ML16237A382

| Field | Value |
|---|---|
| Accession number | ML16237A382 |
| Issue date | 08/24/2016 |
| From | Anders Gilbertson, NRC/RES/DRA/PRAB, 301-415-1541 |
| Shared package | ML16237A351 |
| References | DG-1285 |
DRAFT: Revised Draft of Section 2.1 from DG-1285 [7-27-16]

2.1 Evaluation of Defense-in-Depth Attributes and Safety Margins
One aspect of the engineering evaluation is to show that the proposed change does not compromise the fundamental safety principles on which the plant design was based. Design-basis accidents (DBAs) play a central role in the design of nuclear power plants. DBAs are a combination of postulated challenges and failure events against which plants are designed to ensure adequate and safe plant response. During the design process, plant response and associated safety margins are evaluated using assumptions of physical properties and operating characteristics that are intended to be conservative. National standards and other considerations such as defense-in-depth attributes and the single-failure criterion constitute additional engineering considerations that also influence plant design and operation. The licensee's proposed LB change may affect margins and defenses incorporated into the current plant design and operation; therefore, the licensee should reevaluate the safety margins and layers of defense to support a requested LB change. As part of this evaluation, the impact of the proposed LB change on the functional capability, reliability, and availability of affected equipment should be determined. The plant's LB identified in the FSAR is the reference point for judging whether a proposed change adversely affects safety margins or defense-in-depth. Sections 2.1.1 and 2.1.2 below provide guidance on assessing whether implementation of the proposed change maintains adequate safety margins and consistency with the defense-in-depth philosophy.
2.1.1 Defense-in-Depth

The engineering evaluation should evaluate whether the impact of the proposed LB change is consistent with the defense-in-depth philosophy. In this regard, the intent of this key principle of risk-informed decision-making is to ensure that any impact of the proposed LB change on defense-in-depth is fully understood and addressed and that the philosophy of defense-in-depth is maintained, not to prevent changes in the way defense-in-depth is achieved. The licensee must fully understand how the change will impact the design, operation, and maintenance of the plant, both from risk and traditional engineering perspectives.
This section provides some background on the defense-in-depth philosophy, including a discussion of the high-level objective for defense-in-depth. Next is a discussion of five considerations that may be used to evaluate the impact of a proposed change on defense-in-depth. One or more examples are provided to help illustrate what is meant by each consideration. Finally, this section provides guidance on a process for evaluating any changes to defense-in-depth, including an integrated example.
2.1.1.1 Background

Defense-in-depth is an element of the NRC's safety philosophy that employs successive compensatory measures to prevent accidents or mitigate damage if a malfunction, accident, or naturally caused event occurs at a nuclear facility.[1] The defense-in-depth philosophy has traditionally been applied in reactor design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It has been and continues to be an effective way to account for uncertainties in equipment and human performance and, in particular, to account for the potential for unknown and unforeseen failure mechanisms or phenomena, which (because they are unknown or unforeseen) are not reflected in either the PRA or traditional engineering analyses.

[1] Staff Requirements Memorandum (SRM) on SECY-98-0144, "White Paper on Risk-Informed and Performance-Based Regulation," March 1, 1999 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML003753601).
In addition, there is some flexibility that can be gained in the operations and maintenance of the nuclear plant that leverages the implementation of the defense-in-depth philosophy in the design of the plant. For example, testing and maintenance of SSCs or corrective action to restore an engineered safety system may be allowed for short periods while remaining at power, consistent with established Technical Specifications. The NRC recognizes and allows these temporary configurations within these established programs. If a licensee requests a risk-informed change to the plant's licensing basis to permit new or extended entry into temporary conditions, the licensee should demonstrate that the plant condition is justified and consistent with the defense-in-depth philosophy as described in this section.
For the purposes of this RG, nuclear power plant defense-in-depth is taken to consist of layers of defense and successive measures to protect the public:

- Robust plant design to survive hazards and minimize challenges that could result in an event occurring;
- Prevention of a severe accident (core damage) should an event occur;
- Containment of the source term should a severe accident occur; and
- Protection of the public from any releases of radioactive material (through, e.g., siting in low population areas and the ability to shelter or evacuate people if necessary).
2.1.1.2 High-Level Consideration

Since the focus of this Regulatory Guide is on applications using a risk-informed argument to propose changes to the licensing basis, it is based on the presumption that the as-built, as-operated plant, prior to the change, is consistent with the defense-in-depth philosophy, in that:

- A reasonable balance between the levels of protection has been established.
- Effectiveness of the barriers is ensured by conformance with design standards and regulations.
- Administrative procedures and controls are in place to preserve the defenses.
Preserve a reasonable balance among the layers of defense.

A reasonable balance of the layers of defense (minimizing challenges to the plant, preventing any events from progressing to core damage, containing the radioactive source term, and emergency preparedness) helps to ensure an apportionment of the plant's capabilities between limiting disturbances to the plant and mitigating their consequences. The term "reasonable balance" is not meant to imply an equal apportionment of capabilities. A reasonable balance is preserved if the proposed plant change does not significantly reduce the effectiveness of a layer that exists in the plant design and operation before the proposed change. The NRC recognizes that there may be aspects of a plant's design or operation that may cause one or more of the layers to be adversely affected. For these situations, the balance between the other layers becomes especially important when evaluating the impact of a proposed change to the LB and its impact on defense-in-depth.
2.1.1.3 Considerations for Evaluating the Impact of LB Changes on Defense-in-Depth

Any one or more of the layers of defense discussed above may be adversely impacted by a proposed change to a plant's licensing basis. The NRC has identified five considerations that should be used to assess the impact of the change on defense-in-depth. These are discussed in detail below. Guidance on how to apply these considerations is discussed in more detail in Section 2.1.1.4.

The NRC finds it acceptable for a licensee to use the following five considerations to evaluate how a proposed change to the LB impacts the philosophy of defense-in-depth. The considerations should be assessed in an integrated manner. A failure of any one consideration is not a reason to reject a risk-informed change.
1. Preserve adequate capability of design features without an overreliance on programmatic activities as compensatory measures.

Some proposed changes to the LB may involve or require compensatory measures; that is, measures taken to compensate for some reduced functionality, availability, reliability, redundancy, or other feature of the plant's design. Such compensatory measures are often associated with temporary plant configurations. Compensatory measures may include hardware (e.g., skid-mounted temporary power supplies), human actions (e.g., manual system actuation), or some combination of these measures. The preferred approach for accomplishing safety functions is through engineered systems. Therefore, when a proposed change necessitates reliance on programmatic activities as compensatory measures, the licensee should justify that this reliance is not excessive.
Nuclear power plant licensees implement a number of programs, including, for example, programs for quality assurance, testing and inspection, maintenance, control of transient combustible material, foreign material exclusion, containment cleanliness, training, and so forth. In some cases, activities taken as part of these programs are used to ensure safety functions; for example, reactor vessel inspections that provide assurance that reactor vessel failure is unlikely. The intent of this consideration is not to preclude the use of such programs as compensatory measures, but to ensure that the use of such measures does not significantly compromise the capability of the design features (e.g., hardware).
2. Preserve system redundancy, independence, and diversity commensurate with the expected frequency, consequences of challenges to the system, and uncertainties.

A substantial reduction in the ability to accomplish system safety functions is not consistent with the defense-in-depth philosophy. The importance of system redundancy, independence, and diversity is to ensure that the system safety function can be achieved. As stated in Section 2.1.1 above, the defense-in-depth philosophy has traditionally been applied in reactor design and operation to provide multiple means to accomplish safety functions. System redundancy, independence, and diversity not only result in high availability and reliability of SSCs, but also help ensure that system safety functions are not reliant on any single feature of the design.

A proposed risk-informed change should consider both safety-related and nonsafety-related SSCs that are important to core damage or large early release. Redundancy provides for duplicate equipment that enables the failure or unavailability of at least one set of equipment to be tolerated without loss of function. Independence among equipment implies that the redundant equipment are separate such that they do not rely on the same supports to function. It can sometimes be achieved by the use of physical separation or physical protection. Diversity is accomplished by having equipment that perform the same function rely on different attributes, such as different principles of operation, different physical variables, different conditions of operation, or production by different manufacturers.
3. Preserve adequate defense against potential common-cause failures (CCF).

An important aspect of ensuring defense-in-depth is to guard against CCF. Failure of several devices or components to function may occur as a result of a single specific event or cause. Such failures may simultaneously affect several different items important to risk. The event or cause may be a design deficiency, a manufacturing deficiency, an operating or maintenance error, a natural phenomenon, a human-induced event, or an unintended cascading effect from any other operation or failure within the plant.
4. Maintain multiple fission product barriers.

Physical fission product barriers (e.g., the fuel cladding, reactor coolant system pressure boundary, and containment) include the physical barriers themselves and any equipment relied upon to protect the barriers (e.g., containment spray). In general, these barriers are designed to perform independently so that a complete failure of one barrier does not disable the next subsequent barrier. For example, one barrier, the containment, is designed to withstand a double-ended guillotine break of the largest pipe in the reactor coolant system, another barrier.

A plant's licensing basis may contain events that, by their very nature, challenge multiple barriers simultaneously. Examples include interfacing-system LOCA and SGTR. Therefore, complete independence of barriers, while a goal, may not be achievable for all possible scenarios.
5. Preserve sufficient defense against human errors.

Human errors include the failure of operators to perform the actions necessary to operate the plant or respond to off-normal conditions and accidents; errors committed during test and maintenance; and other plant staff performing an incorrect action. Human errors can result in the degradation or failure of a system to perform its function, thereby significantly reducing the effectiveness of one of the defense-in-depth layers or one of the fission product barriers.

The plant design and operation include defenses to prevent the occurrence of such errors and events. These defenses generally involve the use of procedures, training, and human engineering; however, other considerations, e.g., communication protocols, may also be important.
Continue to meet the intent of the plant's design criteria.[2]

For plants licensed under 10 CFR Part 50 or Part 52, the plant's design criteria are set forth in the current licensing basis of the plant, which is documented in the plant's FSAR, as updated. The plant's design criteria define minimum requirements that achieve aspects of the defense-in-depth philosophy; as a consequence, a compromise to those design criteria can directly result in a significant reduction in the effectiveness of one or more of the defense-in-depth layers. When evaluating the effect of the proposed change, the licensee should demonstrate that the intent of the plant's design criteria continues to be met.

For plants licensed under 10 CFR Part 52, this consideration should also address those design features for the prevention and mitigation of severe accidents that are described and analyzed in accordance with 10 CFR 52.47(a)(23) for DC applications and 10 CFR 52.79(a)(38) for COL applications. For this consideration, the potential impacts on these severe accident design features should also be evaluated to ensure the intent of the design features continues to be met.[3]

[2] The General Design Criteria of Appendix A to 10 CFR Part 50 form the basis for the design criteria for newer plants licensed under 10 CFR Part 50 or Part 52. In some cases, exemptions to specific GDC may have been granted. Older plants may have been licensed to other criteria, such as the AEC draft design criteria. A given plant's design criteria are summarized in its FSAR, as updated. This consideration of defense-in-depth should address the current licensing basis of the plant and how the proposed change would continue to meet the intent of the plant's design criteria.

[3] Section C.I.19.8 of Regulatory Guide 1.206, "Combined License Applications for Nuclear Power Plants (LWR Edition)," issued June 2007, provides guidance on implementing these requirements and ties the requirements to the issues and performance goals identified in SECY-90-016, "Evolutionary Light-Water Reactor (LWR) Certification Issues and Their Relationship to Current Regulatory Requirements," dated January 12, 1990, and SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," dated April 2, 1993, which the Commission approved in staff requirements memoranda (SRMs) dated June 26, 1990, and July 21, 1993, respectively. In addition, Regulatory Guide 1.216, "Containment Structural Integrity Evaluation for Internal Pressure Loadings above Design-Basis Pressure," dated August 2010, provides acceptable methods for an analysis that specifically addresses the issues and performance goals identified in SECY-90-016 and SECY-93-087 and related SRMs for containment structures in nuclear power plants under severe accident conditions.

2.1.1.4 Evaluating the Impact of the LB Change on Defense-in-Depth

The five considerations described above are an acceptable way for a licensee to evaluate the impact of a proposed change to the LB on defense-in-depth. While such an evaluation of a change against the considerations is qualitative, the licensee should be able to conclude that the change maintains consistency of the plant design with the defense-in-depth philosophy by showing that the intent of each consideration is still met following the proposed change.
The considerations could be arranged in a hierarchical manner. For example, the high-level consideration (a reasonable balance among the layers of defense) is an over-arching description of how defense-in-depth is achieved. The five considerations may apply at any of the layers of defense to aid the analyst in justifying that the proposed change maintains suitable balance among the layers. Finally, continuing to meet the intent of the plant's design criteria helps ensure completeness of the assessment of how the proposed change could affect defense-in-depth. Nevertheless, in the interest of simplicity, each consideration should be addressed for any proposed risk-informed change to the licensing basis. If a proposed change has no impact on a given consideration, that should be stated with a brief justification as appropriate. Licensees are encouraged to structure their discussion of how a proposed change impacts defense-in-depth by addressing the considerations as relevant to the decision being sought; such an approach should facilitate the licensee's analysis as well as make for a more efficient review by the NRC staff. The licensee should demonstrate or justify that there has not been a significant impact on the LB for each of the considerations.
Note that the focus here is on the effect of the change on defense-in-depth. When a nuclear power plant is licensed, NRC regulations result in some amount of protection or defense at each of the layers of defense. The five considerations presented above are not intended to define how defense-in-depth is implemented in a plant's design, but to help licensees assess the impact of the proposed change. To demonstrate that defense-in-depth has been preserved, the LAR should demonstrate that the proposed change maintains appropriate safety within the defense-in-depth philosophy. The licensee should consider the impact of the proposed change on each of the layers of defense in the following way:

- Robust plant design to survive hazards and minimize challenges that could result in an event occurring: the change should not significantly increase the likelihood of initiating events or create new significant initiating events;
- Prevention of a severe accident (core damage) should an event occur: the change should not significantly impact the availability and reliability of SSCs that provide the safety functions that prevent plant challenges from progressing to core damage;
- Containment of the source term should a severe accident occur: the change should not significantly impact the containment function or SSCs that support that function, such as containment fan coolers and sprays; and
- Protection of the public from any releases of radioactive material: the change should not significantly reduce the effectiveness of the EP program, including the ability to detect and measure releases of radioactivity, to notify offsite agencies and the public, and to shelter or evacuate the public as necessary.

In addition, the licensee should demonstrate that:

- the change does not result in a significant increase in the existing challenges to the integrity of the barriers;
- the proposal does not significantly change the failure probability of any individual barrier; and
- the proposal does not introduce new or additional failure dependencies among barriers that significantly increase the likelihood of failure compared to the existing conditions.
The NRC finds it acceptable for a licensee to use the following considerations to evaluate whether a proposed change to the LB maintains the philosophy of defense-in-depth.
Evaluating the High-Level Consideration: Preserve a reasonable balance among the layers of defense.

A proposed change should not significantly reduce the effectiveness of a layer of defense that exists in the plant design before the proposed change.

The evaluation of the proposed change should consider insights based on traditional engineering approaches; insights from risk assessments may be used to support engineering insights, but should not be the only justification for meeting this consideration.

To demonstrate that this consideration is met, the licensee should address each of the layers in turn.

If a comprehensive risk analysis is done, it can provide insights into whether the balance among the layers of defense remains appropriate to ensure protection of public health and safety. Such a risk analysis would not only include the likelihood of challenges to the plant (i.e., initiating event frequencies) from various hazards, but would include estimates of core damage frequency, containment response, and dose estimates to the public. It would include implementation of the emergency plan and estimate the effectiveness of actions such as sheltering in place or evacuation.

Note that the risk acceptance guidelines in this RG are based on the surrogates for the Commission's quantitative health objectives, CDF and LERF. These risk metrics, developed as part of the risk assessment, can help inform the licensee's assessment of the relative balance between the second and third layers of defense. In addition, qualitative and quantitative insights from the PRA may help justify the balance across all the layers.
Evaluating Consideration 1: Preserve adequate capability of design features without an overreliance on programmatic activities as compensatory measures.
A proposed change should not significantly reduce the reliability and availability of design features to perform their safety functions.

The evaluation of the proposed change should demonstrate that reliance on programmatic activities to compensate for an intended reduction in the capability of engineered safety features is not excessive.

To evaluate this consideration, the licensee should first determine whether the proposed change necessitates compensatory measures. If not, this should be stated as the reason this consideration is met. If compensatory measures are needed to support the proposed change, the licensee should determine the extent to which programmatic activities, as compared to design features, are being relied upon. The intent of this consideration is not to preclude the use of programs as compensatory measures, but to ensure that this use is not excessive.

A proposed change that does not affect how safety functions are performed or reduce the reliability or availability of the SSCs that perform those functions would meet this defense-in-depth consideration. However, a licensee could contemplate a change where a reduction in the capability of those SSCs is compensated in some manner by reliance on plant programs. In such a case, the licensee should assess whether the proposed change would increase the need for programmatic activities to compensate for the lack of engineered features. If the change requires new or additional reliance on such programs, the licensee should justify that reliance on these measures is not excessive. Use of compensatory measures may be considered overreliance when a program is substituted for an engineered means of performing a safety function, or when failure of the programmatic activity could prevent an engineered safety feature from performing its intended function.
The NRC also recognizes that compensatory measures are sometimes associated with temporary conditions. A licensee may request a risk-informed change to the plant's licensing basis to permit occasional entry into conditions requiring measures that rely on plant programs to compensate for reduced capability of engineered systems, or for a one-time allowance to complete corrective action to restore engineered systems to match the design and licensing basis. For such situations, the licensee should demonstrate that the plant condition requiring such compensatory measures would occur at a sufficiently low frequency or that the time frame to effect corrective action is commensurate with the significance of the non-conforming condition.
Evaluating Consideration 2: Preserve system redundancy, independence, and diversity commensurate with the expected frequency, consequences of challenges to the system, and uncertainties.

A proposed change should not significantly impact the ability for the system function to be performed.

The evaluation of the proposed change should demonstrate that the change does not result in a substantial reduction in the availability or reliability of the associated SSCs and does not introduce a new single failure.

To evaluate this consideration, the licensee should ensure that there is not a substantial reduction in the ability to accomplish a safety function. A safety function may be compromised if one of the plant features that provides for system redundancy, independence, or diversity is defeated. This adverse impact could occur through the introduction of a new dependency that could potentially defeat the redundancy, independence, or diversity of the affected equipment. Plant changes that introduce new dependencies among systems or functions, or that introduce new common-cause failures (addressed under Consideration 3), should not result in a disproportionate increase in risk. That is, system redundancy, independence, and diversity can be assumed to be preserved if, given the proposed licensing change, the affected system safety function can be accomplished assuming a new single failure has not been introduced.

Some proposed changes are temporary[4] in nature and result in the plant being in an operational condition where certain design features are not available to perform their intended functions. For example, a single train of a multi-train system may be out of service. It is not the intent of this consideration of defense-in-depth to preclude such temporary plant configurations. In general, a proposed change would meet the intent of this consideration provided no permanent change to the plant's design or change in operation that affects the redundancy, independence, or diversity of the design was being contemplated. There are other controls on temporary plant configurations, such as the Technical Specifications, that limit the exposure to risk during such periods.
Evaluating Factor 4 (Consideration 3): Preserve adequate defense against potential common-cause failures (CCFs).

A proposed change should not significantly reduce defenses against CCFs that could defeat the redundancy, independence, and/or diversity of defense-in-depth layers, fission product barriers, and design or operational plant features. The evaluation of the proposed change should demonstrate that the change does not result in a significant reduction of existing CCF defenses or introduce new CCF dependencies.

To understand a defense strategy against a CCF event, it is necessary to recognize that defending against a CCF event is no different from defending against an independent failure with a single root cause, except that more than one failure has occurred and the failures are related through a coupling mechanism. The defense mechanisms against CCF include functional barriers, physical barriers, monitoring and awareness, maintenance staffing and scheduling, component identification, and diversity. These defenses are constructed primarily to defend against CCF coupling factors. A coupling factor is the condition or mechanism through which multiple components could be affected (or coupled) by the same cause. Coupling factors can be based on attributes such as hardware quality (manufacturing, installation), design (component part, system configuration), maintenance (schedule, procedure, staff), operation (procedure, staff), and environment (external, internal).

[4] Temporary is not meant to imply excessive periods of time.
There are three methods of defense against a CCF: (1) defend against the failure cause, (2) defend against the CCF coupling factor, or (3) defend against both. A defense strategy against causes typically includes design control, use of qualified equipment, testing and preventive maintenance programs, procedure review, personnel training, quality control, redundancy, diversity, and barriers. For coupling factors, a defense strategy typically includes diversity (functional, equipment, and staff), barriers, and staggered testing and maintenance. A defense strategy addressing both the cause and the coupling factor is the most comprehensive.[5]

To demonstrate that this factor is met, the licensee should evaluate the proposed change to determine whether it increases the potential for events or causes that could result in a CCF. The licensee should also evaluate the proposed change to determine whether new CCF mechanisms could be introduced.
Evaluating Factor 5 (Consideration 4): Maintain multiple fission product barriers.

A proposed change should not significantly reduce the effectiveness of the multiple fission product barriers. The evaluation of the proposed change should demonstrate that the change does not:
- Create a significant increase in the likelihood or consequence of an event that simultaneously challenges multiple barriers.
- Introduce the possibility of a new event that would simultaneously impact multiple barriers.

To demonstrate that this factor is met, the licensee should demonstrate that the change does not create a significant increase in the likelihood or consequence of an event that simultaneously challenges multiple barriers. To do this, the licensee should consider the following objectives to ensure that the proposed change maintains appropriate safety within the defense-in-depth philosophy:
- The change does not result in a significant increase in the existing challenges to the integrity of the barriers.
- The proposal does not significantly increase the failure probability of any individual barrier.
- The proposal does not introduce new or additional failure dependencies among barriers that significantly increase the likelihood of failure compared to the existing conditions.
- The overall redundancy and diversity among the barriers is sufficient to ensure compatibility with the risk acceptance guidelines.

[5] Refer to NUREG/CR-6268, Revision 1, "Common-Cause Failure Database and Analysis System: Event Data Collection, Classification, and Coding," for further discussion of major failure cause categories, coupling factor categories, and defense mechanisms.
Evaluating Factor 6 (Consideration 5): Preserve sufficient defense against human errors.

A proposed change should not significantly increase the potential for, or create new, human errors that may adversely affect one or more layers of defense. The evaluation of the proposed change should demonstrate that the change does not:
- Create new human failure events that have a significant adverse impact on risk;
- Significantly increase the burden on the plant staff responding to events; or
- Significantly increase the human error probability of existing human actions.

In determining whether these defenses are preserved, the licensee should assess whether the proposed change would create new human actions that significantly affect the change in risk, place a greater mental or physical demand on staff responding to events, or increase the probability of existing human errors. The licensee should consider whether the change creates new situations that are likely to cause errors, not only for operators but also for maintenance personnel and other plant staff.

Evaluating Factor 7: Continue to meet the intent of the plant's design criteria.

A proposed change should not affect meeting the intent of the plant's design criteria referenced in the licensing basis. The evaluation of the proposed change should demonstrate that the change does not significantly compromise meeting the plant's design criteria and thereby significantly reduce the effectiveness of one or more defense-in-depth layers.

This factor of defense-in-depth should consider the current licensing basis of the plant and how the proposed change would continue to meet the intent of the plant's design criteria and, for Part 52 plants, continue to meet the intent of the severe accident design features. It is recognized that, in general, the consideration of applicable regulations under the first principle of risk-informed regulation would be expected to address this factor of defense-in-depth. Also, it is not the intent of this factor that changes to the plant's design criteria or severe accident design features cannot be requested. However, the licensee should fully understand any impacts that the proposed change may have on the design criteria or severe accident design features of the plant.
For some hazards and for some licensees, defense-in-depth may be defined in the plant's LB. For example, the fire protection program for licensed nuclear power plants requires that fire protection defense-in-depth, which is scenario-based, be maintained. Any proposed plant change must be evaluated against any plant-specific LB defense-in-depth requirements in addition to the guidance presented herein.

It is proposed that consideration of defense-in-depth would be most relevant when:
- The proposed change affects a method of achieving a required safety function when the level of redundancy or diversity is limited or where significant uncertainty exists.
- The proposed license amendment affects defense-in-depth by introducing cross-cutting changes (e.g., administrative changes, maintenance practices) that affect multiple safety functions or cut across levels of protection.
- The change has effects that cannot be addressed directly by the PRA, e.g., impacts on the likelihood or modes of late containment failures.
2.1.2 Safety Margin

The engineering evaluation should assess whether the impact of the proposed LB change is consistent with the principle that sufficient safety margins are maintained. Here also, the licensee is expected to choose the method of engineering analysis appropriate for evaluating whether sufficient safety margins would be maintained if the proposed LB change were implemented. An acceptable set of guidelines for making that assessment is summarized below. Other equivalent acceptance guidelines may also be used. With sufficient safety margins, the following are true:
- Codes and standards, or their alternatives approved for use by the NRC, are met.
- Safety analysis acceptance criteria in the LB (e.g., FSAR, supporting analyses) are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainty.

The NRC has developed application-specific guidelines reflecting this general guidance, which may be found in the application-specific regulatory guides (Refs. 5-9).