31 - NRC - Code Development Using Risk Insights Revision 2

ML24193A029
Person / Time
Issue date:	06/27/2024
From:	Stephen Cumblidge NRC/NRR/DNRL/NPHP
To:
Rezai, A., NRR/DNRL, 301-415-1328
Shared Package
ML24159A553	List: ML24172A256 ML24172A257 ML24172A264 ML24172A265 ML24172A266 ML24172A267 ML24172A295 ML24172A296 ML24172A297 ML24173A193 ML24173A194 ML24177A025 ML24193A029
References
Download: ML24193A029 (29)
v • d • e

Text

Code Development Using Risk Insights

Stephen Cumblidge Technical Exchange Meeting June 27, 2024 The Old Three Ds Model

• When the current fleet was being Current designed and built, regulations were Regulations based on Determinism, Design Basis Met Defense-In-Accidents, and Defense-in-Depth.

Depth

• Safety was primarily assured via Safety appropriate safety margins and Margins defense-in-depth in reactor designs.

• Performance monitoring was based Performance on in-ser vice testing rules, and Monitoring Design inspections using a percent sampling Basis and ten-year inter vals.

Accidents

2 Use of Risk in ASME Code

The effective Risk Importance for passive components was ranked into different categories based roughly on the proximity to the core and the size of the component (ASME Code Class 1, 2, and 3).

• RG 1.26 provides guidance for categorizing components based on proximity to core and function.

• Pipes with NPS 4 or less have lower inspection requirements.

• Components less than NPS 1 are exempt from most requirements.

Quality Group Classifications And Standards For Water -, Steam-, And Radioactive-wa ste-3 containing Components Of Nuclear Power Plants, Regulatory Guide 1.26 Rev. 6, Dec 2021 How Was This Implemented?

• Safety factors based on fossil boilers (with some significant modifications) were used for component design and construction.

• Preser vice inspection requirements were made to workmanship standards with clear acceptance criteria.

• Inser vice inspection requirements were extensive and were designed to have all Class 1 components inspected over 40 years of operation.

4 Some Advantages of the Deterministic Method

• Can provide high confidence that systems will be reliable

• Easy to understand and communicate to licensees and the public

• Can be used to set a common standard for all licensees

• Easy to verify compliance

5 Some Challenges of Deterministic Method

Risk significance of some Class 2 and 3 SSCs can be as high as many Class 1 SSCs.

Choosing the level of conser vatism for calculations can be challenging.

Some inspection methods could impose undue burden and others may be inadequate to assure safety (examples below):

• The initial scope of examining 25% of welds every inter val was larger than needed to give reasonable assurance that novel degradation would be found in some areas.

• The ten-year ISI inter val was too long for some degradation mechanisms such as stress corrosion cracking.

6 Rise of Risk Information

• Concerns over the safety of the Hanford plutonium production reactors in the 1950s drove the need for applying risk assessment for nuclear reactors.

• Based on public concerns over the safety of nuclear power, the Atomic Energy Commission started work on the WA S H-1400 project to develop Probabilistic Risk Assessments (PRAs) based on fault trees for Nuclear power plants in 1972.

• WA S H-was issued in October 1975, shortly 1400, Reactor Safety Study, after the NRC was Created by Congress. Hanford B Reactor

7 Strengths of PRAs

• PRAs provide a systematic approach of assessing systems that are superior to simple engineering judgement.

• PRAs provide a systematic approach to estimate the effects of events and the importance of different systems.

• PRAs enable licensees and the NRC to focus on systems and events that have relative high impact on public safety using a rigorous and reviewed process.

8 Challenges of PRAs

• Completeness uncertainty: Some passive components are not modeled, known phenomena of very low frequency are not modeled.

• PRA models do not capture all risks important to the regulators (e. g., risks associated with security related events) and risks important to the plant owner (e. g., crediting feed and bleed as a success).

9 Uncertainties Should be Identified and Considered

• PRAs use a significant amount of information pertaining to design, operations, and operating experience.

• While some of the values are based on engineering judgement, these values undergo peer reviews for acceptability.

• PRAs help identify, and sometimes quantify uncertainties in ways that deterministic classifications cannot.

• Therefore, NRC requires treatment of uncertainty when PRA inputs are used in regulatory decision making.

10 Mitigating Uncertainties: Defense -in-Depth

As discussed above, Defense in Depth is one of the original core concepts in nuclear safety used to mitigate uncertainties.

• Three barriers to contain radioactive material: fuel cladding,

primary system boundary, and the containment.

• The use of successive measures to prevent an accident or to mitigate the consequences of an accident.

• The use of redundancy and diversity.

• Implementation of the single failure criterion (Defined in Appendix A to 10 CFR Part 50).

11 Mitigating Uncertainties: Safety Margins

• When a component is designed, one uses expected operating conditions, nominal materials properties, and flawless assembly in the design.

• Using sufficient safety margins, including quality control, mitigates:

- Uncertainties in material properties

- Minor design deviations

- Fabrication flaws

- Unforeseen operating conditions

12 Mitigating Uncertainties: Performance Monitoring

• Performance Monitoring is a wide term with many meanings, depending on the co ntex t.

Direct evidence of presence and/or extent of degradation

Vadequacy of analysesalidation/confirmation of continued

Timely method to detect novel/unexpected degradationBurn-inM a t urit yWe a r-o ut

Are you where you think you are?

• Performance monitoring can use statistics to determine confidence, but this is not standardized across the industry.

13 Balanced Risk -Informed Decisionmaking

• When all factors of the RIDM framework are Defense-In -appropriately considered, appropriate Depth reductions in undue burdens can be approved without adversely impacting safety (e. g., Risk Informed Inser vice inspections provided the Current Safety same level of safety using fewer than half the Regulations Margins Met examinations).

• That approach (consideration of all RIDM factors) during the staff s review is essential to Performance Risk allow burden reductions without adversely Monitoring Analysis affecting safety.

14 Challenges of Risk Based Thinking

Defense-In -* Unless care is exercised, using risk solely may lead to Depth risk-based decision making because:

• PRAs provide a number that can easily be compared to Current Safety an acceptance value and easy to communicate Regulations Margins Met Risk

• On the contrary, Safety Margin, Performance Monitoring, and Defense-in-Depth dont have as clear Analysis an acceptance criteria

Performance

• The direct method of analyzing risk vs. the evaluation Monitoring of other principles can result in quantified risk dominating the discussion without proper consideration of uncertainties

15 Some Challenges to Risk Informing - Granularity

• If a NPP is broken down to each individual weld, pipe, tube, etc. no individual piece would have a CDF of greater than 10-6/ y r.

• The Pressure Vessel typically has a CDF of 10 -7/ y r.

• Going through an NPP with a magnifying glass and a PRA can justify thousands of individual changes that look small but add up to significant reductions in safety.

• Treductions in safetyo prevent cumulation of such incremental risks leading to, key risk-informed initiatives (e. g., TSTF-505) require applicants to track cumulative risk and update PRAs on a periodic basis using operating experience that relies on performance monitoring.

16 Potential Impact on RIDM on Safety Margins

• Safety margins were established using engineering judgement and operational experience, with much of this experience pre-dating the nuclear industry.

• How can we reduce undue industry burdens with minimal impacts on safety margins? poses a significant challenge.

- Example: Many successes listed in prior presentation, e. g., reactor vessel inspections, risk-informed ISI

17 Risk-Informing Safety Margins

Changes in the Safety Margin can affect how often an SSC fails, possibly invalidating the justification for reducing the safety margin.

CDF Value

Reducing Safety margins can increase the initiating event frequency, increasing CDF.

18 Modifying Safety Margins Using Risk

• How do we reduce safety margins with risk? We are doing it already.

• A large body of precedent has shown that the NRC is open to reducing the safety margins of SSCs, if it can be shown that the effects of failure are not highly safety significant.

• ASME Code Case N-660 is in Reg Guide 1.147, many approvals of 10 CFR 50.69 LARs are using this method for ASME Class 2 and 3 items

19 Modifying Defense-in-Depth with Risk

• Many systems in nuclear power plants have multiple redundant trains.

• The system function may have a high associated risk, but each individual train may have a lower risk.

• Pieces and parts in each individual train in a high-risk system can be downgraded to low safety significance, if defense-in-depth is maintained.

• Want to avoid downgrading all trains of a risk-significant system since it may challenge defense-in-depth.

20 Modifying Performance Monitoring with Risk

• The NRC and Industry have significant experience with risk-informing inspections and testing.

• Risk-Informed ISI is a mature field that has been implemented for decades.

• Other areas where inspections and testing can be modified are being explored.

21 What Changes Can Be Made to ASME Code?

Two main areas have been the focus of code changes lately

• Modification of inspection inter vals

• Reduction in requirements for items determined to be Low Safety Significance

22 Optimizing Inspection Inter vals Using Risk Insights

Inser vice inspections ser ve two main purposes:

- Inspections to find unexpected degradation

• Examinations for leakage cover the entire reactor coolant pressure boundary

- Every outage

• Other examinations sample SSCs to provide reasonable assurance of no novel damage mechanisms

- Sampled over 10- year ISI interval

- Monitor known degradation mechanisms

• Inspection inter val based on degradation rates

• Requires information about degradation mechanism, materials, and ser vice conditions

23 Optimizing Inspection Inter vals Using Risk Insights

• Inspections have been successfully risk-informed for decades.

• Some SSCs in NPPs have no postulated degradation mechanisms and have not shown any signs of degradation over the life of the fleet.

• An increase in the inspection inter vals can be justified for such SSCs.

• Any such, the increase should include an appropriate number of inspections to provide reasonable assurance that novel degradation would be discovered (e. g., steam generator inspections).

24 Tools for Inspection Inter val Optimization

• Crack growth rate calculations can be used to determine how often an SSC with an active degradation mechanism should be inspected.

• N-770 and N-729 take materials and coolant temperature into account to determine re-inspection inter vals.

• Tools like Probabilistic Fracture Mechanics could be used on other SSCs to provide insights in determining appropriate inspection inter vals.

25 Risk-Informing Safety Margin based on Risk

• Safety margins may be reduced for Structures, Systems, and Components (SSCs) requirements for items determined to be LSS

• These possible reductions in safety margin largely apply to repair/replacement activities, as the inspections have already been risk informed

26 Treatment for LSS Components

• 10 CFR 50.69(d)(2) - The licensee or applicant shall ensure, with reasonable confidence, that RISC-3 SSCs remain capable of performing their safety-related functions under design basis conditions

• 10 CFR 50.69(d)(2)(i)... Periodic inspection and testing activities must be conducted to determine that RISC-3 SSCs will remain capable of performing their safety-related functions under design basis conditions

27 Moving Forward

• The NRC will continue to review methodologies used to categorize passive

Defense-In -

components as HSS/LSS, and define Depth alternative treatment for LSS components.

• The NRC needs to ensure that different Current methodologies for the same purpose do not Regulations Safety produce different results. Is there a Met Margins minimum treatment?

• Internal discussions are continuing to align on enforceable minimum standards to use for LSS to ensure that LSS components Performance Risk would remain capable of performing their Monitoring Analysis safety-related functions under design basis conditions.

28 29