ML22272A042

10/18-19/2022 ACRS Public Meeting - Predecisional - Documents to Support Part 53 - DG-1413 Technology-Inclusive Identification of Licensing Events for Commercial Nuclear Plants
Issue date: 09/29/2022
From: Office of Nuclear Material Safety and Safeguards
To: Beall, Robert
Shared Package: ML22272A034
References: 10 CFR Part 53, DG-1413, NRC-2019-0062, RIN 3150-AK31


Text

U.S. NUCLEAR REGULATORY COMMISSION
DRAFT REGULATORY GUIDE DG-1413
Proposed new Regulatory Guide 1.254, Revision 0
Issue Date: Month 20##

Technical Lead: Mihaela Biro

This draft regulatory guidance is the latest draft regulatory guidance that the NRC staff has publicly released to support interactions with the Advisory Committee on Reactor Safeguards (ACRS). This version is based on reviews by NRC staff and consideration of stakeholder input. The NRC staff expects to adopt further changes in the draft regulatory guidance.

This guidance has not been subject to complete NRC management or legal review, and its contents should not be interpreted as official agency positions. The NRC staff plans to continue working on the draft regulatory guidance provided in this document.

TECHNOLOGY-INCLUSIVE IDENTIFICATION OF LICENSING EVENTS FOR COMMERCIAL NUCLEAR PLANTS

A. INTRODUCTION

Purpose

This regulatory guide (RG) provides the U.S. Nuclear Regulatory Commission (NRC) staff's technology-inclusive guidance for identifying initiating events, delineating event sequences, and licensing events that can be used to inform the design basis, licensing basis, and content of applications for commercial nuclear plants.

Applicability

This RG applies to nuclear power reactor designers, applicants, and licensees of commercial nuclear plants applying for permits, licenses, certifications, and approvals under Title 10 of the Code of Federal Regulations (CFR) Part 50, Domestic Licensing of Production and Utilization Facilities (Ref. 1), Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants (Ref. 2), and Part 53, Risk-Informed, Technology-Inclusive Regulatory Frameworks for Commercial Nuclear Plants (Ref. 3), including Framework A and Framework B.

This RG is being issued in draft form to involve the public in the development of regulatory guidance in this area. It has not received final staff review or approval and does not represent an NRC final staff position. Public comments are being solicited on this RG and its associated regulatory analysis. Comments should be accompanied by appropriate supporting data. Comments may be submitted through the Federal rulemaking Web site, http://www.regulations.gov, by searching for draft regulatory guide DG-1413. Alternatively, comments may be submitted to Office of the Secretary, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, ATTN: Rulemakings and Adjudications Staff.

Comments must be submitted by the date indicated in the Federal Register notice.

Electronic copies of this RG, previous versions of RGs, and other recently issued guides are available through the NRC's public Web site under the Regulatory Guides document collection of the NRC Library at https://www.nrc.gov/reading-rm/doc-collections/reg-guides/index.html. The RG is also available through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under Accession No. ML22257A173. The regulatory analysis is associated with a rulemaking and may be found in ADAMS under Accession No. MLXXXXXXXXX.

Applicable Regulations

The following regulations are applicable to the identification of licensing events:

  • 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities. [1]

o 10 CFR 50.34(a)(1)(i) requires all power reactor applicants for a construction permit (CP) to provide a description and safety assessment of the site on which the facility is to be located, with appropriate attention to features affecting facility design. Special attention should be directed to the site evaluation factors identified in 10 CFR Part 100. The assessment must contain an analysis and evaluation of the major structures, systems, and components (SSCs) of the facility which bear significantly on the acceptability of the site under the site evaluation factors identified in Part 100 of this chapter, assuming that the facility will be operated at the ultimate power level which is contemplated by the applicant.

o 10 CFR 50.34(a)(1)(ii) requires stationary power reactor applicants for a CP to provide a description and safety assessment of the site and a safety assessment of the facility. It is expected that reactors will reflect through their design, construction, and operation an extremely low probability for accidents that could result in the release of significant quantities of radioactive fission products.

o 10 CFR 50.34(a)(4) requires all power reactor applicants for a CP to provide a preliminary analysis and evaluation of the design and performance of SSCs of the facility with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of SSCs provided for the prevention of accidents and the mitigation of the consequences of accidents.

o 10 CFR 50.34(b) requires each application for an operating license to include a final safety analysis report that describes the facility, presents the design bases and the limits on its operation, and presents a safety analysis of the SSCs and of the facility as a whole.

o 10 CFR 50.34(b)(2) requires each application for an operating license to provide a description and analysis of the SSCs of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. The description should be sufficient to permit understanding of the system designs and their relationship to safety evaluations.

[1] SECY-22-0052, Proposed Rule: Alignment of Licensing Processes and Lessons Learned from New Reactor Licensing (RIN 3150-AI66), (ML21159A055) describes NRC proposed changes to the regulations in 10 CFR Part 50 and 10 CFR Part 52, to align reactor licensing processes and incorporate lessons learned from new reactor licensing into the regulations. The NRC is proposing to remove and reserve the requirements in 10 CFR 50.34(h) that require an applicant to include an evaluation of conformance with the Standard Review Plan.

o 10 CFR 50.34(h) requires applications for light-water reactor (LWR) CPs and operating licenses (OLs) to include an evaluation of the facility against the Standard Review Plan (SRP) revision in effect six months before the docket date of the application. This evaluation must include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for a facility and those corresponding features, techniques, and measures given in the SRP acceptance criteria. Where such a difference exists, the evaluation must discuss how the alternative proposed provides an acceptable method of complying with those rules or regulations of the Commission, or portions thereof, that underlie the corresponding SRP acceptance criteria. The SRP is not a substitute for the regulations, and compliance is not a requirement.

  • 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants. [2]

o 10 CFR 52.47(a)(2) requires applications for standard design certifications (DCs) to provide a description and analysis of the SSCs of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which these requirements have been established, and the evaluations required to show that safety functions will be accomplished. It is expected that the standard plant will reflect through its design, construction, and operation an extremely low probability for accidents that could result in the release of significant quantities of radioactive fission products.

o 10 CFR 52.47(a)(9) requires applications for LWR DCs to include an evaluation of the standard plant design against the SRP revision in effect 6 months before the docket date of the application. The evaluation required by this section must include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for the design and those corresponding features, techniques, and measures given in the SRP acceptance criteria. Where a difference exists, the evaluation must discuss how the proposed alternative provides an acceptable method of complying with the Commission's regulations, or portions thereof, that underlie the corresponding SRP acceptance criteria. The SRP is not a substitute for the regulations, and compliance is not a requirement.

o 10 CFR 52.79(a) requires applications for combined licenses (COLs) to provide a final safety analysis report that describes the facility, presents the design bases and the limits on its operation, and presents a safety analysis of the SSCs of the facility as a whole.

o 10 CFR 52.79(a)(1)(vi) requires applications for COLs to provide a description and safety assessment of the site on which the facility is to be located. The assessment must contain an analysis and evaluation of the major SSCs of the facility that bear significantly on the acceptability of the site under the radiological consequence evaluation factors identified in § 52.79(a)(1)(vi)(A) and § 52.79(a)(1)(vi)(B).

[2] SECY-22-0052 (ML21159A055) describes NRC proposed changes to the regulations in 10 CFR Part 50 and 10 CFR Part 52, to align reactor licensing processes and incorporate lessons learned from new reactor licensing into the regulations. The NRC is proposing to remove and reserve the requirements in 10 CFR 52.17(a)(1)(xii), 52.47(a)(9), 52.79(a)(41), 52.137(a)(9), and 52.157(f)(30) that require an applicant to include an evaluation of conformance with the Standard Review Plan.

o 10 CFR 52.79(a)(2) requires applications for COLs to provide a description and analysis of the SSCs of the facility with emphasis upon performance requirements, the bases, with technical justification upon which these requirements have been established, and the evaluations required to show that safety functions will be accomplished. It is expected that reactors will reflect through their design, construction, and operation an extremely low probability for accidents that could result in the release of significant quantities of radioactive fission products.

o 10 CFR 52.79(a)(41) requires applications for LWR COLs to include an evaluation of the facility against the SRP revision in effect 6 months before the docket date of the application. The evaluation required by this section must include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for a facility and those corresponding features, techniques, and measures given in the SRP acceptance criteria. Where a difference exists, the evaluation must discuss how the proposed alternative provides an acceptable method of complying with the Commission's regulations, or portions thereof, that underlie the corresponding SRP acceptance criteria. The SRP is not a substitute for the regulations, and compliance is not a requirement.

o 10 CFR 52.137(a)(2) requires applications for standard design approvals (SDAs) to provide a description and analysis of the SSCs of the facility, with emphasis upon performance requirements, the bases, with technical justification, upon which the requirements have been established, and the evaluations required to show that safety functions will be accomplished. It is expected that the standard plant will reflect through its design, construction, and operation an extremely low probability for accidents that could result in the release of significant quantities of radioactive fission products.

o 10 CFR 52.137(a)(4) requires applications for SDAs to provide an analysis and evaluation of the design and performance of SSCs with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of SSCs provided for the prevention of accidents and the mitigation of the consequences of accidents.

o 10 CFR 52.137(a)(9) requires applications for LWR SDAs to include an evaluation of the standard plant design against the SRP revision in effect 6 months before the docket date of the application. The evaluation required by this section must include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for the design and those corresponding features, techniques, and measures given in the SRP acceptance criteria. Where a difference exists, the evaluation must discuss how the proposed alternative provides an acceptable method of complying with the Commission's regulations, or portions thereof, that underlie the corresponding SRP acceptance criteria. The SRP is not a substitute for the regulations, and compliance is not a requirement.


o 10 CFR 52.157(c) requires applications for manufacturing licenses (MLs) to provide a description and analysis of the SSCs of the reactor to be manufactured, with emphasis upon the materials of manufacture, performance requirements, the bases, with technical justification therefor, upon which the performance requirements have been established, and the evaluations required to show that safety functions will be accomplished.

o 10 CFR 52.157(f)(1) requires applications for MLs to provide an analysis and evaluation of the design and performance of SSCs with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of SSCs provided for the prevention of accidents and the mitigation of the consequences of accidents.

o 10 CFR 52.157(f)(30) requires applications for LWR MLs to include an evaluation of the design to be manufactured against the SRP revision in effect 6 months before the docket date of the application. The evaluation required by this section must include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for the design and those corresponding features, techniques, and measures given in the SRP acceptance criteria. Where a difference exists, the evaluation must discuss how the proposed alternative provides an acceptable method of complying with the Commission's regulations, or portions thereof, that underlie the corresponding SRP acceptance criteria. The SRP is not a substitute for the regulations, and compliance is not a requirement.

  • 10 CFR Part 53, Risk-Informed, Technology-Inclusive Regulatory Framework for Commercial Nuclear Plants.

o 10 CFR 53.240 requires CP, OL, DC, SDA, ML, and COL applicants for commercial nuclear plants to identify and analyze licensing-basis events in accordance with § 53.450 to support assessments of the safety requirements in 10 CFR Part 53. The licensing-basis events need to address combinations of malfunctions of plant SSCs, human errors, facility hazards, and the effects of external hazards ranging from anticipated operational occurrences (AOOs) to very unlikely event sequences. The analysis of licensing-basis events needs to include analysis of one or more design-basis accidents (DBAs) in accordance with § 53.450(f). The analysis of licensing-basis events needs to be used to confirm the adequacy of design features and programmatic controls needed to satisfy safety criteria defined in §§ 53.210 and 53.220 and to establish related functional requirements for plant SSCs, personnel, and programs.

o 10 CFR 53.4730(a)(5) requires CP, OL, DC, SDA, ML, and COL applicants for commercial nuclear plants to provide a description identifying postulated initiating events for anticipated operational occurrences and DBAs using a generally accepted, risk-informed approach for systematically evaluating engineered systems.

o 10 CFR 53.4730(a)(5)(iv)(A) requires CP, OL, DC, SDA, ML, and COL applicants for commercial nuclear plants to perform additional assessments and analyses to identify design features or programmatic controls for enhancing the plant's capabilities to withstand, without undue risk, events that are either more severe than DBAs or that involve additional failures. Events include unlikely but credible events that could lead to situations beyond those considered for DBAs, multiple credible failures (e.g., common cause failures in redundant SSCs) that prevent safety systems from performing their intended function, or credible failure sequences that are not assessed within the scope of DBAs but are mitigated by other plant SSCs outside the scope of the credited safety function of those SSCs.

o 10 CFR 53.4730(a)(5)(v)(A) requires CP, OL, DC, SDA, ML, and COL applicants for commercial nuclear plants to provide a description and analysis of design features deemed important because they prevent or mitigate accidents that could progress beyond-design-basis accidents and events addressed by (i). These events could include conditions not considered for DBAs, but that are considered in the overall design using best estimate methodology including consideration of uncertainties, in order to assess risk to the public health and safety. These events include those that require analysis of design features for the prevention and mitigation of severe accidents.

o 10 CFR 53.4730(a)(5)(v)(C) requires LWR applicants to address how the design prevents and mitigates severe accidents based on conditions derived from operating experience and input from risk evaluations.

o 10 CFR 53.4730(a)(5)(v)(D) requires an applicant with a non-LWR design to use engineering judgment and input from risk evaluations to identify what constitutes severe accident conditions for its specific design and describe the measures provided in the design for preventing or mitigating such accidents.

Related Guidance

  • Draft Regulatory Guide (DG) 1414 (proposed new RG 1.255), Alternative Evaluation for Risk Insights Framework (Ref. 4), is a companion RG. It provides the NRC staff's guidance on the use of an Alternative Evaluation for Risk Insights (AERI) framework under 10 CFR Part 53, Framework B. Once the licensing events have been identified as described in DG-1413 (proposed new RG 1.254), then DG-1414 (proposed new RG 1.255) provides guidance which uses these licensing events as inputs to identify and characterize the bounding event, determine a risk consequence estimate, search for severe accident vulnerabilities, identify risk insights, and assess defense-in-depth adequacy.
  • RG 1.200, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities (Ref. 5), provides an acceptable approach for determining whether a base Probabilistic Risk Assessment (PRA), in total or in the portions that are used to support an application, is sufficient to provide confidence in the results, such that the PRA can be used in regulatory decision-making for LWRs. When used in support of an application, this RG will obviate the need for an in-depth review of the base PRA by NRC reviewers, allowing them to focus their review on key assumptions and areas identified by the PRA peer reviewers as being of concern and relevant to the application. Consequently, RG 1.200 provides for a more focused and consistent review process.
  • RG 1.206, Applications for Nuclear Power Plants (Ref. 6), refers to the technical requirements in the SRP, NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition (Ref. 7), which provides guidance to the NRC staff in performing safety reviews of LWR CP or OL applications under 10 CFR Part 50 and LWR DC, COL, SDA, and ML applications under 10 CFR Part 52.

  • NUREG-0800, Section 15.0, Introduction - Transient and Accident Analyses, guides the NRC staff in its review of licensing events, specifically including guidance to help ensure that the applicant's selection and assembly of the plant transient and accident analyses represent a sufficiently broad spectrum of transients, accidents, and initiating events.
  • RG 1.233, Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors (Ref. 8), provides guidance on using a technology-inclusive, risk-informed, and performance-based methodology to inform the licensing basis and content of applications for non-LWRs, including, but not limited to, molten salt reactors, high-temperature gas-cooled reactors, and a variety of fast reactors at different thermal capacities. This RG endorses Nuclear Energy Institute (NEI) 18-04, Revision 1, Risk-Informed Performance-Based Guidance for Non-Light Water Reactor Licensing Basis Development (Ref. 9), with clarifications and points of emphasis, as one acceptable method for non-LWR designers to use when selecting licensing-basis events (LBEs), classifying SSCs, and assessing defense-in-depth adequacy.
  • Trial RG 1.247, Acceptability of Probabilistic Risk Assessment Results for Non-Light-Water Reactor Risk-Informed Activities (Ref. 10), describes an approach for determining whether a design-specific or plant-specific PRA used to support an application is sufficient to provide confidence in the results, such that the PRA can be used in regulatory decision-making for non-LWRs. In this RG, the term application includes pre-application activities, initial licensing applications, and risk-informed applications. When used in support of an application, this RG will help reduce the need for an in-depth review of the PRA by NRC reviewers, allowing them to focus their reviews on key assumptions and areas identified as being of concern and relevant to the application and the demonstration of PRA acceptability.
  • Interim Staff Guidance (ISG) DC/COL-ISG-028, Assessing the Technical Adequacy of the Advanced Light-Water Reactor Probabilistic Risk Assessment for the Design Certification Application and Combined License Application (Ref. 11), provides Interim Staff Guidance for assessing the technical adequacy of the PRA needed for an application for DC or for COL of an advanced light-water reactor (ALWR) under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants.

Purpose of Regulatory Guides

The NRC issues RGs to describe methods that are acceptable to the staff for implementing specific parts of the agency's regulations, to explain techniques that the staff uses in evaluating specific issues or postulated events, and to provide guidance to applicants. RGs are not substitutes for regulations and compliance with them is not required. Methods and solutions that differ from those set forth in RGs are acceptable if they provide a sufficient basis for the findings required for the issuance or continuance of a permit or license by the Commission.

Paperwork Reduction Act

This RG provides voluntary guidance for implementing the mandatory information collections in 10 CFR Parts 50, 52, 53 and 100 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These information collections were approved by the Office of Management and Budget (OMB), under control numbers 3150-0011, 3150-0151, 3150-XXXX and 3150-0093, respectively. Send comments regarding this information collection to the FOIA, Library, and Information Collections Branch (T6-A10M), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202 (3150-0011, 3150-0151, 3150-XXXX, 3150-0093), Office of Management and Budget, Washington, DC 20503.

Public Protection Notification

The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.


B. DISCUSSION

Reason for Issuance

This RG was issued to provide technology-inclusive guidance for identifying a comprehensive set of licensing events without preconceptions or reliance on predefined lists (i.e., starting with a blank sheet of paper) and determining an appropriate level of information for parts of an application, including preliminary or Final Safety Analysis Reports for commercial nuclear plants. NRC regulations require that applications for a CP, OL, DC, COL, SDA, or ML include a level of information sufficient to enable the Commission to reach a safety conclusion before issuing a permit, license, or certification.

Background

This RG provides a technology-inclusive, systematic, and comprehensive approach to identifying licensing events that may be applied to any commercial nuclear plant licensing pathway. It has been developed by considering historical licensing practices and recommendations from the Advisory Committee on Reactor Safeguards (ACRS) and utilizes information and insights from risk evaluations that may be performed in support of an application for a commercial nuclear plant permit, license, certification, or approval. The following sections discuss the relation between licensing events and commercial nuclear plant licensing pathways, review historical practices for identifying licensing events, and provide the staff's perspectives.

The Relation Between Licensing Events and Licensing Pathways

For ease of reference, this RG uses the term licensing events in a generic sense to refer to collections of designated event categories such as AOOs, DBAs, design-basis events (DBEs), beyond-design-basis events (BDBEs), and postulated accidents. The term licensing event does not appear, per se, in NRC regulations; however, various designated licensing event categories are identified in 10 CFR Parts 50, 52, and 53, regulatory guidance, and NRC SRP for LWRs.

The identification of a comprehensive set of licensing events is fundamental to the safe design of commercial nuclear plants. Specifically, the safety of a commercial nuclear plant is shown by analyses of the responses of the plant to licensing events, which include postulated disturbances in process variables and postulated malfunctions or failures of equipment. The results of such safety analyses are used to: (1) demonstrate compliance with the NRC's regulations or justify requested exemptions from specific NRC regulations; (2) inform the selection of limiting conditions for operation, limiting safety system settings, and design specifications for SSCs to protect public health and safety; and (3) identify the appropriate scope and depth of information that commercial nuclear plant designers and applicants should provide in applications for permits, licenses, certifications, and approvals. Accordingly, it is essential to identify a comprehensive set of licensing events that considers all radiological sources at the plant, all internal and external hazards, and all plant operating states.

NRC regulations provide a variety of regulatory frameworks for commercial nuclear plant licensing, thus giving designers and applicants considerable flexibility while also ensuring an acceptable level of safety. The choices made by designers and applicants have implications concerning the approach used to identify licensing events as summarized in Table 1.


Table 1. Licensing Pathways and Licensing Events.

Columns: Regulation and Application Type; Reactor Type; Use of LMP (a); Licensing Event Categories; Risk Evaluation.

Part 50 (CP, OL); reactor type: LWR; use of LMP: n/a; risk evaluation: not required (c)
  Licensing event categories: DBEs (b) - this term is used in Part 50 in the § 50.2 definition of safety-related SSCs; § 50.49 identifies four subcategories of DBEs as follows:
    o AOOs
    o DBAs (i.e., postulated accidents)
    o External events
    o Natural phenomena

Part 52 (DC, SDA, ML, COL); reactor type: LWR; use of LMP: n/a; risk evaluation: PRA required
  Licensing event categories: same as the Part 50 LWR row above.

Part 50 (CP, OL); reactor type: non-LWR; use of LMP: no; risk evaluation: not required (c)
  Licensing event categories:
    • Non-DBA - this term is used in the § 50.2 definition of safe shutdown for station blackout (SBO)
    • SBO

Part 52 (DC, SDA, ML, COL); reactor type: non-LWR; use of LMP: no
  Licensing event categories: same as the Part 50 non-LWR (no LMP) row above.

Part 50 (CP, OL); reactor type: non-LWR; use of LMP: yes; risk evaluation: PRA implied
  Licensing event categories: licensing events are collectively referred to as licensing-basis events (LBEs), which include the following categories:
    • DBAs

Part 53, Framework A (CP, OL, DC, SDA, ML, COL); reactor type: LWR or non-LWR; use of LMP: n/a (d)
  Licensing event categories: licensing events are collectively referred to as LBEs, which include the following categories:
    • Unlikely event sequences
    • Very unlikely event sequences
    • Design-basis accidents
    • Anticipated operational occurrences

Part 53, Framework B (CP, OL, DC, SDA, ML, COL); reactor type: LWR or non-LWR; use of LMP: n/a; risk evaluation: PRA or AERI required (e)
  Licensing event categories:
    • Design-basis accidents
    • Additional licensing-basis events
    • Severe accidents

Notes to Table 1:

(a) The Licensing Modernization Project (LMP) guidance, which is provided in NEI 18-04, Rev. 1 and endorsed in RG 1.233, provides a voluntary technology-inclusive approach to LBE selection for non-LWRs licensed under Parts 50 or 52.

(b) Although 10 CFR Parts 50 and 52 include normal operation in the design basis, the risk evaluation focuses on departures from normal operation.

(c) SECY-22-0052 (ML21159A055) describes NRC proposed changes to the regulations in 10 CFR Part 50 and 10 CFR Part 52 to align reactor licensing processes and incorporate lessons learned from new reactor licensing into the regulations. The NRC is proposing to add new regulations, 50.34(a)(14) and 50.34(b)(14), to require CP and OL applicants to submit a description of the plant-specific PRA and its results.

(d) The staff intends to revise RG 1.233 to address licensing under Part 53 Framework A in the future.

(e) An applicant under Part 53 Framework B may elect to develop an AERI in lieu of a PRA if the entry conditions in 53.4730(a)(34)(ii) are met.

Each row in Table 1 denotes a specific licensing pathway, which is characterized by the first three columns labeled Regulation and Application Type, Reactor Type, and Use of LMP. Collectively, the information in the first three columns identifies (1) the regulation under which the application is submitted; (2) the type of application (CP, OL, DC, SDA, ML, or COL); (3) the reactor technology that is proposed (LWR or non-LWR); and (4) the use of the Licensing Modernization Project (LMP) guidance (NEI 18-04, Rev. 1, as endorsed in RG 1.233), which provides a voluntary technology-inclusive approach to LBE selection for non-LWRs licensed under Parts 50 or 52. The column labeled Licensing Event Categories lists the types of licensing events that apply to each licensing pathway. Finally, the column labeled Risk Evaluation shows what type of risk evaluation (PRA, AERI, or none) may be performed to support the application. The information and insights from risk evaluations, specifically the initiating event analysis and the event sequence analysis, may be used to inform the identification of licensing events as described in detail in Section C of this RG.

Historical Perspective

In the early days of commercial nuclear power, licensing events were identified on an ad hoc basis, relying on the collective engineering judgment of designers and the regulatory staff. Edward Teller, the first chair of the Atomic Energy Commission (AEC) Reactor Safeguards Committee (1947-1949), described the process as follows (Ref. 12):

To avoid the very real and very great danger of an accidental release of radioactivity from a reactor, our committee established a simple procedure: We asked the planner of each reactor to imagine the worst possible accident and to design safety apparatus guaranteeing that it could not happen. The committee reviewed each reactor plan, trying to imagine an accident even greater than that conceived by the planner. If we could think of a plausible mishap worse than any discussed by the planner, his analysis of the potential dangers was considered inadequate.

The limitations of this ad hoc approach were recognized by the AEC regulatory staff, as described by Clifford Beck in 1959 (Ref. 13):

It is inherently impossible to give an objective definition or specification for credible accidents and thus the attempt to identify these for a given reactor entails some sense of futility and frustration, and, further, it is never entirely assured that all potential accidents have been examined... It should be noted parenthetically, however, that this systematic search for credible accidents often contributes substantially to the safety of a facility... In the plants finally approved for operation, there are no really credible potential accidents against which safeguards have not been provided to such extent that the calculated consequences to the public would be unacceptable.

To help standardize and expedite the review of new plant license applications, the AEC issued guidance in 1966 (Ref. 14) that provided, as examples, a list of accidents to be addressed in Safety Analysis Reports. A plan to develop an SRP for the review of LWR applications was developed in 1969 (Ref. 15) that identified various transients and accidents, including ATWS, to be addressed in Safety Analysis Reports. The original version of the SRP was issued in 1975 as NUREG-75/087, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition.

Sections of the SRP were subsequently revised and individually issued (annotated with revision numbers and publications dates) along with an updated table of contents that indicated the revision numbers of the currently effective sections. The SRP was reissued as NUREG-0800 (Ref. 7) in July 1981 to more completely identify the NRC requirements that are germane to each review topic, to more fully describe how the review effort determines satisfaction of the requirement, and to incorporate the large number of new and revised regulatory positions (primarily Three Mile Island (TMI)-related) that had already been established. As a result, some SRP sections were added, deleted, split, and/or combined. With respect to the identification of licensing events, Chapter 15 of NUREG-0800 introduced the expectation that transients and accidents should be categorized as AOOs or postulated events according to their frequency of occurrence and type.

The staff has not developed an SRP for non-LWRs due to the perceived lack of demand and the wide variation among potential non-LWR designs. Licensing events for previously licensed non-LWRs (e.g., Peach Bottom Unit 1, Ft. St. Vrain) were identified, analyzed, and reviewed on a case-by-case basis.

NRC's Advisory Committee on Reactor Safeguards (ACRS)

The ACRS has discussed the importance of performing a comprehensive and systematic search for initiating events3 and delineating a comprehensive set of event sequences to inform the design and review of new commercial nuclear plants. The following Committee letter reports have, in part, played an important role in the development of this RG.

  • Letter Report concerning review of draft SECY paper, Population - Related Siting Considerations for Advanced Reactors, October 7, 2019 (Ref. 16):

One specific caveat not raised in the draft SECY but implied in all the licensing activities for new non-LWR designs flowing out of the vision and strategy process (Ref. 17), is the need for examining new designs with a clean sheet of paper. Improvements in our ability to calculate source terms and consequences in conjunction with the inherent safety aspects of advanced designs can reduce the probability and consequences of many of the events that have historically dominated the risk at LWRs. Nevertheless, one must be sure to think carefully about the failures and combinations of failures that could occur, i.e., what could go wrong. There are many tools that can help in such a search: a simple reframing, asking how could I make this system fail; employing a search scheme similar to the Hazard and Operability Study (HAZOP) approach used in the chemical processing industry; and applying a modified failure modes and effects analysis at the system level rather than at the component level.

There is a tendency to believe in the perfection of new designs, especially when they are developed to eliminate the dominant failure scenarios in existing designs. However, one must remain vigilant and remember that nature provides surprises. There will be new accident scenarios and new combinations of events to be considered that challenge our expectation and our assumptions about these advanced reactor systems. Creative thinking will be required to identify such unique situations, to thoroughly identify the scenarios that will be the basis of the safety analysis and the source of releases, and to evaluate the suitability of sites.

3 As defined in the non-LWR PRA standard (Ref. 25), an initiating event is a perturbation to the plant during a plant operating state that challenges plant control and safety systems whose failure could potentially lead to an undesirable end state and/or radioactive material release. An initiating event is defined in terms of the change in plant status that results in a condition requiring a response to mitigate the event or to limit the extent of plant damage caused by the initiating event. An initiating event may result from human causes, equipment failure from causes internal to the plant (e.g., hardware faults, flood, or fires) or external to the plant (e.g., earthquakes or high winds), or combinations thereof.

  • Letter Report concerning 10 CFR Part 53 licensing and regulation of advanced nuclear reactors, October 21, 2020 (Ref. 18): The staff should ensure that applicants compensate for novel designs with uncertainties due to incompleteness in the knowledge base by performing systematic searches for hazards, initiating events, and accident scenarios with no preconceptions that could limit the creative process.
  • Letter Report concerning the preliminary proposed rule language for 10 CFR Part 53, Licensing and Regulation of Advanced Nuclear Reactors, May 30, 2021 (Ref. 19): The two recommendations in our first letter report on 10 CFR Part 53 of October 21, 2020, still apply: for novel designs with uncertainties due to incompleteness in the knowledge base, systematic searches for hazards, initiating events, and accident scenarios should be required; and a licensing pathway including additional testing and monitoring akin to prototype testing should be available. Include guidance that the initial search for initiating events and scenarios should be done without preconceptions or using existing lists.

Staff Perspective on Identification of Licensing Events

The identification of licensing events should be conducted objectively and without preconceptions or reliance on predefined lists (such as those provided in the SRP, previous applications for permits, licenses, certifications, and approvals, and previous PRAs). The use of a blank sheet of paper approach helps to avoid pitfalls such as, but not limited to:

  • the unwitting or unquestioning carryover of assumptions about plant design or behavior
  • the tendency to focus on which predefined events apply (or do not apply) rather than which events are missing from the list
  • the use of predefined lists that are dated and do not reflect contemporary commercial nuclear plant design or operating experience

In short, the identification of licensing events, conducted objectively and without preconceptions or reliance on predefined lists, helps to ensure that the final list of licensing events is comprehensive and, hence, that the plant design is appropriately analyzed and demonstrated to be safe based on the comprehensive set of licensing events.

Consideration of International Standards

The International Atomic Energy Agency (IAEA) works with member states and other partners to promote the safe, secure, and peaceful use of nuclear technologies. The IAEA develops Safety Requirements and Safety Guides for protecting people and the environment from harmful effects of ionizing radiation. This system of safety fundamentals, safety requirements, safety guides, and other relevant reports reflects an international perspective on what constitutes a high level of safety. To inform its development of this RG, the NRC considered IAEA Safety Requirements and Safety Guides pursuant to the Commission's International Policy Statement (Ref. 21) and Management Directive and Handbook 6.6, Regulatory Guides (Ref. 22).

This RG is, with the exception of technology-specific topics, generally consistent with the principles and guidance in the IAEA document series, including the IAEA documents listed below:

a. Specific Safety Requirements (SSR), No. SSR-2/1, Safety of Nuclear Power Plants: Design (Ref. 23).
b. Specific Safety Guide (SSG), No. SSG-2, Deterministic Safety Analysis for Nuclear Power Plants (Ref. 24).


C. STAFF REGULATORY GUIDANCE

General Guidance

1. An acceptable technology-inclusive approach for identifying commercial nuclear plant licensing events should address the following overarching principles:
a. Identify application-specific factors (licensing framework, plant-specific design features, and site characteristics).
b. Conduct a systematic and comprehensive search for initiating events.
c. Use a systematic process to delineate a comprehensive set of event sequences.
d. Group initiating events and event sequences into designated licensing event categories according to the selected licensing framework.
e. Provide assurance that the set of licensing events is complete.
2. Figure 1 presents an acceptable technology-inclusive process for identifying licensing events that addresses each of these overarching principles. The process includes the following sub-steps:
a. setting up the project
b. collecting application-specific information
c. selecting analysis methods
d. performing initiating event analysis
e. conducting event sequence analysis
f. selecting licensing events
3. The guidance in the following sections provides additional details on each of these sub-steps. The first five sub-steps apply to all licensing frameworks. Non-LWR designers and applicants who voluntarily seek implementation of LMP under 10 CFR Parts 50 or 52 should use the guidance in RG 1.233 for the identification of licensing events.
4. The process described in Figure 1 is expected to be performed in an iterative fashion. The design process and the development of licensing basis information are iterative, involving assessments and decisions on system design, operating parameters, and programmatic controls to ensure that a reactor design can be deployed without posing undue risk to public health and safety. The identification of initiating events and event sequences can be performed as the design evolves through the conceptual phases. As the design matures, the licensee or applicant should consider the licensing framework it is planning to use for regulatory review and approval, as this decision influences the technology-inclusive process for identifying licensing events as summarized below. Specifically, the licensing framework determines the appropriate licensing event categories to be used, whether a PRA will be developed, and how risk insights from the PRA will be used. The choice of licensing framework is a complex decision made by applicants. Accordingly, this RG does not provide any associated guidance.


Figure 1. Technology-Inclusive Identification of Licensing Events (Sheet 1 of 3).


Figure 1. Technology-Inclusive Identification of Licensing Events (Sheet 2 of 3).


Figure 1. Technology-Inclusive Identification of Licensing Events (Sheet 3 of 3).


Setting Up the Project

Assemble a Multi-Disciplinary Team (Box 1, Principle #5)

5. To help ensure that (1) the identification of licensing events is conducted objectively and without preconceptions or reliance on predefined lists, and (2) the final list of licensing events is comprehensive, a team should be assembled that provides familiarity with the following disciplines:
a. licensing
b. plant design details
(1) reactor
(2) spent fuel
(3) structures
(4) mechanical systems
(5) electrical systems
(6) instrumentation and control systems
(7) siting
c. construction
d. plant operations
(1) concept of operations
(2) plant operating states
e. reactor physics
f. thermal-hydraulic analysis
g. reliability engineering and/or PRA methods
h. expertise in the selected methods of analysis (including hazard identification and assessment)
i. expertise in disciplines unique to the chosen technology
6. A single individual may provide expertise in more than one discipline; however, the team should be composed of at least three people in order to provide a suitably broad and unbiased perspective.

Establish Process for Quality Control (Box 2, Principle #5)

7. Before engaging in the work, a program for quality control should be established that includes, as a minimum, the following elements:
a. use of personnel qualified for the analysis
b. use of procedures that ensure control of documentation, including revisions, and provide for independent review, verification, or checking of calculations and information used in the analyses
c. documentation and maintenance of records, including archival documentation as well as submittal documentation
d. use of procedures that ensure that appropriate attention and corrective actions are taken if assumptions, analyses, or information used previously are changed or determined to be in error

When developing the quality control program, designers or applicants should consider the following items:


a. In accordance with the preamble for the 2007 Part 52 rulemaking (72 FR 49365; August 28, 2007), a PRA is not part of the design-basis information. Therefore, the initiating event and event sequence analyses are not subject to the quality assurance (QA) requirements of 10 CFR Part 50, Appendix B (for applications submitted under Parts 50 and 52); 10 CFR Part 53, Subpart K (for applications submitted under Part 53, Framework A); or 10 CFR Part 53, Subpart U (for applications submitted under Part 53, Framework B). However, the licensing event selection analysis, which uses the results of the initiating event and event sequences analyses, is subject to the previously cited quality assurance requirements because the identification of a comprehensive set of licensing events is foundational to establishing the design basis and the licensing basis of the commercial nuclear plant.
b. Applicants may leverage existing programs and processes when addressing this guidance. For example, if a PRA is developed in accordance with RG 1.200 (Ref. 5) and DC/COL-ISG-028 (Ref. 11) (for LWRs) or in accordance with RG 1.247 (for non-LWRs) (Ref. 10), then the PRA Configuration Control Program may be used to control the initiating event and event sequence analysis documentation.
c. If a PRA is planned to be developed and peer reviewed in accordance with RG 1.200 (Ref. 5) and DC/COL-ISG-028 (Ref. 11) (for LWRs) or RG 1.247 (for non-LWRs) (Ref. 10), then completion of a peer review and disposition of its facts and observations (F&Os) will satisfy the staff's expectations concerning the independent review. Consistent with DC/COL-ISG-028, peer review of the PRA (including the initiating event and event sequence analyses) is not needed prior to application. However, a PRA peer review will help reduce the need for an in-depth review of the PRA by the NRC staff, thus allowing the staff to focus its review on key assumptions and areas identified as being of concern and relevant to the application. If a peer review has not been performed, the applicants/holders should justify why their PRAs are adequate in terms of scope, level of detail, and technical acceptability. PRA self-assessment is an acceptable tool for assessing the technical adequacy of a PRA performed in support of an application.

Collecting Application-Specific Information

Collect Information on Plant Design, Plant Operating States, and Site Characteristics (Box 3, Principle #1)

8. To support the analysis for initiating events, event sequences, and licensing events, the relevant information regarding plant design, operating states and, if the site is selected, site characteristics should be collected and made available to the analysis team. For a DC, SDA, or ML (when the applicant has not yet selected a site), postulated site parameters take the place of site characteristics.

The level of information should be consistent with the level of detail of the design information available and be sufficient to facilitate the search for initiating events and the analysis of plant response to support event sequence delineation.

Identify Radiological Sources and Transport Barriers from the Source to the Environment (Box 4, Principle #1)

9. The identification of significant radiological sources should involve first a search for and review of plant operating states, including refueling outages, other controlled shutdowns, and forced outages.


Depending on the design, significant inventories of radioactive material may be relocated during operation or plant shutdown. The search should consider all radiological sources within the plant including, but not limited to, each reactor core and each non-reactor-core source, such as spent fuel in the spent fuel storage system, online fuel or salt processing systems (for molten salt reactors), radioactive waste systems, and other process systems with radioactive material (e.g., radioactive material circulating or plated out within the reactor coolant boundary).

10. For each identified source, the barriers that can prevent the release of radioactive material to the environment (e.g., reactor building, containment, or confinement) should be identified to support the development of event sequences.

Identify Sources of Hazardous Chemical Materials (Box 5, Principle #1)

11. In addition to the search for radiological sources, a search for sources of hazardous chemical materials should be performed. Chemical sources of interest are those that are combined with radiological sources, or which can impact the plant response to an initiating event or can affect the properties of the radiological release. Chemical sources that are not combined with radiological sources, and which do not impact plant response are outside the scope of the search performed in this step.
12. Other hazards, such as hazards from nearby industrial facilities that could induce an initiating event to the nuclear plant are expected to be covered during the search for initiating events discussed in paragraphs 26 through 29 below.

Identify Plant-Specific Safety Functions (Box 6, Principle #1)

13. Having identified the radiological sources and sources of hazardous chemical materials, the plant-specific safety functions that need to be performed in order to prevent radiological releases should be identified, followed by the identification of systems and operator actions needed to perform each safety function.
14. Safety functions are those functions performed to limit the release of radioactive materials from the facility and control the sources of energy in the plant. The safety functions are established during the design process for the facility. The concept of safety functions forms the basis for selecting initiating events and delineating potential plant responses. Generally, safety functions specify a group of actions that limit the release of radioactive materials from the facility, or support the retention of radioactive materials, such as controlling reactivity, heat generation, heat removal, and chemical interactions. Such actions can result from the automatic or manual actuation of a system, from passive system performance, or from the natural feedback inherent in the design of the plant.
15. Identifying the necessary safety functions forms the preliminary basis for grouping accident-initiating events and provides the structure for defining and grouping systems in order to define a complete set of system responses and interactions for each group of initiating events. Additional distinction may be needed in the definition of safety functions to differentiate between groups of initiating events.


16. Following the identification of the safety functions, the systems needed to perform each safety function should be identified, along with associated success criteria and operator actions needed to perform the safety function. Specific success criteria for each safety function or system that performs safety or support functions should be specified. Typically, success criteria specify the minimum criteria for each function, given an initiating event. The derivation of success criteria should be based on acceptable engineering analyses, performed with validated computer codes, by qualified personnel, and represent the design and operation of the plant under consideration. For a safety function to be successful, the success criteria may be dependent on the initiator and the conditions created by the initiator.
17. If a PRA is being developed and peer reviewed in accordance with RG 1.200 (Ref. 5) and DC/COL-ISG-028 (for LWRs) (Ref. 11) or RG 1.247 (for non-LWRs) (Ref. 10), the derivation of success criteria is specified in the corresponding PRA standard.

Define Plant-Specific End States (Box 7, Principle #1)

18. The end states for event sequences should be defined in order to support event sequence delineation and selection. The end state of each accident sequence should correspond to either a release of radioactive material or to a safe stable state in which each safety function is fulfilled, and a radioactive release has been prevented. Definition of a safe stable state should be specified.

Analysis Methods Selection

Select Initiating Event Identification Techniques (Box 8, Principle #2)

19. The identification of techniques for initiating events search is key to conducting a search that is systematic, comprehensive, exhaustive, and without preconceptions or reliance on predefined lists (i.e., starting with a blank sheet of paper). The identification methods could involve a number of different approaches including the following:
  • Analytical techniques such as hazard and operability studies, failure mode and effects analysis, or other relevant methods for plant SSCs to determine whether their failures, either partial or complete, could lead to an initiating event.
  • Deductive techniques such as master logic diagrams to determine the elementary failures or combinations of elementary failures that would challenge normal operation and lead to an initiating event.
20. Appendix A to this RG summarizes known techniques for conducting the search for initiators and delineating event sequences. Other approaches may be used with sufficient explanation and technical justification.
21. Using a combination of different techniques should be considered, especially for new designs with little or no operating experience, in order to gain confidence that the list of initiating events is comprehensive.


Define Initiating Event Grouping Strategy and Characteristics (Box 9, Principle #2)

22. After identifying the initiating events, they should be grouped to reduce the number of analyzed initiating events to a manageable and representative selection of initiating events that supports efficient development of relevant event sequences. A strategy for initiating event grouping should be established to support a systematic structured process for grouping. The strategy chosen may depend on the intended scope and depth of the analysis, but generally, initiating events grouping can be based on similarity in plant response, the radioactive barriers that prevent the releases, the mitigating systems involved, associated success criteria, timing, or the effect on performance of operators.

Alternatively, the initiating events can be bounded by the worst-case consequences within the group.

Select Event Sequence Delineation Analytical Methods (Box 10, Principle #3)

23. Following the identification and grouping of the initiating events, applicants should determine the response of the plant to each group of initiating events in order to develop event sequences. The methods needed to perform this task should be clearly identified. The methods can include event sequence diagrams, event trees, or other methods.
24. Event trees are one method to order and depict safety functions according to the mitigation goals of each group of initiating events. For each safety function, the systems needed to successfully perform the function should be identified and documented. Depending on plant design, a safety function can be performed by one or more systems, some systems may perform more than one function or portions of several functions, and the systems that perform a certain function may be different for different initiators. Because each initiating event group generates a distinctly different plant response as discussed in C.3.2, function event trees should be developed for each initiating event group.
25. Event Sequence Diagrams similarly order and depict safety functions according to the mitigation goals of each initiating event group. An Event Sequence Diagram is a graphical tool used to illustrate possible success paths from a particular initiating event to a safe shutdown condition.

Initiating Event Analysis

Apply Initiating Event Identification Methods (Box 11, Principle #2)

26. The objectives of the initiating event analysis are to identify and characterize events that challenge plant operation during any plant operating state, that require successful mitigation by plant equipment, and that require personnel to prevent or to mitigate a release of radiological material. The characteristics and attributes needed to achieve the objectives of an initiating event analysis are as follows:
  • The analysis includes sufficiently detailed identification and characterization of initiating events.
  • Initiating events are grouped so that events in the same group have similar requirements for mitigation.


27. The initiating event analysis necessitates a structured, systematic process and accounts for plant- or design-specific features. The methods identified in paragraphs 19 through 21 above should be applied to identify the list of initiating events. The initiating event analysis should include both internal hazards (e.g., internal events, internal flooding, internal fires) and external hazards (e.g., seismic events, high winds, external floods, and other external hazards)4 considering the radiological sources and the plant operating modes. Additionally, the analysis should consider scenarios that simultaneously affect multiple reactor modules or radiological sources at the plant. If multiple reactor modules are located on the same site, the analysis should also consider those initiating events that are caused by interactions with the other units or by an accident at one or more of the other units.
28. When screening out initiating events from further consideration, a technical basis should be provided that accounts for design and operational uncertainties.
29. If a PRA is being developed and peer reviewed in accordance with RG 1.200 (Ref. 5) and DC/COL-ISG-028 (for LWRs) (Ref. 11) or RG 1.247 (for non-LWRs) (Ref. 10), the guidance on identification of initiating events for a PRA in the corresponding RG and associated PRA standard should be followed.

Apply Initiating Event Grouping Strategy (Box 12, Principle #2)

30. After identifying initiating events, the initiating event grouping should be conducted using the process and criteria established in paragraph 22 above. Grouping should be performed such that events in the same group have similar mitigation requirements in order to facilitate an efficient analysis of event sequences and the subsequent derivation of licensing events.
31. If a PRA is being developed and peer reviewed in accordance with RG 1.200 and DC/COL-ISG-028 (for LWRs) or RG 1.247 (for non-LWRs), the guidance on initiating events grouping in the corresponding RG and associated PRA standard should be followed.

Account for Relevant Operating Experience and Insights from Earlier Relevant Analyses in the Initiating Event Search (Box 13, Principle #5)

32. To ensure that the final list of initiating events is comprehensive, a review of any relevant operating experience should be performed to ensure that any initiating events that have occurred are included in the list of initiating events. Additionally, a review of any prior relevant initiating event analyses performed for other designs should be conducted to ensure that any possible insights are considered and captured in the initiating event list.

Conduct an Independent Review and Complete Quality Control Activities for the Initiating Event Search (Box 14, Principle #5)

33. The process and results of the initiating event search should be independently reviewed to help assure that the list of initiating events is comprehensive. If a PRA is developed and peer reviewed in accordance with RG 1.200 and DC/COL-ISG-028 (for LWRs) or RG 1.247 (for non-LWRs), then completion of a peer review and disposition of its F&Os will satisfy the staff's expectations concerning the independent review.
34. Since the systematic and comprehensive search for initiating events is used, in part, to inform the selection of licensing events, it should be developed under the established Quality Control process.

4 There are many references providing lists of external hazards. In contrast to internal initiating events, which can be highly design-specific, the external hazards to be considered are generally not design-specific. Appendix B to RG 1.247 (Ref. 10) and the associated non-LWR PRA standard ASME/ANS RA-S-1.4-2021 (Ref. 25) provide a listing and a general description of the external hazards that can be considered. As stated in ASME/ANS RA-S-1.4-2021, this list was compiled based on review of previous industry studies.

Event Sequence Selection

Apply Selected Event Sequence Delineation Analytical Methods (Box 15, Principle #3)

35. Similar to the initiating event search and grouping, the event sequence analysis should follow a structured, systematic process. The event sequence analysis should describe the scenarios that can lead to the release of radioactive material following each identified initiating event for all plant operating states and sources of radioactive material. These scenarios should address system responses and operator actions that support the key safety functions necessary to protect the radionuclide barriers and to prevent or mitigate the release of radioactive material. The event sequences should account for the systems that are used (and available) and operator actions performed to mitigate the initiator, based on the defined success criteria, plant operating procedures, and training. The availability of a system includes consideration of the functional, phenomenological, and operational dependencies and interfaces between the various systems and operator actions during the accident progression.
36. If a PRA is being developed and peer reviewed in accordance with RG 1.200 and DC/COL-ISG-028 (for LWRs) or RG 1.247 (for non-LWRs), the guidance on event sequence analysis for a PRA in the corresponding RG and associated PRA standard should be followed.

Account for Relevant Operating Experience and for Insights from Earlier Relevant Analyses in the Event Sequence Delineation (Box 16, Principle #5)

37. A review of the operating experience of similar plant designs, if any, and any event sequence analyses performed for similar designs should be conducted to ensure that any possible insights are considered in the event sequence delineation.

Conduct an Independent Review and Complete Quality Control Activities for the Event Sequence Delineation (Box 17, Principle #5)

38. The process and results of the event sequence delineation should be independently reviewed to help assure that the list of initiating events is comprehensive. If a PRA is being developed and peer reviewed in accordance with RG 1.200 and DC/COL-ISG-028 (for LWRs) or RG 1.247 (for non-LWRs), then completion of a peer review and disposition of its F&Os will satisfy the staff's expectations concerning the independent review.
39. Since the systematic and comprehensive event sequence delineation is used, in part, to inform the selection of licensing events, it should be developed under the established Quality Control process.


Defining Licensing Events

If a PRA Is Being Developed, Provide the List of Initiating Events and Event Sequences to the PRA (Boxes 18 and 19, Principle #1)

40. If the designer or applicant develops a PRA consistent with the selected regulatory framework, the initiating events and event sequences are integral to the development of the PRA models and, as such, should be provided as inputs to the PRA.

Identify Required Categories of Licensing Events for the Selected Licensing Framework (Box 20, Principle #1)

41. Once the list of event sequences has been completed, the designer or applicant should identify categories of licensing events consistent with the selected licensing framework. Table 1 summarizes the licensing event terminology for the various licensing pathways.
42. Non-LWR designers and applicants who voluntarily seek use of LMP under 10 CFR Part 50 and Part 52 should use the guidance in NEI 18-04 as endorsed by RG 1.233 (Ref. 8) for the identification of licensing events.
43. Note: The following sections of this RG (specifically, the sections "Define the Licensing Event Grouping Strategy and Its Characteristics" through "Conduct an Independent Review and Complete QA Activities for the Licensing Event Identification") apply to all designers and applicants who did not elect implementation of LMP.

Define the Licensing Event Grouping Strategy and Its Characteristics (Box 21, Principle #4)

44. Once the categories of licensing events have been identified, the event sequences should be grouped and mapped into the defined licensing event categories. The designers and applicants should define the strategy for grouping event sequences. There are many ways grouping can be accomplished. The events can be grouped by frequency which can be estimated quantitatively or qualitatively. The events can also be grouped by type of event, which considers aspects such as plant response following the initiating events, the similarity of challenges to the safety functions, or similarity in pathways that could lead to the release of radioactive material to the environment.

Apply the Licensing Event Grouping Strategy (Box 22, Principle #4)

45. Licensing events should be identified using the results of the initiating event search, event sequence delineation, and grouping strategy. All identified event sequences should be mapped to a licensing event category, and no event sequences should be eliminated.

Identify the Limiting Cases for Each Group of Licensing Events (Box 23, Principle #4)

46. A number of limiting cases, referred to as bounding or enveloping scenarios, should be selected from each group of licensing events. The bounding or enveloping scenario(s) should be chosen so that, individually or collectively, they account for the greatest possible challenges and limiting values for the performance parameters of safety-related equipment among the scenarios within the group. Several initiating events may be combined, and/or their consequences amplified, to develop a bounding scenario that encompasses all initiating events in the group.

Compare the List of Licensing Events to Predefined Lists (Box 24, Principle #5)

47. To ensure that all relevant licensing events have been considered, the licensing event list should be compared with that for similar plants or type of plants and, for LWRs, with the Standard Review Plan. Any identified differences should be justified.

Conduct an Independent Review and Complete QA Activities for the Licensing Event Identification (Box 25, Principle #5)

48. The process and results of the licensing event identification should be independently reviewed to ensure that the list of licensing events is complete. The list of licensing events should be developed under the relevant QA program for the selected licensing framework.

Documentation

49. Documentation of the analysis for identification of licensing events should be sufficient to allow the staff to determine the acceptability of the analysis and the results. Thus, the documentation should include information necessary for the staff to gain a full understanding of the technical bases of the analysis and the establishment of the licensing basis. This documentation should include information on the process used in the initiating event search, event sequence analysis and licensing event definition, the applied methods, and the results.
a. For initiating events, documentation should include information about the systematic search for initiators, the approach to identifying initiating events specific to each identified radiological source, the basis for grouping initiating events, the basis for screening out any initiating event from further consideration, the approach for assessing completeness and consistency of initiating events with previous relevant experience, and any analysis assumptions, uncertainties, and limitations.
b. For event sequences the documentation should include information on the linkage between the initiating events and event sequences, a description of the event sequence including system response and operator actions, success criteria including the bases for the criteria, clear definition of the event sequence end states, analysis performed to support the event sequence analysis, and any analysis assumptions, uncertainties, and limitations.
c. For licensing events, the documentation should include information on the method and basis for grouping of the event sequences into licensing events, the selection of limiting cases for each group of licensing events, the approach for assessing completeness and consistency of licensing events with similar plants or type of plants, and any analysis assumptions, uncertainties, and limitations.
50. Documentation should be archived and preserved as lifetime quality records.


51. Submittal documentation should follow the application-specific guidance under the selected regulatory framework.


D. IMPLEMENTATION

The NRC staff may use this regulatory guide as a reference in its regulatory processes, such as licensing, inspection, or enforcement. However, the NRC staff does not intend to use the guidance in this regulatory guide to support NRC staff actions in a manner that would constitute backfitting as that term is defined in 10 CFR 50.109, Backfitting, and 10 CFR 53.1590 or 10 CFR 53.6090, Backfitting, and as described in NRC Management Directive 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests (Ref. 26), nor does the NRC staff intend to use the guidance to affect the issue finality of an approval under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, or 10 CFR Part 53, Subparts H or R, Licenses, Certifications and Approvals.

The staff also does not intend to use the guidance to support NRC staff actions in a manner that constitutes forward fitting as that term is defined and described in Management Directive 8.4. If a licensee believes that the NRC is using this regulatory guide in a manner inconsistent with the discussion in this Implementation section, then the licensee may file a backfitting or forward fitting appeal with the NRC in accordance with the process in Management Directive 8.4.


ACRONYMS AND ABBREVIATIONS

ACRS - Advisory Committee on Reactor Safeguards
AEC - Atomic Energy Commission
AERI - Alternative Evaluation for Risk Insights
ALWR - Advanced Light-Water Reactor
AOO - Anticipated Operational Occurrence
ATWS - Anticipated Transients Without Scram
BDBE - Beyond-Design-Basis Event
CCA - Cause Consequence Analysis
CCF - Common Cause Failure
CCFA - Common Cause Failure Analysis
CFR - Code of Federal Regulations
CP - Construction Permit
COL - Combined License
DBA - Design-Basis Accident
DBE - Design-Basis Event
DC - Design Certification
DFM - Double Failure Matrix
FaHA - Fault Hazard Analysis
FMEA - Failure Mode and Effect Analysis
FMECA - Failure Mode Effects and Criticality Analysis
FTA - Fault Tree Analysis
FuHA - Functional Hazard Analysis
F&Os - Facts and Observations
HAZOP - Hazard and Operability
HRA - Human Reliability Analysis
IAEA - International Atomic Energy Agency
IE - Initiating Event
ISA - Integrated Safety Analysis
LBE - Licensing-Basis Event
LMP - Licensing Modernization Project
LWR - Light-Water Reactor
MA - Markov Analysis
ML - Manufacturing License
MLD - Master Logic Diagram
NEI - Nuclear Energy Institute
NRC - U.S. Nuclear Regulatory Commission
OE - Operational Experience
OL - Operating License
O&SHA - Operating and Support Hazard Analysis
PHA - Preliminary Hazard Analysis
PRA - Probabilistic Risk Assessment
QA - Quality Assurance
RG - Regulatory Guide
SBO - Station Blackout
SDA - Standard Design Approval
SHA - System Hazard Analysis
SRP - Standard Review Plan
SSC - Structures, Systems, and Components
TMI - Three Mile Island

REFERENCES 5

1. U.S. Code of Federal Regulations (CFR) Domestic Licensing of Production and Utilization Facilities, Part 50, Chapter 1, Title 10, Energy.
2. CFR, Licenses, Certifications, and Approvals for Nuclear Power Plants, Part 52, Chapter 1, Title 10, Energy.
3. CFR, Risk-Informed, Technology-Inclusive Regulatory Frameworks for Commercial Nuclear Plants, Part 53, Chapter 1, Title 10, Energy.
4. U.S. Nuclear Regulatory Commission (NRC), Draft Regulatory Guide (DG) -1414 (Proposed New Regulatory Guide [RG] 1.255), Alternative Evaluation for Risk Insights Framework, Washington, DC.
5. NRC, RG 1.200, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities, Washington, DC.
6. NRC, RG 1.206, Applications for Nuclear Power Plants, Washington, DC.
7. NRC, NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, Washington, DC. (Available at https://www.nrc.gov/reading-rm/doccollections/nuregs/staff/sr0800/).
8. NRC, RG 1.233, Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors, Washington, DC.
9. Nuclear Energy Institute (NEI) 18-04, Revision 1, Risk-Informed Performance-Based Technology-Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development, August 2019. (ADAMS Accession No. ML19241A472).6
10. NRC, RG 1.247, TRIAL - Acceptability of Probabilistic Risk Assessment Results for Non-Light Water Reactor Risk-Informed Activities, Washington, DC.
11. NRC, Interim Staff Guidance (ISG), DC/COL-ISG-028, Assessing the Technical Adequacy of the Advanced Light-Water Reactor Probabilistic Risk Assessment for the Design Certification Application and Combined License Application, November 2016 (ADAMS Accession No. ML16130A468).

5 Publicly available NRC published documents are available electronically through the NRC Library on the NRC's public Web site at http://www.nrc.gov/reading-rm/doc-collections/ and through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html. The documents can also be viewed online or printed for a fee in the NRC's Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at 301-415-4737 or (800) 397-4209; fax (301) 415-3548; or e-mail pdr.resource@nrc.gov.

6 Publications from the Nuclear Energy Institute (NEI) are available at their Web site: http://www.nei.org/ or by contacting the headquarters at Nuclear Energy Institute, 1776 I Street NW, Washington DC 20006-3708, Phone: 202-739-800, Fax 202-785-4019.


12. Teller, Edward with Allen Brown, The Legacy of Hiroshima, Double Day & Company, Garden City, NY, 1964.
13. Beck, Clifford K., TID-7579, Safety Factors to be Considered in Reactor Siting, Sixth International Congress and Exhibition of Electronics and Atomic Energy, Rome, Italy, 1959. (Available at https://www.osti.gov/biblio/4200786-sixth-international-congress-exhibition-electronics-atomic-energy-rome-italy-june-papers).

14. Atomic Energy Commission (AEC), A Guide for the Organization and Contents of Safety Analysis Reports, June 30, 1966. (ADAMS Accession No. ML11255A064).
15. Morris, P. L. (Director, AEC Division of Reactor Licensing), Plan to Develop a Standardized Review Plan, December 19, 1969. (ADAMS Accession No. ML19308B888).
16. Advisory Committee on Reactor Safeguards (ACRS) Letter Report, Review of Draft SECY Paper, Population - Related Siting Considerations for Advanced Reactors, Washington, DC, October 7, 2019. (ADAMS Accession No. ML19277H031).
17. NRC, "NRC Vision and Strategy: Safely Achieving Effective and Efficient Non-Light Water Reactor Mission Readiness," Washington, DC, December 21, 2016 (ADAMS Accession No. ML16356A670).
18. ACRS Letter Report, 10 CFR Part 53 Licensing and Regulation of Advanced Nuclear Reactors, Washington, DC, October 21, 2020. (ADAMS Accession No. ML20091L698).
19. ACRS Letter Report, Preliminary Proposed Rule Language for 10 CFR Part 53, Licensing and Regulation of Advanced Nuclear Reactors, Interim Report, Washington, DC, May 30, 2021. (ADAMS Accession No. ML21140A354).

20. ACRS Letter Report, Regulatory Guide 1.247, Acceptability of Probabilistic Risk Assessment Results for Advanced Non-Light Water Reactor Risk-Informed Activities, Washington, DC, October 26, 2021. (ADAMS Accession No. ML21288A018).
21. NRC, Nuclear Regulatory Commission International Policy Statement, Federal Register, Vol. 79, No. 132, July 10, 2014, pp. 39415-39418 (79 FR 39415).

22. NRC, Management Directive (MD) 6.6, Regulatory Guides, Washington, DC, May 2, 2016. (ADAMS Accession No. ML18073A170).

23. International Atomic Energy Agency (IAEA), Specific Safety Requirement (SSR) SSR-2/1, Safety of Nuclear Power Plants: Design, Vienna, Austria.7

7 Copies of International Atomic Energy Agency (IAEA) documents may be obtained through their Web site: www.IAEA.org/ or by writing the International Atomic Energy Agency, P.O. Box 100 Wagramer Strasse 5, A-1400 Vienna, Austria.


24. IAEA, Specific Safety Guide (SSG) SSG-2, Deterministic Safety Analysis for Nuclear Power Plants, Vienna, Austria.
25. American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS) RA-S-1.4-2021, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants, American Society of Mechanical Engineers and American Nuclear Society, New York, NY, 2021.8
26. NRC, MD 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests, Washington, DC.

8 Copies of American Society of Mechanical Engineers (ASME) standards may be purchased from ASME, Two Park Avenue, New York, New York 10016-5990; telephone (800) 843-2763. Purchase information is available through the ASME Web-based store at http://www.asme.org/Codes/Publications/.


APPENDIX A

COMPREHENSIVE SEARCH FOR INITIATING EVENTS

Identification of initiating events is the first step that needs to be performed prior to the identification of licensing events. This appendix provides technology-inclusive, generic guidance for conducting an initiating event search that can be used under any licensing framework.

Identification of initiating events (IEs) is the starting point for the safety assessment of nuclear power plants. Having a reasonably complete set of IEs is crucial in determining what events could propagate to undesirable consequences and in assessing the overall plant risk. A blended and robust approach utilizing multiple methods to identify IEs increases confidence that it produces a list of IEs as complete as possible and thus, all foreseeable IEs are reasonably captured. The set of IEs generated from different perspectives using different methods (tools) yields a high degree of confidence that risk-significant IEs have been identified and evaluated.

An IE is defined as an occurrence that challenges plant control and safety systems and whose failure could potentially lead to an undesirable end state or radioactive material release. IEs are categorized into internal hazards and external hazards. The internal hazards include internal events, internal floods, and internal fires, while external hazards include seismic events, high winds, external floods, and other external hazards. The American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS) NLWR PRA standard, ASME/ANS RA-S-1.4-2021 (Ref. A-1), as endorsed by RG 1.247 (Ref. A-2), provides a typical list of internal and external hazards. Table HS-2 of the PRA standard lists the hazards, which were compiled based on a review of industry studies such as NUREG/CR-2300 (Ref. A-3), NUREG-1407 (Ref. A-4), IAEA SSG-3 (Ref. A-5), and Electric Power Research Institute (EPRI) 1022997 (Ref. A-6).

Although Table HS-2 identifies the potential hazards for preliminary consideration, the table does not explicitly list the internal events, internal floods, and internal fires. Therefore, a comprehensive effort with a thorough systematic search using appropriate methods should be performed to exhaustively identify and evaluate IEs to account for design-specific factors.

Identification of the IEs is an iterative process. The search for IEs is not a one-time activity but involves iterations that are generally commensurate with the design development process that starts with a conceptual design. As the design matures and the understanding of the design and operation of the plant increases, the search for IEs continues and the list of IEs is further refined and iteratively updated. The set of IEs should be revisited throughout the plant life to reflect the as-built and as-operated conditions.

There are many existing sources of literature and guidance regarding the search for IEs and the methods used for identifying the IEs. One of these guidance documents is NUREG-1513, Integrated Safety Analysis Guidance Document, (Ref. A-7), which provides general guidance to fuel cycle licensees and applicants on how to perform an integrated safety analysis (ISA) and document the results.

Another guidance document on the methods used to identify IEs is NUREG-0492, Fault Tree Handbook, (Ref. A-8), which discusses the basic concepts of inductive and deductive techniques, specifically the fault tree method. Other guidance/studies/papers on identifying and conducting hazard evaluation that are worth noting:


  • NRC, NUREG-1150, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, Washington, DC, 1990 (Ref. A-9).
  • NRC, NUREG-1792, Good Practices for Implementing Human Reliability Analysis, Washington, DC, April 2005 (Ref. A-10).
  • NRC, NUREG-1842, Evaluation of Human Reliability Analysis Methods Against Good Practices, Washington, DC, 2006 (Ref. A-11).
  • NRC, NUREG-2198, The General Methodology of an Integrated Human Event Analysis System (IDHEAS-G), Washington, DC, 2021 (Ref. A-13).
  • International Atomic Energy Agency (IAEA), IAEA-TECDOC-719, Defining Initiating Events for Purposes of Probabilistic Safety Assessment, Vienna, Austria, 1993 (Ref. A-15).
  • IAEA, Safety Standard Series, No. SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, Vienna, Austria, 2010 (Ref. A-16).
  • International Electrotechnical Commission (IEC), International Standard IEC 31010, Risk Management - Risk Assessment Techniques, Geneva, Switzerland, 2019 (Ref. A-17).
  • American Society of Mechanical Engineers (ASME) and American Nuclear Society (ANS), ASME/ANS RA-Sa-2009, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, New York, NY, 2009 (Ref. A-18).

  • Center for Chemical Process Safety (CCPS), Guidelines for Hazard Evaluation Procedures, John Wiley & Sons, Inc. and the American Institute of Chemical Engineers (AIChE), New York, NY, 2008 (Ref. A-20).
  • CCPS, Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, AIChE, New York, NY, 2015 (Ref. A-21).
  • Electric Power Research Institute (EPRI), Report 3002000509, Hazard Analysis Methods for Digital Instrumentation and Control Systems, Palo Alto, CA, 2013 (Ref. A-22).


  • EPRI, Technical Report 3002018340, Compilation of Molten Salt Reactor Experiment (MSRE) Technical, Hazard, and Risk Analyses: A Retrospective Application of Safety-in-Design Methods, Palo Alto, CA, 2020 (Ref. A-23).

A-24).

  • Vladimir Popović, Branko Vasić, Review of Hazard Analysis Methods and Their Basic Characteristics, FME Transactions, Vol. 36, 2008 (Ref. A-25).
  • B. Chisholm, S. Krahn, K. Fleming, A systematic approach to identify initiating events and its relationship to Probabilistic Risk Assessment: demonstrated on the Molten Salt Reactor Experiment, Progress in Nuclear Engineering, Vol. 129, 2020 (Ref. A-26).

For the IE search, the combination of a deductive technique with an inductive technique has been found to be effective in ensuring completeness of the IE set. The set of IEs can be further refined by performing a human reliability analysis (HRA) to identify potential human-induced events. In addition, comparing the IE set to generic lists of IEs and to operational experience (OE) will provide high confidence that IEs have been comprehensively identified. The choice of the deductive and inductive methods, or combination of methods, depends on a number of factors, including the reason for conducting the analysis, the results needed from the analysis, the information available, the complexity of the process being analyzed, the personnel and experience available to conduct the analysis, and the perceived risk of the process. Therefore, given the availability of numerous methods, it is not necessary to rely exclusively on any specific one for searching for IEs.

A-1. Inductive Techniques

The inductive techniques provide answers to the generic question "What happens if ...?" More formally, analyzing from the specific to the general, the inductive process starts by assuming a particular state of existence of a component and examining the effects of that condition on the system. Attempts to identify all possible hazards or all possible component failure modes, both singly and in combination, are challenging for complex systems. For this reason, the inductive techniques are generally circumscribed by considerations of time, budget, and manpower.

Induction constitutes reasoning from individual cases to a general conclusion. The inductive technique assumes some possible conditions and tries to determine the corresponding effect on the overall system. For example, in constructing an inductive system analysis, one would postulate a particular fault or initiating condition and attempt to ascertain the effect of that fault or condition on system operation. In short, inductive methods are applied to determine what failed states are possible. These methods should be carried out by a suitably experienced multi-disciplinary team and followed up by an independent review. Many inductive methods have been developed, for example:

  • Double Failure Matrix (DFM)
  • Failure Mode and Effect Analysis (FMEA)
  • Failure Mode Effects and Criticality Analysis (FMECA)
  • Fault Hazard Analysis (FaHA)
  • Functional Hazard Analysis (FuHA)
  • Hazard and Operability Analysis (HAZOP)
  • Preliminary Hazard Analysis (PHA).

The most common and well-developed ones among them are FMEA, HAZOP, and PHA.

A-1.1 Failure Mode and Effect Analysis (FMEA)

The ASME/ANS PRA standard defines FMEA as a process for identifying failure modes of specific components and evaluating their effects on other components, subsystems, and systems. As discussed in NUREG-2122 (Ref. A-27), FMEA is generally used to identify IEs for a new plant design with no operational history or failure data. FMEA is aimed at analyzing the effects of a single component or function failure on other components, systems, and subsystems. FMEA can be useful in identifying IEs that involve support system failures and the expected effects on the plant, especially on mitigating systems.

NUREG/CR-6962 (Ref. A-28) describes FMEA as a well-known method used to identify the failure modes of a system and their effects or consequences upon it. In this technique, failure modes can be categorized according to how serious their consequences are, how frequently they occur, and how easily they can be detected.

EPRI Report 3002000509 (Ref. A-22) states that FMEA is a step-by-step approach for identifying possible failures in a design, process, or product. Failure modes means the ways, or modes, in which something might fail to meet a specified functional or performance characteristic. Effects analysis refers to studying the consequences of those failures. The EPRI report also identifies some limitations of FMEA as follows:

  • Common cause failures - It is difficult to postulate and consider the effects of potential common cause failures (CCFs). The focus on single failures also limits consideration of adverse interactions between systems or components, including human interactions.
  • Software hazards - The FMEA method typically considers hardware failures only, where it can be applied effectively. However, to date, methods for identifying software failures and determining their effects are still a research problem, especially since there is no clear industry and regulatory consensus on the meaning of software failure.
  • Dependent on analysis boundary - The FMEA method is useful for analyzing failure modes and effects between components of interest and between interfacing systems and components. However, it may not assess the effects of all interfaces if the boundary is not drawn correctly or if the block diagram does not account for all interfaces that actually cross the boundary in the implemented system.

  • Coverage of other hazards - Because the FMEA method is a bottom-up method that is focused on single failures of equipment, it does not systematically identify a wider range of hazards that can lead to accidents or losses, such as requirements errors, human errors, or adverse interactions between components that have not failed.

A-1.2 Hazard and Operability Analysis (HAZOP)

NUREG-1513 (Ref. A-7) states that the HAZOP method provides a detailed framework for studying each process, line by line, in an exhaustive manner. Each process variable (such as flow, temperature, pressure), a description of deviations from normal values, potential consequences of these deviations, and existing controls, are recorded.

EPRI Report 3002000509 (Ref. A-22) describes the HAZOP method as a systematic review of a process, using guide words, to visualize the ways in which a system can malfunction. The HAZOP analysis searches for possible deviations from the design intent that can occur in components, operator or maintenance technician actions, or material elements (e.g., air, water, steam), and determines whether the consequences of such deviations can result in hazards. The EPRI report quoted from IEC Document 61882-2001 (Ref. A-29) states that HAZOP is a structured and systematic technique for examining a defined system, with the objective of (1) identifying potential hazards in the system; and (2) identifying potential operability problems with the system and in particular identifying causes of operational disturbances and production deviations.

A characteristic feature of a HAZOP study is the examination session during which a multi-disciplinary team under the guidance of a study leader systematically examines all relevant parts of a design or system. It identifies deviations from the system design intent utilizing a core set of guide words. The technique aims to stimulate the imagination of participants in a systematic way to identify hazards and operability problems. The EPRI report also quoted from IEC 61882-2001 on the limitations of HAZOP method as follows:

  • Interactions between systems or parts of a system - HAZOP is a hazard identification technique which considers system parts individually and methodically examines the effects of deviations on each part. The hazard may need to be studied in more detail using techniques such as event tree and fault tree analyses if it involves the interaction between a number of parts of the system.
  • Trained Facilitator - It is difficult to navigate the HAZOP process without a facilitator. A trained facilitator helps the team recognize the error traps created by their own mindsets.

A-1.3 Preliminary Hazards Analysis (PHA)

NUREG-0492 (Ref. A-8) describes PHA as a method for assessing the potential hazards posed by the system. The objectives of a PHA are to identify the potentially hazardous conditions inherent within the system and to determine the significance or criticality of potential accidents that might arise. A PHA study should be conducted as early in the development stage as possible. This will permit the early development of design and procedural safety requirements for controlling these hazardous conditions.

The first step in a PHA is to identify potentially hazardous elements or components within the system. This process is facilitated by engineering experience, the exercise of engineering judgment, and the use of numerous checklists that have been developed from time to time. The second step in a PHA is the identification of those events that could possibly transform specific hazardous conditions into potential accidents. Then the seriousness of these potential accidents is assessed to determine whether preventive measures should be taken.

EPRI Report 3002000509 describes that in the preliminary or conceptual design phases of a project, preliminary hazards that could be potentially created by or related to a proposed solution or modification should be identified. PHA involves one or more organized meetings, where the identified individuals come together and review, discuss, and identify potential hazards. The method for performing a PHA relies on the judgment and experience of individuals knowledgeable in the design, operations, maintenance, and licensing basis of the potentially affected systems, subsystems, or components.

Limitations of the PHA method include that the hazards must be foreseen and recognized by the analysts. Another key concern is the effects of interactions between hazards, which are not easily recognized.

A.2. Deductive Techniques

The deductive techniques address the question "how can it happen?" Deduction constitutes reasoning from the general to the specific. In a deductive technique, a design or system is reviewed to identify the hazards and the causes of each hazard, including those caused by multiple failures. The approach postulates that the system itself has failed in a certain way and attempts to find out what modes of system/component behavior contribute to this failure. In these deductive techniques, some specific system failure state is postulated, and chains of more basic faults contributing to this undesired event are built up in a systematic way. The deductive methods are applied to determine how a given system state can occur. Like the inductive techniques, the deductive techniques should be carried out by a suitable, experienced multidisciplinary team and followed up by an independent review. Several deductive methods have been developed, for example:

  • Cause Consequence Analysis (CCA)
  • Common Cause Failure Analysis (CCFA)
  • Fault Tree Analysis (FTA)
  • Markov Analysis (MA)
  • Master Logic Diagram (MLD)
  • Operating and Support Hazard Analysis (O&SHA)
  • System Hazard Analysis (SHA)

The most common and well-developed ones among them are FTA and MLD.

A-2.1 Fault Tree Analysis (FTA)

FTA is discussed in detail in NUREG-0492, Fault Tree Handbook (Ref. A-8). FTA is described as an analytical technique whereby an undesired state of the system is specified, and the system is then analyzed in the context of its environment and operation to find all credible ways in which the undesired event can occur. The fault tree itself is a graphic model of the various parallel and sequential combinations of faults that will result in the occurrence of the predefined undesired event. The faults can be events that are associated with component hardware failures, human errors, or any other pertinent events which can lead to the undesired event. A fault tree thus depicts the logical interrelationships of basic events that lead to the undesired event, which is the top event of the fault tree.

A fault tree is tailored to its top event, which corresponds to a particular system failure mode, and the fault tree thus includes only those faults that contribute to this top event. Moreover, these faults are not exhaustive, as they cover only the most credible faults as assessed by the analyst.

FTA is not in itself a quantitative model. It is a qualitative model that can be evaluated quantitatively.

A fault tree is a complex of entities known as "gates" which serve to permit or inhibit the passage of fault logic up the tree. The gates show the relationships of events needed for the occurrence of a "higher" event. The "higher" event is the "output" of the gate; the "lower" events are the "inputs" to the gate. The gate symbol denotes the type of relationship of the input events required for the output event.

NUREG-2122 (Ref. A-27) describes a fault tree as a deductive logic diagram that graphically represents the various failures that can lead to a predefined undesired event. Fault trees describe how failures of top events occur because of various failure modes of components, human errors, initiator effects, and failures of support systems that combine to cause a failure of a top event.

EPRI Report 3002000509 (Ref. A-22) states that FTA is a top-down method, which postulates failures of high-level safety and generation related functions and identifies the plant mechanical and electrical equipment needed for these functions. This top-down approach can thereby focus the failure analysis of the system by identifying the potentially important failure modes of the mechanical and electrical components controlled or actuated by the digital system. Some limitations of FTA include:

  • Focusing on failures - The focus of FTA on failure modes limits the ability of the method to consider interactions between systems or components that can lead to adverse behaviors under plant states in which no failures are present.
  • Complexity of models - Fault tree logic models can be large, difficult to display on a few pages or screens and require specialized software to present and review. The effort can be burdensome if not managed effectively.
  • Time interdependencies - FTA deals only with binary states (i.e., success/failure) and only examines one top event; the time dependencies are not addressed.

A-2.2 Master Logic Diagram (MLD)

Similar to the FTA, MLD is a logic diagram that resembles a fault tree but without the mathematical properties. It is a hierarchical, top-down, logical decomposition of the general undesired end state, which is shown on the top of the tree, proceeding to increasingly detailed event descriptions at lower tiers and displaying basic IEs. MLD commences with a top event in which the end state is the event of concern and grows into a plant level logic structure with IEs as the fundamental input events.

NUREG-2122 (Ref. A-27) describes MLD as a graphical model that can be constructed to guide the selection of IEs. An MLD is developed using fault tree logic to show general categories of IEs proceeding to increasingly detailed information at lower levels, with specific IEs presented at the bottom level. In a more general sense, an MLD is a fault tree identifying all the hazards that affect a mission, system, or plant. The difference between an MLD and a fault tree is that a fault tree focuses on accounting for the specific causes leading to failure of a system or group of systems, whereas the MLD focuses on listing the hazards that can affect a top event.

ASME/ANS PRA standard (Ref. A-1) defines MLD as a summary fault tree constructed to guide the identification and grouping of IEs and their associated sequences to ensure completeness.

NUREG/CR-2300 (Ref. A-3) states that the MLD can be constructed to guide the selection and grouping of IEs and to ensure completeness. The events in the MLD are identified by the level they appear in the tree, with the top being Level 1. The use of levels is an ordering technique to assist in locating events. The strategy is to achieve completeness of events by level. Limitations of MLD are similar to those described in FTA discussion.
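As an added illustration of the FTA and MLD points above (example code, not part of DG-1413 or of any reference it cites): a small constructed fault tree with AND/OR gates is evaluated qualitatively (minimal cut sets), then quantitatively (rare-event sum over cut sets, assuming independent basic events), and its events are ordered by tree level as an MLD would order them. Event names and probabilities are constructed for the example.

```python
from itertools import product

# Constructed example (not from DG-1413): top event "loss of emergency cooling"
# requires both redundant trains to fail (AND gate); each train fails if its
# pump or its power supply fails (OR gate). Basic events are the leaves.
TREE = {
    "LOSS_OF_COOLING": ("AND", ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]),
    "TRAIN_A_FAILS": ("OR", ["PUMP_A", "POWER_A"]),
    "TRAIN_B_FAILS": ("OR", ["PUMP_B", "POWER_B"]),
}
# Constructed per-demand failure probabilities for the basic events.
PROBS = {"PUMP_A": 1e-3, "PUMP_B": 1e-3, "POWER_A": 1e-2, "POWER_B": 1e-2}


def minimal_cut_sets(event, tree=TREE):
    """Qualitative evaluation: smallest sets of basic events whose joint
    occurrence causes `event`. Binary success/failure logic only, as in FTA."""
    if event not in tree:                      # basic event: it is its own cut set
        return {frozenset([event])}
    gate, inputs = tree[event]
    child_sets = [minimal_cut_sets(i, tree) for i in inputs]
    if gate == "OR":                            # any one input suffices
        sets = set().union(*child_sets)
    else:                                       # AND: one cut set from every input
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {s for s in sets if not any(o < s for o in sets)}   # drop supersets


def rare_event_probability(event, probs=PROBS, tree=TREE):
    """Quantitative evaluation of the same tree: sum over minimal cut sets of
    the product of their basic-event probabilities (independence assumed)."""
    total = 0.0
    for cut in minimal_cut_sets(event, tree):
        p = 1.0
        for basic in cut:
            p *= probs[basic]
        total += p
    return total


def levels(event, tree=TREE, level=1, out=None):
    """MLD-style ordering: the tree level at which each event appears, the top
    event being Level 1, to help locate events and check completeness by level."""
    out = {} if out is None else out
    out[event] = min(level, out.get(event, level))
    if event in tree:
        for i in tree[event][1]:
            levels(i, tree, level + 1, out)
    return out
```

The cut-set routine also handles a basic event that appears under more than one gate, discarding any cut set that is a superset of another, which is the step that makes the result minimal.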


REFERENCES [9]

A.1 American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS) RA-S-1.4-2021, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants, American Society of Mechanical Engineers and American Nuclear Society, New York, NY, 2021. [10]

A.2 NRC, RG 1.247, TRIAL - Acceptability of Probabilistic Risk Assessment Results for Non-Light Water Reactor Risk-Informed Activities.

A.3 NRC, NUREG/CR-2300, PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, U.S. NRC, Washington, DC, 1983.

A.4 NRC, NUREG-1407, Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities, U.S. NRC, Washington, DC, 1991.

A.5 International Atomic Energy Agency (IAEA) SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, International Atomic Energy Agency, Vienna, Austria, 2010. [11]

A.6 Electric Power Research Institute (EPRI) 1022997, Identification of External Hazards for Analysis in Probabilistic Risk Assessment, Electric Power Research Institute, Palo Alto, CA, 2015. [12]

A.7 NRC, NUREG-1513, Integrated Safety Analysis Guidance Document, U.S. NRC, Washington, DC, 2001.

A.8 NRC, NUREG-0492, Fault Tree Handbook, U.S. NRC, Washington, DC, 1981.

A.9 NRC, NUREG-1150, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, Washington, DC, 1990.

[9] Publicly available NRC published documents are available electronically through the NRC Library on the NRC's public Web site at http://www.nrc.gov/reading-rm/doc-collections/ and through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html. The documents can also be viewed online or printed for a fee in the NRC's Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at 301-415-4737 or (800) 397-4209; fax (301) 415-3548; or e-mail pdr.resource@nrc.gov.

[10] Copies of American Society of Mechanical Engineers (ASME) standards may be purchased from ASME, Two Park Avenue, New York, New York 10016-5990; telephone (800) 843-2763. Purchase information is available through the ASME Web-based store at http://www.asme.org/Codes/Publications/.

[11] Copies of International Atomic Energy Agency (IAEA) documents may be obtained through their Web site, www.IAEA.org/, or by writing the International Atomic Energy Agency, P.O. Box 100, Wagramer Strasse 5, A-1400 Vienna, Austria.

[12] Copies of Electric Power Research Institute (EPRI) standards and reports may be purchased from EPRI, 3420 Hillview Ave., Palo Alto, CA 94304; telephone (800) 313-3774; fax (925) 609-1310.


A.10 NRC, NUREG-1792, Good Practices for Implementing Human Reliability Analysis, Washington, DC, April 2005.

A.11 NRC, NUREG-1842, Evaluation of Human Reliability Analysis Methods Against Good Practices, Washington, DC, 2006.

A.12 NRC, RG 1.200, Revision 3, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities, Washington, DC, 2020.

A.13 NRC, NUREG-2198, The General Methodology of an Integrated Human Event Analysis System (IDHEAS G), Washington, DC, 2021.

A.14 NRC and Canadian Nuclear Safety Commission (CNSC), Joint Report on Terrestrial Energy's Methodology for Developing a Postulated Initiating Events List for the Integral Molten Salt Reactor, Joint Report, 2022.

A.15 IAEA, IAEA-TECDOC-719, Defining Initiating Events for Purposes of Probabilistic Safety Assessment, Vienna, Austria, 1993.

A.16 IAEA, Safety Standard Series, No. SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, Vienna, Austria, 2010.

A.17 International Electrotechnical Commission (IEC), International Standard IEC 31010, Risk Management - Risk Assessment Techniques, Geneva, Switzerland, 2019.

A.18 ASME/ANS, ASME/ANS RA-Sa-2009, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, New York, NY, 2009.

A.19 ASME and ANS, ASME/ANS RA-S-1.4-2021, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants, New York, NY, 2021.

A.20 Center for Chemical Process Safety (CCPS), Guidelines for Hazard Evaluation Procedures, John Wiley & Sons, Inc., and the American Institute of Chemical Engineers (AIChE), New York, NY, 2008.

A.21 CCPS, Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, AIChE, New York, NY, 2015.

A.22 Electric Power Research Institute (EPRI), Report 3002000509, Hazard Analysis Methods for Digital Instrumentation and Control Systems, Palo Alto, CA, 2013.

A.23 EPRI, Technical Report 3002018340, Compilation of Molten Salt Reactor Experiment (MSRE) Technical, Hazard, and Risk Analyses: A Retrospective Application of Safety-in-Design Methods, Palo Alto, CA, 2020.

A.24 Idaho National Engineering and Environmental Laboratory (INEEL), NUREG/CR-5750, Rates of Initiating Events at U.S. Nuclear Power Plants: 1987 - 1995, Idaho Falls, Idaho, 1999.


A.25 FME Transactions, Vol. 36, Review of Hazard Analysis Methods and Their Basic Characteristics, Vladimir Popović and Branko Vasić, 2008.

A.26 B. Chisholm, S. Krahn, K. Fleming, A systematic approach to identify initiating events and its relationship to Probabilistic Risk Assessment: demonstrated on the Molten Salt Reactor Experiment, Progress in Nuclear Engineering, Vol. 129, 2020.

A.27 NRC, NUREG-2122, Glossary of Risk-Related Terms in Support of Risk-Informed Decision-making, Washington, DC, 2013.

A.28 NRC, NUREG/CR-6962, Traditional Probabilistic Risk Assessment Methods for Digital Systems, Washington, DC, 2008.

A.29 International Electrotechnical Commission, IEC Document 61882-2001, Hazard and Operability Studies (HAZOP studies) - Application Guide, Geneva, Switzerland, 2001.
