes. Other examples can be found in the Level 2 analysis.
Another approach to addressing model uncertainty has been to adjust the results of a single model through the use of an adjustment factor. However it is formulated, an explicit representation of model uncertainty can be propagated through the analysis in the same way as parameter uncertainty. More typically, however, particularly in the Level 1 analysis, the use of different models would result in the need for a different structure (e.g., with different thermal hydraulic models used to determine success criteria). In such cases, uncertainties in the choice of an appropriate model are typically addressed by making assumptions and, as in the case of the component failure models discussed above, adopting a specific model.
PRAs model the continuum of possible plant states in a discrete way, and are, by their very nature, approximate models of the world. This results in some random (aleatory) aspects of the 'world' not being addressed except in a bounding way, e.g., different realizations of an accident sequence corresponding to different LOCA sizes (within a category) are treated by assuming a bounding LOCA, time of failure of an operating component assumed to occur at the moment of demand. These approximations introduce biases (uncertainties) into the results.
In interpreting the results of a PRA, it is important to develop an understanding of the impact of a specific assumption or choice of model on the predictions of the PRA. This is true even when the model uncertainty is treated probabilistically, since the probabilities, or weights, given to different models would be subjective. The impact of using alternative assumptions or models may be addressed by performing appropriate sensitivity studies, or they may be addressed using qualitative arguments, based on an understanding of the contributors to the results and how they are impacted by the change in assumptions or models. The impact of making specific modeling approximations may be explored in a similar manner.
2.2.5.3 Completeness Uncertainty
Completeness is not in itself an uncertainty, but a reflection of scope limitations. The result is, however, an uncertainty about where the true risk lies. The problem with completeness uncertainty is that because it reflects an unanalyzed contribution, it is difficult (if not impossible) to estimate its magnitude. Some contributions are unanalyzed not because methods are not available, but because they have not been refined to the level of the analysis of internal events. Examples are the analysis of some external events and the low power and shutdown modes of operation. There are issues, however, for which methods of analysis have not been developed, and they have to be accepted as potential limitations of the technology. Thus, for example, the impact on actual plant risk from unanalyzed issues such as the influences of organizational performance cannot now be explicitly assessed.
The issue of completeness of scope of a PRA can be addressed for those scope items for which methods are in principle available, and therefore some understanding of the contribution to risk exists, by supplementing the analysis with additional analysis to enlarge the scope, using more restrictive acceptance guidelines, or by providing arguments that, for the application of concern, the out-of-scope contributors are not significant. Approaches acceptable to the NRC staff for dealing with incompleteness are discussed in the next section.
2.2.5.4 Comparisons with Acceptance Guidelines
The different regions of the acceptance guidelines require different depths of analysis. Changes resulting in a net decrease in the CDF and LERF estimates do not require an assessment of the calculated baseline CDF and LERF. Generally, it should be possible to argue on the basis of an understanding of the contributors and the changes that are being made that the overall impact is indeed a decrease, without the need for a detailed quantitative analysis.
If the calculated values of CDF and LERF are very small, as defined by Region III in Figures 3 and 4, a detailed quantitative assessment of the baseline value of CDF and LERF will not be necessary. However, if there is an indication that the CDF or LERF could considerably exceed 10^-4 and 10^-5 respectively, in order for the change to be considered, the licensee may be required to present arguments as to why steps should not be taken to reduce CDF or LERF. Such an indication would result, for example, if (1) the contribution to CDF or LERF calculated from a limited scope analysis, such as the IPE or the IPEEE, significantly exceeds 10^-4 and 10^-5 respectively, (2) there has been an identification of a potential vulnerability from a margins-type analysis, or (3) historical experience at the plant in question has indicated a potential safety concern.
For larger values of ΔCDF and ΔLERF, which lie in the range used to define Region II, an assessment of the baseline CDF and LERF is required.
To demonstrate compliance with the numerical guidelines, the level of detail required in the assessment of the values and the analysis of uncertainty related to model and incompleteness issues will depend on both (1) the LB change being considered and (2) the importance of the demonstration that Principle 4 has been met. In Region III of Figures 3 and 4, the closer the estimates of ΔCDF or ΔLERF are to their corresponding acceptance guidelines, the more detail will be required. Similarly, in Region II of Figures 3 and 4, the closer the estimates of ΔCDF or ΔLERF and CDF and LERF are to their corresponding acceptance guidelines, the more detail will be required. In a contrasting example, if the estimated value of a particular metric is very small compared to the acceptance goal, a simple bounding analysis may suffice with no need for a detailed uncertainty analysis.
Because of the way the acceptance guidelines were developed, the appropriate numerical measures to use in the initial comparison of the PRA results to the acceptance guidelines are mean values. The mean values referred to are the means of the probability distributions that result from the propagation of the uncertainties on the input parameters and those model uncertainties explicitly represented in the model. While a formal propagation of the uncertainty is the best way to correctly account for state-of-knowledge uncertainties that arise from the use of the same parameter values for several basic event probability models, under certain circumstances, a formal propagation of uncertainty may not be required if it can be demonstrated that the state-of-knowledge correlation is unimportant. This will involve, for example, a demonstration that the bulk of the contributing scenarios (cutsets or accident sequences) do not involve multiple events that rely on the same parameter for their quantification.
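The state-of-knowledge dependency named in Section 2.2.5.2, and the reason the paragraph above asks for mean values from a formal propagation, can be shown numerically. The Python sketch below is an added example, not part of the regulatory guide; the single two-valve cutset, the lognormal parameters, and the initiator frequency are constructed assumptions, and the region thresholds are the indicative ΔCDF values from Section 2.2.4.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution

# Constructed inputs (assumptions for illustration, not plant data):
INIT_FREQ = 0.125      # initiating event frequency, per reactor year
MEDIAN_Q = 2.0e-3      # median failure probability shared by valves A and B
ERROR_FACTOR = 3.0     # ratio of 95th percentile to median of the lognormal


def lognormal_sigma(error_factor):
    """Log-space standard deviation of a lognormal with the given error factor."""
    return math.log(error_factor) / Z95


def analytic_mean_delta_cdf(init_freq, median_q, error_factor, correlated):
    """Mean of init_freq * qA * qB for one added cutset {initiator, A fails, B fails}.

    correlated=True : A and B use the same uncertain parameter q, so the mean
                      is E[q^2] = median^2 * exp(2 * sigma^2).
    correlated=False: qA and qB are treated as independent, so the mean is
                      E[q]^2 = median^2 * exp(sigma^2), which is also what a
                      point estimate built from mean values gives.
    """
    s2 = lognormal_sigma(error_factor) ** 2
    factor = math.exp(2.0 * s2) if correlated else math.exp(s2)
    return init_freq * median_q ** 2 * factor


def sampled_mean_delta_cdf(init_freq, median_q, error_factor, correlated,
                           n=200_000, seed=1174):
    """Monte Carlo propagation of the parameter uncertainty through the cutset."""
    rng = random.Random(seed)
    mu = math.log(median_q)
    sigma = lognormal_sigma(error_factor)
    total = 0.0
    for _ in range(n):
        q_a = rng.lognormvariate(mu, sigma)
        # State-of-knowledge dependency: one sample serves both valves.
        q_b = q_a if correlated else rng.lognormvariate(mu, sigma)
        total += init_freq * q_a * q_b
    return total / n


def cdf_region(delta_cdf):
    """Indicative region for a mean change in CDF (per reactor year).

    The guide treats these boundaries as indicative, not definitive; the
    handling of values exactly on a boundary is a choice made here.
    """
    if delta_cdf < 0.0:
        return "decrease"
    if delta_cdf < 1e-6:
        return "Region III"
    if delta_cdf <= 1e-5:
        return "Region II"
    return "Region I"


if __name__ == "__main__":
    for label, corr in (("independent sampling", False),
                        ("correlated sampling ", True)):
        exact = analytic_mean_delta_cdf(INIT_FREQ, MEDIAN_Q, ERROR_FACTOR, corr)
        mc = sampled_mean_delta_cdf(INIT_FREQ, MEDIAN_Q, ERROR_FACTOR, corr)
        print(f"{label}: analytic {exact:.3e}, sampled {mc:.3e}, "
              f"{cdf_region(exact)}")
```

With these constructed inputs, ignoring the dependency understates the mean by a factor of exp(sigma^2) and places the same change on the other side of the 10^-6 boundary.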
Consistent with the viewpoint that the guidelines are not to be used prescriptively, even if the calculated ΔCDF and ΔLERF values are such that they place the change in Region I or II, it may be possible to make a case that the application should be treated as if it were in Region II or III if, for example, it is shown that there are unquantified benefits that are not reflected in the quantitative risk results. However, care should be taken that there are no unquantified detrimental impacts of the change, such as an increase in operator burden. In addition, if compensatory measures are proposed to counter the impact of the major risk contributors, even though the impact of these measures may not be estimated numerically, such arguments will be considered in the decision process.
While the analysis of parametric uncertainty is fairly mature, and is addressed adequately through the use of mean values, the analysis of the model and completeness uncertainties cannot be handled in such a formal manner. Whether the PRA is full scope or only partial scope, and whether it is only the change in metrics or both the change and baseline values that need to be estimated, it will be incumbent on the licensee to demonstrate that the choice of reasonable alternative hypotheses, adjustment factors, or modeling approximations or methods to those adopted in the PRA model would not significantly change the assessment. This demonstration can take the form of well formulated sensitivity studies or qualitative arguments. In this context, "reasonable" is interpreted as implying some precedent for the alternative, such as use by other analysts, and also that there is a physically reasonable basis for the alternative. It is not the intent that the search for alternatives should be exhaustive and arbitrary. For the decisions that involve only assessing the change in metrics, the number of model uncertainty issues to be addressed will be smaller than for the case of the baseline values, when only a portion of the model is affected. The alternatives that would drive the result toward unacceptableness should be identified and sensitivity studies performed or reasons given as to why they are not appropriate for the current application or for the particular plant. In general, the results of the sensitivity studies should confirm that the guidelines are still met even under the alternative assumptions (i.e., change generally remains in the appropriate region). Alternatively, this analysis can be used to identify candidates for compensatory actions or increased monitoring. The licensee should pay particular attention to those assumptions that impact the parts of the model being exercised by the change.
When the PRA is not full scope, it is necessary for the licensee to address the significance of the out-of-scope items. The importance of assessing the contribution of the out-of-scope portions of the PRA to the base case estimates of CDF and LERF is related to the margin between the as-calculated values and the acceptance guidelines. When the contributions from the modeled contributors are close to the guidelines, the argument that the contribution from the missing items is not significant must be convincing, and in some cases may require additional PRA analyses. When the margin is significant, a qualitative argument may be sufficient. The contribution of the out-of-scope portions of the model to the change in metric may be addressed by bounding analyses, detailed analyses, or by a demonstration that the change has no impact on the unmodeled contributors to risk. In addition, it should also be demonstrated that changes based on a partial PRA do not disproportionally change the risk associated with those accident sequences that arise from the modes of operation not included in the PRA.
One alternative to an analysis of uncertainty is to design the proposed LB change such that the major sources of uncertainty will not have an impact on the decisionmaking process. For example, in the region of the acceptance guidelines where small increases are allowed regardless of the value of the baseline CDF or LERF, the proposed change to the LB could be designed such that the modes of operation or the initiating events that are missing from the analysis would not be affected by the change. In these cases, incompleteness would not be an issue. Similarly, in such cases, it would not be necessary to address all the model uncertainties, but only those that impact the evaluation of the change.
If only a Level 1 PRA is available, in general, only the CDF is calculated and not the LERF. An approach is presented in Reference 9 that allows a subset of the core damage accidents identified in the Level 1 analysis to be allocated to a release category that is equivalent to a LERF. The approach uses simplified event trees that can be quantified by the licensee on the basis of the plant configuration applicable to each accident sequence in the Level 1 analysis. The frequency derived from these event trees can be compared to the LERF acceptance guidelines. The approach described in Reference 9 may be used to estimate LERF only in those cases when the plant is not close to the CDF and LERF benchmark values.
2.2.6 Integrated Decisionmaking
The results of the different elements of the engineering analyses discussed in Sections 2.2.1 and 2.2.2 must be considered in an integrated manner. None of the individual analyses is sufficient in and of itself. In this way, it can be seen that the decision will not be driven solely by the numerical results of the PRA. They are one input into the decisionmaking and help in building an overall picture of the implications of the proposed change on risk. The PRA has an important role in putting the change into its proper context as it impacts the plant as a whole. The PRA analysis is used to demonstrate that Principle 4 has been satisfied. As the discussion in the previous section indicates, both quantitative and qualitative arguments may be brought to bear. Even though the different pieces of evidence used to argue that the principle is satisfied may not be combined in a formal way, they need to be clearly documented.
In Section 2.2.4, it was indicated that the application would be given increased NRC management attention when the calculated values of the changes in the risk metrics, and their baseline values when appropriate, approached the guidelines. Therefore, the issues in the submittal that are expected to be addressed by NRC management include:
• The cumulative impact of previous changes and the trend in CDF (the licensee's risk management approach);
• The cumulative impact of previous changes and the trend in LERF (the licensee's risk management approach);
• The impact of the proposed change on operational complexity, burden on the operating staff, and overall safety practices;
• Plant-specific performance and other factors (for example, siting factors, inspection findings, performance indicators, and operational events), and Level 3 PRA information, if available;
• The benefit of the change in relation to its CDF/LERF increase;
• The practicality of accomplishing the change with a smaller CDF/LERF impact; and
• The practicality of reducing CDF/LERF when there is reason to believe that the baseline CDF/LERF are above the guideline values (i.e., 10^-4 and 10^-5 per reactor year).
2.3 ELEMENT 3: DEFINE IMPLEMENTATION AND MONITORING PROGRAM
Careful consideration should be given to implementation and performance-monitoring strategies. The primary goal for this element is to ensure that no adverse safety degradation occurs because of the changes to the LB. The staff's principal concern is the possibility that the aggregate impact of changes that affect a large class of SSCs could lead to an unacceptable increase in the number of failures from unanticipated degradation, including possible increases in common cause mechanisms. Therefore, an implementation and monitoring plan should be developed to ensure that the engineering evaluation conducted to examine the impact of the proposed changes continues to reflect the actual reliability and availability of SSCs that have been evaluated. This will ensure that the conclusions that have been drawn from the evaluation remain valid. Further details of acceptable processes for implementation in specific applications are discussed in application-specific regulatory guides (Refs. 5-8).
Decisions concerning the implementation of changes should be made in light of the uncertainty associated with the results of the traditional and probabilistic engineering evaluations. Broad implementation within a limited time period may be justified when uncertainty is shown to be low (data and models are adequate, engineering evaluations are verified and validated, etc.), whereas a slower, phased approach to implementation (or other modes of partial implementation) would be expected when uncertainty in evaluation findings is higher and where programmatic changes are being made that could impact SSCs across a wide spectrum of the plant, such as in inservice testing, inservice inspection, and graded quality assurance (IST, ISI, and graded QA). In such situations, the potential introduction of common cause effects must be fully considered and included in the submittal.
The staff expects licensees to propose monitoring programs that include a means to adequately track the performance of equipment that, when degraded, can affect the conclusions of the licensee's engineering evaluation and integrated decisionmaking that support the change to the LB. The program should be capable of trending equipment performance after a change has been implemented to demonstrate that performance is consistent with that assumed in the traditional engineering and probabilistic analyses that were conducted to justify the change. This may include monitoring associated with non-safety-related SSCs, if the analysis determines those SSCs to be risk significant. The program should be structured such that (1) SSCs are monitored commensurate with their safety importance, i.e., monitoring for SSCs categorized as having low safety significance may be less rigorous than that for SSCs of high safety significance, (2) feedback of information and corrective actions are accomplished in a timely manner, and (3) degradation in SSC performance is detected and corrected before plant safety can be compromised. The potential impact of observed SSC degradation on similar components in different systems throughout the plant should be considered.
The staff expects that licensees will integrate, or at least coordinate, their monitoring for risk-informed changes with existing programs for monitoring equipment performance and other operating experience on their site and throughout the industry. In particular, monitoring that is performed in conformance with the Maintenance Rule can be used when the monitoring performed under the Maintenance Rule is sufficient for the SSCs affected by the risk-informed application. If an application requires monitoring of SSCs that are not included in the Maintenance Rule, or have a greater resolution of monitoring than the Maintenance Rule (component vs. train or plant-level monitoring), it may be advantageous for a licensee to adjust the Maintenance Rule monitoring program rather than to develop additional monitoring programs for risk-informed purposes. In these cases, the performance criteria chosen should be shown to be appropriate for the application in question. It should be noted that plant or licensee performance under actual design conditions may not be readily measurable. When actual conditions cannot be monitored or measured, whatever information most closely approximates actual performance data should be used. For example, establishing a monitoring program with a performance-based feedback approach may combine some of the following activities.
• Monitoring performance characteristics under actual design basis conditions (e.g., reviewing actual demands on emergency diesel generators, reviewing operating experience)
• Monitoring performance characteristics under test conditions that are similar to those expected during a design basis event
• Monitoring and trending performance characteristics to verify aspects of the underlying analyses, research, or bases for a requirement (e.g., measuring battery voltage and specific gravity, inservice inspection of piping)
• Evaluating licensee performance during training scenarios (e.g., emergency planning exercises, operator licensing examinations)
• Component quality controls, including developing pre- and post-component installation evaluations (e.g., environmental qualification inspections, reactor protection system channel checks, continuity testing of boiling water reactor squib valves).
As part of the monitoring program, it is important that provisions for specific cause determination, trending of degradation and failures, and corrective actions be included. Such provisions should be applied to SSCs commensurate with their importance to safety as determined by the engineering evaluation that supports the LB change. A determination of cause is needed when performance expectations are not being met or when there is a functional failure of an application-specific SSC that poses a significant condition adverse to quality. The cause determination should identify the cause of the failure or degraded performance to the extent that corrective action can be identified that would preclude the problem or ensure that it is anticipated prior to becoming a safety concern. It should address failure significance, the circumstances surrounding the failure or degraded performance, the characteristics of the failure, and whether the failure is isolated or has generic or common cause implications (as defined in Ref. 11).
Finally, in accordance with Criterion XVI of Appendix B to 10 CFR Part 50, the monitoring program should identify any corrective actions to preclude the recurrence of unacceptable failures or degraded performance. The circumstances surrounding the failure may indicate that the SSC failed because of adverse or harsh operating conditions (e.g., operating a valve dry, overpressurization of a system) or failure of another component that caused the SSC failure. Therefore, corrective actions should also consider SSCs with similar characteristics with regard to operating, design, or maintenance conditions. The results of the monitoring need not be reported to the NRC, but should be retained onsite for inspection.
2.4 ELEMENT 4: SUBMIT PROPOSED CHANGE
Requests for proposed changes to the plant's LB typically take the form of requests for license amendments (including changes to or removal of license conditions), technical specification changes, changes to or withdrawals of orders, and changes to programs pursuant to 10 CFR 50.54 (e.g., QA program changes under 10 CFR 50.54(a)). Licensees should (1) carefully review the proposed LB change in order to determine the appropriate form of the change request, (2) ensure that information required by the relevant regulations in support of the request is developed, and (3) prepare and submit the request in accordance with relevant procedural requirements. For example, license amendments should meet the requirements of 10 CFR 50.90, 50.91, and 50.92, as well as the procedural requirements in 10 CFR 50.4. Risk information that the licensee submits in support of the LB change request should meet the guidance in Section 3 of this regulatory guide.
Licensees are free to decide whether to submit risk information in support of their LB change request. If the licensee's proposed change to the LB is consistent with currently approved staff positions, the staff's determination will be based solely on traditional engineering analyses without recourse to risk information (although the staff may consider any risk information submitted by the licensee). However, if the licensee's proposed change goes beyond currently approved staff positions, the staff normally will consider both information based on traditional engineering analyses and information based on risk insights. If the licensee does not submit risk information in support of an LB change that goes beyond currently approved staff positions, the staff may request the licensee to submit such information. If the licensee chooses not to provide the risk information, the staff will review the proposed application using traditional engineering analyses and determine whether sufficient information has been provided to support the requested change.
In developing the risk information set forth in this regulatory guide, licensees will likely identify SSCs with high risk significance that are not currently subject to regulatory requirements, or are subject to a level of regulation that is not commensurate with their risk significance. It is expected that licensees will propose LB changes that will subject these SSCs to an appropriate level of regulatory oversight, consistent with the risk significance of each SSC. Specific information on the staff's expectations in this regard is set forth in the application-specific regulatory guides (Refs. 5-8).
2.5 QUALITY ASSURANCE
As stated in Section 2.2, the staff expects that the quality of the engineering analyses conducted to justify proposed LB changes will be appropriate for the nature of the change. In this regard, it is expected that for traditional engineering analyses (e.g., deterministic engineering calculations) existing provisions for quality assurance (e.g., Appendix B to 10 CFR Part 50, for safety-related SSCs) will apply and provide the appropriate quality needed. Likewise, when a risk assessment of the plant is used to provide insights into the decisionmaking process, the staff expects that the PRA will have been subject to quality control.
To the extent that a licensee elects to use PRA information to enhance or modify activities affecting the safety-related functions of SSCs, the following, in conjunction with the other guidance contained in this guide, describes methods acceptable to the NRC staff to ensure that the pertinent quality assurance requirements of Appendix B to 10 CFR Part 50 are met and that the PRA is of sufficient quality to be used for regulatory decisions.
• Use personnel qualified for the analysis.
• Use procedures that ensure control of documentation, including revisions, and provide for independent review, verification, or checking of calculations and information used in the analyses (an independent peer review or certification program can be used as an important element in this process).
• Provide documentation and maintain records in accordance with the guidelines in Section 3 of this guide.
• Provide for an independent audit function to verify quality (an independent peer review or certification program can be used for this purpose).
• Use procedures that ensure appropriate attention and corrective actions are taken if assumptions, analyses, or information used in previous decisionmaking is changed (e.g., licensee voluntary action) or determined to be in error.
When performance monitoring programs are used in the implementation of proposed changes to the LB, it is expected that those programs will be implemented by using quality assurance provisions commensurate with the safety significance of affected SSCs. An existing PRA or analysis can be utilized to support a proposed LB change, provided it can be shown that the appropriate quality provisions have been met.
3. DOCUMENTATION AND SUBMITTAL
3.1 INTRODUCTION
To facilitate the NRC staff's review to ensure that the analyses conducted were sufficient to conclude that the key principles of risk-informed regulation have been met, documentation of the evaluation process and findings is expected to be maintained. Additionally, the information submitted should include a description of the process used by the licensee to ensure quality and some specific information to support the staff's conclusion regarding the acceptability of the requested LB change.
3.2 ARCHIVAL DOCUMENTATION
Archival documentation should include a detailed description of engineering analyses conducted and the results obtained, irrespective of whether they were quantitative or qualitative, or whether the analyses made use of traditional engineering methods or probabilistic approaches. This documentation should be maintained by the licensee, as part of the normal quality assurance program, so that it is available for examination. Documentation of the analyses conducted to support changes to a plant's LB should be maintained as lifetime quality records in accordance with Regulatory Guide 1.33 (Ref. 12).
3.3 LICENSEE SUBMITTAL DOCUMENTATION
To support the NRC staff's conclusion that the proposed LB change is consistent with the key principles of risk-informed regulation and NRC staff expectations, the staff expects the following information will be submitted to the NRC:
• A description of how the proposed change will impact the LB (relevant principle: LB changes meet regulations).
• A description of the components and systems affected by the change, the types of changes proposed, the reason for the changes, and results and insights from an analysis of available data on equipment performance (relevant staff expectation: all safety impacts of the proposed LB change must be evaluated).
• A reevaluation of the LB accident analysis and the provisions of 10 CFR Parts 20 and 100, if appropriate (relevant principles: LB changes meet the regulations, sufficient safety margins are maintained, defense-in-depth philosophy).
• An evaluation of the impact of the LB change on the breadth or depth of defense-in-depth attributes of the plant (relevant principle: defense-in-depth philosophy).
• Identification of how and where the proposed change will be documented as part of the plant's LB (e.g., FSAR, technical specifications, licensing conditions). This should include proposed changes or enhancements to the regulatory controls for high-risk-significant SSCs that are not subject to any requirements or the requirements are not commensurate with the SSC's risk significance.
The licensee should also identify:
• Key assumptions in the PRA that impact the application (e.g., voluntary licensee actions), elements of the monitoring program, and commitments made to support the application.
• SSCs for which requirements should be increased.
• The information to be provided as part of the plant's LB (e.g., FSAR, technical specifications, licensing condition).
As discussed in Section 2.5 of this guide, if a licensee elects to use PRA as an element to enhance or modify its implementation of activities affecting the safety-related functions of SSCs subject to the provisions of Appendix B to 10 CFR Part 50, the pertinent requirements of Appendix B will also apply to the PRA. In this context, therefore, a licensee would be expected to control PRA activity in a manner commensurate with its impact on the facility's design and licensing basis and in accordance with all applicable regulations and its QA program description. An independent peer review can be an important element of ensuring this quality. The licensee's submittal should discuss measures used to ensure adequate quality, such as a report of a peer review (when performed) that addresses the appropriateness of the PRA model for supporting a risk assessment of the LB change under consideration. The report should address any analysis limitations that are expected to impact the conclusion regarding acceptability of the proposed change.
The licensee's resolution of the findings of the peer review, certification, or cross comparison, when performed, should also be submitted. For example, this response could indicate whether the PRA was modified or could justify why no change was necessary to support decisionmaking for the LB change under consideration. As discussed in Section 2.2.2, the staff's decision on the proposed license amendment will be based on its independent judgment and review, as appropriate, of the entire application.
3.3.1 Risk Assessment Methods
In order to have confidence that the risk assessment conducted is adequate to support the proposed change, a summary of the risk assessment methods used should be submitted. Consistent with current practice, information submitted to the NRC for its consideration in making risk-informed regulatory decisions will be made publicly available, unless such information is deemed proprietary and justified as such. The following information should be submitted and is intended to illustrate that the scope and quality of the engineering analyses conducted to justify the proposed LB change are appropriate to the nature and scope of the change.
• A description of risk assessment methods used,
• The key modeling assumptions that are necessary to support the analysis or that impact the application,
• The event trees and fault trees necessary to support the analysis of the LB change, and
• A list of operator actions modeled in the PRA that impact the application and their error probabilities.
The submitted information that summarizes the results of the risk assessment should include:
• The effects of the change on the dominant sequences (sequences that contribute more than five percent to the risk) in order to show that the LB change does not create risk outliers and does not exacerbate existing risk outliers.
• An assessment of the change to CDF and LERF, including a description of the significant contributors to the change.
• Information related to assessment of the total plant CDF--the extent of the information required will depend on whether the analysis of the change in CDF is in Region 11 or Region-i of Figure 3. The information could include quantitative (e.g., IPE or PRA results for internal initiating events, external event PRA results if available) and qualitative or semi-quantitative information (results of margins analyses, outage configuration studies).
• Information related to assessment of total plant LERF--the extent of the information required will depend on whether the analysis of the change in LERF is in Region 1 or Region II of Figure 4. The information could include quantitative (e.g., IPE or PRA results for internal initiating events, external event PRA results if available) and qualitative or semi-quantitative information (results of margins analyses, outage configuration studies).
• Results of analyses that show that the conclusions regarding the impact of the LB change on plant risk will not vary significantly under a different set of plausible assumptions.
• A description of the licensee process to ensure PRA quality and a discussion as to why the PRA is of sufficient quality to support the current application.
3.3.2 Cumulative Risks
As part of evaluation of risk, licensees should understand the effects of the present application in light of past applications. Optimally, the PRA used for the current application should already model the effects of past applications. However, qualitative effects and synergistic effects are sometimes difficult to model. Tracking changes in risk (both quantifiable and nonquantifiable) that are due to plant changes would provide a mechanism to account for the cumulative and synergistic effects of these plant changes and would help to demonstrate that the proposing licensee has a risk management philosophy in which PRA is not just used to systematically increase risk, but is also used to help reduce risk where appropriate and where it is shown to be cost effective. The tracking of cumulative risk will also help the NRC staff in monitoring trends.
Therefore, as part of the submittal, the licensee should track and submit the impact of all plant changes that have been submitted for NRC review and approval. Documentation should include:
• The calculated change in risk for each application (CDF and LERF) and the plant elements (e.g., SSCs, procedures) affected by each change,
• Qualitative arguments that were used to justify the change (if any) and the plant elements affected by these arguments,
• Compensatory measures or other commitments used to help justify the change (if any) and the plant elements affected, and
• Summarized results from the monitoring programs (where applicable) and a discussion of how these results have been factored into the PRA or into the current application.
As an option, the submittal could also list (but not submit to the NRC) past changes to the plant that reduced the plant risk, especially those changes that are related to the current application. A discussion of whether these changes are already included in the base PRA model should also be included.
3.4 IMPLEMENTATION PLAN AND PERFORMANCE MONITORING DOCUMENTATION
As described in Section 2.3, a key principle of risk-informed regulation is that proposed performance implementation and monitoring strategies reflect uncertainties in analysis models and data. Consequently, the submittal should include a description and rationale for the implementation and performance monitoring strategy for the proposed LB change.
REFERENCES
1. USNRC, "Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement," Federal Register, Vol. 60, p. 42622 (60 FR 42622), August 16, 1995.
2. "Quarterly Status Update for the Probabilistic Risk Assessment Implementation Plan," SECY-97-234, October 14, 1997.¹
3. USNRC, "Safety Goals for the Operations of Nuclear Power Plants; Policy Statement," Federal Register, Vol. 51, p. 30028 (51 FR 30028), August 4, 1986.
4. USNRC, "Use of Probabilistic Risk Assessment in Plant-Specific, Risk-Informed Decisionmaking: General Guidance," Chapter 19 of the Standard Review Plan, July 1998.²
5. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Testing," Draft Regulatory Guide DG-1062, June 1997.² (To be issued as Regulatory Guide 1.175)
6. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Inspection of Piping," Draft Regulatory Guide DG-1063, October 1997.² (To be issued as Regulatory Guide 1.178)
7. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Graded Quality Assurance," Draft Regulatory Guide DG-1064, June 1997.² (To be issued as Regulatory Guide 1.176)
8. USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," Draft Regulatory Guide DG-1065, June 1997.² (To be issued as Regulatory Guide 1.177)
9. W.T. Pratt et al., "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," Draft NUREG/CR-6595, December 1997.²
10. G. Apostolakis and S. Kaplan, "Pitfalls in Risk Calculations," Reliability Engineering, Vol. 2, pages 135-145, 1981.
11. A. Mosleh et al., "Procedures for Treating Common Cause Failures in Safety and Reliability Studies," NUREG/CR-4780, Vol. 2, January 1989.³
12. USNRC, "Quality Assurance Program Requirements," Regulatory Guide 1.33, Revision 2, February 1978.²

¹ Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW, Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3343.
² Single copies of regulatory guides, both active and draft, and draft NUREG documents may be obtained free of charge by writing the Reproduction and Distribution Services Section, OCIO, USNRC, Washington, DC 20555-0001, or by fax to (301)415-2289, or by email to GRW1@NRC.GOV. Active guides may also be purchased from the National Technical Information Service on a standing order basis. Details of this service may be obtained by writing NTIS, 5285 Port Royal Road, Springfield, VA 22161. Copies of active and draft guides are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street, NW, Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.
³ Copies are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (telephone (202)512-2249) or from the National Technical Information Service by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.
BIBLIOGRAPHY
The citations in this bibliography provide an overview of uncertainty analysis in PRA; many also contain extensive references for further reading.
Apostolakis, G.A., "Probability and Risk Assessment: The Subjectivist Viewpoint and Some Suggestions," Nuclear Safety, 19(3), pages 305-315, 1978.
Bohn, M.P., T.A. Wheeler, G.W. Parry, "Approaches to Uncertainty Analysis in Probabilistic Risk Assessment," NUREG/CR-4836, USNRC, January 1988.¹
Hickman, J.W., "PRA Procedures Guide," NUREG/CR-2300, USNRC, January 1983.¹
Kaplan, S., and B.J. Garrick, "On the Quantitative Definition of Risk," Risk Analysis, Vol. 1, pages 11-28, March 1981.
Mosleh, A., et al., "Proceedings of Workshop I in Advanced Topics in Risk and Reliability Analysis, Model Uncertainty: Its Characterization and Quantification" (held in Annapolis, Maryland, October 20-22, 1993), USNRC, NUREG/CP-0138, October 1994.¹
Parry, G.W., and P.W. Winter, "Characterization and Evaluation of Uncertainty in Probabilistic Risk Analysis," Nuclear Safety, 22(1), pages 28-42, 1981.
Reliability Engineering and System Safety (Special Issue on the Meaning of Probability in Probabilistic Safety Assessment), Vol. 23, 1988.
Reliability Engineering and System Safety (Special Issue on Treatment of Aleatory and Epistemic Uncertainty), Vol. 54, nos. 2 and 3, November/December 1996.
USNRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, Vol. 3, January 1991.¹
USNRC, "A Review of NRC Staff Uses of Probabilistic Risk Assessment," NUREG-1489, Appendix C.6, March 1994.¹

¹ Copies are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (telephone (202)512-2249); or from the National Technical Information Service by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555; telephone (202)634-3273; fax (202)634-3343.
APPENDIX A
USE OF RISK-IMPORTANCE MEASURES TO CATEGORIZE STRUCTURES, SYSTEMS, AND COMPONENTS WITH RESPECT TO SAFETY SIGNIFICANCE
Introduction
For several of the proposed applications of the risk-informed regulation process, one of the principal activities is the categorization of structures, systems, and components (SSCs) and human actions according to safety significance. The purpose of this appendix is to discuss one way that this categorization may be performed to be consistent with Principle 4 and the expectations discussed in Section 2.1 of Regulatory Guide 1.174.
Safety significance of an SSC can be thought of as being related to the role the SSC plays in preventing the occurrence of the undesired end state. Thus the position adopted in this regulatory guide is that all the SSCs and human actions considered when constructing the PRA model (including those that do not necessarily appear in the final quantified model, because they have been screened initially, assumed to be inherently reliable, or have been truncated from the solution of the model) have the potential to be safety significant since they play a role in preventing core damage.
In establishing the categorization, it is important to recognize the purpose behind the categorization, which is, generally, to sort the SSCs and human actions into groups such as those for which some relaxation of re quirements is proposed, and those for which no such change is proposed. It is the proposed application that is the motivation for the categorization, and it is the po tential impact of the application on the particular SSCs and human actions and on the measures of risk that ulti mately determines which of the SSCs and human ac tions must be regarded as safety significant within the context of the application. This impact on overall risk should be evaluated in light of the principles and deci sion criteria identified in this guide. Thus, the most ap propriate way to address the categorization is through a requantification of the risk measures.
However, the feasibility of performing such risk quantification has been questioned when a method for evaluating the impact of the change on SSC unavail ability is not available for those applications. An ac ceptable alternative to requantification of risk is for the licensee to perform the categorization of the SSCs and human actions in an integrated manner, making use of an analytical technique, based on the use of PRA im portance measures, as input. This appendix discusses the technical issues associated with the use of PRAim portance measures.
Technical Issues Associated with the Use of Importance Measures
In the implementation of the Maintenance Rule and in industry guides for risk-informed applications (for example, the PSA Applications Guide), the Fussell-Vesely Importance, Risk Reduction Worth, and Risk Achievement Worth are the most commonly identified measures in the relative risk ranking of SSCs.
However, in the use of these importance measures for risk-informed applications, there are several issues that should be addressed. Most of the issues are related to technical problems that can be resolved by the use of sensitivity studies or by appropriate quantification techniques. These issues are discussed in detail below.
In addition, there are two issues, namely (1) that risk rankings apply only to individual contributions and not to combinations or sets of contributors, and (2) that risk rankings are not necessarily related to the risk changes that result from those contributor changes; the licensee should be aware of these issues and ensure that they have been addressed adequately. When performed and interpreted correctly, component-level importance measures can provide valuable input to the licensee.
Risk-ranking results from a PRA can be affected by many factors, the most important being model assumptions and techniques (e.g., for modeling of human reliability or common cause failures), the data used, or the success criteria chosen. The licensee should therefore make sure that the PRA is of sufficient quality.
In addition to the use of a "quality" PRA, the robustness of categorization results should also be demonstrated for conditions and parameters that might not be addressed in the base PRA. Therefore, when importance measures are used to group components or human actions as low-safety-significant contributors, the information to be provided to the analysts performing qualitative categorization should include sensitivity studies or other evaluations to demonstrate the sensitivity of the importance results to the important PRA modeling techniques, assumptions, and data. Issues that should be considered and addressed are listed here.
Truncation Limit: The licensee should determine that the truncation limit has been set low enough so that the truncated set of minimal cutsets contains all the significant contributors and their logical combinations for the application in question and is low enough to capture at least 95 percent of the CDF. Depending on the PRA level of detail (module level, component level, or piece-part level), this may translate into a truncation limit from 10⁻¹² to 10⁻⁸ per reactor year. In addition, the truncated set of minimal cutsets should be determined to contain the important application-specific contributors and their logical combinations.
Risk Metrics: The licensee should ensure that risk in terms of both CDF and LERF is considered in the ranking process.
Completeness of Risk Model: The licensee should ensure that the PRA model is sufficiently complete to address all important modes of operation for the SSCs being analyzed. Safety-significant contributions from internal events, external events, and shutdown and low power initiators should be considered by using PRA or other engineering analyses.
Sensitivity Analysis for Component Data Uncertainties: The sensitivity of component categorizations to uncertainties in the parameter values should be addressed by the licensee. Licensees should be satisfied that SSC categorization is not affected by data uncertainties.
Sensitivity Analysis for Common Cause Failures: CCFs are modeled in PRAs to account for dependent failures of redundant components within a system. The licensee should determine that the safety significant categorization has taken into account the combined effect of associated basic PRA events, such as failure to start and failure to run, including indirect contributions through associated CCF event probabilities. CCF probabilities can affect PRA results by enhancing or obscuring the importance of components. A component may be ranked as a high risk contributor mainly because of its contribution to CCFs, or a component may be ranked as a low risk contributor mainly because it has negligible or no contribution to CCFs.
Sensitivity Analysis for Recovery Actions: PRAs typically model recovery actions, especially for dominant accident sequences. Quantification of recovery actions typically depends on the time available for diagnosis and for performing the action, as well as the training, procedures, and knowledge of operators. There is a certain degree of subjectivity involved in estimating the success probability for the recovery actions. The concerns in this case stem from situations in which very high success probabilities are assigned to a sequence, resulting in related components being ranked as low risk contributors. Furthermore, it is not desirable for the categorization of SSCs to be affected by recovery actions that sometimes are only modeled for the dominant scenarios. Sensitivity analyses can be used to show how the SSC categorization would change if all recovery actions were removed. The licensee should ensure that the categorization has not been unduly affected by the modeling of recovery actions.
Multiple Component Considerations: As discussed previously, importance measures are typically evaluated on an individual SSC or human action basis. One potential concern raised by this is that single-event importance measures have the potential to dismiss all the elements of a system or group despite the fact that the system or group has a high importance when taken as a whole. (Conversely, there may be grounds for screening out groups of SSCs, owing to the unimportance of the systems of which they are elements.) There are two potential approaches to addressing the multiple component issue. The first is to define suitable measures of system or group importance. The second is to choose appropriate criteria for categorization based on component-level importance measures. In both cases, it will be necessary for the licensee to demonstrate that the cumulative impact of the change has been adequately addressed.
While there are no widely accepted definitions of system or group importance measures, if any are proposed the licensee should make sure that the measures are capturing the impact of changes to the group in a logical way. As an example of the issues that arise, consider the following. For front-line systems, one possibility would be to define a Fussell-Vesely type measure of system importance as the sum of the frequencies of sequences involving failure of that system, divided by the sum of all sequence frequencies. Such a measure would need to be interpreted carefully if the numerator included contributions from failures of that system caused by support systems. Similarly, a Birnbaum-like measure could be defined by quantifying sequences involving the system, conditional on its failure, and summing up those quantities. This would provide a measure of how often the system is critical. However, again the support systems make the situation more complex. To take a two-division plant as an example, front-line failures can occur as a result of failure of support division A in conjunction with failure of front-line division B. Working with a figure of merit based on "total failure of support system" would miss contributions of this type.
In the absence of appropriately defined group-level importance measures, reliance must be on a qualitative categorization by the licensee, as part of the integrated decisionmaking process, to make the appropriate determination.
Relationship of Importance Measures to Risk Changes: Importance measures do not directly relate to changes in risk. Instead, the risk impact is indirectly reflected in the choice of the value of the measure used to determine whether an SSC should be classified as being of high and low safety significance. This is a concern whether importances are evaluated at the component or at the group level. The PSA Applications Guide suggested values of Fussell-Vesely importance of 0.05 at the system level and 0.005 at the component level, for example. However, the criteria for categorization into low and high significance should be related to the acceptance criteria for changes in CDF and LERF. This implies that the criteria should be a function of the base case CDF and LERF rather than being fixed for all plants. Thus the licensee should demonstrate how the chosen criteria are related to, and conform with, the acceptance guidelines described in this document. If component-level criteria are used, they should be established taking into account that the allowable risk increase associated with the change should be based on simultaneous changes to all members of the category.
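The following added example (not part of the guide) illustrates the two concerns above on a constructed two-cutset model: two redundant components each fall below the component-level Fussell-Vesely value of 0.005, yet changing both at once raises CDF far more than the single-component results suggest. The event names, probabilities, and the factor of 10 are assumptions, and the Fussell-Vesely and Risk Achievement Worth formulas are the standard definitions, which the guide does not write out.

```python
from math import prod

# Constructed toy model (not from the guide): basic-event probabilities and
# minimal cutsets. IE is an initiating-event frequency per reactor year.
P = {"IE": 1e-1, "X": 5e-4, "V_A": 1e-3, "V_B": 1e-3}
CUTSETS = [("IE", "X"), ("IE", "V_A", "V_B")]

def cdf(overrides=None):
    """Rare-event approximation: sum of the minimal-cutset frequencies."""
    p = {**P, **(overrides or {})}
    return sum(prod(p[e] for e in cs) for cs in CUTSETS)

BASE = cdf()

def fussell_vesely(events):
    """Fraction of base CDF carried by cutsets containing any listed event."""
    return (BASE - cdf({e: 0.0 for e in events})) / BASE

def raw(events):
    """Risk Achievement Worth: CDF with the listed events failed, over base."""
    return cdf({e: 1.0 for e in events}) / BASE

def delta_cdf(events, factor):
    """CDF increase when each listed event's probability is multiplied by
    factor (capped at 1), applied to all listed events simultaneously."""
    return cdf({e: min(1.0, P[e] * factor) for e in events}) - BASE

if __name__ == "__main__":
    group = ["V_A", "V_B"]
    for ev in group:
        print(f"{ev}: FV={fussell_vesely([ev]):.4f} RAW={raw([ev]):.2f} "
              f"dCDF(x10)={delta_cdf([ev], 10):.2e}")
    print(f"group: FV={fussell_vesely(group):.4f} RAW={raw(group):.0f} "
          f"dCDF(x10)={delta_cdf(group, 10):.2e}")
```

Run as a script, it prints the single-event and group values side by side; the group increase in CDF is more than five times the sum of the two single-component increases.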
SSCs Not Included in the Final Quantified Cutset Solution: Importance measures based on the quantified cutsets will not factor in those SSCs that have either been truncated or were not included in the fault tree models because they were screened on the basis of high reliability. SSCs that have been screened because their credible failure modes would not fail the system function can be argued to be unimportant. The licensee must make sure that these SSCs are considered.
REGULATORY ANALYSIS
A draft regulatory analysis was published with the draft of this guide when it was published for public comment (Task DG-1061, June 1997). No changes were necessary, so a separate regulatory analysis for Regulatory Guide 1.174 has not been prepared. A copy of the draft regulatory analysis is available for inspection or copying for a fee in the NRC's Public Document Room at 2120 L Street NW., Washington, DC, under Task DG-1061.