ML16172A343

Person / Time |
---|---
Issue date: | 06/20/2016
From: | Anders Gilbertson NRC/RES/DRA/PRB
To: |
 | Anders Gilbertson 301-415-1541
References | DG-1285
D R A F T D R A F T D R A F T Revised Draft of Section 2.1 from DG-1285 1
2.1 Evaluation of Defense-in-Depth Attributes and Safety Margins
One aspect of the engineering evaluation is to show that the proposed change does not compromise the fundamental safety principles on which the plant design was based. Design-basis accidents (DBAs) play a central role in the design of nuclear power plants. DBAs are a combination of postulated challenges and failure events against which plants are designed to ensure adequate and safe plant response. During the design process, plant response and associated safety margins are evaluated using assumptions of physical properties and operating characteristics that are intended to be conservative. National standards and other considerations such as defense-in-depth attributes and the single-failure criterion constitute additional engineering considerations that also influence plant design and operation.

The licensee's proposed LB change may affect margins and defenses incorporated into the current plant design and operation; therefore, the licensee should reevaluate these items to support a requested LB change. As part of this evaluation, the impact of the proposed LB change on the functional capability, reliability, and availability of affected equipment should be determined. The plant's LB identified in the FSAR is the reference point for judging whether a proposed change adversely affects safety margins or defense-in-depth. Sections 2.1.1 and 2.1.2 below provide guidance on assessing whether implementation of the proposed change maintains adequate safety margins and consistency with the defense-in-depth philosophy.
2.1.1 Defense-in-Depth

The engineering evaluation should evaluate whether the impact of the proposed LB change is consistent with the defense-in-depth philosophy. In this regard, the intent of this key principle of risk-informed decision-making is to ensure that any impact of the proposed LB change on defense-in-depth is fully understood and addressed and that the philosophy of defense-in-depth is maintained; not to prevent changes in the way defense-in-depth is achieved. The licensee must fully understand how the change will impact the design, operation and maintenance of the plant, both from risk and traditional engineering perspectives.

This section provides some background on the defense-in-depth philosophy. Next is a discussion of seven key factors that may be used to evaluate the impact of a proposed change on defense-in-depth. One or more examples are provided to help illustrate what is meant by each factor. Finally, this section provides guidance on a process for evaluating the seven key factors, including an integrated example.

2.1.1.1 Background

Defense-in-depth is an element of the NRC's safety philosophy that employs successive compensatory measures to prevent accidents or mitigate damage if a malfunction, accident, or naturally caused event occurs at a nuclear facility.[1] The defense-in-depth philosophy has traditionally been applied in reactor design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It has been and continues to be an effective way to account for uncertainties in equipment and human performance and, in particular, to account for the potential for unknown and unforeseen failure mechanisms or phenomena, which (because they are unknown or unforeseen) may not be reflected in either the PRA or traditional engineering analyses.

[1] Staff Requirements Memorandum (SRM) - SECY-98-0144, "White Paper on Risk-Informed and Performance-Based Regulation," March 1, 1999 (Agencywide Documents Access and Management System (ADAMS) accession number ML003753601).
For the purposes of this RG, it is useful to consider the following layers of defense (successive measures) when evaluating the impact of the proposed licensing basis change on defense-in-depth:

- Robust plant design to survive hazards and minimize challenges that could result in an event occurring;
- Prevention of a severe accident (core damage) should an event occur;
- Containment of the source term should a severe accident occur; and,
- Protection of the public from any releases of radioactive material (through, e.g., siting in low population areas and the ability to shelter or evacuate people if necessary).

2.1.1.2 Key Factors for Evaluating the Impact of LB Changes on Defense-in-depth

Any one or more of the layers of defense discussed above may be adversely impacted by a proposed change to a plant's licensing basis. The NRC has identified seven factors that should be used to assess the impact of the change on defense-in-depth. These are discussed in detail below. Guidance on how to apply these factors is discussed in more detail in Section 2.1.1.3.

The NRC finds it acceptable for a licensee to use the following seven key factors to evaluate whether a proposed change to the LB maintains the philosophy of defense-in-depth.
1. Preserve a reasonable balance among the layers of defense.

a. Guidance

A proposed change should not significantly reduce the effectiveness of a layer of defense that exists in the plant design before the proposed change.

The evaluation of the proposed change should consider insights based on traditional engineering approaches; insights from risk assessments may be used to support engineering insights, but should not be the only justification for meeting this factor.

b. Discussion

A reasonable balance of the layers of defense (minimizing challenges to the plant, preventing any events from progressing to core damage, containing the radioactive source term, and emergency preparedness) helps to ensure an apportionment of the plant's capabilities between limiting disturbances to the plant and mitigating their consequences. The term "reasonable balance" is not meant to imply an equal apportionment of capabilities. A reasonable balance is preserved if the proposed plant change does not significantly reduce the effectiveness of a layer that exists in the plant design before the proposed change. The NRC recognizes that there may be aspects of a plant's design that may cause one of the layers to be adversely affected. For these situations, the balance among the other three layers becomes especially important when evaluating the impact of a proposed change to the LB and its impact on defense-in-depth.

If a comprehensive risk analysis is done, it can provide insights into whether the balance among the layers of defense remains appropriate to ensure protection of public health and safety. Such a risk analysis would not only include the likelihood of challenges to the plant (i.e., initiating event frequencies) from various hazards, but would include estimates of core damage frequency, containment response and, in some cases, dose estimates to the public. It would include implementation of the emergency plan and estimate the effectiveness of actions such as sheltering in place or evacuation.

Note that the risk acceptance guidelines in this RG are based on the surrogates for the Commission's quantitative health objectives, CDF and LERF. These risk metrics, developed as part of the risk assessment, can help inform the licensee's assessment of the relative balance between the second and third layers of defense.

However, to address the unknown and unforeseen failure mechanisms or phenomena, the licensee's evaluation of this factor of defense-in-depth should also address insights based on traditional engineering approaches. Results of the risk assessment may be used to support the conclusion but should not be the only justification for meeting this factor. The licensee should consider the impact of the proposed change on each of the layers of defense:

- Robust plant design to survive hazards and minimize challenges that could result in an event occurring - the change should not significantly increase the likelihood of initiating events or create new significant initiating events;
- Prevention of a severe accident (core damage) should an event occur - the change should maintain the availability and reliability of SSCs that provide the safety functions that prevent plant challenges from progressing to core damage;
- Containment of the source term should a severe accident occur - the change should maintain the containment and SSCs that support that barrier, such as containment fan coolers and sprays; and,
- Protection of the public from any releases of radioactive material - the change should not reduce the effectiveness of the EP program, including the ability to detect and measure releases of radioactivity, to notify offsite agencies and the public, and to shelter or evacuate the public as necessary.

c. Examples

[Under development]
2. Preserve adequate capability of design features without an over-reliance on programmatic activities as compensatory measures.

a. Guidance

A proposed change should not significantly reduce the reliability and availability of design features to perform their safety functions.

The evaluation of the proposed change should demonstrate that the change does not result in overreliance on programmatic activities to compensate for a proposed reduction in the capability of engineered safety features.

b. Discussion

Nuclear power plant licensees implement a number of programs, including, for example, programs for quality assurance, testing and inspection, maintenance, control of transient combustible material, foreign material exclusion, containment cleanliness, training, and so forth. In some cases, activities taken as part of these programs are used to ensure safety functions; for example, reactor vessel inspections that provide assurance that reactor vessel failure is unlikely.

A proposed change that does not affect how safety functions are performed or reduce the reliability or availability of the SSCs that perform those functions would meet this defense-in-depth factor. However, a licensee could contemplate a change where a reduction in the capability of those SSCs is compensated in some manner by reliance on plant programs. In such a case, the licensee should assess whether the proposed change would increase the need for programmatic activities to compensate for the lack of engineered features. If the change requires new or additional reliance on such programs, the licensee should justify that reliance on these measures is not excessive. Use of compensatory measures may be considered overreliance when a program is substituted for an engineered means of performing a safety function, or when failure of the programmatic activity could prevent an engineered safety feature from performing its intended function.

The NRC also recognizes that compensatory measures are sometimes associated with temporary conditions. A licensee may request a risk-informed change to the plant's licensing basis to permit occasional entry into conditions requiring measures that rely on plant programs to compensate for reduced capability of engineered systems, or on a one-time basis to allow completion of corrective action to restore engineered systems to match the design and licensing basis. For such situations, the licensee should demonstrate that the plant condition requiring such compensatory measures would occur at a sufficiently low frequency or that the time frame to effect corrective action is commensurate with the significance of the non-conforming condition.

c. Examples

[Under development]
3. Maintain sufficient availability and reliability of SSCs commensurate with their importance to safety.

a. Guidance

A proposed change should not defeat the redundancy, independence, or diversity of design features.

The evaluation of the proposed change should demonstrate that the change does not result in a substantial reduction in the availability or reliability of the associated SSCs, e.g., by introduction of a new single failure.

b. Discussion

The importance of system redundancy, independence and diversity is to ensure that the system function can be achieved. A proposed risk-informed change should consider both safety-related and nonsafety-related SSCs that are important to core damage or large early release. Redundancy provides for duplicate equipment that enables the failure or unavailability of at least one set of equipment to be tolerated without loss of function. Independence among equipment implies that the redundant equipment is separate such that it does not rely on the same supports to function. It can sometimes be achieved by the use of physical separation or physical protection. Diversity is accomplished by having equipment that performs the same function rely on different attributes, such as different principles of operation, different physical variables, different conditions of operation, or production by different manufacturers.

A substantial reduction in the ability to accomplish a safety function would likely undermine the effectiveness of a layer of defense-in-depth and, therefore, would not be consistent with the defense-in-depth philosophy. A safety function may be compromised if one of the plant features that provides for either system redundancy, independence, or diversity is defeated. This adverse impact could occur by the introduction of a new dependency that could potentially defeat the redundancy, independence or diversity of the affected equipment. That is, system redundancy, independence and diversity can be assumed to be sufficient if, given the proposed licensing change, the affected system safety function can be accomplished assuming a single failure.

The licensee should demonstrate that the proposed licensing change would not affect system redundancy, independence, or diversity of the affected equipment; that is, the affected system safety function can still be accomplished assuming a single failure.

c. Examples

[Under development]
4. Preserve adequate defense against potential common-cause failures (CCF).

a. Guidance

A proposed change should not reduce defenses against CCFs that could defeat the redundancy, independence, and/or diversity of DID layers, fission product barriers, and engineered safety features.

The evaluation of the proposed change should demonstrate that the change does not result in a reduction of existing CCF defenses or introduce new CCF dependencies.

b. Discussion

An important aspect of ensuring defense-in-depth is to guard against CCF. Failure of several devices or components to function may occur as a result of a single specific event or cause. Such failures may simultaneously affect several different items important to risk. The event or cause may be a design deficiency, a manufacturing deficiency, an operating or maintenance error, a natural phenomenon, a human-induced event, or an unintended cascading effect from any other operation or failure within the plant.

The licensee should evaluate the proposed change to determine whether it increases the potential for events or causes that would be a CCF. The licensee should also evaluate the proposed change to determine whether new CCF mechanisms could be introduced.

c. Examples

[Under development]
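To make the single-failure test of factor 3 and the new-dependency test of factor 4 concrete, the following Python script is an added illustration; it is not part of DG-1285 and not NRC code. It models a safety function as redundant trains, each relying on its own equipment plus a set of support systems, enumerates every single failure of a train or support, and flags any support shared between trains as a potential common-cause dependency. The safety function, train and support names are constructed for the example, and the "before" and "after" configurations are a hypothetical change, not one taken from the guide.

```python
"""Single-failure and shared-support screen for a redundant safety function.

Added illustration for DG-1285 factors 3 and 4; not NRC code and not part of
the draft guide. A safety function is modelled as a set of trains, each
needing its own equipment plus a set of support systems. The screen
enumerates every single failure (any one train or support) and reports the
ones after which too few trains remain, and it lists supports shared by more
than one train as common-cause dependencies. All plant, train and support
names below are constructed for the example.
"""
from dataclasses import dataclass
from itertools import chain


@dataclass(frozen=True)
class Train:
    name: str
    supports: frozenset  # support systems (power, cooling, ...) this train needs


@dataclass
class SafetyFunction:
    name: str
    trains: list
    trains_required: int = 1  # trains that must operate for success

    def components(self):
        """Every train and every support system, as single-failure candidates."""
        supports = set(chain.from_iterable(t.supports for t in self.trains))
        return sorted({t.name for t in self.trains} | supports)

    def available(self, failed):
        """Count trains whose own equipment and all supports survive the failures."""
        return sum(1 for t in self.trains
                   if t.name not in failed and not (t.supports & failed))

    def single_failure_violations(self):
        """Single failures after which fewer than trains_required trains remain."""
        return [c for c in self.components()
                if self.available({c}) < self.trains_required]

    def shared_supports(self):
        """Supports relied on by more than one train: a potential CCF dependency."""
        counts = {}
        for t in self.trains:
            for s in t.supports:
                counts[s] = counts.get(s, 0) + 1
        return sorted(s for s, n in counts.items() if n > 1)


def evaluate_change(before, after):
    """Screen a proposed change by comparing the function before and after it.

    A new shared support or a new single-failure vulnerability is the kind of
    new dependency the guidance says can defeat redundancy or independence.
    This is a screening aid only; it does not replace the engineering
    evaluation the guide calls for.
    """
    new_shared = sorted(set(after.shared_supports()) - set(before.shared_supports()))
    new_violations = sorted(set(after.single_failure_violations())
                            - set(before.single_failure_violations()))
    return {
        "new_shared_supports": new_shared,
        "new_single_failure_violations": new_violations,
        "passes_screen": not new_shared and not new_violations,
    }


# Constructed example: a two-train function with independent power and cooling.
BEFORE = SafetyFunction("Auxiliary feedwater (hypothetical)", [
    Train("AFW pump A", frozenset({"Bus A", "Service water A"})),
    Train("AFW pump B", frozenset({"Bus B", "Service water B"})),
])

# Hypothetical change: both pumps re-routed to one common cooling header.
AFTER = SafetyFunction("Auxiliary feedwater (hypothetical)", [
    Train("AFW pump A", frozenset({"Bus A", "Common cooling header"})),
    Train("AFW pump B", frozenset({"Bus B", "Common cooling header"})),
])

if __name__ == "__main__":
    for label, fn in (("before", BEFORE), ("after", AFTER)):
        print(label, "single-failure violations:", fn.single_failure_violations(),
              "shared supports:", fn.shared_supports())
    print(evaluate_change(BEFORE, AFTER))
```

The "before" configuration survives any single failure because each train has its own bus and cooling supply; the hypothetical change leaves the two trains nominally redundant but makes both depend on one cooling header, so a single failure of that header defeats the safety function, which is exactly the new dependency factors 3 and 4 ask the licensee to look for.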
5. Maintain multiple fission product barriers.

a. Guidance

A proposed change should not significantly reduce the effectiveness of the multiple fission product barriers.

The evaluation of the proposed change should demonstrate that the change does not:

- Create a significant increase in the likelihood or consequence of an event that simultaneously challenges multiple barriers and is within the plant's existing licensing basis.
- Introduce the possibility of a new event that would simultaneously impact multiple barriers.

b. Discussion

This factor refers to the physical fission product barriers (e.g., the fuel cladding, reactor coolant system pressure boundary, and containment). This includes the physical barriers themselves and any equipment relied upon to protect the barriers (e.g., containment spray). In general, these barriers are designed to perform independently so that a complete failure of one barrier does not disable the next subsequent barrier. For example, one barrier, the containment, is designed to withstand a double-ended guillotine break of the largest pipe in the reactor coolant system, another barrier.

A plant's licensing basis may contain events that, by their very nature, challenge multiple barriers simultaneously. Examples include interfacing-system LOCA and SGTR. Therefore, complete independence of barriers, while a goal, may not be achievable for all possible scenarios.

To demonstrate that this factor is met, the licensee should demonstrate that the change does not create a significant increase in the likelihood or consequence of an event that simultaneously challenges multiple barriers and is within the plant's existing licensing basis.

Furthermore, the licensee should demonstrate that the change does not introduce the possibility of a new event that would simultaneously impact multiple barriers. If this cannot be shown, the licensee should:

- Perform a deterministic analysis to show that the simultaneous challenge to multiple barriers caused by the new event can be mitigated. This may be done by assuming that the new event has occurred and performing an analysis (using conservative assumptions) demonstrating that affected barriers would perform their safety function; or
- Use the results of the plant's PRA to demonstrate that the likelihood of the new event is sufficiently low such that independence of barriers would not be significantly affected by the proposed change.

c. Examples

[Under development]
6. Preserve sufficient defense against human errors.

a. Guidance

A proposed change should not significantly increase the potential for or create new human errors that may adversely affect one or more layers of defense.

The evaluation of the proposed change should demonstrate that the change does not:

- create new human failure events that have a significant adverse impact on risk;
- significantly increase the burden on the operators responding to events; or,
- significantly increase the human error probability of existing operator actions.

b. Discussion

Human errors include the failure of operators to perform the actions necessary to operate the plant or respond to off-normal conditions and accidents, errors committed during test and maintenance, and operators performing an incorrect action. Human errors can result in the degradation or failure of a system to perform its function, thereby significantly reducing the effectiveness of one of the defense-in-depth layers or one of the fission product barriers.

The plant design and operation includes defenses to prevent the occurrence of such errors and events. These defenses generally involve the use of procedures, training, and human engineering; however, other factors, e.g., communication protocols, may also be important.

In determining whether these defenses are preserved, the licensee should assess whether the proposed change would create new operator actions that significantly impact the change in risk, place a greater mental/physical demand on operators in responding to events, or increase the probability of existing operator errors. The licensee should consider whether the change creates new situations that are likely to cause errors, not only for operators, but for maintenance personnel and other plant staff.

c. Examples

[Under development]
7. Continue to meet the intent of the plant's design criteria. [NRC staff is considering deleting this evaluation factor and expanding the narrative of the first paragraph of Section 2.1.1 of this document to more fully explain the concept of this factor.]

a. Guidance

A proposed change should not affect meeting the intent of the plant's design criteria referenced in the licensing basis.

The evaluation of the proposed change should demonstrate that the change does not affect meeting the intent of the plant's design criteria referenced in the licensing basis.

b. Discussion

The plant's design criteria establish the necessary design, fabrication, construction, testing, and performance requirements for SSCs important to safety; that is, SSCs that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public. The plant's design criteria define minimum requirements that achieve aspects of the defense-in-depth philosophy; as a consequence, a compromise to those design criteria can directly result in a significant reduction in the effectiveness of one or more of the defense-in-depth layers.

When evaluating the effect of the proposed change, the licensee should demonstrate that the intent of the plant's design criteria continues to be met.

The General Design Criteria of Appendix A to 10 CFR 50 form the basis for the design criteria for newer plants. In some cases, exemptions to specific GDC may have been granted. Older plants may have been licensed to other criteria, such as the AEC draft design criteria. A given plant's design criteria are summarized in its UFSAR. This factor of defense-in-depth should consider the current licensing basis of the plant.

c. Examples

[Under development]