ML12241A355

E-mail Miller to Riley Re Latest Draft Integrated Assessment ISG
ML12241A355
Person / Time
Issue date: 08/24/2012
From: Geoffrey Miller
Containment and Balance of Plant Branch
To: Jeffrey Riley
Nuclear Energy Institute
Miller G, NRR/JLD 301-415-2481
Shared Package
ML12226A476 List:


Text

From: Miller, Ed
To: jhr@nei.org
Subject: FW: PDF of latest draft Integrated Assessment ISG
Date: Friday, August 24, 2012 8:26:58 PM
Attachments: IntegratedAssessmentISG_FrontMatter_ForReview_2012_08_24.pdf, IntegratedAssessmentISG_Attachment_ForReview_2012_08_24.pdf

Jim,

Attached is the latest version of the Integrated Assessment ISG for discussion at the public meeting on August 28th.

Ed Miller
415-2481

From: Bensi, Michelle
Sent: Friday, August 24, 2012 7:54 PM
To: Miller, Ed
Cc: Cook, Christopher; Chokshi, Nilesh
Subject: PDF of latest draft Integrated Assessment ISG

Ed,

PDF of the latest draft of the Integrated Assessment ISG is attached.

Thanks,
Michelle (Shelby) Bensi, Ph.D.
(301)-251-7570
Michelle.Bensi@nrc.gov

DRAFT -08/24/2012 Date ML#

JAPAN LESSONS-LEARNED PROJECT DIRECTORATE JLD-ISG-2012-##

Guidance for Performing the Integrated Assessment for Flooding DRAFT Interim Staff Guidance Revision 0 (Draft for use at public meeting on August 28, 2012)


DRAFT - 08/24/2012 (Draft for use at public meeting on August 28, 2012)

DRAFT INTERIM STAFF GUIDANCE
JAPAN LESSONS-LEARNED PROJECT DIRECTORATE
GUIDANCE FOR PERFORMING THE INTEGRATED ASSESSMENT FOR EXTERNAL FLOODING
JLD-ISG-12-##

PURPOSE

This interim staff guidance (ISG) is being issued to describe to stakeholders methods acceptable to the staff of the U.S. Nuclear Regulatory Commission (NRC) for performing the Integrated Assessment for external flooding as described in NRC's March 12, 2012 request for information (Ref. (1)) issued pursuant to Title 10 of the Code of Federal Regulations (10 CFR) 50.54(f) regarding Recommendation 2.1 of SECY-11-0093, "Recommendations for Enhancing Reactor Safety in the 21st Century, the Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident" (Ref. (2)). Among other actions, the March 12, 2012 letter requests that respondents reevaluate flood hazards at each site and compare the reevaluated hazard to the current design basis at the site for each flood mechanism.

Addressees are requested to perform an Integrated Assessment if the current design basis flood hazard does not bound the reevaluated flood hazard for all mechanisms. This ISG will assist operating power reactor respondents and holders of construction permits under 10 CFR Part 50 with performance of the Integrated Assessment. It should be noted that the guidance provided in this ISG is not intended to describe methods for use in regulatory activities beyond the scope of the March 12, 2012, 50.54(f) letter.

BACKGROUND

Following the events at the Fukushima Dai-ichi nuclear power plant, the NRC established a senior-level agency task force referred to as the Near-Term Task Force (NTTF). The NTTF conducted a systematic and methodical review of the NRC regulations and processes and determined if the agency should make additional improvements to these programs in light of the events at Fukushima Dai-ichi. As a result of this review, the NTTF developed a comprehensive set of recommendations, documented in SECY-11-0093 (Ref. (2)). These recommendations were enhanced by the NRC staff following interactions with stakeholders.

Documentation of the NRC staff's efforts is contained in SECY-11-0124, "Recommended Actions To Be Taken Without Delay From the Near Term Task Force Report," dated September 9, 2011 (Ref. (3)), and SECY-11-0137, "Prioritization of Recommended Actions To Be Taken in Response to Fukushima Lessons Learned," dated October 3, 2011 (Ref. (4)).

As directed by the staff requirements memorandum for SECY-11-0093 (Ref. (2)), the NRC staff reviewed the NTTF recommendations within the context of the NRC's existing regulatory framework and considered the various regulatory vehicles available to the NRC to implement the recommendations. SECY-11-0124 and SECY-11-0137 established the staff's prioritization of the recommendations based upon the potential safety enhancements.

As part of the staff requirements memorandum for SECY-11-0124, dated October 18, 2011 (Ref. (5)), the Commission approved the staff's proposed actions, including the development of three information requests under 10 CFR 50.54(f). The information collected would be used to support the NRC staff's evaluation of whether further regulatory action should be pursued in the areas of seismic and flooding design, and emergency preparedness.

In addition to Commission direction, the Consolidated Appropriations Act, Public Law 112-074, was signed into law on December 23, 2011. Section 402 of the law requires a reevaluation of licensees' design basis for external hazards.

In response to the aforementioned Commission and Congressional direction, the NRC issued a request for information to all power reactor licensees and holders of construction permits under 10 CFR Part 50 on March 12, 2012 (Ref. (1)). The March 12, 2012 50.54(f) letter includes a request that respondents reevaluate flooding hazards at nuclear power plant sites using updated flooding hazard information and present-day regulatory guidance and methodologies. The letter also requests the comparison of the reevaluated hazard to the current design basis at the site for each potential flood mechanism. If the reevaluated flood hazard at a site is not bounded by the current design basis, respondents are requested to perform an Integrated Assessment. The Integrated Assessment will evaluate the total plant response to the flood hazard, considering multiple and diverse capabilities such as physical barriers, temporary protective measures, and operational procedures. The NRC staff will review the responses to this request for information and determine whether regulatory actions are necessary to provide additional protection against flooding.

RATIONALE

On March 12, 2012, NRC issued a request for information to all power reactor licensees and holders of construction permits under 10 CFR Part 50. The request was issued in accordance with the provisions of Sections 161.c, 103.b, and 182.a of the Atomic Energy Act of 1954, as amended (the Act), and NRC regulation in Title 10 of the Code of Federal Regulations, Part 50, Section 50.54(f). Pursuant to these provisions of the Act or this regulation, respondents were required to provide information to enable the staff to determine whether a nuclear plant license should be modified, suspended, or revoked.

The information request directed respondents to submit an approach for developing an Integrated Assessment Report including criteria for identifying vulnerabilities. This ISG describes an approach for developing the Integrated Assessment Report that is acceptable to the staff.

APPLICABILITY

This ISG shall be implemented on the day following its approval. It shall remain in effect until it has been superseded or withdrawn.

PROPOSED GUIDANCE

This ISG is applicable to holders of operating power reactor licenses and construction permits under 10 CFR Part 50 from whom an Integrated Assessment is requested (i.e., sites for which the current design basis flood hazard does not bound the reevaluated hazard for all potential flood mechanisms). For combined license holders under 10 CFR Part 52, the issues in NTTF Recommendation 2.1 and 2.3 regarding seismic and flooding reevaluations and walkdowns are resolved and thus this ISG is not applicable.

IMPLEMENTATION

Except in those cases in which a licensee or construction permit holder under 10 CFR Part 50 proposes an acceptable alternative method for performing the Integrated Assessment, the NRC staff will use the methods described in this ISG to evaluate responses to the portions of the March 12, 2012 request for information related to the Integrated Assessment.

BACKFITTING DISCUSSION

Licensees and construction permit holders under 10 CFR Part 50 may use the guidance in this document to meet the intent of the portions of the March 12, 2012 request for information related to the Integrated Assessment. Accordingly, the NRC staff issuance of this ISG is not considered backfitting, as defined in 10 CFR 50.109(a)(1), nor is it deemed to be in conflict with any of the issue finality provisions in 10 CFR Part 52.

FINAL RESOLUTION

The contents of this ISG, or a portion thereof, may subsequently be incorporated into other guidance documents, as appropriate.

ATTACHMENTS

1. Guidance for performance of Integrated Assessment

REFERENCES [#INCOMPLETE AND UNFORMATTED]

1. USNRC. #INSERT Reference to NRC 50.54(f) letter. ML #.
2. U.S. Nuclear Regulatory Commission. Recommendations for Enhancing Reactor Safety in the 21st Century, The Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident, SECY-11-0093. July 12, 2011. ADAMS Accession No. ML111861807.
3. USNRC. #INSERT Reference to SECY-11-0124, Recommended Actions To Be Taken Without Delay From the Near Term Task Force Report. September 9, 2011.
4. #INSERT Reference to SECY-11-0137, Prioritization of Recommended Actions To Be Taken in Response to Fukushima Lessons Learned. October 3, 2011.
5. #INSERT Reference to SRM for SECY-11-0124. ADAMS Accession No. ML112911571.

GUIDANCE FOR PERFORMANCE OF INTEGRATED ASSESSMENT

1. Introduction
1.1 Organization of guidance
1.2 Recommendation 2.3 Flood Walkdowns and Relationship to Integrated Assessment
1.3 Recommendation 2.1 Flood Hazard Reevaluations and Relationship to Integrated Assessment
1.4 Actions and Information Requested
1.5 Scope of Integrated Assessment
2. Terms and definitions
3. Framework for Integrated Assessment
3.1 Key assumptions
3.1.1 Protection and mitigation
3.1.2 Modes of operation and concurrent conditions
3.1.3 Flood frequencies
4. Information collection and compilation
4.1 Critical plant elevations and protection of equipment
4.2 Applicable flood mechanisms and plant conditions
5. Evaluation guidance
5.1 Overview of evaluation procedure
5.2 Peer review
5.3 Controlling flood parameters
5.4 Effectiveness of flood protection
5.5 Plant mitigation capability
6. Report Documentation
6.1 Documentation of evaluation
6.2 Results
6.2.1 Evaluation of available margin
6.2.2 Identification of vulnerabilities
6.2.3 Cliff-edge effects
6.2.4 Risk insights and defense-in-depth
7. References [#incomplete and unformatted]
APPENDIX A: Evaluation of flood protection
A.1 Procedure overview
A.2 Evaluating components of flood protection systems
A.3 Evaluating flood protection systems
APPENDIX B: Evaluation of plant mitigation capability
B.1 Procedure Overview
B.2 Margins-type evaluation of mitigation capability
B.3 Scenario-based evaluation of mitigation capability
B.4 PRA-based evaluation of mitigation capability
APPENDIX C: Evaluation of operator manual actions
APPENDIX D: Peer Review
APPENDIX E: Examples

GUIDANCE FOR PERFORMANCE OF INTEGRATED ASSESSMENT

1. Introduction

The Integrated Assessment evaluates the total plant response to external flood hazards, considering both the protection and mitigation capabilities of the plant. The purpose of the Integrated Assessment is to: (1) evaluate the effectiveness of the current licensing basis, (2) identify plant-specific vulnerabilities, and (3) assess the effectiveness of existing or planned plant systems and procedures in protecting against flood conditions and mitigating consequences for the entire duration of a flooding event.

There are two fundamental aspects to the Integrated Assessment. The first aspect involves evaluation of the flood protection capabilities at a specific nuclear power plant site to meet their intended safety functions when considering multiple and diverse features such as physical flood protection barriers, temporary protective measures, and operational procedures, individually or in combination. In addition to evaluating the performance of individual flood protection features, the evaluation of flood protection effectiveness considers the site flood protection as a set of systems with interdependent components and subsystems (including dependence on procedures). The second aspect of the Integrated Assessment involves evaluation of the plant's ability to maintain key safety functions during a flood in the event that the flood protection systems are compromised and unable to perform their intended safety functions. Thus, by considering the ways in which the system can fail and the likelihood of various failure modes, the Integrated Assessment should demonstrate whether the site flood protection system is reliable. Moreover, the Integrated Assessment evaluates the capability of the plant to respond to and mitigate the consequences of such a failure by maintaining key safety functions using all credited resources.

In general, the types and attributes of flood protection features (including procedures) utilized at nuclear power plants are diverse due to differences in factors such as:

- hazard characteristics (e.g., flood mechanisms, flood durations, and debris quantity)
- site topography and surrounding environment
- other site-specific considerations (e.g., available warning time)

As a result, this guidance must be capable of accommodating the unique environments and characteristics of nuclear power plant sites while ensuring that the information gathered as part of the NRC's March 12, 2012 50.54(f) letter provides a sufficient basis (including reliability insights) to determine if any additional regulatory actions are necessary to provide additional protection against external flood hazards. (See Footnote 1.)

Footnote 1: Recommendation 2.1 of the NTTF is being implemented in two phases. Phase 1 of Recommendation 2.1 implementation comprises the issuance of the 10 CFR 50.54(f) letters to addressees to request that they reevaluate the flooding hazard at their sites using updated hazard information and present-day regulatory guidance and methodologies. If necessary, respondents are also requested to perform an Integrated Assessment for external flooding. Phase 2 uses the Phase 1 results to determine whether additional regulatory actions are necessary (e.g., update the design basis and SSCs important to safety).

The objective of this guidance is to provide a framework for the Integrated Assessment that helps facilitate consistent and informative responses to NRC's March 12, 2012 50.54(f) letter, while being flexible and adaptable to accommodate the site-specific characteristics of nuclear power plant sites.

1.1 Organization of guidance

This guidance document begins with an overview of the relationship between the Integrated Assessment and other activities requested under NRC's March 12, 2012 50.54(f) letter, a summary of the information requested by the letter, and a review of the Integrated Assessment scope (ISG Section 1). A list of terms and definitions is provided (ISG Section 2). Next, an overview of the framework and key assumptions of the Integrated Assessment is presented (ISG Section 3).

The guidance for performing the Integrated Assessment provided in this ISG is comprised of three distinct components:

1. information collection and compilation (ISG Section 4)
2. evaluation (ISG Section 5)
3. report documentation (ISG Section 6)

Section 4 describes the information that should be collected and compiled to facilitate the performance of the Integrated Assessment, including:

- key plant elevations and protection of equipment
- applicable flood mechanisms

Section 5 (in conjunction with the Appendices to this ISG) provides guidance on the evaluations expected under the Integrated Assessment. The evaluations consist of:

- determination of controlling flood parameters
- evaluation of the effectiveness of flood protection systems
- evaluation of plant mitigation capability

Section 6 describes the documentation of the Integrated Assessment and provides guidance on the results that should be reported based on the evaluations performed using this guidance. Results that should be documented include:

- description of available margin
- identification of vulnerabilities
- cliff-edge effects
- risk-insights and defense-in-depth considerations

1.2 Recommendation 2.3 Flood Walkdowns and Relationship to Integrated Assessment

As part of the 50.54(f) letter issued by the NRC on March 12, 2012, licensees were requested to perform flood protection walkdowns to verify that plant features credited in the current licensing basis for protection and mitigation from external flood events are available, functional, and properly maintained. These walkdowns are interim actions to be performed while the longer-term hazard reevaluations and integrated assessment actions are performed. NRC and NEI worked collaboratively to develop guidelines for performing the walkdowns, resulting in NEI 12-07, "Guidelines for Performing Verification Walkdowns of Plant Flood Protection Features" (Ref. (7)), which NRC endorsed on May 31, 2012 (Ref. (1)).

As part of the walkdowns, respondents will verify that permanent structures, systems, and components (SSC) as well as temporary or portable flood protection and mitigation equipment will perform their intended safety functions as credited in the current licensing basis. Verification activities will ensure that changes to the plant (e.g., security barrier installations and topography changes) do not adversely affect flood protection and mitigation equipment. In addition, the walkdown will verify that procedures needed to install and operate equipment needed for flood protection or mitigation can be performed as credited in the current licensing basis. The walkdown will also verify that the execution of procedures will not be impeded by adverse weather conditions that could be reasonably expected to simultaneously occur with a flood event. As part of the walkdowns, observations of potential deficiencies, as well as observations of flood protection features with small margin and potentially significant safety consequences if lost, were entered into the licensee's corrective action program.

It is anticipated that the walkdowns will be a valuable source of information that will be useful during the performance of the Integrated Assessment. In particular, the walkdowns will provide information on available physical margin (APM) under the current design basis hazard, the condition of flood protection features, the feasibility of procedures, SSCs that are subjected to flooding, and the potential availability of systems to mitigate flood events.

However, it is emphasized that the walkdowns are performed to the current licensing basis. The reevaluated flood hazards performed under Recommendation 2.1 (see Section 1.3) may be associated with higher water surface elevations and different associated effects when compared to the current licensing basis. Therefore, some of the information from the walkdowns may not be directly applicable as part of the Integrated Assessment. It is expected that any additional information related to the impact of the flooding hazard reassessment will be considered as part of the Integrated Assessment, and that this information would be available to effectively consider the flood protection capabilities in light of potential additional flooding impacts to the site (i.e., higher elevations, accessibility issues) that may not have been fully considered during the implementation of Recommendation 2.3 walkdown.

1.3 Recommendation 2.1 Flood Hazard Reevaluations and Relationship to Integrated Assessment

NRC's March 12, 2012 50.54(f) letter requests that respondents reevaluate all appropriate external flooding sources, including the effects from local intense precipitation on the site, probable maximum flood (PMF) on stream and rivers, storm surges, seiche, tsunami, and dam failures. It is requested that the reevaluation apply present-day regulatory guidance and methodologies used for early site permit (ESP) and combined license (COL) reviews including current techniques, software, and methods used in present-day standard engineering practice.

For the sites where the reevaluated flood is not bounded by the current design basis hazard for all flood mechanisms applicable to the site, respondents are requested to submit an interim action plan with the hazard report that documents actions planned or taken to address the reevaluated hazard. Subsequently, respondents are also asked to perform an Integrated Assessment. In light of the reevaluated hazard, the Integrated Assessment will evaluate the capability of the current licensing basis (i.e., flood protection and mitigation systems), identify plant-specific vulnerabilities, and assess the effectiveness of existing or planned systems and procedures for protecting against and mitigating the effects of the reevaluated hazard for the entire duration of the flood event.

1.4 Actions and Information Requested

For the sites where the reevaluated flood is not bounded by the current design basis for all flood-causing mechanisms, the March 12, 2012 letter requests that respondents perform an Integrated Assessment of the plant to identify vulnerabilities and actions to address them.

Respondents are requested to provide the following as part of the Integrated Assessment report (Ref. (2), Encl. 2, p. 8-9):

a) Description of the integrated procedure used to evaluate integrity of the plant for the entire duration of flood conditions at the site.

b) Results of the plant evaluations describing the controlling flood mechanisms and its effects, and how the available or planned measures will provide effective protection and mitigation. Discuss whether there is margin beyond the postulated scenarios.

c) Description of any additional protection and/or mitigation features that were installed or are planned, including those installed during course of reevaluating the hazard. The description should include the specific features and their functions.

d) Identify other actions that have been taken or are planned to address plant-specific vulnerabilities.

This ISG provides guidance on methods considered acceptable to NRC for performing the Integrated Assessment as requested by the March 12, 2012 50.54(f) letter.

1.5 Scope of Integrated Assessment

In accordance with the 50.54(f) letter, the scope of the Integrated Assessment includes full-power operations and other plant configurations that could be susceptible to damage due to the status of the flood protection features. The scope also includes flood-induced loss of an ultimate heat sink (UHS) water source (e.g., due to failure of a downstream dam) that could be caused by the flood conditions. (The loss of UHS from causes other than flooding is not included.) The March 12, 2012 50.54(f) letter also requests that the Integrated Assessment address the entire duration of the flood conditions.

2. Terms and definitions

[#list needs to be alphabetized]

Available Physical Margin (APM): The term available physical margin describes the flood margin available for applicable flood protection features at a site (not all flood protection features have APMs). The APM for each applicable flood protection feature is the difference between licensing basis flood protection height and the flood height at which water could affect an SSC important to safety. Determination of APM for local intense precipitation may not be possible. (Additional details are provided in Section 3.13 of the flooding design basis walkdown guidance, NEI 12-07, Ref. (1).) [#definition may be expanded based on recent discussions related to APM]

Plant-specific vulnerability: As defined in Ref. (2), plant-specific vulnerabilities are those features important to safety that when subject to an increased demand due to the newly calculated hazard evaluation have not been shown to be capable of performing their intended safety functions.

Flood event duration: The length of time in which the flood event affects the site, beginning with notification of an impending flood (e.g., a flood forecast or notification of dam failure), including preparation for the flood and period of inundation, and ending when water has receded from the site and the plant has reached a stable state. [#figure to be generated]

Variety of site conditions: The site conditions considered in the Integrated Assessment should be all modes of operation (e.g., full power operations, startup, shutdown, and refueling) and adverse weather conditions that could reasonably be expected to occur concurrent with a flood event.

Flood protection feature: An individual incorporated, exterior and temporary structure, system, component (e.g., barrier) or associated procedure that protects against the effects of external floods.

Flood protection system: In the context of the Integrated Assessment, a flood protection system is a set of flood protection features that are intended to protect a specific SSC or group of SSCs (e.g., features used to protect the intake structure) or the entire plant (e.g., a levee around an entire site) and that are primarily separate and independent from the flood protection features used to protect other SSCs. See Appendix A, Section # for additional discussion.

Total plant response: The total plant response is the capability of the plant to (1) protect against flood events (considering diverse flood protection features) and (2) mitigate consequences, if the flood protection system is compromised, by maintaining key safety functions using all credited resources.

Flood height and associated effects: Maximum stillwater surface elevation plus factors such as:

- wind waves and run-up effects
- hydrodynamic loading, including debris
- effects due to sediment deposition and erosion
- concurrent site conditions, including adverse weather conditions
- other pertinent factors

Key safety functions: The minimum set of safety functions that must be maintained to prevent core damage and large early release. These include reactivity control, reactor pressure control, reactor coolant inventory control, decay heat removal, and containment integrity in appropriate combinations to prevent core damage and large early release. (Ref. (3))

Flood parameter scenario(s): A set(s) of flood parameters that should be considered as part of the Integrated Assessment (see Section 0 for additional details).

Fault tree: A deductive logic diagram that depicts how a particular undesired event can occur as a logical combination of other undesired events (Ref. (3)).

Event tree: A logic diagram that begins with an initiating event or condition and progresses through a series of branches that represent expected system or operator performance that either succeeds or fails and arrives at either a successful or failed end state (Ref. (3)).

Human reliability analysis (HRA): A structured approach used to identify potential human failure events and to systematically estimate the probability of those events using data, models, or expert judgment (Ref. (3)). In the context of the Integrated Assessment, HRA approaches and concepts are used to evaluate whether operator manual actions are feasible and reliable.

Passive (flood protection) feature: [#definition under development] Incorporated, exterior, or temporary flood protection features that do not require the change of state of a component in order to perform as intended. Examples include dikes, berms, sumps, drains, basins, yard drainage systems, walls, removable wall and roof panels, floors, structures, penetration seals, temporary water tight barriers, barriers exterior to the immediate plant area that are under licensee control, and cork seals.

Active (flood protection) feature: [#definition under development] Incorporated, exterior, or temporary flood protection features that require the change of state of a component in order to perform as intended. Examples include sump pumps, portable pumps, isolation and check valves, flood detection (e.g., level switches), and flood doors (e.g., watertight doors).

Incorporated (flood protection) feature: Engineered passive or active flood protection features that are permanently installed in the plant that protect safety related systems, structures and components from inundation and static/dynamic effects of external flooding. Examples include pumps, seals, valves, gates, etc. that are permanently incorporated into a plant structure (Ref. (4)).

Temporary (flood protection) feature: Passive or active flood protection features within the immediate plant area that protect safety-related systems, structures and components from inundation and static/dynamic effects of external flooding and are temporary in nature (i.e., they must be installed prior to the advent of the design basis external flood). Examples include portable pumps, sandbags, plastic sheeting, and portable panels (Ref. (4)).

Exterior (flood protection) feature: Engineered passive or active flood protection features external to the immediate plant area and credited to protect safety related systems, structures and components from inundation and static/dynamic effects of external floods. Examples include levees, dikes, floodwalls, flap gates, sluice gates, duckbill valves and pump stations (Ref. (4)).

Operator manual action (for flooding): Proceduralized activity carried out by plant personnel outside of the control room to prepare for or respond to an external flood event.

Failure modes and effects analysis (FMEA): A process for identifying failure modes of specific components and evaluating their effects on other components, subsystems, and systems (Ref. (3)).

Critical elevation: The elevation at which a piece or group of equipment will fail to function, or a transient will be induced, due to flood height and associated effects.

Cliff-edge effect: An elevation at which safety consequences of a flood event may increase sharply with a small increase in the flood height and associated effects.

Mitigation capability: In the context of the Integrated Assessment, mitigation capability refers to the capability of the plant to prevent loss of key safety functions in the event that a flood protection system(s) is not capable of performing its intended function(s).

Feasible action: An action that is analyzed and demonstrated as being able to be performed within an available time to avoid a defined undesirable outcome. As compared to a reliable action (see definition), an action is considered feasible if it is shown that it is possible to be performed within the available time (considering relevant uncertainties in estimating the time available); but it does not necessarily demonstrate that the action is reliable. For instance, performing an action successfully one time out of three attempts within the available time shows that the action is feasible, but not necessarily reliable (Ref. (5)).

Reliable action: A feasible action that is analyzed and demonstrated as being dependably repeatable within an available time, so as to avoid a defined adverse consequence, while considering varying conditions that could affect the available time and/or the time to perform the action. As compared to an action that is only feasible (see definition), an action is considered to be reliable as well if it is shown that it can be dependably and repeatably performed within the available time, by different crews, under somewhat varying conditions that typify uncertainties in the available time and the time to perform the action, with a high success rate. All reliable actions need to be feasible, but not all feasible actions will be reliable (Ref. (5)).

Reasonable simulation: A walk-through of a procedure or activity to verify the procedure or activity can be executed as specified/written. This simulation requires verification that:

- all resources needed to complete the actions will be available. (Note that staffing assumptions must be consistent with site access assumptions in emergency planning procedures.)
- any credited time dependent activities can be completed in the time required considering the time required for detection, recognition and communication to initiate action for the applicable flood hazard.
- specified equipment/tools are properly staged and in good working condition.
- connection/installation points are accessible.
- the execution of the activity will not be impeded by the event it is intended to mitigate or prevent (for example, access to the site and movement around it can be accomplished during the flood).
- the execution of the activity will not be impeded by other adverse conditions that could reasonably be expected to simultaneously occur (Ref. (4)).

Design bases: As defined by 10 CFR 50.2, the design bases are information that identifies the specific functions to be performed by a structure, system, or component of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. These values may be (1) restraints derived from generally accepted "state of the art" practices for achieving functional goals, or (2) requirements derived from analysis (based on calculation and/or experiments) of the effects of a postulated accident for which a structure, system, or component must meet its functional goals.

Current Licensing Basis (CLB): As defined by 10 CFR 54.3, the current licensing basis is the set of NRC requirements applicable to a specific plant, plus a licensee's docketed and currently effective written commitments for ensuring compliance with, and operation within, applicable NRC requirements and the plant-specific design basis, including all modifications and additions to such commitments over the life of the facility operating license. It also includes the plant-specific design basis information, defined by 10 CFR 50.2, as documented in the most recent UFSAR as required by 10 CFR 50.71. The set of NRC requirements applicable to a specified plant CLB includes:

- NRC regulations in 10 CFR Parts 2, 19, 20, 21, 26, 30, 40, 50, 51, 54, 55, 70, 72, 73 and 100 and appendices thereto

- Commission Orders

- License Conditions

- Exemptions

- Technical Specifications

- Plant-Specific design basis information defined in 10 CFR 50.2 and documented in the most recent UFSAR (as required by 10 CFR 50.71)

- Licensee Commitments remaining in effect that were made in docketed licensing correspondence (such as licensee responses to NRC bulletins, License Event Reports, Generic Letters and Enforcement Actions)

- Licensee Commitments documented in NRC safety evaluations

[#terms to be added or modified, as appropriate]

[#list of acronyms to be added]

3. Framework for Integrated Assessment

This Integrated Assessment guidance utilizes a graded approach so that the type of analysis performed for a plant is commensurate with the site characteristics. In particular, for a given plant, the types of assessments and methodologies considered appropriate for performing the Integrated Assessment vary based on two key factors:
1. the relationship between the re-evaluated flood hazard (including flood height and associated effects) and the existing flood protection at the plant,
2. the type(s) of flood protection utilized at the plant

Under the graded approach, it may be appropriate to perform conventional, engineering evaluations of individual flood protection features at some plants while application of PRA techniques2 (e.g., system logic models) may be appropriate for other sites. Figure 1 provides a conceptual illustration of the graded approach. The figure demonstrates that the type of evaluation appropriate for performing the Integrated Assessment depends jointly on the relationship between the reevaluated hazard and the existing flood protection as well as the type of flood protection utilized at the site. The inherent reliability of flood protection features may differ substantially from plant-to-plant, and, as illustrated by the x-axis in Figure 1, the Integrated Assessment procedure described herein accounts for the differences in characteristics of flood protection. The y-axis in Figure 1 is a function of the reevaluated flood hazard in comparison to the existing flood protection. Moving upward on the y-axis in Figure 1 represents the increasing utility associated with the use of PRA-type techniques as the available margin under the reevaluated hazard becomes small or negative (i.e., the site flood protection is not able to accommodate the reevaluated flood elevation or associated effects for the flood event duration).

2 This guide describes the use of PRA-techniques; however, the approaches described in this document are not intended to be compliant with guidance provided in Ref. (14).

3.1 Key assumptions

The following subsections provide information on key assumptions applicable to the Integrated Assessment.

3.1.1 Protection and mitigation

The Integrated Assessment evaluates the current licensing basis protection and mitigation capability of plants in response to the reevaluated flood hazards as well as additional in-place or planned resources. In assessing the protection and mitigation capability of a plant, credit can be taken for all available resources (onsite and offsite) as well as the use of systems, equipment, and personnel in non-traditional ways. Temporary protection and mitigation measures as well as non-safety related SSCs can also be credited with sufficient technical bases. In crediting use of systems, equipment, and personnel in non-traditional ways, non-safety related SSCs, temporary mitigation and protection features, or similar resources, the Integrated Assessment should account for the potentially reduced reliability of such resources relative to permanent, safety-related equipment (Ref. (6)). Moreover, if credit is taken for these resources, sufficient justification should be provided that they will be available and functional when required for the flood event duration. Justification should consider the time required to acquire these resources and place them in service.

Guidance on evaluation of flood protection and mitigation capability is available in Sections 5.4 and 5.5 and Appendices A and B.

3.1.2 Modes of operation and concurrent conditions

As described in Section 1.5, the scope of the Integrated Assessment includes full power operations and other plant configurations that could be susceptible due to the status of the flood protection features. The Integrated Assessment should evaluate the effectiveness of flood protection and mitigation capability of the plant for the mode(s) of operation that the plant will be in for the entire flood event duration.3 In addition, the Integrated Assessment should include a description of the expected total plant response under other modes of operation, including a discussion of controls that are in place in the event that a flood occurs during any of these modes (e.g., during refueling). The Integrated Assessment should also consider whether specific vulnerabilities may arise during modes of operation other than full-power (e.g., conditions where flood protection features may be bypassed or defeated for maintenance or refueling activities).

Finally, the Integrated Assessment should consider concurrent plant conditions, including adverse weather that could reasonably be expected to simultaneously occur with an external flood event4 as well as equipment that may be directly affected by the flood event (e.g., loss of the switchyard due to inundation).

3 See Section 2 for definition of flood event duration.

4 Ref. (13) provides guidance on combined events that should be considered as part of the Integrated Assessment. As part of the Recommendation 2.1 hazard reevaluations (see Section 1.3), Ref. (13) should have been used in establishing the combined events applicable to a site.

3.1.3 Flood frequencies

Due to the limitations of the current state of practice in hydrology, widely-accepted and well-established methodologies are not available to assign initiating event frequencies for most flood mechanisms using probabilistic flood hazard assessment for floods as severe as those specified in the design basis hazards for nuclear power plants (Ref. (7)). Because of these limitations, the Integrated Assessment does not require the computation of initiating flood-hazard frequencies and guidance to compute these frequencies is not provided in this ISG.

Furthermore, it is not acceptable to use initiating event frequencies to screen out flood events in lieu of evaluation of flood protection features at the site. However, within the Integrated Assessment, flood event frequency is acceptable for use as part of a PRA to evaluate mitigation strategies. As discussed in this ISG, mitigation strategies should be evaluated for the case in which flood protection features fail during the flood event duration.

4. Information collection and compilation

4.1 Critical plant elevations and protection of equipment

To facilitate the performance of the Integrated Assessment, the following information should be collected or otherwise understood:

- the critical elevations5 of plant equipment and the safety functions affected when the critical elevation of the equipment is reached
- the flood protection features or systems used to protect each piece or group of critical plant equipment (e.g., a site levee, a category 1 wall and flood doors, or a sandbag barrier) and any procedures required to install, construct, or otherwise implement the flood protection
- the manner by which the equipment could be subjected to flooding (e.g., site inundation, building leakage)

In lieu of defining a discrete critical elevation associated with each piece of equipment, it may be appropriate to define the equipment failure probability as a function of flood elevation or other associated effect (i.e., a flood fragility). Justification for fragility parameters should be provided.

4.2 Applicable flood mechanisms and plant conditions

The hazard reevaluations performed under Recommendation 2.1 (see Section 1.3) identify the external flood mechanisms applicable to a site. Prior to performing the Integrated Assessment, the flood height and associated effects6 for all applicable flood mechanisms from the hazard review should be collected or reviewed for use in the Integrated Assessment.

In addition, for each flood mechanism, the following information should be collected for use in the Integrated Assessment:7

- the expected plant mode(s) during the flood event duration
- available instrumentation and communication mechanisms associated with each flood mechanism, if applicable (e.g., river forecasts, dam condition reports, river gauges)
- the availability of and access to onsite and offsite resources and consumables
- accessibility considerations to/from and around the site that may impact protective and mitigating actions

5 See Section 2 for definition of critical elevations.

6 See Section 2 for definition of flood height and associated effects.

7 This information may be available, in part, from the Recommendation 2.3 walkdown report or licensee walkdown records (see Section 1.2).

5. Evaluation guidance

5.1 Overview of evaluation procedure

The Integrated Assessment is intended to identify site-specific vulnerabilities and provide other important insights, including evaluation of available margin, defense-in-depth, and cliff-edge effects (see Section 6). As described in Section 3, the Integrated Assessment is based on a graded approach to ensure the type of assessment performed is appropriate for the unique characteristics of a given site. Depending on site characteristics, the graded approach supports assessments ranging from engineering evaluations of individual flood protection features to evaluations based on PRA-techniques (e.g., system logic models and risk-insights).

The evaluation performed as part of the Integrated Assessment consists of four steps:

1. assembly of a peer review team
2. determination of controlling flood parameters
3. evaluation of the effectiveness of flood protection systems
4. evaluation of mitigation capability

These steps are illustrated in Figure 2 and briefly described below.

The first step involves assembling the peer review team as described in Section 5.2 and Appendix D. The next step involves determination of the flood parameter scenario(s) that should be considered as part of the evaluation. Additional guidance on determining the flood parameter scenario(s) that should be considered is provided in Section 5.3. Third, based on the controlling flood parameter scenario(s), an evaluation of the effectiveness of the flood protection system at the site is performed. Additional information on the appropriate type of flood protection evaluation to perform as part of the Integrated Assessment (e.g., engineering evaluation of individual flood protection features or evaluation using PRA-techniques) is provided in Section 5.4. The fourth step is the evaluation of the capability of the plant to mitigate a loss of the flood protection system or individual flood protection features, as described in Section 5.5.

5.2 Peer review

An independent peer review is an important element of ensuring technical adequacy. The technical adequacy of the Integrated Assessment is measured in terms of the appropriateness with respect to scope, level of detail, methodologies employed, and plant representation, which should be consistent with this guidance and commensurate with the site-specific hazard and inherent flood protection reliability. The licensee's Integrated Assessment submittal should include a discussion of measures used to ensure technical adequacy, including documentation of peer review. Additional details on peer review for the Integrated Assessment are provided in Appendix D.

5.3 Controlling flood parameters

The flood parameters considered as part of the Integrated Assessment for a plant are based on the Recommendation 2.1 hazard reevaluations (see Section 1.3). Flood hazards do not need to be considered individually as part of the Integrated Assessment. Instead, the Integrated Assessment should be performed for a set(s) of flood parameters defined based on the results of the Recommendation 2.1 hazard reevaluations (see Section 4.2). This set of parameters is referred to as a flood parameter scenario(s) in this ISG.

The flood parameters that should be defined in a flood parameter scenario and considered as part of the Integrated Assessment include:

- flood height and associated effects
- flood event duration, including warning time and intermediate water surface elevations that trigger actions by plant personnel
- plant mode(s) of operation during the flood event duration

In some cases, there is one controlling flood hazard for a site. In this case, the flood parameter scenario should be defined based on this controlling flood hazard. However, at some sites, due to the diversity of flood hazards to which the site is exposed, it may be necessary to define multiple flood parameter scenarios to capture the different plant effects from the diverse flood parameters associated with applicable hazards. In addition, sites may utilize different flood protection systems to protect against or mitigate different flood hazards. In such instances, the Integrated Assessment should define multiple flood parameter scenarios.

If appropriate, instead of considering multiple flood parameter scenarios as part of the Integrated Assessment, it is acceptable to develop an enveloping scenario (e.g., the maximum water surface elevation and inundation duration with the minimum warning time generated from different hazard scenarios). For simplicity, these flood parameters may be combined to generate a single bounding scenario of flood parameters for use in the Integrated Assessment.

5.4 Effectiveness of flood protection

There are vast differences from plant to plant with regard to the flood protection measures utilized. Site flood protection may include incorporated, exterior, and temporary features with passive and active functions credited to protect against the effects of external floods. In addition to physical barriers, flood protection at nuclear power plants may involve a variety of operator manual actions. These operator manual actions may be associated with installation of features (e.g., floodgates, portable panels, placement of portable pumps in service), construction of barriers (e.g., sandbag barriers), and other actions.

The Integrated Assessment differentiates between simple and complex flood protection systems.8 Simple flood protection systems include exterior or incorporated barriers that are permanent and passive. Simple flood protection systems are not associated with significant reliance on active components or operator manual actions and have few feature system interdependencies and interactions. Simple flood protection systems are not associated with significant uncertainties with respect to the construction or characteristics of flood protection features. Complex systems include all flood protection systems that do not meet the definition of a simple flood protection system (e.g., complex flood protection systems may include temporary protective measures, procedures with significant reliance on operator manual actions, or active components).

8 See definition of flood protection system in Section 2.

As part of the Integrated Assessment, an evaluation should be performed of the capability of the site flood protection to prevent loss of key safety functions due to flood height and associated effects for each flood parameter scenario.

Simple flood protection systems should be evaluated against quantitative and qualitative performance criteria. The flood protection evaluation of a simple flood protection system should provide an understanding of potential failure modes of the flood protection system.

The evaluation should quantitatively determine whether the barrier can withstand the loads due to flood height and associated effects under a flood parameter scenario(s). The performance of the barrier should be compared against appropriate design codes and standards (e.g., ##Add reference) to determine whether the barrier conforms to best practices and is sufficiently robust (e.g., demonstrates an appropriate factor of safety).

Qualitative evaluation of operational requirements such as surveillance, inspection, design control, maintenance, and testing is appropriate to provide confidence in the reliability of a barrier. Quantitative evaluation of the reliability of simple flood protection features under a flood parameter scenario(s) is also acceptable.

The evaluation of a complex flood protection system should provide an understanding of potential failure modes of the individual flood protection features as well as the complete flood protection system. The evaluation of complex flood protection should include evaluation of individual flood protection features using the quantitative and qualitative performance criteria described above for simple flood protection systems. Quantitative evaluation of the reliability of active features (based on operating experience or other available data) is appropriate. Operator manual actions associated with complex flood protection systems should be evaluated using human reliability analysis (HRA) concepts and approaches,9 as described in Appendix C. Quantification of the reliability of operator manual actions under a flood parameter scenario(s) is appropriate if conservative, qualitative evaluations do not demonstrate that an operator manual action can be performed with sufficiently high reliability when accounting for the considerations in Appendix C. To account for system dependencies,10 evaluation of the flood protection system as a whole (e.g., using system logic models) is appropriate. Sensitivity studies are appropriate if there is uncertainty about the construction or characteristics of a flood protection feature or system.

Additional guidance on evaluating flood protection features and systems is provided in Appendix A.

If, based on the flood protection evaluation, a flood protection system is deemed capable of withstanding the flood height and associated effects for a flood parameter scenario, the Integrated Assessment should provide sufficient justification to support this conclusion. The Integrated Assessment should also demonstrate that the flood protection system integrity is maintained with sufficiently high reliability under the flood parameter scenario(s) based on available performance criteria. In addition, the limiting margin associated with the flood protection system as well as the margin associated with individual flood protection features should be identified. Margin should be identified with respect to physical barrier dimensions as well as time margin associated with performance of operator manual actions.

9 [#text under development] At the time of publication of this ISG, HRA methodologies have not been extensively used specifically for evaluation of procedures associated human actions during the flood event duration. However, HRA approaches and concepts can be used to evaluate whether an operator manual action is feasible and reliable such that it may be relied upon during a severe flood event.

10 For example, the protection of a room may be dependent on a sump pump to remove water leaking through a barrier and the performance of a temporary barrier is dependent on the construction of the barrier based on procedures.

Demonstration of the aforementioned items requires an understanding of the capability of flood protection systems for a range of flood heights and associated effects (including reasonable variation in warning time and flood event duration). Physical margin can be demonstrated by incrementally increasing the flood elevation (while accounting for associated effects) and showing the elevation beyond which the system is no longer capable of reliably performing its intended function. Temporal margin can be demonstrated through reasonable variation in warning time and flood event duration as a function of flood height and associated effects. The effect of bounding conservatisms considered as part of the NTTF Recommendation 2.1 hazard reevaluation may be considered when evaluating the margin available under a flood parameter scenario.

The Integrated Assessment should identify any flood protection features or systems that are unable to accommodate the flood height and associated effects for a flood parameter scenario(s) with sufficiently high reliability. Any flood protection feature or system determined not to be capable of performing its intended function under the reevaluated hazard should be documented as a vulnerability (see Section 6.2.2). Vulnerabilities should be documented for all susceptible plant configurations. In addition, if a flood protection feature or system is not able to accommodate a flood parameter scenario, the flood protection evaluation should determine at what flood height and under what associated effects, the flood protection feature or system is able to accommodate a flood with sufficiently high reliability. If modifications are proposed to address vulnerabilities, improve margin, or otherwise improve the effectiveness of site flood protection, the Integrated Assessment should provide justification that the modified flood protection meets established performance criteria.

5.5 Plant mitigation capability

The plant mitigation capability refers to the capability of the plant to prevent loss of key safety functions in the event that a flood protection system(s) is not capable of performing its intended function(s) (e.g., due to structural failure of a barrier, excessive leakage through a barrier, or erroneous barrier installation or construction).

While all sites should evaluate the effectiveness of their flood protection, it is not necessary for all sites to evaluate the mitigation capabilities of the plant. For example, an evaluation of mitigation capability is not necessary if the flood protection at a site can be shown to have high reliability and margin under the flood parameter scenarios associated with the reevaluated hazard. In addition, if a site is not affected by flood mechanisms other than local intense precipitation (including safety-related structures if located below site grade) and the drainage system is capable of handling the event, it is not necessary to evaluate plant mitigation capability. Instead, at sites meeting these conditions, a limited evaluation and documentation of available margin and cliff-edge effects is sufficient (see Section 6.2).

An extensive evaluation of plant mitigation capability is appropriate for sites that have not demonstrated that flood protection systems have high reliability and margin (either by meeting established performance criteria or through quantification of flood protection reliability). In addition, sites that allow water to enter seismic category 1 equipment by procedure or design should perform an evaluation of mitigation capability. Plant mitigation capability should be evaluated for credible flood protection failure modes, including concurrent failures, identified based on the evaluation described in Section 5.4 and Appendix A. For each scenario involving the compromise of flood protection under a flood parameter scenario, the mitigation capability of the plant should be evaluated for the entire flood event duration considering all available resources. Appendix B provides guidance on evaluating the mitigation capability of a plant.

6. Report Documentation

As indicated in the March 12, 2012 50.54(f) letter, the Integrated Assessment report should provide the following (Ref. (2), Encl. 2, p. 8-9):

a) Description of the integrated procedure used to evaluate integrity of the plant for the entire duration of flood conditions at the site.

b) Results of the plant evaluations describing the controlling flood mechanisms and its effects, and how the available or planned measures will provide effective protection and mitigation. Discuss whether there is margin beyond the postulated scenarios.

c) Description of any additional protection and/or mitigation features that were installed or are planned, including those installed during course of reevaluating the hazard. The description should include the specific features and their functions.

d) Identify other actions that have been taken or are planned to address plant-specific vulnerabilities.

This section provides additional guidance on documenting the assumptions, evaluations, and results of the Integrated Assessment.

6.1 Documentation of evaluation

[#text under development]

Using the guidance provided in this document, the Integrated Assessment submittal should:

1. describe the procedure and methodologies used to perform the Integrated Assessment
2. document the applicable flood mechanisms and the flood parameter scenario(s) considered as part of the Integrated Assessment, including flood height and associated effects
3. document the overall site conditions that may be realized during a flood parameter scenario(s), including identification of risk-significant SSCs that are affected by the flood event
4. document the evaluation performed of the effectiveness of the current licensing basis flood protection, including:
a. a description and technical justification of the methodologies and assumptions (including input parameters and failure modes considered) used to demonstrate the effectiveness of flood protection features and systems
b. a description of performance criteria used when evaluating the effectiveness of each flood protection feature (including operator manual actions) and each system
c. the results of evaluations, including sensitivity studies, if appropriate
d. a detailed list of available margins for flood protection features and systems, including a description of how margins were derived
5. document the evaluation of the effectiveness of the current licensing basis mitigation capability, including:
a. a description and technical justification of the methodologies and assumptions used to quantify the mitigation capability of the plant
b. a summary of system models, including a description of modifications made to existing internal event PRA models or models that have been developed specifically for the evaluation of mitigation capability
c. a summary and justification of evaluations performed of operator manual actions, if applicable
d. the results of evaluations, including sensitivity studies, if appropriate
6. document the effectiveness of additional in-place and planned protective and mitigation measures (if applicable), including:
a. a description and technical justification of the methodologies and assumptions used to quantify the effectiveness of additional in-place and planned protective and mitigation measures
b. a description of performance criteria used when evaluating the effectiveness of each protective or mitigative feature or system
c. the results of evaluations, including sensitivity studies, if appropriate
d. a detailed list of available margins for in-place or planned flood protection features and systems, including a description of how margins were derived
7. document identified vulnerabilities, available margin, cliff-edge effects, and additional risk-insights and defense-in-depth, as described in Section 6.2
8. identify other actions that have been taken or are planned to address plant-specific vulnerabilities

6.2 Results

6.2.1 Evaluation of available margin

The Integrated Assessment report should include a description of available margin under the reevaluated hazards (i.e., flood parameter scenario(s), see Section 5.3) for all flood protection systems at the site. The report should also discuss the significance of this margin in terms of the additional severity in flood hazard that would be required to eliminate the margin. In addition, the Integrated Assessment report should discuss the effects of exceeding the available margin on maintenance of key safety functions.

6.2.2 Identification of vulnerabilities

The Integrated Assessment report should describe identified vulnerabilities.11 The Integrated Assessment report should also describe all safety functions that may be affected by identified vulnerabilities. The description should indicate the combined effect of vulnerabilities on key safety functions. In addition, the description should identify the flood elevation at which each SSC has been compromised.

11 See Section 2 for definition.

The Integrated Assessment report should also describe all deficiencies identified during the Recommendation 2.3 walkdowns (see Section 1.2) that have not yet been resolved (i.e., closed) by the licensee's corrective action program.

6.2.3 Cliff-edge effects

The Integrated Assessment should evaluate if, and at what elevation, a cliff-edge effect may occur. The Integrated Assessment report should document the elevation at which cliff-edge effects are expected and the potential safety consequences of exceeding that elevation. The report should also document the effect of all available resources on reducing the safety consequences associated with rising water surface elevations.

In addition, sites not requiring an extensive evaluation of mitigation capability12 should provide a qualitative description of the mitigation resources at the site (if available), including:

- the location of mitigation equipment relative to the flood height associated with the reevaluated hazard

- the reliability and redundancy of equipment

- the pedigree of equipment (e.g., commercial, augmented quality, safety-related)

- whether operator manual actions are feasible and reliable

- controls in place, including surveillance, inspection, design control, maintenance, and testing

6.2.4 Risk insights and defense-in-depth

Risk-significant insights should be documented as part of the Integrated Assessment.

Examples of insights include:

- Specific flood protection features that, if unavailable or degraded, would result in a significant increase in the overall risk to the plant as a result of the reassessed flood hazard. This should include specific actions, procedures, systems and components that are relied on to maintain the plant in a safe condition.

- Observations of plant safety consequences or substantial increases in risk associated with flood elevations below the maximum water surface elevation for a flood parameter scenario (e.g., loss of offsite power at elevations below the maximum flood height associated with the reevaluated hazard)

- Risk-significant SSCs that are affected by the reevaluated flood but previously were not (i.e., SSCs that were dry under the design basis hazard but are wet under the reevaluated hazard)

[#text under development]

The defense-in-depth philosophy is applied in reactor design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It is an effective way to account for uncertainties in equipment and human performance and, in particular, to account for the potential for unknown and unforeseen failure mechanisms or phenomena, which (because they are unknown or unforeseen) are not reflected in evaluations based either on PRA-techniques or traditional engineering analyses. Therefore, to address these unknown and unforeseen failure mechanisms and phenomena, the Integrated Assessment report should document if and how defense-in-depth considerations are used and maintained for flood events at the site.

12 Sites requiring an extensive evaluation of mitigation capability should provide documentation as described in Section 6.1.

Figure 1: Illustration of graded approach. [Figure not reproduced. Labels: evaluation approach (component-level evaluation using conventional engineering methods; system-level evaluation of flood protection and mitigation); flood protection type (flood protection from locally-intense precipitation only; flood protection strategies with operator manual actions); relationship between Pexisting and Hnew. Pexisting = existing flood protection; Hnew = reevaluated hazard.]

Figure 2: Evaluation flowchart. [Flowchart not reproduced. Boxes: Identification of flood parameter scenario(s); Evaluation of flood protection; decision "Flood protection demonstrates high reliability and margin?" (yes/no); Evaluation of mitigation capability; Assembly of peer review team; Documentation of evaluation, results, and peer review.]


7. References [#incomplete and unformatted]
1. USNRC. #INSERT Reference to NRC endorsement letter of NEI 12-07.
2. #INSERT Reference to NRC 50.54(f) letter. ML #.
3. ANS. #INSERT Reference to ANS PRA document.
4. NEI. #INSERT Reference to NEI 12-07. ML12173A215.
5. U.S. Nuclear Regulatory Commission. Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire. October 2007. NUREG-1852.
6. USNRC. #INSERT Reference to STAFF REQUIREMENTS - SECY-12-0025.
7. #INSERT Reference to NUREG/CR-7046.
8. Gregory B. Baecher, John T. Christian. Reliability and Statistics in Geotechnical Engineering. West Sussex, England : John Wiley & Sons, Ltd., 2003.
9. U.S. Army Corps of Engineers, St. Paul District. Flood-Fight Handbook - Preparing for a Flood. 2009. http://www.mvp.usace.army.mil/docs/disaster_response/CEMVP_Flood-Fight_Handbook_2009.pdf.
10. U.S. Army Corps of Engineers. Sandbag Construction. http://www.mvp.usace.army.mil/docs/flood_fight2009/5Sandbag_Construction_2009_JRL.pdf.
11. Laboratory Testing of Flood Fighting Products. Coastal and Hydraulics Laboratory. [Online] [Cited: August 23, 2012.] http://chl.erdc.usace.army.mil/chl.aspx?p=s&a=Projects;182.

12. USNRC. #INSERT Reference to Regulatory Guide 1.200, "AN APPROACH FOR DETERMINING THE TECHNICAL ADEQUACY OF PROBABILISTIC RISK ASSESSMENT RESULTS FOR RISK-INFORMED ACTIVITIES".
13. U.S. Nuclear Regulatory Commission. EPRI/NRC-RES Fire Human Reliability Analysis Guidelines. July 2012. NUREG-1921.
14. Good Practices for Implementing Human Reliability Analysis (HRA). April 2005. NUREG-1792.
15. USNRC. #INSERT Reference to NUREG 1852.
16. ANSI/ANS. #INSERT reference to ANS/ANSI 2.8-1992, Determining Design Basis Flooding...

APPENDIX A: Evaluation of flood protection

The goal of this appendix is to provide guidance on the evaluation of flood protection features. This appendix begins with an overview of an acceptable procedure for evaluating flood protection (Section A.1). Section A.2 provides guidance on evaluating individual components of a flood protection system. Section A.3 provides guidance on evaluating a complete flood protection system.

A.1 Procedure overview

An acceptable procedure for use in evaluating flood protection is illustrated by the flowchart in Figure 3. The evaluation begins with definition of the flood protection systems13 that should be evaluated as part of the Integrated Assessment (box 1). A site may have multiple and diverse flood protection systems. For example, a site may be protected by a levee around the entire site as well as incorporated barriers at the structure/environment interface for each individual building. The site levee would constitute one flood protection system while a set of barriers that protects an individual building, which can be isolated from other buildings (either through separation by location or flood protection features), would comprise a separate flood protection system.

Next, as demonstrated in Figure 3, a flood parameter scenario and flood protection system are selected for evaluation (boxes 2 and 3, respectively). An evaluation is then performed of the selected flood protection system under the flood parameter scenario (box 4). As described in Section 5.4, the type of methodology considered appropriate for evaluating a flood protection system is based on the types of flood protection features employed in the flood protection system (i.e., whether the system is simple or complex). Simple flood protection systems should be evaluated at the component-level. The assessment of complex flood protection systems involves the evaluation of individual features and then evaluation of the complete flood protection system. Sections A.2 and A.3 of this Appendix provide guidance on the evaluation of various types of flood protection features at the component and system levels, respectively.

If it can be shown that the flood protection can reliably accommodate the flood parameter scenario with large margin (boxes 5 and 6), then the integrity of the system is documented and justified (box 7) and the evaluation is repeated for the next flood protection system.

Conversely, if the flood protection system is not able to accommodate the flood parameter scenario with sufficient reliability (based on available performance criteria or quantification of flood protection reliability) and modifications will not be made, the credible failure modes and vulnerabilities should be documented (box 8) along with the direct consequences (e.g., inundation of a room) of each failure mode (box 9). The analysis is then repeated for the next flood protection system (as directed by box 12). If modifications to the flood protection system are proposed (box 10) in response to identification of low reliability or margin, the modified flood protection system should be defined (box 11) and evaluated. Flood protection systems should be evaluated under all flood parameter scenarios (as directed by boxes 12 and 13).

13 A flood protection system is defined in Section 2 of this ISG.

A.2 Evaluating components of flood protection systems

This section provides guidance on evaluating components of flood protection systems. Sections A.2.1 and A.2.2 of this Appendix provide guidance on the evaluation of permanent and incorporated, passive flood protection features. Section A.2.3 provides guidance on the evaluation of active flood protection features. Section A.2.4 provides guidance on the evaluation of temporary protective measures. Section A.2.5 provides guidance on evaluation of operator manual actions.

A.2.1 Evaluation of exterior, passive flood protection features

As described in Section 5.4, use of conventional engineering evaluations is generally considered acceptable for demonstrating the capability of permanent, passive flood protection systems to perform their intended functions. The following steps should be considered in the flood protection assessment:

- analysis of potential failure modes

- determination of capacities

- comparison against performance criteria

It is appropriate to systematically consider the potential failure modes when evaluating a permanent, passive flood protection system. Use of PRA techniques (e.g., FMEA) may provide a useful structure for understanding failure modes and sequences. For example, Ref. (8) provides examples of use of PRA techniques in evaluating geotechnical structures.

The evaluation of exterior, passive flood protection features should demonstrate whether the flood protection barrier can withstand the loads associated with a flood parameter scenario(s) and should include a demonstration that the barrier is in satisfactory condition and structurally adequate based on engineering evaluations. The performance of the barrier should be compared against appropriate design codes and standards to determine whether the barrier conforms to best practices and is sufficiently robust (e.g., demonstrates an appropriate factor of safety). Qualitative evaluation of operational requirements such as surveillance, inspection, design control, maintenance, and testing is appropriate to provide confidence in the reliability of a barrier. In addition, the following sections provide points of consideration in evaluating soil structures (embankment, levees, and berms) and concrete barriers. In evaluating these types of barriers, licensees should refer to the guidance below, referenced documents [#references to be added], and appropriate codes and standards [#insert references] to assess whether in place or planned systems conform to best practices.

A.2.1.1 Soil embankments, levees, and berms

The foundation and subsurface design of an embankment, levee, or berm should be evaluated to determine whether the following factors were considered in its design:

- foundation stability

- positive control of seepage

- minimum adverse deformation via good contact between flood protection structure and foundation

- use of cut off walls and drainage systems to control seepage paths through foundation

The materials used in construction of the structure should be evaluated to determine whether the following factors were considered in its design:

- use of filter materials to preclude migration of soil materials through the embankment and foundation

- erosion control against surface runoff, wave action, hydrodynamic forces, and debris

The maintenance and inspection regime of the embankment, levee, or berm should be evaluated to assess whether:

- the embankment, levee, or berm is inspected at regular intervals

- written procedures are in place for proper maintenance

- personnel responsible for inspecting the structure have been trained in inspection techniques, implementing preventative and compensatory measures, and correcting or repairing deterioration

- suitable instrumentation is being used to obtain information on the performance and condition of the structure

A.2.1.2 Concrete barriers

In assessing whether the concrete barrier can support flood loads, the foundation and subsurface design of the barrier should be evaluated to determine whether the following factors were considered in design of the structure:

- static loads from stillwater elevation

- hydrodynamic loading from wave effects and debris

- foundation design and treatment, including good contact between the flood protection structure and foundation

- removal of problem soils

- increasing seepage paths through the foundation by use of deep cut off walls, if necessary

The material properties of the concrete barrier should be evaluated to assess whether:

- there was a competent investigation of material sources

- adequate testing was performed of materials in accordance with accepted standards

- proper proportioning of concrete was performed to improve strength and durability

The design of the concrete barrier should be evaluated to ensure it is safe against overturning and sliding without exceeding the allowable stress of the foundation and concrete for the loading conditions imposed by the flood and all associated flood effects.

The maintenance and inspection regime of the concrete barrier should be evaluated to assess whether:

- the barrier is inspected at regular intervals

- written procedures are in place for proper maintenance

- personnel responsible for inspecting flood control structures have been trained in inspection techniques, implementing preventative and compensatory measures, and correcting or repairing deterioration

- suitable instrumentation is being used to obtain information on the performance and condition of the structure

A.2.2 Evaluation of incorporated, passive flood protection features

[#text under development]

A.2.3 Evaluation of active flood protection features

[#text under development]

A.2.4 Evaluation of temporary barriers

Temporary barriers should be quantitatively evaluated to demonstrate whether they are able to withstand the flood height and associated effects due to a flood parameter scenario(s). The evaluation should also consider intermediate water surface elevations that trigger emergency action levels or that are associated with discontinuities in the flood protection system. The performance of the barrier should be compared against appropriate design codes and standards to determine whether the barrier conforms to best practices and is sufficiently robust. Qualitative evaluation of operational requirements such as surveillance, inspection, design control, maintenance, and testing is appropriate to provide confidence in the reliability of a barrier. In addition, standards, codes, and guidance documents (e.g., Ref. (9) and (10)) should be consulted to determine whether the temporary barrier (e.g., configuration of a sandbag wall) conforms to best practices. Operator manual actions associated with construction or installation of temporary protective measures should be evaluated using HRA concepts and approaches. Quantification of the reliability of operator manual actions under a flood parameter scenario(s) is appropriate if conservative, qualitative evaluations do not demonstrate that an operator manual action can be performed with sufficiently high reliability based on considerations in Appendix C. Quantitative evaluation of the reliability of active features (based on operating experience or other available data) is appropriate. If conventional engineering assessments, augmented by operational requirements and evaluation of associated operator manual actions, do not demonstrate a temporary barrier is robust and reliable, it is appropriate to quantitatively estimate the reliability of temporary protective features under a flood parameter scenario(s). Quantification of feature reliability may require laboratory or field testing (e.g., Ref. (11)), analytical modeling, or demonstrations.

A.2.5 Evaluation of operator manual actions associated with flood protection features

Operator manual actions associated with flood protection features should be evaluated as described in Appendix C.

A.3 Evaluating flood protection systems

This section describes the evaluation of flood protection systems as a whole. System evaluation should begin with the definition of the flood parameter to which the system is subjected. Next, criteria defining failure of the flood protection system should be defined. In the context of the Integrated Assessment, failure may be defined as loss of barrier integrity, a leakage rate into a room exceeding a specified threshold, or other effects. Failure modes and effects analysis (FMEA) is a common tool for systematically identifying possible failure modes of a SSC and evaluating the effects of the failure on other SSCs. Once failure criteria have been defined, individual flood protection barriers within the flood protection system should be evaluated at the component level under the loads resulting from the flood parameter scenario. Finally, the flood protection system must be evaluated, accounting for interactions and dependencies between components.

The system evaluation should begin with the flood parameter scenario and progress through the sequence of subsequent events that can ultimately lead to end states corresponding to failure (or damage) of the flood protection system and subsequent adverse consequences (e.g., leakage of water past a barrier or inundation of a room). Logic structures, such as event trees, provide a way to represent the various outcomes that can occur as a result of a flood parameter scenario. An event tree starts with the flood parameter and develops sequences based on whether a feature (including an operator manual action) succeeds or fails in performing the intended functions. The system level evaluation should account for factors such as:

- the feasibility and reliability of operator manual actions that must be performed to install or construct barriers (e.g., flood gates, sandbag walls), including factors that can influence operator performance, as described in Appendix C

- the duration of the flood event14

- the time available to carry out procedures and perform required actions, including consideration of the reliability of communication mechanisms and instrumentation that trigger actions by plant personnel

- the reliability of active components (e.g., pumps that are required to remove water that bypasses flood barriers)

- the effect of flood height and associated flood effects on the performance of barriers

- potential hindrances to movement of personnel and equipment around the site

- the robustness of barriers, particularly temporary barriers

14 For some hazards, flood conditions could persist for a significant amount of time. Extended inundation on or near the site could present concerns such as site and building access, travel around the site, equipment operating times, and supplies of consumables (Ref. (4)). Flood protection feature limitations based on flood duration should be evaluated. For example, if the duration of the design basis flood is 72 hours and a diesel driven pump is credited with removing water from an area, the total amount of fuel available for the pump and the operating time it represents should be determined and included in the assessment.

Figure 3: Flood protection evaluation procedure flowchart. [Flowchart not reproduced. Numbered boxes, with yes/no branches at the decision boxes:]

- 1: Define flood protection systems
- 2: Select a flood parameter scenario
- 3: Select a flood protection system
- 4: Evaluate flood protection system
- 5: Flood protection system can reliably accommodate flood parameter scenario?
- 6: The flood protection demonstrates large margin?
- 7: Document and justify flood protection integrity
- 8: Document credible failure modes and vulnerabilities
- 9: Document consequences of credible failure modes
- 10: Modification of flood protection system?
- 11: Define modified flood protection system
- 12: All flood protection systems evaluated for the flood parameter scenario?
- 13: All flood parameter scenarios evaluated?
- 14: Flood protection evaluation complete

APPENDIX B: Evaluation of plant mitigation capability

The goal of this appendix is to provide guidance on the evaluation of the capability of the plant to mitigate the consequences of the loss of one or more flood protection system(s).

B.1 Procedure Overview

The mitigation capability of a plant may be demonstrated using one of three potential methods, depending on site characteristics and information needed for decisions:

- Scenario-based evaluation

- Margins-type evaluation

- Full PRA

A margins-type evaluation and full PRA are acceptable for evaluating plant mitigation capability at all sites. A scenario-based evaluation is only acceptable for evaluating the mitigation capability of plants for which (1) the plant systems affected by flood protection failure are not associated with complex interactions and interdependencies, (2) any credited mitigation actions are not associated with significant reliance on operator manual actions, and (3) the mitigation capability is sufficiently reliable (e.g., the conditional core damage probability given flood protection failure is less than 10^-2 [#numerical criteria to be discussed]).

If use of resources (including equipment and personnel) in non-traditional ways is credited as part of the mitigation evaluation, the assessment must account for the reduced reliability of equipment (relative to in-place safety-related equipment), human errors, and similar factors. Use of resources in non-traditional ways is subject to the same performance criteria as conventional, in-place equipment.

B.2 Margins-type evaluation of mitigation capability

[#order to be switched: scenario-based evaluation should be described first]

Figure 4 provides a flowchart illustrating an acceptable margins-based procedure for evaluation of plant mitigation capability. The mitigation evaluation begins with selection of a flood parameter scenario (box 1 of Figure 4). Next, a credible flood protection failure mode(s) is selected (box 2) based on the flood parameter scenario under consideration.

Credible failure modes of flood protection systems for a given flood parameter scenario are identified as part of the evaluation of flood protection systems (see Section 5.4 and Appendix A). Concurrent failures of multiple flood protection systems (along with associated consequences) should be considered if a flood parameter scenario could adversely affect multiple flood protection systems. For each credible failure mode(s), the direct consequences (e.g., inundation of a room) from the flood protection system failure (box 3) should be defined along with the equipment that could be adversely affected by the direct consequences of flood protection failure (e.g., failure of equipment due to submersion) (box 4). Typically, flood-caused failure of equipment will be due to inundation (e.g., submerged equipment is typically assumed to be unable to perform its intended function). However, associated flood effects (e.g., debris, dynamic loads) may also adversely affect equipment.

The dependencies among external flood-caused failures should be considered. If appropriate, failure probabilities of the equipment may be defined as a function of the flood height and associated effects. Next, the plant conditions are defined (box 5). Examples of plant conditions that should be identified include the availability of offsite power and ##.

Once the plant conditions have been specified along with affected equipment, the plant systems models should be updated to reflect the current plant state and available equipment. Given the equipment affected by the flood protection system failure and associated consequences, the CCDP and conditional large early release probability (CLERP) should be calculated (boxes 6 and 7, respectively). The evaluation of mitigation capability should be repeated until all flood protection failure modes and flood parameter scenarios have been evaluated (as directed by boxes 9 and 10).

The internal events PRA model, with appropriate modifications, can be used as the basis for the assessment of plant mitigation capability to external floods. Basic failure events are added to the internal events PRA model to modify it for use in evaluating the mitigation capability of the plant. However, it may be acceptable to develop a systems model specifically intended to model the flood parameter scenario and flood protection failure mode(s) being analyzed rather than adapting the existing internal events PRA model. If such a model is developed, it should be consistent with the internal events systems model with respect to plant response and cause-effect relationships of failures. Non-flood-caused failures may be screened out of the model if their contribution to the results is demonstrably negligible.

If modifications to the plant are proposed, the effectiveness of the modification on plant mitigation capability should be evaluated as described above.

B.3 Scenario-based evaluation of mitigation capability

[#Methodology under development]

Figure 5 provides a flowchart depicting the process for a scenario-based evaluation of mitigation capability. The evaluation begins with definition of the scenario to be evaluated.

The scenario consists of: the flood parameter scenario (box 1); the credible flood protection failure mode(s)¹⁵ (box 2); the direct consequences of flood protection failure (e.g., inundation of a room) (box 3); and specification of the plant conditions (e.g., identification of whether offsite power is available) and equipment affected by the consequences of flood protection failure (box 4). Next, the key safety functions that must be maintained are defined (box 5) and equipment available for use in maintaining key safety functions is identified (box 6).

The evaluation of plant capability to maintain key safety functions using available resources (box 7) should demonstrate that there is high confidence that the conditional core damage probability (CCDP) is less than 10⁻² [#numerical criteria to be discussed]. If this cannot be demonstrated, then a scenario-based evaluation is not sufficient and a margin-type evaluation or PRA is appropriate. The evaluation of mitigation capability using a scenario-based approach should provide adequate justification that the CCDP is less than 10⁻² [#numerical criteria to be discussed]. The evaluation should be repeated until all flood protection failure modes and flood parameter scenarios have been evaluated (as directed by boxes 8 and 9).

15 Credible failure modes of flood protection systems for a given flood parameter scenario are identified as part of the evaluation of flood protection systems (see Section 5.4 and Appendix A).

Concurrent failures of multiple flood protection systems (along with associated consequences) should be considered if a flood parameter scenario could adversely affect multiple flood protection systems.

If modifications to the plant are proposed, the effectiveness of the modification on plant mitigation capability should be evaluated as described above.

B.4 PRA-based evaluation of mitigation capability

If a PRA-based evaluation is used to assess the mitigation capability of a plant, the evaluation should be consistent with guidance contained in Refs. (3) and (12). The requirements contained in these documents are considered applicable to the mitigation evaluation required by the Integrated Assessment if a PRA-based evaluation of mitigation capability is used. [#exceptions and qualifications to be added as appropriate]

If modifications to the plant are proposed, the effectiveness of the modification on plant mitigation capability should be evaluated as described above.

Figure 4: Margins-based mitigation evaluation procedure flowchart

(Flowchart image not reproduced. Its boxes, as numbered in the figure, are listed below; boxes 9 and 10 are yes/no decisions.)

1) Select a flood parameter scenario
2) Select a credible flood protection failure mode(s)
3) Specify direct consequences of flood protection failure mode(s)
4) Specify equipment affected by direct consequences
5) Define plant conditions
6) Plant systems models
7) Compute CCDP
8) Compute CLERP
9) All credible flood protection failure modes evaluated for the flood parameter scenario?
10) All flood parameter scenarios evaluated?
11) Mitigation capability evaluation complete

Figure 5: Scenario-based mitigation evaluation procedure flowchart

(Flowchart image not reproduced. Its boxes, as numbered in the figure, are listed below; boxes 8 and 9 are yes/no decisions.)

1) Select a flood parameter scenario
2) Select a credible flood protection failure mode(s)
3) Specify direct consequences of flood protection failure mode(s)
4) Specify site conditions and equipment affected by direct consequences
5) Define key safety functions that must be maintained
6) Identify available equipment
7) Evaluate capability to maintain key safety functions using available equipment
8) All credible flood protection failure modes evaluated for the flood parameter scenario?
9) All flood parameter scenarios evaluated?
10) Mitigation capability evaluation complete

APPENDIX C: Evaluation of operator manual actions

This appendix provides guidance on evaluating operator manual actions associated with flooding based on concepts and approaches used in human reliability analysis (HRA). This appendix is not intended to provide prescriptive guidance on the performance of HRA. Instead, this appendix is intended to provide qualitative points of consideration and guidance on using existing HRA concepts and approaches in the context of flooding to evaluate whether operator manual actions are feasible and reliable.¹⁶ Much of this appendix is based on the adaptation of existing guidance related to the evaluation of operator manual actions in response to fire (Refs. (5) and (13)). Thus, in addition to the primarily qualitative considerations described in this Appendix, guidance documents related to the evaluation of operator manual actions for fire provide a valuable resource when evaluating operator manual actions as part of the Integrated Assessment. In addition, general guidance on the application of HRA may also be applicable. For example, while Ref. (14) is developed for HRAs associated with full-power and internal events applications, the document states that most of the guidance should be useful for other applications (e.g., external events and other operating modes) (Ref. (14), p. 2-1). While this appendix provides points of consideration for applying existing HRA concepts and approaches to flooding, this appendix is not a comprehensive guide for evaluation of the feasibility and reliability of operator manual actions and considerations beyond those provided here are appropriate.

C.1 Overview

If a flood protection system or mitigation action requires operator manual actions, the Integrated Assessment should evaluate whether operator manual actions are feasible and reliable. Consistent with the definitions provided in Ref. (5) and Section 2 of this ISG, an action is considered feasible if it is analyzed and demonstrated as being able to be performed within an available time so as to avoid a defined undesirable outcome.

Reasonable simulation¹⁷ performed as part of the NTTF Recommendation 2.3 walkdowns (see Section 1.2) may provide useful information for assessing whether an action is feasible.

A feasible action that is analyzed and demonstrated as being dependably repeatable within an available time (while considering varying conditions that could affect the available time and/or the time required to perform the action) is considered reliable. All reliable actions need to be feasible, but not all feasible actions will be reliable (Ref. (5)). Determination of whether an action is feasible and reliable should account for the following factors:

• adequacy of available time
• accessibility
• environmental factors
• the functionality, availability, and accessibility of required equipment
• the availability of indications or cues
• communications
• the availability and quality of procedures and training
• available personnel (staffing)

Each of the above factors is further described in the subsequent sections of this Appendix.

16 See Section 2 for definitions of feasible and reliable actions.

17 See definition in Section 2.

C.2 Adequacy of available time

An important component of establishing whether an operator manual action is feasible involves determination of whether the time available to complete the action exceeds the time required to perform the action. For each operator manual action, the analysis should show that there is adequate time to diagnose, perform, and confirm actions before an undesired consequence occurs. This evaluation includes three key elements:

1) estimation of the time available to perform the manual action
2) estimation of the time required to diagnose the need for action and to implement the action
3) comparison of the times in (1) and (2) above along with appropriate justification for any conclusions

If an action requires more time to diagnose, perform, and confirm than is available, the action is considered infeasible.

To establish whether an action is reliable, it is necessary to consider the uncertainties associated with the time available and the time required to diagnose and execute the required action. Uncertainties are particularly important when there is a small difference between the time available and time required to perform actions. In the context of flooding, potential uncertainties include:

• variations in plant state and concurrent environmental conditions (e.g., adverse weather, hazards to personnel)
• unexpected difficulties encountered by operators (e.g., inundated rooms, locked doors, loss of lighting, communication failures, and underwater hazards)
• factors that cannot be re-created as part of a demonstration (e.g., reasonable simulation performed as part of the NTTF Recommendation 2.3 walkdowns, see Section 1.2) such as the presence of floodwater on site and stress placed on operators due to the site conditions or concurrent offsite events (e.g., effect of a large flood event on the homes and families of operators)
• obstructions to movement of personnel or resources on site due to floodwaters and associated effects (including adverse weather)
• actions that cannot be practiced or demonstrated due to normal plant status, physical limitations (e.g., it is not possible to simulate actual flood waters on site), or other safety considerations
• variations between individuals and crews, including differences in size and strength, cognitive differences, different emotional responses to water or adverse weather conditions, differences in performance under pressure, and differences in crew characteristics or dynamics
• failure of communication mechanisms (e.g., failure to receive timely notification of an imminent dam failure)

C.3 Accessibility

Actions that must be performed in inundated areas, or that require personnel to travel through inundated areas, should be considered infeasible unless it can be shown that elevated pathways or other means are available to enable movement through the inundated areas and significant hazards to personnel (e.g., electrical hazards due to presence of water or low temperatures) are not present. This criterion is particularly important when evaluating protection or mitigation actions that must be performed after the onset of flood conditions.

Potential uncertainties in accessibility should be considered when evaluating whether an operator manual action is reliable.

C.4 Environmental factors

Environmental conditions may affect an operator's physical or mental performance. As a result, the capability of the operator to perform the required actions may be degraded or precluded by environmental factors. Environmental conditions associated with flood events include:

• adverse weather (e.g., lightning, hail, wind, precipitation)
• temperatures (e.g., air and water temperatures, particularly if personnel must enter water)
• conditions hazardous to the health and safety of personnel (e.g., electrical hazards, hazards beneath the water surface, drowning)
• lighting
• humidity
• radiation
• noise

C.5 Equipment

Equipment necessary to facilitate performance of operator manual actions should be functional, available, and accessible when required. The availability of special equipment required for the performance of protective or mitigative actions should be considered.

In crediting the availability of equipment for use by operators, the following criteria should be considered:

• Equipment should not be damaged or otherwise adversely affected by the flood event (e.g., due to direct inundation, humidity, hydrodynamic forces, or debris) or adverse environmental conditions (see Section C.4).
• Equipment should not be located in an area exposed to the flood (including any associated effects), unless there is strong justification for the continued functionality of the equipment.
• All needs of the equipment should be met, including supporting electrical power, cooling, and ventilation.
• Equipment should be easily located and all operator aids should be readily available.
• Physical access and manipulation constraints should be considered in evaluating whether equipment is available for use.
• Operators should have experience using the equipment.

No credit for operator manual actions should be given if equipment is not functional, available, and accessible to operators. The operators should be able to find and reach the equipment and should be able to perform the required actions using the equipment.

Therefore, if any of the above criteria are not met, the associated operator manual actions should be considered infeasible.

In evaluating whether operator manual actions are feasible and reliable, consideration should be given to special and portable equipment that may be required to facilitate performance of required actions. Special equipment may include keys to open locked doors (doors may fail closed in the event of a loss of power), ladders, and special purpose tools (e.g., equipment required to fill sandbags, portable generators, tools to manipulate equipment manually) and equipment necessary to cope with environmental conditions (e.g., flashlights and protective equipment such as personal floatation devices). Equipment should be easily located and readily available so as not to impede or delay the performance of required actions. Equipment should be controlled and routinely verified. Personnel should be trained to locate and use the required equipment. Any delays associated with acquisition and use of portable equipment should be considered.

C.6 Indications and cues

Indications or cues provide the following functions:

1) enable operators to determine that manual actions are required or appropriate
2) direct or guide personnel performing actions
3) provide feedback to operators

In the context of flooding, indications should be available to provide notification that a flood event is imminent if operator actions are required to provide protection against the flood event. Examples of indications include river forecasts, dam condition reports, and river gauges. Durable agreements should be in place if indications rely on offsite entities to provide notification of an impending flood event. If durable agreements are not in place to ensure communication from offsite entities and the plant does not have independent capability to obtain the same information onsite, any operator manual action initiated by the indication should be considered infeasible. In assessing the reliability of operator manual actions, consideration should be given to the quality of the agreements in place between offsite entities and operators at the nuclear power plant site as well as the potential for the communication mechanisms to fail.

In the context of mitigation actions, indications should be available to alert operators to the failure of flood protection features and presence of water in locations that are intended to be kept dry or otherwise protected from flood effects. For cases in which indications are not available, the evaluation can consider compensatory measures (e.g., local operator observations). Evaluations of adequacy of time should account for the frequency of manual checks in the absence of continuous monitoring. If cues or indications are not available to operators, the mitigation actions should be considered infeasible.

C.7 Communications

Equipment (e.g., two-way radios) may be required to support communication between personnel to ensure the proper performance of manual actions (e.g., to support the performance of sequential actions and to verify procedural steps). Due to the substantial amount of warning that may be present for some flood mechanisms, efficiency of communication may be less important when evaluating the feasibility and reliability of operator manual actions associated with preemptive protective measures. However, mitigation may require actions for which the time available to diagnose, perform, and confirm actions is short. Communications methods should be checked to ensure prevailing conditions do not challenge their effectiveness. Consideration should be given to whether personnel are trained to ensure effective communication and coordination during a flood event.

C.8 Procedures and training

In evaluating the feasibility of an operator manual action, the quality of procedures should be assessed based on their ability to accomplish the following objectives:

• Assist operators in correctly diagnosing an impending flood event (i.e., flood height and associated effects) or the compromise of a flood protection feature
• Identify the appropriate preventative (or mitigation) actions
• Account for prevailing current conditions, if applicable (e.g., high wind or lightning that makes it difficult for personnel to work outdoors)

Except under special circumstances involving skill-of-the-craft,¹⁸ operator manual actions that are not associated with procedures should be considered infeasible. Written and maintained plant procedures must be available to cover all credited manual actions. Even if procedures are available, actions should be considered infeasible if the associated procedures do not meet the above objectives.

If credit is taken for operator manual actions, personnel performing required actions should have been trained in their individual responsibilities. In evaluating the effectiveness of training on improving the reliability of operator manual actions, the following factors should be considered:

• Operator training should establish familiarity with procedures and required actions including operation of equipment (including special purpose equipment).
• Training should engender operator familiarity with potential adverse conditions arising from a flood event (e.g., dangerous weather).
• Training should prepare operators to handle departure from the expected sequence of events.
• Training should provide the opportunity to practice operator response (e.g., construction of barriers using special equipment).

C.9 Staffing

In assessing the feasibility and reliability of an operator manual action, the persons involved in performing the operator manual action should be qualified. The feasibility assessment should consider the availability of a sufficient number of trained personnel without collateral duties during a flood event such that the required operator action can be completed as needed.

Required staff may be normally onsite or available from offsite, if sufficient warning time is available and the flood event does not inhibit access to the site. Consideration should be given to whether task assignments (or task loads) subject one or more operators to excessive physical or mental stress or if concurrent tasks challenge the ability of the person to perform as required. If there are insufficient qualified staff members to complete the required actions (considering actions that must be performed concurrently), the action should be considered infeasible. In evaluating the reliability of an operator manual action, uncertainties in the number of staff onsite (or that can be brought in from offsite) should be considered.

C.10 Documentation

[#text under development]

18 #definition to be added

APPENDIX D: Peer Review

An independent peer review is an important element of the Integrated Assessment. The peer review increases confidence and assurance that the results of the Integrated Assessment are reliable and provide a sound basis for regulatory decisions. Additional details about the peer review attributes, team composition, and documentation are provided below.

D.1 Peer review attributes

Peer review should include the following attributes:

The peer review should be a participatory peer review, as opposed to a late-stage review.

Peer reviewers on various technical elements should have the opportunity to interact with each other when performing the reviews. The peer review should be conducted as a team for critical items, including evaluation of the reliability of: (1) operator manual actions, (2) temporary protective measures, and (3) non-safety-related equipment used for event mitigation.

In conducting the peer review, particular attention should be paid to justifications for use of models or methods that are novel or not consistent with current practice.

D.2 Peer review team

The peer review team should be assembled based on the following considerations:

Peer reviewers should be independent of those who are performing the Integrated Assessment. At least one reviewer should be external to the licensee's organization.

[#number of people in team?]

The peer review team should cover areas of expertise important to the Integrated Assessment. The peer review team members should have combined experience in the areas of systems engineering, flood hazard assessment, flood protection engineering (e.g., structural and geotechnical engineering), human reliability analysis (if used), and application of PRA methodologies.

Reviewers focusing on the evaluation of flood protection features should have demonstrated experience consistent with the types of flood protection utilized at the site.

o At sites utilizing permanent flood protection barriers, the peer reviewer(s) should have demonstrated experience in flood walkdowns as well as structural and geotechnical engineering.

o At sites utilizing temporary protective measures, reviewers should have demonstrated experience constructing or inspecting temporary barriers.

o At sites relying significantly on operator manual actions, reviewers should have experience in human reliability analysis for the assessment of operator manual actions. Individuals with experience assessing operator manual actions (e.g., for fire, as described in Ref. (15)) should be considered when assembling the peer review team at sites relying on operator manual actions to protect against or mitigate a flood event.

D.3 Peer review documentation

The peer review process should be clearly documented in the Integrated Assessment report. Documentation in the Integrated Assessment report should include the following:

• a description of the peer review process
• the names and qualifications of the peer review team members, including the areas reviewed by each participant
• a discussion of the key findings and a discussion as to how the findings were addressed
• information regarding the disposition of comments made by peer reviewers
• a review of the final Integrated Assessment report
• the conclusions of the peer review

APPENDIX E: Examples

[#text under development]