31 - Code Development Using Risk Insights, NRC Presentation Slides

ML24173A194
Person / Time
Issue date:	06/27/2024
From:	Stephen Cumblidge NRC/NRR/DNRL/NPHP
To:
Rezai, A., NRR/DNRL, 301-415-1328
Shared Package
ML24159A553	List: ML24172A256 ML24172A257 ML24172A264 ML24172A265 ML24172A266 ML24172A267 ML24172A295 ML24172A296 ML24172A297 ML24173A193 ML24173A194 ML24177A025 ML24193A029
References
Download: ML24173A194 (29)
v • d • e

Text

Code Development Using Risk Insights Stephen Cumblidge Technical Exchange Meeting June 27, 2024

The Old Three Ds Model Performance Monitoring Safety Margins Current Regulations Met Defense-In-Depth

• When the current fleet was being designed and built, regulations were based on Determinism, Design Basis Accidents, and Defense-in-Depth.

• Safety was primarily assured via appropriate safety margins and defense-in-depth in reactor designs.

• Performance monitoring was based on in-service testing rules, and inspections using a percent sampling and ten-year intervals.

Design Basis Accidents 2

Use of Risk in ASME Code The effective Risk Importance for passive components was ranked into different categories based roughly on the proximity to the core and the size of the component (ASME Code Class 1, 2, and 3).

• RG 1.26 provides guidance for categorizing components based on proximity to core and function.

• Pipes with NPS 4 or less have lower inspection requirements.

• Components less than NPS 1 are exempt from most requirements.

3 Quality Group Classifications And Standards For Water-, Steam-, And Radioactive-waste-containing Components Of Nuclear Power Plants, Regulatory Guide 1.26 Rev. 6, Dec 2021

How Was This Implemented?

• Safety factors based on fossil boilers (with some significant modifications) were used for component design and construction.

• Preservice inspection requirements were made to workmanship standards with clear acceptance criteria.

• Inservice inspection requirements were extensive and were designed to have all Class 1 components inspected over 40 years of operation.

4

Some Advantages of the Deterministic Method

• Can provide high confidence that systems will be reliable

• Easy to understand and communicate to licensees and the public

• Can be used to set a common standard for all licensees

• Easy to verify compliance 5

Some Challenges of Deterministic Method Risk significance of some Class 2 and 3 SSCs can be as high as many Class 1 SSCs.

Choosing the level of conservatism for calculations can be challenging.

Some inspection methods could impose undue burden and others may be inadequate to assure safety (examples below):

• The initial scope of examining 25% of welds every interval was larger than needed to give reasonable assurance that novel degradation would be found in some areas.

• The ten-year ISI interval was too long for some degradation mechanisms such as stress corrosion cracking.

6

Rise of Risk Information Concerns over the safety of the Hanford plutonium production reactors in the 1950s drove the need for applying risk assessment for nuclear reactors.

Based on public concerns over the safety of nuclear power, the Atomic Energy Commission started work on the WASH-1400 project to develop Probabilistic Risk Assessments (PRAs) based on fault trees for Nuclear power plants in 1972.

WASH-1400, Reactor Safety Study, was issued in October 1975, shortly after the NRC was Created by Congress.

Hanford B Reactor 7

Strengths of PRAs

• PRAs provide a systematic approach of assessing systems that are superior to simple engineering judgement.

• PRAs provide a systematic approach to estimate the effects of events and the importance of different systems.

• PRAs enable licensees and the NRC to focus on systems and events that have relative high impact on public safety using a rigorous and reviewed process.

8

Challenges of PRAs

• Completeness uncertainty: Some passive components are not modeled, known phenomena of very low frequency are not modeled.

• PRA models do not capture all risks important to the regulators (e.g., risks associated with security related events) and risks important to the plant owner (e.g., crediting feed and bleed as a success).

9

Uncertainties Should be Identified and Considered

• PRAs use a significant amount of information pertaining to design, operations, and operating experience.

• While some of the values are based on engineering judgement, these values undergo peer reviews for acceptability.

• PRAs help identify, and sometimes quantify uncertainties in ways that deterministic classifications cannot.

• Therefore, NRC requires treatment of uncertainty when PRA inputs are used in regulatory decision making.

10

Mitigating Uncertainties: Defense-in-Depth As discussed above, Defense in Depth is one of the original core concepts in nuclear safety used to mitigate uncertainties.

Three barriers to contain radioactive material: fuel cladding, primary system boundary, and the containment.

• The use of successive measures to prevent an accident or to mitigate the consequences of an accident.

• The use of redundancy and diversity.

• Implementation of the single failure criterion (Defined in Appendix A to 10 CFR Part 50).

11

Mitigating Uncertainties: Safety Margins

• When a component is designed, one uses expected operating conditions, nominal materials properties, and flawless assembly in the design.

• Using sufficient safety margins, including quality control, mitigates:

- Uncertainties in material properties

- Minor design deviations

- Fabrication flaws

- Unforeseen operating conditions 12

Mitigating Uncertainties: Performance Monitoring

• Performance Monitoring is a wide term with many meanings, depending on the context.

Direct evidence of presence and/or extent of degradation Validation/confirmation of continued adequacy of analyses Timely method to detect novel/unexpected degradation

• Performance monitoring can use statistics to determine confidence, but this is not standardized across the industry.

Burn-in Maturity Wear-out Chance of failure Are you where you think you are?

13

Balanced Risk-Informed Decisionmaking Safety Margins Performance Monitoring Risk Analysis Defense-In-Depth Current Regulations Met When all factors of the RIDM framework are appropriately considered, appropriate reductions in undue burdens can be approved without adversely impacting safety (e.g., Risk Informed Inservice inspections provided the same level of safety using fewer than half the examinations).

That approach (consideration of all RIDM factors) during the staffs review is essential to allow burden reductions without adversely affecting safety.

Can implementation of 10 CFR 50.69, that does not consider other requirements, lead to eliminating or unacceptably reducing safety margins based on the SSC being of low safety significance?

14

Challenges of Risk Based Thinking Unless care is exercised, using risk solely may lead to risk-based decision making because:

PRAs provide a number that can easily be compared to an acceptance value and easy to communicate On the contrary, Safety Margin, Performance Monitoring, and Defense-in-Depth dont have as clear an acceptance criteria The direct method of analyzing risk vs. the evaluation of other principles can result in quantified risk dominating the discussion without proper consideration of uncertainties 15 Safety Margins Performance Monitoring Defense-In-Depth Current Regulations Met Risk Analysis

Some Challenges to Risk Informing - Granularity

• If a NPP is broken down to each individual weld, pipe, tube, etc. no individual piece would have a CDF of greater than 10-6/yr.

• The Pressure Vessel typically has a CDF of 10-7/yr.

• Going through an NPP with a magnifying glass and a PRA can justify thousands of individual changes that look small but add up to significant reductions in safety.

• To prevent cumulation of such incremental risks leading to reductions in safety, key risk-informed initiatives (e.g., TSTF-505) require applicants to track cumulative risk and update PRAs on a periodic basis using operating experience that relies on performance monitoring.

16

Potential Impact on RIDM on Safety Margins

• Safety margins were established using engineering judgement and operational experience, with much of this experience pre-dating the nuclear industry.

• How can we reduce undue industry burdens with minimal impacts on safety margins? poses a significant challenge.

- Example: Many successes listed in prior presentation, e.g., reactor vessel inspections, risk-informed ISI 17

Risk-Informing Safety Margins Changes in the Safety Margin can affect how often an SSC fails, possibly invalidating the justification for reducing the safety margin.

CDF Value Reducing Safety margins can increase the initiating event frequency, increasing CDF.

18

Modifying Safety Margins Using Risk

• How do we reduce safety margins with risk? We are doing it already.

• A large body of precedent has shown that the NRC is open to reducing the safety margins of SSCs, if it can be shown that the effects of failure are not highly safety significant.

• ASME Code Case N-660 is in Reg Guide 1.147, many approvals of 10 CFR 50.69 LARs are using this method for ASME Class 2 and 3 items 19

Modifying Defense-in-Depth with Risk

• Many systems in nuclear power plants have multiple redundant trains.

• The system function may have a high associated risk, but each individual train may have a lower risk.

• Pieces and parts in each individual train in a high-risk system can be downgraded to low safety significance, if defense-in-depth is maintained.

• Want to avoid downgrading all trains of a risk-significant system since it may challenge defense-in-depth.

20

Modifying Performance Monitoring with Risk

• The NRC and Industry have significant experience with risk-informing inspections and testing.

• Risk-Informed ISI is a mature field that has been implemented for decades.

• Other areas where inspections and testing can be modified are being explored.

21

What Changes Can Be Made to ASME Code?

Two main areas have been the focus of code changes lately

• Modification of inspection intervals

• Reduction in requirements for items determined to be Low Safety Significance 22

Optimizing Inspection Intervals Using Risk Insights Inservice inspections serve two main purposes:

- Inspections to find unexpected degradation

• Examinations for leakage cover the entire reactor coolant pressure boundary

- Every outage

• Other examinations sample SSCs to provide reasonable assurance of no novel damage mechanisms

- Sampled over 10-year ISI interval

- Monitor known degradation mechanisms

• Inspection interval based on degradation rates

• Requires information about degradation mechanism, materials, and service conditions 23

Optimizing Inspection Intervals Using Risk Insights

• Inspections have been successfully risk-informed for decades.

• Some SSCs in NPPs have no postulated degradation mechanisms and have not shown any signs of degradation over the life of the fleet.

• An increase in the inspection intervals can be justified for such SSCs.

• Any such, the increase should include an appropriate number of inspections to provide reasonable assurance that novel degradation would be discovered (e.g., steam generator inspections).

24

Tools for Inspection Interval Optimization

• Crack growth rate calculations can be used to determine how often an SSC with an active degradation mechanism should be inspected.

• N-770 and N-729 take materials and coolant temperature into account to determine re-inspection intervals.

• Tools like Probabilistic Fracture Mechanics could be used on other SSCs to provide insights in determining appropriate inspection intervals.

25

Risk-Informing Safety Margin based on Risk

• Safety margins may be reduced for Structures, Systems, and Components (SSCs) requirements for items determined to be LSS

• These possible reductions in safety margin largely apply to repair/replacement activities, as the inspections have already been risk informed 26

Treatment for LSS Components

• 10 CFR 50.69(d)(2) - The licensee or applicant shall ensure, with reasonable confidence, that RISC-3 SSCs remain capable of performing their safety-related functions under design basis conditions

• 10 CFR 50.69(d)(2)(i)... Periodic inspection and testing activities must be conducted to determine that RISC-3 SSCs will remain capable of performing their safety-related functions under design basis conditions 27

Moving Forward

• The NRC will continue to review methodologies used to categorize passive components as HSS/LSS, and define alternative treatment for LSS components.

• The NRC needs to ensure that different methodologies for the same purpose do not produce different results. Is there a minimum treatment?

• Internal discussions are continuing to align on enforceable minimum standards to use for LSS to ensure that LSS components would remain capable of performing their safety-related functions under design basis conditions.

Safety Margins Performance Monitoring Risk Analysis Defense-In-Depth Current Regulations Met 28

29