ML22146A045

| Field | Value |
|---|---|
| Issue date | 06/10/2022 |
| From | Robert Beall, NRC/NMSS/DREFS/RRPB |
| Shared Package | ML20289A534 |
| References | 10 CFR Part 53, DG-1413, NRC-2019-0062, RIN 3150-AK31 |
U.S. NUCLEAR REGULATORY COMMISSION
PRE-DECISIONAL DRAFT REGULATORY GUIDE DG-1413
Proposed new Regulatory Guide 1.XXX
Issue Date: Month 20##
Technical Lead: Mihaela Biro

This pre-decisional draft regulatory guide is currently in preparation and is being released to support ongoing public discussions. The purpose of releasing this pre-decisional draft regulatory guide at this early stage of new commercial nuclear plant guidance development is to engage stakeholders on the staff's initial high-level considerations on issues to potentially be considered and addressed in such guidance.
This pre-decisional draft regulatory guide language has not been subject to NRC management and legal reviews and approvals, and its contents are subject to change and should not be interpreted as official agency positions. The NRC staff is releasing this pre-decisional language to facilitate discussion at upcoming public meetings and to further public understanding of the related rulemaking. Should comments be submitted on the pre-decisional language, the NRC plans to consider them in further developing the pre-decisional draft regulatory guide to the extent practicable, but will not provide written responses to those comments. The NRC staff plans to prepare a DG for public comment based on this pre-decisional DG, at which time the staff will request written comments on the DG and provide written responses, accordingly.
TECHNOLOGY-INCLUSIVE IDENTIFICATION OF LICENSING EVENTS FOR COMMERCIAL NUCLEAR PLANTS

A. INTRODUCTION

Purpose

This pre-decisional draft Regulatory Guide (pre-decisional DG) provides the U.S. Nuclear Regulatory Commission (NRC) staff's guidance on identifying licensing events used to inform the design basis, licensing basis, and content of applications for commercial nuclear plants. For ease of reference, this pre-decisional DG will use the term "licensing event" in a generic sense to refer to the collections of designated event categories identified in Title 10 of the Code of Federal Regulations (10 CFR) Parts 50, 52, and preliminarily proposed Part 53, such as anticipated operational occurrences, design basis accidents, beyond design basis accidents, and postulated accidents. The set of licensing events for a particular reactor application varies in accordance with the NRC regulations that govern the application (see Table 1). This pre-decisional DG covers applications for commercial nuclear plants, including light-water reactors (LWRs) and non-light-water reactors (non-LWRs) such as, but not limited to, molten salt reactors, high-temperature gas-cooled reactors, and a variety of fast reactors at different thermal capacities. This pre-decisional DG may be used by LWR and non-LWR applicants applying for permits,
DG-1413, Page 2

licenses, certifications, and approvals under 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities" (Ref. 1), 10 CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants" (Ref. 2), and preliminary proposed 10 CFR Part 53, "Risk-Informed, Technology-Inclusive Regulatory Frameworks for Commercial Nuclear Plants" (Ref. 3).
The identification of a comprehensive set of licensing events is fundamental to the safe design of commercial nuclear plants. Specifically, the safety of a commercial nuclear plant is shown by analyses of the responses of the plant to licensing events, which include postulated disturbances in process variables and postulated malfunctions or failures of equipment. The results of such safety analyses are used to: (1) demonstrate compliance with the NRC's regulations or justify exemptions from specific NRC regulations; (2) inform the selection of limiting conditions for operation, limiting safety system settings, and design specifications for components and systems to protect public health and safety; and (3) identify the appropriate scope and depth of information that commercial nuclear plant designers and applicants should provide in applications for permits, licenses, certifications, and approvals. Accordingly, it is essential to identify a comprehensive set of licensing events that considers all radiological sources at the plant, all internal and external hazards, and all plant operating states.
This pre-decisional DG provides technology-inclusive guidance for identifying initiating events, delineating event sequences, and identifying licensing events. The NRC determines on a case-by-case basis the applicability of specific technical requirements in NRC regulations or the need to define additional technical requirements arising from the safety analyses for each commercial nuclear plant.
Applicability

A Regulatory Guide developed from this pre-decisional DG applies to nuclear power reactor designers, applicants, and licensees of commercial nuclear plants applying for permits, licenses, certifications, and approvals under 10 CFR Part 50, 10 CFR Part 52, and 10 CFR Part 53 (preliminary proposed). Regarding new commercial nuclear plants, the Commission expects, as a minimum, at least the same degree of protection of public health and safety and the common defense and security that is required for LWRs licensed before 1997 (Ref. 4).
Applicable Regulations

The following regulations are applicable to the identification of licensing events:

10 CFR Part 50

o § 50.34(a)(1)(i) requires all power reactor applicants for a construction permit to provide a description and safety assessment of the site on which the facility is to be located, with appropriate attention to features affecting facility design. Special attention should be directed to the site evaluation factors identified in 10 CFR Part 100. The assessment must contain an analysis and evaluation of the major structures, systems, and components (SSCs) of the facility which bear significantly on the acceptability of the site under the site evaluation factors identified in part 100 of this chapter, assuming that the facility will be operated at the ultimate power level which is contemplated by the applicant.
o § 50.34(a)(1)(ii) requires stationary power reactor applicants for a construction permit to provide a description and safety assessment of the site and a safety assessment of the facility. It is expected that reactors will reflect through their design, construction, and operation an extremely low probability for accidents that could result in the release of significant quantities of radioactive fission products.
o § 50.34(a)(4) requires all power reactor applicants for a construction permit to provide a preliminary analysis and evaluation of the design and performance of SSCs of the facility with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of SSCs provided for the prevention of accidents and the mitigation of the consequences of accidents.
o § 50.34(b) requires each application for an operating license to include a final safety analysis report. The final safety analysis report shall include information that describes the facility, presents the design bases and the limits on its operation, and presents a safety analysis of the SSCs and of the facility as a whole.
o § 50.34(b)(2) requires each application for an operating license to provide a description and analysis of the SSCs of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations.
o § 50.34(h) requires applications for LWR construction permits (CPs) and operating licenses (OLs) to include an evaluation of the facility against the Standard Review Plan (SRP) revision in effect six months before the docket date of the application. This evaluation must include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for a facility and those corresponding features, techniques, and measures given in the SRP acceptance criteria. Where such a difference exists, the evaluation must discuss how the alternative proposed provides an acceptable method of complying with those rules or regulations of the Commission, or portions thereof, that underlie the corresponding SRP acceptance criteria. The SRP is not a substitute for the regulations, and compliance is not a requirement.
10 CFR Part 52

o § 52.47(a)(2) requires applications for standard design certifications (DCs) to provide a description and analysis of the SSCs of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which these requirements have been established, and the evaluations required to show that safety functions will be accomplished. It is expected that the standard plant will reflect through its design, construction, and operation an extremely low probability for accidents that could result in the release of significant quantities of radioactive fission products.
o § 52.47(a)(9) requires applications for LWR DCs to include an evaluation of the standard plant design against the SRP revision in effect 6 months before the docket date of the application. The evaluation required by this section must include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for the design and those corresponding features, techniques, and measures given in the SRP acceptance criteria. Where a difference exists, the evaluation must discuss how the proposed alternative provides an acceptable method of complying with the Commission's regulations, or portions thereof, that underlie the corresponding SRP acceptance criteria. The SRP is not a substitute for the regulations, and compliance is not a requirement.
o § 52.79(a) requires applications for combined licenses (COLs) to provide a final safety analysis report that describes the facility, presents the design bases and the limits on its operation, and presents a safety analysis of the SSCs of the facility as a whole.
o § 52.79(a)(1)(vi) requires applications for COLs to provide a description and safety assessment of the site on which the facility is to be located. The assessment must contain an analysis and evaluation of the major SSCs of the facility that bear significantly on the acceptability of the site under the radiological consequence evaluation factors identified in § 52.79(a)(1)(vi)(A) and § 52.79(a)(1)(vi)(B).
o § 52.79(a)(2) requires applications for COLs to provide a description and analysis of the SSCs of the facility with emphasis upon performance requirements, the bases, with technical justification therefor, upon which these requirements have been established, and the evaluations required to show that safety functions will be accomplished. It is expected that reactors will reflect through their design, construction, and operation an extremely low probability for accidents that could result in the release of significant quantities of radioactive fission products.
o § 52.79(a)(41) requires applications for LWR COLs to include an evaluation of the facility against the SRP revision in effect 6 months before the docket date of the application. The evaluation required by this section must include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for a facility and those corresponding features, techniques, and measures given in the SRP acceptance criteria. Where a difference exists, the evaluation must discuss how the proposed alternative provides an acceptable method of complying with the Commission's regulations, or portions thereof, that underlie the corresponding SRP acceptance criteria. The SRP is not a substitute for the regulations, and compliance is not a requirement.
o § 52.137(a)(2) requires applications for standard design approvals (SDAs) to provide a description and analysis of the SSCs of the facility, with emphasis upon performance requirements, the bases, with technical justification, upon which the requirements have been established, and the evaluations required to show that safety functions will be accomplished. It is expected that the standard plant will reflect through its design, construction, and operation an extremely low probability for accidents that could result in the release of significant quantities of radioactive fission products.
o § 52.137(a)(4) requires applications for SDAs to provide an analysis and evaluation of the design and performance of SSCs with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of SSCs provided for the prevention of accidents and the mitigation of the consequences of accidents.
o § 52.137(a)(9) requires applications for LWR SDAs to include an evaluation of the standard plant design against the SRP revision in effect 6 months before the docket date of the application. The evaluation required by this section must include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for the design and those corresponding features, techniques, and measures given in the SRP acceptance criteria. Where a difference exists, the evaluation must discuss how the proposed alternative provides an acceptable method of complying with the Commission's regulations, or portions thereof, that underlie the corresponding SRP acceptance criteria. The SRP is not a substitute for the regulations, and compliance is not a requirement.
o § 52.157(c) requires applications for manufacturing licenses (MLs) to provide a description and analysis of the SSCs of the reactor to be manufactured, with emphasis upon the materials of manufacture, performance requirements, the bases, with technical justification therefor, upon which the performance requirements have been established, and the evaluations required to show that safety functions will be accomplished.
o § 52.157(f)(1) requires applications for MLs to provide an analysis and evaluation of the design and performance of SSCs with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of SSCs provided for the prevention of accidents and the mitigation of the consequences of accidents.
o § 52.157(f)(30) requires applications for LWR MLs to include an evaluation of the design to be manufactured against the SRP revision in effect 6 months before the docket date of the application. The evaluation required by this section must include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for the design and those corresponding features, techniques, and measures given in the SRP acceptance criteria. Where a difference exists, the evaluation must discuss how the proposed alternative provides an acceptable method of complying with the Commission's regulations, or portions thereof, that underlie the corresponding SRP acceptance criteria. The SRP is not a substitute for the regulations, and compliance is not a requirement.
Preliminary Proposed 10 CFR Part 53

o § 53.240 would require CP, OL, DC, SDA, ML, and COL applicants for commercial nuclear plants to identify and analyze licensing basis events in accordance with § 53.450 to support assessments of the safety requirements in 10 CFR Part 53. The licensing basis events would need to address combinations of malfunctions of plant SSCs, human errors, facility hazards, and the effects of external hazards ranging from anticipated operational occurrences to very unlikely event sequences. The analysis of licensing basis events would need to include analysis of one or more design basis accidents in accordance with § 53.450(f). The analysis of licensing basis events would need to be used to confirm the adequacy of design features and programmatic controls needed to satisfy safety criteria defined in §§ 53.210 and 53.220 and to establish related functional requirements for plant SSCs, personnel, and programs.
o § 53.4730(a)(5) would require CP, OL, DC, SDA, ML, and COL applicants for commercial nuclear plants to provide a description identifying postulated initiating events for anticipated operational occurrences and design basis accidents using a generally accepted, risk-informed approach for systematically evaluating engineered systems.
o § 53.4730(a)(5)(iv)(A) would require CP, OL, DC, SDA, ML, and COL applicants for commercial nuclear plants to perform additional assessments and analyses to identify design features or programmatic controls for enhancing the plant's capabilities to withstand, without undue risk, events that are either more severe than design basis accidents or that involve additional failures. Events include unlikely but credible events that could lead to situations beyond those considered for DBAs, multiple credible failures (e.g., common cause failures in redundant SSCs) that prevent safety systems from performing their intended function, or credible failure sequences that are not assessed within the scope of DBAs but are mitigated by other plant SSCs outside the scope of the credited safety function of those SSCs.
o § 53.4730(a)(5)(v)(A) would require CP, OL, DC, SDA, ML, and COL applicants for commercial nuclear plants to provide a description and analysis of design features deemed important because they prevent or mitigate accidents that could progress beyond design basis accidents and events addressed by (i). These events could include conditions not considered for design basis accidents, but that are considered in the overall design using best estimate methodology including consideration of uncertainties, in order to assess risk to the public health and safety. These events would include those that would require analysis of design features for the prevention and mitigation of severe accidents.
o § 53.4730(a)(5)(iv)(B) would require light-water reactor applicants to address how the design prevents and mitigates severe accidents based on conditions derived from operating experience and input from risk evaluations.
o § 53.4730(a)(5)(v)(D) would require an applicant with a non-light-water reactor design to use engineering judgment and input from risk evaluations to identify what constitutes severe accident conditions for its specific design and describe the measures provided in the design for preventing or mitigating such accidents.
Related Guidance

Pre-decisional Draft Regulatory Guide (in preparation) DG-1414, "Alternative Evaluation for Risk Insights Framework" (Ref. 5), is a companion document to this pre-decisional DG. It provides the NRC staff's guidance on the use of an Alternative Evaluation for Risk Insights (AERI) framework under the preliminary proposed 10 CFR Part 53 Framework B. Once the licensing events have been identified as described in this pre-decisional DG, DG-1414 provides potential guidance which uses these licensing events as inputs to identify and characterize the bounding event, determine a risk consequence estimate, search for severe accident vulnerabilities, identify risk insights, and assess defense-in-depth adequacy.
RG 1.200, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities (Ref. 6), provides an acceptable approach for determining whether a base Probabilistic Risk Assessment (PRA), in total or in the portions that are used to support an application, is sufficient to provide confidence in the results, such that the PRA can be used in regulatory decision-making for LWRs. When used in support of an application, this RG will obviate the need for an in-depth review of the base PRA by NRC reviewers, allowing them to focus their review on key assumptions and areas identified by the PRA peer reviewers as being of concern and relevant to the application. Consequently, RG 1.200 provides for a more focused and consistent review process.
RG 1.206, "Applications for Nuclear Power Plants," refers to the technical requirements in the Standard Review Plan, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (Ref. 7), which provides guidance to the NRC staff in performing safety reviews of LWR CP or OL applications under 10 CFR Part 50 and LWR DC, COL, SDA, and ML applications under 10 CFR Part 52.
o NUREG-0800, Section 15.0, "Introduction - Transient and Accident Analyses," guides the NRC staff in its review of licensing events, specifically including guidance to help ensure that the applicant's selection and assembly of the plant transient and accident analyses represent a sufficiently broad spectrum of transients, accidents, and initiating events.
o NUREG-0800, Section 19.0, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors, pertains to the NRC staff review of the design-specific PRA for a DC and plant-specific PRA for a COL application.
RG 1.233, "Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors" (Ref. 8), provides guidance on using a technology-inclusive, risk-informed, and performance-based methodology to inform the licensing basis and content of applications for non-light-water reactors (non-LWRs), including, but not limited to, molten salt reactors, high-temperature gas-cooled reactors, and a variety of fast reactors at different thermal capacities. This RG endorses Nuclear Energy Institute (NEI) 18-04, Revision 1, "Risk-Informed Performance-Based Guidance for Non-Light Water Reactor Licensing Basis Development" (Ref. 9), with clarifications and points of emphasis, as one acceptable method for non-LWR designers to use when selecting licensing basis events (LBEs), classifying SSCs, and assessing defense-in-depth adequacy.
Trial RG 1.247, "Acceptability of Probabilistic Risk Assessment Results for Non-Light-Water Reactor Risk-Informed Activities" (Ref. 10), describes an approach for determining whether a design-specific or plant-specific PRA used to support an application is sufficient to provide confidence in the results, such that the PRA can be used in regulatory decision-making for non-light-water reactors (non-LWRs). In this RG, the term "application" includes pre-application activities, initial licensing applications, and risk-informed applications. When used in support of an application, this RG will help reduce the need for an in-depth review of the PRA by NRC reviewers, allowing them to focus their reviews on key assumptions and areas identified as being of concern and relevant to the application and the demonstration of PRA acceptability.
Purpose of Regulatory Guides

The NRC issues RGs to describe methods that are acceptable to the staff for implementing specific parts of the agency's regulations, to explain techniques that the staff uses in evaluating specific issues or postulated events, and to provide guidance to applicants. RGs are not substitutes for regulations and compliance with them is not required. Methods and solutions that differ from those set forth in RGs are acceptable if they provide a sufficient basis for the findings required for the issuance or continuance of a permit or license by the Commission.
Paperwork Reduction Act
[The Paperwork Reduction Act statement and public protection notice will be added to this location when this pre-decisional DG is finalized in a DG.]
Public Protection Notification

The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.
B. DISCUSSION

Reason for Issuance

This pre-decisional DG provides technology-inclusive guidance for identifying a comprehensive set of licensing events without preconceptions or reliance on predefined lists (i.e., starting with a blank sheet of paper) and determining an appropriate level of information for parts of preliminary or final safety analysis reports for commercial nuclear plants. NRC regulations require that applications for a CP, OL, DC, COL, or ML include a level of design information sufficient to enable the Commission to reach a safety conclusion before issuing a permit, license, or certification. Applications for an SDA are likewise required to include information needed for NRC staff approval.

Background
The following sections discuss the terminology for licensing events, describe commercial nuclear plant licensing frameworks, review historical practices for identifying licensing events, cite recent Advisory Committee on Reactor Safeguards (ACRS) recommendations concerning the identification of licensing events, and provide the staff's perspectives on these topics.

Licensing Event Terminology

In this pre-decisional DG, the term "licensing events" is used in a generic sense to refer to collections of designated event categories such as anticipated operational occurrences (AOOs), design basis accidents (DBAs), design basis events (DBEs), beyond design basis events (BDBEs), and postulated accidents. This term does not appear, per se, in NRC regulations; however, various designated licensing event categories are identified in 10 CFR Parts 50, 52, and 53 (preliminary proposed), regulatory guidance, and the NRC Standard Review Plan as shown in Table 1.
Table 1. Licensing Event Terminology.

| Licensing Basis | Designated Licensing Event Categories |
|---|---|
| 10 CFR Parts 50 and 52 (mix of initiating events and event sequences) | Design basis events¹ (§ 50.2 definition of safety-related SSCs; § 50.49 specifies four subcategories): anticipated operational occurrences (AOOs); design basis accidents (i.e., postulated accidents); external events; natural phenomena. Non-DBA (§ 50.2, definition of safe shutdown, for station blackout (SBO) only). Beyond design basis events (BDBEs): anticipated transients without scram (ATWS); SBO. |
| Licensing Modernization Project (LMP) as presented in NEI 18-04, Rev. 1 and endorsed in RG 1.233 (event sequences) | Licensing events are collectively referred to as licensing basis events (LBEs), which include the following categories: AOOs; design basis events (DBEs); BDBEs; design basis accidents (DBAs). |
| Preliminary proposed 10 CFR Part 53, Framework A (event sequences) | Licensing events are collectively referred to as LBEs, which include the following categories: AOOs; unlikely event sequences; very unlikely event sequences; DBAs. |
| Preliminary proposed 10 CFR Part 53, Framework B (mix of initiating events and event sequences) | AOOs; DBEs; DBAs; BDBEs. |

¹ Although Parts 50 and 52 include normal operation in the design basis, the risk evaluation focuses on departures from normal operation.
Commercial Nuclear Plant Licensing Frameworks

NRC regulations provide a variety of licensing frameworks for commercial nuclear plant licensing, thus giving designers and applicants considerable flexibility while also ensuring an acceptable level of safety. The choices made by designers and applicants have implications concerning the need for exemptions from regulations, how the risk evaluation is developed, and the approach used to identify licensing events. Table 2 provides a high-level summary of the options available (or that may become available through the Part 53 rulemaking) to designers and applicants, and the implications of these options.
Table 2. Implications of Applicant Decisions on Licensing Event Identification. The first three columns are the applicant's decisions; the last three are their implications.

| Licensing Basis | Use of Risk Insights | Reactor Design | Exemptions Required | Risk Evaluation | Licensing Event Identification^a |
|---|---|---|---|---|---|
| 10 CFR Parts 50 or 52 | traditional | LWR | no | PRA | DG-1413 |
| 10 CFR Parts 50 or 52 | traditional | non-LWR | yes | PRA | DG-1413 |
| 10 CFR Parts 50 or 52 | enhanced | LWR or non-LWR | yes | PRA | RG 1.233 |
| Preliminary proposed 10 CFR Part 53, Framework A | enhanced^b | LWR or non-LWR | no | PRA | RG 1.233 |
| Preliminary proposed 10 CFR Part 53, Framework B | traditional^b | LWR or non-LWR | no | PRA or AERI^c | DG-1413 |

^a LWRs must compare the plant design to the SRP regardless of how the licensing events are identified.
^b Dictated by the choice of licensing framework.
^c Voluntary risk-informed applications require development of a PRA.
Designers and applicants choose the type of reactor (LWR or non-LWR) to be licensed and the degree to which risk insights are used to inform the licensing basis. The regulations in 10 CFR Part 50 governing the issuance of CPs and OLs and in 10 CFR Part 52 governing the issuance of DCs, SDAs, MLs, and COLs are oriented toward LWRs and in many respects are prescriptive in nature. Non-LWR designers and applicants who seek licenses, certifications, or approvals under 10 CFR Parts 50 and 52 should request and justify exemptions from applicable requirements in 10 CFR Parts 50 and 52 that need not be satisfied for the chosen reactor technology. Moreover, all designers and applicants (LWR and non-LWR) who voluntarily seek enhanced use of risk insights to inform the licensing basis (including, but not limited to, use of a risk-informed and performance-based approach to select licensing events; determine the safety classification of systems, structures, and components; and evaluate defense-in-depth adequacy as discussed in RG 1.233) should also request and justify exemptions from certain prescriptive requirements in 10 CFR Parts 50 and 52.
In contrast to 10 CFR Parts 50 and 52, the licensing frameworks provided in preliminary proposed 10 CFR Part 53 would be entirely technology-inclusive and, hence, may be used by both LWR and non-LWR designers and applicants without the need to seek exemptions. Framework A in preliminary proposed 10 CFR Part 53 would provide a voluntary risk-informed and performance-based regulatory framework that enables the enhanced use of risk insights to inform the licensing basis.
Framework B in preliminary proposed 10 CFR Part 53 would provide a voluntary traditional regulatory framework that is closely aligned with 10 CFR Part 50, 10 CFR Part 52, and international safety standards, like those published by the International Atomic Energy Agency (IAEA). Framework B in preliminary proposed 10 CFR Part 53 would also provide an option to develop an alternative evaluation for risk insights (AERI) in lieu of developing a PRA if certain entry conditions are met. Pre-decisional DG-1414, Alternative Evaluation for Risk Insights Framework, provides the NRC staffs potential guidance on the use of the AERI framework to inform the licensing basis and content of applications for LWRs and non-LWRs using what would be Framework B in preliminary proposed 10 CFR Part 53.
Designers and applicants who voluntarily seek enhanced use of risk insights to inform the licensing basis may use the guidance in RG 1.233 to identify licensing events. Otherwise, designers and applicants who seek traditional use of risk insights may use the guidance provided in this pre-decisional DG to identify licensing events. Identification of initiating events and delineation of event sequences are actions that must be performed before licensing events can be identified. To this end, this pre-decisional DG provides technology-inclusive, generic guidance for conducting the initiating event search and delineating event sequences, and that guidance can be used under any licensing framework.
Historical Perspective
In the early days of commercial nuclear power, licensing events were identified on an ad hoc basis, relying on the collective engineering judgment of designers and the regulatory staff. Edward Teller, the first chair of the Atomic Energy Commission (AEC) Reactor Safeguards Committee (1947-1949), described the process as follows (Ref. 11):
To avoid the very real and very great danger of an accidental release of radioactivity from a reactor, our committee established a simple procedure: We asked the planner of each reactor to imagine the worst possible accident and to design safety apparatus guaranteeing that it could not happen. The committee reviewed each reactor plan, trying to imagine an accident even greater than that conceived by the planner. If we could think of a plausible mishap worse than any discussed by the planner, his analysis of the potential dangers was considered inadequate.
The limitations of this ad hoc approach were recognized by the AEC regulatory staff, as described by Clifford Beck in 1959 (Ref. 12):
It is inherently impossible to give an objective definition or specification for "credible accidents" and thus the attempt to identify these for a given reactor entails some sense of futility and frustration, and, further, it is never entirely assured that all potential accidents have been examined... It should be noted parenthetically, however, that this systematic search for credible accidents often contributes substantially to the safety of a facility... In the plants finally approved for operation, there are no really credible potential accidents against which safeguards have not been provided to such extent that the calculated consequences to the public would be unacceptable.
To help standardize and expedite the review of new plant license applications, the AEC issued guidance in 1966 (Ref. 13) that provided, as examples, a list of accidents to be addressed in safety analysis reports. A plan to develop an SRP for the review of LWR applications was developed in 1969 (Ref. 14) that identified various transients and accidents, including ATWS, to be addressed in safety analysis reports. The original version of the SRP was issued in 1975 as NUREG-75/087. Sections of the SRP were subsequently revised and individually issued (annotated with revision numbers and publication dates) along with an updated table of contents that indicated the revision numbers of the currently effective sections. The SRP was reissued as NUREG-0800 in July 1981 to more completely identify the NRC requirements that are germane to each review topic, to more fully describe how the review effort determines satisfaction of the requirement, and to incorporate the large number of new and revised regulatory positions (primarily TMI-related) that had already been established; as a result, some SRP sections were added, deleted, split, and/or combined. With respect to the identification of licensing events, Chapter 15 of NUREG-0800 introduced the expectation that transients and accidents should be categorized as AOOs or postulated events according to their frequency of occurrence and type.
The staff has not developed an SRP for non-LWRs due to the perceived lack of demand and the wide variation among potential non-LWR designs. Licensing events for previously licensed non-LWRs (e.g., Peach Bottom Unit 1, Ft. St. Vrain) were identified, analyzed, and reviewed on a case-by-case basis.
ACRS Recommendations
The ACRS has discussed the importance of performing a comprehensive and systematic search for initiating events (footnote 2) and delineating a comprehensive set of event sequences to inform the design and review of new commercial nuclear plants. The following items, provided as a convenience to the user of this pre-decisional DG, summarize the advice and recommendations which have, in part, motivated the development of this pre-decisional DG.
Footnote 2: As defined in the non-LWR PRA standard (Ref. 22), an initiating event is a perturbation to the plant during a plant operating state that challenges plant control and safety systems whose failure could potentially lead to an undesirable end state and/or radioactive material release. An initiating event is defined in terms of the change in plant status that results in a condition requiring a response to mitigate the event or to limit the extent of plant damage caused by the initiating event. An initiating event may result from human causes, equipment failure from causes internal to the plant (e.g., hardware faults, flood, or fires) or external to the plant (e.g., earthquakes or high winds), or combinations thereof.
Letter concerning review of draft SECY paper, "Population - Related Siting Considerations for Advanced Reactors," October 7, 2019 (Ref. 15):
One specific caveat not raised in the draft SECY but implied in all the licensing activities for new non-LWR designs flowing out of the vision and strategy process (Ref. 16), is the need for examining new designs with a clean sheet of paper. Improvements in our ability to calculate source terms and consequences in conjunction with the inherent safety aspects of advanced designs can reduce the probability and consequences of many of the events that have historically dominated the risk at LWRs. Nevertheless, one must be sure to think carefully about the failures and combinations of failures that could occur, i.e., what could go wrong. There are many tools that can help in such a search: a simple reframing, asking how could I make this system fail; employing a search scheme similar to the Hazard and Operability Study (HAZOP) approach used in the chemical processing industry; and applying a modified failure modes and effects analysis at the system level rather than at the component level.
There is a tendency to believe in the perfection of new designs, especially when they are developed to eliminate the dominant failure scenarios in existing designs. However, one must remain vigilant and remember that nature provides surprises. There will be new accident scenarios and new combinations of events to be considered that challenge our expectation and our assumptions about these advanced reactor systems. Creative thinking will be required to identify such unique situations, to thoroughly identify the scenarios that will be the basis of the safety analysis and the source of releases, and to evaluate the suitability of sites.
Letter concerning 10 CFR Part 53 licensing and regulation of advanced nuclear reactors, October 21, 2020 (Ref. 17):
The staff should ensure that applicants compensate for novel designs with uncertainties due to incompleteness in the knowledge base by performing systematic searches for hazards, initiating events, and accident scenarios with no preconceptions that could limit the creative process.
Interim report concerning the preliminary proposed rule language for 10 CFR Part 53, "Licensing and Regulation of Advanced Nuclear Reactors," May 30, 2021 (Ref. 18):
The two recommendations in our first letter report on 10 CFR Part 53 of October 21, 2020, still apply: for novel designs with uncertainties due to incompleteness in the knowledge base, systematic searches for hazards, initiating events, and accident scenarios should be required; and a licensing pathway including additional testing and monitoring akin to prototype testing should be available.
Letter concerning RG 1.247, Acceptability of Probabilistic Risk Assessment Results for Advanced Non-Light Water Reactor Risk-Informed Activities, October 26, 2021 (Ref. 19):
Include guidance that the initial search for initiating events and scenarios should be done without preconceptions or using existing lists.
Staff Perspective
The identification of licensing events should be conducted objectively and without preconceptions or reliance on predefined lists (such as those provided in the SRP, previous applications for permits, licenses, certifications, and approvals, and previous PRAs). The use of a blank sheet of paper approach helps to avoid pitfalls such as, but not limited to:
- The unwitting or unquestioning carryover of assumptions about plant design or behavior,
- The tendency to focus on which predefined events apply (or do not apply) rather than which events are missing from the list,
- The use of predefined lists that are dated and do not reflect contemporary commercial nuclear plant design or operating experience.
In short, the identification of licensing events, conducted objectively and without preconceptions or reliance on predefined lists, helps to ensure that the final list of licensing events is comprehensive and, hence, that the plant design is appropriately analyzed and demonstrated to be safe based on the comprehensive set of licensing events.
Consideration of International Standards
The IAEA has established a series of technical reports, safety guides, and standards constituting a high level of safety for protecting people and the environment. This pre-decisional DG contains guidance similar to guidance prepared by IAEA on the identification of licensing events. This pre-decisional DG is, with the exception of technology-specific topics, generally consistent with the principles and guidance in the IAEA document series, including the IAEA documents listed below.
- Specific Safety Requirements (SSR), No. SSR-2/1, Safety of Nuclear Power Plants: Design (Ref. 20).
- Specific Safety Guide (SSG), No. SSG-2, Deterministic Safety Analysis for Nuclear Power Plants (Ref. 21).
C. STAFF REGULATORY GUIDANCE
An acceptable technology-inclusive approach for identifying commercial nuclear plant licensing events should address the following overarching principles:
- 1. Identify application-specific factors (licensing framework, plant-specific design features, and site characteristics).
- 2. Conduct a systematic and comprehensive search for initiating events.
- 3. Use a systematic process to delineate a comprehensive set of event sequences.
- 4. Group initiating events and event sequences into designated licensing event categories according to the selected licensing framework.
- 5. Provide assurance that the set of licensing events is complete.
Figure 1 presents an acceptable technology-inclusive process for identifying licensing events that addresses each of these overarching principles. The process includes the following sub-steps: setting up the project; collecting application-specific information; selecting analysis methods; performing initiating event analysis; conducting event sequence analysis; and selecting licensing events. The guidance in the following sections provides additional detail on each of these sub-steps. The first five steps apply to all licensing frameworks. The guidance on selection of licensing events in this section applies to those designers and applicants who elect to use AERI (preliminary proposed 10 CFR Part 53 Framework B) or the traditional use of the PRA (10 CFR Part 50, Part 52, or Part 53 Framework B (preliminary proposed)).
Designers and applicants who voluntarily seek enhanced use of PRA (10 CFR Part 50, Part 52, or Part 53 Framework A (preliminary proposed)), should use the guidance in RG 1.233 for the identification of licensing events.
Figure 1. Technology-Inclusive Identification of Licensing Events (Sheet 1 of 3).
Figure 1. Technology-Inclusive Identification of Licensing Events (Sheet 2 of 3).
Figure 1. Technology-Inclusive Identification of Licensing Events (Sheet 3 of 3).
C.1. Setting Up the Project
C.1.1 Select the Licensing Framework (Box 1, Principle #1)
As shown in Tables 1 and 2, the choice of licensing framework influences the technology-inclusive process for identifying licensing events. Specifically, the licensing framework determines:
- The appropriate licensing event categories to be used,
- Whether a PRA will be developed, and
- How risk insights from the PRA will be used.
The choice of licensing framework is a complex decision made by applicants; accordingly, this pre-decisional DG does not provide any associated guidance.
C.1.2 Assemble A Multi-Disciplinary Team (Box 2, Principle #5)
To help ensure that (1) the identification of licensing events is conducted objectively and without preconceptions or reliance on predefined lists, and (2) the final list of licensing events is comprehensive, a team should be assembled that provides familiarity with the following disciplines:
- Licensing
- Plant design details
  - Reactor
  - Spent fuel
  - Structures
  - Mechanical systems
  - Electrical systems
  - Instrumentation and control systems
  - Siting
- Plant operations
  - Concept of operations
  - Plant operating states
- Reactor physics
- Thermal-hydraulic analysis
- Reliability engineering and/or PRA methods
- Expertise in the selected methods of analysis
- Expertise in disciplines unique to the chosen technology
A single individual may provide expertise in more than one discipline; however, the team should be composed of at least three people in order to provide a suitably broad and unbiased perspective.
C.2. Collecting Application-Specific Information
C.2.1 Collect Information on Plant Design, Plant Operating States, and Site Characteristics (Box 3, Principle #1)
To support the analysis of initiating events, event sequences, and licensing events, all the relevant information regarding plant design, operating states and, if the site has been selected, site characteristics should be collected and made available to the analysis team. For a DC, SDA, or ML, or if the applicant has not yet selected a site, postulated site parameters take the place of site characteristics. The level of information should be consistent with the level of detail of the design information available and be sufficient to facilitate the search for initiating events and the analysis of plant response to support event sequence delineation.
C.2.2 Identify Radiological Sources and Transport Barriers from the Source to the Environment (Box 4, Principle #1)
The identification of all significant radiological sources should involve first a search for and review of all possible plant operating states, including refueling outages, other controlled shutdowns, and forced outages. Depending on the design, significant inventories of radioactive material may be re-located during operation or plant shutdown. The search should consider all radiological sources within the plant including, but not limited to, each reactor core and non-reactor-core source, such as spent fuel in the spent fuel storage system, online fuel or salt processing systems (for molten salt reactors), radioactive waste systems and other process systems with radioactive material (e.g., radioactive material circulating or plated out within the reactor coolant boundary, spent fuel in the spent fuel storage system, fuel/salt processing systems, radioactive waste systems).
For each identified source, the barriers that can prevent the release of radioactive material to the environment (e.g., reactor building, containment, or confinement) should be identified to support the development of event sequences.
C.2.3 Identify Chemical Hazards (Box 5, Principle #1)
In addition to the search for radiological sources, a search for chemical hazards should be performed. Chemical hazards in scope are those chemical hazards that are combined with a radiological hazard or which can impact the plant response to an initiating event or can affect the properties of the radiological release. Pure chemical sources are outside the scope.
C.2.4 Define Analysis Scope and Level of Detail of the Event Sequence Delineation (Box 6, Principle #3)
The task of identifying initiating events and event sequences should begin with a clear understanding of the objectives of the analysis. The objectives should state whether a PRA is intended to be developed or the AERI framework is to be followed. These objectives, in turn, will be used to define the depth of the analysis.
C.2.5 Identify Plant-Specific Safety Functions (Box 7, Principle #1)
Having identified the radiological sources and the inherent and chemical hazards, the plant-specific safety functions that need to be performed in order to prevent radiological releases should be identified, followed by the identification of systems and operator actions needed to perform each safety function.
Safety functions are those functions performed to control the sources of energy in the plant and the radiation hazards. The concept of safety functions forms the basis for selecting initiating events and delineating potential plant responses. Generally, safety functions are defined by a group of actions that prevent fuel damage, prevent containment/confinement failure, or minimize radionuclide releases. Such actions can result from the automatic or manual actuation of a system, from passive system performance, or from the natural feedback inherent in the design of the plant.
Safety functions can be defined in many ways, depending on the plant type, the system design, the timing of system responses, and the goal of the analysis. Typically, safety functions can be considered within a certain hierarchical framework. Reactivity control is the foremost function because the amount of heat that must be removed from the core depends on how well this function is accomplished. Next are the functions for appropriately cooling the fuel. Other safety functions may include shutting down, maintaining subcriticality, and confinement of radioactive releases.
Defining the necessary safety functions forms the preliminary basis for grouping accident-initiating events and provides the structure for defining and grouping systems in order to define a complete set of system responses and interactions for each group of initiating events. Additional distinction may be needed in the definition of safety functions to differentiate between groups of initiating events.
Following the definition of the safety functions, the systems needed to perform each safety function should be identified, along with associated success criteria and operator actions needed to perform the safety function. Specific success criteria for each safety function or system that performs safety or support functions should be specified. Typically, success criteria specify the minimum criteria for each function to prevent a radiological release, given an initiating event. The derivation of success criteria should be based on acceptable engineering analyses, performed with validated computer codes, by qualified personnel, and represent the design and operation of the plant under consideration. For a safety function to be successful, the success criteria may be dependent on the initiator and the conditions created by the initiator.
If a PRA is being developed and peer reviewed in accordance with RG 1.200 (for LWRs) or RG 1.247 (for non-LWRs), the derivation of success criteria is specified in the corresponding PRA standard.
C.2.6 Define Plant-Specific End States (Box 8, Principle #1)
The end states for event sequences should be defined in order to support event sequence delineation and selection. The end state of each accident sequence should correspond to either a release of radioactive material or to a safe stable state in which each safety function is fulfilled, and a radioactive release has been prevented. Definition of a safe stable state should be specified.
C.3. Analysis Methods Selection
C.3.1 Select Initiating Event Identification Methods (Box 9, Principle #2)
The identification methods used to search for initiating events are key to conducting a search that is systematic, comprehensive, exhaustive, and without preconceptions or reliance on predefined lists (i.e., starting with a blank sheet of paper). The identification methods could involve a number of different approaches including the following:
- Analytical methods such as hazard and operability studies, failure mode and effects analysis, or other relevant methods for plant SSCs to determine whether their failures, either partial or complete, could lead to an initiating event.
- Deductive analyses such as master logic diagrams to determine the elementary failures or combinations of elementary failures that would challenge normal operation and lead to an initiating event.
Appendix A to this pre-decisional DG summarizes known approaches for conducting the search for initiators and delineating event sequences. Other approaches may be used with sufficient explanation and technical justification.
Using a combination of different methods should be considered, especially for new designs with little or no operating experience, in order to gain confidence that the list of initiating events is as comprehensive and exhaustive as possible.
C.3.2 Define Initiating Event Grouping Strategy and Characteristics (Box 10, Principle #2)
After identifying all initiating events, initiating events should be grouped to reduce the number of analyzed initiating events to a manageable and representative selection of initiating events that supports efficient development of relevant event sequences. A strategy for initiating event grouping should be established to support a systematic structured process for grouping. The strategy chosen may depend on the intended scope and depth of the analysis, but generally, initiating events grouping can be based on similarity in plant response, the radioactive barriers that prevent the releases, the mitigating systems involved, associated success criteria, timing, or the effect on performance of operators. Alternatively, the initiating events can be bounded by the worst-case impacts within the group.
C.3.3 Select Event Sequence Delineation Analytical Methods (Box 11, Principle #3)
Following the identification and grouping of the initiating events, applicants should determine the response of the plant to each group of initiating events in order to develop event sequences. The methods needed to perform this task should be clearly identified. The methods can include event sequence diagrams, event trees, or other methods.
Event trees are one method to order and depict safety functions according to the mitigation goals of each group of initiating events. For each safety function, the systems needed to successfully perform the function should be identified and documented. Depending on plant design, a safety function can be performed by one or more systems, some systems may perform more than one function or portions of several functions, and the systems that perform a certain function may be different for different initiators.
Because each initiating event group generates a distinctly different plant response, as discussed in C.3.2, function event trees should be developed for each initiating event group.
Event sequence diagrams similarly order and depict safety functions according to the mitigation goals of each initiating event group. An event sequence diagram is a graphical tool used to illustrate all possible success paths from a particular initiating event to a safe shutdown condition.
C.4. Initiating Event Analysis
C.4.1 Apply Initiating Event Identification Methods (Box 12, Principle #2)
The objectives of the initiating event analysis are to identify and characterize events that challenge plant operation during any plant operating state, that require successful mitigation by plant equipment, and that require personnel to prevent or to mitigate a release of radiological material. The characteristics and attributes needed to achieve the objectives of an initiating event analysis are as follows:
- The analysis includes sufficiently detailed identification and characterization of initiating events.
- Initiating events are grouped so that events in the same group have similar requirements for mitigation.
- Any individual or grouped initiating events are properly screened.
The initiating event analysis necessitates a structured, systematic process and accounts for plant- or design-specific features. The methods identified in step C.3.1 above should be applied to identify all possible initiating events. A complete consideration of all initiating events is necessary, and the initiating event analysis should include both internal and external hazards for all radiological sources and for all operating modes. Additionally, the analysis should consider scenarios that simultaneously affect multiple reactor modules or radiological sources at the plant.
When screening out initiating events from further consideration, a technical basis should be provided that accounts for design and operational uncertainties.
If a PRA is being developed and peer reviewed in accordance with RG 1.200 (for LWRs) or RG 1.247 (for non-LWRs), the guidance on identification of initiating events for a PRA in the corresponding RG and associated PRA standard should be followed.
C.4.2 Apply Initiating Event Grouping Strategy (Box 13, Principle #2)
After identifying all initiating events, the initiating event grouping should be conducted using the process and criteria established in step C.3.2. Grouping should be performed such that events in the same group have similar mitigation requirements in order to facilitate an efficient analysis of event sequences and the subsequent derivation of licensing events.
If a PRA is being developed and peer reviewed in accordance with RG 1.200 (for LWRs) or RG 1.247 (for non-LWRs), the guidance on initiating events grouping in the corresponding RG and associated PRA standard should be followed.
C.4.3 Account for Relevant Operating Experience and Insights from Earlier Relevant Analyses in the Initiating Event Search (Box 14, Principle #5)
To ensure that the final list of initiating events is comprehensive, a review of any relevant operating experience should be performed to ensure that any initiating events that have occurred are included in the list of initiating events. Additionally, a review of any prior relevant initiating event analyses performed for other designs should be conducted to ensure that any possible insights are considered and captured in the initiating event list.
C.4.4 Conduct an Independent Review and Complete Quality Assurance (QA) Activities for the Initiating Event Search (Box 15, Principle #5)
The process and results of the initiating event search should be independently reviewed to help assure that the list of initiating events is complete. If a PRA is developed and peer reviewed in accordance with RG 1.200 (for LWRs) or RG 1.247 (for non-LWRs), then completion of a peer review and disposition of its facts and observations (F&Os) will satisfy the staff's expectations concerning the independent review.
Since the systematic and comprehensive search for initiating events is used, in part, to inform the selection of licensing events, it should be developed under the relevant QA program for the selected licensing framework.
C.5. Event Sequence Analysis
C.5.1 Apply Selected Event Sequence Delineation Analytical Methods (Box 16, Principle #3)
Similar to the initiating event search and grouping, the event sequence analysis should follow a structured, systematic process. The event sequence analysis should describe the scenarios that can lead to the release of radioactive material following each identified initiating event for all plant operating states and sources of radioactive material. These scenarios should address system responses and operator actions that support the key safety functions necessary to protect the radionuclide barriers and to prevent or mitigate the release of radioactive material. The event sequences should account for the systems that are used (and available) and operator actions performed to mitigate the initiator, based on the defined success criteria, plant operating procedures, and training. The availability of a system includes consideration of the functional, phenomenological, and operational dependencies and interfaces between the various systems and operator actions during the accident progression.
If a PRA is being developed and peer reviewed in accordance with RG 1.200 (for LWRs) or RG 1.247 (for non-LWRs), the guidance on event sequence analysis for a PRA in the corresponding RG and associated PRA standard should be followed.
C.5.2 Account for Relevant Operating Experience and for Insights from Earlier Analyses of Similar Designs in the Event Sequence Delineation (Box 17, Principle #5)
A review of the operating experience of similar plant designs, if any, and any event sequence analyses performed for similar designs should be conducted to ensure that any possible insights are considered in the event sequence delineation.
C.5.3 Conduct an Independent Review and Complete QA Activities for the Event Sequence Delineation (Box 18, Principle #5)
The process and results of the event sequence delineation should be independently reviewed to help assure that the list of initiating events is complete. If a PRA is being developed and peer reviewed in accordance with RG 1.200 (for LWRs) or RG 1.247 (for non-LWRs), then completion of a peer review and disposition of its F&Os will satisfy the staff's expectations concerning the independent review.
Since the systematic and comprehensive event sequence delineation is used, in part, to inform the selection of licensing events, it should be developed under the relevant QA program for the selected licensing framework.
C.6. Defining Licensing Events
C.6.1 If a PRA Is Being Developed, Provide the List of Initiating Events and Event Sequences to the PRA (Boxes 19 and 20, Principle #1)
If the designer or applicant develops a PRA consistent with the regulatory framework for either the traditional use of PRA (under 10 CFR Part 50, Part 52, or Part 53 Framework B (preliminary proposed)) or the enhanced use of PRA (under 10 CFR Part 50, Part 52, or Part 53 Framework A (preliminary proposed)), the initiating events and event sequences are integral to the development of the PRA models and, as such, should be provided as inputs to the PRA.
C.6.2 Identify Required Categories of Licensing Events for the Selected Licensing Framework (Box 21, Principle #1)
Once the list of event sequences has been completed, the designer or applicant should identify categories of licensing events consistent with the selected licensing framework. Table 1 summarizes the licensing event terminology for the various licensing frameworks. Table 2 provides a high-level summary of the choices available to designers and applicants for the use of risk insights: enhanced use of PRA, traditional use of PRA, and the alternative evaluation for risk insights (AERI).
Designers and applicants who voluntarily seek enhanced use of PRA (10 CFR Part 50, Part 52, or Part 53 Framework A (preliminary proposed)), should use the guidance in NEI 18-04 as endorsed by RG 1.233 for the identification of licensing events.
The following sections of this pre-decisional DG (specifically, sections C.6.3 through C.6.7) apply to those designers and applicants who elect to use AERI (preliminary proposed 10 CFR Part 53 Framework B) or the traditional use of the PRA (10 CFR Part 50, Part 52, or Part 53 Framework B (preliminary proposed)).
C.6.3 Define the Licensing Event Grouping Strategy and Its Characteristics (Box 22, Principle #4)
Once the categories of licensing events have been identified, the event sequences should be grouped and mapped into the defined licensing event categories. The designers and applicants should define the strategy for grouping event sequences. There are many ways grouping can be accomplished.
DG-1413, Page 26
The events can be grouped by frequency, which can be estimated quantitatively or qualitatively. The events can also be grouped by type of event, which considers aspects such as plant response following the initiating events, the similarity of challenges to the safety functions, or similarity in pathways that could lead to the release of radioactive material to the environment.
C.6.4 Apply the Licensing Event Grouping Strategy (Box 23, Principle #4)
Licensing events should be identified using the results of the initiating event search, event sequence delineation, and grouping strategy. All identified event sequences should be mapped to a licensing event category; no event sequences should be eliminated.
C.6.5 Identify the Limiting Cases for Each Group of Licensing Events (Box 24, Principle #4)
A number of limiting cases, referred to as bounding or enveloping scenarios, should be selected from each group of licensing events. The bounding or enveloping scenario(s) should be chosen so that, individually or collectively, they account for the greatest possible challenges and the limiting values of the performance parameters of safety-related equipment among the scenarios within the group. Several initiating events may be combined, and/or their consequences amplified, to develop a bounding scenario that encompasses all possible initiating events in the group.
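The grouping, mapping and limiting-case steps of C.6.3 through C.6.5 can be exercised on a small set of event sequences. The following Python is an added example written for this edit; it is not NRC code and is not part of this DG. The category names, the frequency bin edges, the sequence identifiers and the consequence values are constructed assumptions (the DG prescribes no thresholds); only the procedure itself follows the text: bin each sequence by frequency, confirm that no sequence is dropped in the mapping, and select the limiting case within each group.

```python
"""Grouping event sequences into licensing-event categories by frequency.

Added illustration for C.6.3 through C.6.5 of this pre-decisional DG.  It is
not NRC code, and the DG prescribes no frequency thresholds: the bin edges
below are constructed for the example only.
"""
from dataclasses import dataclass
from itertools import product  # unused here; kept out of the helpers on purpose

# Constructed category names and lower bin edges (events per plant-year),
# ordered from most to least frequent.  The last bin is open-ended.
FREQUENCY_BINS = [
    ("AOO", 1e-2),   # frequency >= 1e-2/yr            (assumption)
    ("DBE", 1e-4),   # 1e-4/yr <= frequency < 1e-2/yr  (assumption)
    ("BDBE", 0.0),   # everything less frequent        (assumption)
]


@dataclass(frozen=True)
class EventSequence:
    ident: str
    frequency: float     # mean frequency per plant-year (constructed)
    consequence: float   # consequence measure, e.g. dose (constructed)


def category_for(frequency):
    """Return the category whose frequency bin contains `frequency`."""
    if frequency < 0:
        raise ValueError("frequency must be non-negative")
    for name, lower_edge in FREQUENCY_BINS:
        if frequency >= lower_edge:
            return name
    raise AssertionError("last bin is open-ended; unreachable")


def group_sequences(sequences):
    """Map every event sequence to exactly one category (C.6.4).

    Every category key is present even when its group is empty, so a
    reviewer can see at a glance which categories are populated.
    """
    groups = {name: [] for name, _ in FREQUENCY_BINS}
    for seq in sequences:
        groups[category_for(seq.frequency)].append(seq)
    return groups


def check_no_sequence_eliminated(sequences, groups):
    """C.6.4: no sequence may be dropped, so the identifiers found in the
    groups must be exactly the identifiers that went in."""
    mapped = sorted(s.ident for members in groups.values() for s in members)
    original = sorted(s.ident for s in sequences)
    return mapped == original


def limiting_case(group):
    """C.6.5: the sequence with the most severe consequence in a group, or
    None for an empty group."""
    if not group:
        return None
    return max(group, key=lambda s: s.consequence)


# Constructed sample sequences; identifiers and values are invented.
SAMPLE_SEQUENCES = [
    EventSequence("ES-01", 5e-1, 0.1),
    EventSequence("ES-02", 2e-2, 0.5),
    EventSequence("ES-03", 3e-3, 2.0),
    EventSequence("ES-04", 1e-4, 4.0),
    EventSequence("ES-05", 7e-6, 25.0),
]


def summarize(sequences=SAMPLE_SEQUENCES):
    """Return {category: identifier of its limiting case, or None}."""
    groups = group_sequences(sequences)
    if not check_no_sequence_eliminated(sequences, groups):
        raise RuntimeError("an event sequence was lost during grouping")
    return {name: (limiting_case(members).ident if members else None)
            for name, members in groups.items()}


if __name__ == "__main__":
    for category, ident in summarize().items():
        print(f"{category}: limiting case {ident}")
```

The completeness check is the point of the example: a grouping strategy that silently discards a sequence (for instance by using bins that do not cover the whole frequency range) fails the C.6.4 requirement, and the check makes that failure visible before the limiting cases are chosen.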
C.6.6 Compare the List of Licensing Events to Predefined Lists (Box 25, Principle #5)
To ensure that all relevant licensing events have been considered, the licensing event list should be compared with that for similar plants or types of plants and, for LWRs, with the Standard Review Plan.
Any identified differences should be justified.
C.6.7 Conduct an Independent Review and Complete QA Activities for the Licensing Event Identification (Box 26, Principle #5)
The process and results of the licensing event identification should be independently reviewed to ensure that the list of licensing events is complete. The list of licensing events should be developed under the relevant QA program for the selected licensing framework.
C.7. Documentation
For those designers or applicants who elect to use AERI (preliminary proposed 10 CFR Part 53 Framework B) or the traditional use of the PRA (10 CFR Part 50, Part 52, or Part 53 Framework B (preliminary proposed)), documentation of the analysis for identification of licensing events should be sufficient to allow the staff to determine the acceptability of the analysis and the results. Thus, the documentation should include the information necessary for the staff to gain a full understanding of the technical bases of the analysis and the establishment of the licensing basis. This documentation should include information on the methods of analysis used, the initiating event analysis and results, the event sequence analysis and results, and the resulting list of licensing events.
Documentation should be archived and be preserved as lifetime quality records.
Submittal documentation should follow the application-specific guidance under the selected regulatory framework.
D. IMPLEMENTATION
If the NRC staff should publish a DG on the topics discussed in this pre-decisional DG, then the NRC staff would explain in this section of the DG how the NRC would use the final RG in its regulatory processes. The NRC would also describe its use of the final RG in the context of the backfitting provisions of Parts 50 and 53 (preliminary proposed), the issue finality provisions of Parts 52 and 53 (preliminary proposed), and the forward fitting provisions of NRC Management Directive 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests (Ref. 23).
DG-1413, Page 29 REFERENCES3
- 1.
U.S. Code of Federal Regulations (CFR) Domestic Licensing of Production and Utilization Facilities, Part 50, Chapter 1, Title 10, Energy.
- 2.
CFR Licenses, Certifications, and Approvals for Nuclear Power Plants, Part 52, Chapter 1, Title 10, Energy.
- 3.
CFR Risk-Informed, Technology-Inclusive Regulatory Frameworks for Commercial Nuclear Plants, Part 53, Chapter 1, Title 10, Energy.
- 4.
U.S. Nuclear Regulatory Commission (NRC), Policy Statement on the Regulation of Advanced Reactors (73 FR 60612, October 14, 2008).
- 5.
Pre-decisional Draft Regulatory Guide/DG-1414, Alternative Evaluation for Risk Insights Framework.
- 6.
NRC, RG 1.200, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities.
- 7.
NRC, NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition. (Available at https://www.nrc.gov/reading-rm/doccollections/nuregs/staff/sr0800/).
- 8.
NRC, RG 1.233, Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors.
- 9.
Nuclear Energy Institute (NEI) 18-04, Risk-Informed Performance-Based Technology-Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development, Revision 1, August 2019.
(ADAMS Accession No. ML19241A472).
- 10.
NRC, RG 1.247, TRIAL - Acceptability of Probabilistic Risk Assessment Results for Non-Light Water Reactor Risk-Informed Activities.
- 11.
Teller, Edward with Allen Brown, The Legacy of Hiroshima, Double Day & Company, Garden City, NY, 1964.
- 12.
Beck, Clifford K., TID-7579, Safety Factors to be Considered in Reactor Siting, Sixth International Congress and Exhibition of Electronics and Atomic Energy, Rome, Italy, 1959.
3 Publicly available NRC published documents are available electronically through the NRC Library on the NRCs public Web site at http://www.nrc.gov/reading-rm/doc-collections/ and through the NRCs Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html The documents can also be viewed online or printed for a fee in the NRCs Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at 301-415-4737 or (800) 397-4209; fax (301) 415-3548; or e mail pdr.resource@nrc.gov.
DG-1413, Page 30 (Available at https://www.osti.gov/biblio/4200786-sixth-international-congress-exhibition-electronics-atomic-energy-rome-italy-june-papers).
- 13.
Atomic Energy Commission (AEC), A Guide for the Organization and Contents of Safety Analysis Reports, June 30, 1966. (ADAMS Accession No. ML11255A064).
- 14.
Morris, P. L. (Director, AEC Division of Reactor Licensing), Plan to Develop a Standardized Review Plan, December 19, 1969. (ADAMS Accession No. ML19308B888).
- 15.
Advisory Committee on Reactor Safeguards (ACRS) Letter Report, Review of Draft SECY Paper, Population - Related Siting Considerations for Advanced Reactors, October 7, 2019.
(ADAMS Accession No. ML19277H031).
- 16.
U.S. Nuclear Regulatory Commission, "NRC Vision and Strategy: Safely Achieving Effective and Efficient Non-Light Water Reactor Mission Readiness," December 21, 2016 (ML16356A670).
- 17.
ACRS Letter Report, 10 CFR Part 53 Licensing and Regulation of Advanced Nuclear Reactors, October 21, 2020. (ADAMS Accession No. ML20091L698).
- 18.
ACRS Letter Report, Preliminary Proposed Rule Language for 10 CFR Part 53, Licensing and Regulation of Advanced Nuclear Reactors, Interim Report, May 5, 2021. (ADAMS Accession No. ML21140A354).
- 19.
ACRS Letter Report, Regulatory Guide 1.247, Acceptability of Probabilistic Risk Assessment Results for Advanced Non-Light Water Reactor Risk-Informed Activities, October 26, 2021.
(ADAMS Accession No. ML21288A018).
- 20.
IAEA, Specific Safety Requirement (SSR) SSR-2/1, Safety of Nuclear Power Plants: Design.
- 21.
IAEA, Specific Safety Guide (SSG) SSG-2, Deterministic Safety Analysis for Nuclear Power Plants.
- 22.
ASME/ANS RA-S-1.4-2021, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants, American Society of Mechanical Engineers and American Nuclear Society, New York, NY, 2021.
- 23.
NRC Management Directive 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests.
APPENDIX A
COMPREHENSIVE SEARCH FOR INITIATING EVENTS
Identification of initiating events is the first step that needs to be performed prior to the identification of licensing events. This Appendix provides technology-inclusive, generic guidance for conducting an initiating event search that can be used under any licensing framework.
Identification of initiating events (IEs) is the starting point for the safety assessment of nuclear power plants. Having a reasonably complete set of IEs is crucial in determining which events could propagate to undesirable consequences and in assessing the overall plant risk. A blended and robust approach that uses multiple methods to identify IEs increases confidence that the resulting list of IEs is as complete as possible and that all foreseeable IEs are reasonably captured. A set of IEs generated from different perspectives using different methods (tools) yields a high degree of confidence that risk-significant IEs have been identified and evaluated.
An IE is defined as an occurrence that challenges plant control and safety systems and whose failure could potentially lead to an undesirable end state or radioactive material release. IEs are categorized into internal hazards and external hazards. The internal hazards include internal events, internal floods, and internal fires, while external hazards include seismic events, high winds, external floods, and other external hazards. The American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS) non-LWR PRA standard, ASME/ANS RA-S-1.4-2021 (Ref. A-1), as endorsed by RG 1.247 (Ref. A-2), provides a typical list of internal and external hazards. Table HS-2 of the PRA standard lists hazards compiled from a review of industry studies such as NUREG/CR-2300 (Ref. A-3), NUREG-1407 (Ref. A-4), IAEA SSG-3 (Ref. A-5), and Electric Power Research Institute (EPRI) 1022997 (Ref. A-6).
Although Table HS-2 identifies the potential hazards for preliminary consideration, the table does not explicitly list the internal events, internal floods, and internal fires. Therefore, a comprehensive effort with a thorough systematic search using appropriate methods should be performed to exhaustively identify and evaluate IEs to account for design-specific factors.
Identification of the IEs is an iterative process. The search for IEs is not a one-time activity but involves iterations that are generally commensurate with the design development process that starts with a conceptual design. As the design matures and the understanding of the design and operation of the plant increases, the search for IEs continues and the list of IEs is further refined and iteratively updated. The set of IEs should be revisited throughout the plant life to reflect the as-built and as-operated conditions.
There are many existing sources of literature and guidance regarding the search for IEs and the methods used for identifying the IEs. One of these guidance documents is NUREG-1513, Integrated Safety Analysis Guidance Document, (Ref. A-7), which provides general guidance to fuel cycle licensees and applicants on how to perform an integrated safety analysis (ISA) and document the results.
Another guidance document on the methods used to identify IEs is NUREG-0492, Fault Tree Handbook (Ref. A-8), which discusses the basic concepts of inductive and deductive techniques, specifically the fault tree method. Other guidance documents, studies, and papers on identifying hazards and conducting hazard evaluations that are worth noting are the following:
Nuclear Regulatory Commission (NRC), PRA Procedures Guide, NUREG/CR-2300, Washington, DC, 1983.
NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, Washington, DC, 1990 (Ref. A-9).
NRC, Good Practices for Implementing Human Reliability Analysis, NUREG-1792, Washington, DC, April 2005 (Ref. A-10).
NRC, Evaluation of Human Reliability Analysis Methods Against Good Practices, NUREG-1842, Washington, DC, 2006 (Ref. A-11).
NRC, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities, RG 1.200, Revision 3, Washington, DC, 2020 (Ref. A-12).
NRC, The General Methodology of an Integrated Human Event Analysis System (IDHEAS-G), NUREG-2198, Washington, DC, 2021 (Ref. A-13).
NRC, Acceptability of Probabilistic Risk Assessment Results for Non-Light-Water Reactor Risk-Informed Activities, RG 1.247, Washington, DC, 2022 (Ref. A-2).
NRC and Canadian Nuclear Safety Commission (CNSC), Joint Report on Terrestrial Energy's Methodology for Developing a Postulated Initiating Events List for the Integral Molten Salt Reactor, Joint Report, 2022 (Ref. A-14).
International Atomic Energy Agency (IAEA), Defining Initiating Events for Purposes of Probabilistic Safety Assessment, IAEA-TECDOC-719, Vienna, Austria, 1993 (Ref. A-15).
IAEA, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, Safety Standard Series, No. SSG-3, Vienna, Austria, 2010 (Ref. A-16).
International Electrotechnical Commission (IEC), Risk Management - Risk Assessment Techniques, International Standard IEC 31010, Geneva, Switzerland, 2019 (Ref. A-17).
American Society of Mechanical Engineers (ASME) and American Nuclear Society (ANS), Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME/ANS RA-Sa-2009, New York, NY, 2009 (Ref. A-18).
ASME and ANS, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants, ASME/ANS RA-S-1.4-2021, New York, NY, 2021 (Ref. A-19).
Center for Chemical Process Safety (CCPS), Guidelines for Hazard Evaluation Procedures, John Wiley & Sons, Inc. and the American Institute of Chemical Engineers (AIChE), New York, NY, 2008 (Ref. A-20).
CCPS, Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, AIChE, New York, NY, 2015 (Ref. A-21).
Electric Power Research Institute (EPRI), Hazard Analysis Methods for Digital Instrumentation and Control Systems, Report 3002000509, Palo Alto, CA, 2013 (Ref. A-22).
EPRI, Compilation of Molten Salt Reactor Experiment (MSRE) Technical, Hazard, and Risk Analyses: A Retrospective Application of Safety-in-Design Methods, Technical Report 3002018340, Palo Alto, CA, 2020 (Ref. A-23).
Idaho National Engineering and Environmental Laboratory (INEEL), Rates of Initiating Events at U.S. Nuclear Power Plants: 1987 - 1995, NUREG/CR-5750, Idaho Falls, Idaho, 1999 (Ref. A-24).
Vladimir Popović, Branko Vasić, Review of Hazard Analysis Methods and Their Basic Characteristics, FME Transactions, Vol. 36, 2008 (Ref. A-25).
B. Chisholm, S. Krahn, K. Fleming, A systematic approach to identify initiating events and its relationship to Probabilistic Risk Assessment: demonstrated on the Molten Salt Reactor Experiment, Progress in Nuclear Engineering, Vol. 129, 2020 (Ref. A-26).
For the IE search, the combination of a deductive technique with an inductive technique has been found to be effective in ensuring the completeness of the IE set. The set of IEs can be further refined by performing a human reliability analysis (HRA) to identify potential human-induced events. In addition, comparing the IE set to generic lists of IEs and to operational experience (OE) provides high confidence that IEs have been comprehensively identified. The choice of deductive and inductive methods, or combination of methods, depends on a number of factors, including the reason for conducting the analysis, the results needed from the analysis, the information available, the complexity of the process being analyzed, the personnel and experience available to conduct the analysis, and the perceived risk of the process. Therefore, given the availability of numerous methods, it is not necessary to rely exclusively on any specific one for the IE search.
Inductive Techniques
The inductive techniques provide answers to the generic question "What happens if ...?" More formally, reasoning from the specific to the general, the inductive process starts by assuming a particular state of a component and then examines the effects of that condition on the system.
Attempts to identify all possible hazards or all possible component failure modes, both singly and in combination, are challenging for complex systems. For this reason, the inductive techniques are generally circumscribed by considerations of time, budget, and manpower.
Induction constitutes reasoning from individual cases to a general conclusion. An inductive technique assumes some possible condition and tries to determine the corresponding effect on the overall system. For example, in constructing an inductive system analysis, one would postulate a particular fault or initiating condition and attempt to ascertain the effect of that fault or condition on system operation. In short, inductive methods are applied to determine what failed states are possible. These methods should be carried out by a suitably experienced multi-disciplinary team and followed up by an independent review. Many inductive methods have been developed, for example:
Double Failure Matrix (DFM)
Failure Mode and Effect Analysis (FMEA)
Failure Mode Effects and Criticality Analysis (FMECA)
Fault Hazard Analysis (FaHA)
Functional Hazard Analysis (FuHA)
Hazard and Operability Analysis (HAZOP)
Preliminary Hazard Analysis (PHA).
The most common and well-developed ones among them are FMEA, HAZOP, and PHA.
Failure Mode and Effect Analysis (FMEA)
The ASME/ANS PRA standard defines FMEA as a process for identifying failure modes of specific components and evaluating their effects on other components, subsystems, and systems. As discussed in NUREG-2122 (Ref. A-27), FMEA is generally used to identify IEs for a new plant design with no operational history or failure data. FMEA is aimed at analyzing the effects of a single component or function failure on other components, systems, and subsystems. FMEA can be useful in identifying IEs that involve support system failures and their expected effects on the plant, especially on mitigating systems.
NUREG/CR-6962 (Ref. A-28) describes FMEA as a well-known method used to identify the failure modes of a system and their effects or consequences upon it. In this technique, failure modes can be categorized according to how serious their consequences are, how frequently they occur, and how easily they can be detected.
EPRI Report 3002000509 states that FMEA is a step-by-step approach for identifying possible failures in a design, process, or product. Failure modes are the ways, or modes, in which something might fail to meet a specified functional or performance characteristic. Effects analysis refers to studying the consequences of those failures. The EPRI report also identifies some limitations of FMEA, as follows:
Common cause failures - It is difficult to postulate and consider the effects of potential common cause failures (CCFs). The focus on single failures also limits consideration of adverse interactions between systems or components, including human interactions.
Software hazards - The FMEA method typically considers hardware failures only, where it can be applied effectively. To date, methods for identifying software failures and determining their effects are still a research problem, especially since there is no clear industry and regulatory consensus on the meaning of software failure.
Dependent on analysis boundary - The FMEA method is useful for analyzing failure modes and effects between components of interest and between interfacing systems and components. However, it may not assess the effects of all interfaces if the boundary is not drawn correctly or if the block diagram does not account for all interfaces that actually cross the boundary in the implemented system.
Coverage of other hazards - Because the FMEA method is a bottom-up method focused on single failures of equipment, it does not systematically identify the wider range of hazards that can lead to accidents or losses, such as requirements errors, human errors, or adverse interactions between components that have not failed.
Hazard and Operability Analysis (HAZOP)
NUREG-1513 states that the HAZOP method provides a detailed framework for studying each process, line by line, in an exhaustive manner. Each process variable (such as flow, temperature, pressure), a description of deviations from normal values, potential consequences of these deviations, and existing controls, are recorded.
EPRI Report 3002000509 describes the HAZOP method as a systematic review of a process, using guide words, to visualize the ways in which a system can malfunction. The HAZOP analysis searches for possible deviations from the design intent that can occur in components, operator or maintenance technician actions, or material elements (e.g., air, water, steam), and determines whether the consequences of such deviations can result in hazards. The EPRI report quoted from IEC Document 61882-2001 (Ref. A-29) states that HAZOP is a structured and systematic technique for examining a defined system, with the objective of (1) identifying potential hazards in the system; and (2) identifying potential operability problems with the system and in particular identifying causes of operational disturbances and production deviations.
A characteristic feature of a HAZOP study is the examination session during which a multi-disciplinary team under the guidance of a study leader systematically examines all relevant parts of a design or system. It identifies deviations from the system design intent utilizing a core set of guide words.
The technique aims to stimulate the imagination of participants in a systematic way to identify hazards and operability problems. The EPRI report also quoted from IEC 61882-2001 on the limitations of HAZOP method as follows:
Interactions between systems or parts of a system - HAZOP is a hazard identification technique which considers system parts individually and methodically examines the effects of deviations on each part. The hazard may need to be studied in more detail using techniques such as event tree and fault tree analyses if it involves the interaction between a number of parts of the system.
Trained facilitator - It is difficult to navigate the HAZOP process without a facilitator. A trained facilitator helps the team recognize the error traps created by their own mindsets.
Preliminary Hazards Analysis (PHA)
NUREG-0492 describes PHA as a method for assessing the potential hazards posed by a system. The objectives of a PHA are to identify the potentially hazardous conditions inherent within the system and to determine the significance or criticality of the potential accidents that might arise. A PHA study should be conducted as early in the development stage as possible, because this permits the early development of design and procedural safety requirements for controlling these hazardous conditions.
The first step in a PHA is to identify potentially hazardous elements or components within the system. This process is facilitated by engineering experience, the exercise of engineering judgment, and the use of numerous checklists that have been developed from time to time. The second step in a PHA is the identification of those events that could possibly transform specific hazardous conditions into potential accidents. Then the seriousness of these potential accidents is assessed to determine whether preventive measures should be taken.
EPRI Report 3002000509 describes that in the preliminary or conceptual design phases of a project, preliminary hazards that could be potentially created by or related to a proposed solution or modification should be identified. PHA involves one or more organized meetings, where the identified individuals come together and review, discuss, and identify potential hazards. The method for performing a PHA relies on the judgment and experience of individuals knowledgeable in the design, operations, maintenance, and licensing basis of the potentially affected systems, subsystems, or components.
Limitations of the PHA method include that a hazard is recognized only if the analysts foresee it. Another key concern is the effect of interactions between hazards, which are not easily recognized.
Deductive Techniques
The deductive techniques address the question "How can it happen?" Deduction constitutes reasoning from the general to the specific. In a deductive technique, a design or system is reviewed to identify the hazards and the causes of each hazard, including those caused by multiple failures. The approach postulates that the system itself has failed in a certain way and attempts to find out what modes of system or component behavior contribute to this failure. In these deductive techniques, some specific system failure state is postulated, and chains of more basic faults contributing to this undesired event are built up in a systematic way. The deductive methods are applied to determine how a given system state can occur. Like the inductive techniques, the deductive techniques should be carried out by a suitably experienced multi-disciplinary team and followed up by an independent review. Several deductive methods have been developed, for example:
Cause Consequence Analysis (CCA)
Common Cause Failure Analysis (CCFA)
Fault Tree Analysis (FTA)
Markov Analysis (MA)
Master Logic Diagram (MLD)
Operating and Support Hazard Analysis (O&SHA)
System Hazard Analysis (SHA)
The most common and well-developed ones among them are FTA and MLD.
Fault Tree Analysis (FTA)
FTA is discussed in detail in NUREG-0492, Fault Tree Handbook. FTA is described as an analytical technique, whereby an undesired state of the system is specified, and the system is then analyzed in the context of its environment and operation to find all credible ways in which the undesired event can occur. The fault tree itself is a graphic model of the various parallel and sequential combinations of faults that will result in the occurrence of the predefined undesired event. The faults can be events that are associated with component hardware failures, human errors, or any other pertinent events which can lead to the undesired event. A fault tree thus depicts the logical interrelationships of basic events that lead to the undesired event, which is the top event of the fault tree.
A fault tree is tailored to its top event, which corresponds to some particular system failure mode, and the fault tree thus includes only those faults that contribute to this top event. Moreover, these faults are not exhaustive, as they only cover the most credible faults as assessed by the analyst. FTA is not in itself a quantitative model. It is a qualitative model that can be evaluated quantitatively.
A fault tree is a complex of entities known as "gates" which serve to permit or inhibit the passage of fault logic up the tree. The gates show the relationships of events needed for the occurrence of a "higher" event. The "higher" event is the "output" of the gate; the "lower" events are the "inputs" to the gate. The gate symbol denotes the type of relationship of the input events required for the output event.
NUREG-2122 describes a fault tree as a deductive logic diagram that graphically represents the various failures that can lead to a predefined undesired event. Fault trees describe how top events occur because of various failure modes of components, human errors, initiator effects, and failures of support systems that combine to cause the failure of a top event.
EPRI Report 3002000509 states that FTA is a top-down method, which postulates failures of high-level safety and generation related functions and identifies the plant mechanical and electrical equipment needed for these functions. This top-down approach can thereby focus the failure analysis of the system by identifying the potentially important failure modes of the mechanical and electrical components controlled or actuated by the digital system. Some limitations of FTA include:
Focusing on failures - The focus of FTA on failure modes limits the ability of the method to consider interactions between systems or components that can lead to adverse behaviors under plant states in which no failures are present.
Complexity of models - Fault tree logic models can be large, difficult to display on a few pages or screens and require specialized software to present and review. The effort can be burdensome if not managed effectively.
Time interdependencies - FTA deals only with binary states (i.e., success/failure) and only examines one top event; the time dependencies are not addressed.
Master Logic Diagram (MLD)
Similar to the FTA, MLD is a logic diagram that resembles a fault tree but without the mathematical properties. It is a hierarchical, top-down, logical decomposition of the general undesired end state, which is shown on the top of the tree, proceeding to increasingly detailed event descriptions at lower tiers and displaying basic IEs. MLD commences with a top event in which the end state is the event of concern and grows into a plant level logic structure with IEs as the fundamental input events.
NUREG-2122 describes MLD as a graphical model that can be constructed to guide the selection of IEs. An MLD is developed using fault tree logic to show general categories of IEs proceeding to increasingly detailed information at lower levels, with specific IEs presented at the bottom level. In a more general sense, an MLD is a fault tree identifying all the hazards that affect a mission, system, or plant. The difference between an MLD and a fault tree is that a fault tree focuses on accounting for the specific causes leading to failure of a system or group of systems, whereas the MLD focuses on listing the hazards that can affect a top event.
The ASME/ANS PRA standard defines an MLD as a summary fault tree constructed to guide the identification and grouping of IEs and their associated sequences to ensure completeness.
NUREG/CR-2300 states that the MLD can be constructed to guide the selection and grouping of IEs and to ensure completeness. The events in the MLD are identified by the level they appear in the tree, with the top being Level 1. The use of levels is an ordering technique to assist in locating events. The strategy is to achieve completeness of events by level. Limitations of MLD are similar to those described in FTA discussion.
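The qualitative evaluation of a fault tree described above (gates permitting or inhibiting the passage of fault logic up to the top event) and the level numbering NUREG/CR-2300 uses for an MLD can both be shown on a small tree. The following Python is an added example written for this edit; it is not NRC code, not taken from NUREG-0492, and not part of this DG. The tree, its event names and its gate structure are constructed for illustration. The block goes slightly beyond the text in that it computes the minimal cut sets (the smallest combinations of basic events sufficient to cause the top event), which is the standard qualitative result of FTA and is the step that surfaces a single basic event shared by otherwise independent branches.

```python
"""Qualitative evaluation of a small fault tree: minimal cut sets and levels.

Added illustration for the FTA and MLD discussion in this appendix.  It is
not NRC code; the tree below is constructed and its event names are invented.
"""
from itertools import product

# A tree is a dict: gate name -> (gate type, list of input names).
# Names absent from the dict are basic events (leaves).
# Constructed example: the top event requires both an active train and a
# passive path to fail; each branch has its own causes, and one basic event
# (loss of AC power) appears under both branches.
CONSTRUCTED_TREE = {
    "TOP": ("AND", ["ACTIVE_TRAIN_FAILS", "PASSIVE_PATH_FAILS"]),
    "ACTIVE_TRAIN_FAILS": ("OR", ["PUMP_FAILS", "LOSS_OF_AC_POWER"]),
    "PASSIVE_PATH_FAILS": ("OR", ["VALVE_STUCK", "LOSS_OF_AC_POWER"]),
}


def cut_sets(tree, event):
    """Return all cut sets (frozensets of basic events) that cause `event`.

    OR gate:     the union of the inputs' cut sets.
    AND gate:    one cut set from each input, merged, for every combination.
    Basic event: the single cut set {event}.
    """
    if event not in tree:
        return {frozenset([event])}
    gate_type, inputs = tree[event]
    input_sets = [cut_sets(tree, i) for i in inputs]
    if gate_type == "OR":
        return set().union(*input_sets)
    if gate_type == "AND":
        return {frozenset().union(*combo) for combo in product(*input_sets)}
    raise ValueError(f"unknown gate type {gate_type!r} at {event}")


def minimal_cut_sets(tree, top="TOP"):
    """Drop every cut set that strictly contains another (Boolean absorption).

    What remains is the list of the smallest failure combinations, which is
    the qualitative result a reviewer looks at first.
    """
    all_sets = cut_sets(tree, top)
    return {cs for cs in all_sets if not any(other < cs for other in all_sets)}


def event_levels(tree, top="TOP"):
    """Number events by level as NUREG/CR-2300 does for an MLD: the top is
    Level 1 and each gate input sits one level below its gate.  An event
    reached at several depths is given its shallowest level."""
    levels = {}
    frontier = [(top, 1)]
    while frontier:
        event, level = frontier.pop(0)
        if event in levels and levels[event] <= level:
            continue
        levels[event] = level
        if event in tree:
            frontier.extend((i, level + 1) for i in tree[event][1])
    return levels


if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(CONSTRUCTED_TREE), key=sorted):
        print("minimal cut set:", sorted(cs))
    for event, level in sorted(event_levels(CONSTRUCTED_TREE).items(),
                               key=lambda kv: kv[1]):
        print(f"Level {level}: {event}")
```

On the constructed tree the absorption step reduces four cut sets to two: the pair of independent failures, and loss of AC power on its own. That single-event cut set is exactly the kind of dependency the FMEA limitations above say a single-failure, bottom-up method tends to miss, which is why the appendix recommends combining a deductive technique with an inductive one.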
References
1. ASME/ANS RA-S-1.4-2021, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants, American Society of Mechanical Engineers and American Nuclear Society, New York, NY, 2021.
2. NRC, Acceptability of Probabilistic Risk Assessment Results from Non-Light-Water Reactor Risk-Informed Activities, RG 1.247, Washington, DC, 2002.
3. NUREG/CR-2300, PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, U.S. NRC, Washington, DC, 1983.
4. NUREG-1407, Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities, U.S. NRC, Washington, DC, 1991.
5. IAEA SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, International Atomic Energy Agency, Vienna, Austria, 2010.
6. EPRI 1022997, Identification of External Hazards for Analysis in Probabilistic Risk Assessment, Electric Power Research Institute, Palo Alto, CA, 2015.
7. NUREG-1513, Integrated Safety Analysis Guidance Document, U.S. NRC, Washington, DC, 2001.
8. NUREG-0492, Fault Tree Handbook, U.S. NRC, Washington, DC, 1981.
9. NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, Washington, DC, 1990.
10. NRC, Good Practices for Implementing Human Reliability Analysis, NUREG-1792, Washington, DC, April 2005.
11. NRC, Evaluation of Human Reliability Analysis Methods Against Good Practices, NUREG-1842, Washington, DC, 2006.
12. NRC, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities, RG 1.200, Revision 3, Washington, DC, 2020.
13. NRC, The General Methodology of an Integrated Human Event Analysis System (IDHEAS-G), NUREG-2198, Washington, DC, 2021.
14. NRC and Canadian Nuclear Safety Commission (CNSC), Joint Report on Terrestrial Energy's Methodology for Developing a Postulated Initiating Events List for the Integral Molten Salt Reactor, Joint Report, 2022.
15. International Atomic Energy Agency (IAEA), Defining Initiating Events for Purposes of Probabilistic Safety Assessment, IAEA-TECDOC-719, Vienna, Austria, 1993.
16. IAEA, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, Safety Standard Series, No. SSG-3, Vienna, Austria, 2010.
17. International Electrotechnical Commission (IEC), Risk Management - Risk Assessment Techniques, International Standard IEC 31010, Geneva, Switzerland, 2019.
18. American Society of Mechanical Engineers (ASME) and American Nuclear Society (ANS), Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME/ANS RA-Sa-2009, New York, NY, 2009.
- 19.
ASME and ANS, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants, ASME/ANS RA-S-1.4-2021, New York, NY, 2021.
- 20.
Center for Chemical Process Safety (CCPS), Guidelines for Hazard Evaluation Procedures, John Wiley & Sons, Inc. and the American Institute of Chemical Engineers (AIChE), New York, NY, 2008.
- 21.
CCPS, Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, AIChE, New York, NY, 2015.
- 22.
EPRI Report 3002000509, Hazard Analysis Methods for Digital Instrumentation and Control Systems, Electric Power Research Institute, Palo Alto, CA, 2013.
- 23.
EPRI, Compilation of Molten Salt Reactor Experiment (MSRE) Technical, Hazard, and Risk Analyses: A Retrospective Application of Safety-in-Design Methods, Technical Report 3002018340, Palo Alto, CA, 2020
- 24.
Idaho National Engineering and Environmental Laboratory (INEEL), Rates of Initiating Events at U.S. Nuclear Power Plants: 1987 - 1995, NUREG/CR-5750, Idaho Falls, Idaho, 1999.
- 25.
FME Transactions, Vol. 36, Review of Hazard Analysis Methods and Their Basic Characteristics, Vladimir Popovi and Branko Vasi, 2008.
- 26.
B. Chisholm, S. Krahn, K. Fleming, A systematic approach to identify initiating events and its relationship to Probabilistic Risk Assessment: demonstrated on the Molten Salt Reactor Experiment, Progress in Nuclear Engineering, Vol. 129, 2020
- 27.
NUREG-2122, Glossary of Risk-Related Terms in Support of Risk-Informed Decision-making, U.S. NRC, Washington, DC, 2013.
- 28.
NUREG/CR-6962, Traditional Probabilistic Risk Assessment Methods for Digital Systems, U.S.
NRC, Washington, DC, 2008.
- 29.
IEC Document 61882-2001, Hazard and Operability Studies (HAZOP studies) - Application
DG-1413, Appendix A, Page A-11 Guide, International Electrotechnical Commission, Geneva, Switzerland, 2001.