Text

Page 1 of 7 January 11, 2018 White Paper for Addressing Common Cause Failure (CCF)

Impact within the Significance Determination Process (SDP)

Summary The intent of this whitepaper is to provide a basis to expand the framework for crediting observed defense against common cause qualitatively outside of the quantitative risk analysis. Consideration of crediting defenses using a qualitative approach for successful CCF prevention is currently promoted in the existing process, but lacks a framework to characterize such consideration.

The approach being suggested is for those SDPs where common cause failure significantly contributes to the outcome of the quantitative result. The approach does not change the evaluation method or basis of the calculation of the potential impact of common cause, but rather suggests the use of sensitivities to highlight the impact of common cause on the conclusion of significance. In addition, the accounting for utility defenses to limit or prevent factors that impact the potential for common cause is represented through the use of a table that relates the strength of the defense to a qualitative factor as an enhancement to the process.

The changes to the process are envisioned to not only add perspective to the evaluation of the significance of a performance deficiency, but also promote increased recognition and use of common cause defenses by utilities, thereby promoting good practices. In addition, this enhancement can help minimize the resource expenditure of both NRC and utilities in attempting to achieve numerical refinements that are beyond the state of practice in modeling CCF for SDP event and condition assessment.

Recommendations Two recommendations are provided below. Background and supporting information on these two recommendations is provided in following sections of this paper.

Recommendation 1: Add an additional paragraph to the end of Section 5.3 in the RASP handbook to recommend the use of sensitivity results between the baseline or nominal CCF calculation and the conditional CCF calculation. This additional information will help illustrate the CCF impact on the quantitative results. This process should only be employed if CCF from a CCCG is a major driver in the SDP result. The details regarding how to select the values of CCF would be contingent on the impact the conditional CCF has on the result and the difference between the quantitative conditional CCF result and the SDP threshold, along with the consideration of qualitative factors as stipulated by Ground Rule 3.

Recommendation 2: Add text to the discussion of Ground Rule 3 in Section 5 of the RASP handbook to reflect the table provided in considering qualitative factors using the above approach. The additional framework would help both the SERP deliberations as well as utilities better view the application of common cause with respect to the defenses employed. A general characterization of defenses are associated with the qualitative factors outlined in Table 1 below.

Page 2 of 7 January 11, 2018

Background

The NRCs internal guidance for assessing risk associated with a performance deficiency is provided in its RASP (Risk Assessment Standardization Project) Handbook. The instructions for determining the contribution of potential common cause failure when a multi-train system is involved can greatly influence the outcome of the NRCs Significance Determination Process. Overestimating the potential for CCF leading to elevated outcomes within the Significance Determination Process disserves the public interest, which is best served by holistic, realistic estimates of risk significance. The RASP guidance on CCF is reflected in the NRCs SPAR models1 for quantifying risk significance. The focus of this whitepaper is to suggest methods for evaluating the impact of CCF by providing a framework for illustrating the impact of common cause through the use of sensitivities and the consideration of qualitative CCF adjustment factors during the Significance and Enforcement Review Panel (SERP) process. The industrys current focus is not to seek changes in the quantitative method used to calculate the impact of CCF associated with the elevated preliminary significance determination. This effort is intended to reinforce a risk-informed framework in which CCF is appropriately considered, but also includes a more robust consideration of both quantitative and qualitative aspects, therefore minimizing resource expenditure of both NRC and utilities in attempting to achieve numerical refinements that are beyond the state of practice in CCF for SDP event and condition assessment.

The basic ground rules in the treatment of CCF for event and condition assessment outlined in Section 5.2 of the RASP Handbook provide guidance to assist analysts in a consistent approach in SDPs.

Specifically, Ground Rule 3 allows the crediting of strong defenses against CCF to be considered qualitatively outside the quantitative risk analysis in the SDP process by the Significance and Enforcement Review Panel. Specific programmatic licensee actions to defend against or limit common cause coupling factors (a characteristic of a group of components that identifies them as susceptible to the same causal mechanisms of failure) can reduce the occurrence of CCF. The impact of these actions or defenses is difficult to quantify and may not be fully captured by the CCF databases with respect to a specific performance deficiency. However, a qualitative assessment may be applied if utility actions to defend against CCF were in place to reduce the likelihood of the remaining components in a common cause component group (CCCG) suffering from a similar failure mechanism.

Illustrating the Impact of Common Cause Failure using Sensitivities Section 5 of the RASP handbook provides guidance for the treatment of CCF dependencies among components in a CCCG given an observed failure, and/or unavailability due to test or maintenance of one or more components in the CCCG. The quantitative adjustment to the baseline CCF basic event probability of the CCCG using the SPAR model to reflect the failure(s) that were observed is automatically calculated using embedded calculations in the NRCs Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) software. In addition, quantitative credit of 1 The SPAR (Standardized Plant Analysis Risk) model is used by the NRC to quantify changes in public risk associated with plant events and inspection findings.

Page 3 of 7 January 11, 2018 defenses against CCF is not part of the scope of the RASP Handbook due to the inability to quantitatively apportion the CCF data to specific coupling factors such as environment, maintenance, design, etc.

Although this may be the case, the current analytical approach used within the context of the RASP handbook is essentially binary, in that, either a conditional CCF probability is automatically applied, or an allowable deviation from the ground rules justifies not propagating the conditional CCF. Since a binary approach does not adequately reflect the range of potential outcomes, the over-reliance on strict quantification alone does not provide flexibility nor clarity on the impact the quantitative CCF assessment can have on the SDP evaluation.

The proposed process for considering the overall impact of CCF would apply the current method which includes application of the conditional CCF as a first step. This result would be considered the entry result that would be coupled with additional considerations given potential observed deficiency that resulted in a single failure in the CCCG. An additional aspect would involve considering qualitative attributes and how they may impact the spectrum of results given the thresholds in safety significance established for SDPs (Green-White or White-Yellow or Yellow-Red). Illustrating this spectrum and considering how the possible qualitative aspects that are applicable to a specific case may impact the quantitative results can help communicate the CCF impact in a more clear and understandable way, and provide a framework for decision making, if justified, as stated in Ground Rule 3. An example illustration of the sensitivity evaluation is provided in Figure 1.

Figure 1 Crediting Observed Defenses Against Common Cause Qualitatively Utilities employ a spectrum of actions to mitigate the potential for CCF, particularly in risk-significant evolutions. Despite this, the NRCs quantitative CCF evaluation process does not account for specific or deliberate actions taken by a utility that reflect an understanding of the implications of common cause 0.00E+00 5.00E-07 1.00E-06 1.50E-06 2.00E-06 2.50E-06 3.00E-06 1

5 10 20 50 100 233 Delta CDF Factor Increase in CCF Conditional CCF Treatment if no additional information is available on extent of condition/cause is known Nominal CCF Treatment if robust CCF defenses are in place and extent of condition/cause is known Green/White Threshold X

Page 4 of 7 January 11, 2018 for similar components in redundant trains. In other words, the current quantitative approach is the same irrespective of the actions, or lack thereof, to defend against some contributors to common cause due to limitations in the data and quantitative approaches. The industry proposes to represent utility CCF defensive practices and reflect those as a qualitative factor within the framework of Ground Rule 3 in the RASP Handbook. This will not only add perspective to the evaluation of significance of a performance deficiency, but also promote increased recognition and use of common cause defenses by utilities, thereby proactively promoting good practices.

NUREG/CR-6268, R1, Common-Cause Failure Database and Analysis System: Event Data Collection, Classification, and Coding, defines extrinsic dependency as those conditions where the dependency or coupling is not inherent or intended in the functional characteristics of the system. The source and mechanism of such dependencies are often external to the system, such as environmental or human interaction dependencies. A typical classification scheme used in the analysis of operational data and in evaluating specific defenses against multiple failures is partitioned into five coupling factor classes of quality, design, maintenance, operation, and environmental. The focus of this effort is on coupling factors or mechanisms associated with the extrinsic dependencies of maintenance or operation that create the potential for multiple components to be affected by the same cause.

The maintenance based coupling factors propagate a failure mechanism from identical maintenance program characteristics among several components. The categories of maintenance based coupling involve maintenance/test/calibration activities on multiple components being performed simultaneously or sequentially; propagation of errors through procedural errors and maintenance staff interpretation of procedural steps; or the same team/individual being responsible for maintaining multiple similar systems or components.

Similarly, the operation based coupling factors propagate a failure mechanism from identical operational characteristics among several components. The categories of operation based coupling involve cases when operation of all identical components is governed by the same operating procedures, or result if the same operator (or team of operators) is assigned to operate all trains of a system.

A defense strategy against proximate causes can include design control, use of qualified equipment, testing and preventive maintenance programs, procedure review, personnel training, quality control, redundancy, diversity, and barriers. When a defense strategy is developed using protection against a proximate cause as a basis, the number of individual failures may decrease, as well as, result in a reduction in the CCF coupling factors.

If a defense strategy is developed using protection against a coupling factor as a basis, the relationship between the failures is eliminated and common cause reduced. The proximate cause codes used in the determination of potential common cause failure data analysis in the above referenced NUREG/CR can be used to identify defensive strategies to help illustrate the relationship between deliberate utility actions and consideration of a qualitative adjustment factor.

Page 5 of 7 January 11, 2018 Human error resulting in an unintentional or undesired action, wrong procedure followed, failure to follow a procedure, inadequate training, inadequate procedure are all proximate causes considered in the development of CCF data are associated with maintenance and operational coupling factors.

Demonstration of actions taken to reduce or eliminate these potential contributors can be used to assess the qualitative impact on the quantitative result.

The use of qualitative factors to adjust the quantitative data analysis of common cause failure events is employed in NUREG/CR-6268, R1, Section 7.3.1. The evaluation of the numerical representation of a CCF event can be adjusted using an applicability factor which qualitatively adjusts the applicability of the cause and the coupling factor of the event due to the strength of common cause defense. The strength of defense is characterized using the terms, Complete, Superior, Moderate, and Weak in Table 7-2 of NUREG/CR 6268. This concept of qualitative adjustment is used as the framework in assessing the defenses or actions employed by a utility in the context of a qualitative common cause adjustment. The intent is to view the common cause defenses in the context of a specific performance deficiency by applying a qualitative factor that best represents the actions taken to limit common cause potential. The strength of the defense determines the qualitative factor used to inform the quantitative result during SERP deliberation. For example, a set of defenses addressing the coupling factors exhibited by a utility could be considered Complete using the above framework. If so, the qualitative factor applied would be such that only the nominal or baseline CCF factor would be used. Use of the baseline CCF continues to highlight the potential from common cause from contributors not impacted by the performance deficiency. The converse would be that a Weak characterization of employed defenses would result in the full use of the quantitative conditional CCF used in the existing process. A Superior or Moderate characterization would clearly fall within the range defined by Complete and Weak. It is suggested that the following table be added to the RASP Handbook to assist in providing a framework for applying associated qualitative factors to the characterizations described above.

Table 1 Strength of Defenses Qualitative Factor Complete Nominal or baseline CCF Superior Nominal CCF - 0.5 Conditional CCF Moderate 0.5 Conditional CCF - Conditional CCF Weak Conditional CCF (NRCs quantitative estimate)

The selected qualitative factors in Table 1 are loosely based on Table 7-2 of NUREG/CR 6268. Rather than use point values to relate to the strength of a defense, a range is being proposed to help emphasize the qualitative nature of the factor, and also recognize that the characterization of a defense will involve a range of actions or organizational factors. The simplicity of the table is intended to support the

Page 6 of 7 January 11, 2018 intended use within the context of decision-making during the SERP when the qualitative aspects are considered.

Varied terminology may be used in characterizing the type of defensive actions, but in general, the defensive actions can be applied to reduce or prevent the maintenance and operation coupling factors listed above. A limited sampling of human performance tools and verification practices include alternate verification to validate expected response or action, concurrent verification used in confirming correct components were manipulated or worked, identification of error precursors and barriers (physical or procedural) employed to defend against errors, independent verification, 2 minute drill at the job site, pre-job briefs, application of technical human performance tools that reflect a cognitive level of understanding of the factors influencing the task at hand. Defenses on a programmatic level that may be employed involve management or supervisory oversight, use of additional or outside subject matter experts, review of industry experience, the use of mockups or simulations prior to work, peer or supplemental review in the field, challenge meetings/calls prior to action being taken, discussion or application of human performance fundamentals, or staggered maintenance on redundant components.

Discussion of the defensive actions can also provide an improved understanding of the performance deficiency in terms of the influence of organizational factors as compared to singular or isolated errors associated with equipment.

Using the above terminology, a Complete characterization of defenses could include confirmation that the appropriate application of human performance tools, verification practices, and organizational or programmatic barriers were employed to defend or limit the potential for common cause associated with maintenance or operational coupling factors. In other words, the actions taken to protect against a proximate cause can result in the reduction in the CCF coupling factors to the nominal CCF in the model.

The application of the nominal CCF in the Complete characterization continues to reflect the potential for other common cause potential from others contributors such as design or environment.

A spectrum of defenses might have been employed in the context of a particular performance deficiency, therefore a tabulation of specific defenses for each strength of defense characterization cannot be developed to cover all situations. Rather, the table is intended to guide the discussion of the defenses that were employed and relate those to qualitative factors that could be considered during the SERP evaluation.

Conclusion The industry believes that enhancements in the use of qualitative factors along with CCF quantification for event/condition assessment within the existing framework of the RASP Handbook can improve the characterization of performance deficiencies when common cause is identified as a significant contributor to the preliminary as well as final significance determination. It will also highlight proactive defensive actions that can be taken to minimize the impact from common cause whether a performance

Page 7 of 7 January 11, 2018 deficiency is under consideration or not (but that can be justifiably credited during an SDP to properly provide context on the impact of the current quantitative approach). The effective use of such an approach could minimize resource expenditure during SDP assessments (given the state of practice in numerical CCF estimation) by focusing on risk-informed aspects rather quantitative refinements that may not provide additional clarity for robust decision making.