ML12314A172
| ML12314A172 | |
|---|---|
| Issue date: | 11/07/2012 |
| From: | Geoffrey Miller, Containment and Balance of Plant Branch |
| To: | Jeffrey Riley, Nuclear Energy Institute |
| Miller G, NRR/JLD 301-415-2481 | |
| Shared Package: | ML12300A315 |
| References: | JLD-ISG-2012-05 |
From: Miller, Ed
To: "RILEY, Jim"
Subject: Files from Nov 7 2012 Public Meeting
Date: Wednesday, November 07, 2012 4:37:00 PM
Attachments: IntegratedAssessmentISG_Attachment_2012_11_07_DraftForUseAtMeeting.docx; IntegratedAssessmentISG_FrontMatter_2012_11_07_DraftForUseAtMeetingx.docx

Jim,

Attached are the two files that we displayed on the screen during the public webinar today. Please let me know if you have any questions. Thanks.

Ed Miller
415-2481
September 20, 2012 ML12235A319 JAPAN LESSONS-LEARNED PROJECT DIRECTORATE JLD-ISG-2012-05 Guidance for Performing the Integrated Assessment for Flooding DRAFT Interim Staff Guidance Revision 0 (Draft Issue for use at Nov 7 2012 Public Meeting)
DRAFT INTERIM STAFF GUIDANCE
JAPAN LESSONS-LEARNED PROJECT DIRECTORATE
GUIDANCE FOR PERFORMING THE INTEGRATED ASSESSMENT FOR EXTERNAL FLOODING
JLD-ISG-12-05

PURPOSE
This interim staff guidance is being issued to describe to stakeholders methods acceptable to the staff of the U.S. Nuclear Regulatory Commission (NRC) for performing the Integrated Assessment for external flooding as described in NRC's March 12, 2012 request for information (Ref. (1)) issued pursuant to Title 10, Code of Federal Regulations, Part 50, Section 54 (10 CFR 50.54) regarding Recommendation 2.1 of the enclosure to SECY-11-0093, "Recommendations for Enhancing Reactor Safety in the 21st Century, the Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident" (Ref. (2)).
Among other actions, the March 12, 2012 letter requests that respondents reevaluate flood hazards at each site and compare the reevaluated hazard to the current design basis at the site for each flood mechanism. Addressees are requested to perform an Integrated Assessment if the current design basis flood hazard does not bound the reevaluated flood hazard for all mechanisms. This ISG will assist operating power reactor respondents and holders of construction permits under 10 CFR Part 50 with performance of the Integrated Assessment. The guidance provided in this ISG describes methods for use in performing the Integrated Assessment requested in Enclosure 2 of the March 12, 2012 letter. This guidance is not intended for use in design basis applications or in regulatory activities beyond the scope of performing the Integrated Assessment.
BACKGROUND
Following the events at the Fukushima Dai-ichi nuclear power plant, the NRC established a senior-level agency task force referred to as the Near-Term Task Force (NTTF). The NTTF conducted a systematic and methodical review of the NRC regulations and processes and determined if the agency should make additional improvements to these programs in light of the events at Fukushima Dai-ichi. As a result of this review, the NTTF developed a comprehensive set of recommendations, documented in the enclosure to SECY-11-0093 (Ref. (2)). These recommendations were enhanced by the NRC staff following interactions with stakeholders. Documentation of the NRC staff's efforts is contained in SECY-11-0124, "Recommended Actions to Be Taken without Delay from the Near-Term Task Force Report," dated September 9, 2011 (Ref. (3)), and SECY-11-0137, "Prioritization of Recommended Actions To Be Taken in Response to Fukushima Lessons Learned," dated October 3, 2011 (Ref. (4)).
As directed by the staff requirements memorandum for the enclosure to SECY-11-0093 (Ref. (2)), the NRC staff reviewed the NTTF recommendations within the context of the NRC's existing regulatory framework and considered the various regulatory vehicles available to the NRC to implement the recommendations. SECY-11-0124 and SECY-11-0137 established the staff's prioritization of the recommendations based upon the potential safety enhancements.
As part of the staff requirements memorandum for SECY-11-0124, dated October 18, 2011 (Ref. (3)), the Commission approved the staff's proposed actions, including the development of three information requests under 10 CFR 50.54(f). The information collected would be used to support the NRC staff's evaluation of whether further regulatory action should be pursued in the areas of seismic and flooding design, and emergency preparedness.
In addition to Commission direction, the Consolidated Appropriations Act, Public Law 112-074, was signed into law on December 23, 2011. Section 402 of the law requires a reevaluation of licensees' design basis for external hazards.
In response to the aforementioned Commission and Congressional direction, the NRC issued a request for information to all power reactor licensees and holders of construction permits under 10 CFR Part 50 on March 12, 2012 (Ref. (1)). The March 12, 2012 50.54(f) letter includes a request that respondents reevaluate flooding hazards at nuclear power plant sites using updated flooding hazard information and present-day regulatory guidance and methodologies. The letter also requests the comparison of the reevaluated hazard to the current design basis at the site for each potential flood mechanism. If the reevaluated flood hazard at a site is not bounded by the current design basis, respondents are requested to perform an Integrated Assessment. The Integrated Assessment will evaluate the total plant response to the flood hazard, considering multiple and diverse capabilities such as physical barriers, temporary protective measures, and operational procedures. The NRC staff will review the responses to this request for information and determine whether regulatory actions are necessary to provide additional protection against flooding.
RATIONALE
On March 12, 2012, NRC issued a request for information to all power reactor licensees and holders of construction permits under 10 CFR Part 50. The request was issued in accordance with the provisions of Sections 161.c, 103.b, and 182.a of the Atomic Energy Act of 1954, as amended (the Act), and NRC regulation in Title 10 of the Code of Federal Regulations, Part 50, Paragraph 50.54(f). Pursuant to these provisions of the Act or this regulation, respondents were required to provide information to enable the staff to determine whether a nuclear plant license should be modified, suspended, or revoked.
The information request directed respondents to submit an approach for developing an Integrated Assessment Report including criteria for identifying vulnerabilities. This ISG describes an approach for developing the Integrated Assessment Report that is acceptable to the staff.
APPLICABILITY
This ISG shall be implemented on the day following its approval. It shall remain in effect until it has been superseded or withdrawn.

PROPOSED GUIDANCE
This ISG is applicable to holders of operating power reactor licenses and construction permits under 10 CFR Part 50 from whom an Integrated Assessment is requested (i.e., sites for which the current design basis flood hazard does not bound the reevaluated hazard for all potential flood mechanisms). For combined license holders under 10 CFR Part 52, the issues in NTTF Recommendation 2.1 and 2.3 regarding seismic and flooding reevaluations and walkdowns are resolved and thus this ISG is not applicable.

IMPLEMENTATION
Except in those cases in which a licensee or construction permit holder under 10 CFR Part 50 proposes an acceptable alternative method for performing the Integrated Assessment, the NRC staff will use the methods described in this ISG to evaluate the results of the Integrated Assessment.

BACKFITTING DISCUSSION
Licensees and construction permit holders under 10 CFR Part 50 may use the guidance in this document to perform the Integrated Assessment. Accordingly, the NRC staff issuance of this ISG is not considered backfitting, as defined in 10 CFR 50.109(a)(1), nor is it deemed to be in conflict with any of the issue finality provisions in 10 CFR Part 52.

FINAL RESOLUTION
The contents of this ISG, or a portion thereof, may subsequently be incorporated into other guidance documents, as appropriate.

ENCLOSURE
1. Guidance for Performance of Integrated Assessment

REFERENCES
1. U.S. Nuclear Regulatory Commission. Request for information pursuant to Title 10 of the Code of Federal Regulations 50.54(f) regarding Recommendations 2.1, 2.3, and 9.3, of the Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident. March 12, 2012. ADAMS Accession No. ML12053A340.
2. "Recommendations for Enhancing Reactor Safety in the 21st Century, The Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident," Enclosure to SECY-11-0093. July 12, 2011. ADAMS Accession No. ML111861807.
3. "Recommended Actions To Be Taken Without Delay From the Near Term Task Force Report," SECY-11-0124. September 9, 2011. ADAMS Accession No. ML11245A158.
4. "Prioritization of Recommended Actions to Be Taken in Response to Fukushima Lessons Learned," SECY-11-0137. October 2011. ADAMS Accession No. ML11272A111.
DRAFT
[Preliminary/partial revisions - Draft for use at public meeting Nov. 7, 2012]
GUIDANCE FOR PERFORMANCE OF INTEGRATED ASSESSMENT

1. Introduction
  1.1 Integrated Assessment concept
  1.2 Scope of Integrated Assessment
2. Background
  2.1 Actions and information requested
  2.2 NTTF Recommendation 2.3 flood walkdowns
  2.3 NTTF Recommendation 2.1 flood hazard reevaluations
3. Framework of Integrated Assessment
  3.1 Integrated Assessment process
  3.2 Key assumptions
    3.2.1 Use of available resources for protection and mitigation
    3.2.2 Modes of operation and concurrent conditions
    3.2.3 Flood frequencies
    3.2.4 Human Performance
4. Peer review
5. Hazard definition
  5.1 Identification of applicable flood mechanisms and plant conditions
  5.2 Identification of controlling flood parameters
  5.3 Collection of critical plant elevations and protection of equipment
6. Evaluation of effectiveness of flood protection
  6.1 Process overview
  6.2 Performance criteria
  6.3 Justification of flood protection performance
7. Evaluation of mitigation capability
  7.1 Process Overview
  7.2 Scenario-based evaluation of mitigation capability
  7.3 Margins-type evaluation of mitigation capability
  7.4 Use of PRA to evaluate total plant response, including mitigation capability
8. Documentation
9. Terms and definitions
10. Figures
11. References
APPENDIX A: Evaluation of flood protection
  A.1 Individual flood protection features
    A.1.1 Exterior and incorporated flood protection features
      A.1.1.1 Earthen Embankments (earth dams, levees and dikes)
      A.1.1.2 Floodwalls
      A.1.1.3 Seawalls
      A.1.1.4 Concrete barriers
      A.1.1.5 Plugs and penetration seals
      A.1.1.6 Storm drainage systems
    A.1.2 Active features
    A.1.3 Temporary features
    A.1.4 Equipment necessary to perform human actions
  A.2 Flood protection systems
APPENDIX B: Peer Review
  B.1 Peer reviewer attributes
  B.2 Peer review attributes
  B.3 Peer review documentation
  C.1 Overview
    C.1.1 Purpose and Scope
    C.1.2 Organization of the Appendix
  C.2 Identify and Define the Human Actions
  C.3 Evaluate human action feasibility
    C.3.1 Timing analysis
      C.3.1.1 Timing elements
      C.3.1.2 Calculate Time Margin
    C.3.2 Performance shaping factors
      C.3.2.1 Cues and indications
      C.3.2.2 Complexity of the required action
      C.3.2.3 Special equipment
      C.3.2.4 Human-system interfaces
      C.3.2.5 Procedures
      C.3.2.6 Training and experience
      C.3.2.7 Workload, pressure and stress
      C.3.2.8 Environmental factors
      C.3.2.9 Special fitness issues
      C.3.2.10 Staffing
      C.3.2.11 Communications
      C.3.2.12 Accessibility
      C.3.2.13 Scenario-specific PSFs
  C.4 Evaluate manual action reliability
  C.5 Adjustments
  C.6 Documentation
APPENDIX D: Existing references and resources
  D.1 Evaluations performed under the NRC Significance Determination Process
  D.2 Evaluations performed under Task Action Plan A-45
  D.3 NUREG/CR-5042, Evaluation of External Hazards to Nuclear Power Plant in the United States
  D.4 Individual Plant Examination of External Events (IPEEE) Program
1. Introduction
The objective of this document is to provide guidance for performance of the Integrated Assessment. Based on the results of the site-specific flood hazard assessments, the Integrated Assessment evaluates the total plant response to external flood hazards, considering both the protection and mitigation capabilities of the plant. The purpose of the Integrated Assessment is to: (1) evaluate the effectiveness of the current licensing basis, (2) identify plant-specific vulnerabilities, and (3) assess the effectiveness of existing or planned plant systems and procedures in protecting against flood conditions and mitigating consequences for the entire duration of a flooding event.
In general, the types and attributes of flood protection features used at nuclear power plants are diverse due to differences in factors such as: hazard characteristics (e.g., flood mechanisms, flood durations, and debris quantity), site topography and surrounding environment, and other site-specific considerations (e.g., available warning time). As a result, this guidance must be capable of accommodating the unique environments and characteristics of nuclear power plant sites while ensuring that the information gathered as part of the NRC's March 12, 2012 50.54(f) letter provides a sufficient technical basis to determine if any additional regulatory actions are necessary to protect against external flood hazards.
Recommendation 2.1 of the NTTF is being implemented in two phases. In Phase 1 licensees and construction permit holders will reevaluate the flooding hazard(s) at each site using present-day regulatory guidance and methodologies. If the reevaluated hazard is not bounded by the design basis flood at the site, licensees and construction permit holders are also requested to perform an Integrated Assessment for external flooding. Phase 2 uses the Phase 1 results to determine whether additional regulatory actions are necessary (e.g., update the licensing basis and SSCs important to safety).
1.1 Integrated Assessment concept
Figure 1 provides a conceptual illustration of the Integrated Assessment process. The outcomes of the hazard reviews performed under the Near-Term Task Force (NTTF) Recommendation 2.1 flood hazard reevaluations[1] provide input into the Integrated Assessment process. Upon entry into the Integrated Assessment process, licensees should evaluate the capability of flood protection systems to meet their intended safety functions under the reevaluated hazard. If the site flood protection can be shown to be reliable and have margin, the licensee should proceed to documentation and justification of results. If site flood protection cannot be shown to be reliable and have margin, licensees should evaluate the plant's ability to maintain key safety functions during a flood in the event that one or more flood protection systems are compromised and unable to perform their intended functions. In the Integrated Assessment, this step of the process is referred to as an evaluation of mitigation capability and strategies. Upon evaluation of the mitigation capability of the plant, the process proceeds to documentation and justification of results.

[1] See Section 2.3 for additional details on the NTTF Recommendation 2.1 hazard reevaluations and the relationship to the Integrated Assessment.
In lieu of flood protection, some sites may allow water to enter buildings (or other areas housing structures, systems, or components that are important to safety) by procedure or design. If the presence of water in these locations may adversely affect structures, systems, or components that are important to safety, then the Integrated Assessment process should proceed directly into the evaluation of the mitigation capability of the plant. This is represented by the large arrow on the rightmost side of Figure 1.
Additional details on the Integrated Assessment process are provided in subsequent sections of this document.
1.2 Scope of Integrated Assessment
In accordance with the March 12, 2012 letter, the scope of the Integrated Assessment includes full-power operations and other plant configurations that could be susceptible to damage due to the status of the flood protection features. The scope also includes flood-induced loss of an ultimate heat sink (UHS) water source (e.g., due to failure of a downstream dam) that could be caused by the flood conditions. (The loss of the UHS from causes other than flooding, such as seismic failure, is not included.) The March 12, 2012 50.54(f) letter also requests that the Integrated Assessment address the entire duration of the flood conditions.
2. Background
2.1 Actions and information requested
For the sites where the reevaluated flood is not bounded by the current design basis for all flood-causing mechanisms, the March 12, 2012 letter requests that licensees and construction permit holders perform an Integrated Assessment of the plant to identify vulnerabilities and actions to address them. This ISG provides guidance on methods the NRC considers acceptable for performing the Integrated Assessment as requested by the March 12, 2012 50.54(f) letter.
Consistent with the March 12, 2012 letter (Enclosure 2, p. 8-9), licensees and construction permit holders are requested to provide the following as part of the Integrated Assessment report:
a) Description of the integrated procedure used to evaluate integrity of the plant for the entire duration of flood conditions at the site.
b) Results of the plant evaluations describing the controlling flood mechanisms and its effects, and how the available or planned measures will provide effective protection and mitigation. Discuss whether there is margin beyond the postulated scenarios.
c) Description of any additional protection and/or mitigation features that were installed or are planned, including those installed during course of reevaluating the hazard. The description should include the specific features and their functions.
d) Identify other actions that have been taken or are planned to address plant-specific vulnerabilities.
This ISG provides guidance on methods considered acceptable to NRC for performing the Integrated Assessment as requested by the March 12, 2012 50.54(f) letter.
2.2 NTTF Recommendation 2.3 flood walkdowns
As part of the 50.54(f) letter issued by the NRC on March 12, 2012, licensees were requested to perform flood protection walkdowns to verify that plant features credited in the current licensing basis for protection and mitigation from external flood events are available, functional, and properly maintained. These walkdowns are interim actions to be performed while the longer-term hazard reevaluations and Integrated Assessments are performed.
NRC and NEI worked collaboratively to develop guidelines for performing the walkdowns, resulting in NEI 12-07, "Guidelines for Performing Verification Walkdowns of Plant Flood Protection Features" (Ref. (1)), which NRC endorsed on May 31, 2012 (Ref. (2)).
As part of the walkdowns, licensees and construction permit holders will verify that permanent structures, systems, and components (SSC) as well as temporary or portable flood protection and mitigation equipment will perform their intended safety functions as credited in the current licensing basis. Verification activities will ensure that changes to the plant (e.g., security barrier installations and topography changes) do not adversely affect flood protection and mitigation equipment. In addition, the walkdown will verify that procedures needed to install and operate equipment needed for flood protection or mitigation can be performed as credited in the current licensing basis. The walkdown will also verify that the execution of procedures will not be impeded by adverse weather conditions that could be reasonably expected to simultaneously occur with a flood event. As part of the walkdowns, observations of potential deficiencies, as well as observations of flood protection features with small margin and potentially significant safety consequences if lost, will be entered into the licensee's corrective action program.
It is anticipated that the walkdowns will be a valuable source of information that will be useful during the performance of the Integrated Assessment. In particular, the walkdowns will provide information on available physical margin (APM) under the current design basis hazard, the condition of flood protection features, the feasibility of procedures, SSCs that are subjected to flooding, and the potential availability of systems to mitigate flood events.
However, it is emphasized that the walkdowns are performed to the current licensing basis. The reevaluated flood hazards performed under Recommendation 2.1 (see Section 2.3) may be associated with higher water surface elevations and different associated effects when compared to the current licensing basis. Therefore, some of the information from the walkdowns may not be directly applicable as part of the Integrated Assessment. It is expected that any additional information related to the impact of the flooding hazard reassessment will be considered as part of the Integrated Assessment, and that this information would be available to effectively consider the flood protection capabilities in light of potential additional flooding impacts to the site (i.e., higher elevations, accessibility issues) that may not have been fully considered during the implementation of Recommendation 2.3 walkdown.
2.3 NTTF Recommendation 2.1 flood hazard reevaluations
NRC's March 12, 2012 50.54(f) letter requests that licensees and construction permit holders reevaluate all appropriate external flooding sources, including the effects from local intense precipitation on the site, probable maximum flood (PMF) on stream and rivers, storm surges, seiche, tsunami, and dam failures. It is requested that the reevaluation apply present-day regulatory guidance and methodologies used for early site permit (ESP) and combined license (COL) reviews including current techniques, software, and methods used in present-day standard engineering practice.
For the sites where the reevaluated flood is not bounded by the current design basis hazard for all flood mechanisms applicable to the site, licensees and construction permit holders are requested to submit an interim action plan with the hazard report that documents actions planned or taken to address the reevaluated hazard. Subsequently, licensees and construction permit holders are also asked to perform an Integrated Assessment. In light of the reevaluated hazard, the Integrated Assessment will evaluate the effectiveness of the current licensing basis (i.e., flood protection and mitigation systems), identify plant-specific vulnerabilities, and assess the effectiveness of existing or planned systems and procedures for protecting against and mitigating the effects of the reevaluated hazard for the entire duration of the flood event.
DRAFT
[Preliminary/partial revisions - Draft for use at public meeting Nov. 7, 2012]
Page 7
3. Framework of Integrated Assessment
3.1 Integrated Assessment process
The Integrated Assessment is intended to identify site-specific vulnerabilities and provide other important insights.2 As described above, the Integrated Assessment is based on a graded approach to ensure the assessment performed is appropriate for the unique characteristics of a given site. Depending on site characteristics, the graded approach supports assessments ranging from engineering evaluations of individual flood protection features to evaluations based on PRA-techniques3 (e.g., system logic models and risk-insights). The Integrated Assessment process consists of up to five possible steps, depending on site characteristics:
1. definition of peer review scope and assembly of a peer review team
2. determination of controlling flood parameters
3. evaluation of flood protection systems (if applicable4)
4. evaluation of mitigation capability (if appropriate)
5. documentation of results
The Integrated Assessment process is illustrated by the flowchart in Figure 2 and described below.
The first step of the Integrated Assessment process involves assembly of a participatory peer review team. Section 4 and Appendix B provide additional details on the peer review and composition of the peer review team.
The second step in the Integrated Assessment process involves determination of the flood scenario parameters that should be considered based on the results produced as part of the NTTF Recommendation 2.1 flood hazard reevaluations (represented by box 2 in Figure 2).
Section 5 provides additional guidance on determining the flood scenario parameters that should be considered as part of the Integrated Assessment.
Box 3 of Figure 2 represents a decision point. If a site has flood protection to prevent the entry of water into buildings or other areas containing SSCs that are important to safety, the process proceeds to Step 3, which involves an evaluation of the effectiveness of the flood protection system at the site. Section 6 provides additional guidance on the evaluation of flood protection. Conversely, if a site allows water to enter buildings or other areas with SSCs that are important to safety (by procedure or design) with potential effects on those SSCs, the Integrated Assessment process skips Step 3 and proceeds directly to Step 4.
Step 4 involves the evaluation of the capability of the plant to maintain key safety functions5 during a flood event.
2 It is expected that the Integrated Assessment will yield insights related to available margin, defense-in-depth, and cliff-edge effects.
3 This guide describes the use of PRA-techniques; however, the approaches described in this document are not intended to be compliant with guidance provided in Ref. (8).
4 Some sites may have little or no flood protection, in which case a flood protection evaluation would not be applicable.
5 See Section 9 for definition of key safety functions.
Following the performance of the flood protection evaluation (Step 3), there is another decision point, as shown by Box 5 of Figure 2. If the on-site flood protection is reliable and has margin, the Integrated Assessment process proceeds directly to Step 5 (documentation of results). However, if the on-site flood protection cannot be shown to be reliable and have margin, the process proceeds to Step 4 and the capability of the plant to mitigate a loss of one or more flood protection systems by maintaining key safety functions is evaluated (represented by box 6 in Figure 2). Section 7 provides additional information on evaluating the capability of a plant to mitigate the loss of one or more flood protection systems. Section 8 provides guidance on documentation of results.
3.2 Key assumptions
The following subsections provide information on key assumptions applicable to the Integrated Assessment.
3.2.1 Use of available resources for protection and mitigation
The Integrated Assessment evaluates the current licensing basis protection and mitigation capability of plants in response to the reevaluated flood hazards as well as additional in-place or planned resources. In assessing the protection and mitigation capability of a plant, credit can be taken for all available resources (onsite and offsite) as well as the use of systems, equipment, and personnel in non-traditional ways. Temporary protection and mitigation measures as well as non-safety related SSCs can also be credited with sufficient technical bases. In crediting use of systems, equipment, and personnel in non-traditional ways, non-safety related SSCs, temporary mitigation and protection features, or similar resources, the Integrated Assessment should account for the potentially reduced reliability of such resources relative to permanent, safety-related equipment (Ref. (3)). Moreover, if credit is taken for these resources, the licensee or construction permit holder should justify that the resources will be available and functional when required for the flood event duration.6
The assessment should consider the time required to acquire these resources and place them in service. Sections 6 and 7 provide guidance on evaluation of flood protection and mitigation capability.
3.2.2 Modes of operation and concurrent conditions
As described in Section 1.2, the scope of the Integrated Assessment includes full power operations and other plant configurations that could be susceptible due to the status of the flood protection features. The Integrated Assessment should evaluate the effectiveness of flood protection and mitigation capability of the plant for the mode(s) of operation that the plant will be in for the entire flood event duration. The Integrated Assessment should describe the expected total plant response under other modes of operation, including a discussion of controls (e.g., programmatic controls) that are in place in the event that a flood occurs during any of these modes (e.g., during refueling). The Integrated Assessment should also consider whether specific vulnerabilities may arise during modes of operation or configurations other than the normal full-power configuration (e.g., conditions where flood protection features may be bypassed or defeated for maintenance or refueling activities).
6 See Section 9 for definition of flood event duration and Figure 3 for an illustration of flood event duration.
Finally, the Integrated Assessment should consider concurrent plant conditions, including adverse weather that could reasonably be expected to simultaneously occur with an external flood event7 as well as equipment that may be directly affected by the flood event (e.g., loss of the switchyard due to inundation).
3.2.3 Flood frequencies
For most flood mechanisms, widely accepted and well-established methodologies are not available to assign initiating event frequencies to severe floods using probabilistic flood hazard assessment (Ref. (4)). For this reason, the Integrated Assessment does not require the computation of initiating flood-hazard frequencies. It is not acceptable to use initiating event frequencies to screen out flood events in lieu of evaluation of flood protection features at the site. However, if desired and given appropriate justification, the use of flood event frequency is deemed acceptable for use as part of a PRA.
3.2.4 Human Performance
Human performance takes on added importance during flooding events compared to normal operations. Establishment of flood protection features may rely heavily on manual actions (e.g., constructing sandbag barriers, deploying and operating portable pumps, or relocating equipment). Significant manual actions may also be associated with mitigation actions, including actions that may leverage equipment, personnel, or other resources in non-traditional ways. In addition, the operating crew's ability to monitor and control the plant to ensure that key safety functions are maintained may be challenged by failed or degraded instrumentation and controls in the main control room (MCR) as well as system and equipment unavailabilities. Access to and the functionality of local or remote control stations may also be compromised. Personnel workload may be increased with the addition of responsibilities to oversee and manage flood response activities.
7 Ref. (37) provides guidance on combined events that should be considered as part of the Integrated Assessment. As part of the Recommendation 2.1 hazard reevaluations (see Section 2.3), Ref. (37) should have been used in establishing the combined events applicable to a site.
4. Peer review
An independent peer review is an important element of ensuring technical adequacy. The technical adequacy of the Integrated Assessment is measured in terms of the appropriateness with respect to scope, level of detail, methodologies employed, and plant representation, which should be consistent with this guidance and commensurate with the site-specific hazard and inherent flood protection reliability. The licensee's Integrated Assessment submittal should discuss measures used to ensure technical adequacy, including documentation of peer review. Appendix B provides additional details on peer review for the Integrated Assessment.
5. Hazard definition
5.1 Identification of applicable flood mechanisms and plant conditions
The hazard reevaluations performed under Recommendation 2.1 (see Section 2.3) identify the external flood mechanisms applicable to a site. Before performing the Integrated Assessment, the flood height and associated effects8 for all applicable flood mechanisms from the hazard review should be collected or reviewed for use in the Integrated Assessment. In addition, for each flood mechanism, the following information should be collected for use in the Integrated Assessment9:
- the expected plant mode(s) during the flood event duration
- available instrumentation and communication mechanisms associated with each flood mechanism, if applicable (e.g., river forecasts, dam condition reports, river gauges)
- the availability of and access to onsite and offsite resources (including personnel) and consumables (e.g., fuel)
- accessibility considerations to/from and around the site that may impact protective and mitigating actions
- effect of flood conditions on the availability of the UHS
5.2 Identification of controlling flood parameters
The flood parameters considered as part of the Integrated Assessment for a plant are based on the Recommendation 2.1 hazard reevaluations (see Section 2.3). Flood hazards do not need to be considered individually as part of the Integrated Assessment. Instead, the Integrated Assessment should be performed for a set(s) of flood scenario parameters defined based on the results of the Recommendation 2.1 hazard reevaluations.
The flood scenario parameters that should be defined and considered as part of the Integrated Assessment include:
- flood height and associated effects10
- flood event duration, including warning time and intermediate water surface elevations that trigger actions by plant personnel
- plant mode(s) of operation during the flood event duration
In some cases, there is one controlling flood hazard for a site. In this case, the flood scenario parameters should be defined based on this controlling flood hazard. However, at some sites, due to the diversity of flood hazards to which the site is exposed, it may be necessary to define multiple sets of flood scenario parameters to capture the different plant effects from the diverse flood parameters associated with applicable hazards. In addition, sites may use different flood protection systems to protect against or mitigate different flood hazards. In such instances, the Integrated Assessment should define multiple sets of flood scenario parameters.
8 See Section 9 for definition of flood height and associated effects.
9 This information may be available, in part, from the Recommendation 2.3 walkdown report or licensee walkdown records (see Section 2).
10 See definition of flood height and associated effects in Section 9.
If appropriate, instead of considering multiple sets of flood scenario parameters as part of the Integrated Assessment, it is acceptable to develop an enveloping scenario (e.g., the maximum water surface elevation and inundation duration with the minimum warning time generated from different hazard scenarios). For simplicity, these flood parameters may be combined to generate a single bounding set of flood scenario parameters for use in the Integrated Assessment.
5.3 Collection of critical plant elevations and protection of equipment
To facilitate the performance of the Integrated Assessment the following information should be collected or otherwise understood:
- the critical elevations11 of plant equipment that is important to safety and the safety functions affected when the critical elevation of the equipment is reached
- the flood protection features or systems used to protect each piece or group of critical plant equipment (e.g., a site levee, a category 1 wall and flood doors, or a sandbag barrier) and any procedures required to install, construct, or otherwise implement the flood protection
- the manner by which the equipment could be subjected to flooding (e.g., site inundation, building leakage)
- potential pathways for ingress of water (e.g., through conduits or ducts)
11 See Section 9 for definition of critical elevations.
6. Evaluation of effectiveness of flood protection
As part of the Integrated Assessment, an evaluation should be performed of the capability of the site flood protection to protect SSCs important to safety from flood height and associated effects for each set of flood scenario parameters.
Site flood protection may include incorporated, exterior, and temporary features with passive and active functions credited to protect against the effects of external floods. In addition to physical barriers, flood protection may involve a variety of manual actions performed by personnel. These manual actions may be associated with installation of features (e.g., floodgates, portable panels, placement of portable pumps in service), construction of barriers (e.g., sandbag barriers), and other actions.
6.1 Process overview
An acceptable process to evaluate flood protection is illustrated by the flowchart in Figure 4.
The evaluation begins by selecting a set of flood scenario parameters for evaluation. Next, a flood protection system12 is selected for evaluation. An evaluation is then performed of the selected flood protection system under the flood scenario parameters. The type of methodology considered appropriate for evaluating a flood protection system is based on the types of flood protection features employed in the flood protection system. The flood protection evaluation should assess the performance of the flood protection at both the feature and system levels. Additional information on the evaluation of flood protection is provided in Sections 6.2 and 6.3 as well as Appendix A.
If it can be shown that the flood protection can reliably accommodate the flood scenario parameters with margin (Figure 4, box 4) based on available performance criteria (see Section 6.2) or quantification of flood protection reliability, then the integrity of the system is documented and justified (box 5) and the evaluation is repeated for the next flood protection system. Conversely, if the flood protection system is not able to reliably accommodate the flood scenario parameters with margin, and modifications will not be made (box 6), the credible failure modes and vulnerabilities should be documented along with the direct consequences (e.g., inundation of a room) of each failure mode and vulnerability. The analysis is then repeated for the next flood protection system. If modifications to the flood protection system are in-place or planned (box 6), the modified flood protection system should be defined (box 7) and the evaluation repeated for the modified flood protection system.
12 Section 9 defines the term flood protection system. A site may have multiple and diverse flood protection systems. For example, a site may be protected by a levee around the entire site as well as incorporated barriers at the structure/environment interface for each individual building. The site levee would constitute one flood protection system while a set of barriers that protects an individual building, which can be isolated from other buildings (either through separation by location or flood protection features), would comprise a separate flood protection system.
6.2 Performance criteria
To provide confidence in the reliability and margin of flood protection, considering both qualitative and quantitative performance criteria, the flood protection evaluation should do the following:
- provide an understanding of potential failure modes of the flood protection system, including consideration of potential ingress pathways for floodwaters (e.g., through conduits or ducts)
- demonstrate the soundness of the individual features comprising the flood protection system under the loads (i.e., flood height and associated effects) due to the flood scenario parameters and confirm that the features are:
  - in satisfactory condition
  - higher than the reevaluated flood height
  - structurally adequate based on quantitative engineering evaluations
- compare the performance, characteristics, and configuration of the flood protection feature(s) against appropriate, present-day design codes and standards (including Standard Review Plan Sections 3.4.1 and 3.4.2, Refs. (5) and (6)) to determine that the feature(s) conforms to good practices and is sufficiently robust (e.g., demonstrates an appropriate factor of safety)
- perform qualitative assessment of operational requirements such as surveillance, inspection, design control, maintenance, procurement, and testing
- include sensitivity studies, if there is uncertainty about the construction or characteristics of a flood protection feature or system (e.g., uncertainty about the parameters of concrete used in construction of a concrete wall)
- ensure capacity of pumping or drainage systems is sufficient to handle any inflow through flood protection features for the entire flood event duration
- quantify the reliability of the active features, other than flood doors and hatches,13 based on operating experience and other available data or information using traditional PRA or statistical techniques
- evaluate the feasibility and reliability of necessary manual actions (including construction, installation, or other actions) through comparison against criteria described in Appendix C as well as the continued ability of the operating crew to monitor and control the plant to maintain key safety functions
- demonstrate necessary consumables are available and will remain accessible for the entire flood event duration
- demonstrate temporary features can be moved to the location where needed and installed
- evaluate the flood protection system as a whole
Additional information on the evaluation of individual flood protection features (including feature-specific performance criteria) is provided in Section A.1 of Appendix A. Guidance on the evaluation of a flood protection system as a whole is provided in Section A.2 of Appendix A.
Probabilistic evaluation of the fragility of exterior and incorporated features under the flood scenario parameters is also acceptable, given adequate justification.
6.3 Justification of flood protection performance
If, based on the flood protection evaluation, a flood protection system is deemed capable of withstanding the flood height and associated effects for a set of flood scenario parameters, the Integrated Assessment should justify this conclusion. In addition, the limiting margin associated with the flood protection system as well as the margin associated with individual flood protection features should be identified.
13 Flood doors and hatches should be evaluated as described in Appendix A.
Margin should be characterized with respect to physical barrier dimensions,14 structural or other performance capacity, as well as time and staffing associated with performance of manual actions to establish flood protection systems. Demonstration of the aforementioned items requires an understanding of the capability of flood protection systems for a range of flood heights and associated effects (including reasonable variation in warning time and flood event duration). Physical margin and structural capacity can be demonstrated by increasing the flood elevation (while accounting for associated effects) and showing the elevation beyond which the system is no longer capable of reliably performing its intended function.
The Integrated Assessment should identify any flood protection features or systems that are unable to reliably accommodate the flood height and associated effects for a set of flood scenario parameters with margin. Any flood protection feature or system determined not to be capable of performing its intended safety function under the reevaluated hazard should be documented as a vulnerability (see Section 8) for all susceptible plant configurations. In addition, if a flood protection feature or system is not able to accommodate the flood scenario parameters, the flood protection evaluation should determine at what flood height and under what associated effects the flood protection feature or system is able to reliably accommodate a flood. If modifications are proposed to address vulnerabilities, improve margin, or otherwise improve the effectiveness of site flood protection, the Integrated Assessment should justify that the modified flood protection is reliable and has margin through comparison against established performance criteria or quantification of reliability (as appropriate).
14 Margin with respect to physical barrier dimensions is analogous to the concept of available physical margin (APM) defined under the NTTF Recommendation 2.3 flood walkdowns (see Ref. (1)). However, APM was computed as part of the NTTF Recommendation 2.3 flood walkdowns with respect to the current licensing basis flood protection height. In the context of the Integrated Assessment, margin with respect to physical barriers is defined with respect to the reevaluated hazard (including flood height and associated effects).
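The enveloping scenario of Section 5.2 and the physical and structural margin demonstration of Section 6.3, worked through as an added sketch (not part of the NRC guidance). All names, the 0.25 ft step, the site values and the reduction of associated effects to a single wave runup allowance are constructed assumptions; margin in time and staffing for manual actions is not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScenarioParams:
    name: str
    flood_height_ft: float   # stillwater surface elevation
    wave_runup_ft: float     # associated effect, simplified to one allowance
    duration_hr: float       # inundation duration
    warning_time_hr: float

@dataclass(frozen=True)
class Feature:
    name: str
    top_elev_ft: float          # physical barrier height
    structural_limit_ft: float  # highest water elevation shown structurally adequate

def envelope(scenarios):
    """Bounding set: maximum elevation, effects and duration, minimum warning time."""
    return ScenarioParams(
        name="bounding",
        flood_height_ft=max(s.flood_height_ft for s in scenarios),
        wave_runup_ft=max(s.wave_runup_ft for s in scenarios),
        duration_hr=max(s.duration_hr for s in scenarios),
        warning_time_hr=min(s.warning_time_hr for s in scenarios),
    )

def holds(feature, stillwater_ft, runup_ft):
    """Assumed performance criterion: water plus runup stays at or below both
    the barrier top and the structurally evaluated elevation."""
    effective = stillwater_ft + runup_ft
    return effective <= min(feature.top_elev_ft, feature.structural_limit_ft)

def capacity_elevation(feature, runup_ft, start_ft, stop_ft, step_ft=0.25):
    """Raise the flood elevation from start_ft and return the last elevation at
    which the feature still holds (None if it already fails at start_ft)."""
    last_ok = None
    for i in range(int((stop_ft - start_ft) / step_ft) + 1):
        elev = start_ft + i * step_ft
        if not holds(feature, elev, runup_ft):
            break
        last_ok = elev
    return last_ok

def assess(features, scenario, grade_ft, ceiling_ft):
    """Margin per feature relative to the reevaluated flood height, the limiting
    (system-level) margin, and the features to document as vulnerabilities."""
    margins = {}
    for f in features:
        cap = capacity_elevation(f, scenario.wave_runup_ft, grade_ft, ceiling_ft)
        margins[f.name] = (float("-inf") if cap is None
                           else cap - scenario.flood_height_ft)
    return {
        "margins_ft": margins,
        "limiting_margin_ft": min(margins.values()),
        "vulnerabilities": [n for n, m in margins.items() if m < 0],
    }

# Constructed sample site (illustrative values only, not from any hazard report).
SCENARIOS = [
    ScenarioParams("river PMF", 610.0, 1.0, 96.0, 48.0),
    ScenarioParams("dam failure", 611.5, 0.5, 30.0, 6.0),
    ScenarioParams("local intense precipitation", 608.0, 0.0, 8.0, 1.0),
]
FEATURES = [
    Feature("site levee", 615.0, 614.0),
    Feature("flood door", 613.0, 616.0),
    Feature("sandbag barrier", 612.0, 612.0),
]

if __name__ == "__main__":
    bounding = envelope(SCENARIOS)
    print(bounding)
    print(assess(FEATURES, bounding, grade_ft=605.0, ceiling_ft=620.0))
```

A negative margin marks a feature that cannot accommodate the bounding scenario; its capacity elevation is the flood height it can still accommodate under the assumed runup.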
7. Evaluation of mitigation capability
Mitigation capability refers to the capability of the plant to maintain key safety functions15 in the event that a flood protection system(s) fails or a site does not have flood protection under the flood scenario parameters. An evaluation of mitigation capability is required for sites that have not demonstrated that the flood protection systems are reliable and have margin. Mitigation capability should be evaluated for credible flood protection failure modes, including concurrent failures, identified based on the evaluation described in Section 6. For each scenario involving the compromise of flood protection under the flood scenario parameters, the mitigation capability of the plant should be evaluated for the entire flood event duration considering all available resources.
In addition, as described in Section 3.1, sites that allow water to enter buildings or other areas with SSCs important to safety by procedure or design (and resulting in the potential compromise of those SSCs) should evaluate mitigation capability.
7.1 Process Overview
The mitigation capability of a plant may be demonstrated using one of three potential methods, depending on site characteristics and information needed for decisions:
- scenario-based evaluation
- margins-type evaluation
- full PRA
The scenario-based evaluation is a systematic, rigorous, and conservative, though primarily qualitative, evaluation used to demonstrate that there is high confidence that key safety functions can be maintained. A margins-type evaluation is quantitative and uses conditional core damage probability (CCDP) and conditional large early release probability (CLERP) as figures of merit. The margins-type assessment will be more conservative and will typically utilize logic models that are simpler than models utilized as part of a full PRA. The full PRA evaluation utilizes a conventional PRA based approach to evaluate the mitigation capability of the plant. Each of these methods is further described below.
A margins-type evaluation and full PRA are acceptable for evaluating mitigation capability at all sites. However, licensees may opt to perform a scenario-based evaluation or use a scenario-based evaluation as a starting point before proceeding to a margins-type evaluation or full PRA. When using a scenario-based evaluation to assess mitigation capability, the licensee is responsible for justifying that the scenario-based evaluation provides sufficient detail and supporting information (e.g., captures dependencies, interactions, and total flood impact) to demonstrate that there is high confidence that key safety functions can be maintained. For example, if the logic structure developed under a scenario-based evaluation becomes too complex, it would become apparent that a scenario-based evaluation is not capable of reaching a justifiable conclusion and a margins-type or full PRA would be required. As another example, if the use of conservative, deterministic engineering evaluations, logic structures, and conservative performance criteria using a scenario-based approach do not demonstrate that there is high confidence that key safety functions can be maintained, the licensee may choose to make modifications (e.g., to the plant or procedures) or proceed to an evaluation of mitigation capability using a margins-type evaluation. The margins-type evaluation can account for more complicated interactions and dependencies. In addition, the margins-type evaluation quantitatively evaluates the reliability of manual actions and active components. If greater detail is required than is possible in a margins-type evaluation, an external flood PRA is appropriate.
15 See Section 9 for definition of key safety functions.
7.2 Scenario-based evaluation of mitigation capability
The scenario-based evaluation is used to demonstrate that there is high confidence that key safety functions can be maintained using qualitative and quantitative information and insights. While the scenario-based evaluation does not require the computation of risk-based metrics (e.g., conditional core damage probability and conditional large early release probability), it should use a systematic, rigorous, and conservative approach to demonstrate that key safety functions can be maintained with high confidence under the flood scenario parameters. A scenario-based evaluation must include the following key elements:
- a detailed description of the scenario and its key components
- description of the mitigating strategies
- timeline showing necessary manual actions
- evaluation of the reliability of active components
- evaluation of manual actions
- development of logic structures (i.e., event and fault trees) that include each SSC that must change state and each manual action, to capture dependencies between SSCs as well as manual actions
- conclusion of the overall reliability of mitigation strategies
Additional details on these key elements are provided below.
Figure 5 provides a flowchart depicting the process for a scenario-based evaluation of mitigation capability. The evaluation begins by defining the scenario to be evaluated (boxes 1-4 of Figure 5), which consists of specifying:
- the flood scenario parameters
- the credible flood protection failure mode(s)16
- all direct consequences of flood protection failure (e.g., particular rooms inundated)
- the plant conditions (e.g., identification of whether onsite and offsite power are available) and all equipment affected by the consequences of flood protection failure
Typically, inundation of equipment will cause failure. However, associated flood effects (e.g., debris, dynamic loads) may also adversely affect equipment and should be considered. The scenario-based evaluation should concurrently consider all failures of flood protection features and equipment that could result from the flood scenario parameters.
16 Credible failure modes of flood protection systems for a given set of flood scenario parameters are identified as part of the evaluation of flood protection systems (see Section 6 and Appendix A). Concurrent failures of multiple flood protection systems (along with associated consequences) should be considered if the flood scenario parameters could adversely affect multiple flood protection systems.
Once the scenario has been defined, the following steps should be performed:
- the key safety functions that must be maintained are defined (Figure 5, box 5)
- equipment available for use in maintaining key safety functions (Figure 5, box 6) is specified, including a detailed description of the mitigating strategy(ies)
- an evaluation of mitigation capability using available resources (Figure 5, box 7) should demonstrate whether there is high confidence that key safety functions can be maintained, as described below
In demonstrating that there is high confidence that key safety functions can be maintained, the evaluation should:
- demonstrate that any credited equipment will be functional, available, and accessible when needed (e.g., is located above the flood elevation or protected by flood protection that is reliable and has margin), throughout the entire flood event duration, and can be deployed when necessary (see Section A.1.2 of Appendix A)
- justify the reliability of active components using operational data, performance criteria (e.g., see Table A 1), and based on consideration of operational requirements (e.g., performance of surveillance, testing intervals) and incorporation of equipment in plant programs (e.g., whether the component is included in the maintenance rule or subject to 10 CFR Appendix B to Part 50)
- if information is available, quantitatively evaluate and document the reliability of active components (e.g., mean time to failure) based on operating experience, testing, and other available information using traditional PRA or statistical techniques
- evaluate the feasibility and reliability of credited manual actions using Appendix C
- qualitatively assess operational requirements such as surveillance, inspection, design control, maintenance, procurement, and testing (e.g., whether or not equipment is included in the maintenance rule)
- demonstrate that all credited equipment and features (e.g., engineered structures, pumps, and other components) are capable of performing their design function and have appropriate factors of safety
- demonstrate sufficient consumables (e.g., fuel) on site and their continued accessibility
- demonstrate and document redundancy and diversity in mitigating strategies
- consider other quantitative and qualitative attributes that provide confidence in the reliability of equipment, availability of resources, and feasibility and reliability of any credited actions
To capture interactions, dependencies, and overall flooding impact, the scenario-based evaluation should be structured and documented using logic tools (i.e., event trees and fault trees) and timelines. The following provides guidance on development of logic models and timelines:
Logic structures should be developed in sufficient detail to demonstrate that there is high confidence that key safety functions can be maintained.
The scenario-based evaluation should be conservative and simplifications made in logic models should result in bounding analyses.
Diversity, redundancy, and other considerations that support the robustness of mitigating strategies (e.g., robustness against single failures) provide increased confidence that key safety functions can be maintained.
Failure branches of event trees should be shown but need not be fully developed if not required to justify the conclusions of the assessment.
Timelines should illustrate all required actions and capture dependencies such as actions that must be performed in series or in parallel and actions that depend on the availability of resources or site access.
If it can be demonstrated that there is high confidence that key safety functions can be maintained, the results must be documented and justified. If the evaluation cannot demonstrate with high confidence that key safety functions can be maintained, then either (1) a scenario-based evaluation is not sufficient and a margins-type evaluation or PRA is necessary, or (2) modifications should be made to the plant to improve mitigation capability such that there is high confidence that key safety functions can be maintained.
The evaluation should be repeated until all flood protection failure modes and sets of flood scenario parameters have been evaluated (as directed by boxes 11 and 12 of Figure 5).
7.3 Margins-type evaluation of mitigation capability
The margins-type assessment evaluates mitigation capability given set(s) of flood scenario parameters and credible flood protection failure(s).[17] Figure 6 illustrates the margins-type method for the evaluation of mitigation capability. Like the scenario-based mitigation evaluation, the margins-type mitigation evaluation begins by specifying:
- the flood scenario parameters
- the credible flood protection failure mode(s)[18]
- all direct consequences of flood protection failure (e.g., particular rooms inundated)
- the plant conditions (e.g., identification of whether onsite and offsite power are available) and all equipment affected by the consequences of flood protection failure
Typically, inundation of equipment will cause failure. However, associated flood effects (e.g., debris, dynamic loads) may also adversely affect equipment and should be considered.
[17] The margins-type assessment should be performed assuming the failure of flood protection. However, it is acceptable to include additional sensitivity studies in which the probability of flood protection failure is considered, if justified by data or other engineering evaluations. If the margins-type evaluation is performed assuming bounding flood protection failure modes, sensitivity studies should include the failure probability of the bounding failure modes as well as lesser failure modes that are more likely.
[18] Credible failure modes of flood protection systems for a given set of flood scenario parameters are identified as part of the evaluation of flood protection systems (see Section 6). Concurrent failures of multiple flood protection systems (along with associated consequences) should be considered if the flood scenario parameters could adversely affect multiple flood protection systems. Because the margins-type assessment is performed assuming the failure of flood protection, it is acceptable to consider bounding failure modes (i.e., extreme failure modes that bound lesser failure modes) if the associated mitigation strategies are the same and the effects of timing or other key features of the mitigation strategy are similar.
Once the plant conditions have been specified along with equipment affected by the flood protection failure, plant system models[19] should be updated, enhanced, or developed to reflect the current plant state and available equipment. In updating system models, the evaluation should:
- consider equipment failures caused directly by the flood event as well as all random failures of remaining plant equipment (e.g., failure to start, failure to run)
- quantitatively evaluate the reliability of active components based on operating experience, testing, and other available information using traditional PRA techniques[20]
- quantify the reliability of credited human actions using human factors engineering and human reliability concepts and approaches
In addition, for all credited resources and actions, the evaluation should:
- demonstrate that any credited equipment will be functional, available, and accessible (e.g., is located above the flood elevation or protected by flood protection that is reliable and has margin) when needed, throughout the entire flood event duration, and can be deployed when necessary (see Section A.1.2 of Appendix A)
- qualitatively assess operational requirements such as surveillance, inspection, design control, maintenance (e.g., document whether a component is covered by the Maintenance Rule, 10 CFR 50.65(b)), procurement, and testing
- demonstrate sufficient consumables (e.g., fuel) are on site and accessible
- consider other quantitative and qualitative attributes that provide confidence in the reliability of equipment, availability of resources, and feasibility and reliability of any credited actions
Given the updated system models, the CCDP and CLERP should be calculated using plant system models. The evaluation of mitigation capability should be repeated until all flood protection failure modes and sets of flood scenario parameters have been evaluated.
If modifications to the plant are proposed, the effectiveness of the modification on mitigation capability should be evaluated as described above.
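The quantification rules in Section 7.3 and footnote 20 (flood-caused failures, random failures of the remaining equipment, and no credit for an active component whose reliability cannot be quantified while it stays in the model) can be seen on a small fault tree. This is an added example, not part of the guidance: the tree, component names and probabilities are constructed, basic events are assumed independent, and the sensitivity value is an assumed number.

```python
"""Margins-type CCDP quantification on a small fault tree.

Added illustration: the tree, component names and probabilities are
constructed, and basic events are assumed independent.
"""
from itertools import product

# Constructed fault tree for loss of decay heat removal after a flood
# protection failure. A gate is (operator, children); a leaf is a basic event.
TREE = ("AND", [
    "motor_pump_fails",                       # train A, in the inundated room
    ("OR", ["diesel_pump_fails_to_start",     # train B
            "diesel_pump_fails_to_run",
            "suction_source_lost"]),
    ("OR", ["portable_pump_fails",            # train C, manually deployed
            "operator_fails_to_deploy",
            "suction_source_lost"]),          # shared with train B
])

FLOOD_FAILED = {"motor_pump_fails"}      # failed directly by the flood
UNQUANTIFIED = {"portable_pump_fails"}   # no reliability data available
RANDOM_FAILURE_P = {                     # constructed per-demand values
    "diesel_pump_fails_to_start": 0.02,
    "diesel_pump_fails_to_run": 0.05,
    "suction_source_lost": 0.001,
    "operator_fails_to_deploy": 0.1,
}


def basic_events(node):
    """Return the set of basic-event names under a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1]))


def occurs(node, state):
    """Evaluate a gate or leaf for one assignment of failed/working events."""
    if isinstance(node, str):
        return state[node]
    operator, children = node
    results = [occurs(child, state) for child in children]
    return all(results) if operator == "AND" else any(results)


def assign_probabilities(tree, credited=None):
    """Map every basic event to a failure probability.

    Flood-failed events get 1.0. Unquantified events stay in the model but
    get 1.0 (no credit) unless `credited` supplies a value for a sensitivity
    case. Anything else must have a quantified random failure probability.
    """
    credited = credited or {}
    probabilities = {}
    for event in basic_events(tree):
        if event in FLOOD_FAILED:
            probabilities[event] = 1.0
        elif event in UNQUANTIFIED:
            probabilities[event] = credited.get(event, 1.0)
        else:
            probabilities[event] = RANDOM_FAILURE_P[event]  # KeyError if missing
    return probabilities


def top_event_probability(tree, probabilities):
    """Exact top-event probability by enumerating basic-event states.

    Enumeration handles the suction source shared by trains B and C
    correctly; multiplying gate probabilities would treat it as two
    independent events.
    """
    events = sorted(basic_events(tree))
    total = 0.0
    for outcome in product((True, False), repeat=len(events)):
        weight = 1.0
        for event, failed in zip(events, outcome):
            p = probabilities[event]
            weight *= p if failed else 1.0 - p
        if weight > 0.0 and occurs(tree, dict(zip(events, outcome))):
            total += weight
    return total


def baseline_ccdp():
    """CCDP with no credit for the unquantified portable pump."""
    return top_event_probability(TREE, assign_probabilities(TREE))


def sensitivity_ccdp(portable_pump_failure_p=0.1):
    """Sensitivity case: credit the portable pump at an assumed value."""
    credited = {"portable_pump_fails": portable_pump_failure_p}
    return top_event_probability(TREE, assign_probabilities(TREE, credited))


if __name__ == "__main__":
    print(f"baseline CCDP    = {baseline_ccdp():.6f}")
    print(f"sensitivity CCDP = {sensitivity_ccdp():.6f}")
```

With the portable pump uncredited, train C contributes nothing and the result is the failure probability of train B alone; the sensitivity case shows how much the result would move if credit were later justified.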
7.4 Use of PRA to evaluate total plant response, including mitigation capability
If a PRA is used to assess total plant response, including the mitigation capability of a plant, the evaluation should be consistent with guidance contained in Section 8 of Ref. (7) as well as Ref. (8). However, it is noted that Section 8 of Ref. (7) establishes technical requirements when a reactor is at power. As part of the Integrated Assessment, it is necessary to consider mitigation capability during other modes of operation.
If modifications to the plant are proposed, the effectiveness of the modification on mitigation capability should be evaluated as described above.
[19] The internal events PRA model, with appropriate modifications, can be used to model plant systems. Basic failure events are added to the internal events PRA model for evaluating the mitigation capability of the plant during a flood event. Alternatively, it may be acceptable to develop a system model(s) specifically intended to compute CCDP and CLERP under the flood scenario parameters and flood protection failure mode(s) being analyzed rather than adapting the existing internal events PRA model. If such a model is developed, it should be consistent with the internal events systems model with respect to plant response.
[20] If the reliability of an active component cannot be quantified, CCDP and CLERP should be calculated without taking credit for the component. However, the component should be retained in the model. Qualitative arguments may be later used to provide justification for taking credit for the component.
- 8. Documentation
The Integrated Assessment submittal should provide the following (Ref. (9), Encl. 2, p. 8-9):
a) Description of the integrated procedure used to evaluate integrity of the plant for the entire duration of flood conditions at the site.
Describe the methodologies used to demonstrate the effectiveness of:
- flood protection features and systems
- mitigation strategies
Describe any plant system models, including modifications made to existing internal event model(s), for the evaluation of the plant's flood protection and mitigation capability
b) Results of the plant evaluations describing the controlling flood mechanisms and its effects, and how the available or planned measures will provide effective protection and mitigation. Discuss whether there is margin beyond the postulated scenarios.
Controlling Flood Mechanism(s)
Discuss the applicable flood mechanism(s) and the flood scenario parameters, including flood height and associated effects, evaluated as part of the Integrated Assessment
Discuss the site conditions during the entire flood event duration for each set of flood scenario parameters, including:
- the plant mode(s), including the duration of time the plant is expected to remain in each mode
- available water gauges, meteorological gauges, weather and tsunami forecasting tools, or similar instrumentation and communication mechanisms
- the availability of and access to onsite and offsite resources and consumables (e.g., diesel fuel)
- accessibility considerations to/from and around the site that may impact protective and mitigating actions (e.g., scaffolding)
- the condition and access to the ultimate heat sink
- availability of offsite power
- structures and systems important to safety affected by the flood scenario parameters
- availability of staff and accessibility to/from the site for staff augmentation
[Optional] If useful to aid understanding the scenario parameters, describe the conservatisms associated with the flooding analysis that led to the scenario parameters
Evaluation of Flood Protection
Describe all site flood protection system(s), including all manual actions necessary for the implementation of flood protection
Describe the number of staff necessary to implement flood protection procedures, any necessary qualifications/training, and the ability of off-site staff to return to the site under the anticipated conditions
Describe performance criteria used to evaluate flood protection, including any codes or standards used in the evaluation
Provide technical justification for assumptions (including failure modes considered) used to demonstrate the effectiveness of flood protection features.
For each set of flood scenario parameters and flood protection system, document the following:
- credible flood protection modes identified and justification for any flood protection modes deemed not credible
- the condition of flood protection features
- results of quantitative engineering evaluations
- results of comparisons against appropriate present-day codes and standards (including Standard Review Plan Sections 3.4.1 and 3.4.2, if applicable)
- description of operational requirements applicable to flood protection features (surveillance, inspection, design control, maintenance, procurement, and testing)
- the reliability of active features
- expected leakage through barriers
- justification of whether the capacity of pumping or drainage systems is sufficient to handle any inflow through flood protection features for the entire flood event duration
- results of evaluations of manual actions against the criteria contained in Appendix C, including a detailed description justifying whether all criteria are met to ensure manual actions are feasible and reliable
- whether necessary consumables are available and accessible for the entire flood event duration
- results of sensitivity studies, if appropriate
- results of system-level evaluations performed of flood protection systems, including justification
Provide a discussion of any defense-in-depth considerations that are maintained under each set of flood scenario parameters
Discuss any additional margin beyond the postulated scenarios for the flood protection system(s). Margin should be characterized with respect to physical barrier dimensions, structural and other performance capacity, and time and staffing associated with performance of manual actions.
If flood protection features are not shown to be reliable and have margin, document and describe at what flood height and under what associated effects, the flood protection feature or system is able to reliably accommodate a flood.
Evaluation of Mitigation Capability
Describe the equipment and manual actions, if applicable, associated with the mitigation capability of the plant
Describe the performance criteria used to evaluate the mitigation capability of the plant
Provide an evaluation (including sensitivity studies, if appropriate) regarding the effectiveness of the total mitigation capability
If a scenario-based evaluation of mitigation capability is used, document the following:
- scenarios evaluated, including:
  - the flood scenario parameters
  - the flood protection failure modes considered
  - all direct consequences of flood protection failure
  - plant conditions and all equipment affected by the consequences of flood protection failure
  - key safety functions that must be maintained
- demonstration that key safety functions can be maintained with high confidence under each scenario, including:
  - demonstration that any credited equipment will be functional, available, and accessible when needed, throughout the entire flood event duration, and can be deployed when necessary
  - the reliability of active components
  - results of evaluation of manual actions against the criteria contained in Appendix C, including a detailed description justifying whether all criteria are met (including time available and categorization of each PSF)
  - description of operational requirements applicable to mitigation equipment (surveillance, inspection, design control, maintenance, procurement, and testing)
  - demonstration of sufficient consumables on site and that consumables are accessible
  - other quantitative and qualitative attributes that provide confidence in the reliability of equipment, availability of resources, and feasibility and reliability of any credited manual actions
- document and describe logic structures and timelines developed to support the scenario-based evaluation
If a margins-based evaluation of mitigation capability is used, document the following:
- scenarios evaluated, including:
  - the flood scenario parameters
  - the flood protection failure modes considered
  - all direct consequences of flood protection failure
  - plant conditions and all equipment affected by the consequences of flood protection failure
- a summary of system models developed specifically for evaluation of mitigation capability or modifications made to existing PRA models
- justification for equipment, actions, and resources credited for mitigation, including:
  - the reliability of active components
  - results of evaluation of manual actions, including a detailed description of the method used to assess manual actions
  - demonstration that any credited equipment will be functional, available, and accessible when needed, throughout the entire flood event duration, and can be deployed when necessary
  - description of operational requirements applicable to mitigation equipment (surveillance, inspection, design control, maintenance, procurement, and testing)
  - demonstration of sufficient consumables on site and that consumables are accessible
  - other quantitative and qualitative attributes that provide confidence in the reliability of equipment, availability of resources, and feasibility and reliability of any credited manual actions
- CCDP and CLERP calculated for each scenario
- dominant sequences and contributors identified
If a PRA is performed, the analysis and results should be documented as described in Ref. (7), with appropriate additional considerations to account for all modes of operation considered as part of the Integrated Assessment
Provide a discussion of any defense-in-depth considerations that are maintained under each set of flood scenario parameters
Discuss any additional margin beyond the postulated scenarios for the mitigation capability of the plant. Margin should be characterized with respect to physical barrier dimensions, structural and other performance capacity, and time and staffing associated with performance of manual actions
Peer Review
Include the peer review documentation, as described in Section B.3 of Appendix B.
c) Description of any additional protection and/or mitigation features that were installed or are planned, including those installed during course of reevaluating the hazard. The description should include the specific features and their functions.
Describe any flood protection or mitigation capabilities discussed in item (b) above that are credited in the plant's current licensing basis but were modified during the course of the hazard reevaluation or Integrated Assessment. The description should include specific features and their functions.
Describe any flood protection or mitigation capabilities discussed in item (b) above that are not credited in the plant's current licensing basis. The description should include specific features and their functions.
Describe any flood protection or mitigation capabilities discussed in item (b) above that are planned and have not yet been installed. The description should include specific features and their functions.
Provide a timeline for completion of all planned actions credited as part of the Integrated Assessment.
Describe any interim actions that are in place until planned actions are completed.
d) Identify other actions that have been taken or are planned to address plant-specific vulnerabilities.
Describe any vulnerabilities (see definition in Section 9) identified during the review, including the key safety functions that may be affected
Describe any actions that have been taken to address these plant-specific vulnerabilities.
Separately, describe any actions that are planned to address these plant-specific vulnerabilities.
- 9. Terms and definitions
Active (flood protection) feature: Incorporated, exterior, or temporary flood protection features that require the change of state of a component in order to perform as intended.
Examples include sump pumps, portable pumps, isolation and check valves, flood detection (e.g., level switches), and flood doors (e.g., watertight doors).
Available Physical Margin (APM): The term available physical margin describes the flood margin available for applicable flood protection features at a site (not all flood protection features have APMs). The APM for each applicable flood protection feature is the difference between licensing basis flood protection height and the flood height at which water could affect an SSC important to safety. Determination of APM for local intense precipitation may not be possible. Additional details are provided in Section 3.13 of the flooding design basis walkdown guidance, NEI 12-07, Ref. (2).
Cliff-edge effect: An elevation at which safety consequences of a flood event may increase sharply with a small increase in the flood height and associated effects.
Critical elevation: The elevation at which a piece or group of equipment will fail to function, or a transient will be induced, due to flood height and associated effects.
Current Licensing Basis (CLB): As defined by 10 CFR 54.3, the current licensing basis is the set of NRC requirements applicable to a specific plant, plus a licensee's docketed and currently effective written commitments for ensuring compliance with, and operation within, applicable NRC requirements and the plant-specific design basis, including all modifications and additions to such commitments over the life of the facility operating license. It also includes the plant-specific design basis information, defined by 10 CFR 50.2, as documented in the most recent UFSAR as required by 10 CFR 50.71. The set of NRC requirements applicable to a specified plant CLB includes:
- NRC regulations in 10 CFR Parts 2, 19, 20, 21, 26, 30, 40, 50, 51, 54, 55, 70, 72, 73 and 100 and appendices thereto
- Commission Orders
- License Conditions
- Exemptions
- Technical Specifications
- Plant-Specific design basis information defined in 10 CFR 50.2 and documented in the most recent UFSAR (as required by 10 CFR 50.71)
- Licensee Commitments remaining in effect that were made in docketed licensing correspondence (such as licensee responses to NRC bulletins, License Event Reports, Generic Letters and Enforcement Actions)
- Licensee Commitments documented in NRC safety evaluations (Ref. (1))
Design bases: As defined by 10 CFR 50.2, the design bases are information that identifies the specific functions to be performed by a structure, system, or component of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. These values may be (1) restraints derived from generally accepted "state of the art" practices for achieving functional goals, or (2) requirements derived from analysis (based on calculation and/or experiments) of the effects of a postulated accident for which a structure, system, or component must meet its functional goals (Ref. (1)).
Event tree: A logic diagram that begins with an initiating event or condition and progresses through a series of branches that represent expected system or human performance that either succeeds or fails and arrives at either a successful or failed end state (Ref. (7)).
Exterior (flood protection) feature: Engineered passive or active flood protection feature that is external to the immediate plant area and credited to protect safety-related SSCs from inundation and static/dynamic effects of external floods. Examples include levees, dikes, floodwalls, flap gates, sluice gates, duckbill valves and pump stations (Ref. (1)).
Failure modes and effects analysis (FMEA): A process for identifying failure modes of specific components and evaluating their effects on other components, subsystems, and systems (Ref. (7)).
Fault tree: A deductive logic diagram that depicts how a particular undesired event can occur as a logical combination of other undesired events (Ref. (7)).
Feasible manual action: A manual action that is analyzed and demonstrated as being able to be performed within an available time to avoid a defined undesirable outcome. As compared to a reliable manual action (see definition), an action is considered feasible if it is shown that it is possible to be performed within the available time (considering relevant uncertainties in estimating the time available); but it does not necessarily demonstrate that the action is reliable. For instance, performing an action successfully one time out of three attempts within the available time shows that the action is feasible, but not necessarily reliable (Ref. (10)).
Flood event duration: The length of time in which the flood event affects the site, beginning with conditions being met for entry into a flood procedure or notification of an impending flood (e.g., a flood forecast or notification of dam failure), including preparation for the flood and the period of inundation, and ending when water has receded from the site and the plant has reached a safe and stable state that can be maintained indefinitely. Figure 3 provides an illustration of flood event duration.
Flood height and associated effects: Maximum stillwater surface elevation plus factors such as:
- wind waves and run-up effects
- hydrodynamic loading, including debris
- effects due to sediment deposition and erosion
- concurrent site conditions, including adverse weather conditions
- groundwater ingress
- other pertinent factors
Flood scenario parameters: A set(s) of flood parameters that should be considered as part of the Integrated Assessment (see Section 5.2 for additional details).
Flood protection feature: An individual incorporated, exterior or temporary structure, system, component (e.g., barrier), or associated procedure that protects safety-related SSCs against the effects of external floods, including flood height and associated effects.
Flood protection system: In the context of the Integrated Assessment, a flood protection system is a set of flood protection features that are intended to protect a specific SSC or group of SSCs (e.g., features used to protect the intake structure) or the entire plant (e.g., a levee around an entire site) and that are primarily separate and independent from the flood protection features used to protect other SSCs.
Human reliability analysis (HRA): A structured approach used to identify potential human failure events and to systematically estimate the probability of those events using data, models, or expert judgment (Ref. (7)). In the context of the Integrated Assessment, HRA approaches and concepts are used to evaluate whether manual actions are feasible and reliable (see Appendix C).
Incorporated (flood protection) feature: Engineered passive or active flood protection feature that is permanently installed in the plant to protect safety-related SSCs from inundation and static/dynamic effects of external flooding. Examples include pumps, seals, valves, gates, etc. that are permanently incorporated into a plant structure (Ref. (1)).
Important to safety: In accordance with Appendix A to Part 50, the phrase "structures, systems, and components (SSCs) important to safety" refers to SSCs that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public.
Key safety functions: The minimum set of safety functions that must be maintained to prevent core damage and large early release. These include reactivity control, reactor pressure control, reactor coolant inventory control, decay heat removal, and containment integrity in appropriate combinations to prevent core damage and large early release (Ref. (7)).
Mitigation capability: In the context of the Integrated Assessment, mitigation capability refers to the capability of the plant to maintain key safety functions in the event that a flood protection system(s) fails (or is otherwise not available).
Manual action (for flooding): Proceduralized activity carried out by plant personnel to prepare for or respond to an external flood event.
Passive (flood protection) feature: Incorporated, exterior, or temporary flood protection features that do not require the change of state of a component in order to perform as intended. Examples include dikes, berms, sumps, drains, basins, yard drainage systems, walls, removable wall and roof panels, floors, structures, penetration seals, temporary water tight barriers, barriers exterior to the immediate plant area that are under licensee control, and cork seals.
Performance criteria (for flood protection): In the context of the Integrated Assessment, performance criteria refer to criteria or standards that are used, in part, to demonstrate that a flood protection feature is reliable and has margin.
Performance shaping factor (PSF): A factor that influences human performance and human error probabilities (definition adapted from Ref. (11)). In the context of the Integrated Assessment for flooding, the following performance shaping factors are considered:
- indications or cues
- complexity
- special equipment
- human-system interface
- procedures
- training
- workload, pressure, and stress
- environmental factors
- special fitness issues
- staffing
- communications
- accessibility
- other scenario-specific performance shaping factors
Plant-specific vulnerability: As defined in Ref. (9), plant-specific vulnerabilities are those features important to safety that when subject to an increased demand due to the newly calculated hazard evaluation have not been shown to be capable of performing their intended safety functions.
Reasonable simulation: A walk-through of a procedure or activity to verify the procedure or activity can be executed as specified/written. This simulation requires verification that:
- 1) all resources needed to complete the actions will be available. (Note that staffing assumptions must be consistent with site access assumptions in emergency planning procedures.)
- 2) any credited time dependent activities can be completed in the time required considering the time required for detection, recognition and communication to initiate action for the applicable flood hazard.
- 3) specified equipment/tools are properly staged and in good working condition.
- 4) connection/installation points are accessible.
- 5) the execution of the activity will not be impeded by the event it is intended to mitigate or prevent (for example, access to the site and movement around it can be accomplished during the flood).
- 6) the execution of the activity will not be impeded by other adverse conditions that could reasonably be expected to occur simultaneously (Ref. (12)).
Reliable manual action: A feasible manual action that is analyzed and demonstrated as being dependably repeatable within an available time, so as to avoid a defined adverse consequence, while considering varying conditions that could affect the available time and/or the time to perform the action. As compared to an action that is only feasible (see definition), an action is considered to be reliable as well if it is shown that it can be dependably and repeatably performed within the available time, by different crews, under somewhat varying conditions that typify uncertainties in the available time and the time to perform the action, with a high success rate. All reliable actions need to be feasible, but not all feasible actions will be reliable (Ref. (10)).
Temporary (flood protection) feature: Passive or active flood protection feature within the immediate plant area that protects safety-related SSCs from inundation and static/dynamic effects of external flooding and is temporary in nature (i.e., they must be installed prior to the advent of the design basis external flood). Examples include portable pumps, sandbags, plastic sheeting, and portable panels (Ref. (1)).
Total plant response: The total plant response is the capability of the plant to (1) protect against flood events (considering diverse flood protection features) and (2) mitigate consequences, if the flood protection system is compromised (or otherwise not available), by maintaining key safety functions using all credited resources.
Variety of site conditions: The site conditions considered in the Integrated Assessment should be all modes of operation (e.g., full power operations, startup, shutdown, and refueling) and adverse weather conditions that could reasonably be expected to occur concurrent with a flood event.
Vulnerability: See definition for plant-specific vulnerability.
- 10. Figures
Figure 1: Conceptual illustration of Integrated Assessment process
[Figure not reproduced. Box labels: Hazard Evaluation; Evaluate Flood Protection; Evaluate Mitigation Strategies; Integrated Assessment Process Results. Flood protection outcomes shown: Protection systems reliably withstand the flood event with margin; or Some protection failures and any SSCs important to safety are compromised; or By procedure, flood waters allowed to enter buildings and any SSCs important to safety are compromised.]
Figure 2: Integrated Assessment process flowchart. [Figure not reproduced. Input: results of NTTF Recommendation 2.1 hazard reevaluations. Steps: Step 1: Define peer review scope and assemble participatory peer review team; Step 2: Identification of flood scenario parameters; Step 3: Evaluation of flood protection systems; Step 4: Evaluation of mitigation capability of plant; Step 5: Documentation of flood parameters, evaluations, results, and peer review. Decision points (yes/no): "Flood protection systems is reliable and has margin?"; "Water enters buildings by procedure or design and affects any SSCs important to safety?"]
Figure 3: Illustration of flood event duration. [Figure not reproduced. Events on the timeline: conditions are met for entry into flood procedures or notification of impending flood; arrival of flood waters on site; water begins to recede from site; water completely receded from site and plant in safe and stable state that can be maintained indefinitely. Labelled periods: flood event duration; site preparation for flood event; period of inundation; recession of water from site.]
Figure 4: Flood protection evaluation procedure flowchart. [Figure not reproduced. Numbered boxes: (1) Select a set of flood scenario parameters; (2) Select a flood protection system relied upon under flood scenario; (3) Evaluate flood protection system; (4) Flood protection system is reliable and has margin?; (5) Document and justify flood protection integrity; (6) Modification of flood protection system?; (7) Define modified flood protection system; (8) Document credible failure modes and vulnerabilities; (9) Document consequences of credible failure modes and vulnerabilities; (10) All flood protection systems evaluated under the flood scenario parameters?; (11) All sets of flood scenario parameters evaluated?; (12) Flood protection evaluation complete. Decision boxes have yes/no branches.]
Figure 5: Scenario-based mitigation evaluation flowchart. [Figure not reproduced. Numbered boxes: (1) Select a set of flood scenario parameters; (2) Select a credible flood protection failure mode(s); (3) Specify direct consequences of flood protection failure mode(s); (4) Specify plant conditions and equipment affected by direct consequences; (5) Define key safety functions that must be maintained; (6) Identify available equipment; (7) Evaluate capability to maintain key safety functions using available equipment; (8) High confidence that key safety functions maintained?; (9) Justify high confidence that key safety functions maintained; (10) All flood credible protection failure modes evaluated for the flood scenario parameters?; (11) All sets of flood scenario parameters evaluated?; (12) Evaluation complete; (13) Modification of plant to improve mitigation capability?; (14) Perform margins-type evaluation or full PRA. Decision boxes have yes/no branches.]
Figure 6: Margins-based mitigation evaluation flowchart. [Figure not reproduced. Numbered boxes: (1) Select a set of flood scenario parameters; (2) Select a credible flood protection failure mode(s); (3) Specify direct consequences of flood protection failure mode(s); (4) Specify equipment affected by direct consequences; (5) Define plant conditions; (6) Incorporate flood impacts and plant conditions in plant system models; (7) Compute CCDP; (8) Compute CLERP; (9) Modifications proposed?; (10) All flood credible protection failure modes evaluated for the flood scenario parameters?; (11) All sets of flood scenario parameters evaluated?; (12) Mitigation capability evaluation complete. Decision boxes have yes/no branches.]
- 11. References
- 1. Nuclear Energy Institute. "Guidelines for Performing Verification Walkdowns of Plant Flood Protection Features," NEI 12-07, Rev. 0-A. May 2012. ADAMS Accession No. ML12173A215.
- 2. U.S. Nuclear Regulatory Commission. Endorsement of Nuclear Energy Institute (NEI) 12-07, "Guidelines for Performing Verification Walkdowns of Plant Flood Protection Features". June 14, 2012. Agencywide Document Access and Management System (ADAMS) Accession No. ML12159A290.
- 3. U.S. Nuclear Regulatory Commission. "Proposed Orders and Requests For Information In Response To Lessons Learned From Japan's March 11, 2011, Great Tohoku Earthquake And Tsunami," SECY 0025. February 22, 2012. ADAMS Accession No. ML12039A103.
- 4. U.S. Nuclear Regulatory Commission. "Design-Basis Flood Estimation for Site Characterization at Nuclear Power Plants in the United States of America," NUREG/CR-7046. November 2011. ADAMS Accession No. ML11321A195.
- 5. U.S. Nuclear Regulatory Commission. "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition," NUREG-0800, Section 3.4.1: Internal Flood Protection for Onsite Equipment Failures, Rev. 3. March 2007.
- 6. U.S. Nuclear Regulatory Commission. "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition," NUREG-0800, Section 3.4.2: Analysis Procedures, Rev. 3. March 2007.
- 7. The American Society of Mechanical Engineers. Addenda to ASME/ANS RA-S-2008, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications. 2009. ASME/ANS RA-Sa-2009.
- 8. U.S. Nuclear Regulatory Commission. "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," Regulatory Guide 1.200, Rev. 2. March 2009. ADAMS Accession No. ML090410014.
- 9. U.S. Nuclear Regulatory Commission. Request for Information Pursuant to Title 10 of the Code of Federal Regulations 50.54(f) regarding Recommendations 2.1, 2.3, and 9.3, of the Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident. March 12, 2012. ADAMS Accession No. ML12053A340.
- 10. U.S. Nuclear Regulatory Commission. "Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire," NUREG-1852. October 2007.
- 11. U.S. Nuclear Regulatory Commission. "The SPAR-H Human Reliability Analysis Method," NUREG/CR 6883. August 2005.
- 12. Nuclear Energy Institute. "Guidelines for Performing Verification Walkdowns of Plant Flood Protection Features," NEI 12-07, Rev. 0-A. May 2012. ADAMS Accession No. ML12173A215.
- 13. U.S. Army Corps of Engineers. "Engineering and Design - Retaining and Flood Walls," EM 1110-2-2502. 1989.
- 14. U.S. Army Corps of Engineers. "Engineering and Design - Waterstops and Other Preformed Joint Materials for Civil Works Structures," EM 1110-2-2102. 1985.
- 15. U.S. Army Corps of Engineers. "Design of Sheet Pile Walls," EM 1110-2-2504. 1994.
- 16. U.S. Army Corps of Engineers. "Engineering and Design-Design of Coastal Revetments, Seawalls and Bulkheads," EM 1110-2-1614. 1995.
- 17. U.S. Army Corps of Engineers. "Coastal Engineering Manual-Part VI, Introduction to Coastal Project Element Design," EM 1110-2-1100. 2002.
- 18. U.S. Army Corps of Engineers. "Coastal Engineering Manual-Part V, Planning and design Process," EM-2-1100. 2002.
- 19. U.S. Nuclear Regulatory Commission. "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition," NUREG-0800, Section 2.4.2: Floods, Rev. 4.
- 20. U.S. Army Corps of Engineers, St. Paul District. Flood-Fight Handbook - Preparing for a Flood. 2009. http://www.mvp.usace.army.mil/docs/disaster_response/CEMVP_Flood-Fight_Handbook_2009.pdf.
- 21. U.S. Army Corps of Engineers. Sandbag Construction. http://www.mvp.usace.army.mil/docs/flood_fight2009/5Sandbag_Construction_2009_JR L.pdf.
- 22. U.S. Army Corps of Engineers. Laboratory Testing of Flood Fighting Products. Coastal and Hydraulics Laboratory. [Online] [Cited: August 23, 2012.] http://chl.erdc.usace.army.mil/chl.aspx?p=s&a=Projects;182.
- 23. U.S. Nuclear Regulatory Commission. "EPRI/NRC-RES Fire Human Reliability Analysis Guidelines," NUREG-1921. July 2012. ADAMS Accession No. ML12216A104.
- 24. U.S. Nuclear Regulatory Commission. "ATHEANA User's Guide," NUREG-1880. 2007.
- 25. U.S. Nuclear Regulatory Commission. "Human-System Interface Design Review Guidelines," NUREG-0700, Revision 2. 2002.
- 26. U.S. Nuclear Regulatory Commission. "The Impact of Environmental Conditions of Human Performance," NUREG/CR-5680. 1994.
- 27. U.S. Nuclear Regulatory Commission. Fort Calhoun Station - NRC Followup Inspection - Inspection Report NRC 05000285/2010007; Preliminary Substantial Finding. July 15, 2010. ADAMS Accession No. ML101970547.
- 28. U.S. Nuclear Regulatory Commission. "Shutdown Decay Heat Removal Analysis of a Babcock and Wilcox Pressurized Water Reactor," NUREG/CR-4713. March 1987.
- 29. U.S. Nuclear Regulatory Commission. "Shutdown Decay Heat Removal Analysis of a Westinghouse 2-Loop Pressurized Water Reactor," NUREG/CR-4458. March 1987.
- 30. U.S. Nuclear Regulatory Commission. "Shutdown Decay Heat Removal Analysis of a General Electric BWR3/Mark I," NUREG/CR-4448. March 1987.
- 31. U.S. Nuclear Regulatory Commission. "Shutdown Decay Heat Removal Analysis of a Combustion Engineering 2-Loop Pressurized Water Reactor," NUREG/CR-4710. August 1987.
- 32. U.S. Nuclear Regulatory Commission. "Shutdown Decay Heat Removal Analysis of a Westinghouse 3-Loop Pressurized Water Reactor," NUREG/CR-4762. March 1987.
- 33. U.S. Nuclear Regulatory Commission. "Shutdown Decay Heat Removal Analysis of a General Electric BWR4/Mark I," NUREG/CR-4767. July 1987.
- 34. U.S. Nuclear Regulatory Commission. "Evaluation of External Hazards to Nuclear Power plants in the United States," NUREG/CR-5042. 1987.
- 35. U.S. Nuclear Regulatory Commission. "Perspectives Gained From the Individual Plant Examination of External Events (IPEEE) Program," NUREG-1742. April 2002.
- 36. U.S. Nuclear Regulatory Commission. "Good Practices for Implementing Human Reliability Analysis (HRA)," NUREG-1792. April 2005. ADAMS Accession No. ML051160213.
- 37. American Nuclear Society. "Determining Design Basis Flooding at Power Reactor Sites," ANS/ANSI 2.8-1992. La Grange Park, IL : s.n., 1992.
- 38. U.S. Nuclear Regulatory Commission. "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278. August 1983. ADAMS Accession No. ML071210299.
- 39. U.S. Nuclear Regulatory Commission. "Human Factors Engineering Program Review Model," NUREG-0711, Revision 2. 2004.
APPENDIX A: Evaluation of flood protection
The goal of this appendix is to provide guidance on the evaluation of flood protection. Section A.1 provides guidance on evaluating individual features of a flood protection system. Section A.2 provides guidance on evaluating a complete flood protection system.
A.1 Individual flood protection features
This section provides guidance on evaluating individual features comprising flood protection systems. Section A.1.1 of this Appendix provides guidance on the evaluation of exterior and incorporated flood protection features that are passive and permanent. Section A.1.2 provides guidance on the evaluation of active flood protection features. Section A.1.3 provides guidance on the evaluation of temporary protective measures. Section A.1.4 provides guidance on evaluation of equipment required for manual actions.
A.1.1 Exterior and incorporated flood protection features
The following steps should be considered in the assessment of exterior and incorporated flood protection features that are permanent and passive:
- analysis of potential failure modes
- evaluation of capacities
- comparison against present-day codes and standards
- evaluation of operational requirements
- sensitivity studies, as appropriate, to capture uncertainties
Section 6.2 of this ISG describes high-level performance criteria applicable to all types of flood protection, including exterior and incorporated flood protection features that are permanent and passive. The following sections in this Appendix provide points of consideration in evaluating individual exterior and incorporated flood protection features that are permanent and passive. These include:
- earthen embankments (e.g., earth dams, levees and dikes) (Section A.1.1.1)
- floodwalls (Section A.1.1.2)
- seawalls (Section A.1.1.3)
- concrete barriers (Section A.1.1.4)
- plugs and penetration seals (Section A.1.1.5)
- storm drainage systems (Section A.1.1.6)
In evaluating these types of features, licensees should refer to the guidance in this Appendix as well as appropriate codes and standards to assess whether in place or planned features conform to good practices. Licensees shall identify flood protection features not meeting the implied expectations associated with these points of consideration and a technical judgment should be provided.
A.1.1.1 Earthen Embankments (earth dams, levees and dikes)
Earthen dikes and embankments come in a variety of configurations. There are differences in design and construction details between earthen dams, levees, and dikes. However, since earthen dams, levees, and dikes are subsets of an earthen embankment, that term will be used in this Appendix. This section provides points of consideration for evaluating earthen embankments, including:
- potential failure modes of earthen embankments
- considerations that should be evaluated to determine whether appropriate factors were considered in the embankment design
- material characterization
- maintenance and inspection
Potential failure modes of earthen embankments that should be considered for applicability include:
- seepage, internal erosion, and piping
- erosion-induced breaching
- shear failure
- surface sloughing
- excessive deformation
- seismically-induced liquefaction
- other types of slope movement
The foundation and subsurface design of an embankment, levee, or berm should be evaluated to determine whether the following factors were appropriately considered in its design:
- foundation stability
- positive control of seepage
- minimum adverse deformation via good contact between flood protection structure and foundation
- use of cut off walls and drainage systems to control seepage paths through foundation
The stability of embankments should be evaluated utilizing pertinent geologic information and in situ engineering properties of soil and rock materials. The geologic information and site characteristics that should be considered include:
- groundwater and seepage conditions
- lithology, stratigraphy, and geologic details disclosed by borings and geologic interpretations
- maximum past overburden at the site as deduced from geological evidence
- structure, including bedding, folding, and faulting
- alteration of materials by faulting
- joints and joint systems
- weathering
- cementation
- slickensides
- field evidence relating to slides, earthquake activity, movement along existing faults, and tension jointing
The materials used in construction of the structure should be evaluated to determine whether the following factors were appropriately considered in its design:
- use of filter materials to preclude migration of soil materials through the embankment and foundation
- erosion control against surface runoff, wave action, hydrodynamic forces, and debris
In evaluating engineering properties of soil and rock materials used in construction of the embankment, consideration should be given to:
- possible variation in natural deposits or borrow materials
- natural water contents of the materials
- climatic conditions
- possible variations in rate and methods of fill placement
- variations in placement water contents and compacted densities that must be expected with normal control of fill construction
The maintenance and inspection regime of the embankment should be evaluated to assess whether:
- the embankment is inspected at regular intervals
- written procedures are in place for proper maintenance
- personnel responsible for inspecting the structure have been trained in inspection techniques, implementing preventative and compensatory measures, and correcting or repairing deterioration
- suitable instrumentation is used to obtain information on the performance and condition of the structure
A.1.1.2 Floodwalls
A retaining wall is any wall that retains material to maintain a change in elevation whereas the principal function of a flood wall is to prevent flooding (inundation) of adjacent land. A floodwall is subject to water force on one side which is usually greater than any resisting earth force on the opposite side. A wall may be a retaining wall for one loading condition and a floodwall for another loading condition. The flood loading (surge tide, river flood, etc.) may be from the same or the opposite direction as the higher earth elevation.
Most flood walls are of the inverted T-type. The cross bar of the T serves as a base and the stem serves as the water barrier. In evaluating T-type floodwalls, potential failure modes for T-walls that should be considered include:
- seepage
- wall stability
Planning and design procedure considerations for floodwall projects are described in Ref. (13) and Ref. (14).
An I-wall is a slender cantilever wall, embedded in the ground or in an embankment, that rotates when loaded and is thereby stabilized by reactive lateral earth pressures. Potential failure modes for I-walls that should be considered include:
- depth of piling, deep seated (global failure)
- rotational failure due to inadequate pile penetration
- seepage
Information on I-walls as they relate to hydrostatic loads, static and dynamic water (wave) loads, seepage and piping, I-wall deflections, determination of safety factors, etc., is described in Ref. (15).
A.1.1.3 Seawalls
Seawalls are onshore structures with the principal function of preventing or alleviating overtopping and flooding of the land and the structures behind them due to storm surges and waves. Potential failure modes of seawalls that should be considered include instability due to erosion of the seabed at the toe of the structure and increase in wave impact, runup, and overtopping. Additional information on seawalls is provided in Ref. (16), Ref. (17), and Ref. (18).
A.1.1.4 Concrete barriers
In assessing whether other concrete barriers can support flood loads, the foundation and subsurface design of the barrier should be evaluated to determine whether the following factors were appropriately considered in design of the structure:
- static loads from stillwater elevation
- hydrodynamic loading from wave effects and debris
- foundation design and treatment, including good contact between the flood protection structure and foundation
- removal of problem soils
- increasing seepage paths through the foundation by use of deep cut off walls, if necessary
The material properties of the concrete barrier should be evaluated (using available documentation and current condition) to assess whether:
- there was a competent investigation of material sources
- adequate testing was performed of materials in accordance with accepted standards
- proper proportioning of concrete was performed to improve strength and durability
The design of the concrete barrier should be evaluated to ensure it is safe against overturning and sliding without exceeding the allowable stress of the foundation and concrete for the loading conditions imposed by the flood and all associated flood effects.
The maintenance and inspection regime of the concrete barrier should be evaluated to assess whether:
- the barrier is inspected at regular intervals
- written procedures are in place for proper maintenance
- personnel responsible for inspecting flood control structures have been trained in inspection techniques, implementing preventative and compensatory measures, and correcting or repairing deterioration
- suitable instrumentation is being used to obtain information on the performance and condition of the structure
A.1.1.5 Plugs and penetration seals
In assessing whether plugs and penetration seals are watertight and support applied loads the evaluation should demonstrate the following:
- able to withstand the flood height and associated effects (including static and dynamic loads) associated with the flood scenario parameters, including the following considerations:
  - all sizes have been tested to withstand hydrostatic seal pressures for the anticipated water pressures
  - adequately designed for the effects of hydrodynamic and debris loading from floods
- restrict leakage to amount within the capacity of drainage or pumping systems
- in satisfactory condition
- able to withstand anticipated temperatures
- suitable for applications in water - above ground and direct burial and will provide the electrical insulation where cathodic protection is required
- adequately resistive to fires, corrosive fluids, UV and radiation, as applicable
- qualitative evaluation of operational requirements such as surveillance, inspection, design control, procurement, maintenance, and testing is appropriate to provide confidence in the reliability of plugs and penetration seals.
A.1.1.6 Storm drainage systems
If credited, storm drainage systems should be evaluated to demonstrate they are capable of passing sufficient flow to accommodate the reevaluated flood flow rate while maintaining the flood height not greater than the allowable value (footnote 21). All effects associated with the flood (e.g., scour) should be considered in the evaluation. Performance should be compared against appropriate present-day codes and standards, including Standard Review Plan Section 2.4.2 (Ref. (19)). Storm drainage systems should also be evaluated to demonstrate they are in satisfactory condition. Qualitative evaluation of operational requirements such as surveillance, inspection, design control, maintenance, and testing is appropriate (e.g., a walkdown procedure should be provided for verifying that the system is clear of debris and objects that could impede flow). If drainage systems are associated with active components, they should be evaluated using considerations described in Section A.1.2.
Footnote 21: If storm drainage is not capable of handling the reevaluated flood, flood protection should be provided and evaluated.
A.1.2 Active features
The attributes in Table A 1 may be used, in part, to justify the reliability of flood protection equipment. The reliability of active components, other than flood doors and hatches, should also be quantified based on operating experience and other data or information using traditional PRA or statistical techniques. In some cases, this information may not be available. In this case, tests or analyses may be required to support quantification of reliability.
In assessing whether water tight doors (flood doors and hatches) perform their intended functions, the following factors should be considered:
- Flood barriers shall conform to the criteria for resisting lateral forces due to hydrostatic pressure from freestanding water.
- Hydrodynamic force resistance - flood barriers shall conform to the criteria for resisting lateral forces due to moving flood waters.
- Debris impact force resistance - flood barriers shall conform to the criteria for resisting debris objects at stated velocities.
A.1.3 Temporary features
In addition to the performance criteria described in Section 6.2, standards, codes, and guidance documents (e.g., Ref. (20) and (21)) should be consulted to determine whether the configuration of the temporary barrier (e.g., configuration of a sandbag wall) conforms to good practices. Human actions associated with construction or installation of temporary protective measures should be evaluated using Appendix C. Justification of feature reliability may require laboratory or field testing (e.g., Ref. (22)), analytical modeling, or demonstrations.
A.1.4 Equipment necessary to perform human actions
Human actions associated with flood protection features should be evaluated as described in Appendix C.
Equipment necessary to facilitate performance of manual actions should be functional, available, and accessible when required. The availability of special equipment required for the performance of protective or mitigating actions should be considered. In crediting the availability of equipment for use by personnel, the following criteria should be considered:
- Equipment should not be damaged or otherwise adversely affected by the flood event (e.g., due to direct inundation, excessive humidity, hydrodynamic forces, or debris) or adverse environmental conditions.
- Equipment should not be located in an area exposed to the flood (including any associated effects), unless there is strong justification for the continued functionality of the equipment.
- All needs of the equipment should be met, including supporting electrical power, cooling, and ventilation, etc.
- Equipment should be easily located and all aids should be readily available.
- Physical access and manipulation constraints should be considered in evaluating whether equipment is available for use.
Plant personnel should be able to find and reach the equipment and should be able to perform the required actions using the equipment. Credit should not be given if the equipment is not functional, available, and accessible to personnel. Therefore, if any of the above criteria are not met, the operation of the equipment should be considered infeasible.
Consideration should be given to special and portable equipment that may be required to facilitate performance of required actions. Special equipment may include keys to open locked doors (doors may fail closed in the event of a loss of power), ladders, and special purpose tools (e.g., equipment required to fill sandbags, portable generators, tools to manipulate equipment manually) and equipment necessary to cope with environmental conditions (e.g., flashlights and personal protective equipment such as personal flotation devices). Equipment should be easily located and readily available so as not to impede or delay the performance of required actions. Equipment should be controlled and routinely verified. Personnel should be trained to locate and use the required equipment. Any delays associated with acquisition and use of portable equipment should be considered.
A.2 Flood protection systems
Section A.1 provides guidance on the evaluation of individual flood protection systems (i.e., evaluation at the component level). Some flood protection systems involve multiple features or components. This section describes the evaluation of flood protection systems as a whole (i.e., at the system-level) as directed by Section 6. System evaluation should begin with the definition of the flood scenario parameter to which the system is subjected. Next, criteria defining failure of the flood protection system should be identified. In the context of the Integrated Assessment, failure may be defined as loss of barrier integrity, a leakage rate into a room exceeding a specified threshold, or other effects.
Failure modes and effects analysis (FMEA) is a common tool for systematically identifying possible failure modes of a SSC and evaluating the effects of the failure on other SSCs and is applicable to the Integrated Assessment. Once failure criteria have been defined, individual flood protection barriers within the flood protection system should be evaluated at the component level under the loads resulting from the flood scenario parameters. Finally, the flood protection system should be evaluated, accounting for interactions and dependencies between components.
Following the above steps, the system evaluation should progress through the sequence of subsequent events that can ultimately lead to end states corresponding to failure (or damage) of the flood protection system and subsequent adverse consequences (e.g., leakage of water past a barrier or inundation of a room). Logic structures, such as event trees, provide a way to represent the various outcomes that can occur as a result of the flood scenario parameters. An event tree starts with the specification of the flood scenario parameters and develops sequences based on whether a feature (including a human action) succeeds or fails in performing the intended functions. The system level evaluation should account for factors such as:
- the duration of the flood event (footnote 22)
- the reliability of active components (e.g., pumps that are required to remove water that bypasses flood barriers)
- the effect of flood height and associated flood effects on the performance of barriers
- the robustness of barriers, particularly temporary barriers
- the feasibility and reliability of human actions that must be performed to install or construct barriers (e.g., flood gates, sandbag walls), including factors that can influence personnel performance, as described in Appendix C
- the time available to carry out procedures and perform required actions, including consideration of the reliability of communication mechanisms and instrumentation that trigger actions by plant personnel
- potential hindrances to movement of personnel and equipment around the site
Footnote 22: For some hazards, flood conditions could persist for a significant amount of time. Extended inundation on or near the site could present concerns such as site and building access, travel around the site, equipment operating times, and supplies of consumables (Ref. (1)). Flood protection feature limitations based on flood duration should be evaluated. For example, if the duration of the design basis flood is 72 hours and a diesel driven pump is credited with removing water from an area, the total amount of fuel available for the pump and the operating time it represents should be determined and included in the assessment.
The final two factors in the above list primarily affect the feasibility and reliability of the identified manual action factor in the above list. To avoid double counting the effects of the last two factors, it is suggested that they only be taken into consideration in the evaluation of manual actions performed using Appendix C.
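The system-level event tree described in this section, worked through as an added example that is not part of the ISG. The three top events, their branch probabilities, and the pump fuel endurance are constructed values chosen for illustration; the 72-hour flood duration is the figure used in footnote 22, and the dependency rules (no wall, no barrier; failed wall overwhelms the pump) are assumptions of this sketch.

```python
"""Added example: quantifying a small flood-protection event tree.

All probabilities and the fuel endurance are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

History = Tuple[bool, ...]  # success/failure of the top events asked so far

PROTECTED = "protected"
FAILED = "failed"  # failure criterion met, e.g. leakage threshold exceeded


@dataclass(frozen=True)
class TopEvent:
    name: str
    # Success probability conditioned on earlier outcomes, so that
    # dependencies between components are represented explicitly.
    p_success: Callable[[History], float]


def pump_p(p_run: float, fuel_hours: float, flood_hours: float) -> float:
    """A pump credited for the whole flood event cannot succeed if its
    fuel supply is shorter than the flood duration (footnote 22)."""
    return p_run if fuel_hours >= flood_hours else 0.0


def build_tree(flood_hours: float, fuel_hours: float) -> List[TopEvent]:
    """Hypothetical system: sandbag wall (manual action) plus diesel pump."""
    return [
        # Human action: wall built within the available time (Appendix C).
        TopEvent("sandbag wall installed in time", lambda h: 0.95),
        # A wall that was never installed cannot hold.
        TopEvent("wall holds under flood loads",
                 lambda h: 0.90 if h[0] else 0.0),
        # The pump only copes with leakage past an intact wall.
        TopEvent("pump removes leakage for the flood duration",
                 lambda h: pump_p(0.98, fuel_hours, flood_hours)
                 if h[1] else 0.0),
    ]


def sequences(tree: List[TopEvent], history: History = (),
              prob: float = 1.0) -> List[Tuple[History, float]]:
    """Develop every sequence with non-zero probability."""
    if prob == 0.0:
        return []  # branch cannot occur; prune it
    if len(history) == len(tree):
        return [(history, prob)]
    p = tree[len(history)].p_success(history)
    return (sequences(tree, history + (True,), prob * p)
            + sequences(tree, history + (False,), prob * (1.0 - p)))


def end_state(history: History) -> str:
    """Protection succeeds only if every credited feature succeeds."""
    return PROTECTED if all(history) else FAILED


def quantify(tree: List[TopEvent]) -> Dict[str, float]:
    """Sum sequence probabilities by end state."""
    totals = {PROTECTED: 0.0, FAILED: 0.0}
    for history, prob in sequences(tree):
        totals[end_state(history)] += prob
    return totals


if __name__ == "__main__":
    for fuel in (96.0, 48.0):  # constructed fuel endurance, in hours
        tree = build_tree(flood_hours=72.0, fuel_hours=fuel)
        print(f"fuel endurance {fuel:.0f} h:")
        for history, prob in sequences(tree):
            print("  ", history, f"{prob:.4f}", end_state(history))
        print("  ", quantify(tree))
```

With 48 hours of fuel the pump branch can never succeed, so no sequence reaches the protected end state even though the wall and the manual action are unchanged.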
Table A 1: Criteria for evaluating active components
Functional characteristics:
- 1. Capable of performing required function, i.e., functional requirements are met (e.g., pump flow rate, pump discharge pressure)
- 2. There is an engineering basis for the functional requirements for the equipment which:
- a. is auditable and inspectable
- b. is consistent with generally accepted engineering principles
- c. defines incorporated functional margin
- d. is controlled within the configuration document control system
- 3. Functionality of the equipment may be outside the manufacturer's specifications if a documented engineering evaluation justifies that the equipment will be functional when needed during the flood event duration.
Operational characteristics
- 1. Testing (including surveillances)
- a. Equipment should be initially tested to verify performance conforms to the limiting performance requirements.
- b. Periodic tests and test frequency should be determined by an engineering evaluation based upon equipment type and expected use.
- c. The testing basis shall be documented.
- d. Periodic testing should address storage and standby conditions as well as in-service conditions (if applicable).
- e. Testing records shall be retained.
- f. Equipment issues identified through testing shall be incorporated into the corrective action program.
- 2. Preventive maintenance (including inspections)
- a. Preventive maintenance tasks and task intervals should be determined by an engineering evaluation based upon equipment type, expected use, as well as NRC and industry guidance.
- b. The preventive maintenance basis shall be documented.
- c. Preventive maintenance should address both storage / standby conditions and in-service conditions.
- d. Preventive maintenance records shall be retained.
- e. Equipment issues identified through preventive maintenance shall be incorporated into the corrective action program.
- 3. Corrective and elective maintenance
- a. Corrective and elective maintenance records shall be retained including the reasons for the corrective or elective maintenance performed.
- b. Equipment issues identified through corrective or elective maintenance shall be incorporated into the corrective action program.
Unavailability characteristics
- 1. The unavailability of equipment should be managed such that loss of capability is minimized. A temporary replacement should be procured for equipment that is expected to be unavailable for more than 30 days or when a flood event is forecasted.
- 2. A spare parts strategy should be developed to support availability considerations.
Equipment storage characteristics
- 1. Portable equipment should be stored and maintained so as to assure that it does not degrade while being stored and that it is accessible for periodic maintenance and testing.
- 2. Credited active equipment should be protected from flooding while stored. It should be accessible during a flooding event. Alternatively, credited active equipment may be stored in locations that are neither protected from flooding nor accessible during a flood if adequate warning of an impending flood is available and equipment can be relocated prior to inundation. Manual actions associated with relocation of equipment should be evaluated using Appendix C.
- 3. If B.5.b equipment is credited, it must meet the above storage requirements.
APPENDIX B: Peer Review
A peer review is an important element of the Integrated Assessment. The peer review increases confidence in the results of the Integrated Assessment and provides assurance that they form a sound basis for regulatory decisions. Where feasible, the peer review can incorporate established licensee review procedures if compatible with the site-specific conditions and non-routine nature of the Integrated Assessment. Peer reviewer attributes, attributes of an acceptable peer review, and required documentation of the peer review are described below.
B.1 Peer reviewer attributes
The reviewers should have the following attributes:
- Peer reviewers should be independent of those who are performing the Integrated Assessment (i.e., the peer review team members shall have neither performed nor directly supervised any work on the portions of the assessment being reviewed).
- The number of peer reviewers is dictated by the scope of the Integrated Assessment and should include as many people as necessary for review by individuals with appropriate expertise. Collectively, peer reviewers should have expertise in all areas of importance to the Integrated Assessment. For example, reviewers should have combined experience in the following areas (as applicable): systems engineering, flood hazard assessment, flood protection engineering (e.g., structural and geotechnical engineering), human reliability analysis and evaluation of manual actions, and application of PRA methodologies.
- One of the peer reviewers should be designated as the peer review team leader. The team leader is responsible for the entire peer review process, including completion of the final peer review documentation. The team leader is expected to provide oversight related to the process, scope, and technical aspects of the peer review. The team leader will establish the initial scope of the peer review and assemble an appropriate review team. The team leader should have sufficient knowledge and experience to determine the scope of the review based on the above considerations. The peer review team leader should expand the scope of the review and add members to the team if necessary to ensure all areas of review are appropriately covered.
- Peer reviewers may be selected from within the licensee's organization if the attributes described above are met. If reviewers with the above attributes cannot be assembled from within the licensee's organization (in whole or in part), it is necessary to assemble additional reviewers from outside the licensee's organization (i.e., external peer reviewers).
B.2 Peer review attributes
The peer review should have the following attributes:
- To facilitate an efficient and informative review, an in-process peer review is recommended, though a one-time peer review at the end of the Integrated Assessment is also acceptable. In other words, it is recommended that the peer review be performed contemporaneously with the Integrated Assessment and observations made by the reviewers should be transmitted to the Integrated Assessment team as soon as possible.
- The peer review should be conducted as an assembled team. This is particularly important for critical items such as the following (if credited): (1) manual actions, (2) temporary protective measures, and (3) non-safety-related equipment used for event mitigation. Reviewers should have the opportunity to interact with one another when performing the reviews, irrespective of the specific areas of review to which a team member is assigned.
- The reviewers should evaluate each of the following if they are a part of the Integrated Assessment and assess the rationale if they are not:
  - methodologies used to evaluate capabilities for flood protection and mitigation
  - assumptions made and methods used to formulate and validate the methodologies
  - performance criteria applied
  - evaluations of the reliability of flood protection features and systems for which generally accepted codes and standards are either unavailable or inapplicable
  - evaluations of the feasibility and reliability of non-routine or new human actions (i.e., actions that are not routinely performed or have not been previously evaluated under other processes)
  - judgments made regarding the mitigation capability and reliability of credited systems (applies to both margins-type and full PRA methods)
  - judgments made that there is high confidence that key safety functions will be maintained, including logic models and timelines (applies to scenario-based evaluation methods)
- Peer reviewers should pay particular attention to the following:
  - assumptions, particularly those that are not thoroughly developed and documented
  - justification for the use of novel models or methods, especially if those models or methods are inconsistent with current practices
  - technical judgments, especially those that are not supported by technical analyses such as explicit calculation or appropriate data
  - judgments made regarding the reliability of protection or mitigation actions involving the use of equipment, personnel, or other resources in non-traditional ways
- Peer reviewers should evaluate the completeness, accuracy, and technical bases of the final Integrated Assessment report.
B.3 Peer review documentation
The peer review process should be clearly documented in the Integrated Assessment submittal. Documentation of the peer review should be contained in a separate enclosure report as part of the licensee's Integrated Assessment submittal and should include the following:
- a description of the peer review process
- the names and credentials (e.g., training, experience, capabilities, and background) of the peer review team members and leader, as well as the areas on which each reviewer concentrated
- a description of how reviewer attributes (Section B.1) are met by the assembled peer review team
- a discussion of the key findings and a discussion as to how the findings were addressed
- an assessment of the disposition of comments made by peer reviewers
- a review of the final Integrated Assessment report
- the conclusions of the peer review team as to the completeness, accuracy, and technical bases of the Integrated Assessment
APPENDIX C: Evaluation of manual actions
C.1 Overview
C.1.1 Purpose and Scope
This appendix provides guidance for evaluating manual actions (footnote 23) associated with flooding based on concepts and approaches used in human factors engineering and human reliability analyses (HRA). Much of this appendix focuses on manual actions performed outside the main control room, including actions taken throughout the plant and around the site associated with both flood protection and mitigation. Nonetheless, some flooding scenarios may challenge the operating crew's ability to maintain situation awareness and command and control. Therefore, in addition to ex-MCR actions, manual actions that are performed in the MCR during a flood scenario with the specific intent to affect plant operating conditions (footnote 24) are also within the scope of this evaluation.
The purpose of the evaluation is to assure, with high confidence, that manual actions required for flooding events are both feasible and reliable. An action is considered feasible if it has been analyzed and the licensee has demonstrated that it can be performed correctly within an available time so as to avoid a defined undesirable outcome.
A feasible action is reliable when it is demonstrated as being dependably repeatable within an available time (while considering varying conditions that could affect the available time and/or the time required for performing the action). All reliable actions must be feasible, but not all feasible actions will be reliable (Ref. (10)). Results of the evaluation process described here may show that an important human action is infeasible or cannot be performed reliably. In these instances, it may be possible to modify aspects of the task or the circumstances in which the action is performed to identify acceptable alternatives. Therefore, the evaluation process described in this Appendix may be iterative.
C.1.2 Organization of the Appendix
This Appendix is organized according to the process for evaluating the feasibility and reliability of flood-related manual actions for the Integrated Assessment:
- Section C.2 describes a process for identifying and defining important human actions.
- Section C.3 discusses evaluating whether manual actions are feasible, including:
  - timing analysis (Section C.3.1)
  - evaluation of performance shaping factors (Section C.3.2)
- Section C.4 provides a process for evaluating whether manual actions are reliable
- Section C.5 discusses adjustments of actions and associated context to improve feasibility or reliability
- Section C.6 describes documentation
Footnote 23: This appendix refers to manual actions as an all-inclusive term. It is recognized that, due to the nature of flood events, manual actions may be performed by operators, maintenance personnel, or other plant staff. Requirements associated with experience and training apply to all plant personnel performing activities associated with protection and mitigation actions.
Footnote 24: These include actions to reconfigure flow paths, to recover equipment important to safety, to change power level, and to switch sources of coolant inventory, among others. Because Emergency Operating Procedures (EOPs) have been validated during their development and subsequent change processes, actions included in the existing EOPs are acceptable with little further evaluation, but only if they are applicable to the plant mode and effective under the conditions of the scenario, i.e., I&C for the equipment is not degraded, power is available, no spurious alarms, etc.
C.2 Identify and Define the Human Actions
The first step in the evaluation is to identify the manual actions associated with protection or mitigation. This step also entails defining the actions at the appropriate level of detail to support qualitative analysis and quantification, if necessary. For each human action upon which flood protection or mitigation depends, the licensee should develop a timeline that locates the human action within the sequence of activities in the flooding scenario and provide a high-level description of it (i.e., an operational story or human failure event (HFE) narrative, as described in NUREG-1921, Ref. (23)). The narrative should include:
- the initiating event for the scenario, including flood scenario parameters and credible flood protection failure modes (if applicable)
- scenario sequence (preceding system/functional failures and successes)
- description of the objective of the action (i.e., what the action is intended to achieve)
- description of the credentials and experience of personnel performing the action (e.g., licensed operators versus maintenance personnel)
- description of the cognitive (detection, diagnosis, decision-making) and execution (actions, behaviors) aspects of the manual action
- timing information (as specified in Section C.3.1)
- scenario-specific procedural guidance
- availability of cues and other associated indications that may be needed to initiate necessary actions, as well as cues that might subsequently enable personnel to detect the need to correct an action that has been omitted or performed incorrectly
- preceding human errors or successes in sequence
- human action success criteria
- undesired human responses
- physical environment in which the action is performed
- a summary of the operating history of human errors associated with establishing and maintaining the flood protection features and with systems, structures, and components (SSCs) involved in flood mitigation
C.3 Evaluate human action feasibility
The objective of this step is to determine whether a manual action is feasible. A manual action is feasible if it can be accomplished in the context within which it will be performed and there is adequate time available to perform the action, considering any adverse contextual factors that may delay or degrade performance. An action that is possible to perform in a given context is considered feasible when the time required to complete the action is less than the time available based on a timing analysis, with appropriate margin, as described in Section C.3.1.
In addition, determination of whether a manual action is feasible and reliable should account for relevant performance shaping factors (PSFs), as described in Section C.3.2. This appendix includes a section corresponding to applicable PSFs (Sections C.3.2.1 to C.3.2.13). Each section includes a general discussion of the PSF as well as criteria for specifying whether a task is feasible based on whether each PSF associated with the task is categorized as nominal (or better) or degraded.
A manual action is considered to be feasible if all of the following criteria are met:
- the timing analysis (Section C.3.1) determines that the time required to complete the action is less than the time available (see Section C.3.1.2)
- the PSF for workload, pressure and stress is categorized as high or nominal
- all other PSFs are categorized as nominal or better (i.e., not degraded), unless strong justification is available to support the feasibility of an action under degraded conditions
C.3.1 Timing analysis
Figure C 1 provides a framework for conducting a timing analysis of a manual action to evaluate whether the time required to complete it is less than the time available. The figure is composed of several elements to capture the various aspects of timing during the period of time between when an action is necessary until the time at which the action will no longer succeed.
C.3.1.1 Timing elements
The terms associated with each timing element are:
T0 = start time, or the point in time in a flooding scenario or HFE narrative at which the conditions exist that will require the human action (e.g., a weather forecast predicts excessive precipitation, a dam failure occurs, a levee onsite is overtopped, leakage develops)
Tdelay = time delay, or the duration of time it takes for the cue to become available
Tsw = the time window within which the action must be performed to achieve its objective
Tavail = the time available for action = (Tsw - Tdelay)
Tcog = cognition time, consisting of detection, diagnosis, and decision making
Texe = execution time including travel, collection of tools, donning of PPE, and manipulation of relevant equipment
Treqd = time required, or the time required for an individual or crew to accomplish the action = (Tcog + Texe)
It is likely that the majority of manual actions required for flood protection and mitigation will not have been analyzed previously, with the result that initial values for these timing elements must be developed. Interviews with personnel who will perform the action can provide initial timing estimates. Operators, trainers, and other knowledgeable plant staff should be involved to the extent possible. Ideally, those who would have to perform the action (or set of actions) should be interviewed. More than one expert should be involved if possible to obtain more than one opinion about the timing for the actions being examined in obtaining the estimate.
It will also be necessary to walk through the actions in the field to refine and verify the estimates. Again, those who would have to perform the action should perform the walk-throughs and timing data should be collected from repeated walk-throughs involving different individuals or crews to assess variability. Reasonable simulations performed under the flood walkdowns (Ref. (1)) may provide a useful source of information. In addition, for certain actions (e.g., actions performed in the MCR) information about manual actions may be available from the plant-specific Individual Plant Examination (IPE) and Individual Plant Examination of External Events (IPEEE), existing procedures, controlled system descriptions, training documents, and personnel interviews. Plants that have a Time-critical Action Program (a configuration control program that validates and protects time-critical actions from inadvertent changes) may use timing information from that program when it is relevant to the scenario being evaluated.
It may not be possible to collect actual baseline values for some actions. In these cases, it may be possible to simulate the actions using mock-ups. Expert elicitation techniques may also be used to estimate timing values, as described in Appendix B to NUREG-1852 (Ref. (10)) or other available guidance for performing HRA (e.g., NUREG-1880, Ref. (24)).
C.3.1.2 Calculate Time Margin
The time margin available for the action should be calculated. Time margin is defined as the ratio of time available for the recovery action to the time required to perform the action (Tcog+Texe) and is calculated as follows:
Time Margin =
Time Margin =
100%
C.3.2 Performance shaping factors
The following performance shaping factors (PSFs) are relevant to manual actions associated with flooding:
- Cues and indications - the availability and quality of information needed to initiate and perform the action.
- Complexity - the ambiguity and mental effort associated with detection, diagnosis and decision-making and any complicated aspects associated with action execution, such as special sequencing, coordination between multiple individuals at different locations, or the need for sensitive and careful manipulations.
- Special equipment - the availability and accessibility of any special equipment needed to perform the human action. These items may include portable equipment as well as personal protective equipment (PPE).
- Human-system interface - the availability and usability of that part of a piece of equipment or system with which personnel interact to perform the action.
- Procedures - the availability, accuracy/applicability and usability of instructions for performing a human action.
- Training - the availability and quality of training provided for performing the human action.
- Workload, pressure and stress - the amount of work that a crew or individual has to accomplish in the available time (e.g., task load) along with their overall sense of being pressured and/or threatened in some way with respect to what they are trying to accomplish.
- Environmental factors at location(s) of action(s) - the presence and severity of those factors that could negatively impact the ability to perform the human action, such as the presence of water, radiation, poor lighting, temperature extremes, humidity, noise, vibration, electrical hazards.
- Special fitness issues - the extent to which performance of the human action requires unusual levels of fitness or may create fitness concerns.
- Staffing - the availability of sufficient numbers of qualified personnel to perform the action, considering concurrent activities and collateral duties.
- Communications - the availability, accessibility and functionality of communications equipment needed to perform the action and coordinate activities among personnel.
- Accessibility - the ability of personnel and resources to move around the site as well as the ability of offsite personnel or resources to arrive onsite
- Scenario-specific PSFs - other task or contextual factors that have the potential to adversely impact performance of the action.
The relative importance of each PSF will vary, depending on the type of manual action being evaluated. For example, the availability and quality of cues and indications needed to initiate sandbagging will likely be less important in determining the feasibility of that manual action than those required by the control room crew to perform flood mitigation actions with degraded instrumentation and controls in the MCR. Nevertheless, consideration of each of these PSFs aids in ensuring the evaluation is comprehensive.
As described previously, performance shaping factors should be used to adjust time elements used in the timing analysis. For example, a failed alarm may increase the length of Tdelay, which is the period of time between when an action is required and plant personnel recognize that action is necessary. Ambiguous or conflicting indications may increase Tcog, which is the period of time required to assess a situation and determine the correct action to execute. A lack of tools or equipment that is not functional could increase Texe, or the period of time between the decision to execute an action and when it is completed. Taken together, a human action is infeasible when Tdelay + Tcog + Texe > Tsw.
In addition, as described previously, manual actions that are associated with PSFs that are not categorized as nominal or better (with the exception of workload, pressure, and stress which should be high or better), should be considered infeasible.
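The feasibility criteria above (the timing comparison plus the PSF categories) written out as a small check. This is an added example, not part of the NRC guidance: the PSF key names, the use of the slowest walk-through as Treqd, the treatment of an uncategorized PSF as blocking, and all sample values are assumptions of this example.

```python
from dataclasses import dataclass, field

# The 13 PSFs listed in Section C.3.2; the key spellings are this example's own.
WORKLOAD = "workload_pressure_stress"
PSFS = (
    "cues_indications", "complexity", "special_equipment", "human_system_interface",
    "procedures", "training", WORKLOAD, "environmental_factors", "special_fitness",
    "staffing", "communications", "accessibility", "scenario_specific",
)


@dataclass
class WalkThrough:
    """One timed walk-through by one individual or crew, in minutes."""
    t_cog: float  # Tcog: detection, diagnosis and decision making
    t_exe: float  # Texe: travel, tools, PPE, equipment manipulation


@dataclass
class ManualAction:
    name: str
    t_sw: float          # Tsw: window, measured from T0, in which the action must succeed
    t_delay: float       # Tdelay: time from T0 until the cue becomes available
    walk_throughs: list  # repeated WalkThrough samples from different crews
    psfs: dict           # PSF name -> category, e.g. "nominal", "degraded", "high"
    justified: set = field(default_factory=set)  # degraded PSFs with documented strong justification


def evaluate_feasibility(action):
    """Apply the three feasibility criteria of Section C.3; return (feasible, reasons)."""
    reasons = []
    t_avail = action.t_sw - action.t_delay  # Tavail = Tsw - Tdelay
    if not action.walk_throughs:
        reasons.append("timing: no walk-through data, Treqd unknown")
    else:
        # Assumption of this example: judge against the slowest observed crew,
        # so crew-to-crew variability counts against the action.
        t_reqd = max(w.t_cog + w.t_exe for w in action.walk_throughs)  # Treqd = Tcog + Texe
        if not t_reqd < t_avail:  # "less than": equality does not pass
            reasons.append(f"timing: Treqd {t_reqd:g} min is not less than Tavail {t_avail:g} min")
    for psf in PSFS:
        category = action.psfs.get(psf, "").strip().lower()
        if not category:
            # Assumption of this example: an uncategorized PSF blocks a feasible verdict.
            reasons.append(f"{psf}: not categorized")
        elif psf == WORKLOAD:
            # The criteria list accepts only "high" or "nominal" here, with no justification clause.
            if category not in ("high", "nominal"):
                reasons.append(f"{psf}: '{category}' is neither high nor nominal")
        elif category == "degraded" and psf not in action.justified:
            reasons.append(f"{psf}: degraded without strong justification")
    return (not reasons), reasons


def constructed_cases():
    """Three constructed actions (all values invented for illustration)."""
    crews = [WalkThrough(20, 95), WalkThrough(25, 110), WalkThrough(15, 100)]
    nominal = {p: "nominal" for p in PSFS}
    nominal[WORKLOAD] = "high"
    baseline = ManualAction("close flood door", t_sw=240, t_delay=30,
                            walk_throughs=crews, psfs=dict(nominal))
    # A failed alarm lengthens Tdelay; the special-equipment PSF is also degraded.
    late_cue = ManualAction("close flood door, alarm failed", t_sw=240, t_delay=120,
                            walk_throughs=crews,
                            psfs={**nominal, "special_equipment": "degraded"})
    # Degraded environment, but with a documented justification on file.
    justified = ManualAction("close flood door, poor lighting", t_sw=240, t_delay=30,
                             walk_throughs=crews,
                             psfs={**nominal, "environmental_factors": "degraded"},
                             justified={"environmental_factors"})
    return [baseline, late_cue, justified]


if __name__ == "__main__":
    for action in constructed_cases():
        feasible, reasons = evaluate_feasibility(action)
        print(action.name, "->", "feasible" if feasible else "infeasible")
        for reason in reasons:
            print("   ", reason)
```

Returning the list of reasons rather than a bare verdict keeps the result usable for the iterative adjustment the appendix describes, since each entry names the timing element or PSF that would have to change.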
The following subsections describe PSFs to be considered in evaluating the feasibility of manual actions.
C.3.2.1 Cues and indications
Cues and indications serve the following functions:
- 1) enable personnel to determine that flood protection and mitigation actions are required or appropriate
- 2) direct or guide personnel performing actions
- 3) provide feedback on the success/failure of actions
In the context of flood protection, indications should be available to provide notification that a flood event is imminent if manual actions are required to provide protection against the flood event. Examples of indications include river forecasts, dam condition reports, and river gauges. If durable agreements are not in place to ensure communication from offsite entities and the plant does not have an independent capability to obtain the same information onsite, any manual action initiated by the indication should be considered infeasible. Consideration should be given to the quality of the agreements in place between offsite entities and personnel at the nuclear power plant site as well as the potential for the communication mechanisms to fail.
Cues and indications are also necessary for determining whether and which flood protection manual actions are required, to direct the performance of those actions, and to evaluate whether the actions have achieved their objective. Particularly with respect to active flood protection features, cues and indications should be available to verify that the needed equipment is functioning as intended. The impact of other postulated conditions on the availability of cues and indications should also be considered, such as communication difficulties resulting from noise, difficulties in manipulating equipment, or verifying its status in the dark.
In the context of mitigation actions, indications should be available to alert personnel to the failure of flood protection features and presence of water in locations that are intended to be kept dry or otherwise protected from flood effects. For cases in which indications are not available, the evaluation can consider compensatory measures (e.g., local observations).
Evaluations of adequacy of time should account for the frequency of manual checks in the absence of continuous monitoring. If cues or indications are not available, the mitigation actions should be considered infeasible.
For control room based actions, the presence and the salience of indicators and cues should be considered. Annunciators, alarms, computer logs, and position indicators may be more or less effective based on the context (e.g., it may not be feasible to expect an operator to attend to a single annunciator when fifty or sixty are in alarm coincidentally).
Additionally, consideration should be given to whether spurious alarms due to flood effects are likely to cause unwanted operator responses that could make plant conditions worse instead of better. In addition to potential effects on cues and indications, some flooding scenarios may degrade or fail systems normally available to crews in the MCR for taking actions to control key safety functions. If local control actions are required, consideration should be given to the communications burden on the operating crew for directing the action and verifying that the action has been successful. The evaluation should also pay attention to the accessibility of data or information in digital or computerized systems (e.g., if the computer is not functional because of the flood, many alarms and other information will be inaccessible to operators).
Based on the considerations described above, the PSFs for cues and indications should be categorized using the following categorization scheme:
- Nominal - cues and indications are available and can be accessed in time to support diagnosis and decision-making before action execution is required, and the cues and indications are accurate
- Degraded - cues and indications are difficult to obtain or unreliable such that additional time is required to obtain and verify them
C.3.2.2 Complexity of the required action
Complexity refers to the nature of the action that must be diagnosed and performed. High levels of complexity, particularly in the absence of training and practice, reduce the feasibility of manual actions. Sources of complexity that may affect the timeliness and effectiveness of cognition may include diagnostic ambiguity from conflicting or difficult-to-interpret cues and indications; unfamiliar circumstances that require mental effort and, perhaps, consultation, to interpret; ambiguity in the appropriate prioritization of competing goals; and the need to consider multiple variables simultaneously implementing a proceduralized action. Sources of complexity that may affect the timeliness and effectiveness of action execution may include the need for personnel to perform many steps in rapid succession; the need to perform multiple actions concurrently; and whether special sequencing or coordination is required for the action to be successful (especially if it involves multiple persons in different locations). Actions that require concurrent diagnosis and execution or sensitive and careful manipulations are also likely to be complex.
Input from personnel should be obtained regarding their perception of whether the scenario is complex or simple. If rarely-used configurations will be used, the possibilities of new single failures, interfacing LOCA, inadvertent system interactions, and unrecognized drainage pathways for the reactor vessel or important storage tanks should be considered.
In addition, to evaluate complexity, the following questions should be considered:
- Are there many alarms or indications that the crew/operator must identify, evaluate, and respond to?
- Will communication between several individuals at different locations be necessary?
- Will plant symptoms be difficult to ascertain because of instrumentation failures and spurious indications?
- Will component failure(s) have multiple or propagated effects on systems, equipment, or other components?
- Will the action sequence include concurrent tasks that require specific timing to be successful?
- Will the situation include many distractions, crowds of people, or other factors which could divert attention from the required task(s)?
Based on the considerations described above, the PSFs for complexity should be categorized for cognition and execution tasks using the following categorization schemes:
Cognition
- Obvious diagnosis - diagnosis becomes greatly simplified. Cognition tasks are so obvious that it is difficult for personnel to misdiagnose them. The most common and usual reason for this is that validating and/or convergent information becomes available to the individual.
- Nominal - detection, diagnosis and decision-making associated with the action are simple, straightforward, and unambiguous or the crew or individual is highly familiar with and skilled in addressing the situation
- Degraded - cues and indications are conflicting or difficult to interpret, resolution of any ambiguity and/or response planning requires consideration of competing goals, multiple variables, or unusual circumstances with which the individual or crew is not highly familiar and practiced. Cognition tasks associated with degraded conditions should be further classified as follows:
  - Moderately complex - somewhat difficult to perform. There is some ambiguity in what needs to be diagnosed. Several variables are involved, perhaps with some concurrent diagnoses (i.e., evolution performed periodically with many steps).
  - Highly complex - very difficult to perform. There is much ambiguity in what needs to be diagnosed. Many variables are involved, with concurrent diagnoses (i.e., unfamiliar maintenance task requiring high skill).
Execution
- Nominal - execution of the action is simple and straightforward and the crew or individual is highly skilled in performing the task
- Degraded - execution requires rapid performance of multiple, complicated steps, the performance of steps by the same individual at multiple locations, coordination of steps between two or more individuals at the same or multiple locations, or sensitive and careful manipulations. Tasks associated with degraded conditions should be further classified as follows:
  - Moderately complex - somewhat difficult to perform. There is some ambiguity in what needs to be executed. Several variables are involved, perhaps with some concurrent actions (i.e., evolution performed periodically with many steps).
  - Highly complex - very difficult to perform. There is much ambiguity in what needs to be executed. Many variables are involved, with concurrent actions (i.e., unfamiliar maintenance task requiring high skill).
C.3.2.3 Special equipment
Manual actions associated with flooding may require special or portable equipment and personal protective equipment (PPE). Portable equipment may include keys (doors may fail closed in the event of a loss of power), ladders, hoses, torque devices, electrical breaker rackout tools, flashlights, portable pumps and meters, rafts or boats, among others. PPE may include protective clothing to enter high radiation areas or flood-specific protective clothing, such as life jackets, hip waders, or other special purpose gear. Section A.1.4 of Appendix A discusses criteria for crediting the functionality, accessibility and availability of special equipment when needed to perform an action.
The use of special equipment itself may adversely affect action execution. Examples include delays from having to hold a flashlight or aim a headlamp when manipulations are required or from the time required to don PPE; movement restriction and slowed performance to ensure that a raft or boat does not capsize; reduced vision from wearing face protection; reduced manual dexterity from wearing gloves; or reduced communications ability from wearing special purpose gear. In addition, personnel may not be familiar with and highly practiced in using some of the special equipment that may be required in flooding events, resulting in discomfort, delay and an increased likelihood of errors.
Based on the considerations described above, the PSF for special equipment should be categorized using the following scheme:
Nominal - The number and type of special equipment required is minimal and personnel are familiar with and practiced at using it.
Degraded - Extra time is required to access and prepare to use special equipment or use of the equipment slows or interferes with action performance.
C.3.2.4 Human-system interfaces
The availability, functionality and usability of human-system interfaces (HSIs) will impact the performance of some manual actions. HSIs involved in flooding events include the controls and displays provided by portable and temporary equipment, control room HSIs, HSIs for local control stations, and any other hardware or software with which personnel must interact to obtain information or change the state of SSCs. Guidance for the evaluation of HSIs, including evaluation of conventional (non-computerized) HSIs, is available in NUREG-0700 (Ref. (25)).
HSI design may affect both the cognition and execution aspects of a manual action and will likely have a greater impact on local actions than actions in the MCR. For example, if the decision to perform an action depends on readings from meters or gauges that are located in areas that become difficult to access during a flooding event, the cognitive portion of an action will be delayed. Action execution may be delayed if time is required to travel from the location of a display to the equipment to be manipulated. Labeling of components may become particularly important for local actions that must be performed in the dark or extreme weather conditions.
Based on the considerations described above, the PSF for HSIs should be categorized using the following scheme:
Good - the design of the HSIs positively impacts task performance, providing needed information and the ability to carry out tasks in such a way that lessens the opportunities for error (e.g., easy to see, use, and understand computer interfaces; instrumentation is readable from workstation location, with measurements provided in the appropriate units of measure).
Nominal - HSIs required to perform the action are functional, accessible and their design supports human performance under anticipated flooding conditions.
Degraded - HSIs are poorly designed, have been damaged, or are difficult to use under the expected conditions. Degraded HSIs should be further categorized as follows:
- Poor - the design of the plant negatively impacts task performance (e.g., poor labeling, needed instrumentation cannot be seen from a work station where control inputs are made, or poor computer interfaces).
- Missing/Misleading - the required instrumentation fails to support diagnosis or post diagnosis behavior, or the instrumentation is inaccurate (i.e., misleading). Required information is not available from any source (e.g., instrumentation is so unreliable that individuals ignore the instrument, even if it is registering correctly at the time).
C.3.2.5 Procedures
Procedures, or instructions for performing actions, improve human performance by:
- assisting personnel to diagnose the type of event that may be occurring and decide on the required actions to respond to the event;
- providing guidance for how to perform the required actions and verifying that they have been effective; and
- minimizing confusion that may result from conflicting signals, including spurious actuations, or other factors.
Written and maintained plant procedures must be available to cover all credited manual actions. Written procedures should describe what needs to be done (including interpretation of cues), how and where the actions should be performed, and what tools or equipment should be used.
If procedures are not available to guide a manual action, the action should be considered infeasible, except when a strong case can be made that the steps required to complete the manual action are skill-of-the-craft.25 In addition to being available, procedures should be technically accurate, comprehensive, explicit, easy to use, and validated. Personnel should be trained to implement the procedures. If the expected conditions in which the procedures will be used make it difficult or impossible to read the procedure, personnel should either be trained to perform the steps from memory or provisions should be made to communicate the procedure steps to the individual(s) performing them.
The PSF for procedures may affect both the cognition and execution portions of a manual action. Based on the considerations described above, the PSF for HSIs should be categorized using the following scheme:
Cognition
Diagnostic/symptom oriented - diagnostic procedures assist personnel in correctly diagnosing the event. Symptom-oriented procedures (sometimes called function-oriented procedures) provide the means to maintain critical safety functions.
Nominal - Procedures support diagnosis and decision-making, in that they: identify parameters to monitor and criteria that trigger action, are sufficiently comprehensive to apply to the range of circumstances associated with flooding events, are technically accurate, are written at a sufficient level of detail, are easy to use, and have been validated.
Degraded - Procedures are not sufficiently comprehensive to support diagnosis and decision-making for the range of circumstances associated with flooding events.26
- Not available - the procedure needed for a particular task or tasks in the event is not available.
Degraded (or lack of) procedures should be further categorized using the following scheme:
- Incomplete - information is needed that is not contained in the procedure or procedure sections; sections or task instructions (or other needed information) are absent.
- Available, but poor - a procedure is available but it is difficult to use because of factors such as formatting problems, ambiguity, or such a lack in consistency that it impedes performance.
Execution
Nominal - Procedures can be used as written to perform the action.
25 A term describing those tasks in which it is assumed that the workers know certain aspects of the job and need no written instructions, e.g., a plumber replacing a washer in a faucet. (Ref. (38))
26 Procedures should be considered degraded if (1) the procedures do not contain sufficient instructions, guidance or warnings, (2) the procedure design makes it difficult to use (e.g., double-negative instructions, failing to include step checking, sign-offs, or verification), or (3) procedures were developed or revised using an inadequate process.
Degraded - Procedures require modification to apply to the situation, provide an insufficient level of detail, or are not easy to follow. Degraded (or lack of) procedures should be further categorized using the following scheme:
- Not available - the procedure needed for a particular task or tasks in the event is not available.
- Incomplete - information is needed that is not contained in the procedure; sections or task instructions (or other needed information) are absent.
- Available, but poor - a procedure is available, but it contains wrong, inadequate, ambiguous, or other poor information. An example is a procedure that is so difficult to use, because of factors such as formatting, that it degrades performance.
C.3.2.6 Training and experience
Personnel performing required manual actions should have been trained in their individual responsibilities and had opportunities to practice. In evaluating the effectiveness of training, the following factors should be considered:
- Training should establish familiarity with procedures and required actions including operation of any special equipment.
- Training should engender familiarity with potential adverse conditions arising from a flood event (e.g., dangerous weather).
- Training should prepare personnel to handle departures from the expected sequence of events.
- Training should provide the opportunity to practice the skills required to accomplish the manual action (e.g., construction of barriers using special equipment).
Training and experience may also take on added importance for flood protection actions because additional personnel must be called to the site to establish flood protection features. These additional personnel may be unfamiliar with the layout of the site as well as the rigor and procedural adherence expected of personnel in the nuclear industry.
Based on the considerations described above, the PSF for training and experience should be evaluated as follows for ex-control room actions:27
27 Training requirements for in-control room actions should be evaluated using the following criteria.
Training should be considered degraded (low) if any of the following apply:
Training on the action or a specific topic of importance to the action is not provided.
Training content is incomplete, incorrect, out-of-date, or otherwise less than adequate.
The systems approach to training (SAT) (e.g., job or task analysis, definition of knowledge, skills, and abilities (KSAs), task qualification process) was not used to ensure that the worker could successfully perform the task in actual job conditions.
Assumptions about skill-of-the-craft appear to be incorrect, e.g., all operators do not have the experience assumed regarding the mitigation action being reviewed.
Simulator training is:
- incomplete (e.g., it does not simulate the failure of a particular device, or include a particular scenario),
- inaccurate (e.g., it does not match actual plant/system response), or
- the simulator is not used for training even though it is capable of being used.
High - extensive experience and training with the affected SSC and relevant indicators, procedures, and actions has been provided; a master level of expertise has been demonstrated. This level of training/experience provides personnel with extensive knowledge and practice in a wide range of potential scenarios.
Nominal - more than 6 months experience in a nuclear power plant setting and/or training. Specific training on the affected SSC and relevant indicators, procedures, and actions has been provided. This level of training/experience provides an adequate amount of classroom training and practice to ensure that individuals are proficient and familiar with the actions to be performed in a flooding event and have been exposed to abnormal conditions.
Degraded (or low) - less than 6 months experience in a nuclear power plant setting and no training provided regarding the indicators, procedure, or action sequence. This level of training/experience does not provide the knowledge and skills required to adequately perform the required tasks; does not provide adequate practice in those tasks; or does not expose individuals to various abnormal conditions.
C.3.2.7 Workload, pressure and stress
Workload, pressure and stress refer to the amount of work that a crew or individual has to accomplish in the available time (e.g., task load) along with their overall sense of being pressured and/or threatened in some way with respect to what they are trying to accomplish. High workload, time pressure, and stress are generally thought to have a negative impact on the performance of crews or individuals (particularly if the task being performed is considered to be complex).
However, the impact of these factors should be carefully considered in the context of the scenario and that of the other PSFs thought to be relevant. For example, if the scenario is familiar, procedures and training are very good, and the crews or individuals typically implement their procedures well within the available time, relatively high expected levels of workload and stress may not have a significant impact on performance. Alternatively, if the scenario is unfamiliar, the procedures and training for the scenario are considered only adequate, and the time available to complete the action has been shortened because of flooding, workload, time pressure and stress may have a significant adverse impact on performance.
Several individuals should be interviewed independently to evaluate the extent to which workload, pressure and stress would affect performance of the action.
Based on the considerations described above, the PSF for workload, time pressure and stress should be categorized using the following scheme:
Nominal - a level which is conducive to good performance, or at least, is not disruptive.
Degraded - a level at which the performance of most people will deteriorate. This is more likely to occur when the onset of the event is sudden or the situation persists for long periods. This level is also associated with a feeling of threat to one's safety or well-being. Degraded conditions for workload, pressure, and stress should be further categorized as follows:
Personnel are not familiar with the tools required to perform the action.
- High - a level of stress higher than the nominal level (e.g., multiple instruments and annunciators alarm unexpectedly and at the same time; loud, continuous noise impacts ability to focus attention on the task; weather, lighting and/or humidity conditions that impair the individual's ability to obtain required information or perform required actions; elevated but not life threatening radiation levels; the consequences of the task represent a threat to plant safety).
- Extreme - a level of disruptive stress in which the performance of most people will deteriorate drastically. This is likely to occur when the onset of the stressor is sudden and the stressing situation persists for long periods. This level is also associated with the feeling of threat to one's physical well-being or to one's self-esteem or professional status, and is considered to be qualitatively different from lesser degrees of high stress (e.g., catastrophic failures can result in extreme stress for individuals because of the potential for radioactive release). For this qualitative evaluation, if there is extreme stress, the human action is assumed to fail.
C.3.2.8 Environmental factors
The environmental conditions at the location of an action may affect an individual's physical or mental performance. As a result, an individual's capability to perform the required actions may be degraded or precluded. The expected environmental conditions should be considered in both the locations where the manual actions will be performed and along the access and egress routes. Personnel performance can be degraded, if not precluded, by adverse environmental conditions in reaching the location as well as the inability to perform the action in the conditions existing at the location. The environment along the egress route after completion of the action should also be considered to ensure personnel health and safety.
Environmental conditions associated with flooding events that could impair performance include:
- adverse weather (e.g., lightning, hail, wind, precipitation)
- temperatures (e.g., air and water temperatures, particularly if personnel must enter water)
- conditions hazardous to the health and safety of personnel (e.g., electrical hazards, hazards beneath the water surface, drowning, structural debris)
- lack of lighting
- humidity
- radiation
- noise
- vibration
NUREG/CR-5680 (Ref. (26)) describes the impacts of environmental factors on cognitive and physical performance.
The presence and severity of each of these environmental factors should be considered in evaluating the cognitive and execution elements of the manual action. For each environmental factor, categorize the factor using the following scheme:
Nominal - The environmental factor is irrelevant, is at a level unlikely to affect manual performance, or personnel are highly familiar with and experienced in performing actions under the expected conditions.
Degraded - The environmental factor is present and at a level likely to adversely impact performance of the action. Degraded environmental conditions should be further categorized as follows:
- High: environmental conditions could prevent the successful performance of the manual action
- Extreme: environmental conditions present a threat to life-safety or pose a significant risk to the health and safety of personnel performing the action
C.3.2.9 Special fitness issues
Manual actions for flood protection or mitigation may require special types of fitness or involve fitness-for-duty issues. Special physical fitness requirements could include, for example, having the strength and agility to climb up or over equipment to reach a device because the flood has caused the ideal travel path to be blocked; needing the strength to move equipment and connect cables, especially if using a heavy or awkward tool; or having the stamina to use special purpose gear, which is physically demanding and hinders communication.
Fitness-for-duty issues include any personal factors that impair an individual's ability to safely and competently perform the required manual actions. For example, fatigue may become problematic if workload prevents the management of acute fatigue or individuals accrue cumulative fatigue over extended periods of high work hours and limited sleep. Or, if the licensee has declared a General Emergency and an individual with special skills is needed to perform an action but has consumed alcohol within the pre-duty abstinence period specified in 10 CFR Part 26, it may be necessary to establish controls and conditions on that individual's actions that delay performance of the action. Long and continuous work hours cause mental as well as physical impairment. It is appropriate to determine how long a specific operator (worst-case and nominal schedules) could be on shift for the duration of the flood scenario under the restrictions of the current Fatigue Management Plan and under an exemption, if the licensee plans to request one.
For each special fitness issue identified, determine whether it adversely affects cognition, execution or both. Based on the considerations described above, the PSF for special fitness needs should be categorized using the following scheme:
Nominal - special fitness needs are not a barrier to performance of the action and sufficient personnel are available that are physically capable of performing the task.
Degraded - special fitness needs make the task difficult to perform or few or no personnel are physically capable of performing the task.
C.3.2.10 Staffing
In assessing the feasibility of a manual action, the persons performing the action should be qualified. In particular, the evaluation should consider whether the action requires a licensed operator or other special qualifications. The feasibility assessment should consider the availability of a sufficient number of trained personnel without collateral duties during a flood event such that the required manual action can be completed as needed.
Required staff may be normally onsite or available from offsite, if sufficient warning time is available and the flood event does not inhibit access to the site. Consideration should be given to whether task assignments (or task loads) subject one or more workers to excessive physical or mental stress or if concurrent tasks challenge the ability of the person to perform as required. Additional considerations include both normal staffing and minimum staff requirements associated with Technical Specifications. If there are insufficient qualified personnel to complete the action (considering actions that must be performed concurrently), the action should be considered infeasible.
Based on the considerations described above, the PSF for staffing should be evaluated using the following categorization scheme:
Nominal staffing - sufficient qualified personnel to perform the required activities are either 1) onsite, or 2) available offsite with sufficient warning time to arrive onsite and site access is not inhibited by the event. Also taken into account is the availability of qualified personnel to perform all concurrent (simultaneously) required activities.
Degraded (Insufficient) staffing - insufficient qualified personnel are available to perform required activity.
C.3.2.11 Communications
Equipment (e.g., two-way radios) may be required to support communication between personnel to ensure the proper performance of manual actions (e.g., to support the performance of sequential actions and to verify procedural steps). Also, because of the long durations of many flooding scenarios and because of the possible need of offsite support, communication with corporate and governmental organizations is important. Therefore, the causes of the flood's impact on offsite communications must be considered. Because there may be substantial warning time preceding some flood mechanisms, efficient communication may be less important when evaluating the feasibility of manual actions associated with preemptive protective measures. However, mitigation may require actions for which the time available to diagnose, perform, and confirm actions is short. Communications methods should be checked to ensure prevailing conditions do not challenge their effectiveness. The availability of alternate means of communication, if the planned communications system fails, should also be evaluated. Consideration should be given to whether personnel are trained to operate the equipment that is planned to be used as well as alternatives and whether there is feedback in the control room to indicate that portions of communication systems may not be functional due to flooding or wind damage.
Training should ensure effective communication and coordination during a flood event.
Based on the considerations described above, the PSF for communications should be evaluated using the following categorization scheme:
Nominal - communications (both onsite and offsite) are not adversely affected by the flooding event.
Degraded - performance is negatively affected by the lack of, the poor quality of, or likely failures of the communications process/equipment (both onsite and offsite) (e.g., too much static, insufficient number of radios or radio frequencies to support the amount of work, no diversity and redundancy designed into the system).
C.3.2.12 Accessibility
Accessibility of the site and the locations in which manual actions must be performed are uniquely important for flood-related manual actions. Site accessibility should not be assumed in the evaluation of manual actions. For example, a rapid-onset flooding event on the backshift could require the establishment of temporary flood protection features or performance of manual actions associated with mitigation with only minimal staff available.
Roads may become impassable. Severe weather conditions may impact the communications infrastructure such that there could be significant delays in calling out any additional laborers needed. Site inaccessibility issues could also require sequestering personnel, which may create fitness-for-duty issues if conditions for sleeping and eating are uncomfortable or if there is additional stress from worry about personal property and family members.
The accessibility of locations at which actions must be performed is particularly important when evaluating manual actions that must be performed after the onset of flood conditions and throughout the duration of the flood event. The evaluation of accessibility requires the consideration of the travel path required for manual actions given the location of the flood waters and associated effects and how such accessibility might be compromised by the flood. Other accessibility issues include obstructions (e.g., charged fire hoses) and locked doors. In particular, the flood may cause electric security systems to fail locked. In this case, personnel will need to obtain keys for access. Doors that are normally locked should also be considered.
Inundation of an area and the equipment located there will create unique PSFs. Actions that must be performed in inundated areas or requiring personnel and/or equipment to travel through inundated areas, should be considered infeasible unless it can be shown that elevated pathways or other means are available to enable movement through the inundated areas and significant hazards to personnel (e.g., electrical hazards due to presence of water, low temperatures, etc.) are not present.
Based on the considerations described above, the PSFs for accessibility should be categorized for diagnosis and action tasks using the following categorization scheme:
Nominal - the location(s) is reachable and conditions are such that the actions can be performed.
Degraded (inaccessible) - one or more of the required tasks is in a location that the personnel will not be able to reach because of the flood.
C.3.2.13 Scenario-specific PSFs
In addition to the PSFs listed above, performance of a manual action may be affected by unique PSFs that are specific to the flood scenario in which the action is required. For example, safety culture issues may have a larger influence in some scenarios. If actions have high occupational safety, public health and safety or economic consequences, decision-making may be delayed, particularly if roles and responsibilities for these decisions have not been clearly defined in advance. On the other hand, weaknesses in the licensee's safety conscious work environment within some work groups could delay or prevent individuals from raising concerns or offering information about a planned course of action that is necessary to ensure its success. Accessibility of locations, equipment, resources, and personnel will vary among scenarios, and is an important consideration. Scenario-specific PSFs should be added and evaluated as appropriate.
C.4 Evaluate manual action reliability
The purpose of this step is to assess whether feasible manual actions can be performed reliably under the variety of plant conditions that personnel might encounter during flooding.
For a feasible action to be performed reliably, it should be shown that there is adequate time available to account for uncertainties not only in estimates of the time available, but also in estimates of how long it takes to diagnose and execute the actions (e.g., as based, at least in part, on a demonstration of the action under dry conditions). It should be shown that there is extra time available to account for such uncertainties (i.e., margin). For the purposes of the Integrated Assessment, manual actions may be considered reliable if an appropriate time margin is available. At minimum, time margin should be larger than the time required for the worst-case (longest time) credible recovery action (i.e., the margin should be larger than the longest recovery time associated with the action).
This extra time is a surrogate for directly accounting for sources of uncertainty, such as the following, inherent in estimating the time available for an action and the time required to complete it:
Variations in the nature of the flooding scenario and related plant conditions that could affect the time estimates (e.g., fast energetic flooding that fails equipment quickly vs. slowly developing flooding with few or no equipment failures for some time, flooding location relative to important targets)
Factors that cannot be recreated in a demonstration, or in some cases not anticipated for an actual flooding situation, that could cause further delay in the time it could take to perform the actions under actual flooding conditions, as in the following examples:
- Personnel may need to recover from/respond to unexpected difficulties, such as problems with instruments or other equipment (e.g., locked doors, a stiff handwheel, or difficulty with communication devices). Such difficulties can and sometimes do happen and represent a possible uncertainty in how long it will take to perform an action.
- Environmental and other effects might exist that are not included as part of the simulation, such as radiation (e.g., the flood could reasonably damage equipment in a way such that radiation exposure could be an issue at the location in which the action needs to be taken, requiring personnel to don personnel protection clothing, which takes extra time, but which may not be included in the demonstration); effects of equipment inundation which are not likely to be actually simulated; increased noise levels from the flooding itself, the operation of pumps and from personnel shouting instructions; water in areas possibly delaying personnel movements; obstruction from charged hoses; or too many people in one location getting in one another's way. While all these may not actually be simulated, they should be considered as possible (and perhaps even likely) when determining the time it may take to perform a manual action in a real situation.
- The simulation or demonstration might be limited in its ability to account for (or envelop) all possible flooding locations where the actions are needed and for all the different travel paths and distances to where the actions are to be performed. A similar limitation is that the current location and activities of needed plant personnel when the flooding occurs could delay their participation in executing the manual action. The intent of the reliability evaluation is not to address temporary/infrequent situations but to account for those that are typical and may impact the timing of the action.
- It may not be possible to execute relevant actions during the demonstration because of normal plant status and/or safety considerations while at power (e.g., personnel cannot actually operate the valve using the handwheel, but can only simulate doing so).
Typical and expected variability between individuals and crews leading to variations in personnel performance (i.e., human-centered factors), as in the following examples:
- physical size and strength differences that may be important for the desired action
- cognitive differences (e.g., memory ability, cognitive style differences)
- different emotional responses to flooding (e.g., fear of water, concern for family and personal property)
- different responses to wearing any PPE required
- differences in individual sensitivities to real-time pressure
- differences in team characteristics and dynamics
Given the likely experience and training of plant personnel performing the actions, it need not be assumed that these characteristics would lead to major delays in completing the actions, but their potential effects should be considered in the specific flood-related context of the actions being performed, to confirm this assumption.
A tradeoff exists between the extent to which the feasibility assessment is realistic and the uncertainties to be addressed as part of justifying that there is adequate time to perform an action. For instance, more realistic demonstrations of feasibility (e.g., systematic walk-throughs while simulating flood conditions) translate to less uncertainty with regard to justifying that there is adequate time to complete an action. Similarly, gathering information from a larger number of simulations with additional personnel can increase the confidence in estimated completion times. Therefore, the licensee may be able to justify reducing the amount of extra time to be added to address uncertainties for some manual actions.
C.5 Adjustments
If the results of the feasibility and reliability evaluations indicate that a manual action cannot be performed or cannot be performed reliably, it may be possible to modify the nature of the task or aspects of the context in which it must be performed. Examples of adjustments could include changing the anticipated pathway by which personnel will move to the location at which the action must be performed, relocating equipment, adding resources stationed on site, or predetermining decision criteria and command and control authorities for actions with significant potential worker or economic consequences. Planned adjustments to assure the feasibility and reliability of manual actions should be documented in the Integrated Assessment, as well as the basis/justification for a conclusion that the adjustments will lead to acceptable human performance.
C.6 Documentation
Documentation of the evaluation of human actions should include:
- The HFE narrative (described in Section C.2 of this Appendix).
- A description of the sources of information used for the evaluation and justification of their applicability to the action.
- A detailed description of the methods (e.g., simulation, talk-throughs, walk-throughs, mock-ups, expert elicitation) used to develop and adjust the values for the timing elements in Figure C 1 for each action. This description should include the qualifications and experience levels of the subject matter experts involved in collecting or estimating the timing information, and the number of times each action was simulated to develop the timing estimates or the number of experts who provided independent estimates.
- For each PSF that the licensee determines does not apply to the human action, a description of the basis for excluding the PSF from consideration.
- The calculated time margin for completing the action.
- A detailed description justifying the categorization of all PSFs.
Table C1: Documentation of performance shaping factors for cognition
| PSFs | PSF categories | Applicable category | Summary of justification |
|---|---|---|---|
| Cues and indications | Nominal | | |
| | Degraded | | |
| Complexity | Obvious diagnosis | | |
| | Nominal | | |
| | Degraded: moderately complex | | |
| | Degraded: highly complex | | |
| Special Equipment | Nominal | | |
| | Degraded | | |
| Human-system interfaces | Good | | |
| | Nominal | | |
| | Degraded: poor | | |
| | Degraded: missing/misleading | | |
| Procedures | Diagnostic/symptom oriented | | |
| | Nominal | | |
| | Degraded: not available | | |
| | Degraded: incomplete | | |
| | Degraded: available but poor | | |
| Training and experience | High | | |
| | Nominal | | |
| | Degraded (low) | | |
| Workload, pressure, and stress | Nominal | | |
| | Degraded: high | | |
| | Degraded: extreme | | |
| Environmental factors [may require multiple entries] | Nominal | | |
| | Degraded: high | | |
| | Degraded: extreme | | |
| Special fitness issues | Nominal | | |
| | Degraded | | |
| Staffing | Nominal | | |
| | Degraded | | |
| Communications | Nominal | | |
| | Degraded | | |
| Accessibility | Nominal | | |
| | Degraded | | |
| Scenario-specific PSFs added as appropriate | | | |
Shaded cells indicate PSFs meeting the criteria: (1) the PSF for workload, pressure, and stress categorized as high or nominal, and (2) all other PSFs are categorized as nominal or better.
Table C2: Documentation of performance shaping factors for action
| PSFs | PSF categories | Applicable category | Summary of justification |
|---|---|---|---|
| Cues and indications | Nominal | | |
| | Degraded | | |
| Complexity | Obvious diagnosis | | |
| | Nominal | | |
| | Degraded: moderately complex | | |
| | Degraded: highly complex | | |
| Special Equipment | Nominal | | |
| | Degraded | | |
| Human-system interfaces | Good | | |
| | Nominal | | |
| | Degraded: poor | | |
| | Degraded: missing/misleading | | |
| Procedures | Nominal | | |
| | Degraded: not available | | |
| | Degraded: incomplete | | |
| | Degraded: available but poor | | |
| Training and experience | High | | |
| | Nominal | | |
| | Degraded (low) | | |
| Workload, pressure, and stress | Nominal | | |
| | Degraded: high | | |
| | Degraded: extreme | | |
| Environmental factors [may require multiple entries] | Nominal | | |
| | Degraded: high | | |
| | Degraded: extreme | | |
| Special fitness issues | Nominal | | |
| | Degraded | | |
| Staffing | Nominal | | |
| | Degraded | | |
| Communications | Nominal | | |
| | Degraded | | |
| Accessibility | Nominal | | |
| | Degraded | | |
| Scenario-specific PSFs added as appropriate | | | |
Shaded cells indicate PSFs meeting the criteria: (1) the PSF for workload, pressure, and stress categorized as high or nominal, and (2) all other PSFs are categorized as nominal or better.
Figure C 1: Framework for conducting a human action timing analysis
APPENDIX D: Existing references and resources
The goal of this Appendix is to provide references to existing assessments of external flood risk at nuclear power plants. These references may provide useful resources and insights for performance of certain aspects of the Integrated Assessment. However, this Appendix does not necessarily endorse the methodologies used in the external flood risk studies referenced here and these references do not supersede the guidance contained in this ISG.
D.1 Evaluations performed under the NRC Significance Determination Process
In June 2010, NRC inspectors identified an apparent violation of Technical Specification 5.8.1.a, "Procedures," at Fort Calhoun Station for failure to establish and maintain procedures that protect the intake structure and auxiliary building during external flooding events. An NRC senior reactor analyst performed a Phase 3 significance determination process (SDP) analysis, which is documented in Ref. (27). The analysis described in Ref. (27) was performed to represent a best-estimate risk evaluation of a specific performance deficiency related to flood protection. As such, the analysis has a different purpose and smaller scope than evaluations performed as part of the Integrated Assessment. Nonetheless, the analysis contained in Ref. (27) provides insights on how flood risks have been considered in other applications. In particular, Section 2 of Attachment 2 in Ref. (27) demonstrates the calculation of conditional core damage probability (CCDP), given flood elevations in varying ranges and the equipment compromised at those elevations (with and without the availability of flood protection). This portion of the assessment pertaining to the calculation of CCDP under the performance deficiency (i.e., given the failure of flood protection) is conceptually consistent with the type of evaluations required under a margins-type evaluation of mitigation capability. Section 2 in Ref. (27) also considers flood frequencies corresponding to a range of flood heights. This information is convolved with the estimates of CCDP given each flood range. This assessment is conceptually consistent with a PRA-based evaluation of mitigation capability.
Moreover, the SDP discusses evaluations performed of additional methods for mitigating the event (e.g., alternate methods of refilling the essential feedwater tank and use of tabletop generated, non-proceduralized actions), including consideration of human failure probabilities based on application of SPAR-H (Ref. (11)). Under the SDP, the analysis was simplified to: (1) calculation of flooding frequencies, (2) computation of the gasoline powered pump system probability (estimated by fault tree as described in Ref. (27)), and (3) comparison of risk assuming flood protection failure to the baseline risk.
D.2 Evaluations performed under Task Action Plan A-45
Task Action Plan (TAP) A-45 was initiated to evaluate the safety adequacy of decay heat removal systems in existing light water reactor nuclear power plants and to assess the value and impact of alternative measures for improving the overall reliability of the decay heat removal function. PRA and deterministic evaluations were used to evaluate decay heat removal systems and support systems required to achieve hot standby and cold shutdown. The following six plants were analyzed under the program:
- Arkansas Nuclear One-1 (Ref. (28))
- Point Beach (Ref. (29))
- Quad Cities (Ref. (30))
- St. Lucie (Ref. (31))
- Turkey Point (Ref. (32))
- Cooper (Ref. (33))
It was beyond the scope of TAP A-45 to perform an in-depth PRA. The objective was to conduct an analysis that quantified the significant threats to the plant. The authors indicate that the analysis performed embodies the basic philosophy of a full scope probabilistic risk assessment. As such, in many cases, the scope of the TAP A-45 evaluations may be more limited than the evaluations required by the Integrated Assessment, and not all facets pertaining to the Integrated Assessment are considered under TAP A-45.
To evaluate the frequency of plant damage due to external flooding, the following five tasks were performed:
1. Plant familiarization
2. Hazard analysis
3. Fragility analysis
4. Systems analysis
5. Risk quantification
There are necessary differences in the specific methodologies and techniques used to evaluate external flood risk at each site. The summary provided here is intended to provide a general overview of what was done at the sites and not all parts may be explicitly used at a given site.
The purpose of plant familiarization (step 1) was to gather information on the occurrence of external hazards and the vulnerability of plant structures and equipment to flooding (e.g., plant location and flood hazard, plant design basis, and vulnerable structures and equipment). The hazard analysis (step 2) was performed in two steps: (1) screening, and (2) evaluation of the frequency of occurrence. Due to the differences in flood hazard at each site, TAP A-45 uses site-specific approaches to assessing flood hazard. Fragility analysis (step 3) was performed for structures and equipment vulnerable to the effects of external flooding. A conservative approach was used in developing capacities of structures and equipment to resist external flood loads. An approach was used that is similar to that used in seismic applications. Fragility functions were typically computed with respect to hydrostatic loads and did not consider both flood height and associated effects, as required under the Integrated Assessment. Systems analysis (step 4) involved evaluation of the response of the plant to safety system failures. The systems analysis describes the component and system failures due to external flooding and the associated effect on plant functions. Simple functional event trees were used to model the plant response to external flooding. Risk is quantified (step 5) by determining core melt probability using system failure information and the functional event tree developed under step 4. The core melt frequency is determined by consideration of flood frequency and conditional core melt probability given an external flood event.
D.3 NUREG/CR-5042, Evaluation of External Hazards to Nuclear Power Plants in the United States
Ref. (34) investigates the effect of external hazards on nuclear power plants in the United States. The objective of the work was to gain an understanding of whether external initiators (internal fires, high winds and tornados, external flood and transportation accidents) are among the major potential accident initiators. Ref. (34) documents a review and evaluation of what was known (at the time) about the risk of core-damage accidents and potential for large radiological release as a result of external floods. The report uses two figures of merit as evaluation criteria: (1) mean core damage frequency less than 1 × 10⁻⁵, and (2) frequency of large early release less than 1 × 10⁻⁶. Ref. (34) provides a review of NRC's regulatory approach, General Design Criteria, Appendix A of 10 CFR 100, the Standard Review Plan, regulatory guides, papers and reports, selected plant specific documents, and PRA literature on flooding at nuclear power plants. Reviewed literature includes the following sources:
- Indian Point Probabilistic Safety Study, 1983
- Probabilistic Risk Assessment, Limerick Generating Station, 1981
- Severe Accident Risk Assessment, Limerick Generating Station, 1983
- Millstone Unit 2 Probabilistic Safety Study, 1983
- Oconee PRA, A Probabilistic Risk Assessment of Oconee Unit 3, 1984
- Zion Probabilistic Safety Study, 1982
- Studies performed under TAP A-45, 1987 (see Section D.2)
Ref. (34) provides a summary of the above references and offers conclusions based on available literature. The report also describes a proposed approach for plant evaluation of external flood risk. The approach involves evaluation of the frequency of large flood events and contingent likelihood of an accident scenario given a large flood. Bounding analysis is suggested as a means to easily demonstrate the figures of merit are met. If a probabilistic bounding assessment cannot demonstrate risk is acceptably low (i.e., figures of merit are met) then a more extensive plant response analysis is required (e.g., through a full-scope PRA).
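The quantification described in Sections D.1 through D.3 (flood frequency per height range convolved with CCDP, comparison of the flood-protection-failed case against the baseline, and a bounding check against the core damage frequency figure of merit) can be illustrated with the following Python example, which is added here and is not taken from Ref. (27), the TAP A-45 studies, or Ref. (34). All flood ranges, frequencies and CCDP values are constructed, the function and class names are hypothetical, and treating frequencies as per-year values is an assumption.

```python
"""Flood risk quantification: frequency of each flood-height range
convolved with conditional core damage probability (CCDP)."""
from dataclasses import dataclass

# Figure of merit quoted in Section D.3 (mean core damage frequency).
CDF_FIGURE_OF_MERIT = 1e-5


@dataclass(frozen=True)
class FloodRange:
    low_m: float             # lower bound, metres above site grade (assumed unit)
    high_m: float            # upper bound, metres above site grade
    freq_per_yr: float       # frequency of a flood peaking in this range
    ccdp_protected: float    # CCDP with flood protection available
    ccdp_unprotected: float  # CCDP given failure of flood protection


# Constructed sample data; not taken from any referenced study.
SAMPLE = [
    FloodRange(0.0, 1.0, 2e-3, 1e-5, 1e-3),
    FloodRange(1.0, 2.0, 5e-4, 1e-4, 2e-2),
    FloodRange(2.0, 4.0, 1e-4, 1e-2, 1.0),
]


def validate(ranges):
    """Reject bins that overlap, leave gaps, or carry impossible values."""
    for prev, cur in zip(ranges, ranges[1:]):
        if cur.low_m != prev.high_m:
            raise ValueError("flood ranges must be contiguous and ordered")
    for r in ranges:
        if r.high_m <= r.low_m or r.freq_per_yr < 0:
            raise ValueError(f"bad range {r}")
        for p in (r.ccdp_protected, r.ccdp_unprotected):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"CCDP outside [0, 1] in {r}")


def core_damage_frequency(ranges, protected=True):
    """Sum over ranges of (flood frequency x CCDP given that range)."""
    validate(ranges)
    return sum(r.freq_per_yr * (r.ccdp_protected if protected
                                else r.ccdp_unprotected) for r in ranges)


def delta_cdf(ranges):
    """Risk increase when flood protection is assumed failed vs. baseline."""
    return (core_damage_frequency(ranges, protected=False)
            - core_damage_frequency(ranges, protected=True))


def bounding_screen(ranges):
    """Bounding check: assume CCDP = 1 for every flood in the table."""
    validate(ranges)
    bound = sum(r.freq_per_yr for r in ranges)
    return bound, bound < CDF_FIGURE_OF_MERIT
```

With the constructed data the bounding check does not meet the figure of merit, so the range-by-range CCDP calculation is what demonstrates the baseline result; this mirrors the escalation from bounding analysis to plant response analysis described for Ref. (34).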
D.4 Individual Plant Examination of External Events (IPEEE) Program
External flooding was evaluated under the Individual Plant Examination of External Events (IPEEE) Program. Ref. (35) documents the perspectives gained as a result of the review of the IPEEE submittals. The report observes that under the IPEEE Program, twelve submittals reported the contribution of external flooding to core damage frequency. Typically, submittals treated external flooding as leading to a loss of offsite power (typically assumed unrecoverable) with additional random failures that could lead to core damage. Some submittals considered additional flood-induced damage (e.g., loss of intake structure, failures of diesel fuel oil transfer pumps, as well as failures of safety-related equipment in the diesel generator, auxiliary, and turbine buildings). The majority of sites used a qualitative screening rather than a PRA to evaluate external flooding under the IPEEE Program (Ref. (35)).