NUREG-1602, Requests Comments on Encl Draft Documents Including Draft Regulatory Guide DG-1061, General Guidance, DG-1062, IST, Draft Std Review Plan - General Guidance, Draft Std Review Plan - IST & Draft NUREG-1602


ML20140E947
Person / Time
Site: Comanche Peak
Issue date: 06/09/1997
From: Polich T
NRC (Affiliation Not Assigned)
To: Terry C
TEXAS UTILITIES ELECTRIC CO. (TU ELECTRIC)
References
RTR-NUREG-1602, RTR-REGGD-XX.XXX, TASK-*****, TASK-RE TAC-M94165, TAC-M94166, NUDOCS 9706120262


Text

{{#Wiki_filter:UNITED STATES

NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001

June 9, 1997

Mr. C. Lance Terry
TU Electric
Group Vice President, Nuclear
Attn: Regulatory Affairs Department
P. O. Box 1002
Glen Rose, TX 76043

SUBJECT:

THIRD ROUND REQUEST FOR ADDITIONAL INFORMATION (RAI) ON RISK-INFORMED INSERVICE TESTING (RI-IST) PILOT PLANT - COMANCHE PEAK STEAM ELECTRIC STATION, UNITS 1 AND 2 (TAC NOS. M94165 AND M94166)

REFERENCES:

1. TU Electric letter logged TXX-95260, from C. L. Terry to the NRC, dated November 27, 1995
2. NRC letter from Timothy J. Polich to C. Lance Terry, dated March 15, 1996
3. TU Electric letter logged TXX-96371, from C. L. Terry to the NRC, dated June 3, 1996
4. TU Electric letter from Hossein G. Hamzehee to Mike Cheok, dated July 2, 1996
5. TU Electric letter logged TXX-96458, from C. L. Terry to the NRC, dated September 12, 1996
6. NRC letter from Timothy J. Polich to C. Lance Terry, dated March 12, 1997

Dear Mr. Terry:

On November 27, 1995, Texas Utilities Electric Company (TU Electric) submitted a request to the Nuclear Regulatory Commission (NRC) (Reference 1) to utilize a risk-informed inservice testing (RI-IST) program at the Comanche Peak Steam Electric Station (CPSES), Units 1 and 2, to determine inservice test frequencies for certain valves and pumps that were categorized as low safety significant. The request was part of a pilot plant effort with Arizona Public Service Company (APS). The NRC staff provided an initial request for additional information (RAI) to TU Electric related to the proposed RI-IST program via Reference 2. The NRC staff met with TU Electric at the CPSES site on April 25, 1996, to discuss the RAI. TU Electric responded to the NRC staff's initial RAI and submitted a revised RI-IST program to the NRC via Reference 3. TU Electric submitted additional information to the NRC in support of their proposed RI-IST program via References 4 and 5. The NRC staff provided a second round RAI to TU Electric related to the proposed RI-IST program via Reference 6. The second round RAI focused on several of the key areas described in the attached draft regulatory guides and standard review plan sections.

NRC FILE CENTER COPY
9706120262 970609 PDR ADOCK 05000445 G PDR

The attached draft regulatory guides, draft standard review plan sections, and draft NUREG will be issued by the NRC for a 90-day public comment period in the near future. An advanced copy of these documents is being provided to you for two reasons. First, the NRC staff is requesting TU Electric's comments (i.e., as one of the two RI-IST pilot plants) on these draft documents. Second, the NRC staff is requesting that TU Electric describe how its proposed RI-IST program comports with the guidance provided in Draft Regulatory Guide DG-1061 - General Guidance and Draft Regulatory Guide DG-1062 - IST. Where TU Electric's approach used in its proposed RI-IST program differs from the approach described in these draft documents, the NRC staff requests the pilot licensee describe its proposed alternative as well as the basis for its acceptability. This will facilitate preparation of the NRC staff's safety evaluation of TU Electric's proposed RI-IST program and will be useful in revising the draft regulatory guides and standard review plan sections.

The NRC staff would appreciate the licensee's response to this RAI as soon as possible (e.g., within approximately 45 days of receipt of this request). If the licensee is unable to provide a timely response to this RAI, the NRC requests that the licensee submit its plan and schedule for providing a complete response to the NRC.

Sincerely,

Timothy J. Polich, Project Manager
Project Directorate IV-1
Division of Reactor Projects III/IV
Office of Nuclear Reactor Regulation

Docket Nos. 50-445 and 50-446

Enclosures:

1. Draft Regulatory Guide DG-1061 - General Guidance
2. Draft Regulatory Guide DG-1062 - IST
3. Draft Standard Review Plan - General Guidance
4. Draft Standard Review Plan - IST
5. Draft NUREG-1602 - Use of PRA in RI Applications

cc w/encls: See next page

Mr. C. Lance Terry
TU Electric Company
Comanche Peak, Units 1 and 2

cc:

Senior Resident Inspector, U.S. Nuclear Regulatory Commission, P. O. Box 1029, Granbury, TX 76048

Regional Administrator, Region IV, U.S. Nuclear Regulatory Commission, 611 Ryan Plaza Drive, Suite 400, Arlington, TX 76011

Mrs. Juanita Ellis, President, Citizens Association for Sound Energy, 1426 South Polk, Dallas, TX 75224

Mr. Roger D. Walker, TU Electric, Regulatory Affairs Manager, P. O. Box 1002, Glen Rose, TX 76043

Texas Utilities Electric Company, c/o Bethesda Licensing, 3 Metro Center, Suite 610, Bethesda, MD 20814

George L. Edgar, Esq., Morgan, Lewis & Bockius, 1800 M Street, N.W., Washington, DC 20036-5869

Honorable Dale McPherson, County Judge, P. O. Box 851, Glen Rose, TX 76043

Office of the Governor, ATTN: John Howard, Director, Environmental and Natural Resources Policy, P. O. Box 12428, Austin, TX 78711

Arthur C. Tate, Director, Division of Compliance & Inspection, Bureau of Radiation Control, Texas Department of Health, 1100 West 49th Street, Austin, TX 78756-3189

DISTRIBUTION:
Docket File; OGC; PUBLIC; JRoe; BWSheron; Glainas; GHill (4); ACRS; CGrimes; AHowell, RIV; WBHardin; MCCheok; PDIV-1 r/f; EAdensam (EGA1); JColaccino; TPolich (2); CHawes

Document Name: CP941653.RAI
*See previous concurrence

OFC: EMEB:DE*; DC:EMEB:DE*; BC:EMEB:DE*; PM/PD4-1; LA/PD4-1
NAME: DCFischer; DTerao; RHWessman; TPolich/vw; CHawes
DATE: 05/23/97; 05/23/97; 05/23/97; 6/3/97; 6/3/97
COPY: YES/NO; YES/NO; YES/NO; YES/NO; YES/NO

OFFICIAL RECORD COPY

DISTRIBUTION:
Docket; OGC; PUBLIC; JRoe; BWSheron; Glainas; GHill (4); ACRS; CGrimes; AHowell, RIV; WBHardin; MCCheok; PDIV-1 r/f; EAdensam; JColaccino

Document Name: C:\RI-IST\CPSES\CP-RAI#3

OFC: EMEB:DE; DC:EMEB:DE; BC:EMEB:DE; PM/PD4-1; LA/PD4-1
NAME: DCFischer; DTerao; RHWessman; TPolich; CHawes
DATE: 5/23/97; 5/23/97; 5/23/97; 6/3/97; / /97
COPY: YES/NO; YES/NO; YES/NO; YES/NO (2); YES/NO (2)

OFFICIAL RECORD COPY



U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REGULATORY RESEARCH
March 1997
Draft DG-1061

DRAFT REGULATORY GUIDE

Contact: M. A. Cunningham (301)415-6189

An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis

Draft for Comment

March 28, 1997

This regulatory guide is being issued in draft form to involve the public in the early stages of the development of a regulatory position in this area. It has not received complete staff review and does not represent an official NRC staff position.

Public comments are being solicited on the draft guide (including any implementation schedule) and its associated regulatory analysis or value/impact statement. Comments should be accompanied by appropriate supporting data. Written comments may be submitted to the Rules Review and Directives Branch, DFIPS, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555. Copies of comments received may be examined at the NRC Public Document Room, 2120 L Street NW., Washington, DC. Comments will be most helpful if received by

Requests for single copies of draft or active regulatory guides (which may be reproduced) or for placement on an automatic distribution list for single copies of future draft guides in specific divisions should be made in writing to the U.S. Nuclear Regulatory Commission, Washington, DC 20555, Attention: Distribution and Mail Services Section, or by fax to (301)415-2260.

ENCLOSURE 1


FOREWORD

The NRC's Policy Statement (Ref. 1) on probabilistic risk analysis (PRA) encourages greater use of this analysis technique to improve safety decisionmaking and improve regulatory efficiency. The NRC staff's PRA Implementation Plan describes activities now underway or planned to expand this use. These activities include, for example, providing guidance for NRC inspectors on focusing inspection resources on risk-important equipment, as well as reassessing plants with relatively high core damage frequencies for possible backfits.

Another activity under way in response to the policy statement is the use of PRA in support of decisions to modify an individual plant's current licensing basis (CLB). This regulatory guide provides guidance on the use of PRA findings and risk insights in support of licensee requests for changes to a plant's current licensing basis (e.g., request for license amendments and technical specification changes under 10 CFR §§50.90-92). It does not address changes to the current licensing basis which do NOT require NRC review and approval (e.g., changes to the facility as described in the FSAR which are the subject of 10 CFR §50.59).

Licensee-initiated CLB changes which are consistent with currently-approved Staff positions, e.g., regulatory guides, standard review plans, branch technical positions, or the Standard Technical Specifications, are normally evaluated by the staff using traditional, deterministic engineering analyses. A licensee would not be expected to submit risk information in support of the proposed change. Licensee-initiated CLB changes which request changes which go beyond current Staff positions may be evaluated by the Staff using traditional deterministic engineering analyses as well as the risk-informed approach set forth in this regulatory guide. A licensee may be requested to submit supplemental risk information or deterministic information if such information is not submitted by the licensee. If risk information on the proposed CLB change is not provided to the Staff, the Staff will review the information provided by the licensee to determine if the application can be approved based upon the information provided using traditional deterministic methods and will either approve or reject the application based upon the Staff's review.

For those licensee-initiated CLB changes which a licensee chooses to support (or is requested by the staff to support) with risk information, this regulatory guide describes an acceptable method for assessing the nature and impact of proposed CLB changes by considering engineering issues and applying risk insights. Licensees submitting risk information (whether on their own initiative or at the request of the staff) should address each of the principles of risk-informed regulation discussed in this regulatory guide. Licensees should identify how chosen approaches and methods (whether they are quantitative or qualitative, and deterministic or probabilistic), data, and criteria for considering risk are appropriate for the decision to be made.

Finally, the guidance provided here does not preclude other approaches for requesting changes to the CLB. Rather, this Regulatory Guide is intended to improve consistency in regulatory decisions in areas in which the results of risk analyses are used to help justify regulatory action. As such, the principles, process, and approach discussed herein also provide useful guidance for the application of risk information to a broader set of activities than plant-specific changes to a plant's CLB (i.e., generic activities) and licensees are encouraged to utilize this guidance in that regard.


CONTENTS

FOREWORD

1. INTRODUCTION
1.1 Background
1.2 Purpose of the Regulatory Guide
1.3 Scope of this Regulatory Guide
1.4 Relationship to other Guidance Documents

2. AN ACCEPTABLE APPROACH TO RISK-INFORMED DECISIONMAKING
2.1 Risk-Informed Philosophy
2.2 A Four-Element Approach to Integrated Decision-Making
2.3 Element 1: Define the Proposed Change
2.4 Element 2: Perform Engineering Analysis
2.4.1 Evaluation of Defense-in-Depth Attributes & Safety Margins
2.4.1.1 Defense-in-Depth
2.4.1.2 Safety Margins
2.4.2 Evaluation of Risk Impact, Including Treatment of Uncertainties
2.4.2.1 Acceptance Guidelines
2.4.2.2 Comparison of PRA Results with the Acceptance Guidelines
2.4.3 Integrated Decision-Making
2.5 Element 3: Define Implementation and Monitoring Program
2.6 Element 4: Submit Proposed Change
2.7 Quality Assurance

3. DOCUMENTATION AND SUBMITTAL
3.1 Introduction
3.2 Documentation
3.3 Licensee Submittal
3.4 Implementation Plan and Performance Monitoring Process

APPENDIX A. USE OF RISK IMPORTANCE MEASURES TO CATEGORIZE STRUCTURES, SYSTEMS, AND COMPONENTS WITH RESPECT TO SAFETY SIGNIFICANCE

APPENDIX B. AN APPROACH FOR ESTIMATING THE FREQUENCIES OF VARIOUS CONTAINMENT FAILURE MODES AND BYPASS EVENTS
B.1 INTRODUCTION
B.2 PWRs with Large Volume Containments
B.3 PWRs with Ice Condenser Containments
B.4 BWR Mark I Containment
B.5 BWR Mark II Containment
B.6 BWR Mark III Containment

ATTACHMENT TO APPENDIX B: Definition of Containment Failure Mode Classes


  • Drqjif:r Ccmmeret I introducti:n i

1' ' 1. INTRODUCTION . l -- -- .1.1 Background _

                                                                        .. ._ 7 j

During the last several years, both the NRC and the nuclear industry have recognized that probabilistic risk l

           , assessment (PRA) has evolved to the point wherc it can be used increasingly as a too! in regulatory l

j decisionmaking. In August 1995, the NRC adopted the following policy statement regarding the expanded use ofPRA. , e The use of PRA technologyshould be increased in all regulatory matters to the exse.it yym.4 l by the state-of-the-art in PRA methods and data and in a manner that complements the NRCs l j deterministic appmach and supports the NRC's traditional defense-in-depth philosophy. ! e PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and imps,.ecc measures) should be used in regula'.ory m:::ters,where practical within the bounds of the state of-l the art, to reduce unnecessary conservatism associated with current regulatory requirements, j regulatoryguides, license commitments,and staff practices. Where appropriate, PRA should be l used to support the proposal of additional regulatory requirements in accordance with 10 CFR l l 50.109 (Backfit Rule). Appropriate pmcedures for including PRA in the process for changing  : l  !

regulatoryrequirements should be developed and followed. It is, of course, understood that the l

j' intent of this policy is that existing rules and regulations shall be complied with unless these rules and regulations are revised. l - 1 I e PRA evaluations in support of regulatory decisions should be as realistic as pr.cdcsle and 1 epy~yi; ate supporting data should be publicly available for revww. l 7 1

     -                    e        The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are j                                   to be used with appropriate consideration of uncertainties in making regulatoryjudgements on
       .                           need for proposing and backfitting new generic requirements on nuclear power plant licensees.                 ,
                                                                                                                                                 \

In its approval of the policy statement, the Commission articulated its expectation that implementation of the policy statement will improve the regulatory process in three areas: foremost, through safety decisionmaking enhanced by the use of PRA insights; through more efficient use of agency resources; and through a reduction in unnecessary burdens on licensees.

In parallel with the publication of the policy statement, the staff developed an implementation plan to define and organize the PRA-related activities being undertaken. These activities cover a wide range of PRA applications and involve the use of a variety of PRA methods (with variety including both types of models used and the detail of modeling needed). For example, one application involves the use of PRA in the assessment of operational events in reactors. The characteristics of these assessments permit relatively simple PRA models to be used. In contrast, other applications require the use of detailed models.

The activities described in the PRA Implementation Plan relate to a number of agency interactions with the regulated industry. With respect to reactor regulation, activities include, for example, guidance development for NRC inspectors on focusing inspection resources on risk-important equipment, and a reassessment of plants with relatively high core damage frequencies for possible backfit.

March 28, 1997 1-1 DG-1061

Draft for Comment: Introduction

This regulatory guide focuses on the use of PRA in a subset of the applications described in the staff's implementation plan. Its principal focus, and that of the accompanying staff document (draft NUREG- ...), is the use of PRA findings and risk insights in decisions on proposed changes to a plant's current licensing basis (CLB).¹ Such CLB changes are expected to result in improved reactor safety by incorporating advanced technology and lessons learned from operating units, or fixing vulnerabilities identified through analysis or other means and, in addition, may result in the removal of unnecessarily burdensome regulatory practices.

The regulatory guide also makes use of the Commission's Safety Goal Policy Statement. As discussed below, a key principle in risk-informed regulation is that increases in risk be small and do not cause the NRC Safety Goals to be exceeded. The Commission's Safety Goals (and associated quantitative health objectives (QHOs)) define an acceptable level of risk which is a small fraction (0.1%) of other risks to which the public is exposed. The acceptance guidelines defined in this regulatory guide (in Section 2.4.2) are based on subsidiary objectives derived from the Safety Goals and their QHOs.

1.2 Purpose of the Regulatory Guide

Changes to many of the activities and design characteristics in a nuclear power plant's current licensing basis require NRC review and approval. This regulatory guide provides the staff's recommendations for utilizing risk information in support of licensee-initiated CLB changes requiring such review and approval. The guidance provided here does not preclude other approaches for requesting CLB changes. Rather, this regulatory guide is intended to improve consistency in regulatory decisions in areas in which the results of risk analyses are used to help justify regulatory action. As such, this regulatory guide, the use of which is voluntary, provides general guidance concerning one approach that the NRC has determined to be acceptable for analyzing issues associated with proposed changes to a plant's current licensing bases (CLB) and for assessing the impact of such proposed changes on the risk associated with plant design and operation. This guidance does not address the specific analyses needed for each nuclear power plant activity or design characteristic that may be amenable to risk-informed regulation.

1.3 Scope of this Regulatory Guide

This regulatory guide describes an acceptable approach for assessing the nature and impact of proposed CLB changes by considering engineering issues and applying risk insights. Assessments should consider relevant safety margins and defense-in-depth attributes, including consideration of success criteria as well as equipment functionality, reliability, and availability. The analyses should reflect the actual design, construction, and operational practices of the plant. Acceptance guidelines for evaluating the results of such assessments are provided also. This guide also addresses implementation strategies and performance monitoring plans associated with CLB changes that will help ensure assumptions and analyses supporting the change are verified.
¹ This regulatory guide adopts the 10 CFR Part 54 definition of current licensing basis. That is, "Current Licensing Basis (CLB) is the set of NRC requirements applicable to a specific plant and a licensee's written commitments for ensuring compliance with and operation within applicable NRC requirements and the plant-specific design basis (including all modifications and additions to such commitments over the life of the license) that are docketed and in effect. The CLB includes the NRC regulations contained in 10 CFR Parts 2, 19, 20, 21, 26, 30, 40, 50, 51, 54, 55, 70, 72, 73, 100 and appendices thereto; orders; license conditions; exemptions; and technical specifications. It also includes the plant-specific design-basis information defined in 10 CFR 50.2 as documented in the most recent final safety analysis report (FSAR) as required by 10 CFR 50.71 and the licensee's commitments remaining in effect that were made in docketed licensing correspondence such as licensee responses to NRC bulletins, generic letters, and enforcement actions, as well as licensee commitments documented in NRC safety evaluations or licensee event reports."


Consideration of the Commission's Safety Goal Policy Statement is an important element in regulatory decisionmaking. Consequently, this regulatory guide provides acceptance guidelines consistent with the Commission's Safety Goal Policy Statement.

In theory, one could construct a more generous regulatory framework for consideration of those risk-informed changes which may have the effect of increasing risk to the public. Such a framework would include, of course, assurance of continued adequate protection (that level of protection of the public health and safety which must be reasonably assured regardless of economic cost). But it could also include provision for possible elimination of all measures not needed for adequate protection which either do not effect a substantial reduction in overall risk or result in continuing costs which are not justified by the safety benefits. Instead, NRC has chosen, in this regulatory guide, a more restrictive policy which would permit only small increases in risk, and then only when it is reasonably assured, among other things, that sufficient defense-in-depth and sufficient margins are maintained. This policy is adopted because of the inherent uncertainties in PRA and to account for the fact that safety issues continue to emerge regarding design, construction, and operational matters notwithstanding the maturity of the nuclear power industry. These factors suggest that nuclear power reactors should operate routinely only at a prudent margin above adequate protection. The safety goal subsidiary objectives are used as an example of such a prudent margin.

Finally, this regulatory guide indicates an acceptable level of documentation that will enable the staff to reach a finding that the licensee has performed a sufficiently complete and scrutable analysis and that the results of the engineering evaluations support the licensee's request for a regulatory change.

1.4 Relationship to Other Guidance Documents

Directly relevant to this regulatory guide is the Standard Review Plan (SRP) designed to guide the NRC staff evaluations of licensee requests for changes to the CLB that apply risk insights, as well as selected application-specific regulatory guides and the corresponding Standard Review Plan chapters. Related regulatory guides include DG-1062 (Ref. 3) on inservice testing, DG-1063 (Ref. 4) on inservice inspection of piping, DG-1064 (Ref. 5) on graded quality assurance, and DG-1065 (Ref. 6) on technical specifications. Draft NUREG-1602 contains reference material on issues and methods for PRA that can be used to support regulatory decisionmaking. The staff recognizes that the risk analyses necessary to support regulatory decisionmaking may vary with the relative weight that is given to the risk assessment element of the decisionmaking process. The burden is on the licensee requesting a change to their CLB to justify why the chosen risk assessment approach, methods, and data are appropriate for the decision to be made.


2. AN ACCEPTABLE APPROACH TO RISK-INFORMED DECISIONMAKING

2.1 Risk-Informed Philosophy

In its approval of the policy statement on the use of PRA methods in nuclear regulatory activities, the Commission stated an expectation that "the use of PRA technology should be increased in all regulatory matters ... in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy." The use of risk insights in licensee submittals requesting CLB changes will assist the staff in the disposition of such licensee proposals.

The staff has defined an acceptable approach to analyzing and evaluating proposed CLB changes. This approach supports the NRC's desire to base its decisions on the results of traditional engineering evaluations, supported by insights (derived from the use of PRA methods) about the risk significance of the proposed changes. Decisions concerning proposed changes are expected to be reached in an integrated fashion, considering traditional engineering and risk information, and may be based on qualitative factors as well as quantitative analyses and information.

In implementing risk-informed decisionmaking, changes are expected to meet a set of key principles. Some of these principles are written in terms typically used in traditional engineering decisions (e.g., defense-in-depth). While written in these terms, it should be understood that risk analysis techniques can be, and are encouraged to be, used to help ensure and show that they are met. These principles are:

1. The proposed change meets the current regulations. This principle applies unless the proposed change is explicitly related to a requested exemption or rule change (i.e., a 50.12 "specific exemption" or a 2.802 "petition for rulemaking").
2. Defense-in-depth is maintained.
3. Sufficient safety margins are maintained.
4. Proposed increases in risk, and their cumulative effect, are small and do not cause the NRC Safety Goals to be exceeded.
5. Performance-based implementation and monitoring strategies are proposed that address uncertainties in analysis models and data and provide for timely feedback and corrective action.

April 4, 1997 2-1 DG-1061

Each of these principles should be considered in the risk-informed, integrated decisionmaking process, as illustrated in Figure 1 below.

Figure 1. Principles of Risk-Informed Regulation

The staff's proposed evaluation approach and acceptance guidelines follow from these principles. In implementing these principles, the staff expects that:

  • All safety impacts of the proposed change are evaluated in an integrated manner as part of an overall risk management approach in which the licensee is using risk analysis to improve operational and engineering decisions broadly and not just to eliminate requirements the licensee sees as undesirable. The approach used to identify changes in requirements should be used to identify areas where requirements should be increased,² as well as where they could be reduced.

  • The acceptability of proposed changes should be evaluated by the licensee in an integrated fashion that ensures that all principles are met.³

  • Core damage frequency (CDF) and large early release frequency (LERF)⁴ can be used as suitable metrics for making risk-informed regulatory decisions.

  • Increases in estimated CDF and LERF resulting from proposed CLB changes will be limited to small increments.

  • The scope and quality of the engineering analyses (including traditional and probabilistic analyses) conducted to justify the proposed CLB change should be appropriate for the nature and scope of the change and should be based on the as-built and as-operated and maintained plant.⁵

  • Appropriate consideration of uncertainty is given in analyses and interpretation of findings.

  • The plant-specific PRA supporting licensee proposals has been subjected to quality controls such as an independent peer review.⁶

  • Data, methods, and assessment criteria used to support regulatory decisionmaking must be scrutable and available for public review.

2.2 A Four-Element Approach to Integrated Decisionmaking

Given the principles of risk-informed decisionmaking discussed above, the staff has identified a four-element approach to evaluating proposed CLB changes. This approach, which is presented graphically in Figure 2, acceptably supports the NRC's decisionmaking process. This approach is not sequential in nature; rather it is iterative.

² The staff is aware of, but does not endorse here, guidelines which have been developed (e.g., by NEI/NUMARC in NUMARC 91-04) (Ref. 7) to assist in identifying potentially beneficial changes to requirements.

³ One important element of integrated decisionmaking can be the use of an "expert panel." Such a panel is not a necessary component of risk-informed decisionmaking, but when it is used, the key principles and associated decision criteria presented in this regulatory guide still apply and must be shown to have been met or to be irrelevant to the issue at hand.

⁴ In this context, LERF is being used as a surrogate for the early fatality QHO. It is defined as the frequency of those accidents leading to significant, unmitigated releases from containment in a time frame prior to effective evacuation of the close-in population such that there is a potential for early health effects. Such accidents generally include unscrubbed releases associated with early containment failure at or shortly after vessel breach, containment bypass events, and loss of containment isolation. This definition is consistent with accident analysis used in the safety goal screening criteria discussed in the Commission's Regulatory Analysis Guidelines.

⁵ Draft NUREG-1602 provides supplemental information on PRA attributes.

⁶ As discussed in Section 2.4.2 below, such a peer review is not a replacement for NRC review.

Figure 2. Principal Elements of Risk-Informed, Plant-Specific Decisionmaking

2.3 Element 1: Define the Proposed Change

Element 1 involves three primary activities. First, the licensee should identify those aspects of the plant's licensing bases that may be affected by the proposed change, including, but not limited to, rules and regulations, final safety analysis report (FSAR), technical specifications, licensing conditions, and licensing commitments. Second, the licensee should identify all SSCs, procedures, and activities that are covered by the CLB change under evaluation and consider the original reasons for inclusion of each program requirement.

When considering CLB changes, a licensee may identify regulatory requirements or commitments in its licensing bases that it believes are overly restrictive or unnecessary to ensure safety at its plant. Note that the corollary is also true; that is, licensees are expected also to identify possible cases where design and operational aspects of the plant should be enhanced consistent with an improved understanding of their safety significance. Such enhancements should be embodied in appropriate CLB changes which reflect these enhancements. With this staff expectation in mind, the licensee should, third, identify available engineering studies, methods, codes, applicable plant-specific and industry data and operational experience, PRA findings, and research and analysis results relevant to the proposed CLB change. With particular regard to the plant-specific PRA, the licensee should assess the capability to use, refine, augment, and update system models as needed to support a risk assessment of the proposed CLB change.

The above information should be used collectively to provide a description of the CLB change and to outline the method of analysis. The licensee should describe the proposed change and how it meets the objectives of the Commission's PRA Policy Statement, including enhanced decisionmaking, more efficient use of resources, and reduction of unnecessary burden. In addition to improvements in reactor safety, this assessment may consider benefits from the CLB change such as reduced fiscal and personnel resources and radiation exposure. In addition, the licensee should affirm that the proposed CLB change meets the current regulations, unless the proposed change is explicitly related to a proposed exemption or rule change (i.e., a 50.12 "specific exemption" or a 2.802 "petition for rulemaking").

2.4 Element 2: Perform Engineering Analysis

As part of the second element, the licensee will evaluate the proposed CLB change with regard to the principles that adequate defense-in-depth is maintained, that sufficient safety margins are maintained, and that proposed increases in risk, and their cumulative effect, are small and do not cause the NRC Safety Goals to be exceeded.

The staff expects that the scope and quality of the engineering analyses conducted to justify the proposed CLB change will be appropriate for the nature and scope of the change. The staff also expects that appropriate consideration will be given to uncertainty in the analysis and interpretation of findings. The licensee is expected to use its judgment, drawing from the appropriate technical disciplines for the CLB change being considered, of the complexity and difficulty of implications of the proposed CLB change to decide upon adequate engineering analyses to support regulatory decisionmaking. Thus, the licensee should consider the appropriateness of qualitative and quantitative analyses, as well as analyses using traditional engineering approaches and those techniques associated with the use of PRA findings. Regardless of the analysis methods chosen, the licensee must show that the principles set forth in Section 2.1 have been met through the use of scrutable acceptance guidelines established for making that determination.

Some proposed CLB changes can be characterized as involving the categorization of SSCs according to safety significance. An example is grading the application of quality assurance controls commensurate with the safety significance of equipment. The licensee's analyses of the impact of the proposed CLB change should address each of the key principles of risk-informed regulation (discussed previously in Section 2.1 of this regulatory guide). Like other applications, the staff's review of CLB change requests for applications involving safety categorization will be according to the acceptance guidelines which are associated with each key principle and which are presented in this regulatory guide (see Sections 2.4.1, 2.4.2, and 2.5), unless equivalent guidelines are proposed by the licensee. Since risk importance measures are often used in such categorizations, guidance on their use is provided in Appendix A of this regulatory guide. For such CLB changes, guidelines associated with the adequacy of programs (in this example, quality controls) implemented for different safety significant categories (e.g., more safety significant and less safety significant) are addressed in other application-specific regulations and guidance documents. Licensees are encouraged to apply risk-informed findings and insights to decisions (and potential CLB requests) associated with what are appropriate, for instance, test methods, surveillance intervals, or quality controls.

2.4.1 Evaluation of Defense-in-Depth Attributes & Safety Margins

One aspect of the engineering evaluations is to show that the fundamental safety principles on which the plant design was based are not compromised. Design basis accidents (DBAs) play a central role in nuclear power plant design. DBAs are a combination of postulated challenges and failure events against which plants are designed to ensure adequate and safe plant response. During the design process, plant response and associated safety margins are evaluated using assumptions which are intended to be conservative. National standards and other considerations such as defense-in-depth attributes and the single failure criterion constitute additional engineering considerations that influence plant design and operation. Margins and defenses associated with these considerations may be affected by the licensee's proposed CLB change and, therefore, should be reevaluated to support a requested CLB change. As part of this evaluation, the impact of the proposed CLB change on affected equipment functionality, reliability, and availability should be determined.

2.4.1.1 Defense-in-Depth

The engineering evaluation conducted should evaluate whether the impact of the proposed CLB change (individually and cumulatively) is consistent with the principle that defense-in-depth is maintained. In this regard, the intent of the principle is to assure that the philosophy of defense-in-depth is maintained, not to prevent changes in the way defense-in-depth is achieved. The defense-in-depth philosophy has traditionally been applied in reactor design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It has been and continues to be an effective way to account for uncertainties in equipment and human performance. Where a comprehensive risk analysis can be done, it can be used to help determine the appropriate extent of defense-in-depth (e.g., balance among core damage prevention, containment failure and consequence mitigation) to ensure protection of public health and safety. Where a comprehensive risk analysis is not or cannot be done, traditional defense-in-depth considerations should be used or maintained to account for uncertainties. The evaluation should consider the intent of the general design criteria, national standards, and engineering principles such as the single failure criterion. Further, the evaluation should consider the impact of the proposed CLB change on barriers (both preventive and mitigative) to core damage, containment failure or bypass, and the balance among defense-in-depth attributes. As stated earlier, the licensee should select the engineering analysis techniques, whether quantitative or qualitative and traditional or probabilistic, appropriate to the proposed CLB change.

The licensee should assess whether the proposed CLB change meets the defense-in-depth principle. Defense-in-depth consists of a number of elements, as summarized below. These elements can be used as guidelines for making that assessment. Other equivalent acceptance guidelines may also be used.

  • Defense-in-depth is maintained
      - a reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved
      - over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided
      - system redundancy, independence, and diversity are preserved commensurate with the expected frequency and consequences of challenges to the system (e.g., no risk outliers)
      - defenses against potential common cause failures are preserved and the potential for introduction of new common cause failure mechanisms is assessed
      - independence of barriers is not degraded
      - defenses against human errors are preserved

2.4.1.2 Safety Margins

The engineering evaluation conducted should assess whether the impact of the proposed CLB change is consistent with the principle that sufficient safety margins are maintained. Here also, the licensee is expected to choose the method of engineering analysis appropriate for evaluating whether sufficient safety margins would be maintained if the proposed CLB change were implemented. An acceptable set of guidelines for making that assessment are summarized below. Other equivalent acceptance guidelines may also be used.

  • Sufficient safety margins are maintained
      - codes and standards or alternatives approved for use by the NRC are met
      - safety analysis acceptance criteria in the current licensing basis (e.g., FSAR, supporting analyses) are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainty

Application-specific guidelines reflecting this general guidance may be found in the application-specific regulatory guides.

2.4.2 Evaluation of Risk Impact, Including Treatment of Uncertainties

As noted in Section 2.1, the licensee's risk assessment should be used to address the principle that proposed increases in risk, and their cumulative effect, are small and do not cause the NRC Safety Goals to be exceeded. For purposes of implementation, the licensee should assess the expected change in core damage frequency (CDF) and large early release frequency (LERF). The necessary sophistication of the evaluation, including the scope of the PRA (e.g., internal events only, full power only), depends on the contribution the risk assessment makes to the integrated decision-making, which depends to some extent on the magnitude of the potential risk impact. For some CLB changes for which a more substantial impact is possible, an in-depth and comprehensive PRA analysis of appropriate scope to derive a quantified estimate of the total impact of a proposed CLB change will be necessary to provide adequate justification. In other applications, calculated risk importance measures or bounding estimates will be adequate. In still others, a qualitative assessment of the impact of the CLB change on the plant's risk may be sufficient. The PRA performed should realistically reflect the actual design, construction, and operational practices. Consequently, the PRA used to support risk-informed decisionmaking is expected to reflect the impact of previous changes made to the CLB.

The remainder of this section discusses the use of quantitative PRA results in decisionmaking. One of the strengths of the PRA framework is its ability to provide a means of determining the impact of analytical uncertainty, and it is essential that these uncertainties be recognized when assessing whether the principles are being met. To provide a vehicle for consistency between submittals and the review of those submittals, the following guidelines on how to address uncertainty in the decisionmaking process are provided. The first step is the definition of a set of quantitative acceptance guidelines. Then the role of uncertainty analysis in decisionmaking is discussed. The staff's decision on the proposed license amendment will be based on its independent judgment and review, as appropriate, of the entire application.

2.4.2.1 Acceptance Guidelines

The risk acceptance guidelines presented in this regulatory guide are based on the principles and expectations for risk-informed regulation discussed in Section 2.1. For the purposes of establishing guidelines for risk-informed decisionmaking, a core damage frequency (CDF) guideline of 1E-4 per reactor year (annual average of CDF) has been adopted in this regulatory guide (with additional management attention for the 1E-5 to 1E-4 per reactor year range). A large early release frequency (LERF) of 1E-5 per reactor year (annual average of LERF) has been adopted as a containment performance guideline (with additional management attention for the 1E-5 to 1E-6 per reactor year range). These guidelines are intended for comparison with a full scope PRA (including internal events, external events, full power, low power and shutdown). However, it is recognized that many PRAs are not full scope and the use of less than full scope PRA information may be acceptable as discussed in Section 2.4.2.2 of this regulatory guide.

The acceptance guidelines have the following elements.

  • For a plant with a mean core damage frequency at or above 1E-4 per reactor year (the Commission's subsidiary core damage frequency objective) or with a mean LERF at or above 1E-5 per reactor year, it is expected that applications will result in a net decrease in risk or be risk neutral.

  • For a plant with a mean core damage frequency of less than 1E-4 per reactor year, applications will be considered which, when combined with the LERF guidelines described below:
    - Result in a net decrease in CDF or are CDF-neutral;
    - Result in increases in calculated CDF that are very small (e.g., CDF increase of less than 1E-6 per reactor year); or
    - Result in an increase in calculated CDF in the range of 1E-6 to 1E-5 per reactor year, subject to increased NRC technical and management review and considering the following factors:
      - The scope, quality, and robustness of the analysis (including, but not limited to, the PRA), including consideration and e J5=:on of uncertainties;
      - The base CDF and LERF of the plant;
      - The cumulative impact of previous changes (the licensee's risk management approach);
      - Consideration of the Safety Goal screening criteria in the staff's Regulatory Analysis Guidelines, which define what changes in CDF and containment performance would be needed to consider potential backfits;
      - The impact of the proposed change on operational complexity, burden on the operating staff, and overall safety practices; and
      - Plant-specific performance and other factors, including, for example, siting factors, inspection findings, performance indicators, and operational events.

AND

  • For a plant with a mean LERF of between 1E-6 and 1E-5 per reactor year:
    - Result in a net decrease in LERF or are LERF-neutral;
    - Result in an increase in calculated LERF of up to 1E-6 per reactor year, subject to increased NRC technical and management review, as described above;

OR

  • For a plant with a mean LERF of less than 1E-6 per reactor year:
    - Result in a net decrease in LERF or are LERF-neutral;
    - Result in increases in calculated LERF that are very small (e.g., LERF increase of less than 1E-7 per reactor year); or
    - Result in an increase in calculated LERF of up to 1E-6 per reactor year, subject to increased NRC technical and management review, as described above.

The rigor of analyses needed to support the different types of applications is discussed in Section 2.4.2.2 below.

2.4.2.2 Comparison of PRA Results with the Acceptance Guidelines

In comparing estimates of plant risk (i.e., calculated plant CDF and LERF) and changes in these metrics as a result of CLB changes with the acceptance guidelines, it is necessary to take into account the uncertainties in the analysis. This section provides guidance on the comparison of the PRA results with the acceptance guidelines with particular reference to the role of uncertainty analysis.

Types of Uncertainty and Methods of Analysis

Because they are generally characterized and treated differently, it is useful to identify three classes of uncertainty: parameter uncertainty, model uncertainty, and completeness uncertainty.

Parameter Uncertainty

Parameter uncertainties are those associated with the values of the fundamental parameters of the PRA model, such as equipment failure rates, initiating event frequencies, and human error probabilities that are used in the quantification of the accident sequence frequencies. They are typically characterized by establishing probability distributions on the parameter values. It is straightforward and within the capability of most PRA codes to propagate the distribution representing uncertainty on the basic parameter values to generate a probability distribution on the results (CDF, accident sequence frequencies, etc.) of the PRA. This is in fact the only practical way of generating a mean value of the CDF. However, the analysis must be done carefully to correlate the sample values for different components from a group to which the same parameter value applies (the so-called state of knowledge dependency).

Parameter uncertainties can be explicitly represented and propagated through the PRA model, and probability distributions of the relevant metrics (i.e., CDF and ΔCDF, and LERF and ΔLERF) can be generated. Various measures of central tendency, such as the mean, median and mode, can be evaluated. In principle, the distributions can be used to assess the confidence with which the guidelines are met. However, it is also instructive to study the contributors to see whether it can be determined whether the tails of the distributions are being determined by uncertainties on a few significant elements of the model. If so, these elements can be identified as candidates for compensatory measures and/or monitoring during integrated decisionmaking.

Model Uncertainty

There are also uncertainties as to how to model certain elements of the PRA. Model uncertainty may be analyzed in different ways. It is possible to include some model uncertainty by incorporating within the PRA model a discrete probability distribution over a set of models for a particular issue. This has been done for the modeling of seismic hazard, for example, where the result is a discrete probability distribution on the frequencies of earthquakes. This uncertainty can then be propagated in the same way as the parameter uncertainties. Other methods are also available. For most level 1 PRAs, there are few model uncertainties explicitly represented in the model structure.
Instead, where it is necessary to address issues that are uncertain, e.g., success criteria, it is more usual for the analysts to adopt a specific assumption or modeling approach. Thus the effect of model uncertainties is generally to introduce some type of bias into the results. There are significant model uncertainties in level 2 PRAs, particularly in the modeling of the phenomenology of accident progression and the mechanisms for the release of fission products. Again, some uncertainties are addressed by making specific assumptions. However, others may be incorporated in the level 2 analysis by, for example, including within the structure of the containment event trees a set of possible outcomes for the uncertain issues. NUREG-1150 (Ref. 8) provides examples of an attempt to characterize the full impact of the uncertainty. In many PRAs, however, the conditional containment probabilities or large early release fractions represent an average over these outcomes.

It is often instructive to understand the impact of a specific assumption on the predictions of the model. The impact of using alternate assumptions or models may be addressed by performing appropriate sensitivity studies, or they may be addressed using qualitative arguments.

Completeness Uncertainty

Completeness is not in itself an uncertainty, but a reflection of scope limitations. The result is, however, an uncertainty about where the true risk lies. The problem with completeness uncertainty is that, because it reflects an unanalyzed contribution, it is difficult (if not impossible) to estimate its magnitude. Thus, for example, the impact on actual plant risk from unanalyzed issues such as the influences of organizational performance cannot now be explicitly assessed.

The issue of completeness of scope of a PRA can be addressed by either supplem ; additional analysis to enlarge the scope, using more restrictive acceptance guidelines, or arguments that, for the application of concern, the out-of-scope contributors are not signil

approaches to dealing with incompleteness are discussed in the next section.
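The state-of-knowledge dependency noted under Parameter Uncertainty above can be seen numerically in a small Monte Carlo propagation. The following is an added example, not part of the draft guide: the two-valve cut set, the lognormal distributions, their medians and error factors, and the 1E-7 per year comparison value are all constructed for illustration, and the error factor is assumed to be the ratio of the 95th percentile to the median.

```python
"""Parameter-uncertainty propagation for one constructed cut set.

Cut-set frequency = IE * P(valve A fails) * P(valve B fails), where A and B
are nominally identical valves whose failure probability is estimated from
the same data. All numbers below are constructed for illustration.
"""
import math
import random
import statistics

Z95 = 1.645  # 95th percentile of the standard normal (assumed EF convention)

# Constructed inputs: (median, error factor)
IE = (1e-2, 3.0)      # initiating event frequency, per reactor year
VALVE = (1e-3, 3.0)   # failure probability per demand, shared by both valves


def sigma(error_factor):
    """Log-space standard deviation of a lognormal with EF = p95 / median."""
    return math.log(error_factor) / Z95


def draw(rng, dist):
    """One sample from the lognormal described by (median, error factor)."""
    median, ef = dist
    return median * math.exp(rng.gauss(0.0, sigma(ef)))


def propagate(n, correlated, seed=1997):
    """Return n sampled cut-set frequencies.

    correlated=True  : one draw of the valve parameter is used for both valves
                       (state-of-knowledge dependency respected).
    correlated=False : each valve gets its own draw, which treats a single
                       uncertain parameter as two unrelated ones.
    """
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        ie = draw(rng, IE)
        p_a = draw(rng, VALVE)
        p_b = p_a if correlated else draw(rng, VALVE)
        samples.append(ie * p_a * p_b)
    return samples


def analytic_mean(correlated):
    """Closed-form mean of the cut-set frequency, to check the sampling."""
    s_ie, s_p = sigma(IE[1]), sigma(VALVE[1])
    mean_ie = IE[0] * math.exp(s_ie ** 2 / 2)
    if correlated:
        e_pp = VALVE[0] ** 2 * math.exp(2 * s_p ** 2)   # E[p^2]
    else:
        e_pp = VALVE[0] ** 2 * math.exp(s_p ** 2)       # E[p]^2
    return mean_ie * e_pp


def confidence_below(samples, value):
    """Fraction of samples below a comparison value."""
    return sum(1 for x in samples if x < value) / len(samples)


def summarize(n=100_000, value=1e-7):
    """Mean, median and confidence for both sampling schemes."""
    out = {}
    for label, corr in (("correlated", True), ("independent", False)):
        s = propagate(n, corr)
        out[label] = {
            "mean": statistics.fmean(s),
            "median": statistics.median(s),
            "analytic_mean": analytic_mean(corr),
            "confidence": confidence_below(s, value),
        }
    return out


if __name__ == "__main__":
    for label, r in summarize().items():
        print(f"{label:12s} mean={r['mean']:.2e} "
              f"(analytic {r['analytic_mean']:.2e}) "
              f"median={r['median']:.2e} P(<1E-7)={r['confidence']:.3f}")
```

With these constructed inputs the two schemes give the same median, but the correlated mean is larger by the factor exp(sigma^2), about 1.56, and the confidence of falling below the comparison value is lower. A mean-value comparison against a guideline therefore depends on whether this correlation was applied.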

Comparisons with Acceptance Guidelines

The purpose of this section is to provide guidance on how to compare the results of the PRA with the acceptance guidelines described in Section 2.4.2.1. In the context of decisionmaking, the acceptance guidelines should not be interpreted as being overly prescriptive. They are intended to provide an indication, in numerical terms, of what is considered acceptable. As such, the numerical guidelines described in this regulatory guide are approximate values that provide an indication of the changes that are acceptable. Furthermore, the epistemic uncertainties associated with PRA calculations preclude a definitive decision of acceptability or unacceptability based purely on the numerical results. The intent in making the comparison of the PRA results with the acceptance guidelines is to demonstrate with reasonable assurance that Principle 4, discussed in Section 2.1, is being met. This decision must be made based on a full understanding of the impacts of the uncertainties, both those that are explicitly accounted for in the results and those that are not. This is a somewhat subjective process, and the reasoning behind the decisions must be well documented.

The three types of uncertainty can be addressed as follows to demonstrate reasonable assurance: 1) those uncertainties that are explicitly quantified in the model (parameter uncertainties and some model uncertainties) do not produce a probability distribution on the estimated value of CDF or LERF that results in a low level of confidence that the goal is met; 2) the adoption of specific modeling does not overly bias the results in favor of the change and alternate, but reasonable, modeling assumptions would not alter the decision (model uncertainty); and, 3) the contributors to risk that are not modeled would not alter the decision significantly (completeness uncertainty). The discussion presented here addresses quantitative analyses of uncertainties; qualitative arguments may be appropriate for specific CLB changes.

The level of detail required in the analysis of uncertainty will depend on the CLB change being considered, the base case estimates of CDF or LERF, and the potential impact of the change on those metrics. The closer the base case estimates and the estimates of the impact of the change are to their corresponding acceptance guidelines, the more detail will be required. In contrast, if, as an example, the estimated change in a particular metric is very small compared to the acceptance goal, a simple bounding analysis or even a qualitative analysis may suffice.

Changes resulting in a net decrease in the CDF and LERF estimates are allowed irrespective of the calculated baseline CDF and LERF. Generally, it should be possible to argue on the basis of an understanding of the contributors and the changes that are being made that the overall impact is indeed a decrease, without the need for a detailed uncertainty analysis.

In the initial comparison of the PRA results to the acceptance guidelines, the appropriate numerical measures to use are mean values. In general, if the change is such that it would result in either the point estimate or mean value of the CDF or LERF or the corresponding increase (ΔCDF or ΔLERF) exceeding its guideline, the change will not be approved unless, for example, it is shown that there are unquantified benefits that are not reflected in the quantitative risk results. In addition, if convincing qualitative arguments are made that the analysis is conservative, or compensatory measures are proposed to counter the impact of the major risk contributors, even though the impact of these measures may not be estimated numerically, then such arguments will be considered in the decision process. Finally, changes which result in very small increases in the estimates of CDF or LERF might be allowable even for plants for which the base case approaches the guidelines, but again, only if additional qualitative arguments can be made as discussed above.

If the mean value of a measure were to lie near the corresponding guideline, a full parametric uncertainty analysis will allow an assessment of the confidence with which the guideline is met. Because of the nature of PRA analyses, it is not reasonable to be so prescriptive about the acceptable level of confidence; changes could still be allowed when lower levels of confidence are calculated when, as discussed above, convincing qualitative arguments that the true values are less than the calculated values can be brought to bear. Such arguments can only be made with a full understanding of the contributors to uncertainty.

While the analysis of parametric uncertainty is fairly mature, the analysis of the model and completeness uncertainties cannot be handled in such a formal manner. Whether the PRA is full scope or only partial scope, it will be incumbent on the licensee to demonstrate that the choice of reasonable alternate hypotheses or modeling approximations or methods to those adopted in the PRA model would not significantly change the assessment.
The alternates that would drive the result towards unacceptability should be identified and reasons given as to why they are not appropriate for the current application or for the particular plant. Alternatively, this analysis can be used to identify candidates for compensatory actions or increased monitoring. The licensee should concentrate its attention on those assumptions which impact the parts of the model being exercised by the change.

When the PRA is not full scope, then it is necessary for the licensee to address the significance of the out-of-scope items. The importance of assessing the contribution of the out-of-scope portions of the PRA to the base case estimates of CDF and LERF is related to the margin between the as-calculated values and the acceptance guidelines. When the contributions from the modeled contributors are close to the guidelines, the argument that the contribution from the missing items is not significant must be convincing, and in some cases may require additional PRA analyses. When the margin is significant, a qualitative argument may be sufficient. The contribution of the out-of-scope portions of the model to the change in metric may be addressed by bounding analyses, detailed analyses, or by a demonstration that the change has no impact on the unmodeled contributors. In addition, it should also be demonstrated that changes based on a partial PRA do not disproportionally change the risk associated with those accident sequences that arise from the modes of operation not included in the PRA.

If just a level 1 PRA is available, in general only the CDF is calculated and not the LERF. An approach is presented in Appendix B to this regulatory guide which allows a subset of the core damage accidents identified in the Level 1 analysis to be allocated to a release category that is equivalent to a LERF. The approach uses simplified event trees that can be quantified by the licensee on the basis of the plant configuration applicable to each accident sequence in the Level 1 analysis. The frequency derived from these event trees can be compared to the LERF acceptance guidelines. The guidance in Appendix B may be used to estimate LERF in only those cases when the plant is not close to the CDF and LERF benchmark values.

2.4.3 Integrated Decision-Making

The results of the different elements of the engineering analysis discussed in Sections 2.4.1 and 2.4.2 must be considered in an integrated manner. None of the individual analyses is sufficient in and of itself. In this way, it can be seen that the decision is not driven solely by the numerical results of the PRA. They are one input into the decisionmaking and help in building up an overall picture of the implications of the proposed change on risk. The PRA has an important role in putting the change into its proper context as it impacts the plant as a whole.

2.5 Element 3: Define Implementation and Monitoring Program

Careful consideration should be given to implementation and performance-monitoring strategies. The primary goal for this element is to assess SSC performance under the proposed CLB change by establishing performance-monitoring strategies to confirm the assumptions and analyses that were conducted to justify the CLB change. The implementation of the regulatory changes should ensure that no =T+n+1 adverse safety degradation occurs because of the changes. Based on the findings of the engineering evaluations conducted to examine the impact of the proposed changes, an implementation plan should be developed to ensure that any unexpected problems and deficiencies are detected and corrected prior to becoming a significant safety problem. Further details of an acceptable process for implementation in specific application areas are discussed in the application-specific guides.

Decisions concerning implementation of changes should be made in light of the uncertainty associated with the results of the traditional and probabilistic engineering evaluations. Broad implementation within a limited time period may be justified when uncertainty is shown to be low (data and models are adequate, engineering evaluations are verified and validated, etc.), whereas a slower, phased approach to implementation (or other modes of partial implementation) would be expected when uncertainty in evaluation findings is higher. In applications where programmatic changes are being made which potentially impact SSCs across a wide spectrum of the plant, such as in IST, ISI and graded QA, the potential introduction of common cause effects must be fully considered and included in the submittal. In such situations, a carefully planned approach to the selected mode of implementation should be identified and justified.

A monitoring program, utilizing appropriate performance-based feedback criteria, is an important element of many risk-informed application approaches. This performance-based approach should have the following attributes: there are measurable parameters to monitor plant performance; objective criteria are established to assess performance based on a combination of risk insights, traditional engineering analysis, and performance history; and parameters are selected for monitoring such that, if-eW they will provide early indication of problems prior to being a safety concern.


Specifically, the proposed monitoring program should establish a means to adequately track the performance of equipment covered by the proposed licensing changes. The program should be capable of trending equipment performance after a change has been implemented to demonstrate that performance is consistent with that predicted by the traditional engineering and probabilistic analyses that were conducted to justify the change. It is desirable that definitive and quantitative performance criteria be established which are consistent with analysis assumptions and %+3-dons in such areas as SSC functionality and reliability/availability. The monitoring plan should be structured such that performance degradation is detected and corrected before plant safety can be compromised. The potential impact of observed SSC degradation on similar components in different systems throughout the plant should be considered.

Monitoring that is performed as part of the Maintenance Rule implementation can be used in cases where the SSCs affected by the application are also covered under the Maintenance Rule. In these cases, the performance criteria chosen should be shown to be appropriate for the application in question. It should be noted that plant or licensee performance under actual design conditions may not be readily measurable. In cases where actual conditions cannot be monitored or measured, an approach should be implemented by striving to use whatever information most closely approximates actual performance data. For example, a hierarchy for establishing a monitoring program with a performance-based feedback approach may consist of a combination of the following:

1. Monitoring performance characteristics under actual design bases conditions (e.g., reviewing actual demands on EDGs, reviewing operating experience)
2. Monitoring performance characteristics under test conditions that are similar to those expected during a design basis event (e.g., monthly EDG testing)
3. Monitoring and trending performance characteristics to verify aspects of the underlying analysis, research, or bases for a requirement (e.g., measuring battery voltage and specific gravity, inservice inspection of piping)
4. Evaluating licensee performance during training scenarios (e.g., emergency planning exercises, operator licensing examinations)
5. Component quality controls including developing pre- and post-component installation evaluations (e.g., environmental qualification inspections, RPS channel checks, continuity testing of BWR squib valves)
6. Establishing performance-based elements (e.g., monitoring, measurement) where actual performance-based measurements may be impractical (i.e., performance-based elements of a QA program observing activities vs. reviewing programs)

As part of the monitoring program, it is important that provisions for specific cause determination and corrective actions be included in cases when performance falls below expected levels. Cause determination is needed when a performance criterion is not being met or when there is a functional failure of an application-specific SSC, even if performance criteria are met. The cause determination should identify the cause of the failure or degraded performance, and whether the failure or degraded performance was a result of the application. It should address failure significance, the circumstances surrounding the failure or degraded performance, the characteristics of the failure, and whether the failure is isolated or has generic or common cause implications (as defined in NUREG/CR-4780, Ref. 9).

Finally, the monitoring program should identify any corrective actions to preclude recurrence of unacceptable failures or degraded performance below expectations. The circumstances surrounding the failure may indicate that the SSC failed because of adverse or harsh operating conditions (e.g., operating a valve dry, over-pressurization of a system) or failure of another component which caused the SSC failure. Therefore, corrective actions should also consider SSCs with similar characteristics with regard to operational, design, or maintenance conditions. It is expected that upon initial approval of the proposed monitoring program, subsequent NRC oversight will focus on evaluating performance results rather than on a programmatic review.

2.6 Element 4: Submit Proposed Change

Requests for proposed change to the plant's CLB typically take the form of requests for license amendment (including changes to or removal of license conditions), technical changes, changes to or withdrawals of orders, and changes to programs pursuant to 10 CFR 50.54 (e.g., QA program changes under 10 CFR 50.54(a)). Licensees should: (i) carefully review the proposed CLB change in order to determine the appropriate form of the change request; (ii) assure that information required by the relevant regulation(s) in support of the request is developed; and (iii) prepare and submit the request in accordance with relevant procedural requirements. For example, license amendments should meet the requirements of 10 CFR §§50.90, 50.91 and 50.92, as well as the procedural requirements in 10 CFR §50.4. Where the licensee submits risk information in support of the CLB change request, that information should meet the guidance in Section 3 of this regulatory guide.

Licensees are free to decide whether to submit risk information in support of their CLB change request. Where the licensee's proposed change to the CLB is consistent with currently-approved staff positions, the staff's determination will be based solely on traditional deterministic engineering analysis without recourse to risk information (although the staff may consider any risk information which is submitted by the licensee). However, where the licensee's proposed change goes beyond currently-approved staff positions, the staff will normally consider both information based upon traditional deterministic engineering analysis as well as information based upon risk insights. If the licensee does not submit risk information in support of a CLB change which goes beyond currently-approved staff positions, the staff may request the licensee to submit such information. Such an information request is not a backfit under 10 CFR 50.109. If the licensee chooses not to provide the risk information, the staff will review the proposed application using deterministic engineering analysis and determine whether sufficient information has been provided to support the requested change.

In developing the risk information set forth in this regulatory guide, licensees will likely identify SSCs with high risk significance which are not currently subject to regulatory requirements, or are subject to a level of regulation which is not commensurate with their risk significance. It is expected that licensees will propose CLB changes that will subject these SSCs to appropriate level of regulation, consistent with the risk significance of each SSC. Specific information on the staff's expectations are set forth in the application-specific regulatory guides.

2.7 Quality Assurance

As stated in Section 2.4, the staff expects that the quality of the engineering analyses conducted to justify proposed CLB changes will be appropriate for the nature of the change. In this regard, it is expected that for traditional engineering analyses (e.g., deterministic engineering calculations) existing provisions for quality assurance (e.g., 10 CFR 50, Appendix B for safety-related SSCs) will apply and provide the appropriate quality needed. Likewise, when a risk assessment of the plant is used to provide insights into the decisionmaking process, the staff expects that the PRA will have been subject to quality control.


To the extent that a licensee elects to use PRA information to enhance or modify activities affecting the safety-related functions of SSCs, the following, in conjunction with the other guidance contained in this guide, describe an acceptable way to ensure that the pertinent quality assurance requirements of 10 CFR 50, Appendix B are met and that the PRA is of sufficient quality to be used for regulatory decisions:

  • utilize personnel qualified for the analysis
  • utilize procedures that ensure control of documentation, including revisions, and provide for independent review, verification or checking of calculations and information used in the analyses (an independent peer review can be used as an important element in this process)
  • provide documentation and maintain records in accordance with the guidelines in Section 3 of this guide
  • provide for an independent audit function to verify quality (an independent peer review can be used for this purpose)
  • utilize procedures that ensure appropriate attention and corrective actions are taken if analyses or information used in previous decision making is determined to be in error.

Where performance monitoring programs are used in the implementation of proposed change to the CLB, it is expected that those programs will be implemented utilizing quality provisions commensurate with the safety significance of affected SSCs. An existing PRA or analyses can be utilized to support a proposed CLB change, provided it can be shown that the appropriate quality provisions have been met.


3. DOCUMENTATION AND SUBMITTAL

3.1 Introduction

To permit the staff's audit to ensure that the analyses conducted were sufficient to conclude that the key principles of risk-informed regulation have been met, documentation of the evaluation process and findings are expected to be maintained. Additionally, information submitted should include a description of the process used by the licensee to ensure quality and some specific information to support the staff's conclusion regarding the acceptability of the requested CLB change.

3.2 Documentation

Archival documentation should include a detailed description of engineering analyses conducted and the results obtained, irrespective of whether they were quantitative or qualitative, or whether the analyses made use of traditional engineering methods or probabilistic approaches. This documentation should be maintained by the licensee, as part of their normal quality assurance program, so that it is available for examination. Documentation of the analyses conducted to support changes to a plant's CLB should be maintained as lifetime quality records in accordance with Regulatory Guides 1.33 and 1.88 (Ref. 10 and 11, respectively). An example of typical PRA documentation is described in draft NUREG-1602.

3.3 Licensee Submittal

To support the staff's conclusion that the proposed CLB change is consistent with the key principles of risk-informed regulation and NRC staff expectations, the following information is expected to be submitted to the NRC:

  • a description of how the proposed change will impact the CLB (Relevant principle: CLB changes meet regulations.)
  • a description of the components and systems affected by the change, the types of changes proposed, the reason for the changes, and results and insights from an analysis of available data on equipment performance (Relevant staff expectation: All safety impacts of the proposed CLB change shall be evaluated.)
  • a tabulation of the current licensing basis accident parameters that are affected by the change and an assessment of the expected changes (Relevant principles: CLB changes meet the regulations; sufficient safety margins are maintained; defense-in-depth is maintained.)
  • a reevaluation of the licensing basis accident analysis and the provisions of 10 CFR Parts 20 and 100, if appropriate (Relevant principles: CLB changes meet the regulations; sufficient safety margins are maintained; defense-in-depth is maintained.)

March 31, 1997 3-1 DG-1061


  • an evaluation of the impact of the change in licensing bases on the breadth or depth of defense-in-depth attributes of the plant (Relevant principle: Defense-in-depth is maintained.)
  • identification of how and where the proposed change will be documented as part of the plant's licensing basis (e.g., FSAR, TS, licensing conditions). This should include proposed changes and/or enhancements to the regulatory controls for high risk significant SSCs which are not subject to any requirements, or where the requirements are not commensurate with the SSC's risk significance.
  • The licensee should also identify:
    - those key assumptions in the PRA, elements of the monitoring program, and commitments made to support the application
    - those SSCs for which requirements should be increased
    - a description of that information to be provided as part of the plant's licensing basis (e.g., PSAR, TS, licensing condition)

The licensee's submittal should discuss measures used to ensure adequate quality, such as a report that addresses the appropriateness of the PRA model for supporting a risk assessment of the CLB change under consideration. An independent peer review can be an important element of ensuring this quality. The report should address any analysis limitations that are expected to impact the conclusion regarding acceptability of the proposed change. The licensee's resolution of the findings of the peer review, when performed, should also be submitted. For example, this response could indicate whether the PRA was modified or any justification as to why no change was necessary to support decisionmaking for the CLB change under consideration. As discussed in Section 2.4.2, the staff's decision on the proposed license amendment will be based on its independent judgment and review, as appropriate, of the entire application.

In order to have confidence that the risk assessment conducted is adequate to support the conclusion that there is no more than an insignificant increase in risk to health and safety of the public, a summary of the risk assessment methods used should be submitted. Consistent with current practice, information submitted to the NRC for its consideration in making risk-informed regulatory decisions will be made publicly available, unless such information is deemed proprietary and justified as such. The following information should be submitted and is intended to illustrate that the scope and quality of the engineering analyses conducted to justify the proposed CLB change is appropriate to the nature and scope of the change:

  • a description of risk assessment methods used
  • the key modeling assumptions
  • the success criteria and the basis for each
  • a list of initiators considered and their frequencies, as well as the basis for excluding any initiators from the risk assessment


  • a listing of systems and components addressed in the risk assessment, the failures considered for each and the basis for excluding failures, and the dependencies between systems and components
  • the event trees and fault trees as necessary to support the analysis
  • a list of operator actions modeled in the PRA (and the basis for =~W operator actions) and their error probabilities
  • a list describing all events included in the risk assessment

Submitted information summarizing the results of the risk assessment should include:

  • a description of dominant mm==


  • an estimate of total plant CDF (including a qualitative or quantitative assessment of uncertainty) before and after implementing the proposed CLB change
  • an estimate of containment performance as described by plant damage states and the frequencies of the high and low consequence categories (if a simplified Level 2 PRA analysis was performed such as is described in Appendix B to this regulatory guide); or frequencies of accident progression pathways (including a qualitative or quantitative assessment of uncertainty), as grouped for source term calculations, if a full Level 2 PRA was conducted

  • the definition of source terms and an identification of their frequencies and =r* (including uncertainty) if full Level 2G PRA was performed
  • the frequencies of individual early and latent fatalities, if a full Level 2G analysis was performed

In addition, information that should be submitted as part of the l _=T*= for the specific CLB change includes:

  • a description of the analyses performed to assess the impact of the change on risk


  • an estimate of plant CDF and LERF and changes in those estimates if the proposed CLB change were implemented
  • an identification of all minimal cutsets affected by the change, any success criteria that are affected by the change, and any changes in dominant risk contributors


  • the results of analyses that show that the conclusions regarding the impact of the CLB change on plant risk will not vary significantly under a different set of assumptions. (See NUREG-1602 for a discussion of the uses and limitations of importance measures and sensitivity studies.)

The staff also expects licensees to track and consider the cumulative impact of all plant changes, including those not submitted for NRC review and approval.

3.4 Implementation Plan and Performance Monitoring Process

As described in Section 2.5 above, a key principle of risk-informed regulation is that proposed performance implementation and monitoring strategies reflect uncertainties in analysis models and data. Consequently, the submittal should include a description and rationale for the implementation and performance monitoring strategy for the proposed CLB change.

4. REFERENCES

1. Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement, U.S. Nuclear Regulatory Commission, 60 FR 42622
2. Use of PRA in Risk-Informed Applications, U.S. Nuclear Regulatory Commission, Draft NUREG-1602, February 1997
3. An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Testing, U.S. Nuclear Regulatory Commission, Draft Regulatory Guide DG-1062, February 1997
4. An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Inspection, U.S. Nuclear Regulatory Commission, Draft Regulatory Guide DG-1063, March 1997
5. An Approach for Plant-Specific, Risk-Informed Decisionmaking: Graded Quality Assurance, U.S. Nuclear Regulatory Commission, Draft Regulatory Guide DG-1064, February 1997
6. An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, U.S. Nuclear Regulatory Commission, Draft Regulatory Guide DG-1065, February 1997
7. Industry Guidelines for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, NUMARC 93-01 Rev. 1, January 1996
8. Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, December 1990
9. Procedures for Treating Common Cause Failures in Safety and Reliability Studies, NUREG/CR-4780, January 1989
10. Quality Assurance Program Requirements, U.S. Nuclear Regulatory Commission, Regulatory Guide 1.33, February 1978
11. Collection, Storage, and Maintenance of Nuclear Power Plant Quality Assurance Records, U.S. Nuclear Regulatory Commission, Regulatory Guide 1.88
12. PSA Applications Guide, D. True et al., EPRI TR-105396, August 1995


APPENDIX A: USE OF RISK IMPORTANCE MEASURES TO CATEGORIZE STRUCTURES, SYSTEMS, AND COMPONENTS WITH RESPECT TO SAFETY SIGNIFICANCE

Introduction

For several of the proposed applications of the risk-informed regulation process, one of the principal activities is the categorization of SSCs and human actions according to safety significance. The purpose of this Appendix is to discuss one way that this categorization may be performed to be consistent with principle 4 and the expectations discussed in Section 2.1.

Safety significance of an SSC can be thought of as being related to the role the SSC plays in preventing the occurrence of the undesired end state. Thus the position adopted in this regulatory guide is that all the SSCs and human actions considered when constructing the PRA model (including those that do not necessarily appear in the final quantified model, either because they have been screened initially, assumed to be inherently reliable, or have been truncated from the solution of the model) have the potential to be safety significant, since they play a role in preventing core damage.

In establishing the categorization, it is important to recognize the purpose behind the categorization, which is, generally, to sort the SSCs and human actions into groups: those for which some relaxation of requirements is proposed, and those for which no such change is proposed. It is the proposed application that is the motivation for the categorization, and it is the potential impact of the application on the particular SSCs and human actions and on the measures of risk which ultimately determines which of the SSCs and human actions must be regarded as safety-significant within the context of the application. This impact on overall risk must be evaluated in light of the principles and decision criteria identified in this draft guide.

Thus, the most appropriate way to address the categorization is through a requantification of the risk measures. However, the feasibility of performing such risk requantification has been questioned for those applications for which a method for the evaluation of the impact of the change on SSC unavailability is not available.

An acceptable alternative to requantification of risk is for the licensee to perform the categorization of the SSCs and human actions in an integrated manner, making use of an analytical technique, based on the use of PRA importance measures, as input. This appendix discusses the technical issues associated with the use of PRA importance measures. NUREG-1602 includes more detailed discussion of this subject.

Technical Issues Associated with the Use of Importance Measures

In the implementation of the Maintenance Rule and in industry guides for the risk-informed applications (for example, the PSA Applications Guide), the Fussell-Vesely Importance, Risk Reduction Worth, and Risk Achievement Worth are the most commonly identified measures in the relative risk ranking of SSCs.

However, in the use of importance measures for risk-informed applications, there are several issues that should be addressed. Most of the issues are related to technical problems which can be resolved by the use of sensitivity studies or by appropriate quantification techniques. These issues are discussed in detail in the sub-section below. In addition, there are two issues, namely a) that risk rankings apply only to individual contributions and not to combinations or sets of contributors, and b) that risk rankings are not necessarily related to the risk changes which result from those contributor changes, that the licensee should be aware of and should make sure that they have been addressed adequately. When performed and interpreted correctly, component-level importance measures can provide valuable input to the licensee.

Risk ranking results from a PRA can be affected by many factors, the most important being model assumptions and techniques (e.g., for modeling of human reliability or common cause failures), the data used, or the success criteria chosen. The licensee should therefore make sure that the PRA is of sufficient quality.

In addition to the use of a "quality" PRA, the robustness of categorization results should also be demonstrated for conditions and parameters that might not be addressed in the base PRA. Therefore, when importance measures are used to group components or human actions as low safety-significant contributors, the information to be provided to the analysts performing qualitative categorization should include sensitivity studies and/or other evaluations to demonstrate the sensitivity of the importance results to the important PRA modeling techniques, assumptions, and data. Issues that should be considered and addressed are listed below.

Truncation limit: The licensee should determine that the truncation limit has been set low enough so that the truncated set of minimal cutsets contain all the significant contributors and their logical combinations for the application in question and be low enough to capture at least 95 percent of the CDF. Depending on the PRA level of detail (module level, component level, or piece-part level), this may translate into a truncation limit from 1E-12 to 1E-8 per reactor year. In addition, the truncated set of minimal cutsets should be determined to contain the important application-specific contributors and their logical combinations.

Risk metrics: The licensee should ensure that risk in terms of both CDF and LERF is considered in the ranking process.

Completeness of risk model: The licensee should ensure that the PRA model is sufficiently complete to address all important modes of operation for the SSCs being analyzed. Safety-significant contributions from internal events, external events, and shutdown and low power initiators should be considered either by using PRA or other engineering analyses (NUREG-1602 provides a discussion of model completeness).

Sensitivity analysis for component data uncertainties: The sensitivity of component categorizations to uncertainties in the parameter values should be addressed by the licensee. Licensees should be satisfied that SSC categorization is not affected by data uncertainties.

Sensitivity analysis for common cause failures: CCFs are modeled in PRAs to account for dependent failures of redundant components within a system. The licensee should determine that the safety-significant categorization has been performed taking into account the combined effect of associated basic PRA events, such as failure to start and failure to run, including indirect contributions through associated CCF event probabilities. CCF probabilities can affect PRA results by enhancing or obscuring the importance of components. A component may be ranked as a high risk contributor mainly because of its contribution to CCFs, or a component may be ranked as low risk contributor mainly because it has negligible or no contribution to CCFs.

Sensitivity analysis for recovery actions: PRAs typically model recovery actions especially for dominant accident sequences. Quantification of recovery actions typically depends on the time available for diagnosis and performing the action, training, procedure, and knowledge of operators. There is a certain degree of subjectivity involved in estimating the success probability for the recovery actions. The concerns in this case stem from situations where very high success probabilities are assigned to a sequence, resulting in related components being ranked as low risk contributors. Furthermore, it is not desirable for the categorization of SSCs to be affected by recovery actions that sometimes are only modeled for the dominant scenarios. Sensitivity analyses can be used to show how the SSC categorization would change if all recovery actions were removed. The licensee should ensure that the categorization has not been unduly affected by the modeling of recovery actions.

Multiple component considerations: As discussed previously, importance measures are typically evaluated on an individual SSC or human action basis. One potential concern raised by this is that single event importance measures have the potential of dismissing all elements of a system or group despite the system or group having a high importance when taken as a whole. (Conversely, there may be grounds for screening out groups of SSCs, owing to the unimportance of the systems of which they are elements.) There are two potential approaches to addressing the multiple component issue. The first is to define suitable measures of system or group importance. The second is to choose appropriate criteria for categorization based on component level importance measures. In both cases, it will be necessary for the licensee to demonstrate that the cumulative impact of the change has been adequately addressed.

While there are no widely-accepted definitions of system or group importance measures, if any are proposed, the licensee should make sure that the measures are capturing the impact of changes to the group in a logical way. As an example of the issues that arise, consider the following. For front line systems, one possibility would be to define a Fussell-Vesely type measure of system importance as the sum of the frequencies of sequences involving failure of that system, divided by the sum of all sequence frequencies. Such a measure would need to be interpreted carefully if the numerator included contributions from failures of that system due to support systems. Similarly, a Birnbaum-like measure could be defined by quantifying sequences involving the system, conditional on its failure, and summing up those quantities. This would provide a measure of how often the system is critical. However, again the support systems make the situation more complex. To take a two division plant as an example, front line failures can occur as a result of failure of support division A in conjunction with failure of front line division B. Working with a figure of merit based on "total failure of support system" would miss contributions of this type.

In the absence of appropriately defined group level importance measures, reliance must be made on a qualitative categorization by the licensee, as part of the integrated decisionmaking process, to make the appropriate determination.

Relationship of importance measures to risk changes: Importance measures do not directly relate to changes in risk. Instead, the risk impact is indirectly reflected in the choice of the value of the measure used to determine whether an SSC should be classified as being of high and low safety significance. This is a concern whether importances are evaluated at the component or at the group level. The PSA Applications Guide recommended values of Fussell-Vesely importance of .05 at the system level, and .005 at the component level for example. However, the criteria for categorization into low and high significance should be related to the acceptance criteria for changes in CDF and LERF. This implies that the criteria should be a function of the base case CDF and LERF rather than being fixed for all plants. Thus the licensee should demonstrate how the choice of criteria are related to, and conform with, the acceptance guidelines described in this document. If component level criteria are used, they should be established taking into account that the allowable risk increase associated with the change should be based on simultaneous changes to all members of the category.

SSCs not included in the final quantified cutset solution: Importance measures based on the quantified cutsets will not factor in those SSCs that have either been truncated or were not included in the fault tree models because they were screened on the basis of high reliability. SSCs that have been screened because their credible failure modes would not fail the system function can be argued to be unimportant. The licensee must make sure that these SSCs are considered. This subject is discussed in more detail in NUREG-1602.
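An added Python example, not taken from the draft guide or NUREG-1602, of three checks Appendix A asks for: Fussell-Vesely and Risk Achievement Worth from minimal cutsets, the 95 percent CDF truncation check, and the recovery-action sensitivity case. It uses the rare-event approximation (CDF as the sum of cutset frequencies); the cutsets, probabilities, and the REC- naming of recovery events are constructed, and 0.005 is the component-level value the text quotes from the PSA Applications Guide.

```python
from math import prod

FV_COMPONENT_THRESHOLD = 0.005  # component-level FV value quoted in the text
CDF_CAPTURE_TARGET = 0.95       # truncated cutsets must capture 95% of CDF

# Constructed data: initiator frequencies (per year) and basic event probabilities.
PROBS = {
    "IE-TRANS": 1.0, "IE-SLOCA": 5e-3,
    "AFW-MDP": 1e-3, "AFW-TDP": 1e-2,
    "HPI-A": 1e-2, "HPI-B": 1e-2,
    "REC-HPI": 5e-3,  # failure of a recovery action (99.5% success credited)
}
CUTSETS = [
    frozenset({"IE-TRANS", "AFW-MDP", "AFW-TDP"}),
    frozenset({"IE-SLOCA", "HPI-A", "HPI-B", "REC-HPI"}),
    frozenset({"IE-SLOCA", "AFW-MDP", "AFW-TDP", "HPI-A"}),
]
COMPONENTS = ["AFW-MDP", "AFW-TDP", "HPI-A", "HPI-B"]


def cutset_freq(cutset, probs):
    return prod(probs[e] for e in cutset)


def cdf(cutsets, probs):
    """Rare-event approximation: sum of minimal cutset frequencies."""
    return sum(cutset_freq(cs, probs) for cs in cutsets)


def fussell_vesely(event, cutsets, probs):
    """Fraction of CDF from cutsets that contain the event."""
    hit = sum(cutset_freq(cs, probs) for cs in cutsets if event in cs)
    return hit / cdf(cutsets, probs)


def raw(event, cutsets, probs):
    """Risk Achievement Worth: CDF with the event failed, over base CDF."""
    return cdf(cutsets, {**probs, event: 1.0}) / cdf(cutsets, probs)


def truncate(cutsets, probs, limit):
    """Return the cutsets at or above the limit and the CDF fraction kept."""
    kept = [cs for cs in cutsets if cutset_freq(cs, probs) >= limit]
    return kept, cdf(kept, probs) / cdf(cutsets, probs)


def components_lost(components, kept):
    """Components that no longer appear in any retained cutset."""
    present = set().union(*kept) if kept else set()
    return sorted(c for c in components if c not in present)


def categorize(components, cutsets, probs):
    return {c: "high" if fussell_vesely(c, cutsets, probs)
            >= FV_COMPONENT_THRESHOLD else "low" for c in components}


def without_recovery(probs):
    """Sensitivity case: every recovery action is assumed to fail."""
    return {e: 1.0 if e.startswith("REC-") else p for e, p in probs.items()}


def recovery_sensitivity(components, cutsets, probs):
    """Components whose category changes when recovery credit is removed."""
    base = categorize(components, cutsets, probs)
    sens = categorize(components, cutsets, without_recovery(probs))
    return sorted(c for c in components if base[c] != sens[c])


if __name__ == "__main__":
    print("base CDF:", cdf(CUTSETS, PROBS))
    print("base categories:", categorize(COMPONENTS, CUTSETS, PROBS))
    print("changed without recovery:",
          recovery_sensitivity(COMPONENTS, CUTSETS, PROBS))
    kept, frac = truncate(CUTSETS, PROBS, 1e-8)
    print("coverage at 1E-8:", frac, "meets target:", frac >= CDF_CAPTURE_TARGET)
    print("components truncated away:", components_lost(COMPONENTS, kept))
```

In this constructed model a 1E-8 truncation limit keeps well over 95 percent of the CDF yet removes both HPI pumps from the cutset solution, which is why the text asks for the application-specific contributors to be checked separately.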


APPENDIX B: AN APPROACH FOR ESTIMATING THE FREQUENCIES OF VARIOUS CONTAINMENT FAILURE MODES AND BYPASS EVENTS


B.1 Introduction

This appendix describes an approach for estimating the frequencies of various containment failure modes and bypass events. This approach is designed to supplement Level 1 PRAs submitted in support of risk-informe

The intent is to use accident sequence information provided in the Level 1 PRA to estimate the frequencies of plant damage states (PDSs) and hence the frequencies of containment failure and bypass.

Accident sequences leading to core damage are usually grouped into PDSs for the purpose of assessing the subsequent accident progression. A PDS is defined in such a way that all accident sequences binned into it can be treated identically in the accident progression analysis. That is, the PDS definition must recognize all distinctions that matter in the accident progression analysis. Once a set of PDSs is defined for a given reactor, containment performance is calculated for each PDS. It is clear that some PDSs will be more challenging to containment integrity than others (pressure, temperature, mechanical loading, etc.), and some PDSs will completely bypass containment. For example, an interfacing systems LOCA has the potential to completely bypass containment, while a transient event with loss of containment heat removal (CHR) will pose more of a challenge to containment integrity than a LOCA with the CHR systems operating. The PDSs are distributed into various containment failure modes (CFMs) to allow for assessment of the likely outcomes of the accident progression.

For the purpose of the simplified approach, sufficient Level 2 PRAs have been completed to permit the allocation of core damage sequences to appropriate CFMs. To allow comparison to the acceptance guidelines identified in this appendix, the approach has to distinguish between containment failure modes that might lead to early fatalities vs. those failure modes that will not cause early fatalities. Consequently, the failure modes were categorized as follows:

  • early containment failure or bypass (potentially leading to large early release, i.e., early fatalities likely)
  • late containment failure or containment intact (potentially not leading to large early release, i.e., early fatalities unlikely)

Once established, the frequencies of these categories can be determined and changes in the 0% A w-y M assmst the ==re=n~h A key advantage of this approach is that each accident sequence is allocated to a risk category based on the status of the plant. A scheme for allocating the various accident sequences to the categories is described below. An event tree has been developed for each containment type that allocates accident sequences to one of the categories. The intent is that each licensee will develop split fractions for most of the questions in the trees based on plant-specific accident sequences and characteristics. These trees prescribe a single question concerning the likelihood of early containment failure. Each accident sequence from the Level 1 analysis can be processed through the trees with individual frequencies allocated to the various release categories. The sum of these individual accident frequencies determines the total frequency for each release category.

B.2 PWRs With Large Volume Containments

Figure B-1 presents an event tree that allows allocation of accident sequences to one of two categories for use with PRAs for PWRs with large dry or subatmospheric containments. Each accident sequence in a Level 1 PRA would be allocated to one of these categories based on the plant status as defined by the various accident sequences. This approach prescribes only a single question concerning the likelihood of containment failure at vessel breach (Question 5). The split fraction for this question reflects a reasonable estimate of the likelihood of early containment failure for large-volume containment given a high- or low-pressure core meltdown accident. However, if a licensee has justification for an alternative split fraction, this could be provided to support changes in the event tree quantification.

Figure B-1 PWR Large Dry Containment (event tree). Column headings: 1 Core Damage; 2 Containment Isolated or Not Bypassed; 3 RCS Depress.; 4 ECC Restored Before Vessel Failure; 5 No Containment Failure at VB; 6 No Potential for Early Fatalities; Path; Large Early Release. Large Early Release by path: 1 No, 2 No, 3 No, 4 Yes, 6 No, 7 No, 8 Yes, 9 No, 10 Yes.
Note: In the case of seismic initiators, there is a possibility that effective warning and evacuation may be precluded due to the disruption of warning systems and evacuation paths. If the containment structure is judged to survive the event, the likelihood of long-term containment heat removal should be investigated. If CHR is predicted to fail (for any set of reasons) the containment will eventually fail due to over pressurization and the consequence category should be "yes" since it is unlikely that evacuation will occur.

Question 1: Core Damage Frequency?

This is simply the entry point for the tree. The frequency for the accident sequence under consideration is entered here.

Question 2: Containment Isolated or Not Bypassed?

This question includes accidents in which the containment fails to isolate, as well as accidents initiated by containment bypass (such as interfacing systems LOCAs and steam generator tube ruptures). This category is intended to apply only to accidents that bypass containment at accident initiation. Accident sequences that cause containment bypass (such as induced SGTR) during accident progression after core damage are not included in this category. Accidents in which the containment is initially open have been found important during shutdown and would also be included in this category.

Question 3: RCS Depressurized?

For accidents initiated by transients and small break LOCAs, the RCS will remain at high pressure unless the operators depressurize the RCS or the RCS pressure boundary fails. If the operators cannot depressurize the RCS the accident sequence would be allocated to the "not depressurized" branch in the event tree. However, a licensee may wish to take credit for hot leg failure as a cause of RCS depressurization before vessel breach. Justification should be provided if such a failure mechanism is assumed. Intermediate and large-break LOCAs and accidents in which the operators depressurize the primary system to below 200 psi would be allocated to the depressurized branch.

Question 4: ECC Restored Before Vessel Breach?

Accidents in which ECC is restored within 30 minutes of the start of core damage are assumed to arrest the accident progression without vessel breach. For these accidents, subsequent questions related to containment failure at vessel breach and the potential for early fatalities are not relevant. If the ECC is not restored within 30 minutes, vessel breach is assumed to occur, and all subsequent questions are pertinent.

Credit for in-vessel arresting of the accident will only be given for cases where recovering AC power will lead to the restoration of ECCS within 30 minutes of the onset of core damage. For example, no credit will be given for an operator manually depressurizing the reactor and using a low-pressure system between core damage and vessel breach. If cooling is restored within 30 minutes, the probability of successful arrest is assumed to be 1.0; if cooling is restored after 30 minutes, the probability of successful arrest is assumed to be 0.0.

Question 5: No Containment Failure at Vessel Breach?

The likelihood of containment failure at vessel breach depends on several factors, such as the pressure in the primary system, the amount and temperature of the core debris exiting the vessel, the size of the hole in the vessel, the amount of water in the cavity, the configuration of the cavity, and the structural capability of the containment building. In the simplified event tree, only the pressure in the primary system is considered so that all other considerations have to be folded into the split fractions for high- and low-pressure sequences. Each possibility is discussed below.

Low 1presswe M-7' i M M ggt"tWTittanert, V3ngjg Snmehante=g M dall.u..p crmtain=Mrtt . b inci d iDa vessel steam explosions, rapid steam generanon aused by care debns contactag water in the cavity, and hydrogen ea=Wan On the basis ofprenous PRAs, the prooaoimy w ./ nant=nment fadwe is assumed to be 0.01. If a heensee does not consuler this probability to be appropnate because of plant specific considerations, then the probabihty can be A=.=ad butjusufication for the change should be prended. High-P'ressure ha=a=7 Several mneharusms could challenge contamment under these cucumstances In-vessel steam explosions are a penann=1 fadure ==ch=ai==. but it is more ddfindt to trigger steam explosions at high presswe than at low urss dunng core pressure Steamgeneratortuberuptureis alsopossiblebecauseofhigh L y .h. and y. ~ j mehdown ifinduced SGTR occurs, a p--~ial baass of enata==ent can result if the --d=y system is March 24,1997 B3 DG-1061,.mWW B wt

 . - - . - - . - - - . - - _ - - - -                                                    -- - . _ - - . - ~ . -                                 _ - . . - . . - -

o /- a Draf:for C.,..,,.att AMB . openc However, the most Qw fadure i=ehamam, for high-pressure core mehdown sequences are

                                           ===acintart with high pressure meh ejecnon (HPME). Ejechan of the core debris at high-pressure can caus the core debns to fann fine p.nides that can duectly heat the r=tahnnant - --f-w (i.e., DCH) and cause rapid pressure spiles Dirms HPME,the hot pamcles could alsoignite any combustible gases in aanta===t, thmeby addmg to the presswe pulse. The p--i=1 for DCH to cause containment failure e' -k on several r factors, such as the prunary system pressure, the size of the opeang in the vessel, the temperanne and composition of the core debns cutmg the vessel, the amount of water in the cavity, and the dispersive characaristics of the reactor cavity. .The probability of early -. .. .... ~.. fadure is, therefore, a composite of och of these potennal faiham modes and is assumed to be 0.1. Again, a heenses can change this probability, prcmded that appropnatejnennemaan is provided.                                                    .
                                           '!he fracnon orlow- or high-pressure aa7- that resuk in early raatai===nt faihne at the time of the vessel breach have the tweenhal to be allocated to the high-release category. De remaining frmaans of the accident sequences (in which the erwummnwnf remams intact) are allocated to the low-release category.

Question 6: No Potential for Early Fatalities?

The potential for early fatalities depends on the magnitude and timing of the release relative to two factors: (1) the time elapsed from reactor scram to the time at which the release starts (particularly relevant to shutdown accidents), and (2) the time from the declaration of a general emergency to the time of the start of the release compared to the time required to effectively warn and evacuate the population in the vicinity of the plant. During shutdown, for example, the early health risk from many internally initiated accidents is greatly reduced simply by the decay of the short-lived isotopes that affect early fatalities. At full-power operation, this question allows long-term sequences, such as loss of CHR or other late overpressurization sequences, to be placed in the low-release category without the need for a detailed evaluation of the ultimate containment response, since it is assumed that evacuation will occur before the release starts. Sequences originating from seismic initiators should all be associated with the potential for early fatality branch on the event tree. In order to place a sequence on the branch labeled no potential for early fatalities, a licensee should provide information, specific to the sequence, concerning when a general emergency would be declared and the expected time required to warn and evacuate the population. For shutdown accidents, where the containment is essentially unisolated, the time available for evacuation is the time from declaration of a general emergency to the onset of core damage. For accidents at full power, the time available for evacuation is the time from the declaration of a general emergency to vessel breach. Unless otherwise justified, the licensee should use one hour from onset of core damage to vessel breach.

All Other Accidents

All accident sequences that do not fall into the above categories are assumed not to fail containment and, therefore, are allocated to the no "large early release" consequence bin category.

B.3 PWR Ice Condenser Containments

Figure B-2 provides a high-level containment event tree (CET) for ice [illegible] of the CET for ice condenser plants are placed in a high consequence [illegible] containment [illegible] occurs and the potential exists for early fatalities [illegible] long-term CHR systems, and on all other [illegible] late failures, [illegible] are assigned a low consequence category. (There is considerable similarity in the event trees for large dry and ice condenser [illegible], and many of the questions are similar.)

Question 1: Core Damage Frequency?

This is simply the entry point for the event tree. The frequency of the accident [illegible] is entered here.

Question 2: Containment Isolated or Not Bypassed?

This top event is similar to the first question asked in the event tree for large [illegible] answer results in an outcome with the potential to be allocated to the "large early release" category.

Question 3: Hydrogen Igniters Operating Before Core Damage?

The smaller volume containments, such as ice condensers, are critically dependent on the availability of hydrogen igniters to control pressure loads resulting from hydrogen combustion [illegible] dynamic loads. The annular design of the ice compartments lends itself to buildup of hydrogen [illegible]. There is a significant probability of a hydrogen combustion event causing containment failure [illegible] are not operating (i.e., regardless of whether core cooling was restored).

Question 4: RCS Depressurized?

If the RCS cannot be depressurized by operator action, core melt with the RCS remaining at high pressure [illegible] pose a severe threat to the containment integrity. For ice condenser plants, this can lead to [illegible] of the core debris on the containment wall in the seal table room, provided this [illegible] exists at the plant.

Question 5: ECC Restored Before Vessel Failure?

All accidents in which ECC is restored within 30 minutes of the start of core damage are assumed to [illegible] progression without vessel breach. For these accidents, if the igniters are not operating, [illegible] possibility of containment failure due to hydrogen combustion even if the core is retained [illegible]. If the igniters are operating, then it is assumed that the containment does not fail due to hydrogen combustion. If the ECC is not restored within 30 minutes, then vessel breach is assumed to occur. Credit for in-vessel arrest of the accident will only be given for cases where recovering AC power will lead to the restoration of ECCS within 30 minutes of the onset of core damage. For example, no credit will be given for an operator manually depressurizing the reactor and using a low pressure system to inject water between core damage and vessel breach. If cooling is restored within 30 minutes, the probability of successful arrest is assumed to be 1.0, and if cooling is restored after 30 minutes, the probability of successful arrest is assumed to be 0.0.

[Figure B-2. PWR ice condenser containment event tree. Top events, in order: (1) Core Damage Frequency; (2) Containment Isolated or Not Bypassed; (3) Hydrogen Igniters Operating Before Core Damage; (4) RCS Depressurized; (5) ECC Restored Before Vessel Failure; (6) No Containment Failure at or Before Vessel Breach; (7) No Potential for Early Fatalities. Each of the 22 paths ends in a Yes/No large early release assignment.]

Note: In the case of seismic initiators, there is a possibility that effective warning and evacuation may be precluded due to the disruption of warning systems and evacuation paths. If the containment structure is predicted to survive the event, the likelihood of long-term containment heat removal should be investigated. If CHR is predicted to fail (for any set of reasons) the containment will eventually fail due to overpressurization and, the consequence category should be "yes" since it is unlikely that evacuation will occur.

Question 6: No Containment Failure at or Before Vessel Breach?

If the igniters are not operating, then the potential exists for failure of the containment as a result of hydrogen combustion before the vessel breach. This failure can, therefore, occur even if the core damage is arrested in the vessel. The probability of a hydrogen combustion event causing containment failure before the vessel breach was determined to be 0.04. Again, if a licensee wishes to change this probability, appropriate justification should be provided. If the igniters are operating, the containment is assumed not to fail before the vessel breach.

As for the large dry containments, the likelihood of containment failure at vessel breach depends on several factors, such as the pressure in the primary system, the amount and [illegible] of the core debris exiting the vessel, the size of the hole in the vessel, whether or not the igniters are operating, the amount of ice left in the ice chests, the amount of water in the cavity, the configuration of the cavity, and the structural [illegible] of the containment building. In the simplified event tree in Figure B-2, the pressure in the primary system, and the operability of the igniters, are considered so that all other considerations have to be folded into the appropriate split fractions in the event tree. Each possibility is discussed below.

Low-Pressure Sequences?

Under these circumstances, various mechanisms could challenge containment integrity, including in-vessel steam explosions, rapid steam generation caused by core debris contacting water in the cavity, and hydrogen combustion. For ice condenser containments, the likelihood of these failure modes depends upon the operability of the igniters and the availability of ice in the condenser. On the basis of previous PRAs, the probabilities of early containment failure at or before vessel breach, with and without the igniters operating, are given below:

                                              Igniters Operating    Igniters Failed
Probability of Early Containment Failure             0.01                 0.1

If a licensee considers either of these probabilities to be inappropriate because of plant-specific considerations, the probabilities can be changed, but justification for the changes should be provided.

High-Pressure Sequences?

Ice condenser containments can be challenged by failure modes similar to those [illegible] for large volume [illegible], i.e., in-vessel steam explosions are a potential failure mechanism, but it is more difficult to trigger steam explosions at high pressure than at low pressure. Steam generator tube rupture is also possible because of high temperatures and pressures during core meltdown. If induced SGTR occurs, a potential bypass of containment can result if the secondary system is open. However, two important failure mechanisms are associated with HPME in ice condenser containments. The potential for DCH to cause failure of ice condenser containments depends on those factors found important for large dry containments. However, ice remaining in the ice chest was also found to mitigate DCH for ice condenser containments. The second failure mechanism associated with HPME in ice condenser containments is impingement of corium on the containment wall, which can lead to failure and a direct path out of containment. Another important failure mechanism for ice condenser containments is hydrogen combustion at the time of vessel failure. The importance of this failure mechanism depends on the operability of the igniters.

The probability of early containment failure at or before vessel breach is, therefore, a composite of each of these potential failure modes as indicated below:

                                                          Igniters Operating    Igniters Failed
Conditional Probability of Early Containment Failure             0.05                 0.2

Again, a licensee can change the above probabilities, provided that appropriate justification is furnished.

The fraction of low- or high-pressure sequences that result in early containment failure at the time of vessel breach have the potential to be allocated to the large early release category. The remaining fractions of the accident sequences (in which the containment remains intact) are allocated to the no "large early release" consequence category.

Question 7: No Potential for Early Fatalities?

The potential for early fatalities depends on the magnitude of the release and on the timing of the release relative to two factors: (1) the time elapsed from reactor scram to the time at which the release starts (particularly relevant to shutdown accidents) and (2) the time from the declaration of a general emergency to the time of the start of the release compared to the time required to effectively warn and evacuate the population in the vicinity of the plant. During shutdown, for example, the early health risk from many internally initiated accidents is greatly reduced due simply to the decay of the short-lived isotopes which affect early fatalities. At full power operation, this question allows long-term sequences, such as loss of CHR or other late overpressurization sequences, to be placed in the low release category without the need for a detailed evaluation of the ultimate containment response, since it is assumed that evacuation will occur before the release starts. Sequences originating from seismic initiators should all be placed on the potential for early fatality branch on the event tree. In order to place a sequence on the branch labeled no potential for early fatalities, a licensee should provide information, specific to the sequence, concerning when a general emergency would be declared and the expected time required to warn and evacuate the population. For shutdown accidents, where the containment is essentially unisolated, the time available for evacuation is the time from declaration of a general emergency to the onset of core damage. For accidents at full power, the time available for evacuation is the time from the declaration of a general emergency to vessel breach. Unless otherwise justified, the licensee should use one hour from onset of core damage to vessel breach.

B.4 BWR Mark I Containment

Figure B-3 provides an event tree allowing allocation of accident sequences to one of two consequence categories for use with PRAs for BWRs with Mark I containments. The structure of the event tree is based on the premise that all early releases that are scrubbed by the suppression pool are sufficiently low that by themselves will not result in individual early fatality risk. Hence, if an early failure occurs with the functionality of the suppression pool intact, it is assumed that the early scrubbed releases will not pose an early fatality threat to the population within one mile of the plant boundary, and that this population will evacuate before substantial core concrete interaction releases or late iodine releases from pools are of a magnitude to cause individual early fatality risk (except in the case of a seismic event, as noted in Figure B-3). Each top event question in the event tree is discussed below. The licensee would be [illegible] to provide the split fractions for all questions with the exception of Question 7.

Question 1: Core Damage Frequency?

This is simply the entry point for the event tree. The frequency for the accident sequence under consideration is entered here.

Question 2: Containment Failed/Vented Prior to VB (Releases not scrubbed by suppression pool)?

This question involves the fraction of the core damage frequency where the containment is failed at the start of the accident or prior to vessel failure. Failures at the start of the accident include bypass sequences (Event V), containment isolation failures, and sequences where the containment is initially open. For example, during cold shutdown and refueling, if the containment is open and the vessel head is removed, no credit should be given for closing the containment in the presence of the radioactive environment within the containment. Failures after the start of the accident can also occur due to insufficient containment heat removal, e.g., during ATWS or loss of containment heat removal. Loss of containment heat removal or other non-ATWS sequences where the only breach of containment integrity prior to vessel failure is through wetwell vents should be put into the "OK" category.

Question 3: Core Damage Arrested Prior to Vessel Failure?

This question accounts for the fact that some sequences may be arrested in-vessel without significant releases from the RPV. All arrested sequences are assigned to the Low consequence category. Shutdown events where the vessel head has been removed should all be placed in the "Breach" category. Credit for in-vessel arresting of the accident will only be given for cases where recovering AC power will lead to the restoration of ECCS within 30 minutes of the onset of core damage. For example, no credit will be given for an operator manually depressurizing the reactor and using a low pressure system between core damage and vessel breach. If cooling is restored within 30 minutes, the probability of successful arrest is assumed to be 1.0, and if cooling is restored after 30 minutes, the probability of successful arrest is assumed to be 0.0. The inclusion of this event in the tree and the assignment of the success path to the Low consequence category are based on the premise that the time window is sufficiently short that minimal in-vessel releases will occur and that they will have a high probability of being scrubbed by the suppression pool, including those from ATWS.

Question 4: No Potential for Early Fatalities?

Early fatalities are largely precluded if an effective evacuation has occurred; only a small fraction of the population is expected to remain behind. Therefore, this question considers the fraction of the remaining core damage frequency (excluding sequences that were arrested, as accounted for in the previous question) that involves an effective evacuation. This question allows long-term sequences, such as loss of containment heat removal sequences (TW) or long-term boiloff sequences during shutdown, to be placed in the no "large early release" category without the need for a detailed evaluation of the ultimate containment response. Seismic sequences should all be placed in the potential for early fatality branch on the event tree. Note that to place a sequence on the branch labeled no potential for early fatalities, a licensee should provide information concerning when a general emergency would actually be declared and the expected evacuation time required. For shutdown sequences with the vessel head removed, the time available for evacuation is the time from declaration of a general emergency to the onset of core damage. For other sequences, the time available is the time from declaration of a general emergency to vessel breach. The licensee should use one hour for the time from onset of core damage to vessel breach.

Question 5: RPV Depressurization?

The containment failure probability will be impacted by the RPV pressure at vessel breach. This question addresses the fraction of the remaining core damage frequency (excluding sequences accounted for by previous questions) that are at low versus high pressure. The top branch is the fraction at low pressure, and the bottom branch is the fraction at high pressure.

[Figure B-3. BWR Mark I containments event tree. Top events, in order: (1) Core Damage Frequency; (2) Containment Failed/Vented Prior to VB (unscrubbed); (3) Core Damage Arrested Prior to Vessel Failure; (4) No Potential for Early Fatalities; (5) RPV Depressurization; (6) Water on the Drywell Floor; (7) Containment Failure at VB (unscrubbed). Large early release by path: 1 No, 2 No, 3 No, 4 Yes, 5 [illegible], 6 Yes, 7 No, 8 Yes, 9 No, 10 Yes, 11 No, 12 No, 13 Yes.]

Note: In the case of seismic initiators, there is a possibility that effective warning and evacuation may be precluded due to the disruption of warning systems and evacuation paths. If the containment structure is predicted to survive the event, the likelihood of long-term containment heat removal should be investigated. If CHR is predicted to fail (for any set of reasons) the containment will eventually fail due to overpressurization and, the consequence category should be "yes" since it is unlikely that evacuation will occur.

It is considered reasonable to use the pressure at the time of core damage, rather than the pressure at vessel breach, if the latter is not readily available. High pressure is considered to be anything above 200 psig in the vessel.

Question 6: Water on the Drywell Floor?

Water in the drywell will affect both the likelihood of ex-vessel steam explosions and the likelihood and [illegible] of liner melt-through. Small amounts of water will have limited mitigating effects. It is believed that water levels in excess of 12" will be effective in substantially reducing the probability of [illegible] and/or partially scrubbing the releases. In taking credit for such water, factors, such as the height of the downcomers, pumping capacity, and power availability, must be considered. For this question, the top branch is the fraction of the remaining sequences (excluding sequences accounted for by previous questions) in which at least 12" of water will be available, and the bottom branch is the fraction where 12" of water will not be available.

Question 7: Containment Failure At VB (Releases not scrubbed by suppression pool)?

Depending on the answers to Questions 5 and 6, the containment failure probability is assigned. These failure probabilities implicitly account for the following phenomena: alpha-mode failure, ex-vessel steam explosions, vessel blowdown, liner melt-through, and direct heating. They do not consider long-term failure modes, such as core-concrete interactions or long-term drywell heatup. Bypass events have been accounted for previously.

The branch probabilities for these questions are predetermined (refer to Table B-1 below) and not calculated by the licensee. The licensee could change the probabilities by providing a suitable argument that plant-specific features affect the [illegible]. The licensee should consider plant-specific features that increase the containment failure and not only those plant-specific features that mitigate severe accidents.

Table B-1. Mark I Conditional Probabilities of Unscrubbed Containment Failure at Vessel Breach

Path    RPV Pressure    Water    Total Failure Prob
4       Lo              Yes      0.4
6       Lo              No       0.7
8       Hi              Yes      0.6
10      Hi              No       1.0

B.5 BWR Mark II Containment

Figure B-4 provides an event tree which allows accident sequences to be allocated to one of two consequence categories for use with PRAs for BWRs with Mark II containments. The structure of the event tree is based on the premise that all early releases that are scrubbed by the suppression pool are sufficiently low that by themselves will not result in individual early fatality risk. Hence, if an early failure occurs with the functionality of the suppression pool intact, it is assumed that the early scrubbed releases will not pose an early fatality threat to the population within one mile of the plant boundary, and that this population will evacuate before substantial core concrete interaction releases or late iodine releases from pools are of a magnitude to cause individual early fatality risk (except in the case of a seismic event, as noted in Figure B-4). Each top event question in the event tree is discussed below. The licensee would be [illegible] to provide the split fractions for all questions with the exception of Question 7.

Question 1: Core Damage Frequency?

This is simply the entry point for the event tree. The frequency for the accident sequence under consideration is entered here.

Question 2: Containment Failed/Vented Prior to Vessel Breach (Releases not scrubbed by suppression pool)?

This question involves the fraction of the core damage frequency where the containment is failed or vented at the start of the accident or prior to vessel failure. Failures at the start of the accident include bypass sequences (Event V), containment isolation failures, and sequences where the containment is initially open. For example, during cold shutdown and refueling, if the containment is open and the vessel head is removed, no credit is given for closing the containment in the presence of the radioactive environment within the containment. Failures after the start of the accident can also occur due to insufficient containment heat removal, e.g., during ATWS or loss of containment heat removal. Loss of containment heat removal accompanied by drywell venting should be put into the "failed" category. Sequences where the only breach of containment integrity prior to vessel failure is through wetwell vents should be put into the "OK" category.

Question 3: Core Damage Arrested Prior to Vessel Failure?

This question accounts for the fact that some sequences may be arrested in-vessel without significant releases from the RPV. All arrested sequences are assigned to the no "large early release" consequence category. Shutdown events where the vessel head has been removed should all be placed in the "Breach" category. Credit for in-vessel arresting of the accident will only be given for cases where recovering AC power will lead to the restoration of ECCS within 30 minutes of the onset of core damage. For example, no credit will be given for an operator manually depressurizing the reactor and using a low pressure system between core damage and vessel breach. If cooling is restored within 30 minutes, the probability of successful arrest is assumed to be 1.0, and if cooling is restored after 30 minutes, the probability of successful arrest is assumed to be 0.0. The inclusion of this event in the tree and the assignment of the success path to the no "large early release" consequence category are based on the premise that the time window is sufficiently short that minimal in-vessel releases will occur and that they will have a high probability of being scrubbed by the suppression pool, including those from ATWS.

Question 4: No Potential for Early Fatalities?

Early fatalities are largely precluded if an effective evacuation has occurred; only a small fraction of the population is expected to remain behind. Therefore, this question considers the fraction of the remaining core damage frequency (excluding sequences that were arrested, as accounted for in the previous question) that involves an effective evacuation. This question allows long-term sequences, such as loss of containment heat removal sequences (TW) or long-term boil-off sequences during shutdown, to be placed in the no "large early release" category without the need for a detailed evaluation of the ultimate containment response. Seismic sequences should all be placed in the potential for early fatality branch on the event tree. Note that to place a sequence on the branch labeled no potential for early fatality, a licensee should provide information concerning when a general emergency would actually be declared and the expected evacuation time required. For shutdown sequences with the vessel head removed, the time available for evacuation is the time from declaration of a general emergency to the onset of core damage. For other sequences, the time available is the time from declaration of a general emergency to vessel breach. The licensee should use one hour for the time from onset of core damage to vessel breach.

Question 5: RPV Depressurization?

The containment failure probability will be impacted by the RPV pressure at vessel breach. This question addresses the fraction of the remaining core damage frequency (excluding sequences accounted for by previous questions) that are at low versus high pressure. The top branch is the fraction at low pressure, and the bottom branch is the fraction at high pressure. It is considered reasonable to use the pressure at the time of core damage, rather than the pressure at vessel breach, if the latter is not readily available. High pressure is considered to be anything above 200 psig in the vessel.

[Figure B-4. BWR Mark II containments event tree. Top events, in order: (1) Core Damage Frequency; (2) Containment Failed/Vented Prior to Vessel Breach (unscrubbed); (3) Core Damage Arrested Prior to Vessel Failure; (4) No Potential for Early Fatalities; (5) RPV Depressurization; (6) Water on the Pedestal or Drywell Floor; (7) Containment Failure at Vessel Breach (unscrubbed). Large early release by path: 1 No, 2 No, 3 No, 4 Yes, 5 No, 6 Yes, 7 No, 8 Yes, 9 No, 10 Yes, 11 No, 12 No, 13 Yes.]

Note: In the case of seismic initiators, there is a possibility that effective warning and evacuation may be precluded due to the disruption of warning systems and evacuation paths. If the containment structure is predicted to survive the event, the likelihood of long-term containment heat removal should be investigated. If CHR is predicted to fail (for any set of reasons) the containment will eventually fail due to overpressurization and, the consequence category should be the "yes" category since it is unlikely that evacuation will occur.

Question 6: Water on the Pedestal or Drywell Floor?

Water in the pedestal will affect the likelihood of ex-vessel steam explosions in the pedestal and drain line (and downcomers, when located directly below the vessel). For this question, the top branch is the fraction of the remaining sequences (excluding sequences accounted for by previous questions) in which the pedestal is flooded, and the bottom branch is the fraction where the pedestal is not flooded.

                                                                                                                                                             .         /     e kaftfor Comment Quesuon 7:         C-=i==~w Failwe At Vessel Breach (Unsembbed by Suppression pool)?

n'--~5=* an the answers to Quesnes 5 ed 6, the aantain===t failwe probability is assigned. These failure prahaM*== unphaaly accout for the faDowmg phena===s alpha-mode failure, ex vessel steam explosions m podestal and drain lines or /& ===.), vessel blowdown, and drect heating. These fadure probabilities do not include steel shell fadure by melt impingemem ham care debns ejected from the pedestal cavny nor do theyinclude falures in free s:::ndmg steel she!! . .. .. .. -. from dpmime loads as a result ofex-vessc! steam l

                                                        ~$= in the suppresman pool that can paamuaDy occur if mohan care dehns exits the pedestal cavity and enters the pool through the downcomers (this latter failwe mode was addressed by the ema====t Imds                     I Workmg Grog and is discussed in NUREG 1079'). Plats that are vulacrable to these failwes should modify the faihse probabihees, talang into acommt the plant specific fcanres that canenbute to tir vulnerabday. '1he faihre probabiliiies also do not consider long-term failm modes, such as care.acomme inter cnans or lace-term dryweD hestup Bypass and events with mate.innumt failwe or drywell ventag have been ======I for' previously. The branch probabilities far these questians == g.t                        : and a not calculated by the hcensee The hcensee could change the probabilines by providing a smtable argument that plant-specific featwes affect the rd6-dan. The hoensee should consuier plant-specific festmas that increase the aant====at failure such as for the steel shelled mata====t and not only those plant specific features that mitigate tevere acculents Table B-2. Mark II G:mditional rnota                ,at Fahre Probabilities l
Path    Pressure    Water    Total Failure Probability
4       Lo          Yes      0.1
6       Lo          No       0.3
8       Hi          Yes      0.3
10      Hi          No       0.3

B.6 BWR Mark III Containment

Figure B-5 provides an event tree which allows accident sequences to be allocated to one of two consequence categories for use with PRAs for BWRs with Mark III containments. The structure of the event tree is based on the premise that all early releases that are scrubbed by the suppression pool are sufficiently low that by themselves will not result in individual early fatality risk. Hence, if an early failure occurs with the [illegible] of the suppression pool intact, it is assumed that the early scrubbed releases will not pose an early fatality threat to the population within one mile of the plant boundary, and that this population will evacuate before substantial core-concrete interaction releases or late iodine releases from pools are of a [illegible] to cause individual early fatality risk (except in the case of a seismic event, as noted in Figure B-5). Each top event question in the event tree is discussed below. The licensee would be [illegible] to provide the split fractions for all questions with the exception of Question 7.

³ "Estimates of Early Containment Loads from Core Melt Accidents," Draft NUREG-1079, December 1985.

[Figure B-5. BWR Mark III containment (event tree).]
Note: In the case of seismic initiators, there is a possibility that effective warnings and evacuation may be precluded due to disruption of warning systems and evacuation paths. If the containment structure is predicted to survive [illegible] likelihood of long-term containment heat removal should be [illegible]. If CHR is predicted to fail (for any set of reasons) the containment will eventually fail due to overpressurization and the consequence category [illegible] category since it is unlikely that evacuation will occur.

Special Note for Mark III Containments: Mark III containments [illegible] have a double layer containment, with the drywell and suppression pool forming one layer and the outer [illegible] forming the other layer. In the [illegible] below, the term containment failure refers to containment functional failure and requires the following two conditions to both be met:

1. The outer containment is [illegible], and
2. Either the drywell pressure boundary integrity is breached (e.g., by stuck-open drywell vacuum breaker, [illegible] failure, or failure to isolate) or the suppression pool drains sufficiently to negate the scrubbing function of the suppression pool.


Question 1: Core Damage Frequency?

This is simply the entry point for the event tree. The frequency for the accident sequence under consideration is entered here.

Question 2: Containment Failed/Vented Prior to VB (Releases not scrubbed by suppression pool)?

This question addresses whether the containment is failed at the start of the accident or prior to vessel breach (VB). Failures at the start of the accident include bypass sequences (Event V), containment isolation failures, and sequences where the containment is initially open. For example, during cold shutdown and [illegible], if the containment is open and the vessel head is removed, no credit is given for closing the containment in the presence of the radioactive environment within the containment. Failures after accident initiation that are addressed here include those due to [illegible] containment heat removal, e.g., during ATWS or loss of containment heat removal. Loss of containment heat removal or other non-ATWS sequences where the only breach of containment integrity prior to vessel failure is through wetwell vents should be put into the "OK" category. Containment failure due to uncontrolled hydrogen burns during core damage are considered in Question 7.

Question 3: Hydrogen Igniters Before CD?

This question involves the fraction of the core damage frequency in which the igniters are operating prior to core damage (CD). [illegible] of the igniters prior to core damage increases the probability of an uncontrolled hydrogen burn.

Question 4: Core Damage Arrested Prior to Vessel Failure?

This question accounts for the fact that some sequences may be arrested in-vessel without significant releases from the RPV. All arrested sequences are assigned to the low consequence category. Shutdown events where the vessel head has been removed should all be placed in the "Breach" category. Credit for in-vessel arresting of the accident will only be given for cases where recovering AC power will lead to the restoration of ECCS within 30 minutes of the onset of core damage. For example, no credit will be given for an operator manually depressurizing the reactor and using a low pressure system between core damage and vessel breach. If cooling is restored within 30 minutes, the probability of successful arrest is assumed to be 1.0, and if cooling is restored after 30 minutes, the probability of successful arrest is assumed to be 0.0. The inclusion of this event in the tree and the assignment of the success path to the no "large early release" consequence category are based on the premise that the time window is sufficiently short that [illegible] in-vessel releases will occur and that they will have a high probability of being scrubbed by the suppression pool, including those from ATWS.

Question 5: No Potential for Early Fatalities?

Early fatalities are largely precluded if an effective evacuation has occurred; only a small fraction of the population is [illegible] to remain behind. Therefore, this question considers the fraction of the remaining core damage frequency ([illegible] sequences that were arrested, as accounted for in the previous question) that involves an effective evacuation. This question allows long-term sequences, such as loss of containment heat removal sequences (TW) or long-term boiloff sequences during shutdown, to be placed in the low category without the need for a detailed evaluation of the ultimate containment response. Seismic sequences should all be placed in the potential for early fatality branch of the event tree. Note that to place a sequence on the branch labeled no potential for early fatality, a licensee should provide information concerning when a general emergency would actually be declared and the [illegible] evacuation time required. For shutdown sequences

with the vessel head removed, the time available for evacuation is the [illegible] to the onset of core damage. For other sequences, the [illegible] of a general emergency to vessel breach [illegible] licensee should use [illegible] damage to vessel breach.

Question 6: RPV [illegible]?

[illegible] containment failure probability will be impacted by the RPV pressure at vessel [illegible] addresses the fraction of the remaining core damage frequency ([illegible] sequences [illegible] questions) that are at low versus high pressure. The top branch is the fraction [illegible] branch is the fraction at high pressure. It is considered [illegible] to use the pressure at [illegible] damage, rather than the pressure at vessel breach, if the latter is not readily [illegible] to be anything above 200 psig in the vessel.

Question 7: Containment Failure Before or At VB (Releases not scrubbed by suppression pool)?

Depending on the answers to Questions 2 and 6, the containment failure probability is assigned. These failure probabilities (refer to Table B-3 below) implicitly account for the following phenomena [illegible] and at vessel failure, alpha-mode failure, ex-vessel steam explosions, vessel blowdown, and [illegible]. They do not consider [illegible] failure modes, such as core-concrete interactions or long-term pedestal erosion. Bypass events have been accounted for previously. The branch probabilities for these questions are predetermined and are not calculated by the licensee. The licensee could change the [illegible] a suitable argument that plant-specific features affect the [illegible]. The licensee should consider plant-specific features that increase the containment failure and not only those plant-specific features [illegible] severe accidents.

Table B-3. Mark III Conditional Containment Failure Probabilities

Path    Igniters    Pressure    Total Failure Prob.
4       Yes         Low         0.2
6       Yes         High        0.2
10      No          Low         0.2
12      No          High        0.3

Attachment to Appendix B:

Definition of Containment Failure Mode Classes

Early Structural Failure

Involves structural failure of the containment before, during or slightly after reactor vessel failure, [illegible] a few hours of the start of core damage. A variety of mechanisms can cause early structural failure such as direct contact of the core debris with steel containment, rapid pressure and temperature loads, hydrogen combustion and missiles generated by fuel coolant interactions.

Containment Bypass

Involves failure of the pressure boundary between the high-pressure reactor coolant system and a low-pressure auxiliary system. For PWRs it can also occur because of the failure of the steam generator tubes, either as an initiating event or as a result of severe accident conditions. In these scenarios, if core damage occurs, a direct path to the environment can exist.

Containment Isolation Failure

Failure to isolate lines that penetrate the containment (the frequency of containment isolation failure [illegible] the frequency of pre-existing unisolable leaks).

Late Structural Failure

Involves structural failure of the containment several hours after reactor vessel failure. A variety of mechanisms can cause late structural failure such as gradual pressure and temperature increase, hydrogen combustion, and basemat melt-through by the core debris.

Containment Venting

Venting is classified as either late or early [illegible] depending upon when the vents are [illegible].


U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REGULATORY RESEARCH
Draft DG-1062

DRAFT REGULATORY GUIDE

DRAFT FOR COMMENT

An Approach for Plant-Specific, Risk-Informed, Decision Making: Inservice Testing

Regulatory Guide DG-1062

March 14, 1997

Contacts: B. Hardin (415-656. Fischer (415-2728)

ENCLOSURE 2


TABLE OF CONTENTS

1 INTRODUCTION
  1.1 Background
  1.2 Purpose and Scope
  1.3 Organization
  1.4 Relationship to Other Guidance Documents
  1.5 Relationship to the Maintenance Rule
  1.6 Relationship to the Proposed Data Rule
2 AN ACCEPTABLE APPROACH TO RISK-INFORMED DECISION MAKING FOR INSERVICE TESTING PROGRAMS
  2.1 Key Safety Principles
  2.2 A Four-Element Approach to Integrated [illegible]
    2.2.1 Element 1: Define Proposed Changes to the Inservice Testing Program
    2.2.2 Element 2: [illegible] Engineering Evaluation
    2.2.3 Element 3: Develop Implementation, Performance-Monitoring and Corrective Action Strategies
    2.2.4 Element 4: Document Program Proposal
3 ELEMENT 1: DEFINE PROPOSED CHANGES TO INSERVICE [illegible]
  3.1 [illegible]
  3.2 Description of Proposed Changes
4 ELEMENT 2: ENGINEERING EVALUATION
  4.1 Traditional Engineering Evaluation
    4.1.1 Evaluating the Proposed Changes to the Current Licensing Basis
    4.1.2 Inservice Testing Program Scope
    4.1.3 Inservice Testing Program Changes
    4.1.4 Relief Requests and Technical Specification Changes
  4.2 Probabilistic Risk Assessment
    4.2.1 Probabilistic Risk [illegible] for Inservice Testing [illegible]
    4.2.2 Calculating the Risk Increase from Changes in Test Interval
    4.2.3 Categorization of Components
    4.2.4 Other Technical Issues
      4.2.4.1 Initiating Events
      4.2.4.2 Dependencies and Common Cause Failures
      4.2.4.3 Uncertainty and Sensitivity Analyses
      4.2.4.4 Human Reliability Analyses
      4.2.4.5 Use of Plant-Specific Data
    4.2.5 Evaluating the [illegible] of the [illegible] on Plant Risk
  4.3 [illegible] of Conformance with Key Safety Principles
  4.4 Integrated Decision Making
5 ELEMENT 3: IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION STRATEGY
  5.1 Program Implementation
  5.2 Performance Monitoring
  5.3 Feedback and Corrective Action
  5.4 Periodic [illegible]
6 ELEMENT 4: DOCUMENTATION
  6.1 Risk-Informed Inservice Testing Program Plan
  6.2 Probabilistic Risk Assessment Records and Supporting Data
    6.2.1 Determination and [illegible] of Accident [illegible]
    6.2.2 Initiating Events
    6.2.3 Categorization of Inservice Testing Components
    6.2.4 Assessment of Proposed Change
    6.2.5 Uncertainty/Sensitivity Analyses
    6.2.6 Plant Data
  6.3 Integrated Decision Making Process Records
  6.4 Performance Monitoring Program
  6.5 Feedback and Corrective Action Program
  6.6 Implementation Plans and Schedule
7 REFERENCES
APPENDIX - DETAILED GUIDANCE FOR INTEGRATED DECISION MAKING
FIGURES

1 Principles of Risk-Informed Regulation
2 Principal Elements of Risk-Informed Plant-Specific Decision Making

ABBREVIATIONS / DEFINITIONS

ASME      American Society of Mechanical Engineers
CCF       common cause failure
CDF       core damage frequency
CLB       current licensing basis
EPRI      Electric Power Research Institute
FV        Fussell-Vesely risk importance measure
GQA       graded quality assurance
HEP       human error probability
HSSC      high-safety-significant component
ISI       inservice inspection
IST       inservice testing
LERF      containment large release frequency
LSSC      low-safety-significant component
MCS       minimal cut set
NEI       Nuclear Energy Institute
NUMARC    Nuclear Utilities Management Research Council
O&M       Operations and Maintenance (ASME committee)
PRA       probabilistic risk assessment
PSA       probabilistic safety assessment
RAW       risk achievement worth risk importance measure
RI-IST    risk-informed IST (e.g., RI-IST programs)
SRP       standard review plan
SSC(s)    structures, systems, and components
THERP     Technique for Human Error Rate Prediction
USAR      Updated Safety Analysis Report
USNRC     U.S. Nuclear Regulatory Commission

1. INTRODUCTION

1.1 Background

During the last several years both the U.S. Nuclear Regulatory Commission (NRC) and the nuclear industry have recognized that probabilistic risk assessment [illegible] where it can be used to a greater extent in supplementing [illegible] engineering approaches in reactor regulation. After the publication of its policy statement (Reference 1) [illegible] in nuclear regulatory activities, the Commission directed the NRC staff to develop a regulatory framework that incorporated risk insights. That framework was [illegible] November 27, 1995, paper to the Commission (Reference 2). This regulatory guide [illegible] addresses inservice testing (IST) and its companion regulatory documents [illegible] to the regulation of nuclear power plants.

In 1995 and 1996, the industry developed a number of documents [illegible] increased use of PRA in nuclear plant regulation. The American Society of Mechanical Engineers (ASME) published a research guidance document on risk-based [illegible] testing of certain plant components using risk insights. The Electric Power Research Institute [illegible] PRA Applications Guide (Reference 14) to provide utilities with guidance [illegible] information for both regulatory and non-regulatory applications. The [illegible] Institute (NEI) distributed a draft guideline on risk-based IST (Reference [illegible] and then distributed a revised guideline (Reference 16) based on comments [illegible]

1.2 Purpose and Scope

Current IST programs are performed in compliance with the requirements of 10 CFR 50.55a(f) and with Section XI of the ASME Boiler and Pressure Vessel Code, which are a part of each plant's current licensing basis (CLB).¹ This regulatory guide describes an acceptable alternative approach applying risk insights from PRA to make changes to a nuclear power plant's CLB specific to the IST program. An accompanying new Standard Review Plan (SRP) chapter (Reference 9) has been prepared for use by the NRC staff in reviewing RI-IST applications. Another regulatory guidance document, Regulatory Guide DG-1061, "An Approach for Plant-Specific Risk-Informed Decision Making: General Guidance" (Reference 3) is referenced throughout this report. Regulatory Guide DG-1061 provides overall guidance on the technical [illegible] that are common to developing acceptable risk-informed programs for all applications such as IST (this guide), inservice inspection, graded quality assurance, and technical specifications. Additional information on PRA applications is given in draft NUREG-1602, "A Standard for Probabilistic Risk Assessment (PRA) to Support Risk-Informed Decisionmaking," draft for comment September 27, 1996 (Reference 18). Further information regarding the relationship between this guide, the related SRP chapter, DG-1061, and NUREG-1602 will be given in Section 1.4.

This regulatory guide gives application-specific details on an acceptable method for developing risk-informed IST (RI-IST) programs and supplements the information given in Regulatory Guide DG-1061. It gives guidance on acceptable methods for utilizing PRA information together with established traditional engineering information in the development of RI-IST programs that have improved effectiveness regarding the utilization of plant resources while still maintaining acceptable levels of quality and safety.

In this regulatory guide, an attempt has been made to strike a balance in defining an acceptable process for developing RI-IST programs without being overly prescriptive. Regulatory Guide DG-1061 identifies a list of high-level safety principles that must be maintained during all risk-informed plant design or operational changes. Regulatory Guide DG-1061 and this guide identify acceptable approaches for addressing these basic high-level safety principles; however, licensees may propose alternate approaches for consideration by the NRC staff. It is intended that the approaches presented in this guide be regarded as examples of acceptable practice and that licensees should have some degree of flexibility in satisfying regulatory needs on the basis of their accumulated plant experience and knowledge.

¹ This regulatory guide adopts the 10 CFR Part 54 definition of current licensing basis. That is, "Current Licensing Basis (CLB) is the set of NRC requirements applicable to a specific plant and a [illegible] commitments for ensuring compliance with and operation within applicable [illegible] life of the license) that are docketed and in effect. The CLB includes the NRC regulations contained in [illegible] 73, 100 and appendices thereto; orders; license conditions; exemptions; and technical specifications. It also includes the plant-specific design-basis information defined in 10 CFR 50.2 as documented [illegible] report (FSAR) as required by 10 CFR 50.71 and the licensee's commitments remaining in effect that were made in docketed licensing correspondence such as licensee responses to NRC bulletins, generic letters, and enforcement actions, as well as licensee commitments documented in NRC safety evaluations or licensee event reports."

1.3 Organization

This regulatory guide is structured to follow the approach given [illegible]. Chapter 2 gives a brief overview of a four-element process envisioned [illegible] RI-IST program. This process is iterative [illegible] describes the first element in the process in which the [illegible] subsequent reviews will be performed. Chapter 4 contains guidance [illegible] engineering evaluation needed to support the proposed changes [illegible] process element). Chapter 5 addresses program implementation [illegible] corrective action (third element). Chapter 6 addresses documentation requirements (fourth element) for licensee submittal [illegible] in the licensee's records in case later review or reference is needed. Chapter 7 contains a list of references, and the appendix contains additional guidance [illegible] related decision making issues such as might arise during the [illegible] topics.

1.4 Relationship to Other Guidance Documents

This regulatory guide gives detailed guidance [illegible] Regulatory Guide DG-1061.

Companion regulatory guides (References 4-6) [illegible] guide. New SRP chapters associated with each of the risk-informed [illegible] in References 7-11. The SRP sections are intended for staff use during the [illegible] requests for risk-informed program changes. SRP Section 3.9.[illegible] and is consistent with the guidance given in this regulatory guide. References 12-17 give industry guidance for use in developing risk-informed [illegible] changes. These documents have provided useful viewpoints for [illegible] development of the NRC regulatory guidance documents.

1.5 Relationship to the Maintenance Rule

The Maintenance Rule requires that licensees monitor the performance or condition of structures, systems, or components (SSCs) against [illegible] goals, in a manner sufficient to provide reasonable assurance that such SSCs are capable of fulfilling their intended [illegible]. Such goals are to be established, where practical, commensurate with safety, and are [illegible] into account industrywide operating experience. When the performance or condition of a component does not meet established goals, appropriate corrective actions are to be taken. Component monitoring that is performed as part of the Maintenance Rule implementation can [illegible] used to satisfy monitoring needs for RI-IST, and for such cases, the performance criteria chosen have to be compatible to both the Maintenance Rule requirements/guidance and the RI-IST guidance provided herein. Where a licensee chooses to rely upon its Maintenance Rule monitoring to also satisfy the monitoring needs of its RI-IST program, for safety-related and important to safety SSCs, that monitoring should be subject to the requirements of [illegible] 10 CFR Part 50.

1.6 Relationship to the Proposed Data Rule

The proposed rule on reporting reliability and availability information for risk-significant systems and equipment (i.e., 10 CFR 50.76, 61 FR 5318) and the associated draft Regulatory Guide [illegible] 1046 (Reference 19) are intended to provide reliability and availability data on selected systems and equipment in U.S. commercial nuclear power plants for use by both the NRC and its licensees. The data would be compiled by the NRC in a centralized database. The definitions and information requested are intended to be sufficient to qualify the database for regulatory applications of probabilistic risk assessment (PRA) that fall within the limitations of the [illegible] RI-IST programs. Licensees that choose to implement RI-IST programs will be expected to [illegible] such plant-specific data, in conjunction with their plant-specific PRA, to help categorize components into the two IST component groups, i.e., low-safety-significant components (LSSCs) and high-safety-significant components (HSSCs). Information gained about the types of failures that occur will also help define the appropriate testing strategies for the two groups of components. In addition, these data will help to improve the accuracy of plant-specific PRA estimates of changes in plant risk projected to result from changes in IST programs.

2. AN ACCEPTABLE APPROACH TO RISK-INFORMED DECISION MAKING FOR INSERVICE TESTING PROGRAMS

2.1 Key Safety Principles

Regulatory Guide DG-1061 identifies five key [illegible] change applications. As indicated in Regulatory Guide [illegible], while these key [illegible] using traditional engineering terminology, efforts should be made, wherever feasible, to utilize risk evaluation techniques to help ensure and to show that these principles are met. These key principles and the location in this guide where each is addressed [illegible] follows:

1. The proposed change meets the current regulations. (This applies [illegible] change is explicitly related to a requested exemption or rule change.)

(This principle is addressed in Sections 3.1 and 4.1 of this guide.)

2. Defense-in-depth is maintained.

(Section 4.3)

3. Sufficient safety margins are maintained.

(Section 4.3)

4. Proposed increases in risk, and their cumulative effect, are small [illegible] NRC Safety Goals to be exceeded.

(Sections 4.2, 4.4)

5. Performance-based implementation [illegible] and monitor [illegible] corrective action.

(Chapter 5)

Regulatory Guide DG-1061 gives additional guidance on the key [illegible] risk-informed applications. Figure 1 of this guide, repeated from Regulatory [illegible], illustrates the consideration of each of these principles in risk-informed [illegible].

I

  • E 4 [
                                                                  .                                                                                           i DRAFTFOR COMMENT                                                                       l l

l l

                                                                                'i@d,,,4,.my?
    • **,an J 6. p.. < Q .

h' E,~..... e.,7 r

                                                  ~as
                                                    * * * ; \                                '
                                                                                                           /        pe@j
                                                                                   ,                                e      wy    .
                                                                                   % map edsj f                                  %                                                  1
                                               %m            eh                                            % ., am ma _ ,,    m ,ss, gA w                                                       .
s. Mand see ee se: w#

Figure 1 Principles of Risk-Informed Regulation

2.2 A Four-Element Approach To Risk-Informed Decision Making for Inservice Testing Programs

Chapter 2 of Regulatory Guide DG-1061 describes a four-element process for developing risk-informed regulatory changes. An overview of this process specifically related to RI-IST programs is given in this chapter and illustrated in Figure 2. The order in which the elements are performed may vary or occur somewhat in parallel depending on the particular application and the preference of the program developers.

2.2.1 Element 1: Define Proposed Changes to the Inservice Testing Program

In this element, the licensee should identify the particular components that would be affected by the proposed changes in testing practice. This would include those components currently in the IST program and possibly some that are not if it is determined through new information and insights such as the PRA that these additional components have importance for plant risk. Specific revisions to testing schedules and methods should be described. Plant systems and functions that rely on the affected components should be identified. Chapter 3 gives a more detailed description of Element 1.


2.2.2 Element 2: Conduct Engineering Evaluation

In this element, the proposed changes are examined in light of the cu[...] evaluate the effect of the changes. Areas that are to be evaluated in [...] the proposed RI-IST program on design basis [...] both used in the evaluation. The results of the two complementary methods [...] together in an integrated decision process that will be carried over [...] described below in Element 3. During the integration of all of the available [...] that many issues will need to be resolved through [...]soned judgement [...] been referred to in industry documents as being performed by an "expert panel." [...] further at the end of this chapter and in the appendix, this important process is [...] responsibility and may be accomplished by means other than a formal [...] safety principles discussed in this guide must be addressed and shown [...] of what approach is used for RI-IST program decision making.

In the planning stages of the program, PRA results may be used to catego[...] LSSC and HSSC groupings. After a plan has been developed, a calculation is made [...] plant-specific PRA to evaluate the effect of the planned program changes [...] measured by core damage frequency (CDF) and containment large early release frequency (LERF). The risk evaluation should explicitly consider the affected IST components [...] that it is feasible to model them in the PRA. The necessary scope of the PRA dep[...] particular systems as well as modes of operation that are affected. Regula[...] contains extensive guidance regarding the engineering evaluation including a[...] for projected risk change. Additional application-specific details concerning Element 2 are contained in Chapter 4 of this guide.

2.2.3 Element 3: Develop Implementation, Performance-Monitoring, and Corrective Action Strategies

In this element, plans are formulated that ensure that component reliability is maintained commensurate with the component's safety significance. The planned conditions for operation should be consistent with the assumptions in the PRA analysis to ensure that the PRA results reflect the expected plant behavior. Both testing intervals and methods should be s[...] to the extent practicable, the testing methods should address the relevant failure mechanisms [...] could significantly affect component reliability. In the event that component failure[...] the RI-IST program, guidance for evaluating the need for, and the implementation of [...] action should be included in the plans. Specific guidance for Element 3 is given in Chapter 5.

2.2.4 Element 4: Document Program Proposal

The final element involves preparing the documentation to be included in the submittal and that to be maintained by the licensee for later reference (i.e., archival) if needed. The submittal will be reviewed by the NRC according to the standard review plans given in SRP (NUREG-0800) Chapter 19 and Section 3.9.7 (References 7 and 9 respectively). Documentation requirements for RI-IST programs are given in Chapter 6 of this regulatory guide.

In carrying out this process, the licensee will need to make a number of decisions based on the best available information. Some of this information will be derived from traditional engineering practice and some will be probabilistic in nature resulting from PRA studies. It may be that certain issues discussed in this guide are best evaluated through the use of traditional engineering approaches, but for other issues, PRA may have advantages. It is the licensee's responsibility to ensure that its RI-IST program is developed using a well-reasoned and integrated decision process that considers both forms of input information (traditional engineering and probabilistic) including those cases in which the choice of direction is not obvious. Examples of this latter situation are when there is insufficient information to make a clear decision or if the PRA results appear to disagree with the traditional engineering data. This important decision-making process may at times require the participation of special combinations of licensee expertise (staff) depending on the technical and other issues involved and may at times also have a need for outside consultants. Industry documents have generally referred to the use of an expert panel for such decision making. The appendix to this guide discusses a number of IST-specific issues such as might arise in expert panel deliberations.

Figure 2 Principal Elements of Risk-Informed, Plant-Specific Decision Making

3. ELEMENT 1: DEFINE PROPOSED CHANGES TO THE INSERVICE TESTING PROGRAM

In this first element of the process, the propos[...] how their testing would be changed. Also included in this ele[...] implementation of the RI-IST [...].

3.1 Description of Proposed Changes

A full description of the proposed change in the IST program is pr[...] include:

(1) An identification of the aspects of the plant's [...] RI-[...] should also confirm that the plant's design and operation is in accordance [...] its CLB.

(2) An identification of the specific revisions to existing testing sc[...] result from implementation of the proposed program.

(3) An identification of the components in the plant's CLB that are [...] involved with the proposed testing changes. Any components [...] in the plant's IST program but are determined to be importa[...] insights) should also be identified. [...] supporting engineering [...].

(4) An identification of the information that will be used in suppor[...] include performance data, traditional engineering analyses and PR[...].

(5) A brief statement describing the way in which the proposed c[...] the Commission's PRA Policy Statement.

3.2 Formal Interactions With The Nuclear Regulatory Commission

This section gives guidance on the need for licensee reporting of program activities an[...] NRC review of [...] to RI-IST programs.

The licensee can make changes to its approved RI-IST program under the following [...]:

1. Changes made to the NRC-approved RI-IST program that could affect the process a[...] were reviewed and approved by the NRC staff (including the change in plant risk associated [...] implementation of the RI-IST program) should be evaluated to ensure that the basis [...] approval has not been compromised. If there is a question regarding this issue, the [...] seek NRC review and approval prior to implementation.

All changes should also be evaluated using the change mechanisms described in existing regulations (e.g., 10 CFR 50.55a, 10 CFR 50.59) to determine if NRC review and approval [...] required prior to implementation. For example:

  • Changes to component groupings, test intervals, and test methods that do not [...] change to the overall RI-IST approach where the overall RI-IST approach w[...] approved by the NRC do not require specific (i.e., additional) review and a[...] implementation provided that the effect of the changes on plant risk increase is [...].
  • Component test method changes involving the implementation of an NRC endorse[...] Code, NRC-endorsed Code Case, or published NRC guidance which were app[...] of the RI-IST program do not require prior NRC approval.
  • Test method changes that involve deviation from the NRC-endorsed Code requirements [...] require NRC approval prior to implementation.
  • Changes to the RI-IST program that involve pro[...] (e.g., changes to the probabilistic model assumptions, changes to the grouping criteria or [...] categorize components, and changes in the Acceptance Guidelines u[...] integrated decision-making process) require NRC approval prior to implementation.

[...] test method changes will typically involve the implementation of an appli[...] Code or code case (as approved by the NRC) or published NRC guidance. Changes to the component test methods for these situations do not require prior NRC approval. [...] method changes that involve deviation from the NRC approved code requirements [...] approval prior to implementation.

The licensee will include in its submittal a proposed process for determining when fo[...] review and approval are or are not necessary. As discussed, once this proces[...] NRC, formal NRC review and approval are only needed when the process de[...] review is necessary, or when changes to the process are requested.


4. ELEMENT 2: ENGINEERING EVALUATION

Overview of Approach

After the proposed change to the licensee's IST program has b[...] an engineering evaluation of the proposed change using a combin[...] engineering methods and PRA. The purpose of this evaluation is [...] in light of the current licensing basis of the plant to ensure that plant [...] acceptable levels. The results of this evaluation are to be used in co[...] information such that the two different approaches complement [...]. [...] one of this evaluation is to confirm that the proposed program change will not a[...] defense in depth and other key safety principles described in Chapter 2. Regu[...] general guidance for the performance of this evaluation supplemen[...] guidance herein.

4.1 Traditional Engineering Evaluation

This part of the evaluation is based on traditional engineering methods (not [...] to be evaluated from this viewpoint include the potential effect of the proposed RI[...] on design basis accidents, defense-in-depth attributes and safety margins. As indic[...] defense-in-depth and safety margin should also be evaluated, as feasible, using risk [...] (PRA).

4.1.1 Evaluating the Proposed Changes to the Current Licensing Basis

A broad review of the CLB may be necessary. Proposed IST program changes could [...] requirements or commitments that are not explicitly stated in the licensee's sa[...]. Furthermore, staff approval of the design, operation, and maintenance of [...] facility have likely been granted in terms other than probability, consequence[...]. Therefore, it may be more appropriate to evaluate proposed IST program changes against more explicit criteria (e.g., criteria used in either the licensing process or to determine the acceptability of component design, operation and maintenance).

Section 50.55a of 10 CFR allows the Director of the Office of Nuclear Regulation to [...] alternatives to the specific requirements of this regulation provided that the proposed [...] will ensure an acceptable level of quality and safety. Thus, alternatives to the examples of acceptable RI-IST approaches presented in this guide may be proposed by licensees so long as supporting information is provided that demonstrates that the key safety principles discussed in Chapter 2 of this guide are maintained.

Acceptance Guidelines

The sources of information for the traditional engineering part of the evaluation should include the IST plan information including component functions from the design-basis documents, references to relevant plant licensing commitments, and approved relief requests. On a component-specific basis, the licensee should identify each instance where the proposed IST program change will affect the CLB of the plant and document the basis for the acceptability of the proposed change by explicitly addressing each of the key safety principles. If the CLB is not affected by the proposed IST program changes, the licensee should indicate this in its RI-IST program description.

4.1.2 Inservice Testing Program Scope

10 CFR 50.55a specifies IST requirements for certain safety-related pumps, valves and snubbers. These components are to be tested according to the requirements of Section XI of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code (the Code) or the applicable Operations and Maintenance (O&M) Code. Both Section XI and 10 CFR 50.55a state that the IST program includes certain components classified by the licensee as components which are required to perform a specific function in shutting down a reactor, maintaining the shutdown condition, or mitigating the consequences of an accident.

To ensure that the proposed RI-IST program will provide an acceptable level of quality and safety, the licensee should use the PRA to identify the appropriate scope of components to be included in the program. All of the components that are important to the scope of an RI-IST program must be identified. This will normally include all components that are within the scope of the current IST program. In addition, licensees may identify structures, systems and components (SSCs) with high risk significance which are not currently subject to traditional Code requirements or to a level of regulation which is commensurate with their risk significance.

PRA systematically takes credit for non-Code structures, systems and components (SSCs) as providing support, acting as alternatives, and acting as backups to those SSCs that are within the current code. To maintain the validity of the PRA as it is used to categorize components and to evaluate the effect of the proposed RI-IST program on plant risk, the assumptions regarding component reliability and availability must be preserved. [...], these addition[...] should be included in licensees' RI-IST programs. Specifically, the licensee's [...] scope should include those ASME Code Class 1, 2 & 3 and non-Cod[...] li[...]'s integrated decision making process categorized as HSSCs and [...] components [...] to be appropriate additional candidates for the RI-IST program.

To preserve the PRA assumptions which contribute to supporting the propose[...], the PRA should also be used to evaluate RI-IST program test requirement[...] methods) as well as practicable. Consequently, for the IST componen[...] proposed RI-IST program, the licensee should examine the test strategie[...] evaluate the test strategy effectiveness, and where appropriate, modify the test strateg[...].

Acceptance Guidelines

The RI-IST program scope is acceptable if it includes, in addition to components [...] Code prescribed program (i.e., Code class 1, 2, & 3 components), those ASM[...] & 3 and non-Code components categorized as HSSC. Test strategies should be [...] ensure that they are consistent with PRA assumptions.

4.1.3 Inservice Testing Program Changes

This section discusses what licensees need to consider if they propose to change [...] intervals (i.e., if they propose to continue to use the existing approved Code [...] they choose to change both IST intervals and test methods.

Acceptance Guidelines - General

The licensee should reevaluate the IST interval (and methods as applicable) for HSSC components that were the subject of an approved relief request, or an NRC-a[...] alternative test. The licensee should resubmit relief requests, and requests that a[...] authorized, along with risk-related insights, for NRC staff review and approval.

In establishing the test strategy for LSSC components, the licensee should consider [...] design, service condition, and performance, as well as risk insights. The pr[...] must be supported by both generic and plant-specific failure rate data and the test interval should be significantly less than the expected time to failure of the SSC in question. The rationale for the proposed change in test interval and its relationship to expected time to failure should be provided. The licensee should ensure that adequate component capability (i.e., margin) exists, above that required during design basis conditions, such that component operating characteristics over time do not result in reaching a point of insufficient margin before the next scheduled test activity.

The IST interval should generally not be extended beyond once every 5 years or 3 refueling outages (whichever is longer) without specific compelling documented justification. Extensions beyond 5 years or 3 refueling outages (whichever is longer) will be considered as component performance data at extended intervals is acquired and as PRA technology improves.

IST components (with the exception of check valves) should, as a minimum, be exercised or operated at least once every refueling cycle. If practical, more frequent exercising should be considered for components in any of the following categories:

i) Components with high-risk significance;
ii) Components in adverse or harsh environmental conditions; or
iii) Components with any abnormal characteristics (operational, design, or maintenance conditions).

Licensees choosing to pursue RI-IST programs should consider the adoption of enhanced test strategies developed with ASME risk-based IST Code cases endorsed by the NRC (see footnote 2) (or the revised ASME Code after the risk-based Code cases get incorporated into the Code and endorsed by the NRC). Deviations from endorsed Code cases (or revised ASME Code) should be reviewed and approved by the NRC staff via relief requests prior to implementation.

For components that the licensee proposes to place in the HSSC category and that are not in the licensee's current IST program, the following conditions should be met: These components should be tested in accordance with the ASME Code cases (or revised ASME Code), including compliance with all administrative requirements. Where ASME Section XI or O&M Code testing is not practical, alternative test methods should be developed by the licensee to ensure operational readiness and to detect component degradation [...] with failure modes identified as being important in the licensee's PRA). As a m[...] summary of alternative test methods should be reviewed and appr[...] review and prior to implementation of the RI-IST program at the plant.

Footnote 2: Generic Letter 96-05, "Periodic Verification of Design-Basis Capability of Safety-Related Motor-Operated Valves," issued September 18, 1996, [...] that risk insights may be used in [...] MOV periodic verification programs. It also endorses (with limitations) ASME non-mandatory Code Case OMN-1, entitled "Alternative Rules for Preservice and Inservice Testing of Certain Electric Motor-Operated Valve Assemblies in LWR Power Plants, OM Code 1995 Edition; Subsection ISTC." This code case provides for the use of risk insights in establishing an MOV test program; however, detailed guidance is not included. Licensee programs are subject to NRC review.

Acceptance Guidelines - Changes to Test Interval (Only)

If a licensee proposes to only change IST interval (i.e., if the licensee pro[...] the existing approved Code test methods), then the process used by the l[...] components should satisfy the following conditions:

a) The engineering evaluation should give considera[...]sed intervals.

b) The effectiveness of the current IST program in determining the [...] component to carry out its intended function should be [...]. Test inter[...] only be extended for components that are tested using methods that hav[...] detect component degradation associated with the important failure modes and [...] identified in the plant's PRA.

c) Extensions to test intervals will be "step-wise."

Acceptance Guidelines - Changes to Test Interval and Method

A process (similar to that described in Reference 16) should be used to [...] test strategy for IST components. For the HSSC components this should inv[...] activities:

i) a component failure mode and cause analysis;
ii) a structured qualitative assessment of the effectiveness of each potential te[...] on its ability to detect failure, to detect conditions that are precursors to failu[...] and predict end of service life; and
iii) a strategy formulation and evaluation for each component taking into account generic and plant-specific performance histories.

These tasks may be [...] through the ASME's IST Code Case (References 13 and 17) [...] approved by the NRC. If a licensee proposes to change both IST intervals and IST [...] then the process used by the licensee to categorize components should identify components whose test strategy should be more focused as well as components whose test strateg[...] relaxed. Extensions to test intervals should be made step-wise.

4.1.4 Relief Requests and Technical Specification Changes

Licensees proposing changes in IST programs based on risk considerations need to address certain issues related to requesting relief from existing program requirements:

Acceptance Guidelines

  • Relief is required for any HSSC or LSSC components for which the test methods are not in accordance with NRC approved ASME code requirements or NRC guidance.
  • Relief is required for any HSSC components for which the test frequencies are not in accordance with the approved ASME code requirements or NRC guidance.
  • The licensee must submit and have approval of a technical specification amendment prior to implementing the RI-IST program for any components for which there are proposed changes in technical specification requirements.

On a component-specific basis, the licensee should identify each instance where the proposed RI-IST program change is not consistent with the guidance given above. In each such case, the licensee should document the basis for the acceptability of the proposed difference.

4.2 Probabilistic Risk Assessment

Overview of Approach for Probabilistic Evaluations

Issues specific to the IST risk-informed process are discussed in this section. Regulator[...] DG-1061 contains much of the general guidance which is applicable for this topic.

The risk-informed application process is intended not only to support relaxation (test interva[...] method), but also to identify areas in which increased safety resources would be justified.


An acceptable RI-IST process should therefore not focus exclu[...] testing could be justified. [...] increased testing justified for [...] whose operability is indirectly and partia[...] to verify [...]. This chapter, therefore, addresses IST-specific consider[...] order to support bot[...] relaxation and [...] of verification of component operability.

The following PRA outputs are generally needed for RI-IST applications:

1. core damage frequency (CDF) and CDF change
2. containment large early release frequency (LERF) and LERF change
3. minimal cut sets (MCS)
4. Fussell-Vesely importance (FV) and risk achievement worth (RAW) [...] after proposed changes, including those from all sensitivity studies.

In addition, the FV and RAW importances of all components are requi[...] which increased attention (IST or other programs such as technical specifica[...] warranted.

4.2.1 Probabilistic Risk Assessments for Inservice Testing Applications

Quality and Scope of the PRA

For the quantitative results of the PRA to play a major and direc[...] a need to ensure that they are derived from "quality" analyses. Guidance in qual[...] baseline PRA and for the scope of the PRA is provided by the Regulatory Guide DG-1061.

Level of Detail of the PRA

The development of a RI-IST program will require that plant-specific PRA informa[...] available to identify those IST components that contribute most significantly to the plan[...] estimated risk. Components covered should include the following:

  • Safety-related components that are relied on to remain functional during and [...] basis or beyond design basis events to ensure the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and maintain it in a safe shutdown condition, and the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposure comparable to 10 CFR Part 100 guidelines.
  • Non-safety-related components
      - that are relied on to mitigate accidents or transients or are used in plant emergency operating procedures
      - whose failure could prevent safety-related components from fulfilling their safety-related function
      - whose failure could cause a reactor scram or actuation of a safety-related system

Acceptance Guidelines

This issue is addressed adequately if:

  • The PRA quality and scope is acceptable as defined in the general Regulatory Guide DG-1061.
  • The components in the proposed RI-IST program are included in the PRA model, or reasons why they are not modeled are justified and documented in terms of the potential effect on the plant's risk.
  • All components in the proposed RI-IST program for which credit is taken regarding the plant's accident response capability are shown to be within the scope of programmatic activities (IST, GQA, ISI, maintenance, monitoring).
  • The licensee justifies that the proposed RI-IST program will not introduce vulnerabilities or remove from programmatic activities components needed to ensure satisfactory safety performance.

In addition, this guide describes licensee documentation and submittal needs for NRC review.


4.2.2 Calculating the Risk Increase from Changes in Test Interval

In order for the PRA to support the decision [...], the [...] mapping between the components associated with IST and [...]. Part of the basis for the [...] of any RI-IST program is a quantitative demonstration by use of a qualified PRA that established risk [...] increased by the proposed extension in testing intervals for sel[...]. [...] establish this demonstration, it is necessary that the PRA include [...] mod[...] account for the change in reliability of the c[...]. For example, enhanced testing might be shown to improve [...] even if the interval is extended. That is, a better test might compensate fo[...] between tests. Licensees who apply for subst[...] increased intervals under consideration.

The following steps should be performed:

(1) identification of all RI-IST systems, and components
(2) identification of all affected cut-sets and RI-IST-related basic events
(3) review of the model used to quantify each affected basic event. Mos[...] process should consider the effect of test strategy (interval and [...]

A check should also be performed to determine if non-IST manipulation [...] in IST basic events or in compensating-component basic events. If a component is stroked or challenged between instances of IST, and if these activities are actually [...] recognition of a component failure, then the effective fault exposure t[...] RI-IST interval. It can be appropriate to take credit for this effective shorten[...] time in the PRA quantification, provided that there is assurance that the [...] are in fact identified by the stroking or the system challenges. This is not a[...] functional success can be achieved by any one of n components in para[...] even if n-1 of the components fail, then merely monitoring successful fun[...] response does not show whether all components are good, unless [...] component's state is undertaken. In addition to this, some instances of revea[...] fault through challenge have adverse consequences, including [...] taken for shortening fault exposure time through functional challenges, then it is nece[...] account for this downside in the quantification of accident frequency.

                                                                                                         ,        +        .
                                             'DRAFTFOR COhBfENT                                                       .

Modeling Increases in Test Interval

The relationship between the component unavailability on demand, $q$, and the test interval is usually approximated by:

$$q = \tfrac{1}{2}\lambda T$$

where $\lambda$ is the failure rate, and $T$ is the time interval between tests.

In addition to transitions to a failed state that occur between component demands or tests, there is also a "demand-related" contribution to unavailability, corresponding to the probability that a component will fail to operate when demanded, even though for some purposes it would have been considered "good" before being subjected to the stress of the demand itself. This would have the effect of adding a constant to the test-interval-dependent contribution to $q$ identified above. The assumption that the total $q$ scales linearly with the test interval (i.e., doubles when test interval doubles) is "conservative" in the sense that it scales the test-interval-independent contribution along with the test-interval-dependent contribution, and in that respect tends to overstate the effect of test interval extension. This approximation is therefore considered acceptable; however, it should be noted that guidance aimed at improving the capability of tests to identify loss of performance margin is aimed partly at reducing the "demand" contribution as well, so that improved modelling in this area would appear to have the potential to support further improvements in allocation of safety resources.

As test intervals are extended, there is some concern that the failure rate, $\lambda$, may increase. This failure rate, generally assumed constant, is based on data from current IST test intervals, and therefore does not include effects which may arise from extended test intervals. It is possible that insidious effects such as corrosion or erosion, intrusion of foreign material into working parts, adverse environmental exposure, breakdown of lubrication, etc., which have not been encountered with the current shorter test intervals could significantly degrade the component if test intervals become excessively long. One way to address this uncertainty is to use the PRA insights to help to design an appropriate implementation and monitoring program, for example, to approach the interval increase in a stepwise fashion rather than going to the theoretically-allowable maximum in a single step, or to stagger the testing of redundant components (test different trains on alternating schedules) so that the population of components is being sampled relatively frequently, even though individual members of the population are not. By using such approaches, the existence of the above effects can be [...] and [...] measures taken [...] testing of the remaining population [...]. However, it is important that the m[...] includes enough tests to be relevant, and that the tests are capable of detec[...] degradation (performance monitoring is discussed in Section 5.2).

Modeling Enhanced Testing Procedures

In addition to the issues raised by leaving components untested for longer periods, [...] the issue of test effectiveness. Licensees are encouraged to employ enhanced testi[...] to improve detection of degraded and failed components. All licensees proposi[...] testing intervals should also address test effectiveness. This includes both consc[...] improve testing according to state of the art guidance, and, for licensees who w[...] credit for detecting degraded components, improvements in reliability modelling of basic [...] probability as a function of testing policy.

Acceptance Guidelines

  • The PRA should include a model which provides an appropriate measure of the risk significance of extending the test interval on selected components. This require[...] model directly addresses the change in component availability as a function of tes[...] The analysis should include:
      • an explicit quantitative consideration of the degradation of the component failure rate as a function of time, supported by appropriate data and analysis, OR
      • arguments which support the conclusion that no significant degradation will occur.
  • The model should consider the effects of enhanced testing to the extent practicable. If the application seeks a substantial increase in interval, then a proactive search for compensating improvements in testing should be made. If the testing is shown to be already as effective as can be expected, then an absolute requirement for test improvement should not be imposed. However, an evaluation should be made to determine whether any common cause group is slated for a major extension of test interval, and if so, whether there is any way that enhanced testing could address common cause potential.
  • If credit for enhanced testing was taken, the model should treat it [...].

4.2.3 Categorization of Components

General guidelines for risk categorization of components using importance measures and other information are provided in Regulatory Guide DG-1061. These general guidelines address acceptable methods for carrying out categorization and some of the limitations of this process. Guidelines that are specific to the IST application are given in this section. As used here, risk categorization refers to the process for grouping IST components into LSSC and HSSC categories.

As indicated, risk importance results from the PRA may be used as one of the inputs to the categorization process. Unfortunately, many components of interest to RI-IST are often not included in [...] PRA models, and so there is no quantified risk importance information for these components. When feasible, adding these components to the PRA should be considered by the licensee. In cases where this is not feasible, information based on traditional engineering analyses and judgement must be used to determine if a component should be treated as LSSC or HSSC.

The identification of [...] for a change in IST intervals or test methods can be done using different methods. Component categorization by use of PRA importance measures to classify components into HSSC and LSSC categories is one method. Categorization or component grouping may also be accomplished using more traditional engineering approaches with data developed from operating experience. In addition to component categorization efforts, the determination of safety significance of components by the use of PRA-determined importance measures is important for several other reasons:

  • When performed with a series of sensitivity evaluations, it can identify potential risk outliers by identifying IST components which could dominate risk for various plant configurations and operational modes, PRA model assumptions, and data and model uncertainties.
  • Importance measure evaluations can provide a useful means to identify improvements to current IST practices during the risk-informed application process.
  • System level importance results can provide a high level verification of component level results and can provide [...] for the [...] of IST components that are not modeled in the PRA.

While categorization is an essential step in defining how the RI-IST will be implemented, it is not an essential part of ensuring the maintenance of an acceptable level of plant risk. As described in Section 4.2.5, the sensitivity of risk importance measures to changes in IST strategy (i.e., proposed for RI-IST) can be used as one input to overall understanding of the effect of this strategy on plant risk. However, the traditional engineering evaluation described in Section 4.1 and the calculation of change in overall plant risk described in Section 4.2.5 provide the major input to the determination of whether the risk change is acceptable or not.

Acceptance Guidelines

When using risk importance measures to identify high and low safety significant components, potential limitations of these measures have to be addressed. Variations (including uncertainties) in PRA modeling techniques, assumptions, and data could have a significant impact on the results of the component categorizations using importance measures. Sensitivity studies and/or other evaluations have to be carried out to ensure that changes in risk importance categorizations due to these effects do not result in RI-IST programs that have unacceptable levels of plant risk. Issues that have to be considered and addressed when determining low safety significance of components include: truncation limits; different risk metrics; multiple component importance; consideration of all allowable plant configurations; sensitivity analysis for common cause failures; and sensitivity analysis for recovery actions. These issues are discussed in more detail in Regulatory Guide DG-1061.

In addition to results from PRA importance measures (and the associated sensitivity studies), IST components should also be categorized based on traditional engineering considerations and on plant-specific operational characteristics.

4.2.4 Other Technical Issues

4.2.4.1 Initiating Events

For purposes of determining RI-IST [...], all initiating events (internal and external) and all operating modes should be evaluated to see whether initiating events and predicted plant response are affected by RI-IST [...] changes. At a minimum, all internal event initiators that have been evaluated in the PRA and all external event initiators that have been shown to contribute to the upper 95 percent of the total CDF have to be included in the IST risk determination process. In addition, other initiators including those that have been screened out (eliminated) from the base PRA have to be considered by answering the following questions.

(1) Does the IST issue involve a change that could lead to an increase in the frequency of a particular initiator already included in the PRA?
(2) Does the IST issue involve a change that could lead to an increase in the frequency of a particular initiator initially screened out of the PRA?
(3) Does the IST issue affect the quantification of previously identified accident scenarios for specific initiators that were screened out and eliminated from the PRA because of truncation?
(4) Does the IST issue affect only specific initiators?
(5) Does the IST issue have the potential to introduce a new initiating event?

Acceptance Guidelines

(1) The impact of the proposed plant change on the potential for event initiators (internal and external) already included in the PRA should be determined. For example, less frequent testing could lead to an increase in the frequency of transients for the loss-of-feedwater or loss of support systems. The initiators included in an evaluation should include any initiators for which the plant change directly affects the frequency of the initiating event.
(2) The impact of the plant change on the frequency of an initiating event originally identified in the PRA but screened due to low frequency should be determined. For example, if less frequent pump and valve testing could lead to an increase in the frequency of loss-of-coolant-accident (LOCA) initiators that were initially screened from an an[...] shutdown plant operational state (POS), then the impact of such an [...] frequency should be reexamined.
(3) The impact of the plant change on the failure rates of SSCs already [...] analysis should be [...]. SSCs that show a change in their failure pro[...] result of the plant change should be addressed in the analysis. Therefor[...] depend on the affected SSCs to achieve safe shutdown and that w[...] from the PRA should be [...].
(4) If the regulatory issue affects only specific initiators, then only those speci[...] should be reexamined. For example, if the issue results in changes only to th[...] failure probabilities, then only those initiators important to fire risk will have to be reexamined.
(5) The effect of an IST program change should be examined to determine whether [...] introduce a new initiating event. If so, then its effect should be included in the PRA.

4.2.4.2 Dependencies and Common Cause Failures

The effects of dependencies and Common Cause Failures (CCFs) for IST [...] considered carefully because of the significance they can have on core damage frequency. Generally, data are insufficient to produce plant-specific estimates based solely on [...] CCFs, data from generic sources may be required.

Acceptance Guidelines

  • For those components for which CCF contributions are not [...] in the PRA model and this exclusion is justified on the basis of historical and engineering evidence driven by current IST requirements, there would be no assurance that the CCF contribution would not become significant under the new proposed IST requirements. Therefore, this issue has to be addressed either using sensitivity studies or as part of a qualitative assessment.
  • For RI-IST applications, the potential for cross system CCFs should be investigated. Guidance for performing such evaluations is given in Regulatory Guide DG-1061.

4.2.4.3 Uncertainty and Sensitivity Analyses

Uncertainty and sensitivity analyses are expected to play an important (and complex) part in the support of risk-informed IST program changes. The current guidance on these topics is given in Regulatory Guide DG-1061. It is expected that certain application-specific guidance will be developed from the ongoing NRC reviews of the proposed RI-IST pilot plant programs.

4.2.4.4 Human Reliability Analyses

Guidance on this topic is given in Regulatory Guide DG-1061. Some IST-specific guidance follows.

Acceptance Guidelines

  • The technique(s) used to identify and quantify human actions should be such that they take into account the performance-shaping (or performance-influencing) factors that are applicable for IST-related events.
  • The effects of innovative recovery actions that are modeled in the PRA should be considered to determine how component ranking can be affected. The concern here stems from situations in which very high success probabilities are assigned to recovery events for certain sequences, thereby resulting in related components being risk insignificant.
  • Furthermore, the ranking of SSCs should not be affected by recovery actions that are only modeled for limited scenarios. Sensitivity analyses should be used to assess the impact of variations in the probability of failure to recover.

4.2.4.5 Use of Plant-Specific Data

In selecting appropriate failure rate data to use in the RI-IST program for the IST components, the analyst is frequently faced with the question of whether to use plant specific or generic data, or some combination of the two. For newer plants with little operating history, the only choice is use of generic data. For those cases where significant plant specific data are available, usually it is most appropriate to combine plant specific and generic data with a method that gives appropriate weight to each.
As extended test intervals are phased in, revisiting failure data becomes more important. It also becomes more important for each licensee to review operating experience (in particular, [...] mechanisms) experienced at other plants for [...] to the licensee's plant. Performance monitoring at individual plants cannot be expected to provide sufficient experience to justify failure rates significantly less than generic failure rates without reference t[...] experience of other plants.

Finally, in [...] plant-specific failure data, it is important to be able to recognize poorly-performing individual components rather than allowing poor performance of a s[...] component to be averaged over all components of that type. Poor performance may arise because of inherent characteristics of one member of what would otherwise be considered a uniform population. This would result in a higher than expected failure rate for the population [...] less relaxation than might be [...]. Of more concern is poor performance of components that arises because they are operating in a more demanding environment, for example. If, for reasons of [...], these components are grouped together with others for which the operating conditions are more favorable, then their failure rates could become artificia[...] and, if requirements are relaxed based on the group failure rate, this could lead to a significant probability of experiencing an in-service failure of one of these poor performers.

Acceptance Guidelines

  • For those cases where [...] plant specific data are available, it is acceptable to use such data if they are appropriately combined with generic data. For those licensees who propose to use plant specific data only, the data should be justified.
  • When the PRA is [...] periodically, components that have experienced failures should be checked for evidence that they are especially poor performers. An extreme example of such evidence would be multiple failures experienced by a single component in a class whose other members have experienced no failures over the same interval. Components that have experienced failures should be reviewed to see whether the testing scheme (interval and methods) would be considered adequate to support the performan[...] to them in the risk analysis, based on a component-specific failure rate consistent with the number of failures experienced. Section 5.3 of this guide discusses feedback and corrective action.

4.2.5 Evaluating the Effects of the Proposed Changes on Plant Risk

An assessment of the overall or cumulative effect of all proposed changes in plant design and operation on plant risk is critical to determining the [...] of the [...]. This guide addresses acceptable methods for assessing risk changes associated with IST program changes; however, if changes in graded quality assurance or technical specifications are also being considered, the integrated effects of all of these proposed activities should be evaluated. [...] should not assume a low failure rate in one application, e.g., IST, then reduce quality assurance of components included in the IST program (possibly negating the assumed low failure rate) without providing justification. It is possible that more frequent testing (RI-IST) could compensate for a reduction in quality assurance or maintenance provided, again, that supporting analysis and documentation is included in a licensee's submittal.

Acceptance Guidelines

See Section 2.4.2 of Regulatory Guide DG-1061 for more extensive guidance on this subject.

4.3 Demonstration of Conformance with Key Safety Principles

Section 2.1 of this guide indicates specific sections of the guide that address each of the key safety principles including acceptance guidelines. Two of the more difficult areas are those involving consideration of defense in depth and safety margin. These are addressed in this section to identify the major areas to be considered consistent with Regulatory Guide DG-1061. More application specific guidance will be added after the staff gains more experience from the review of the IST pilot plant programs.

Defense-in-depth evaluation

As stated in Regulatory Guide DG-1061, general design criteria, national standards and engineering principles such as the single failure criterion are to be considered. Assurance that this criterion is met is when:

  • the PRA shows that there is preserved a reasonable balance between core damage prevention, prevention of containment failure, and consequence mitigation,
  • there is not an over-reliance on programmatic activities to [...] for plant desig[...] [...],
  • system redundancy, independence and diversity are maintained [...]ed frequency and [...] of challenges to the system,
  • defenses against potential common cause failures are [...] and the int[...] new common cause failure mechanisms is avoided,
  • independence of barriers is not degraded, and
  • defenses against human errors are maintained.

Safety margin evaluation

Assurance that this criterion is met is mainly demonstrated by showing that the codes and standards or alternatives approved for use by the NRC that are associated with IST a[...] in Section 4.1 are met. The second means for demonstrating sufficient safety margin is a review of the safety analysis acceptance criteria in the CLB (e.g., updated safety analysis repo[...] supporting analyses) showing that these criteria are still met for the proposed RI-IST p[...] that sufficient margin exists to account for analysis and data uncertainty.

4.4 Integrated Decision Making

This section discusses the integration of all of the technical considerations involved in revie[...] submittals from licensees proposing to implement RI-IST programs. General guidance for risk-informed applications is given in Regulatory Guide DG-1061 (Reference 3) and in the new S[...] sections, Chapter 19 (Reference 7) for general guidance, and Section 3.9.7 (Reference 9[...] programs. These documents discuss a set of regulatory findings that form the basi[...] writing an acceptable safety evaluation report (SER) for a licensee's risk-informed application. Specifically, Section 2.1 of Regulatory Guide DG-1061 identifies a set of "[...]" that [...] should follow in addressing the key safety principles. Due to the importance of these findings, certain of them will be repeated here.

Necessary Findings

  • The comprehensive plant model, including the PRA and the associated deterministic analysis, is technically sound and supports the rest of the findings regarding the proposed RI-IST program. The analysis is based on the as-built and as-operated and maintained plant.
  • All safety impacts of the proposed changes to the licensee's IST program have been evaluated in an integrated manner as part of an overall risk management approach in which the licensee is using risk analysis to improve operational and engineering decisions broadly and not just to eliminate requirements he sees as undesirable. The approach used to identify changes in requirements for IST were used to identify areas where requirements in IST should be increased as well as reduced.
  • The acceptability of the proposed changes to the licensee's IST program have been evaluated by the licensee in an integrated fashion that ensures that all of the key safety principles are met.
  • The [...] risk evaluation [...] for all of the proposed IST program changes confirms that changes to the plant core damage frequency (CDF) and large early release frequency (LERF) are small in conformance with the guidelines given in Section 2.4.2.1 of Regulatory Guide DG-1061.
  • Appropriate consideration was given to uncertainty in the analyses and interpretation of the results.
  • Certain qualitative and defense-in-depth evaluations have been performed, and insights from these have been duly incorporated into the classification scheme, the performance goals, and the associated programmatic activities. These evaluations confirm that sufficient safety margins and defense in depth are [...].
  • The licensee's proposal was subjected to quality controls including an independent peer review.
  • Pumps, valves, snubbers and operator actions have been identified and appropriately classified for use in prioritizing and implementing the program. In particular, important components not modeled in the PRA have been identified and appropriately classified utilizing available deterministic supporting information.

  • After the RI-IST program is approved and [...], plant perfor[...] testing and analysis and maintained by programmatic activities s[...]
  • The data, analysis methods and assessment criteria used i[...] are scrutable and available for public review.

These findings are seen to comprise both probabilistic and traditio[...] which are addressed in more detail in this chapter and in Regulatory Guid[...]

Licensees are expected to review [...] related to outage pla[...] that they are appropriately reflected in the licensee's component group[...] verify that IST components that play an integra[...] significant component group. This should include c[...] developed to support the outage.

[...] are also expected to review licensing basis documentation to ens[...] engineering related factors mentioned above are adequately modeled o[...] the PRA analysis.

When making final programmatic decisions, choices must be made based on a[...] information. There may be cases where information is incomplete or where conflicts appear to exist between the traditional engineering data and the PRA-generated information. It is the responsibility of the licensee in such cases to ensure that well-reasoned judg[...] resolve the issues in the best manner possible including due consideration to the safe[...] plant. This process of integrated decision making has been discussed in various ind[...] documents (References 14 through 19) with reference to the use of an "expert panel." [...] appendix to this regulatory guide includes some detailed guidance on certa[...] decision making specific to RI-IST programs. As discussed in the appendix, it is not intended to specify that an administrative body such as an expert panel must be always formed to fulfill this function. Following below are some general acceptance guidelines for this important activity with more specific details given in the appendix.

In summary, acceptability of the proposed change should be determined using an integrated decision-making process that addresses three major areas: (1) an evaluation of the proposed change in light of the plant's current licensing basis, (2) an evaluation of the proposed change relative to the key principles and the acceptance criteria, and (3) the proposed plans for implementation, performance monitoring, and corrective action. As stated in the Commission's Policy Statement on the increased use of PRA in regulatory matters, the PRA information used to support the RI-IST program should be as realistic as possible, with reduced unnecessary conservatism, yet including a consideration of uncertainties. These factors are very important when considering the cumulative plant risk and accounting for possible risk increases as well as risk benefits. The licensee should carefully document all of these kinds of considerations in the RI-IST program description including those areas that have been quantified through the use of PRA as well as qualitative arguments for those areas that cannot be readily quantified.

Acceptance Guidelines

  • The licensee's proposed RI-IST program should be supported by both a traditional engineering analysis and a PRA analysis.
  • The licensee's RI-IST program submittal should be consistent with the acceptance guidelines contained throughout this regulatory guide, specifically with the findings listed in this section, or justify why an alternative approach is acceptable.
  • If the licensee's proposed RI-IST program is acceptable based on both the deterministic and probabilistic analyses, it may be concluded that the proposed RI-IST program provides "an acceptable level of quality and safety" [ref 10 CFR 50.55a (a)(3)(i)].

5. ELEMENT 3: IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION STRATEGIES

Upon approval of an RI-IST program, the licensee s include test strategies and testing frequencies for HSSCs and LSSCs that ' the licensee's IST program and components identified as HSSCs that are not c y, +, .

5.1 Program Implementation

The current ASME Code requires that all safety-related components within the program scope defined in the applicable ASME Code be tested on a quarterly frequency regardless of significance. The authorization of a risk-informed inservice testing program will allow extension of certain component testing intervals and modification of certain component testing methods based on the determination of individual component importance. The implementation of an authorized program will involve scheduling test intervals based on the results of probabilistic analysis and deterministic evaluation of each individual component.

The RI-IST program should distinguish between LSSCs and HSSCs for testing intervals. Components that are being tested using specific ASME Codes, NRC-endorsed C IST programs, or other .ypO4,'4 W- should be individually identified in the RI-IST program. The test intervals of the HSSCs should be included in the RI-IST program for verification of compliance with the ASME Code requirements and applicable NRC-endorsed ASME code cases. Any component test interval or method which is not in conformance with the above should have an approved relief request for that component. Plant corrective action and feedback programs (see Section .) should be appropriately referenced in the IST program implementing and test procedures to ensure that testing failures are fed back to the plan i panel and IST coordinator for reevaluation and possible adjustment to the component's grouping and test strategy.

It is acceptable to implement RI-IST programs on a phased approach. Implementation extension for LSSCs may begin at the discretion of the licensee. Implementation may take place on a component, train or system level because extension of the test interval for these components (i.e., either individually or as a group) will have already been demonstrated through PRA and associated sensitivity analysis to have a minimal impact on the figures of merit. However, it is not acceptable to immediately adjust the test intervals of LSSCs to the maximum testing interval allowed by the PRA analysis unless component performance has demonstrated significant reliability or that aging is not an issue. Normally, test interval increases will be done step-wise with gradual extensions being permitted consistent with ==% performance data for operation at the extended intervals. The licensee will be required to submit the actual test intervals with their RI-IST program submittal.

For HSSCs, if the licensee initially chooses not to implement any of the ASME Code cases directed at providing alternative test strategies for RI-IST programs (when endorsed by the NRC staff), then testing will be conducted at the required Code interval. Otherwise, the implementation phase of the RI-IST program will be predominantly guided by ASME Code cases. Implementation may take place on a component, train, or system level as allowed in the Code.

For components that the licensee proposes to place in the HSSC group that are not in the current IST program, the following conditions should be applied:

These components should be inservice tested commensurate with their safety significance. Where ASME Section XI or O&M testing is practical, these components should be tested in accordance with the ASME Code, including compliance with all administrative requirements. Where ASME Section XI or O&M testing is not practical, alternative test methods should be developed by the licensee to ensure operational readiness and to detect component degradation (i.e., degradation associated with failure modes identified as being important in the licensee's PRA). As a minimum, a summary of alternative test methods should be reviewed and approved by the NRC as part of this review and prior to implementation of the risk-informed IST program at the plant. This is consistent with previous NRC practice.

A majority of components contained within plant IST programs are exercised or operated for reasons other than inservice testing such as during normal plant operations and as a result of other component inservice testing. The remaining components are exercised only during IST. An exercise of a component as part of a system test or normal operations does not constitute an inservice test because it provides little or no information on component degradation. However, depending on the system test or plant activity and the extent that the component is exercised, assurance can be gained that the component operated at the time of the test. While this provides little or no information on component degradation, it does provide some assurance that any degradation that may have occurred was not significant enough to degrade the system.

An acceptable method to extend the test interval for LSSCs that are exercised as a result of plant operations and other testing is to group like components (e.g., NRC Generic Letter 89-04, Position 2 for check valves) and stagger their testing equally over the interval identified for a specific component based on the probabilistic a -W valves and pump driver type, as applicable. With this method, g failures can potentially be identified while allowing immediate implementation for some components. LSSCs which are exercised only during RI-IST should have thic extended by gradually stepping out the current and successive test intervals until the extended test interval established by the licensee in their enkiig evaluation is Then, these low LSSCs should be tested on a staggered basis. The selected LSSCs that are to be tested on a staggered basis should be justified in the RI-IST program.

Acceptance Guidelines

For either HSSCs or LSSCs that will be tested in accordance with and method requirements, no specific implementation schedule is necessary. The should be included in the licensee's RI-IST program.

For either HSSCs or LSSCs that will employ NRC-endorsed ASME Code cases, ' of the revised test strategies should be documented in the licensee's RI-IST program.

For any alternate test strategies proposed by the licensee, the licensee should submit a relief request to the NRC as discussed in Section 4.1.4 of this guide.

The licensee may group and test LSSCs, which are exercised as a result of plant operation or testing of other components, on a staggered and extended interval basis provided the components have acceptable performance histories. Grouping is acceptable provided it complies, for example, with the guidance contained in NRC Generic Letter 89-04, Position 2 for check valves; Supplement 6 to NRC Generic Letter 89-10 and Section 3.5 of ASME Code C motor operated valves.

Component monitoring that is performed as part of the Maintenance Rule imp used to satisfy monitoring as described in the RI-IST program guidance. In these cases, the performance criteria chosen have to be compatible with the RI-IST guidance guide.

For LSSCs that will be tested at an interval greater than the Code test interval, which are not exercised as a result of plant operation or testing of other components, the licensee should increase the test interval successively in a step-wise manner until the components are tested at the maximum proposed test interval provided these components have acceptable performance histories. If no age-%= 'e=' failures occur, then the test interval can be gradually extended until the component, or group of components if tested on a staggered basis, is tested at the proposed extended test interval.

5.2 Performance Monitoring

The purpose of performance monitoring is to help confirm that the failure rates assumed for this equipment remain valid, and that no insidious failure mechanisms which are related to extended test intervals become important enough to alter the failure rate assumed in the PRA models. The 6evitant criteria must be measurable and the test neqwf must be sufficient to provide meaningful data. In addition, the testing procedures and analysis must provide assurance that performance degradation is detected with sufficient margin that there is no adverse effect on public health and safety (i.e., the failure rates cannot be allowed to rise to unacceptable levels before detection and corrective action take place).

A performance monitoring program should be included as part of the licensee's RI-IST program if extending the test intervals for LSSCs is proposed. This program must provide assurance that components placed on the extended test interval will continue to perform as meewnad in the PRA and that any performance degradation is detected and corrected before the s 'ei test program is fully implemented. The program should also include monitoring similar component performance at other plants to establish a sufficient data base of temporal related degradation

Testing procedures should detect degradation in component performance and ideally would replicate, as much as practical, actual demand conditions.

In summary, the performance monitoring program should have the following attributes:

  • enough tests are included to provide meaningful data;
  • the test is devised such that incipient degradation can reasonably be expected to be detected; and
  • the licensee trends appropriate parameters as required by the ASME Code or ASME Code Case and as necessary to provide validation of the PRA.

Acceptance Guidelines

The acceptance guidelines for this item consists of devah_ wing t discussion. monitoring process to assure thatiditd ast responds to l on an extended test interval, and that failure rate assumptions for the part compromised by test data. It must be clearly established i methods d Trending that sufE d of the program to provide significant i AI-IST data, and t as appropriate should be performed by comparing parameters measu programs with the same parameters measured during the original IST p

5.3 Feedback and Corrective Action

If component failures or degradation occur at a higher rate tha IST program, the following basic steps should be followed to impl

  • The cause(s) of the failures or degradation should be determined implemented.
  • The assumptions and failure rates used to categorize compone be reevaluated to determine if component importance rankings have ch
  • The equipment test effectiveness templates should be reevaluated program should be modified accordingly.

Acceptance Guidelines
a. The licensee's corrective action program should evaluate RI-IST components that either fail to meet the test acceptance criteria or are otherwise determined to be in a nonconforming condition (e.g., a failure or degraded condition discovered during normal plant operation).

b. The evaluation should:

(1) comply with 10 CFR 50, Appendix B, Criterion XVI, Corrective Action
(2) determine the impact of the failure or nonconforming condition on system/train operability since the previous test,
(3) determine and correct the root cause of the failure or nonconforming condition (e.g., improve testing practices, repair or replace the component),
(4) assess the applicability of the failure or nonconforming condition to other components in the RI-IST program (including any test sample expansion that may be required for grouped components such as relief valves),
(5) correct other susceptible RI-IST components as necessary,
(6) assess the validity of the PRA failure rate and unavailability assumptions in light of the failure(s), and
(7) consider the effectiveness of the component's test strategy in detecting the failure or nonconforming condition. Adjust the test interval and/or test methods, as appropriate, where the component (or group of components) experiences repeated failures or nonconforming conditions.

c. The corrective action evaluations should be provided to the licensee's PRA group so that any necessary model changes and re-grouping are done as might be appropriate. The effect of the failures on plant risk should be evaluated as well as a confirmation that the corrective actions taken will restore the plant risk to an acceptable level.

d. The RI-IST program documents should be revised to document any RI-IST program changes resulting from corrective actions taken.

5.4 Periodic Assessments

RI-IST programs should contain explicit determination (i.e., test interval and methods) piw Adequate program implementation requires that the RI-IST pl monitored, and fed back into several key steps of the program da:'e proces(

Periodic assessments should be performed to reflect IIST changes in performance, test results, industry experien taken on past IST program components. Licensees should include in t proposals plans for these assessments, and they may wish t related activities such as periodic PRA updates, industry spr .dr.g ex Maintenance Rule program, and other risk-informed program initiatives.

The assessment should:

  • determine if component performance and conditions are acceptable (i.e l predicted or assumed levels). If performance and conditions are i cause(s) should be determined and corrective action implemented,
  • review and revise as necessary the assumptions, reliability data, and failur categorize components to determine if component groupings hav data should be incorporated into the generic data using appropriate updating t and
  • reevaluate equipment performance as well as test effectiveness to determ program should be adjusted (based on both plant-specific and generic

The licensee should have procedures in place to identify the need for more emerg program updates (e.g., following a major plant modification, or significant equipment performance problem).

Acceptance Guidelines

The test strategy for RI-IST components should be periodically armW (at least once every two refueling outages) to take into consideration results of RI-IST and new industry findings.

The licensee's RI-IST program proposal should also include a plan for periodically assessing the plant PRA model to determine the need to incorporate new industry findings and new information &%g from the RI-IST program. (Plant specific data by itself cannot be the sole basis to determine component operability because the statistics will not be sufficient. Therefore, the RI-IST PRA model must also reflect industry experience.)

6. ELEMENT 4: DOCUMENTATION

The recommended format and content of an RI-IST submittal l are prese of this format by licensees will help ensure the completeness d d forthe of the 've assist the NRC staff in locating the information, and will aid in shortening the tim review process. Additional guidance on style, c and Content of Safety Analysis Reports for Nuclear Power Plants (LWR Edition)

6.1 Risk-Informed Inservice Testing Program Plan

The licensee's submittal should describe the proposed RI-IST program wi clearly understandable to the reviewers of the program. The description items listed in Chapter 3 including sufficient detail such that reviewers of the program c understand how the program would be implemented in a phased approach. These (1) changes to the plant's CLB, (2) changes to testin an explicit description of the grouping of different components in a staggered (4) identification of supporting information, and (5) brief statement rega the proposed changes are consistent with the Commission's PRA Policy Sta included should be a description of the process that was used for the categoriz components (further discussed in Section 6.2.3) an program (Section 3.2). Exemptions from the regulations, tec be given.

6.2 Probabilistic Risk Assessment Records and Supporting Data

6.2.1 Determination and Quantification of Accident Sequences

This section should present the methods and techniques used to identify sequences that are specific to IST. Regulatory Guide DG-1061 include for this topic.

6.2.2 Initiating Events

The process used to identify initiating events and the results from the evaluation should be documented. The description of the process should include how it will result in the identification of the complete set of initiating events important to the supporting analysis, including those initiating events that may result from the failure of IST-affected components. For each initiating event identified by the process, present (1) a description of the initiating event, (2) the rationale for including or excluding the event, (3) the event's frequency, and (4) a discussion of how frequency was estimated. If any individual initiating events are collapsed into a group, describe the basis for such a grouping. All information should be provided in the main report.

6.2.3 Categorization of Inservice Testing Components

In this section, the techniques used to categorize the RI-IST components should be discussed. When available, results from the categorization of the components from different viewpoints should be provided (e.g., traditional engineering analysis, probabilistic, and integrated). The technique used should be described including an identification of specific importance measures when used. The final results from the categorization should be presented in either one of two categories, high or low (i.e., HSSC or LSSC). The rationale used in the integrated decision making process to place components in either category should be described for each component.

6.2.4 Assessment of Proposed Changes

This section should describe the estimated effect of the proposed RI-IST program on plant risk consistent with the general guidance given in Regulatory Guide DG-1061 and with the IST-specific guidance given in Section 4.2 of this regulatory guide.

6.2.5 Uncertainty/Sensitivity Analyses

The data used in any uncertainty calculations (i.e., uncertainty distributions for basic events or input parameters) and any sensitivity calculations (e.g., giving additional or less credit for operator actions than that considered in the base case) should be provided consistent with the guidance provided in Regulatory Guide DG-1061. How uncertainty was accounted for in the component categorization, and what sensitivity studies were performed to ensure the robustness of the categorization should be described.

6.2.6 Plant Data

Systems and Components Pertinent to IST

Summarize design and operating features of components and systems ==44=ed as part of the supporting analyses. The records included with the submittal should clearly demonstrate the application of the specific criteria established by the licensee's integrated decision-making process (e.g., expert panel) to make a final determination of component grouping. Additional information that should be included in the proposal include specific ASME code cases that the licensee is implementing and the affected components. For each system, include a table summarizing key design and operating data. Such values used in the analysis should be identified and justified. Refer to appendices or other documents (e.g., specific sections of the USAR) as necessary for more details. Systems to be considered should include the pertinent portions of all systems credited in the plant-specific probabilistic analysis.

Plant Operating Experience

Summarize any events involving pump and valve failures that have occurred at this plant or similar plants. Include in this summary any lessons learned from these events and indicate actions taken to prevent or minimize recurrence of the events.

Operating Procedures

Present and describe the important operator actions as defined by existing procedures associated with events involving pump and valve failures. The descriptions should include what the operator is supposed to do and when it must be done. The conditions under which the operator takes each action, the expected time for performing the action, and how the time was derived should be identified. A summary of training materials associated with pump and valve failure events should be supplied. Include in this summary a synopsis of any simulator exercises associated with such events.

6.3 Integrated Decision Making Process Records

In addition to the general documentation requirements identified in Regulatory Guide DG-1061, provide a description of each issue considered in the integrated decision-making process and a discussion of how the resolution of each issue impacts the original probabilistic ranking. Information should be provided in the main report. Additional information specific to RI-IST programs regarding this important process is provided in the Appendix to this report.

6.4 Performance Monitoring Program

The licensee's program for monitoring the performance of both HSSC and LSSC components should be described. The licensee should have procedures developed to collect the following types of component performance data:

  • Number of starts (or cycles) that each RI-IST component was subjected to under operational conditions and under test conditions,
  • Number of failures that each RI-IST component experienced under operational conditions and under test conditions, and
  • Number of hours that each RI-IST component was unavailable for corrective maintenance, preventive maintenance, and for testing

6.5 Feedback and Corrective Action Program

As required by the current ASME Code, a record of each test should be w44.h.ed in which component failure occurred and corrective action was required. Procedures should be in place which are initiated by component failures that are detected by the RI-IST program as well as by other mechanisms (e.g., normal plant operation, inspections). Procedures should also exist to determine their impact on the plant PRA. Component-specific performance data should be used to support periodic PRA and RI-IST program updates.

6.6 Implementation Plans and Schedule

The licensee's implementation plans should be provided including a proposed schedule for initiating the program pending NRC approval. The phased implementation plan should state the composition of the component groupings for the staggered test strategy which are of the same type, size, manufacturer, model, and service conditions. Their staggered frequency over the test interval should also be included. Components should be identified that are to have their test intervals extended. The final test interval (at the maximum extended interval) of these components should also be included in the submittal.

7. REFERENCES

1. "Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities; Final Policy Statement," Federal Register, Vol. 60, p 42622, August 16, 1995.
2. U.S. Nuclear Regulatory Commission, "Framework for Applying Probabilistic Risk Analysis in Reactor Regulation," SECY-95-280, November 27, 1995.
3. U.S. Nuclear Regulatory Commission, "An Approach for Plant-Specific, Risk-Informed Decision Making: General Guidance," Regulatory Guide DG-1061 (draft)
4. U.S. Nuclear Regulatory Commission, "An Approach for Plant-Specific, Risk-Informed Decision Making: Inservice Inspection of Pipes," Regulatory Guide DG-1063 (draft)
5. U.S. Nuclear Regulatory Commission, "An Approach for Plant-Specific, Risk-Informed Decision Making: Graded Quality Assurance," Regulatory Guide DG-1064 (draft)
6. U.S. Nuclear Regulatory Commission, "An Approach for Plant-Specific, Risk-Informed Decision Making: Technical Specifications," Regulatory Guide DG-1065 (draft)
7. U.S. Nuclear Regulatory Commission, "Standard Review Plan for Risk-Informed Decision Making," Standard Review Plan, NUREG-0800, Chapter 19 (draft)
8. U.S. Nuclear Regulatory Commission, "Standard Review Plan for Risk-Informed Decision Making: Inservice Inspection of Pipes," Standard Review Plan, NUREG-0800, Chapter xx (draft)
9. U.S. Nuclear Regulatory Commission, "Standard Review Plan for Risk-Informed Decision Making: Inservice Testing," Standard Review Plan, NUREG-0800, Sect. 3.9.7 (draft)
10. U.S. Nuclear Regulatory Commission, "Standard Review Plan for Risk-Informed Decision Making: Graded Quality Assurance," Standard Review Plan, NUREG-0800, Chapter xx (draft)
11. U.S. Nuclear Regulatory Commission, "Standard Review Plan for Risk-Informed Decision Making: Technical Specifications," Standard Review Plan, NUREG-0800, Chapter xx (draft)
12. ASME research 6 aam. "Risk-Based In-Service Testing - Development of Guidelines, Volume 2, Light Water Reactor (LWR) Nuclear Power Plant Components," 1995
13. "ASME Code Case for IST Component Importance Ranking," (draft January 1997)
14. EPRI TR-105396, "PSA Applications Guide," August 1995
15. "Nuclear Energy Institute Industry Guideline for Risk-Based Inservice Testing," (NEI draft Rev A), September 20, 1995.
16. Nuclear Energy Institute Draft (Revision B) "Industry Guidelines for Risk-Based Inservice Testing," dated March 19, 1996.
17. ASME Supporting White Paper, "ASME Code Case for IST Component Importance Ranking," (draft January 1997)
18. U.S. Nuclear Regulatory Commission, NUREG-1602, "A Standard for Probabilistic Risk Assessment (PRA) to Support Risk-Informed Decisionmaking," (draft)
19. U.S. Nuclear Regulatory Commission, (regulatory guide for proposed data rule), Regulatory Guide DG-1046 (draft)
20. Common Cause Failure Data Collection and Analysis System, Volumes 1-6, INEL-94/0064, December 1995
APPENDIX A. DETAILED GUIDANCE FOR INTEGRATED DECISION MAKING

A.1 Introduction

The increased use of probabilistic risk assessment (PRA) in nuclear plant activities such as risk-informed inservice testing (IST) programs will require a balanced use of the probabilistic information with the more traditional engineering (sometimes referred to as "deterministic") information. Some structured process for E = L;.g both types of information and making decisions will be needed that will allow improvements to be made in plant effectiveness while maintaining adequate safety levels in the plant. This will be particularly important during initial program implementation and also for the subsequent early phases of the program.

In some instances, the physical data from the PRA and from the deterministic evaluations may be insufficient to make a clearcut decision. At times, these two forms of information may even seem to conflict. In such cases, it is the responsibility of the licensee to assemble the appropriate skilled utility staff (and in some cases consultants) to consider all of the available information in its various forms and to supplement this information with engineering judgment to determine the best course of action. The participants involved in this important role have generally been referred to in various industry documents as an "Expert Panel." In this appendix, this functional activity will be described as being an engineering evaluation without specifying how the evaluation is to be performed administratively. It is not the intention of this guidance to indicate that a special administrative body needs to be formed within the utility to satisfy this role. It is the function that is important and that must be performed in some well organized, repeatable, and scrutable manner by the licensee. This functional activity is all pervasive in the implementation phase of such activities as inservice inspection (ISI) and IST, and accordingly, the responsibility of the licensee to see that this function is done well is great.

A.2 Basic Categories of Information To Be Considered

Risk importance measures may be used together with other available information to determine the relative risk ranking (and thus categorization) of the components included in the evaluation. Results from all of these sources are then reviewed prior to making final decisions about where to focus IST resources.

Although the risk-ranking of components can primarily be used as the basis for prioritizing IST at a plant, additional considerations need to be addressed (e.g., defense in depth, common the single failure criterion) which may be more constraining than the risk-based criteria in some cases. Consideration must be given to these issues before the IST requirements for the various components are determined.

IST experience should contribute an understanding of the kr. prs technical bases underlying the existing testing program before it is changed. The critical safety aspects of these bases should not be violated inadvertently in changing over to a RI-IST, and L.wrm plant experience gained through the traditional IST should be considered during the change.

The plant-specific PRA information should include important perspectives with respect to the limitations of PRA modeling and analysis of systems, some of which may not be explicitly addressed within the PRA analysis. An understanding should also be provided as to how the proposed changes in pump and valve testing could affect PRA estimates of plant risk.

Plant safety experience should provide insights associated with the traditional analyses (Chapter 15 of the plant Final Safety Analysis Report) and any effect that proposed changes in testing might have on the traditional perspective of overall plant safety.

Plant operational input should sue the insights of plant safety with additional information i, 0Tig the operational L..gr .se of components under normal, abnormal, and emergency conditions. There should also be input on operating history, system interfaces, and industry operating experience to supplement information from the IST.

Maintenance considerations should provide perspectives on work practices, implementation of the maintenance rule, and equipment operating history.

Systems design considerations should include the potential effect of different design configurations (e.g., piping, valves, and pumps) on planning for a risk-informed IST, particularly if future plant modifications are contemplated or if systems are temporarily taken out of service for maintenance or replacement or repair.

A.3 Specific Areas To Be Evaluated

This section addresses some technical and administrative issues that are currently believed to be particularly important for IST risk-informed applications. Additional issues of a more general nature that may arise in expert panel deliberations are given in the general SRP and in Regulatory Guide DG-1061.

  • Each safe shutdown function, such as reactivity control, reactor coolant system integrity, coolant inventory control, primary system heat removal, etc. (or use the Appendix R shutdown function paths), should retain one system that is considered more safety significant with pump and valve testing planned accordingly. In other words, a minimum set of high safety significant equipment should be operable to maintain defense-in-depth.

  • It should be confirmed that pump and valve classifications have given proper attention to systems identified in emergency operating procedures (and other systems) depended upon for operator recovery actions, primary fission product barriers excluded from the PRA due to their inherent reliability (such as the RPV), passive items not modeled in the PRA (such as piping, cable, supports, building or [illegible] structures such as the spent fuel pool), and systems relied upon to mitigate the effects of external events in cases where the PRA considered only internal events.

  • Failure modes modeled by the PRA may not be all-inclusive. Consideration should be given to the failure modes modeled and the potential for the introduction of new failure modes related to the IST application. For example, if valve mispositioning has been assumed to be a low-probability event because of independent verification and therefore is not included in the PRA assumptions, any changes to such independent verifications should be evaluated for potential impact on the PRA results. Reverse flow in check valves should be evaluated.

  • Other qualitative/quantitative analyses that shed light on the relative safety importance of components, such as FMEA, shutdown risk, seismic risk, SBO/ATWS/fire protection, should be included in the resource information base.

  • Attention should be given to the fact that component performance can be degraded from the effects of aging, and this issue will need to be addressed and documented.

  • The engineering evaluation should include the choice of new test frequencies, the identification of compensatory measures for potentially important components, and the choice of test strategies for the HSSCs.

  • Until the ASME recommendations for improved test methods are available, the different existing IST test methods should be evaluated prior to choosing the test method to be used for the HSSCs depending on their expected failure modes, service conditions, etc.

  • Due to the importance of maintaining defense in depth, particular attention should be given to identifying any containment systems involving IST components.


UNITED STATES NUCLEAR REGULATORY COMMISSION
STANDARD REVIEW PLAN
OFFICE OF NUCLEAR REACTOR REGULATION

DRAFT FOR COMMENT

Use of Probabilistic Risk Assessment in Plant-Specific, Risk-Informed Decisionmaking: General Guidance

Draft SRP Chapter 19
Revision L
March 27, 1997

Contacts: M. P. Rubin (301) 415-3234
          M. C. Cheok (301) 415-8380

ENCLOSURE 3


TABLE OF CONTENTS

INTRODUCTION
ROLES AND RESPONSIBILITIES
I. AREAS OF REVIEW
II. REVIEW GUIDANCE AND PROCEDURES
    II.1 General
    II.2 Element 1: Define the Proposed Change
    II.3 Element 2: Conduct Engineering Evaluations
        II.3.1 Evaluation of Defense-in-Depth Attributes and Safety Margins
            II.3.1.1 Defense-in-Depth
            II.3.1.2 Safety Margins
            II.3.1.3 Current Regulations
        II.3.2 Risk Assessment
            II.3.2.1 Characterization of Change in Terms of PRA Model Elements
            II.3.2.2 Scope of Analysis
            II.3.2.3 Level of Detail
            II.3.2.4 Quality of a PRA for Use in Risk-Informed Regulation
            II.3.2.5 Risk Impact Including Treatment of Uncertainty
        II.3.3 Integrated Decisionmaking Process
    II.4 Element 3: Develop Implementation and Monitoring Strategies
    II.5 Element 4: Staff Evaluation of Submittal
III. EVALUATION FINDINGS
IV. IMPLEMENTATION
V. REFERENCES
Appendix A GUIDANCE FOR A FOCUSED-SCOPE APPLICATION SPECIFIC PRA REVIEW
    A.1 Use of Appropriate Data
    A.2 Initiating Events
    A.3 Determination of Success Criteria
    A.4 Modeling of Common Cause Failures
    A.5 Modeling of Human Performance
    A.6 Effects of Truncation Limits Used
Appendix B INTEGRATED DECISIONMAKING
Appendix C CATEGORIZATION OF STRUCTURES, SYSTEMS, AND COMPONENTS WITH RESPECT TO SAFETY SIGNIFICANCE
    C.1 Use of Importance Measures
    C.2 Role of Integrated Decisionmaking in Component Categorization

19.0 USE OF PRA IN REGULATORY ACTIVITIES: GENERAL GUIDANCE

INTRODUCTION

The purposes of this standard review plan (SRP) are to identify the roles and responsibilities of organizations in the NRC that participate in risk-informed reviews of licensee proposals for changes to a plant's current licensing basis (CLB). The SRP identifies the types of information that may be used in each activity and provides general guidance on how the information from a probabilistic risk assessment (PRA) can be combined with other pertinent information in the process of making a regulatory decision.

Footnote: This SRP adopts the 10 CFR Part 54 definition of current licensing basis, i.e., "CLB is the set of NRC requirements applicable to a specific plant and a licensee's written commitments for ensuring compliance with and operation within applicable NRC requirements and the plant-specific design basis (including all modifications and additions to such commitments over the life of the license) that are docketed and in effect. The CLB includes the NRC regulations contained in 10 CFR Parts 2, 19, 20, 21, 26, 30, 40, 51, 54, 55, 70, 72, 73, 100 and appendices thereto; orders; license conditions; exemptions; and technical specifications. It also includes the plant-specific design-basis information defined in 10 CFR 50.2 as documented in the most recent final safety analysis report (FSAR) as required by 10 CFR 50.71 and the licensee's commitments remaining in effect that were made in docketed licensing correspondence such as licensee responses to NRC bulletins, generic letters, and enforcement actions, as well as licensee commitments documented in NRC safety evaluations or licensee event reports."

The guidance in this document is a logical extension of current NRC policy on the use of PRA in regulatory activities, which is documented in the Commission's PRA policy statement and PRA implementation plan (references 1, 2 and 3). In developing this document, the staff has considered the NRC regulatory guide on the use of PRA in risk-informed regulatory applications, draft Regulatory Guide DG-1061 (Reference 5), and the relevant industry guidance documented in Reference 4. In addition, reference will be made to other SRP chapters which provide additional guidance for the review of specific applications of PRA in regulated activities.

Risk-informed decisionmaking will be based on the following approach. The design, construction, and operational practices of the plant being analyzed are expected to be consistent with its CLB. The risk evaluations performed to justify regulatory changes are expected to realistically reflect the plant-specific design, construction, and operational practices. The PRA analyses should be as realistic as practicable, and should address significant uncertainties. Results of these risk analyses will be part of the input to the decision process that evaluates margin in plant capability (both in performance and in redundancy/diversity). The decision process will use the risk results in a manner which complements traditional engineering approaches, supports the defense-in-depth philosophy, and preserves safety margins. Risk analysis will inform, but will not determine, regulatory decisions.

ROLES AND RESPONSIBILITIES

Depending on the technical nature of a licensee's request, an appropriate technical review branch in the Office of Nuclear Reactor Regulation (NRR) will serve as the primary review branch and, as such, has overall responsibility for leading the technical review, drafting the staff safety evaluation report (SER) or other appropriate regulatory document, and coordinating any input from other technical review organizations. The responsibilities of specific review organizations that will normally play a role in reviewing risk-informed proposals are listed below.

The Probabilistic Safety Assessment Branch (SPSB), at the request of the primary review branch, is responsible for review of the PRA information and findings submitted by the licensee. Review support includes the assessment of the adequacy of the scope, level of detail and quality of the PRA used by the licensee to support the regulatory change and the application of risk-related acceptance guidelines to support decisionmaking.

The Reactor Systems Branch (SRXB), at the request of the primary review branch or SPSB, provides support in accident sequence modeling, including treatment of reactivity and thermal-hydraulic phenomena, system response, and the implementation of emergency operating procedures and abnormal operating procedures.

The Containment and Severe Accident Branch (SCSB) has primary responsibility for review of any containment response and containment integrity information submitted by the licensee in support of a request for regulatory action.

The Emergency Preparedness and Radiation Protection Branch (PERB) has primary responsibility for review of any evaluations of radionuclide contamination or public health effects submitted by a licensee in support of a request for regulatory action.

The Office of Nuclear Regulatory Research (RES), at the request of the primary review branch, provides technical support in areas involving all aspects of PRA, severe accident phenomenology and engineering studies.

The Office for Analysis and Evaluation of Operational Data (AEOD), at the request of the primary review branch, provides generic and plant-specific data on the frequency of initiating events, common cause failures and human errors from operating experience.

The Regional Offices, at the request of the primary review branch, provide information on licensee operational experience in areas of system performance, operator performance, risk management practices and management controls.

I. AREAS OF REVIEW

The NRC's PRA Implementation Plan (reference 1) identifies a wide scope of regulatory activities for which PRA can play a role. This scope includes activities which require NRC review and approval and other activities which are considered internal to NRC and affect licensees and applicants in a less direct manner, e.g., generic issue prioritization. This Standard Review Plan chapter deals only with licensing amendment requests submitted for NRC review and approval for which PRA can play an effective role in the decisionmaking process. General review guidance for applicable activities is presented in this SRP. In addition, application-specific SRP chapters are available to provide additional guidance for several activities. Examples include:

  • Changes to allowed outage times (AOT) and surveillance test intervals (STI) in plant-specific technical specifications;
  • Changes in scope and frequency of tests on pumps and valves in a licensee's inservice test (IST) program;
  • Changes in scope and frequency of inspections in a licensee's inservice inspection (ISI) program; and
  • Grading of activities in the licensee's quality assurance (QA) program.

Draft regulatory guide DG-1061 defines an acceptable approach to analyzing and evaluating proposed CLB changes. This approach supports the staff's desire to base its decisions on the results of traditional engineering evaluations, supported by insights (derived from the use of PRA methods) on the risk significance of the proposed changes. The decision process leading to the proposed change is expected to be done in an integrated fashion (considering traditional engineering and risk information) and may be based upon qualitative factors as well as quantitative analyses and information.

As discussed later in this section, the scope of the staff review of a risk-informed application will depend on the specifics of the application. However, this scope should include a review of the four-element approach as suggested in chapter 2 of draft Reg Guide DG-1061. The areas of review for each of these elements are summarized below.

Element 1: Define the Proposed Change

The objective of this element is to provide the groundwork for the evaluation of safety impacts of the proposed change. Areas of review in this element therefore include an evaluation of: the proposed change in light of the CLB; the structures, systems and components (SSCs), procedures and activities that are covered by the proposed change; the method of analysis; and the available engineering studies and risk evaluation findings that are relevant to the proposed change.

Element 2: Conduct Engineering Evaluations

In this element, the reviewer should evaluate the proposed change to ensure that defense-in-depth and safety margins are maintained, and that the calculated change in plant risk is within the guidelines specified in DG-1061. The proposed changes are to be evaluated in light of the licensee's risk management approach, in which the licensee is using risk analysis to improve operational and engineering decisions and not just to eliminate requirements the licensee sees as undesirable, and to confirm that cumulative risk impacts are appropriately factored into the decision process.

Element 3: Develop Implementation and Monitoring Strategies

Implementation and monitoring strategies can provide early indication of plant performance under the proposed changes, and these strategies are therefore important in applications where there is some uncertainty in evaluation models and/or data. As such, the review scope should include provisions to ensure that the licensee's proposed process for implementation and monitoring is adequate to account, in part, for uncertainties with regard to plant performance under the proposed change.

Element 4: Document Evaluations and Submit Request

The reviewer should assure that the submittal includes sufficient information to support conclusions regarding the acceptability of the proposed change and that archival documentation of the evaluation process and findings is maintained and available for staff audit and review. The reviewer should also assure that the appropriate regulatory action is requested, for example, a license amendment, an exemption, or a change to technical specifications. Where appropriate, these actions should include enhancements in regulatory requirements to preserve the assumptions in the supporting risk analysis, and to assure that high risk significant SSCs not currently subject to regulatory control will be subject to requirements commensurate with their risk significance. Finally, the reviewer should assure that CLB changes are appropriately included in a Safety Analysis Report update as necessary.

Application-Specific Reviews

This SRP chapter is written to provide guidance for a full scope review of applications in risk-informed regulation where evaluation findings are dependent on the numerical values of risk indices and where a broad set of scenarios and plant operating modes may be affected. Where it is determined that an application could justify a review that is less than full scope, the reviewer should choose the relevant and applicable parts of this SRP for guidance. In addition, some applications may be supportable without resort to the level of integration and quantitative perspective afforded by PRA, and correspondingly, little or no staff review of the PRA may be necessary. Application-specific SRP chapters (where available) will provide additional guidance in this area.

II. REVIEW GUIDANCE AND PROCEDURES

II.1 General

For each risk-informed application, reviewers should ensure that the following principles for risk-informed decisionmaking are met (SRP sections dealing with each principle are provided in parentheses):

  • The proposed change meets the current regulations. This principle applies unless the proposed change is explicitly related to a requested exemption or rule change (i.e., a 50.12 "specific exemption" or a 2.802 "petition for rulemaking") (section II.3.1);
  • Defense-in-depth is maintained (section II.3.1);
  • Sufficient safety margins are maintained (section II.3.1);
  • Proposed increases in risk and their cumulative effect are small, and these changes do not cause the NRC Safety Goals to be exceeded (sections II.3.2 and II.3.3); and
  • Performance-based implementation and monitoring strategies are proposed that address uncertainties in analysis models and data, and provide for timely feedback and corrective action (section II.4).

In demonstrating the above, reviewers should ensure that the following have been addressed as part of the submittal:

  • All safety impacts of the proposed change are evaluated in an integrated manner as part of an overall risk management approach in which the licensee is using risk analysis to improve operational and engineering decisions broadly and not just to eliminate requirements the licensee sees as undesirable. The approach used to identify changes in requirements was used to identify areas where requirements should be increased as well as where they could be reduced (section II.3.3);
  • The acceptability of the proposed changes is evaluated in an integrated fashion that ensures that all principles are met (section II.3.3);
  • Increases in estimated CDF and LERF resulting from proposed CLB changes are limited to small increments (section II.3.2);
  • The scope and quality of the engineering analyses (including traditional and probabilistic analyses) conducted to justify the proposed CLB change are appropriate for the nature and scope of the change and are based on the as-built and as-operated and maintained plant (section II.3.2);
  • Appropriate consideration of uncertainty is given in analyses and interpretation of findings (section II.3.2);
  • The plant-specific PRA that is used to support licensee proposals has been subjected to quality controls such as an independent peer review (section II.3.2); and
  • Data, methods, and assessment criteria used to support regulatory decisionmaking are available for public review (section II.5).

II.2 Element 1: Define the Proposed Change

In this element, the reviewer should verify that enough information is provided to meet the staff's expectation that all potential safety impacts have been identified and evaluated. In addition, the reviewer should be satisfied that, where appropriate, the licensee has identified design and operational aspects of the plant related to the change request that should be enhanced consistent with an improved understanding of their safety significance based on the methodology used to support the proposed relaxation in regulation. These enhancements should be appropriately reflected in licensing basis changes (e.g., technical specification, license conditions, and FSAR).

The proposed changes should be reviewed with regard to the current licensing basis. The licensing basis of the plant documents how the licensee satisfies certain basic regulatory requirements such as diversity, redundancy, defense-in-depth, and the General Design Criteria. Engineering (or other pertinent) analysis and data that identify the safety margins or plant activities conducted to preserve those margins should be reviewed. If exemptions from regulations or relief requests are needed to implement the licensee's proposed change, the reviewer should ensure that the appropriate requests accompany the licensee's submittal.

The reviewer should verify that available documents reflecting traditional engineering concepts and principles have been identified and appropriately used. Among the non-PRA sources of information that should be examined to support the evaluation of safety significance are the safety insights developed in licensing documents including the Final Safety Analysis Report, and the bases for Technical Specifications such as Limiting Conditions for Operation (LCOs), Allowed Outage Times (AOTs), and Surveillance Requirements (SRs).

Where available, plant-specific data and operational information should be factored into the evaluation process. Reviewers should consider the way in which the issues at hand are reflected in operational data. Useful insights from plant-specific operating experience can also be obtained from inspections that follow incidents at the facility, including NRC incident investigation and augmented team inspections, INPO incident assessments documented in significant operating event reports, licensee follow-up investigations and routine inspections by NRC resident inspectors. Inspection results can provide valuable qualitative insights in areas such as human performance, management controls, adequacy of procedures and root causes of events which are often difficult to treat with precision in a PRA.

Finally, as part of the initial review of the licensing amendment, the reviewer should determine if the scope of the impact of the proposed change has been adequately characterized (specifically, if all SSCs affected by the proposed change have been identified) and if the analyses performed and submitted have the scope and depth needed to adequately characterize the impact of this change.

II.3 Element 2: Conduct Engineering Evaluations

In order for the staff to make findings of acceptability regarding a proposed license amendment, the staff position should be based on an integrated assessment of traditional engineering evaluations and probabilistic information. Specific evaluations expected to be performed by the licensee are described in section 2.4 of draft reg guide DG-1061. The scope and quality of the engineering analyses conducted to justify the proposed change should be appropriate for the nature and scope of the change. Types of traditional engineering and probabilistic information which should be included in submittals are described in section 3 of the draft guide.

The results of this element should be reviewed to determine if the following principles for risk-informed decisionmaking are satisfied: the proposed change meets current regulations unless the change is explicitly related to a requested exemption or rule change; defense-in-depth is maintained; sufficient safety margins are maintained; and proposed increases in risk and their cumulative effect are small, and these changes do not cause the NRC Safety Goals to be exceeded.
II.3.1 Evaluation of Defense-in-Depth Attributes and Safety Margins

A review of the engineering evaluations should be performed to demonstrate that the principles identified in Section II.1 are not compromised. These evaluations should include not only the traditional design basis accident (DBA) analyses, but also evaluations of the defense-in-depth attributes of the plant, safety margins, and risk assessments performed to obtain risk insights and quantification of the impact of the proposed change.

II.3.1.1 Defense-in-Depth

Defense-in-depth is defined as a philosophy which ensures that successive measures are incorporated into the design and operating practices for nuclear plants to compensate for potential failures in protection and safety measures. In risk-informed regulation, the intent is to assure that the philosophy of defense-in-depth is maintained, not to prevent changes in the way defense-in-depth is achieved. The defense-in-depth philosophy has been and continues to be an effective way to account for uncertainties in equipment and human performance. In some cases, risk analysis can help quantify the range of uncertainty; however, there will likely remain areas of large uncertainty or areas not covered by the risk analysis. Where a comprehensive risk analysis can be performed, it can be used to help determine the approximate extent of defense-in-depth (e.g., balance among core damage prevention, containment failure and consequence mitigation) to ensure protection of public health and safety. However, because all aspects of defense-in-depth are not reflected in PRAs, appropriate traditional defense-in-depth considerations should also be used to account for uncertainties.

Preservation of Multiple Barriers for Radioactivity Release

Defense-in-depth can be argued based on considerations of the barriers that prevent or mitigate radioactivity release. Release of radioactive materials from the reactor to the environment is prevented by a succession of passive barriers: fuel cladding, reactor coolant pressure boundary, and containment structure. These barriers, together with an imposed exclusion area and emergency preparedness, are the essential elements for accident consequence mitigation. Given these multiple barriers, assurance of safety is provided by application of deterministic safety criteria for the performance of each barrier, and design and operation of systems to support the functional performance of each barrier.

In maintaining the defense-in-depth philosophy, the proposed license amendment should not result in any substantial change in the effectiveness of barriers. The following are review objectives to ensure that the proposed change maintains appropriate safety within the defense-in-depth philosophy:

  • the change does not result in a significant increase in the existing challenges to the integrity of the barriers;
  • probability of failure of each barrier is not significantly changed by the proposal;
  • new or additional failure dependencies are not introduced among barriers that result in a significant increase in the likelihood of failure compared to the existing conditions; and
  • the overall redundancy and diversity in the barriers is sufficient to be compatible with the risk acceptance guidelines.

In demonstrating the above, it is a staff expectation that, for the proposed change:

  • a reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved;
  • over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided;
  • system redundancy, independence, and diversity are preserved, commensurate with the expected frequency and consequences of challenges to the system;
  • defenses against potential common cause failures are preserved and the introduction of new common cause failure mechanisms is assessed;
  • independence of barriers is not degraded; and
  • defenses against human errors are preserved.

The above elements can be addressed by using qualitative or traditional engineering arguments or by using PRA results contained in the model sequences and cutsets.

Role of PRA in Review of Defense-in-Depth

In addition to the usual quantitative risk indices, PRAs provide important qualitative results, namely, the accident sequence minimal cutsets. Each accident sequence minimal cutset is a combination of passive and active SSC failures and human errors that would cause core damage or a radioactivity release. The cutsets therefore directly show one particular aspect of defense-in-depth, in that they reveal how many failures must occur in order for core damage or a radiological release to occur. The minimal cutsets therefore show the effective redundancy and diversity of the plant design.

Events appearing in each minimal cutset are, in most cases, targeted by programmatic activities to assure the reliability of the associated SSC. Specific activities that are important in maintaining reliability of a component include: inservice testing, inservice inspection, periodic surveillance required by Technical Specifications, quality assurance, and maintenance. Therefore, when a review of the minimal cutsets shows areas where redundancy or diversity are already marginal, it would arguably be inappropriate to reduce the level of activities aimed at ensuring SSC performance, unless the activities can be shown to have little or no effect on SSC performance or if it can be shown that uncertainties in the performance of the elements in this cutset are well understood and quantified. It is also possible that compensating or alternative activities could be proposed to provide assurance of SSC performance. The objective of this review is to avoid completely relaxing the defense-in-depth posture at points at which the plant design has the least overall functional independence, redundancy, and/or diversity. On the other hand, in areas where a plant has substantial redundancy and diversity, defense-in-depth arguments used to justify relaxations should be given appropriate weight.

As part of the review of defense-in-depth, the effects of multiple component failures that could potentially result from the proposed change should be evaluated. For example, if all events in a cutset have been proposed for a reduction in requirements, the reviewer should ensure that the effect of the change is modeled properly and that the change does not have an adverse effect on defense-in-depth.

Finally, in the review of sequence cutsets, attention should be given to potential over-reliance on programmatic activities or operator actions that compensate for weaknesses in the plant design. For example, proposed maintenance and surveillance activities should complement and not replace proper plant design.
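The cutset checks described in this section, as an added illustration that is not part of the SRP or of any licensee or NRC tool: the sketch flags minimal cutsets in which every mitigating event is proposed for relaxation, flags low-order cutsets touched by the change, and requantifies each cutset with the rare-event approximation. All event names, probabilities, multipliers and the order-2 "marginal" threshold are constructed assumptions.

```python
"""Cutset screen for a proposed relaxation. Added illustration; every event
name, probability and multiplier below is constructed, not plant data."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Cutset:
    initiator: str   # initiating event, frequency per reactor year
    events: tuple    # SSC failures and human errors that complete the cutset


# Constructed base-case values (assumption): one initiator, six basic events.
BASE = {
    "IE-LOOP": 5.0e-2,
    "EDG-CCF": 1.0e-3,
    "EDG-A-FTS": 2.0e-2,
    "EDG-B-FTS": 2.0e-2,
    "TDP-FTS": 1.0e-2,
    "MOV-101-FTO": 3.0e-3,
    "MOV-102-FTO": 3.0e-3,
}

# Constructed minimal cutsets for a single accident sequence.
CUTSETS = [
    Cutset("IE-LOOP", ("EDG-CCF", "TDP-FTS")),
    Cutset("IE-LOOP", ("EDG-A-FTS", "EDG-B-FTS", "TDP-FTS")),
    Cutset("IE-LOOP", ("MOV-101-FTO", "MOV-102-FTO")),
]

# Assumed bounding multipliers on failure probability for the events whose
# programmatic requirements (e.g. test interval) are proposed for relaxation.
PROPOSED = {"TDP-FTS": 2.0, "MOV-101-FTO": 3.0, "MOV-102-FTO": 3.0}


def frequency(cutset, prob):
    """Rare-event approximation: initiator frequency times the product of the
    basic-event probabilities, which are treated as independent here."""
    return prob[cutset.initiator] * prod(prob[e] for e in cutset.events)


def apply_change(base, multipliers):
    """Return event values after the change; probabilities are capped at 1."""
    return {
        name: min(1.0, p * multipliers[name]) if name in multipliers else p
        for name, p in base.items()
    }


def review(cutsets, base, multipliers, marginal_order=2):
    """One finding per cutset: order, relaxed events, flags, frequencies."""
    changed = apply_change(base, multipliers)
    findings = []
    for cs in cutsets:
        relaxed = [e for e in cs.events if e in multipliers]
        findings.append({
            "cutset": cs,
            # Number of failures needed after the initiator: a direct view
            # of the redundancy and diversity behind this cutset.
            "order": len(cs.events),
            "relaxed": relaxed,
            # Every mitigating event in the cutset is affected by the change.
            "fully_relaxed": bool(relaxed) and len(relaxed) == len(cs.events),
            # Redundancy already thin and the change touches the cutset.
            "marginal": bool(relaxed) and len(cs.events) <= marginal_order,
            "base": frequency(cs, base),
            "changed": frequency(cs, changed),
        })
    return findings


def total(findings, key):
    """Sum of cutset frequencies ('base' or 'changed'), rare-event sum."""
    return sum(f[key] for f in findings)


if __name__ == "__main__":
    results = review(CUTSETS, BASE, PROPOSED)
    for f in results:
        flags = [k for k in ("fully_relaxed", "marginal") if f[k]]
        print(f["cutset"].events, "order", f["order"],
              f"{f['base']:.2e} -> {f['changed']:.2e}", flags)
    print(f"total {total(results, 'base'):.2e} -> "
          f"{total(results, 'changed'):.2e} per reactor year")
```

In the constructed data the third cutset is fully relaxed, so its frequency grows by the product of the two multipliers rather than by either one alone; a common cause term for the two valves, if the model carried one, would need the same treatment.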

II.3.1.2 Safety Margins

In the determination of the design performance characteristics of a system, safety margin represents an allowance for uncertainty in SSC performance. Current safety analysis practices incorporate consideration of margin in most areas. As examples, many engineering standards, licensing analyses, and technical specifications take margin into account. Incorporating margin can result in over-designing of components, incorporation of extra system trains or extra systems, or in conservative operating requirements for systems and components. Therefore, some licensee applications will seek to reduce this margin in some areas. Reduction of margin should appropriately reflect the current understanding of existing uncertainties and the potential impact of the proposed change.

Therefore, as part of the review of the impacts of a proposed change, its effects on safety margins should be evaluated. For example, the reviewer should establish that:

  • engineering codes and standards or alternatives approved for use by the NRC are met, or deviations are justified; and
  • safety analysis acceptance criteria in the current licensing basis are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainty.

Clearly, these items are closely related to guidance provided in section II.3.1.3 regarding the need to maintain the current CLB. The thrust of the guidance in the present section is to sensitize reviewers to the implications of relaxing margin when evaluating the acceptability of changes to the CLB. The level of justification required for changes in margin should depend on how much uncertainty is associated with the performance parameter in question, the availability of mechanisms to compensate for adverse performance, and the consequences of functional failure of the affected elements. Therefore, the results from risk evaluations and the associated analysis of uncertainties, especially in the analysis areas and models affected by the application, will provide useful information to help in the reviewer's decision-making.

In the evaluation of available safety margins, reviewers should also look at the risk profile of the plant. If a proposed CLB change creates or exacerbates a situation where risk is dominated by a few elements (SSCs or human actions) or a few accident sequences, the impact should be carefully evaluated by the reviewer. If one or a few elements clearly dominate risk, then the modeling of these items (including uncertainty) and the effect on risk if they degraded should be reviewed in more detail, and the acceptability of this contribution assessed.

In demonstrating available safety margins, licensees will in some cases cite new data from plant tests or research projects, or analysis with models based on new data to support their proposal. The following examples illustrate situations in which data and analysis can be used effectively to support the CLB change request:

  • to show that a phenomenon of concern cannot occur or is less likely to occur than originally thought;
  • to show that the amount of safety margin in the design is significantly greater than that which was assumed when the requirement or position was imposed;
  • to show that time available for operator actions is greater than originally assumed.

The reviewer's primary objective is to verify the relevance and acceptability of this new information with respect to the CLB change request. Data that apply directly to the original technical concern should be applied in the decision process. Depending on the circumstances, additional specific guidance in the cognizant review branch may be available for reviewing the quality and acceptability of the data. However, the data or analysis must be clearly applicable to the plant and specific circumstances to which it is being applied.

II.3.1.3 Current Regulations

Staff reviewers should be aware that the proposed change satisfies current regulations (including the general design criteria) unless the licensee explicitly includes a proposed exemption or rule change (i.e., a 50.12 "specific exemption" or a 2.802 "petition for rulemaking").

The current licensing basis also applies until modifications to it are accepted by the staff. It is expected that many applications will seek to modify the CLB in risk-informed submittals. Applications that seek to make qualitative changes to the CLB (such as moving components out of the scope of a required program) should be reviewed in more detail with respect to defense-in-depth and safety margins when compared to applications that seek to make parametric changes (such as incremental changes to surveillance interval).

II.3.2 Risk Assessment

For an effective implementation of risk-informed regulatory approaches, the reviewer should ensure that the licensee has demonstrated that the plant's CLB and actual operating conditions and practices are properly reflected in the risk insights using the plant PRA model. Otherwise, the risk assessment may provide inaccurate or misleading information that will require careful scrutiny before use in any regulatory decisionmaking process.

The development of a plant-specific, risk-informed program will also require that information be available to identify the application-specific SSCs and human actions that contribute most significantly to the plant's estimated risk. For each PRA basic event directly affected by the proposed application, it is desirable for the licensee's process to quantify the event using models that capture the functional relationships between the application and the event. The effects of proposed changes on parameters such as common cause failure probabilities and potential increases in human error probabilities should be addressed within the review process.

The characterization of the proposed change in terms of PRA model elements is discussed in sub-section II.3.2.1. The results of this determination of the cause-effect relationships between the proposed application and the PRA models will help define the scope and the level of detail required of the PRA to support the application. Sub-sections II.3.2.2 and II.3.2.3 discuss these topics.
Many applications, such as those involving changes in component test intervals, allow explicit modeling of the impact of the proposed change in the PRA and quantification of the expected change in risk using plausible models of the impact of the change on SSC unavailability to the extent that the affected components are included in the plant PRA. There are other possible risk-informed applications where it may not be feasible to explicitly model the cause and effect relationship because the actual impact on component unavailability resulting from the proposed change is not clearly understood. For applications such as these, the use of risk categorization techniques provides a useful method to identify groups of less risk important SSCs that are possible candidates for a graded approach to regulatory requirements. Using such a categorization approach, it is still necessary to understand the potential or bounding impact of the proposed change, and to assess the risk impact through such bounding evaluations.

In either the detailed quantification approach or the risk categorization approach, risk results should be derived from analyses of appropriate quality. The guidelines to help in the review of PRA quality are discussed in sub-section II.3.2.4 and also in Appendix A of this SRP. Finally, the issues related to the determination of risk contribution/component categorization are discussed in Appendix C of this SRP.

II.3.2.1 Characterization of Change in Terms of PRA Model Elements

Where quantitative PRA results are used as part of a risk-informed evaluation of a proposed change, the licensee should define the change in terms which are compatible with the risk analysis, i.e., the risk analysis should be able to effectively evaluate the effects of the change. The characterization of the problem should include the establishment of a cause-effect relationship to identify portions of the PRA affected by the issue being evaluated. This includes (i) identification of the specific PRA contributors for the particular application, (ii) an assessment of the portions of the model which should be modified for the application, and (iii) identification of supplemental tools and methods which could be used to support the application. This will help define the scope and level of detail of analysis required for the remaining steps of the change process.

General guidance for the identification of PRA model elements that may be affected by an application is tabulated in Table 11-1 of this SRP. This guidance, provided as a list of questions, will assist the reviewer in establishing a cause-effect relationship between the application and the PRA model. The answers to these questions should be used to identify the extent to which the proposed change affects the design, operation and maintenance of plant SSCs.

The reviewer should also verify that the effects of the proposed changes on SSCs are adequately characterized in the PRA elements. For full scale applications of the PRA, this should be reflected in a quantification of the impact on the PRA elements. For applications like component categorization, sensitivity studies on the effects of the change may be sufficient.
For other applications it may be adequate to define the qualitative relationship of the impact on the PRA elements or may only require an identification of which elements are impacted.

The review procedure in this element is therefore to verify that the effects of the changes on SSC reliability and unavailability or on operator actions are appropriately accounted for. Where applicable, the modeling and quantification of the effects of the change should also be reviewed to ensure that the models are appropriate and that the results can be supported by plant and/or industry data.

II.3.2.2 Scope of Analysis

The necessary scope of a PRA supporting risk-informed requests will depend on the specific application. It is not required for risk-informed regulation that licensees submit Level III PRAs that treat all plant operational modes and all initiators. Instead, when full-scope PRAs are not available, licensees should demonstrate that the needed findings are supportable based on traditional engineering analyses, or other plant operational information that address modes and initiators not analyzed in the base PRA.

For plant modes and initiators not analyzed in the PRA such as shutdown, seismic, fire, floods and severe weather, the licensee should consider the effects of the change and provide rationale why additional PRA analyses are not necessary. This rationale could be addressed by assessing the level of redundancy and diversity provided by the plant systems, system trains, human actions, etc. for responding to these unanalyzed configurations. The licensee should also show that the proposed change does not introduce unanalyzed vulnerabilities and that redundancy and diversity will still exist in the plant response capability after the changes are implemented. This issue is addressed acceptably if:

  • The licensee addresses all modes and all initiator types using PRA.

OR

  • The licensee demonstrates that the application does not unacceptably degrade plant capability, and does not introduce risk vulnerabilities or remove elements of the plant response capability from programmatic activities aimed at ensuring satisfactory safety performance for plant modes and initiator types not included in the PRA.

OR

  • If the proposed change impacts unanalyzed plant modes or initiator types, the licensee demonstrates that a bounding analysis of the change in plant risk from the application (e.g., by qualitative arguments, or by use of sensitivity studies) meets guidelines that are equivalent to the acceptance guidelines specified in Section 2.4.2.1 of draft guide DG-1061.

II.3.2.3 Level of Detail

Generally, the PRA should be detailed enough to account for important system and operator dependencies (functional, operational, and procedural dependencies). SSCs that are being depended upon for more than one function should be modeled explicitly so that potential dependencies will not be obscured in the evaluation process. Initiating events caused by the loss of support systems should be modeled in detail if the failure of the SSCs that could lead to the initiating events could also result in failure of functions that mitigate that event. For components affected by the application, the reviewer should verify that the models are detailed enough to account for important system and operator dependencies. A check of the licensee failure modes and effects analysis and a review of plant operating and emergency procedures will be useful for this purpose.

The usefulness of PRA results in risk-informed regulation is dependent on the level of resolution of the modeled SSCs. A component level of resolution provides insights at the component level. However, if a PRA is performed at a system or train level, the insights of the PRA will be limited to the system or train level unless it can be demonstrated that component level insights can be bounded by system or train level effects. The direct application of PRA results will be limited to those SSCs that are explicitly modeled as part of PRA basic events. Insights for SSCs that are implicitly modeled (i.e., screened out, assumed not important, etc.) shall only be used after additional consideration of the effects of the proposed change on PRA assumptions, screening analyses and boundary conditions. Specifically, the level of detail in the modeling of each SSC can be used to determine the following:

  • If the SSCs are modeled at the basic event level, i.e., each SSC is represented by a basic event (or sometimes, more than one if different failure modes are modeled), risk insights from the PRA can be directly applied to the component modeled as long as the effects of the change are considered appropriately.
  • If the SSCs are included within the boundaries of other components (e.g., the governor and throttle valves being included in the pump boundary); or if they are included in "black boxes" or modules within the PRA model; or they are modeled as part of the calculation of human error probabilities in recovery actions, risk insights from the PRA can be applied if the effects of the application can be mapped onto the events (e.g., modules, HEPs, etc.) in question. In these cases it should be noted that the mapping is relatively simple if the event is ORed with the other module or HEP events. However, if the logic involves AND gates, the mapping will be more complicated.

  • If the SSCs are omitted from the model because of inherent reliability or if they are not modeled at all, risk insights on these components should be obtained from an integrated decisionmaking process (such as an Expert Panel) which revisits the assumptions or screening criteria which supported the initial omission.

II.3.2.4 Quality of a PRA for Use in Risk-Informed Regulation

The baseline risk profile is used to model the plant's licensing basis and operating practices that are important to safe operation and may provide insights into areas in which existing requirements can be relaxed without unacceptable safety consequences. It is therefore essential that the PRA adequately represent the risk profile. To complement this, it is necessary not only to identify significant risk contributors, but also to identify those elements of the plant whose performance is responsible for reducing the risk to acceptable levels, and address these elements adequately in licensee programmatic activities. Therefore, for risk-informed regulation, the following criteria should be satisfied.

  • Reasonable assurance of PRA adequacy: The plant's current licensing basis and actual operating condition and practices are properly reflected in the plant PRA model.
  • Robustness of results and conclusions: Results and conclusions must be robust, and an analysis of uncertainties and sensitivities should be carried out to show this "robustness".
  • Key performance elements are appropriately classified and performance is backed up by licensee commitments: PRA results are dependent on plant activities. They reflect not only inherent device characteristics but also numerous programmatic activities, such as IST, ISI, GQA, and so on. Use of a PRA to justify relaxation of a requirement should therefore imply a commitment to whatever programmatic activities are needed to maintain performance at the PRA-credited levels that served as the basis for the proposed relaxation.

Review of PRA Quality

Quality in the licensee's technical analysis must be demonstrated in the licensee request. Guidance in this area is provided in Section 2.7 of DG-1061. Staff review shall demonstrate that the PRA is of sufficient quality to support the decision. The reviewer should evaluate the licensee process to ensure quality. In addition, for each application, specific findings should be made regarding the quality of the PRA for that application. At a minimum, these findings should be based on a "focused-scope" staff review which will concentrate on application specific attributes of the PRA. This includes a review of the assumptions and elements of the PRA model that drive the results and conclusions. Appendix A of this SRP provides more detailed guidance on several issues important to the application-specific reviews of probabilistic evaluations performed as part of risk-informed regulation.

In addition to the focused-scope review, the following factors should be considered in determining the need for a more detailed and larger scope staff review of the PRA.

  • Staff audits of the licensee's process for conducting a PRA have identified practices which could affect the quality of the technical analysis detrimentally;
  • Results of the licensee's analysis submitted in support of a licensing action are in some way counter-intuitive or inconsistent with results for similar plants on similar issues;
  • The licensee's analysis is part of a pilot application of PRA in a regulatory activity;

  • The PRA includes new methods that are unfamiliar to the staff.

Draft NUREG-1602 contains reference material that could be utilized to help in the larger scope staff review of PRAs.

Quality Assurance Requirements Related to the PRA

To the extent that a licensee elects to use PRA as an element to enhance or modify its implementation of activities affecting the safety-related functions of SSCs, appropriate quality requirements will also apply to the PRA. In this context, therefore, a licensee would be expected to control PRA activity in a manner commensurate with its impact on the facility's design and licensing basis. Section 2.7 of DG-1061 provides a description as to what quality elements are applicable to the licensee's PRA activities. The reviewer should determine that the quality of analyses and performance programs which affect safety-related equipment and activities will meet the quality guidelines as described in draft guide DG-1061.

II.3.2.5 Risk Impact Including Treatment of Uncertainty

Determination of Risk Impact from the Application

For many risk-informed applications, a quantitative estimate of the total impact of a proposed action is expected to be performed. This includes the evaluation of the absolute and/or relative changes in risk measures such as core damage frequency (CDF) and large early release frequency (LERF). The necessary sophistication of this evaluation depends on the justification arguments and the magnitude of the potential risk impact. For those actions justified primarily by traditional engineering considerations and for which minimal risk impact is anticipated, a bounding estimate may be sufficient. For actions justified primarily by PRA considerations for which a substantial impact is possible or is to be offset with compensatory measures, an in-depth and comprehensive PRA analysis is generally needed.

The acceptance guidelines for changes to the plant's risk profile are discussed in section 2.4.2 of draft Reg Guide DG-1061. In the detailed evaluation of risk significance, the following should be considered: baseline risk; change in the baseline risk; and risk in terms of CDF and LERF. It is necessary to address both internal and external events and all plant operational modes, but it may be possible to accomplish this without a full-scope PRA in all cases.

In accordance with DG-1061, it is expected that applications will result in a net decrease in risk or be risk neutral for plants with CDFs at or above 1E-4 per reactor year or LERFs at or above 1E-5 per reactor year. In these cases, the reviewer should verify that proposed compensatory measures or plant improvements would clearly offset risk increases from proposed relaxation in current requirements. It is preferred that the net change in risk be quantified; however, risk improvements can also be demonstrated in a non-quantitative sense as long as it can be clearly justified that the risk decrease will at least offset any risk increases.

For plants with base CDFs of less than 1E-5 per reactor year and base LERFs of less than 1E-6 per reactor year, CDF increase of less than 1E-6 per reactor year and LERF increase of less than 1E-7 per reactor year is allowed subject to the principles and expectations as specified in Section II.1 of this SRP being met.

In the review of where the plant stands in terms of the base risk, the staff should evaluate licensee justification of the base CDF and LERF. For PRAs that are full scope (i.e., those that include all probabilistically significant initiators and operating modes), the review could consist of the verification of PRA quality as described in Section II.3.2.4. For less than full scope PRAs, or in cases where the base risk is close to the acceptance guidelines (e.g., within a half order of magnitude of the guidelines), the reviewer should also consider the licensee's analysis of uncertainties as described later in this section of the SRP. For comparisons in the change in risk, the reviewer is referred to Sections II.3.2.1, II.3.2.2 and II.3.2.3 of this SRP.

In addition to the above guidelines, larger risk increases of 1E-5 in CDF and 1E-6 in LERF could be allowed subject to increased NRC management review. For this to apply, the base CDF should be less than 1E-4 per reactor year and the base LERF should be less than 1E-5 per reactor year. In the compilation of information for management review, the staff should include:

  • the scope, quality, and robustness of the analysis (including, but not limited to, the PRA), including consideration and quantification of uncertainties;
  • the base CDF and LERF of the plant;
  • the cumulative impact of previous changes (the licensee's risk management approach);
  • consideration of the Safety Goal screening criteria in the staff's Regulatory Analysis Guidelines, which define what changes in CDF and containment performance would be needed to consider potential backfits;
  • the impact of the proposed change on operational complexity, burden on the operating staff, and overall safety practices; and
  • plant-specific performance and other factors, including for example, siting factors, inspection findings, performance indicators, and operational events.

Treatment of Uncertainties

The uncertainties in the PRA results should be taken into account in the assessment of the risk impact and in the risk-informed decisionmaking process to demonstrate the robustness of the results. The general approach to taking uncertainty into account is discussed in section 2.4.2 of draft guide DG-1061. When required, the analysis of uncertainties should have the following attributes:

  • It should reflect the uncertainties associated with each parameter and provide an assessment of the confidence with which any numerical guidelines are met.

  • It should account for model uncertainties. There may be several alternate approaches to the analysis of certain elements of the PRA model. The licensee should document why the model or assumption used is appropriate both for the base case risk evaluation and for the analysis of the impact of the change. In certain cases, it may be necessary to perform sensitivity analyses using alternate models or assumptions to demonstrate the robustness of the conclusions.

  • It should attempt to address uncertainty that is caused by potential incompleteness of the scope of the PRA model. The licensee should address the lack of completeness either by demonstrating that the impact of the missing parts on both the base case risk and the change to risk as a result of the application is bounded so that the overall result is acceptable, or by limiting the scope of the application to the SSCs for which the impact on risk can be evaluated (see section II.3.2.2).

In the review of the analysis of uncertainties, the staff should:

  • review the types and sources of uncertainty that have been identified by the licensee, and how the uncertainties have been addressed with reference to the decision guidelines provided in DG-1061;
  • identify if results are strongly impacted by the specific models or assumptions adopted for the assessment of important elements of the PRA, and whether the sensitivity analyses that have been performed (if any) are sufficient to address the most significant uncertainties with respect to these elements. (Care should be taken when the characterization of a model uncertainty is such that the results fall into a bimodal or multi-modal distribution, and one or more of the modes exceeds the acceptance guidelines. The review of the results then should be based on an evaluation of the significance of the hypotheses associated with those modes that exceed the guidelines);

  • determine whether the limitations in scope of the PRA, and other completeness issues have been addressed adequately by either limitation of the scope of the application, or by a demonstration that the impact of the unanalyzed portion of the risk on both the base case risk and on the change in risk is bounded or can be neglected.

Cumulative and Synergistic Effects from all Applications

The flexibility available to any given plant is not only a function of where it started in terms of base risk, but also a function of how much risk increase has taken place in preceding applications. As discussed in the next section, licensee risk management practices are expected to keep the cumulative increases low. The reviewer is expected to look at past changes in the plant to see if large increases are being accumulated. The reviewer should verify that:

  • each application is carried out with reference to a model that already reflects previous applications;

  • the cumulative changes from license amendments are being monitored; and
  • the accumulation of applications has not created dominant risk contributors.

Beyond cumulative effects, synergistic effects are also possible, not all of which would emerge from a quantification of the PRA. For example, if conventional importance ranking approaches are employed to determine importance of SSCs, it would be possible that multiple requirements could be relaxed on certain "low" significant components under multiple applications. If the QA (potentially affecting the failure rate) and the test interval (potentially affecting fault exposure time) were to be relaxed for the same component, the component unavailability could increase more than expected (since failure rate and fault exposure time combine multiplicatively in the calculation of unavailability). If the effects of QA on failure rate could be quantified convincingly, this would be addressed explicitly, but this cannot presently be assured. As a result, there is potential for different applications to lead to unintended and unquantified synergistic effects on unavailability of a given component.

Synergistic effects on a given element can be addressed by showing that the basic event model adequately reflects the effects of programmatic activities and that the calculated unavailability, propagated through the PRA, is consistent with the needed performance with regard to the risk indices and the defense-in-depth concept. However, it is more straightforward simply to not allow for the relaxation of multiple programmatic requirements on a given component, unless demonstrable justification is provided that the risk contribution from the component is negligible for conditions covered by the set of requirements. For example, if IST is relaxed on a given component, it would be preferable not to relax QA as well, unless good arguments are given for allowing this.

Risk Management

One of the goals of the review should be to ensure that in the course of the licensee's engineering evaluations, principles of risk management are applied appropriately in the process of evaluating changes to current regulatory requirements. For the purposes of this SRP, "risk management" will refer to an approach to decisionmaking about safety that seeks to allocate available resources and worker dose in such a way as to minimize the risk to public health and safety from plant operations. The staff recognizes that there is a point of diminishing returns in risk reduction and that some residual risk will be associated with plant operation, but expects that an effort will be made to identify reasonable measures to control this residual risk as part of the risk-informed regulatory process.

Therefore, as a staff expectation, the process of risk management in risk-informed decisionmaking should not be biased towards elimination of requirements to the exclusion of safety enhancements that would convey a worthwhile safety benefit. Licensees are expected to apply risk insights in an unbiased way, and licensees who do not satisfy subsidiary safety objectives (as defined in DG-1061) are expected to proactively seek safety enhancements in conjunction with any risk-informed applications.

Allowed increases in the CDF and LERF from proposed licensee applications should be small and any increases in the risk should not cause the NRC Safety Goals to be exceeded. The size of an allowable individual risk increase (per DG-1061) depends on the magnitude of the current plant risk. Net increases should generally not be considered without some evidence of licensee effort to identify measures to offset the risk increases caused by the proposed relaxations.

Finally, when risk increases are proposed, reviewers should consider plant performance and past changes to the licensing basis to ensure that there is no pattern for a systematic increase in risk. Insights on the licensee operational practices, management controls, risk management programs, plant configuration control programs, or performance monitoring programs from previous applications can be obtained from the NRC regional offices or from documentation of NRC inspection activities.

II.3.3 Integrated Decisionmaking Process

The acceptability of the proposed changes should be reviewed and determined in an integrated fashion. The reviewer should verify that the results of the traditional engineering analyses and the risk assessment have been used to ensure that the principles listed in section II.1 have been met. Due to the scope and quality of the engineering analyses, careful examination of the underlying assumptions in the analyses may be necessary to conclude with reasonable assurance that the principles were satisfied.

As part of the integrated decisionmaking process, implementation and monitoring strategies should be utilized to provide confidence in the results of the underlying engineering analyses. In addition, compensatory measures which reduce risk can be taken to offset incompleteness or uncertainties in the analysis. Compensatory measures can also be used to offset a quantifiable increase in risk with non-quantifiable but expected improvements in safety.

To ensure that the underlying assumptions utilized in the PRA remain valid, the integrated decisionmaking process should ensure that an appropriate set of programmatic activities (e.g., IST, GQA, ISI, maintenance, monitoring) are maintained for important elements of the plant response capability. In addition, performance of compensating SSCs should be assured (through programmatic activities) when these SSCs are used to help justify the relaxation of requirements of other SSCs.

The process used by licensees to integrate traditional and probabilistic engineering evaluations for risk-informed decisionmaking is expected to be well-defined, systematic, repeatable, and scrutable. Appendix B of this SRP provides review guidance and staff expectations of licensee integrated decisionmaking process.

II.4 Element 3: Develop Implementation and Monitoring Strategies

Implementation and monitoring strategies are important in most risk-informed processes since they can provide early indication of SSC or other plant performance under the proposed changes. In addition, these strategies may be needed to ensure that the key assumptions or performance of key SSCs related to a proposed change are effectively maintained. Section 2.5 of DG-1061 provides guidance for the suggested process in this submittal element.

A key element in the performance monitoring process is the verification of the capability and availability allocated to SSCs which support the underlying basis for the decisionmaking. This process should also include non-safety related SSCs that are relied upon to justify the proposed change to the CLB.

The reviewer should evaluate the implementation and monitoring strategies based on findings of the traditional engineering and probabilistic evaluations. When broad implementation is proposed over a short period of time, the


reviewer should verify that this is consistent with the traditional engineering evaluations, defense-in-depth (including common cause failure) considerations, and risk evaluation models and assumptions. When there is a need to gain additional performance insights given a change in requirements, the reviewer should verify that a phased approach to implementation has been proposed. If this phased approach involves plan implementation for different SSC groups at different times, the basis for the selection of the SSC groups and the timing should be reviewed.

When SSC or licensee performance can be affected by the proposed change, the reviewer should ensure that monitoring strategies are proposed to evaluate the performance over a period of time. This monitoring should be based on the reliability/availability and key modeling assumptions allocated to SSCs in the risk model (or on performance of operators, where appropriate) used to support the proposed change in regulation. As such, the reviewer should ensure that performance criteria chosen are consistent with the level of performance allocated in the risk analysis. When monitoring that is already being performed as part of the Maintenance Rule implementation is also proposed for the current application, the reviewer should ensure that the performance criteria chosen are appropriate for the application in question.

Licensee proposed corrective actions should also be reviewed as part of the review on the monitoring program. If monitoring detects degradation, then there should be provisions for the SSCs to be refurbished, replaced, or tested/inspected more often (or a combination of these initiatives). The selected action should be based on a root cause analysis of the degradation, whether it is generic, age-related, etc.

The reviewer should evaluate if the information gathered during monitoring activities is extensive enough to provide a timely indication of component degradation. Since many components are inherently quite reliable, the limited tests on a limited number of similar components may not provide adequate data, especially for newer plants where aging effects may not be detected until the proposed program is fully in place (and the advantages of a phased implementation are lost). One approach to ameliorate this concern would be to obtain performance data of similar SSCs at other plants with a range of operating times to expand the applicable database over a range of component ages. Such a program would be expected to provide a better chance of early detection of SSC reliability degradation.

A review (or evaluation) of the impact on plant risk and SSC functionality, reliability and availability given the proposed implementation and monitoring plan should also be carried out. The benefits from the implementation and monitoring programs should be balanced against any negative impact on risk.


Finally, the reviewer should also look at the criteria to be applied in deciding what actions are to be taken in cases where performance falls below that predicted by the supporting evaluations. Corrective action procedures should be in place before implementation of the proposed program.

II.5 Element 4: Staff Evaluation of Submittal

CLB change based on review guidance provided in earlie engineering available by and licensing information have to be submitted or be made the licensee. Furthermore, the data, methods, and assessment criteria used to support the regulatory decisionmaking should be available for public review.

In addition, appropriate regulatory action should be requested by the licensee. form of requests for license amendments (including changes to license of orders conditions), technical specification changes, changes to or withdrawal changes un, der 10 CFR 50.54 aand changes to programs pursuant to 10 CFR 50.54 (e.g the change request isi . appro(pr)) The staff should determine if: 1) the form of ate for the proposed CLB change; ( information required by the relevant regulation (s) in support of the request is submitted; and (iii) the request is in accordance with relevant procedural requirements. 10 CFR 9550.90, 50.91 and 50.92, as well as the procedural req CFR 550.4. change draft request, that information should meet the guidance in 'Se guide DG-1061.

Licensees have a choice of whether to submit results or insights from risk analyses in support of their CLB change request. Where the licensee's proposed change to the CLB is consistent with currently-approved staff positions, the Staff's determination will be based solely on traditional engineering analysis without recourse to risk information (although the Staff may consider any risk information which is submitted by the licensee).

However, where the licensee's proposed change goes beyond currently-approved staff positions, the Staff should consider both information based upon traditional engineering analysis as well as information based upon risk insights. If the licensee does not submit risk information in support of a CLB request that thewhich change licenseegoes beyond provide currently-approved Staff positions, the Staff m this information. Such a request is not a backfit under 10 CFR 50.109. information, the Staff will review the proposed application using traditional engineering analysis and determine whether sufficient information has been provided to support the requested change.

with high risk significance which are not currently subject

requirements, or are subject to a level of regulation which is not commensurate with their risk significance, and propose CLB changes that will subject these SSCs to the appropriate level of regulation, consistent with the risk significance of each SSC. Specific information on the staff's expectations is set forth in the application-specific regulatory guides. The staff reviewer should assure that the application-specific guidance is followed. If there is no guidance, the reviewer should determine whether any assumptions from the risk analysis are reflected in the licensing basis, and that commitments for enhanced regulatory requirements/controls applicable to high risk SSCs not currently subject to regulatory requirements (or subject to a level which is not commensurate with their risk significance) are appropriate and reflected in the licensing basis.

Update of the Safety Analysis Report

Reviewers should assure that the proposed changes, when approved by the staff, will be appropriately included in future updates to the licensee Safety Analysis Report. In addition, important assumptions including SSC functional capabilities and performance attributes, which play a key role in supporting the acceptability of the CLB change, should be identified by the licensee. Since the continued satisfaction of these assumptions is necessary to maintain the validity of the safety evaluation, the reviewer should verify that such assumptions are reflected by licensee commitments which are incorporated into the Safety Analysis Report. The reviewer should verify that the licensee has submitted revised FSAR pages as necessary. This revision should include all the programmatic activities, performance monitoring aspects and SSC functional performance and availability attributes which form the basis of the request. This material should identify those SSCs whose performances should be verified (including nonsafety-related SSCs whose performance and reliability provide part of the basis for the CLB change).

NEPA Considerations

In accordance with 10 CFR Part 51, environmental protection regulations such as those from the National Environmental Policy Act (NEPA) would have to be addressed as part of the staff's review process. The reviewer should utilize NRR Office Letter 906, Revision 1 and 10 CFR 51.25 to determine how the NEPA requirements are to be addressed. If it is determined necessary, an environmental assessment (EA) should be prepared to assess whether an environmental impact statement (EIS) is required or whether a finding of no significant impact (FONSI) can be made. It is expected that, if all the guidance and acceptance criteria provided in DG-1061 is satisfied, the staff should normally be able to make a finding of no significant impact for the proposed CLB change.

Table II-1 (page 1 of 3)²

Questions to Assist in Establishing the Cause-Effect Relationship

LEVEL 1 (INTERNAL EVENTS PRA)

Initiating Events

  • Does the application introduce consideration of new initiating events?
  • Does the application address changes that lead to a modification of the initiating event groups?
  • Does the application necessitate a reassessment of the frequencies of the initiating event groups?
  • Does the application increase the likelihood of a system failure that was bounded by an initiating event group to the extent that it needs to be considered explicitly?

Success Criteria

  • Does the application necessitate modification of the success criteria?
  • Does the modification of success criteria necessitate changes in other criteria, such as system interdependencies?

Event Trees

  • Does the application address an issue that can be associated with a particular branch, or branches on the event trees, and if so, is the branching structure adequate?
  • Does the application necessitate the introduction of new branches or top events to represent concerns not addressed in the event trees?
  • Does the application necessitate consideration of re-ordering branch points, i.e., does the application affect the sequence dependent failure analysis?

System Reliability Models

  • Does the application impact system design in such a way as to alter system reliability models?
  • Does the application impact the support functions of the system in such a way as to alter the dependencies in the model?
  • Does the application impact the system performance, and, if so, is that impact on the function obscured by conservative modeling techniques?

Parameter Data Base

  • Can the application be clearly associated with one or more of the basic event definitions, or does it necessitate new basic events?
  • Does the application necessitate a specialized probability model (e.g., time dependent model, etc.)?
  • Does the application necessitate modifications to specific parameter values?
  • Does the application introduce new component failure modes?
  • Does the application affect the component mission times?
  • Does the application necessitate that the plant specific (historical) data be taken into account, and can this be achieved easily by an update of the previous parameters?
  • Does the application involve a change which may impact parameter values, and do the present estimates reflect the current status of the plant with respect to what is to be changed?

Dependent Failure Analysis

  • Does the application introduce or suggest new common cause failure (CCF) contributions?
  • Does the application introduce new asymmetries that might create sub-groups within the CCF component groups?
  • Is the application likely to affect CCF probabilities?

² Information from section 3.3 of the EPRI PSA Applications Guide provided substantial input to this listing.

Table II-1 (page 2 of 3)

Questions to Assist in Establishing the Cause-Effect Relationship

Human Reliability Analysis

  • Does the application involve a procedure change?
  • Does the application involve a new human action?
  • Does the application change the available time for human actions?
  • Does the application affect the human action @hy analysis?
  • Does the application eliminate or modify an existing human action?
  • Does the application introduce or modify dependencies between plant instrumentation and human actions?
  • Is the application concerned with events that have been screened from the model, either in whole or in part?
  • Does the application impact a particular performance shaping factor (PSF), or a group of PSFs, and are they explicitly addressed in the estimation approach? For example, if the issue is to address training, is training one of the PSFs used in the HRA?
  • Does success in the application hinge on incorporating the impact of changes in PSFs, and if so, do the current estimates reflect the current status of these PSFs?
  • Is it possible that the particular group of human error events that is affected by the change being analyzed has been truncated?
  • Does the change address new recovery actions?

Internal Flooding

  • Does the application affect the screening analysis, for example, does the application result in the location of redundant trains or components into the same flood zone?
  • Does the application introduce new flooding sources or increase existing potential flood inventories?
  • Does the application affect the status/availability of flood mitigation devices?
  • Does the application affect flood propagation pathways?
  • Does the application affect critical flood heights?

Quantification

  • Does the application change any of the basic event probabilities?
  • Does the application change relative magnitudes of probabilities?
  • Does the application only make probabilities smaller?
  • Is the new result needed in a short time scale?
  • Does the application necessitate a change in the truncation limits for the model?
  • Does the application affect the "delete terms" used during the quantification process? (More specifically, does the application introduce new combinations of maintenance actions or operating modes that are deleted during the base case quantification process using the delete function?)
  • Does the application affect equipment that have been credited for operator recovery actions? Also, for recovery actions that credit inter-system or inter-unit cross ties, the effect on other systems or functions or on the operation of the other unit should be considered and addressed.

Analysis of Results

  • Does the application necessitate an assessment of uncertainty, and is it to be qualitative or quantitative?
  • Are there uncertainties in the application that could be clarified by the application of sensitivity studies?
  • Does the application strategy necessitate an importance analysis to rank contributions?
  • Does the application necessitate that an importance, uncertainty, or sensitivity analysis of the base case PRA exist?

Plant Damage State Classification

  • Does the application impact the choice of parameters used to define plant damage states?
  • Does the Key Plant Damage States (KPDS) utilized adequately represent the results of the Level 1 analysis by including the plant damage states that have a significant frequency of occurrence?
  • Have those plant damage states that have been eliminated in this process been assigned to KPDSs of higher consequence (e.g. likelihood of Large Early Release)?

Table II-1 (page 3 of 3)

Questions to Assist in Establishing the Cause-Effect Relationship

LEVEL 2 (CONTAINMENT ANALYSIS PRA)

  • Have new containment failure modes identified by the application been addressed in the PRA? Are potential changes accounted for?
  • Are any dependencies among containment failure modes being changed?
  • Does the application involve mechanisms that could lead to containment bypass?
  • Does the application involve mechanisms that could cause failure of the containment to isolate?
  • Does the application directly affect the occurrence of any severe accident phenomena?
  • Does the application necessitate use of risk measures other than large, early release?
  • Does the application change equipment qualification to the point where it affects timing of equipment failure relative to containment failure?
  • Does the application affect core debris path to the sump/suppression pool or to the other portions of the containment?
  • Does the selected source term categories adequately represent the revised Containment Event Tree (CET) endpoints? Are CET endpoint frequencies changed enough to affect the selection of the dominant/representative sequence(s) in the source term binning process?
  • Does the application affect the timing of release of radionuclides into the environment relative to the initiation of core melt? and relative to the time for vessel rupture?

LEVEL 3 (CONSEQUENCE ANALYSIS PRA)

  • Does the application necessitate detailed evacuse doses?
  • Are individual doses at specific locations needed for this application?
  • Is evacuation or sheltering being considered as a mitigation measure?
  • Are long term doses a consideration in this application?

EXTERNAL EVENTS PRA (Hazard Analysis)

  • Will the changes introduce external hazards not previously evaluated?
  • Will the changes increase the intensity of existing hazards significantly?
  • Are design changes modifying the structural response of the plant being considered?
  • Does the change impact the availability and performance of necessary mitigation systems for an external hazard?
  • Does the application significantly modify the inputs to the plant model conditioned on the external event?
  • Are changes being requested for systems designed to mitigate against specific external events?
  • Does the application involve availability and performance of containment systems under the external hazard?

SHUTDOWN PRA

  • Will the changes affect the scheduling of outage activities?
  • Will the changes affect the ability of the operator to respond to shutdown events?
  • Will the application affect the reliability of equipment used for shutdown conditions?
  • Will the changes affect the availability of equipment or instrumentation used for contingency plans?


III. EVALUATION FINDINGS

The results of a reviewer's evaluation should reflect a consistent and scrutable integration of the probabilistic considerations and traditional engineering considerations provided by the licensee or applicant and developed independently by the reviewer. To make a finding of acceptability the reviewer will generally need to show that in light of a small or non-existent increase in risk and a reduced level of conservatism, defense-in-depth and sufficient safety margins are maintained. Findings of acceptability should be supported with logical bases built from an evaluation of the considerations given in section II.

The reviewer should confirm that sufficient information is provided in accordance with the requirements of this SRP and that the evaluation supports conclusions as specified below, to be included in the staff's safety evaluation report.

General

  • The proposed change meets the current regulations. This principle applies unless the proposed change is explicitly related to a requested exemption or rule change (i.e., a 50.12 "specific exemption" or a 2.802 "petition for rulemaking").
  • Defense-in-depth is maintained.
  • Sufficient safety margins are maintained.
  • Proposed increases in risk and their cumulative effect are small, and these changes do not cause the NRC Safety Goals to be exceeded.
  • Performance-based implementation and monitoring strategies are proposed that address uncertainties in analysis models and data and provide for timely feedback and corrective action.
  • All safety impacts of the proposed change are evaluated in an integrated manner as part of an overall risk management approach in which the licensee is using risk analysis to improve operational and engineering decisions broadly and not just to eliminate requirements the licensee sees as undesirable. The approach used to identify reduced requirements was also used to identify if there are areas where requirements should be increased.
  • The acceptability of the proposed changes has been evaluated in an integrated fashion that ensures that all principles are met.
  • Increases in estimated CDF and LERF resulting from proposed CLB changes are limited to small increments.

  • The scope and quality of the engineering analyses (including traditional and probabilistic analyses) conducted to justify the proposed CLB change are appropriate for the nature and scope of the change and are based on the as-built and as-operated and maintained plant.
  • Appropriate consideration of uncertainty has been given to analyses results and interpretation of findings.
  • The plant-specific PRA supporting licensee proposals has been subjected to quality controls such as an independent peer review.
  • Data, methods, and assessment criteria used to support regulatory decisionmaking are available for public review.

Definition of the Proposed Change

  • Adequate traditional engineering and probabilistic evaluations are available to support the proposed CLB change. Plant-specific and relevant industry data and operational experience also supports the proposed change.
  • Cause-effect relationships have been identified to adequately link the application with the PRA model elements.
  • The proposed risk models can effectively evaluate or realistically bound the effects of the proposed change.
  • Information from engineering analyses, operational experience, plant-specific performance history have been factored into the decision process.

Evaluations of Defense-In-Depth Attributes and Safety Margins

  • Defense-in-depth is preserved, for example: system redundancy, diversity and independence is maintained commensurate with the expected frequency and consequence of challenges to the system; defenses against potential common cause failures are maintained and the introduction of new common cause failure mechanisms is assessed; and defenses against human errors are maintained.
  • Sufficient safety margins are maintained, for example: codes and standards approved for use by the NRC are met or deviations justified; and safety analysis acceptance criteria in the CLB are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainty.
  • Current regulations have been met or the proposed exemption is acceptable.

Scope of Risk Analysis

  • The licensee's PRA satisfactorily addresses all mode/initiator combinations, OR
  • The licensee's PRA does not need to analyze the following mode/initiator type combinations. [List combinations] In each instance, the licensee has demonstrated that:

    o suitably redundant and diverse plant response capability is maintained for significant initiators in these modes; and
    o sufficient elements of the plant response capability are subject to programmatic activities to assure suitable performance.

Level of Detail of Risk Analysis

  • The PRA is detailed enough to account for important system and operator dependencies.
  • Risk insights are consistent with the level of detail modeled in the PRA.

Quality of the PRA

  • There is reasonable assurance of PRA adequacy as shown by the licensee process to ensure quality and by a focused scope application-specific review by the staff.

  • Results are robust in terms of uncertainties and sensitivities to the key modeling parameters.
  • Key performance elements for the application have been appropriately classified and performance is backed up by licensee commitments.

Risk Impact and Treatment of Uncertainty

  • If the risk-informed application is based on the quantification of the change to risk, then the following applies:

    o The application is either risk neutral or results in a decrease in plant risk, OR
    o If an application results in an increase in risk, the increase is within the guidelines defined in draft guide DG-1061. The cumulative and synergistic effects on risk from the present and previous applications have been addressed. Licensee risk management practices are being followed to minimize the risk from plant operations.
    o In either of the above cases, an appropriate consideration of uncertainties is provided in support of the proposed application. The licensee showed that the uncertainty in the risk change was small compared to the margin between the estimated change and the allowable change. This argument was supported either by explicit propagation or by a qualitative and/or sensitivity analysis showing that no event contributing to the change in risk is subject to significant uncertainty.

  • If the risk-informed application is based on a qualitative assessment of the change to risk, then the application is shown to result in a decrease in plant risk, or is risk neutral, or CDF and LERF increases are shown to be acceptable based on bounding evaluations or sensitivity studies. When this assessment is based solely on traditional engineering information or use of compensatory actions, then the application clearly shows a reduction in risk.

Integrated Decisionmaking Process

Results from traditional engineering analyses and risk analyses have been used to ensure that the principles for risk-informed decisionmaking have been met. Potential analysis limitations, uncertainties and conflicts are resolved by use of conservative results, or by use of appropriate implementation and monitoring strategies, or by use of appropriate compensatory measures.

The integrated decisionmaking process is well-defined, systematic, repeatable, and scrutable.

Implementation and Monitoring Strategies

The implementation process is commensurate with the uncertainty associated with the results of the traditional and probabilistic engineering evaluations.

A monitoring program which could adequately track the performance of equipment covered by the proposed licensing changes was established. It was demonstrated that the procedures and evaluation methods will provide reasonable assurance that performance degradation will be detected and that the corrective action plan will assure that appropriate actions can be taken before SSC functionality and plant safety is compromised. Data from similar plants will be used if needed.

In addition to the tracking of performance of SSCs affected by the application, the performance monitoring process also includes the tracking of performance of SSCs which support the underlying basis for the decisionmaking.

Licensee Submittal

  • The submittal includes sufficient information to support conclusions regarding the acceptability of the proposed change.
  • The appropriate regulatory action was requested. In addition, pertinent information on the CLB change will be included in the Safety Analysis Report, technical specifications or license conditions as necessary.
  • The licensee has appropriately committed to the important programmatic and performance assumptions in the PRA and engineering analyses which served as the basis of the CLB change. These include any enhancements to regulatory requirements necessary to preserve assumptions in the PRA and engineering analyses, and to reflect new regulatory requirements for high risk significant SSCs not otherwise subject to existing requirements, commensurate with their risk significance. These commitments are reflected in revisions to the Safety Analysis Report, technical specifications or appropriate licensee conditions have been imposed by the staff.

IV. IMPLEMENTATION

The following is intended to provide guidance to applicants and licensees regarding the NRC staff's plans for using this SRP section.

Except in those cases in which the applicant or licensee proposes an acceptable alternative method for demonstrating that a proposed CLB change is acceptable, the method described herein will be used by the staff in its evaluation of risk-informed changes to the CLB.

V. REFERENCES

1. "Status Update of the Agency-Wide Implementation Plan for Probabilistic Risk Assessment", U.S. Nuclear Regulatory Commission, SECY-95-279, March 30, 1995.
2. NRC Policy Statement on "Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities", 60 Federal Register (FR) 42622, August 16, 1995.
3. "Framework for Applying Probabilistic Risk Analysis in Reactor Regulation", U.S. Nuclear Regulatory Commission, SECY-95-280, November 27, 1995.
4. "PSA Applications Guide", Electric Power Research Institute, EPRI-TR-105396, August 1995.
5. "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," Draft Regulatory Guide, DG-1061, XXXXX, 1997.
6. "Guidelines for Use of PRA in Risk-Informed Applications", Draft NUREG-1602, XXXXX, 1997.
7. "Procedures for Treating Common Cause Failures in Safety and Reliability Studies", NUREG/CR-4780, January 1988.
8. "Severe Accident Risks: An Assessment for Five Nuclear Power Plants," NUREG-1150, Volumes 1 and 2, December 1990.
9. "Common-Cause Failure Data Collection and Analysis System", Draft Volumes 1 through 6, INEL-94/0064, December 1995.


Appen: GUIDANCE FOR A FOCUSED-SCOPE APPLICATION SPECI

As stated in Section 11.3.2.4 of this SRP and in draft guide DG-1061, PRAs that are used in risk-informed submittals to determine risk significance or risk impact should have been shown to be of adequate quality. Staff [...] include a review of the licensee process for PRA quality assurance. Where necessary, this should be supplemented by an overall review of the following: event and fault tree models; data on SSC failures and common cause failures; mission success criteria; initiating event analysis; human reliability analysis; and result quantification including the analysis of uncertainties. These reviews should be of sufficient detail to provide the staff with confidence that the PRA properly reflects the plant's CLB and actual operating conditions and practices. Results from previous staff review efforts (e.g., from prior applications) should be utilized as appropriate.

In addition to the general overall review as described above, staff reviewers are also expected to perform a focused-scope review of the risk analysis on an application-specific basis. This appendix provides review guidance on the likely elements of a PRA which may affect or be affected by proposed changes to the CLB.

A.1 Use of Appropriate Data

a. Area of Review

In risk-informed applications it is important that appropriate SSC failure data is used. Furthermore, [...] operating history, the only choice is use of generic data. [...] when the impact of the change is being modeled as a modification of parameter values, there may be no plant-specific data to support the modification. The data related issues are the following: a) if [...] to be modeled as a change in parameter values associated with basic events representing modes of unavailability of certain SSCs, these changes should be reasonable and should be supported by technical arguments; and b) the impact of the change is neither exaggerated nor obscured by the parameter values used for those SSCs unaffected by the change.

b. Review Guidance and Procedures

It is to be expected that, for a PRA that has undergone a technical review, parameter values will have been judged to be appropriate, whether they have been evaluated using generic or plant specific data. However, since the review was focused on the PRA as a base case model, a different perspective on the appropriateness of parameter values may be required for specific applications. Th[...] focus on those parameter values that have the potential to change the conclusion of the analysis. For example, parameters associated with SSCs that appear in the same cutsets as the affected SSCs have the potential to distort the conclusions by decreasing the assessed importance of the change if their values are too low, or by increasing it if their values are too large. Similarly, parameters that contribute to the cutsets that do not contain affected SSCs can decrease the importance of the change by being too large, or increase it by being too low.

Whether the data used is plant-specific, generic, or a combination of both, the parameter values are expected to be consistent with generally accepted values from PRAs of similar plants, or significant deviations should have been justified. Significant in this context can be defined as no greater than a factor of 3 for the mean values of the failure rate or failure probability. The focus of the review should be on those parameter values which both have a significant impact on the results as discussed above, and which deviate significantly from the generally accepted norm.

If it was decided that a more detailed review of the parameter values is appropriate, then the following guidance applies. For plant-specific data, the reviewer should determine how plant records were used to estimate the number of events/failures, the number of demands, and the operating hours or standby hours. The reviewer should verify the consistency between the definitions of failure modes and component boundaries used in the risk analysis and the definitions used in the plant records. When generic data are used, it is important to verify that the plant component is typical of the generic industry component. In cases where generic failure rates are used in combination with plant-specific data like test intervals, the reviewer should verify that the generic data are applicable for the range of plant data used.

When evaluating the impact of the change, it is important for the reviewer to recognize the assumptions that have gone into developing the PRA model. For example, two models are commonly used for events representing the unavailability of a standby component on demand; the standby failure rate model and the constant probability of failure on demand model. Using the former model can result in large differences between the unavailabilities of components whose test intervals differ significantly, given the same standby failure rate is used. The reviewer should be sensitive to this effect, and ascertain that appropriate models are used. As another example, in considering plant-specific failure data, poorly-performing individual components may have been grouped with other components, allowing their poor performance to be averaged over all components of that type. Poor performance may arise because of inherent characteristics of one member of what would otherwise be considered a uniform population, or may arise because components are operating in a more demanding environment. If these components are grouped together with others for which the operating conditions are more favorable, then the failure rates used for the poor performers could be artificially lowered. If requirements are relaxed based on the group failure rate, reduced programmatic attention to these poor performers could lead to a greater than expected probability of experiencing an in-service failure of one of these components. The reviewer should be aware of such effects, and should make sure that components are grouped appropriately.

When the impact of the change is being modeled as a change in the parameter values associated with specific basic events representing modes of unavailability of SSCs, the reviewer should focus on whether the change in parameter values is appropriate and reasonable. The rationale behind the change in parameter values is expected to be documented and should be reviewed carefully.

If generic values are used for the base case parameter values which are candidates for being changed, it should be checked that the conditions under which the generic data are applicable do not correspond to those which would be more appropriate for a plant with the change incorporated. This should only be a real concern if the plant being changed is somewhat untypical with respect to the issue being addressed by the change. This would not be a concern if plant specific data were being used.

Finally, as a validation of the data used to justify CLB changes in risk-informed applications, monitoring of the performance of components affected by the application is important. This monitoring should be performed as the proposed application is phased in. For very reliable SSCs, it may be necessary for the licensee to review available operating experience at other plants for applicability to the licensee's plant to expand the operating experience database. The reviewer should ascertain that the monitoring program is capable of demonstrating that the performance of the components or systems is in accordance with what has been assumed.

c. Evaluation Findings

The reviewer verifies that information was provided to support the following conclusions:

  • The failure rates and probabilities used, especially those that directly affect the proposed application, appropriately consider both plant-specific and generic data that are consistent with generally accepted values from PRAs of similar plants, and deviations (if any) have been justified.
  • The licensee has systematically considered the possibility that individual components could be performing more poorly than the average associated with their class, and have avoided relaxation for those components to the point where the unavailability of the poor performers would be appreciably worse than that assumed in the risk analysis.

  • The changes to the parameter values impacted by the application are both justified and reasonable.
  • Data used to support changes to the CLB are supported by an appropriate performance monitoring program.

A.2 Initiating Events

a. Area of Review

Whether or not a particular initiating event is included in a PRA depends on the scope of the PRA, the frequency of that event, the available plant systems or other features to mitigate the event, and the consequences of the event if unmitigated. Proposed plant changes could affect the frequency of initiating events, the probability of mitigation of event initiators and, in some cases, event consequences. In addition, plant changes could potentially introduce new initiating events or result in previously screened out events becoming more important.

b. Review Guidance and Procedures

For risk-informed applications, the staff should determine if initiating events and anticipated plant response are affected by the proposed changes. The reviewer should determine if the proposed changes: (i) can lead to an increase in the frequency of an initiator already included in the PRA; (ii) can lead to an increase in the frequency of an initiator initially screened out in the PRA; (iii) have the potential to introduce new initiating events; and (iv) can affect the grouping of initiating events. These are discussed further below.

Applications that result in changes to initiator frequency or the ability of the plant to respond to event initiators are relatively easy to model in the risk analysis if the initiators are already included in the base analysis. In these cases, the impact of the changes should be evaluated directly from the risk model.

In cases where initiators are not included in the original risk analysis based on screening evaluations, it is necessary to review whether initiating events previously screened out on grounds of low frequency might now be above the screening threshold as a result of a proposed application. Plant changes could increase the frequency of initiating events that were relatively infrequent to begin with, or these changes could affect SSCs or operator actions that were credited with the satisfactory mitigation of initiating events. If initiating events increased in frequency as a result of an application to the point where it became important (i.e., could no longer be screened out), then the scope of the analysis would need to change to reflect this.

Usually, low frequency of an event by itself is not sufficient as a criterion for screening purposes. The consequences of non-mitigation of the events also play a big part in this process. For example, interfacing system LOCAs are often assessed as low frequency events, but because of their impact on public health and safety, they can be important. Therefore, for potentially high consequence events, even if the event frequency is below a screening criterion, the features that lead to the frequency being [...] account in reviews of PRA applications.

Proposed plant changes should be evaluated to determine if these changes [...] result in initiators not previously analyzed in the PRA. For example, changes might enhance the potential for spurious operation of components whose [...] may cause initiating events or changes might increase the likelihood for operator errors of commission which may result in plant trips. If mechanisms for producing new initiators have been identified, the reviewer [...] these initiators can be analyzed.

In PRAs, initiating events are usually grouped according to the systems required to respond to the transient. This implies that [...] plant systems and operator response are similar for all events in a group. In addition, events may be screened out when it can be shown that they are bounded in probability and consequence by other similar events. In the review [...] ensure that grouping criteria used in the base analysis have [...] true, the licensee has made appropriate changes to the event groupings.

Finally, it should be noted that many PRAs model initiating events as basic events or "black boxes". [...] that initiating events especially those that result from th[...] dependencies are fully understood and accounted for. If this is not the case, the reviewer [...] events that could lead to the "failure" of the black box. [...] a better un[...] risk categorization applications.

c. Evaluation Findings

The reviewer verifies that the information provided and review activities support the following conclusions:

  • The licensee has adequately considered the effects of proposed [...] initiating events previously screened out.
  • The changes have been shown to not result in new initiators [...] in the risk model.
  • Proposed changes have been taken into account in the grouping of initiating events.
  • Dependencies between the initiating events and the plant mitigation systems have been considered in the decisionmaking process.

A.3 Determination of Success Criteria

a. Area of Review

Guidance in the PRA policy statement and in DG-1061 stipulates that realistic analysis should be used in PRA implementation. The following discussion is aimed at sorting out what is meant by "realistic" analysis of success criteria by reference to SAR analysis.

In order to fulfill its intended purpose, SAR analysis is ordinarily based on a set of assumptions containing significant embedded conservatisms. SAR analysis also reflects a postulated single active failure in addition to whatever event initiated the sequence. When a SAR analysis shows a successful outcome, then, there is good reason to believe that apart from beyond-single-failure scenarios, the system will meet or exceed performance requirements for the initiating event considered. Applying the SAR mission success criterion in a PRA would be conservative, in the sense that the probability of failure to meet this standard of performance would be greater than probability of failure to meet a more realistic standard of performance. However, re-analyzing event sequences with conventional SAR tools would be too burdensome to apply to the large number of scenarios that are defined in the course of a PRA. In addition, the rather specialized computer codes used in SAR analysis may not be appropriate in beyond-single-failure scenarios. Traditionally, development of mission success analysis in PRAs has ranged from the use of faster running models that might not have the same level of quality assurance as the conventional SAR tools, to the extrapolation of results from analysis performed on similar plants.

In order to satisfy the Commission guideline, then, the staff should find that the applicable PRA insights have not been distorted by a systematic conservative bias in mission success criteria, and that mission success criteria used to justify changes to the CLB have a sound technical basis.

b. Review Guidance and Procedures

When it is determined that the results and conclusions of a risk-informed application are especially sensitive to the choice of mission success criteria, or if the modeling is particularly controversial, the staff should review the relevant success criteria and the basis for each. In cases where the basis is lacking, the reviewer should either request additional licensee justification or seek independent analysis.


If the basis is analytical, staff evaluation of the code used and the data may be appropriate. [...] have not received adequate licensee or other industry review [...] examination of the models should also be considered.

The models, codes, and input used to determine mission success criteria should meet QA standards that are consistent with general accepted methods. This standard should include configuration control of the analysis input and results. The standard does not have to be the same as the standard applicable to SAR analysis, but it should be explicit (i.e., engineering calculations and codes should be verified and quality assured) and it should be formalized by the licensee as part of the licensee QA program.

Some mission success criteria can validly be extrapolated between similar plants when a firm basis for the criterion is created at the first plant and it is shown that plant-specific features do not invalidate the comparison.

On an application specific basis, the emphasis of the review should be on whether the definition of the system success criteria will be affected by the application specific elements or the elements required in the same minimal cutset as the application specific element. The [...] the success criteria are not optim[...] components required (i.e., overestimate the size of the minimal cutset).

c. Evaluation Findings

In cases where conclusions are sensitive to the mission success criteria, the staff safety evaluation report should contain findings equivalent to the following:

  • A technical basis has been established for the mission success criteria used in the analysis.
  • Analytical elements of the technical basis have been given an appropriate level of configuration control and quality assurance.
  • [...] is possible, this comparison has been justified.

A.4 Modeling of Common Cause Failures

a. Area of Review

Common cause failures (CCF) represent the failures of components that are caused by common influences such as design, manufacturing, installation, calibration or operational deficiencies. Since CCFs can fail more than one component at the same time and can occur with greater [...] they can contribute significantly to plant risk.

Risk-informed applications that cover SSCs as a group have the potential of affecting the CCF probabilities of SSCs within that group. For the affected components, CCF probabilities could be low or might not even be included in the baseline PRA models based on the operational and engineering evidence driven by current requirements. With proposed changes there should be assurance that the CCF contribution will not become more significant. In addition, the assessment of the impact of the change can be affected by the CCF probabilities for other components, and can either be exaggerated or obscured depending on the CCF probabilities.

b. Review Guidance and Procedures

The reviewer should verify that potentially significant CCFs have been covered in the PRA and that, where applicable, the effects of the proposed changes have been incorporated into the CCF modeling. Staff evaluation should include a review of the process used for the selection of common cause component groups.

Acceptable methods for the modeling of CCF contributions are presented in NUREG-4780 (reference 7). Additional guidance can be found in an AEOD report "Common Cause Failure Data Collection and Analysis System" (reference 9), which also provides an extensive database of generic CCF probabilities that can be used to compare to those used in the risk-informed licensee submittal. Significant differences in CCF probabilities should be reviewed carefully to determine whether they are justified.

Specific review guidelines related to risk-informed applications and the assessment of the change are provided below.

  • The reviewer should verify that industry and especially plant-specific experience which involve the failure of two or more components (especially for the application specific components) from the same cause was analyzed and incorporated into the risk model where appropriate.
  • For relevant applications, reviewers should check that licensees have appropriately modeled CCF of groups of equipment that were proposed for the change. In cases where the effects of the application on CCF cannot be easily evaluated or quantified, reviewers should establish that performance monitoring is capable of detecting CCF before multiple failures are likely to occur subsequent to an actual system challenge. In addition, to reduce fault exposure times for potential common cause failures, phased or incremental implementation should be considered as part of the effort to protect against CCF.
  • The reviewer should make sure that the impact of the change is not inappropriately made insignificant by the choice of CCF probabilities for SSCs unaffected by the change. This can occur in two ways. First, the cutsets containing events which represent failures of SSCs affected by the change may include CCF contributions from other SSCs which are too small. Second, the cutsets which do not contain affected SSCs may be artificially increased in value by having CCF contributions that are too large so that the impact of the change is obscured. These cases will impact applications involving risk categorization by lowering the relative contribution (and importances) of the affected SSCs. An understanding of these effects can be obtained from sensitivity analyses performed by removing the pertinent CCFs or by using more realistic values for the CCFs.
  • A common modeling approximation is to include CCF contributions only from that combination of SSCs which fails the function of the system. For example, if system success is defined as success of 1 out of 4 components, usually only a single term representing a CCF of all [...] components is included. [...] corresponding CCF term would represent failure of any three or all four SSCs in the group. While probabilistically this usually corresponds to the dominant contributions, care has to be taken when the application relies on assessing the impact on risk of having one train unavailable. In this case, the effective success criterion of the remaining part of the system changes, so that in the case of the 1 out of 4 system, a CCF of three SSCs becomes a possible contributor. The impact of not modeling the lower order CCF contributors should be inv[...]. Note [...] change relies on risk categorization as well as those that require an evaluation of changes to risk.

c. Evaluation Findings

Evaluation findings should include statements of the following effect:

  • Common cause failure has been suitably addressed and that the licensee has systematically identified component groups sharing attributes that correlate with CCF potential and that affect the application.
  • Where applicable, the licensee's performance monitoring program [...] increased incidence of CCFs due to the proposed change.

A.5 Modeling of Human Performance

a. Area of Review

The results of a PRA, and therefore the input it provides to risk-informed decisionmaking, can be very strongly influenced by modeling of human performance. [...] is essential that PRAs treat it carefully. However, the modeling of human performance, typically referred to as Human Reliability An[...] encountered, and these can result in significantly different estimates of human error probabilities (HEPs) for what appear to be similar human failure events. The particular values used for HEPs can significantly influence results of the assessment of the impact of a proposed change. In addition to the quantification issue, there are questions related to what kind of human actions can appropriately be credited in the context of a particular regulatory finding. [...] relaxation of requirements for a component based on the argument t[...] the component fails, its failure can be recovered with high probability by operator actions outside the control room. The issues of concern here are whether the modeling of the operator action and the evaluation of the failure probability is appropriate, and whether this kind of credit is the sort of compensating measure that is intended by staff guidance to support justification of a relaxation.

One further issue is the impact of human performance which is not explicitly modeled, but is implicit in certain parameter values. An example is the influence of human performance on initiating event frequency. [...] addressed; their impact is included in the frequency in an implicit way.

b. Review Guidance and Procedures

The reviewer should have an understanding of the potentially significant human performance issues that might be affected by the application and how these are reflected in the PRA. This should include a review of the approach used to estimate human error probabilities. The human errors probabilities can [...] the assessment of the change in one of three ways. First, HEPs unrelated to [...] their values by inappropriately increasing or decreasing the va[...] cutsets unaffected by the change. Second, the HEPs may represent responses to failures of the SSCs impacted by the change. Third, the HEPs may be directly affected by the change. Specific guidance related to the assessment of the impact of the change is provided below.

  • The reviewer should make sure that the impact of the change is not inappropriately made insignificant by the choice of HEPs included in the PRA model. This can occur in two ways. First, [...] events which represent failures of SSCs affected by the change may include HEPs which are too small. Second, the cutsets which do not [...] HEPs that are too large so that the impact of the change is obscured. These cases will impact applications involving risk categorization by lowering the relative contribution (and importances) of the affected SSCs. An understanding of these effects can be obtained from sensitivity analyses performed by removing the pertinent HEPs or by using more realistic values for the HEPs.
  • The reviewer should identify any human actions that compensate for events affected by the proposed application, and ensure that inappropriate credit has not been taken for these events.

  • Justification of proposed changes to the CLB that are based on taking credit for post-accident recovery of failed components (repair or other non-proceduralized manual actions, such as manually forcing stuck valves to open) should be reviewed carefully to ascertain whether the identified recovery action is an obvious one to take, and is feasible given the time and physical constraints.

    Credit may be taken for proceduralized implementation of alternative success strategies to work around a failed component. Licensees that take this kind of credit should demonstrate that these recoveries are feasible and are supportable by plant programs such as training, etc.

    - For human actions that are used to compensate for a basic event probability increasing as a result of proposed CLB changes, licensee actions to ensure operator performance at the level credited in the risk analysis should also be a part of the CLB change.
  • For human actions that represent responses to the unavailability of SSCs which are impacted by the change, an assessment should be made on whether the conditions under which the human actions are to be performed have changed significantly so that the HEP should be modified.

  • For HEPs that are directly impacted by the change, e.g., as a result of a procedure or operating practice, the reviewer should make sure that the impact has been modeled appropriately. In particular, care should be taken to check whether HEPs that have been screened out of the model should now be reinstated.

  • The reviewer should assess whether any dependencies between HEPs have been altered by the change.
  • The reviewer should be assured that the set of HEPs used in the PRA is internally consistent, and that the proposed changes, if any, are made consistent with the changes in the performance shaping factors (PSFs) used by the analysts.

c. Evaluation Findings

The staff safety evaluation report should include language that is equivalent in effect to the following.

  • The modeling of human performance is appropriate.
  • Post-accident recovery of failed components is modeled in a defensible way. Recovery probabilities are quantified realistically. The formulation of the model shows decisionmakers the degree to which the apparently low risk significance of certain items is based on credit for recovery of failed components (restoration of component function, as opposed to actuation of a compensating system).

  • When human actions are proposed as compensatory measures as part of a proposed CLB change, licensee actions to ensure operator performance at the level credited in the risk analysis (e.g., by training, procedures, etc.) are also a part of the CLB change.

A.6 Effects of Truncation Limits Used

a. Area of Review

As a result of computer model and time limitations, the quantification process to evaluate CDF or LERF would involve cutset truncation either by use of a cutoff frequency or a maximum cutset order. Since the truncation process eliminates accident sequences from further consideration, care has to be taken to ensure that important sequences are not discarded and that the final results are not sensitive to the truncation limit chosen.

b. Review Guidance and Procedures

Acceptability of a truncation value used in the baseline PRA should be reviewed as part of the licensee review process. On an application specific basis, licensees should also demonstrate and reviewers should verify that the effects of the application on components modeled in the PRA are not restricted by the truncation criteria chosen. This could include sensitivity studies using different truncation levels (to selected parts of the model), or by the requantification of the base model from the beginning (as opposed to use of a pre-solved model) when evaluating the risk for the proposed applications.

It is preferred that the change in risk from the application is calculated by the requantification of the base model at the fault tree/event tree level so that the potential effects of originally truncated events could be accounted for should they become important as a result of an application. If model requantification was not performed or if the application depended on the risk ranking of SSCs from a pre-solved cutset equation, the reviewer should use the guidelines provided below.

The reviewer should be assured (either by documentation provided in the licensee review or by an independent analysis) that cutset truncation has not introduced errors into the application results or the logic of the PRA that affect the application. Staff review could also involve the performance of (or the review of) sensitivity studies where the truncation limit is lowered for the dominant sequences and event initiators, and a study of the resultant cutsets to see if there are any hidden dependencies or unusual/unexpected event combinations especially if these involve components affected by the proposed application.

Staff review could also include a comparison of a list of the events affected by the application that is in the final truncated cutset equations to the list of application-specific basic events used in the fault tree and event tree models. This will yield a list of events that did not make it past the truncation process. Documentation should be available that enables the reviewer to determine the reason truncated events are not important to the risk.

Finally, in PRA models where common cause failures and human dependencies are incorporated at the sequence level after a truncated set of minimal cutsets has been obtained, the reviewer should verify that the truncation criteria used in the PRA do not lead to cutsets involving application specific components being truncated that could be important if common cause failures, or human dependencies are considered.

c. Evaluation Findings

The staff review should conclude that the licensee has satisfactorily established that conclusions are not adversely affected by truncation, i.e.,

  • the truncation criteria is sufficiently low to ensure stable results, that is, the magnitude of the CDF or release frequency will not change as a result of lower truncation limits, and the grouping of SSCs into risk categories will also not be affected.

  • the components affected by the application are, for the most part, not truncated out of the model. In cases where they are, a qualitative assessment can demonstrate the reasons why they are unimportant to risk.
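The checks described in A.6 (which application-affected events are lost to truncation, and how the change in risk from a pre-solved cutset equation compares with requantification) can be run as a small sensitivity study. The Python below is an added example, not part of the draft SRP: the event names, probabilities, cutset list, the factor of 20 applied to the affected events and the use of the rare-event approximation (CDF taken as the sum of cutset frequencies) are all constructed assumptions.

```python
from math import prod

# Constructed data (not from the page): initiator frequencies per reactor
# year and basic-event probabilities for a toy PRA.
BASE = {
    "IE-LOOP": 5e-2, "IE-SLOCA": 1e-3,
    "DG-A": 3e-2, "DG-B": 3e-2, "DG-CCF": 1e-3, "TDP": 2e-2,
    "HPI-A": 5e-3, "HPI-B": 5e-3, "OP-REC": 1e-1,
    "MOV-12": 1e-4, "CKV-7": 5e-5,
}
# Events whose probability the hypothetical application would change.
APP_EVENTS = ("MOV-12", "CKV-7")

# Complete list of minimal cutsets. It stands in for the fault tree/event
# tree model, so "requantification" here means using the untruncated list.
CUTSETS = [
    ("IE-LOOP", "DG-CCF", "TDP"),
    ("IE-LOOP", "DG-A", "DG-B", "TDP"),
    ("IE-SLOCA", "HPI-A", "HPI-B"),
    ("IE-SLOCA", "HPI-A", "MOV-12"),
    ("IE-SLOCA", "MOV-12", "CKV-7"),
    ("IE-LOOP", "DG-CCF", "MOV-12", "OP-REC"),
    ("IE-LOOP", "CKV-7", "TDP", "OP-REC"),
]


def freq(cutset, prob):
    """Frequency of one cutset: product of its event values."""
    return prod(prob[e] for e in cutset)


def quantify(cutsets, prob, limit=0.0):
    """Return (CDF, retained cutsets) after frequency truncation at `limit`."""
    kept = [c for c in cutsets if freq(c, prob) >= limit]
    return sum(freq(c, prob) for c in kept), kept


def truncated_out(app_events, kept):
    """Application-affected events that appear in no retained cutset."""
    present = {e for c in kept for e in c}
    return sorted(e for e in app_events if e not in present)


def review(limit, multiplier):
    """Compare a pre-solved truncated equation with full requantification."""
    changed = dict(BASE)
    for e in APP_EVENTS:
        changed[e] = min(1.0, BASE[e] * multiplier)
    full_cdf, _ = quantify(CUTSETS, BASE)
    trunc_cdf, kept = quantify(CUTSETS, BASE, limit)
    # Pre-solved: only cutsets that survived truncation at base values are
    # re-evaluated with the changed probabilities.
    presolved_new = sum(freq(c, changed) for c in kept)
    requant_new, _ = quantify(CUTSETS, changed)
    return {
        "retained_fraction": trunc_cdf / full_cdf,
        "missing": truncated_out(APP_EVENTS, kept),
        "delta_presolved": presolved_new - trunc_cdf,
        "delta_requant": requant_new - full_cdf,
    }


if __name__ == "__main__":
    for limit in (1e-8, 1e-9, 1e-10, 1e-12):
        r = review(limit, 20.0)
        print(f"limit={limit:.0e} retained={r['retained_fraction']:.5f} "
              f"missing={r['missing']} "
              f"dCDF presolved={r['delta_presolved']:.3e} "
              f"requantified={r['delta_requant']:.3e}")
```

With these constructed numbers the baseline CDF is stable at every limit shown, yet at a limit of 1E-9 one affected event is absent from the retained cutsets and the pre-solved equation understates the change in CDF relative to requantification.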


Appendix B
INTEGRATED DECISIONMAKING

Risk-informed applications are expected to require a process to integrate traditional engineering and probabilistic considerations to form the basis for acceptance. In order for this decisionmaking process to be effective in rendering accurate representations of plant safety and risk, it is expected that documented guidance be available to ensure consistent and defensible results. Such guidance would also allow staff reviewers to reconstruct the logic and events involved in the integration process. This appendix discusses issues that should be addressed by the staff during reviews of the licensee integrated decisionmaking process (sometimes referred to as the "expert panel" process by licensees).

a. Area of Review

Staff reviewers are expected to evaluate all proposed changes to the CLB taking into account both traditional and probabilistic engineering considerations. For each proposed change, the reviewer should evaluate the licensee justification for the change. In cases where licensee results or conclusions are in some way counter-intuitive or inconsistent with results for similar plants on similar issues, the reviewer may also want to evaluate in detail the licensee documentation of the process by which the results were obtained. This would provide a better understanding of the reasons, assumptions, approaches, and information that were used in the licensee integrated decision process.

b. Review Guidance and Procedures

Since the licensee integrated decisionmaking process is responsible for the justification of acceptability of the proposed changes to the CLB, it is expected that the process will be documented in a relatively formal fashion. The staff may not routinely audit all of the licensee findings or recommendations, but the documentation should exist to support such a review, and should be maintained for the life of the plant or until such time when the recommendations are invalidated by later changes. Staff expectations of the integrated decisionmaking process:

  • The process should be well-defined, systematic, repeatable, and scrutable. This process should be technically defensible and should be detailed enough to allow an independent party to reproduce the major results.
  • Deliberations should be application specific. The objectives proposed for the integrated decisionmaking process for a particular application (particularly, how the results are to be utilized) should be well defined and should be relevant to that application.

  • Membership in the decisionmaking team should include experienced individuals with demonstrated skills and knowledge in relevant engineering disciplines (depending on the application), plant procedures and operations, system knowledge including operational history, system response and dependencies, operator training and response, details of the plant specific probabilistic risk assessment, and regulatory guidance.
  • The decisionmaking team should have been advised of the specifics of all proposed changes and the relevant background information associated with the licensing action. In addition, since the judgement will be based in part on the results of a risk analysis, imparting to the team an interpretation of the results of the risk model and the potential limitations of this model is important.

  • The process should take into account the principles and the NRC expectations as described in Section 2.1 of DG-1061.
  • In the formulation of findings, both probabilistic and traditional engineering considerations should be taken into account. This should include information from the risk analysis, traditional engineering evaluations and insights, quantitative sensitivity studies, operational experience and historical plant performance, engineering judgment, and current regulatory requirements. Potential limitations of the risk model should be identified and resolved. SSCs that are affected by the proposed application but that are not modeled in the PRA should be considered individually and evaluated based on guidelines similar to those provided later in this appendix or in appendix C.2. Finally, conclusions should be robust to different plausible assumptions and analyses.

  • When findings or conclusions are based in part on the use of compensatory measures, justification should be provided as to why the compensatory measures are an appropriate substitute for a proposed relaxation in current requirements. The compensatory measure should become part of the plant licensing basis.

Technical information basis:

In many risk-informed pilot applications, integrated decisionmaking panels have been utilized in cases where there are broad applications of PRA and traditional engineering results over a large number of plant SSCs to justify changes to the CLB. In cases such as these, it is expected that the information base supplied to the integrated decisionmaking panel is capable of supporting the findings that should be made in the context of the specific risk-informed application. For example, in risk quantification and risk categorization type of applications, the following should be applicable.

  • At least the level 1 portion of the internal events PRA should be formulated in such a way as to support quantification of a change in risk (ΔCDF and ΔLERF) and importance measures, and should provide qualitative (minimal cutset) information adequate to support defense-in-depth findings.

  • There should be an inventory of plant response capability for probabilistically significant operating modes and initiating event categories (internal, external, flood, fire, seismic, etc.). Given a full scope level 2 PRA, this requirement could be satisfied by an inventory of event tree success paths, with an indication of the mission success criteria, systems, and SSCs involved in each path. Lacking a full scope level 2 PRA, surrogate information should be developed for unanalyzed areas, along the lines described in Section II.3.2.2. This requirement is necessary in order to show the safety functions performed by SSCs affected by the application.

  • Causal models (determination of cause-effect relationships) should be developed to support quantification of basic event probability as a function of the application. This is necessary in order to relate the application to actual risk indices.

Documentation of inputs to the decisionmaking panel should be part of the process. The reviewer should verify the scope and depth of the information base, especially information supplied regarding modes and/or classes of initiators unanalyzed in the PRA.

Treatment of SSCs not Modeled in the PRA:

PRAs do not model all SSCs involved in performance of safety functions for various reasons. However, this should not imply that unmodeled SSCs are not important in terms of contributions to the plant risk. For example, in some cases SSCs are omitted based on analysts taking credit for programmatic activities that ensure a low failure frequency for that item or a short fault exposure time in the event that it does fail. In such cases, when PRA results will not reflect the SSC at all, it would be inappropriate to conclude that the programmatic activity is unimportant.

It is one of the tasks of the integrated decisionmaking panel to extrapolate from the PRA and other information sources to draw conclusions about SSCs not modeled in the PRA. This does not mean that the panel is to impute to the PRA high-level results that were not generated in the analysis; it does mean that if a success path is modeled in the PRA, the panel is justified in reasoning that unmodeled SSCs in that path are relied upon. If items were screened from the PRA, the panel should be aware of the screening process, in order to avoid violating the basis for the screening.

For SSCs not modeled in the PRA, the reviewer should verify that the decisionmaking panel has performed the following:

  • reviewed the PRA assumption base for instances in which initiators were screened out on the basis of credit for SSCs affected by the application;
  • reviewed plant operating history for initiating events whose occurrence might have been prevented by the proposed application;
  • reviewed plant operating history for failures of mitigating system trains as a result of events that might have been prevented by the proposed application;
  • reviewed accident sequence modeling for instances in which early termination of the analysis obscured challenges to affected SSCs that would normally come into play later than the termination point.

Possible dispositions of the above include the following:

  • the item will not affect initiating event frequency or mitigating system performance under reasonably foreseeable circumstances, and the proposed change is warranted;
  • the item, although unmodeled, already receives and will continue to receive programmatic attention commensurate with its significance. In cases where reduced commitments are proposed, adequate justification is provided for this reduction;
  • the item does not currently receive sufficient programmatic attention, and may be subject to tighter controls.

The reviewer should verify that the safety significance of SSCs not modeled in the PRA (but affected by the proposed application) are appropriately characterized and justified.

Addressing limitations of the risk analysis:

Part of the integrated decisionmaking process is to overcome certain limitations of the PRA. However, this does not include substituting the analyst's judgment for essential PRA results. One of the reasons for developing PRA models is that the complexity of many facilities makes judgment difficult in many contexts.

Generally, if PRA highlights a plant vulnerability, this should be taken seriously. This result should not be discounted on the basis of judgment. If the analyst can show that the PRA representation of a vulnerability is invalid, then the PRA should be modified, and the licensee should work with the results of the revised PRA.

To address the issue of credit for unmodeled systems that would change a PRA result, the preferred method is to alter the PRA to take the credit. The reviewer should be aware that there are potentially cases in which credit for an unmodeled system would be seriously complicated by issues of shared support systems, environmental conditions, or other factors such as spatial interaction issues or operator interaction dependencies.

To address the issue of making decisions about SSCs that might influence plant response in unmodeled modes or to unmodeled initiators, the acceptable approach is to proceed on the basis of a structured representation of plant response that shows at least qualitatively what initiating events pertain, what systems are available to respond to each, functional dependencies of these systems at the train level, and in particular, what backups are available in the event of failure of any particular SSC. While it is possible to accept program reductions for SSCs that are explicitly shown to play no role in unanalyzed modes, it is much more difficult to accept reductions for components that do play a role in unanalyzed (e.g., shutdown) modes. For such instances, conservative methods will be considered prudent.

To address instances in which a PRA model exists but is considered misleading, caution is indicated. An example of this would be to down-classify SSCs (i.e., state that a high risk contributor is actually a low contributor) from a PRA result, based on panel judgment. It is not acceptable to place on the record both a PRA and a finding that clearly contradicts it. Although the panel is not expected to take the PRA as absolute truth, the test should be whether the record establishes a clear basis for a finding. A technical argument that begins with the misleading PRA result and furnishes supplementary information sufficient to justify a relatively minor change to a PRA result, or a qualified interpretation of a PRA result, is satisfactory. A cursory technical argument leading to a conclusion that qualitatively contradicts a major PRA result is an unsatisfactory record.

c. Evaluation Findings

The following language, or language substantially equivalent to this, should appear in the SER, or else exceptions should be noted and explained.

  • The integrated decisionmaking process is appropriate. Appropriate information was available, suitable issues were raised, the disposition of these issues was systematic and defensible, and the documentation of the findings is traceable and reviewable in principle, so that the basis for conclusions and recommendations is available for scrutiny and review.
  • The evaluation of risk significance represents appropriate consideration of probabilistic information, traditional engineering evaluations, sensitivity studies, operational experience, engineering judgment, and current regulatory requirements.
  • The technical information basis was adequate for the scope of the application. In particular, the analysis of success and failure scenarios was adequate to identify the roles played by the SSCs affected by the application, the quantification of the frequency of these scenarios was adequate to establish the safety significance of the SSCs, and the causal models were adequate to establish the effects of the proposed changes in the program.
  • The safety significance of components affected by the proposed application but not modeled in the PRA was evaluated in a systematic manner. This included a search of components that might contribute to initiating event occurrence, mitigating system components that were not modeled in the PRA because their failure was not expected to dominate system failure in the baseline configuration, and components in systems that do not play a direct role in mitigation but that interface with mitigating systems.
  • The process applied by the licensee to overcome limitations of PRA was appropriate. Where decisions were made that do not follow straight-forwardly from the PRA, a technical basis was provided that shows how the PRA information and the supplementary information validly combine to support the finding. No findings contradict the PRA in a fundamental way.

Appendix C
CATEGORIZATION OF STRUCTURES, SYSTEMS, AND COMPONENTS WITH RESPECT TO SAFETY SIGNIFICANCE

For several of the proposed applications of the risk-informed regulation process one of the principal activities is the categorization of SSCs and human actions with respect to their safety-significance. The purpose of this Appendix is to discuss how to review approaches that may be used in this categorization process.

The first review consideration is the definition of safety-significance as applied to SSCs and human actions for a specific application. A related, but not identical concept, is that of risk significance. For example, an individual SSC can be identified as being risk-significant if it can be demonstrated that its failure or unavailability contributes significantly to the measures of risk, e.g., CDF and LERF. Safety-significance, on the other hand, can be thought of as being related to the role the SSC plays in the prevention of the occurrence of the undesired end state. Thus the position adopted in this SRP is that all the SSCs and human actions considered when constructing the PRA model (including those that do not necessarily appear in the final quantified model, either because they have been screened initially, assumed to be inherently reliable or have been truncated from the solution of the model) have the potential to be safety significant, since they play a role in preventing core damage.

In reviewing the categorization, it is important to recognize the purpose behind the categorization, which is, generally, to sort out the SSCs or human actions into two general groups: those for which some change is proposed; and those for which no change is proposed. It is the potential impact of the application on the particular SSCs and human actions and on the measures of risk which ultimately determines which of the SSCs and human actions should be regarded as safety-significant. Since different applications impact different SSCs and human actions, it is reasonable to expect that the categorization could be different for the different applications. Thus the question being addressed by the application is, for which groups of SSCs and human actions can the change be made such that there will be no more than insignificant increase in the risk to the health and safety of the public. This impact on overall risk should be related back to the criteria for acceptable changes in the risk measures identified in draft guide DG-1061. It is those groups for which changes can be made that satisfy these criteria that can be regarded as low safety-significant in the context of the specific application. Thus, the most appropriate way to address the categorization is through a requantification of the risk measures. However, the feasibility of performing such risk quantification has been questioned for those applications for which a method for the evaluation of the impact of the change on SSC unavailability is not obviously available.

In the above case, an acceptable alternative to requantification of risk is to perform the categorization of the SSCs and human actions using an integrated decisionmaking process (such as the use of an Expert Panel), based on the use of PRA importance measures as input. The issues that should be addressed by the reviewer for this approach are discussed in this appendix. Section C.1 discusses the technical issues associated with the use of PRA importance measures, and Section C.2 discusses the use of the importance measures by the decisionmaking panel.

C.1 Use of Importance Measures

a. Area of Review

In the implementation of the Maintenance Rule and in many industry guides for the risk-informed applications, the Fussell-Vesely Importance, Risk Reduction Worth, and Risk Achievement Worth are the most commonly identified measures in the relative risk ranking of SSCs. However, in the use of these importance measures for risk-informed applications, there are several issues that should be addressed. Most of the issues are related to technical problems which can be resolved by the use of sensitivity studies or by appropriate quantification techniques. These issues are discussed in detail in the sub-section below.

In addition, there are two issues that the reviewer should ensure have been addressed adequately, namely a) that risk rankings apply only to individual contributions and not to combinations or sets of contributors, and b) that risk rankings are not necessarily related to the risk changes which result from those contributor changes. When performed and interpreted correctly, component-level importance measures can provide valuable input to the integrated decisionmaking process.

b. Review Guidance and Procedures

Risk ranking results from a PRA can be affected by many factors, the most important being model assumptions and techniques (e.g., for modeling of human reliability or common cause failures), the data used, or the success criteria chosen. The reviewer should therefore perform an evaluation of the licensee PRA as part of the overall review process. Guidance for this review is provided in Appendix A.

In addition to the use of a PRA of appropriate quality for the application, the robustness of risk ranking results should also be demonstrated for conditions and parameters that might not be addressed in the base PRA. Therefore, when importance measures are used to group components or human actions as low safety-significant contributors, the information to be provided to the integrated decisionmaking process should include sensitivity studies and/or other evaluations to demonstrate the sensitivity of the importance results to the important PRA modeling techniques, assumptions, and data. Issues that should be considered and addressed are listed below.

Different risk metrics: The reviewer should ensure that risk in terms of both CDF and LERF is considered in the ranking process.

Completeness of risk model: The reviewer should ensure that, when determining safety significance contributions using an internal events PRA, external events and shutdown and low power initiators have also been considered either by PRA modeling or by the integrated decisionmaking process (as detailed in section C.2 and in Appendix B).

Sensitivity analysis for component data uncertainties: The sensitivity of component categorizations to uncertainties in the parameter values should have been addressed by the licensee. Reviewers should be satisfied that SSC categorization is not affected by data uncertainties.

Sensitivity analysis for common cause failures: CCFs are modeled in PRAs to account for dependent failures of redundant components within a system. As discussed in Appendix A, CCF probabilities can impact PRA results by enhancing or obscuring the importance of components. This should be addressed by the review. A component may be ranked as a high risk contributor mainly because of its contribution to CCFs, or a component may be ranked as a low risk contributor mainly because it has negligible or no contribution to CCFs. In RIR, removing or relaxing requirements may increase the CCF contribution, thereby changing the risk impact of an SSC.

Consideration of multiple failure modes: PRA basic events represent specific failure events and failure modes of SSCs. The reviewer should determine that the safety significant categorization has been performed taking into account the combined effect of all associated basic PRA events, such as failure to start and failure to run, including indirect contributions through associated CCF event probabilities.

Sensitivity analysis for recovery actions: PRAs typically model recovery actions especially for dominant accident sequences. Quantification of recovery actions typically depends on the time available for diagnosis and performing the action, training, procedure, and knowledge of operators. There is a certain degree of subjectivity involved in estimating the success probability for the recovery actions. The concerns in this case stem from situations where very high success probabilities are assigned to a sequence, resulting in related components being ranked as low risk contributors. Furthermore, it is not desirable for the categorization of SSCs to be impacted by recovery actions that sometimes are only modeled for the dominant scenarios. Sensitivity analyses can be used to show how the SSC categorization would change if recovery actions were removed. The reviewer should ensure that the categorization has not been unduly impacted by the modeling of recovery actions.

Truncation limit: The reviewer should determine that the truncation limit has been set low enough so that the truncated set of minimal cutsets contain the significant contributors and their logical combinations for the application in question and be low enough to capture at least 95 percent of the CDF. Depending on the PRA level of detail (module level, component level, or piece-part level), this may translate into a truncation limit from 1E-12 to 1E-8 per reactor year. In addition, the truncated set of minimal cutsets should be determined to contain the important application-specific contributors and their logical combinations.

Multiple component considerations: As discussed previously, importance measures are typically evaluated on an individual SSC or human action basis. One potential concern raised by this is that single-event importance measures have the potential of dismissing all elements of a system or group despite the system or group having a high importance when taken as a whole. (Conversely, there may be grounds for screening out groups of SSCs, owing to the unimportance of the systems of which they are elements.) There are two potential approaches to addressing the multiple component issue. The first is to define suitable measures of system or group importance. The second is to choose appropriate criteria for categorization based on component-level importance measures. In both cases, it will be necessary for the licensee to demonstrate that the cumulative impact of the change has been adequately addressed.

While there are no widely-accepted definitions of system or group importance measures, it is likely that some licensees will develop new system or group measures. If any are proposed, the reviewer should make sure that the measures are capturing the impact of changes to the group in a logical way. As an example of the issues that arise consider the following. For front-line systems, one possibility would be to define a Fussell-Vesely type measure of system importance as the sum of the frequencies of sequences involving failure of that system, divided by the sum of all sequence frequencies. Such a measure would need to be interpreted carefully if the numerator included contributions from failures of that system due to support systems. Similarly, a Birnbaum-like measure could be defined by quantifying sequences involving the system, conditional on its failure, and summing up those quantities. This would provide a measure of how often the system is critical. However, again the support systems make the situation more complex. To take a two-division plant as an example, front-line failures can occur as a result of failure of support division A in conjunction with failure of front-line division B. Working with a figure of merit based on "total failure of support system" would miss contributions of this type.

In the absence of appropriately defined group level importance measures, reliance should be made on the integrated decisionmaking process to make the appropriate determination (see section C.2).

Relationship of importance measures to risk changes: Importance measures do not directly relate to changes in risk associated with implementation of a set of changes proposed in an application. Instead, the risk impact is indirectly reflected in the choice of the value of the measure used to determine whether an SSC should be classified as being of high and low safety significance. This is a concern whether importances are evaluated at the component or at the group level. The PSA Applications Guide suggested values of Fussell-Vesely importance of .05 at the system level, and .005 at the component level for example. However, the criteria for categorization into low and high significance should be related to the acceptance guidelines for changes in CDF and LERF. This implies that the criteria should be a function of the base case CDF and LERF rather than being fixed for all plants. Thus the reviewer should determine how the choice of criteria are related to, and conform with, the acceptance guidelines described in draft guide DG-1061. If component level criteria are used, they should be established taking into account that the allowable risk increase associated with the change should be based on simultaneous changes to all members of the category.
c. Evaluation Findings

The reviewer verifies that the information provided to the integrated decisionmaking process on the determination of risk importance of contributors for a specific application is robust in terms of model inputs and assumptions and "uncertainty" issues like common cause failure modeling and modeling of human reliability, and that the categorization addresses the effect of the on groups of components in a way that is compatible with the risk acceptance guidelines.

C.2 Role of Integrated Decisionmaking in Component Categorization

a. Areas of Review

While probabilistic importance analysis can provide valuable information on categorization, it should be supported and supplemented by an evaluation based on traditional engineering considerations. This will require using the qualitative insights obtained from the PRA, and the incorporation of the consideration of maintenance of defense-in-depth and the maintenance of sufficient safety margins. One important element of this integrated decisionmaking can be the use of an "expert panel". General review guidelines for the licensee integrated decisionmaking process are provided in Appendix B of this SRP.

b. Review Guidance and Procedures

Identification of functions, systems and components important to safety: The PRA can provide significant qualitative insights that emerge simply from consideration of whether and how systems are invoked in particular scenarios. If a front-line system is credited in success paths, then it is in some sense "important," and at least some of its SSCs must also be, in some sense, important, even if a given single-event importance measure does not reflect this. However, the real importance of a system is a function of whether there are alternate, diverse systems that could fulfil the same function, those systems which are the only means of providing the function being more important than those for which there are viable alternatives. A system that supports an important front-line system could also be important. This does not mean that all such systems cannot be candidates for relaxation in current requirements, it does mean that components in system trains credited in the PRA should be explicitly considered during the integrated decisionmaking process.

The reviewer, either by evaluation of licensee documentation or by independent verification, should:

  • identify all systems that are relied upon in plant response to an initiating event, whether explicitly modeled in the PRA or not (e.g., HVAC, I&C associated with indications rather than control), and identify the function(s) they perform or support; and

  • check to see whether failure of components screened out on the basis that they are elements of "unimportant" systems could affect a system that is relied upon in plant response to an initiating event.

The reviewer should then verify that at least some elements of each of the important systems as identified above are considered "safety significant." If this is not the case, then the reviewer should ascertain what performance is allocated to these items in the PRA, and ascertain whether the programmatic activities allocated to these elements are commensurate with that performance level. If a system is identified as being important but none of its elements is, then licensee justification should be reviewed in detail.
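The check in the paragraph above (a system that is important while none of its elements is) can be run mechanically over a minimal cutset list. The following Python code is an added example, not part of the NRC draft: the cutsets, probabilities, group definitions and function names are constructed for illustration, the default thresholds are the PSA Applications Guide example values of .05 (system) and .005 (component) quoted in this appendix, and all quantities use the rare-event approximation.

```python
from math import prod

# Constructed sample model (not plant data). Each minimal cutset is one
# initiating event plus the basic events that must fail together with it.
Q = {
    "IE": 1e-2,                                          # initiator frequency per year
    "FP1": 1e-2, "FP2": 1e-2, "FP3": 1e-2, "FP4": 1e-2,  # independent flowpath failures
    "FP_CCF": 2e-5,                                      # common cause failure of all four paths
    "PUMP_A": 5e-3, "PUMP_B": 5e-3,
    "OP_ERR": 1e-4,                                      # operator action
}
CUTSETS = [frozenset(c) for c in (
    {"IE", "FP1", "FP2", "FP3", "FP4"},
    {"IE", "FP_CCF"},
    {"IE", "PUMP_A", "PUMP_B"},
    {"IE", "OP_ERR"},
)]
# Assumption: "components" are the events ranked one at a time; "shared" holds
# events such as common cause failures that belong to the group as a whole.
GROUPS = {
    "flowpaths": {"components": ["FP1", "FP2", "FP3", "FP4"], "shared": ["FP_CCF"]},
    "pumps": {"components": ["PUMP_A", "PUMP_B"], "shared": []},
}


def frequency(cutsets, q=Q):
    """Rare-event approximation: sum of the cutset products."""
    return sum(prod(q[e] for e in c) for c in cutsets)


def condition(cutsets, failed=(), working=()):
    """Cutsets given some events are failed (removed from each cutset) or
    working (cutsets containing them vanish), reduced to minimal cutsets."""
    failed, working = set(failed), set(working)
    reduced = {frozenset(c - failed) for c in cutsets if not (c & working)}
    return [c for c in reduced if not any(other < c for other in reduced)]


def fussell_vesely(events, cutsets=CUTSETS, q=Q):
    """Fraction of total frequency from cutsets containing any listed event.
    With one event this is the usual single-event measure; with a group it
    is the group-level measure discussed above."""
    events = set(events)
    hit = [c for c in cutsets if c & events]
    return frequency(hit, q) / frequency(cutsets, q)


def birnbaum(events, cutsets=CUTSETS, q=Q):
    """Frequency with the events failed minus frequency with them working."""
    return (frequency(condition(cutsets, failed=events), q)
            - frequency(condition(cutsets, working=events), q))


def groups_needing_review(groups=GROUPS, system_fv=0.05, component_fv=0.005):
    """Groups that are important as a whole while every member component
    falls below the component-level threshold when ranked alone."""
    flagged = []
    for name, g in groups.items():
        group_fv = fussell_vesely(g["components"] + g["shared"])
        members_low = all(fussell_vesely([c]) < component_fv
                          for c in g["components"])
        if group_fv >= system_fv and members_low:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name, g in GROUPS.items():
        members = g["components"] + g["shared"]
        print(f"{name}: group FV={fussell_vesely(members):.3f}, "
              f"group Birnbaum={birnbaum(members):.3e}")
        for c in g["components"]:
            print(f"  {c}: FV={fussell_vesely([c]):.2e}, "
                  f"Birnbaum={birnbaum([c]):.2e}")
    print("review licensee justification for:", groups_needing_review())
```

In this constructed model each flowpath alone has a Fussell-Vesely value near 7e-5, while the flowpath group, once its common cause event is counted, carries about 14% of the total frequency.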

As an example consider the case of a system that contains many redundant flowpaths. Single-event importance analysis will tend to dismiss the flowpaths one at a time, effectively dismissing the group as a whole. The focus of the above guidance is that the redundant flowpaths, considered as a subsystem, and recognizing the function they perform, are important and deserve some attention, even though conventional importance measures would not highlight them. However, in the case of redundant systems, the solution need not always be to assign every redundant path to the high risk contributor category. In this example, especially if the paths are essentially similar, it is arguably necessary to consider common cause failure, and a program that addresses common cause failure potential by monitoring component performance may provide the necessary protection against loss of the function while still allowing a decrease in some level of commitment on the individual members of the group.

Verification of low safety significance: As part of the evaluation of the qualitative risk-informed categorization, the integrated decisionmaking process and criteria used by the licensee should be reviewed. In reviews of the licensee determination of low safety significance for SSCs or operator actions, the staff should verify that risk importance measures have been applied appropriately and that results of sensitivity studies have been taken into account. In addition, the reviewer should verify that the licensee has considered and has compensated for factors such as potential inadequate scope and level of detail of the PRA (see sections II.3.2.2 and II.3.2.3). Finally, the reviewer should verify that, in categorizing an SSC or operator action as low safety significance, the licensee has considered the defense-in-depth philosophy and available safety margins. Review guidance on these topics is provided in Section II.3.1 of this SRP.

For SSCs not modeled in the PRA, the reviewer should verify that the following conditions are applicable for each SSC that has been proposed as a candidate for relaxation or removal of current requirements:

  • the SSC is not a part of a system that acts as a barrier to fission product release during severe accidents

  • the SSC does not perform a support function to a safety function or does not complement a safety function

  • the SSC does not support operator actions credited in PRAs for either procedural or recovery actions

  • the failure of the SSC will not result in the eventual occurrence of a PRA initiating event

  • the failure of the SSC will not result in unintentional releases of radioactive material even in the absence of severe accident conditions

If any of the above conditions are applicable, or if SSC performance is difficult to quantify, the licensee should have used a qualitative evaluation process to determine the impact of relaxing requirements on equipment reliability/performance. This e[...] of those failure modes for which the failure rate may increase, and the failure modes for which detection could become more difficult. The reviewer should then verify that one or more of the following justifications (or similar) were provided by the licensee:

  • a qualitative discussion and historical evidence why these failure modes may be unlikely to occur;

  • a qualitative engineering discussion on how such failure modes could be detected in a timely fashion;

  • a discussion on what other requirements may be useful to control such failure rate increases; and

  • a qualitative engineering discussion on why relaxing the requirements may have minimum impact on the failure rate increase.
c. Evaluation Findings

The SER should incorporate language substantially equivalent to the following. Exceptions, if any, should be noted and explained.

The categorization of the SSCs or human actions has adequately captured their significance to safety, and has been performed in such a way that the potential impact of the proposed application results in at most a small increase in the risk to the health and safety of the public.

The input to the integrated decisionmaking process derived from importance measures has been utilized taking into account the known limitations of importance calculations, and the results have been supplemented by appropriate qualitative considerations.

The integrated decisionmaking process explicitly recognized systems invoked in plant response to initiating events, and ensured that components within these systems are considered for programmatic attention in areas (IST, ISI, etc.) appropriate to their performance characteristics and to the level of performance needed from them.

UNITED STATES NUCLEAR REGULATORY COMMISSION
STANDARD REVIEW PLAN
OFFICE OF NUCLEAR REACTOR REGULATION

DRAFT FOR COMMENT

Standard Review Plan For The Review Of Risk-Informed Inservice Testing Applications

Draft SRP Chapter 3.9.7
Revision 2C
March 13, 1997

Contacts: D. C. Fischer (301) 415-2728
W. B. Hardin (301) 415-6561

ENCLOSURE 4


FOREWORD

The NRC's Policy Statement on the use of probabilistic risk analysis (PRA) in nuclear regulatory activities encourages greater use of this analysis technique to improve safety decision making, reduce unnecessary burden and improve regulatory efficiency. A number of NRC staff and industry activities are in progress to consider approaches for expanding the scope of PRA applications in regulatory activities. Several activities are ongoing which consider appropriate uses of PRA in support of the modification of individual plant's current licensing basis (CLB) and a number of pilot applications with proposed CLB changes are now under staff review.

This Standard Review Plan (SRP) chapter describes review procedures and acceptance guidelines for NRC staff reviews of proposed plant-specific, risk-informed changes to a licensee's inservice testing (IST) program. The review procedures contained in this SRP are consistent with the acceptable methods for implementing a risk-informed IST (RI-IST) program described in DG-1062 (reference 2). Licensees may propose RI-IST programs consistent with the guidance provided in DG-1062, propose an alternative approach for implementing a RI-IST program (which must be demonstrated to be consistent with the fundamental principles identified in Section II.A.9), or maintain their IST programs in accordance with the ASME Code as referenced in 10 CFR 50.55a.

It is the NRC staff's intention to initiate rulemaking as necessary to permit licensees to implement RI-IST programs, consistent with this SRP chapter, without having to get NRC approval of an alternative to the ASME Code requirements pursuant to 10 CFR 50.55a(a)(3). Until the completion of such rulemaking, the staff anticipates reviewing and approving each licensee's RI-IST program as an alternative to the current Code required IST program (e.g., including alternative test frequency, test methods, and program scope requirements). As such, the licensee's RI-IST program will be enforceable under 10 CFR 50.55a.

The current ASME Code inservice testing requirements, as endorsed in 10 CFR 50.55a, have been determined to provide reasonable assurance that public health and safety will be maintained. The individual ASME Code committees concerned with inservice testing of pumps and valves continually review these testing strategies to develop improvements to the existing Code requirements. Changes to the ASME Code, either as new Code editions or Code Cases, are subject to review and approval by the NRC to ensure that the new testing requirements maintain an adequate level of public health and safety. A risk-informed inservice testing program, if properly constructed, will also provide an acceptable level of quality and safety by evaluating and possibly improving the test effectiveness for the high safety significant components (as identified by the licensee's PRA and integrated decision making process) in conjunction with the relaxation of testing requirements (e.g., test frequency) for the low safety significant components.


TABLE OF CONTENTS

3.9.7 RISK-INFORMED INSERVICE TESTING OF PUMPS AND VALVES

REVIEW RESPONSIBILITIES

I. DEFINE THE PROPOSED CHANGES TO THE IST PROGRAM

II. AREA OF REVIEW

A. ENGINEERING EVALUATION
1. Evaluation of Proposed Changes to the Current Licensing Basis
2. IST Program Scope
3. IST Program Changes
4. Relief Requests and Technical Specification Amendments
5. Quality of the PRA for IST Application
6. Modeling of the Effects of IST on PRA Basic Events
7. Categorization of Components
8. Other Technical Issues
a. Initiating Events
b. Dependencies and Common Cause Failures
c. Uncertainty and Sensitivity Analyses
d. Human Reliability Analyses
e. Use of Plant-Specific Data
9. Evaluating the Overall Effect of Proposed Changes on Plant Risk
10. Integrated Decision Making

B. IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION
1. Program Implementation
2. Performance Monitoring of IST Equipment
3. Feedback and Corrective Action Program
4. Periodic Reassessment
5. Formal Interactions With the NRC

III. ACCEPTANCE GUIDELINES

A. ENGINEERING EVALUATION
1. Evaluation of Proposed Changes to the Current Licensing Basis
2. IST Program Scope
3. IST Program Changes
4. Relief Requests and Technical Specification Amendments
5. Quality of the PRA for IST Application
6. Modeling of the Effects of IST on PRA Basic Events
7. Categorization of Components
8. Other Technical Issues
a. Initiating Events
b. Dependencies and Common Cause Failures
c. Uncertainty and Sensitivity Analyses
d. Human Reliability Analyses
e. Use of Plant-Specific Data
9. Evaluating the Overall Effect of Proposed Changes on Plant Risk
10. Integrated Decision Making

B. IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION
1. Program Implementation
2. Performance Monitoring of IST Equipment
3. Feedback and Corrective Action Program
4. Periodic Reassessment
5. Formal Interactions With the NRC

IV. REVIEW PROCEDURES

A. REVIEW OF THE LICENSEE'S ENGINEERING EVALUATION
1. Evaluation of Proposed Changes to the Current Licensing Basis
2. IST Program Scope
3. IST Program Changes
4. Relief Requests and Technical Specification Amendments
5. Quality of the PRA for IST Application
6. Modeling of the Effects of IST on PRA Basic Events
7. Categorization of Components
8. Other Technical Issues
a. Initiating Events
b. Dependencies and Common Cause Failures
c. Uncertainty and Sensitivity Analyses
d. Human Reliability Analyses
e. Use of Plant-Specific Data
9. Evaluating the Overall Effect of Proposed Changes on Plant Risk
10. Integrated Decision Making

B. REVIEW IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION
1. Program Implementation
2. Performance Monitoring of IST Equipment
3. Feedback and Corrective Action Program
4. Periodic Reassessment
5. Formal Interactions With the NRC

V. EVALUATION FINDINGS

A. ENGINEERING EVALUATION
1. Evaluation of Proposed Changes to the Current Licensing Basis
2. IST Program Scope
3. IST Program Changes
4. Relief Requests and Technical Specification Amendments
5. Quality of the PRA for IST Application
6. Modeling of the Effects of IST on PRA Basic Events
7. Categorization of Components
8. Other Technical Issues
a. Initiating Events
b. Dependencies and Common Cause Failures
c. Uncertainty and Sensitivity Analyses
d. Human Reliability Analyses
e. Use of Plant-Specific Data
9. Evaluating the Overall Effect of Proposed Changes on Plant Risk
10. Integrated Decision Making

B. IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION
1. Program Implementation
2. Performance Monitoring of IST Equipment
3. Feedback and Corrective Action Program
4. Periodic Reassessment
5. Formal Interactions With the NRC

VI. RISK-INFORMED IST PROGRAM DOCUMENTATION

VII. IMPLEMENTATION

VIII. REFERENCES

3.9.7 RISK-INFORMED INSERVICE TESTING

REVIEW RESPONSIBILITIES

Primary - Mechanical Engineering Branch (EMEB)
Secondary - Probabilistic Safety Assessment Branch (SPSB)

I. DEFINE THE PROPOSED CHANGES TO THE IST PROGRAM

The licensee's risk-informed inservice testing (RI-IST) submittal should have defined the proposed changes to the IST program in general terms. The licensee should have confirmed that the plant is designed and operated in accordance with the current licensing basis (CLB) and that the PRA used in support of their RI-IST program submittal reflects the actual plant. The licensee should have identified the particular components that would be affected by the proposed changes in IST strategy. This should include all of the components currently in the licensee's IST program as well as any other components that the licensee's integrated decision making process categorized as being highly safety significant. The method used by the licensee to categorize components should be described. There should also be a detailed description of how the proposed RI-IST program affects the CLB of the plant and why these proposed changes are acceptable. If exemptions from specific regulations, technical specification amendments, or relief requests are required to implement the licensee's proposed RI-IST program, the appropriate requests should accompany the licensee's submittal. Specific revisions to testing schedules and methods should be described as well as implementation plans and schedules.

1 This regulatory guide adopts the 10 CFR Part 54 definition of current licensing basis. That is, "Current Licensing Basis (CLB) is the set of NRC requirements applicable to a specific plant and a licensee's written commitments for ensuring compliance with and operation within applicable NRC requirements and the plant-specific design basis (including all modifications and additions to such commitments over the life of the license) that are docketed and in effect. The CLB includes the NRC regulations contained in 10 CFR Parts 2, 19, 20, 21, 26, 30, 40, 51, 54, 55, 70, 72, 73, 100 and appendices thereto; orders; license conditions; exemptions; and technical specifications. It also includes the plant-specific design-basis information defined in 10 CFR 50.2 as documented in the most recent final safety analysis report (FSAR) as required by 10 CFR 50.71 and the licensee's commitments remaining in effect that were made in docketed licensing correspondence such as licensee responses to NRC bulletins, generic letters, and enforcement actions, as well as licensee commitments documented in NRC safety evaluations or licensee event reports."

The licensee should also have described the proposed IST program change in terms of how it meets the objectives of the Commission's PRA Policy Statement, including enhanced decision making, more efficient use of resources, and reduction of unnecessary burden. The description may consider benefits from the CLB change such as reduced fiscal and personnel resources and radiation exposure, as well as improvements in reactor safety.

The reviewer should familiarize herself or himself with the licensee's entire submittal before initiating the detailed review described in the following sections. In short, the reviewer should first develop an understanding of the proposed change in terms of:

  • the particular components that would be affected by the proposed changes in IST strategy,
  • the plant systems involved with the proposed changes in IST strategy,
  • the change in testing strategy (i.e., test frequency and methods) proposed for each component or group of components,
  • its effect on the current licensing basis, and
  • its overall effect on plant risk.

Section 6 of reference 2 contains a more detailed description of the documentation that should have been submitted by the licensee in conjunction with its proposed RI-IST program.

II. AREA OF REVIEW

A. ENGINEERING EVALUATION

1. Evaluation of Proposed Changes to the Current Licensing Basis

After the licensee determined which components are candidates for having their inservice test requirements relaxed and which components should be subjected to more focused inservice tests, the licensee should have conducted an engineering evaluation of proposed changes to the IST program. The purpose of this engineering evaluation is to determine the acceptability of the proposed IST program changes in light of the current licensing basis of the plant and risk impact of the changes. In particular, the status of license commitments that would be changed as a result of the proposed RI-IST program should have been clarified explicitly and formally. Either commitments were not affected by the proposed changes, or the alterations in commitment status were identified, described, and revised commitments were made.

2. IST Program Scope

In developing RI-IST programs, licensees will likely identify structures, systems, and components (SSCs) with high risk significance which are not currently subject to traditional Code requirements or subject to a level of regulation which is commensurate with their risk significance. It is expected that licensees will propose RI-IST programs that will subject these SSCs to the appropriate level of regulation, consistent with the risk significance of the SSC. Specifically, licensee's RI-IST program scope should include, in addition to components in the current Code prescribed IST program (e.g., components required to perform a specific function in shutting down a reactor to a cold shutdown condition, in maintaining the cold shutdown condition, or in mitigating the consequences of an accident), those ASME Code Class 1, 2, & 3 and non-Code components that the licensee's integrated decision-making process categorized as highly safety significant and determined to be appropriate candidates for IST.

The staff's basis for reaching its conclusion that the licensee's proposed RI-IST program "provides an acceptable level of quality and safety" will be predicated, in part, on the licensee's use of PRA to identify the appropriate scope of components that should be included in a RI-IST program as well as to evaluate test requirements (i.e., test methods and frequency) to ensure the validity of PRA assumptions. In other words, if the PRA is to be used as the basis for categorizing components and for evaluating the acceptability of the overall change in plant risk associated with the proposed RI-IST program (e.g., ΔCDF, ΔLERF) then the PRA assumptions relative to component reliability and availability must be preserved. Consequently, for IST components within the scope of the licensee's proposed RI-IST program, we would expect the licensee to examine the test strategies currently in place and, where appropriate, modify the test strategy (See Section III.A.3).

To preserve the PRA assumptions which form the basis for the acceptability of the IST program changes, certain non-Code components may need to be included in the RI-IST program. The justification for inclusion of non-code components into the IST program can be derived from the role these components play in justifying the acceptability of changes to the IST program for components currently within the code. PRA systematically takes credits for non-code structures, systems, and components (SSCs) as: 1) providing support to, or 2) alternatives to, and 3) back-ups for SSCs within the current code. Thus, the relaxation of requirements for safety-related SSCs depends upon the proper operation and reliability attributed to high-safety-significant yet non-code SSCs.

3. IST Program Changes

The licensee's submittal should describe the considerations (e.g., component performance, service condition, risk significance) that went into establishing the proposed RI-IST frequencies and methods.

4. Relief Requests and Technical Specification Amendments

While implementation of the licensee's overall RI-IST program may be authorized by a change to the regulations or via NRC authorizing an alternative pursuant to 10 CFR 50.55(a)(3), specific details of the licensee's RI-IST program may require exemptions from other regulations, technical specification changes, or require relief from provisions of NRC approved Codes or Code cases. The licensee should have included in their RI-IST program submittal the necessary exemption requests, technical specification amendment requests, and relief requests necessary to implement their RI-IST program (See Section III.A.4).

5. Quality of the PRA for IST Application

Since the quantitative results of the PRA are to play a major and direct role in decision-making, there is a need to ensure that they are derived from "quality" analyses. Review guidance on quality issues for the licensee's baseline PRA is provided in the general regulatory guide for risk informed decision making (Reg Guide DG-1061) and in the general SRP for risk informed regulation (Chapter 19 of the SRP). The required scope and level of detail of the PRA are also discussed in the general Reg Guide and SRP. The review of IST-specific issues, i.e., those pertaining to areas most directly related to IST, are discussed in this IST SRP.

6. Modeling of the Effects of IST on PRA Basic Events

One of the requirements for the acceptability of a risk informed IST program is a quantitative demonstration by use of a PRA of sufficient quality that changes to plant risk caused by the proposed extension in testing intervals or changes in test methods for selected components are small or are reductions and should not cause the NRC Safety Goals to be exceeded (See reference 1).

In order to establish this demonstration, it is necessary that the PRA include models which appropriately account for the change in reliability of the components as a function of testing interval. For many purposes, it is also desirable to model the effects of enhanced testing methods. Components not modeled in the PRA should be evaluated and categorized with appropriate basis.

7. Categorization of Components

The identification of components as potential candidates for changes in IST intervals or test methods can be done in many ways. Component categorization using PRA importance measures to classify structures, systems, and components (SSCs) into high and low risk contributors is one of the acceptable methods. The results from this importance analysis can then be one of the inputs to the licensee's integrated decision-making process (e.g., expert panel) to help determine the safety significance of the IST components. In addition to the determination of risk importance contribution for input to the licensee's integrated decision-making process, the determination of potential risk contribution from SSCs by PRA importance determination can be useful for the following reasons:

  • When performed with a series of sensitivity evaluations, it can identify potential risk outliers by identifying components which could dominate risk for various plant configurations and operational modes, PRA model assumptions, and data and model uncertainties.
  • Importance categorization can provide a useful means to identify improvements to current IST practices during the risk-informed application process by identifying components that are high risk contributors which may benefit from more frequent tests or enhanced testing methods.

8. Other Technical Issues

a. Initiating Events

While completely new initiating events are not expected from proposed changes to IST programs, it is necessary to review whether initiating events previously screened out in the PRA, on grounds of low frequency, might now be above the screening threshold as a result of an IST program change. Examples would be events that are (a) relatively infrequent to begin with, (b) mitigated satisfactorily by closure of an isolation valve, and (c) not analyzed because of a combination of low frequency of event "AND-ed" with a low probability of valve failure. If such events increased in frequency as a result of an IST program change, then the scope of consideration would need to change to reflect this.

b. Dependencies and Common Cause Failures (CCFs)

Common cause failures (component hardware failure dependencies) cover the failures of usually identical components that are usually caused by design, manufacturing, installation, calibration, maintenance, or operational deficiencies. Because they can fail more than one component at the same time, CCFs can dominate plant risk.

A change in IST has the potential of affecting the CCF probabilities since similar test methods and frequencies are being proposed for pumps or valves as a group. For these components, CCF probabilities could be low or might not even be included in the baseline PRA models based on the historical and engineering evidence driven by current requirements. With proposed changes in IST frequencies and methods, there should be assurance that the CCF contribution will not become so significant that it could affect satisfying the acceptance criteria (See reference 1).

c. Uncertainty and Sensitivity Analyses

This issue consists of two parts. The first part deals with uncertainties in the baseline PRA that is used as the basis for the IST risk evaluation. A discussion of the need and criteria for an evaluation of uncertainties in the base PRA is provided in the general Reg Guide and SRP.

The second part of this issue is the matter of uncertainties in the estimates of the change in risk resulting from implementation of the risk informed IST program. If the licensee provides a best estimate indication of the change in risk, then an estimate of uncertainties is necessary in order to make a rational decision on the acceptability of the change. On the other hand, if the licensee provides an upper bound estimate of the change in risk based on a demonstrably conservative analysis, then an uncertainty analysis is not required.

d. Human Reliability Analysis

The results of a PRA, and therefore the decisions that are influenced by it, can be influenced by modeling of human reliability. Plant safety depends significantly on human performance, so it is essential that PRAs treat it carefully. However, the modeling of human performance is a relatively difficult area; significant variations in approach continue to be encountered, and these can significantly influence the results. In addition to the variability issue, there are, in the IST area, questions related to what kind of human actions can appropriately be credited in the context of a particular regulatory finding. As an example, suppose that PRA results appear to support relaxation of a test interval based on the argument that even if the component fails, its failure can be recovered with high probability by operator actions outside the control room. The issues of concern here are whether the modeling of the operator action and the evaluation of the failure probability is appropriate, and whether this kind of credit is an appropriate measure to support justification of a relaxation. Consistent with maintenance of defense in depth, operator action should not be the sole basis for determining that a testing interval can be extended.

e. Use of Plant-Specific Data

In selecting appropriate failure rate data to use in the risk informed IST program, the analyst is frequently faced with the question of whether to use plant specific or generic data, or some combination of the two. For newer plants with little operating history, the only choice is use of generic data, in which case the only decision is which generic data base to use. For those cases where significant plant specific data are available, usually it is most appropriate to combine plant specific and generic data with a method that gives appropriate weight to each. Since several generic data bases are available, and they do not always agree, a further issue is which of these is most appropriate. Sections III.A.8.e and IV.A.8.e provide guidance.

Finally, in considering plant-specific failure data, it is important to be able to recognize poorly-performing individual components, rather than allowing poor performance of a single component to be averaged over all components of that type. Poor performance may arise because of inherent characteristics of one member of what would otherwise be considered a uniform population. This would result in a higher than expected failure rate for the population and lead to less relaxation than might be anticipated. Of more concern is poor performance of components that arises because they are operating in a more demanding environment, for example. If, for reasons of expediency, these components are grouped together with others for which the operating conditions are more favorable, then their failure rates could become artificially lowered, and, if requirements are relaxed based on the group failure rate, this could lead to a significant probability of experiencing an inservice failure of the poor performers.

9. Evaluating the Overall Effect of Proposed Changes on Plant Risk

The acceptance of risk-informed IST changes should depend on how the proposed changes affect the CLB in light of the following key principles:
a. The proposed change meets the current regulations. (This principle applies unless the proposed change is explicitly related to a requested exemption or rule change.)
b. The defense in depth philosophy is maintained.
c. Sufficient safety margins are maintained.
d. Proposed increases in risk, and their cumulative effect, are small and do not cause the NRC Safety Goals to be exceeded.
e. Performance-based implementation and monitoring strategies are proposed that address uncertainties in analysis models and data and provide for timely feedback and corrective action.

10. Integrated Decision Making

The reviewer should evaluate the acceptability of the licensee's proposed RI-IST program using the proposed procedures outlined in Section IV of this SRP and the proposed acceptance guidelines specified in Section III of this SRP.

Each of the key principles specified in Section II.A.9 above should have been addressed in the licensee's submittal. In implementing these principles, the reviewer should ensure that:

  • All safety impacts of the proposed changes were evaluated on a component-specific basis as well as in an integrated manner as part of an overall risk management approach in which the licensee uses risk analysis to improve operational and engineering decisions broadly and not just to eliminate requirements that the licensee sees as undesirable. The approach used to identify changes in requirements should be used to identify areas where requirements should be increased as well as where they could be reduced.
  • The acceptability of proposed changes should be evaluated by the licensee in an integrated fashion that ensures that all principles are met.
  • Core damage frequency (CDF) and large early release frequency (LERF) can be used as suitable metrics for making risk-informed regulatory decisions.
  • Increases in estimated CDF and LERF resulting from proposed CLB changes will be limited to small increments.
  • The scope and quality of the engineering analyses (including traditional and probabilistic analyses) conducted to justify the proposed CLB change should be appropriate for the nature and scope of the changes proposed and should be based on the as-built and as-operated and maintained plant.
  • Appropriate consideration of uncertainty is given in analyses and interpretation of findings.
  • The plant-specific PRA supporting decisions has been subjected to quality controls such as an independent peer review.
  • Data, methods, and assessment criteria used to support the proposed IST program changes (e.g., those used by the licensee's expert panel) must be available for public review.

Acceptability of the proposed change should be determined using an integrated decision making process that addresses three major areas: (1) an evaluation of the proposed change in light of the plant's current licensing basis, (2) an evaluation of the proposed change relative to the key principles and the acceptance criteria, and (3) the proposed plans for implementation, performance monitoring, and corrective action.

Footnote: One important element of integrated decision making can be the use of an "expert panel." Such a panel is not a necessary component of risk-informed decision making; but when it is used, the key principles and associated decision criteria presented in this regulatory guide still apply and must be shown to have been met or to be irrelevant to the issue at hand.

B. IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION

1. Program Implementation

The licensee should have an implementation plan and schedule for testing Priorall high and low safety significant components identified in their progr This plan should include test strategies implementation plan and schedule.(i.e., frequencies and methods) for high a that are within the scope of the licensee's RI-IST program, including components identified as high safety significant components that are not currently in the IST program. The composition of the component groupings (i.e., components of the same type, size, manufacturer, model, and that experience the same service conditions) should be identified. Components whose test interval is to be extended via staggering should be identified along with their staggered frequency over the test interval. Components should also some other step-wise approach. The final test interval of these components should also be included in the submittal. [Section III.B.1 describes an acceptable method for extending test intervals in greater detail.]

2. Performance Monitoring of IST Equipment

Performance monitoring of IST equipment refers to the monitoring of test data for equipment that has been placed on a revised test strategy (e.g., extended test interval). The purpose of the performance monitoring is to help confirm that the failure rates assumed for this equipment remain valid, and that no unexpected failure mechanisms which are related to revised test strategy become important enough to alter the failure rate assumed in the evaluation models. Two important aspects of performance monitoring are whether the test frequency is sufficient to provide meaningful data, and whether the testing methods, procedures, and analysis provide assurance that performance degradation is detected. Component failure rates cannot be allowed to rise to unacceptable levels before detection and corrective action takes place.

3. Feedback and Corrective Action Program

A performance-based corrective action program should be a part of the licensee's proposed implementation and monitoring plan.

4. Periodic Reassessment

The reviewer should evaluate the licensee's RI-IST program to ensure that it contains explicit provisions whereby the overall program is periodically evaluated and component performance data gets fed back into both the component grouping and component test strategy determination (i.e., test frequency and methods) process, and that changes will be made as appropriate. Reassessments should be performed at a frequency consistent with the availability of new data from the monitoring programs. This periodic reassessment should not be confused with the 120-month program updates required by 10 CFR 50.55a(f)(4)(ii) whereby the licensee's IST program must comply with later versions of the ASME Code that have been endorsed by the NRC.

5. Formal Interactions With the NRC

to determine if it appropriately describes the types of chang made without prior NRC approval and the types of changes that require NRC approval prior to implementation (See Section III.A.1 and III.B.5).

III. ACCEPTANCE GUIDELINES

A. ENGINEERING EVALUATION

1. Evaluation of Proposed Changes to the Current Licensing Basis

The acceptance guidelines for evaluating proposed changes to the current licensing basis are contained in licensing basis documents as well as in other regulatory documents (e.g., regulations, regulatory guides, standard review plans, branch technical positions). The rules governing such changes are described in 10 CFR 50.59, 50.90, 50.109, and other regulations. Each proposed change must be evaluated on a case-by-case basis. On a component-specific basis, the licensee should identify each instance where the proposed IST program change will affect the CLB of the plant and document the basis for the acceptability of the proposed change by explicitly addressing each of the key safety principles.

A broad evaluation of proposed changes to the CLB of the plant is appropriate because proposed IST program changes could affect requirements or commitments that are not explicitly described in the licensee's safety analysis report. Furthermore, staff approval of the design, operation, and maintenance of SSC at the facility may have been granted in terms other than probability, consequences, or margin of safety.
evaluate proposed IST program changes against other more explicit criteria (e.g., design basis criteria used in either the licensing process or to determine the acceptability of SSC design, operation, and maintenance).

2. IST Program Scope

In order to be acceptable, the RI-IST program scope should include in addition to components in the current Code prescribed program, any other significant that were so identified as part of the PRA or licensee's integrated decision-making process (e.g., expert panel).


3. IST Program Changes

a. General

The licensee's RI-IST program should reevaluate the testing frequency (and methods as applicable) for high safety significant components that were the subject of a deferred test justification, an approved relief request, or an NRC authorized alternative test. The licensee should resubmit relief requests and proposed alternatives, along with risk-related insights, for NRC staff review and approval (see Section 4.1.4 of reference 2).

In establishing the test interval for low safety significant components, the licensee should consider component design, service condition, and performance as well as risk insights. The proposed test interval should be supported by both generic and plant-specific failure rate data and the test interval should be significantly less than the expected time to failure of the component in question (e.g., an order of magnitude less). Alternatively, the licensee could ensure that adequate component capability (i.e., margin) exists, above that required during design basis conditions, such that component operating characteristics over time do not result in reaching a point of insufficient margin before the next scheduled test activity. The inservice test interval should generally not be extended beyond once every 5 years or 3 refueling outages (whichever is longer) without specific compelling documented justification.

IST components (i.e., with the exception of check valves) should, at a minimum, be exercised or operated (i.e., via testing of other components in the system, routine maintenance, normal plant operations, etc.) at least once every refueling cycle. If practical, more frequent exercising should be considered for components in any of the following categories:
a) Components with high safety significance;
b) Components in adverse or harsh environmental conditions; or
c) Components with any abnormal characteristics (operational, design, or maintenance conditions).

b. Changes to Test Interval (Only)

A RI-IST program that proposes to only adjust IST intervals should have provisions to:
a) identify components whose test interval should be decreased as well as components whose test interval might be extended.
b) assess the effectiveness of the current IST program in determining the ability of the component to carry out its intended function. Test intervals should only be extended for components that are tested using methods that have the capability to detect component degradation associated with the important failure modes and causes identified in the plant's PRA.

If the licensee chooses the alternative described in reference 2 for implementing a RI-IST program, the licensee should make a commitment to adopt enhanced test strategies as described in risk-based IST Code cases developed by ASME as endorsed by the NRC or obtain staff authorization for an alternative test strategy.

c. Changes to Test Interval and Methods

A RI-IST program that adjusts IST intervals as well as IST methods is acceptable if it identifies components whose test strategy should be more focused as well as components whose test strategy might be relaxed.

4. Relief Requests and Technical Specification Amendments

The licensee should address the following issues:
  • For low safety significant components, are there any component test methods that are not in accordance with the Code requirements or any NRC guidance? If so, relief is required for these test methods.
  • For high safety significant components, are there any component test methods that are not in accordance with the Code requirements or any NRC guidance? If so, relief is required for these test methods.
  • For high safety significant components, are there any component test frequencies that are not in accordance with the Code requirements or any NRC guidance? If so, relief is required for these test frequencies.
  • For any components, are there changes in technical specification requirements? If so, the licensee is required to submit and have approval of a technical specification amendment prior to implementing the RI-IST program. Similarly, if a proposed IST program change requires a change to the updated Final Safety Analysis Report (USAR), the licensee should have performed an evaluation pursuant to 10 CFR 50.59.

5. Quality of the PRA for IST Application

In order to be acceptable for application to IST, the PRA models must reflect the dependence of core damage frequency (CDF) and large early release frequency (LERF) on basic events whose probabilities are affected by IST.

This means that IST-related events and events that are logically in parallel with IST events must be quantified properly. Modeling of IST events should:

  • satisfactorily reflect dependence of basic event probability on fault exposure time,
  • consider effects of staggering of tests,
  • use defensible failure rate parameters (λ), and if better-than-generic λ's are used, special justification may be warranted,
  • consider the effect on λ of aging, environmental stresses, and frequency of testing (either as part of the PRA, or as part of the licensee's integrated decision making process), and

In addition, common cause failure (CCF) modeling of failures potentially addressed by IST must be performed.

6. Modeling of the Effects of IST on PRA Basic Events

The PRA should include a model which can provide an appropriate measure of the change in risk as a result of extending the test interval on selected components. This requires that the model directly addresses the change in component availability as a function of test interval. The model must include:

  • an explicit quantitative consideration of the degradation of the component failure rate as a function of time, supported by appropriate data and analysis, OR
  • arguments need to be presented which convincingly support the conclusion that no significant degradation will occur.
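The dependence on test interval that Sections III.A.5 and III.A.6 ask for can be sketched as follows. This is an added example, not part of the NRC draft: it assumes a standby component restored to as-good-as-new at each test, an optional linear aging term, a beta-factor CCF model for a two-train group, and constructed input values; all function names are illustrative.

```python
import math

HOURS_PER_MONTH = 730.0  # assumed conversion used only in this example


def cumulative_hazard(t, lam0, aging=0.0):
    """Integrated failure rate t hours after the last successful test.

    Assumed model: lambda(t) = lam0 + aging * t (linear degradation).
    """
    return lam0 * t + 0.5 * aging * t * t


def mean_unavailability(lam0, interval_h, aging=0.0, steps=2000):
    """Time-averaged probability that the component sits failed and
    undetected between tests spaced interval_h hours apart."""
    if interval_h <= 0:
        raise ValueError("test interval must be positive")
    dt = interval_h / steps
    total = 0.0
    for i in range(steps):  # midpoint-rule integration over one interval
        t = (i + 0.5) * dt
        total += 1.0 - math.exp(-cumulative_hazard(t, lam0, aging))
    return total * dt / interval_h


def ccf_unavailability(lam0, beta, interval_h, staggered):
    """Mean unavailability of a two-train group due to common cause failure.

    Beta-factor assumption: CCF rate = beta * lam0. With staggered tests
    (offset by half an interval) a CCF is found at the next test of either
    train, so the fault exposure time is halved. This assumes a failure
    found in one train prompts a check of the other.
    """
    exposure = interval_h / 2.0 if staggered else interval_h
    return mean_unavailability(beta * lam0, exposure)


def interval_margin_ok(lam0, interval_h, factor=10.0):
    """True if the interval is at least `factor` times shorter than the
    expected time to failure 1/lam0 (the 'order of magnitude' guideline)."""
    return interval_h * factor <= 1.0 / lam0


def evaluate_extension(lam0, old_months, new_months, birnbaum, beta, aging=0.0):
    """Compare a basic event before and after a test interval extension.

    birnbaum: change in CDF per unit change in the basic event probability,
    taken from the PRA (a constructed value in the demo below).
    """
    old_h = old_months * HOURS_PER_MONTH
    new_h = new_months * HOURS_PER_MONTH
    q_old = mean_unavailability(lam0, old_h, aging)
    q_new = mean_unavailability(lam0, new_h, aging)
    return {
        "q_old": q_old,
        "q_new": q_new,
        "delta_cdf": birnbaum * (q_new - q_old),
        "ccf_sequential": ccf_unavailability(lam0, beta, new_h, False),
        "ccf_staggered": ccf_unavailability(lam0, beta, new_h, True),
        "margin_ok": interval_margin_ok(lam0, new_h),
    }


if __name__ == "__main__":
    # Constructed inputs: 1e-6 failures/hour, quarterly test moved to 24 months.
    result = evaluate_extension(lam0=1e-6, old_months=3, new_months=24,
                                birnbaum=1e-4, beta=0.1)
    for name, value in result.items():
        print(name, value)
```

Passing a nonzero `aging` value shows how quickly the constant-rate result understates unavailability once degradation between tests is credited.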

7. Categorization of Components

When using risk importance measures to identify components that are low risk contributors, potential limitations of these measures have to be addressed.

Therefore, information to be provided to the licensee's integrated decision-making process (e.g., expert panel) must include sensitivity studies and/or other evaluations to demonstrate the insensitivity of the risk importance results to the important PRA modeling techniques, assumptions, and data. Issues that have to be considered and addressed when determining low risk contributors include the following: truncation limit, different risk metrics, component failure modes, different maintenance states and plant configurations, multiple component considerations, defense in depth, binning criteria, and analysis of uncertainties (including sensitivity studies to component data uncertainties, common cause failures, and recovery actions).

8. Other Technical Issues
a. Initiating Events

Other than for IST interval extensions argued on the basis of IST-induced risk, the acceptance guideline in this area is that there should be positive evidence that the licensee process considered the effect of the IST program on initiating event frequency.

In the area of IST-induced risk, licensees are encouraged to analyze the potential for adverse effects due to the tests themselves, and to look for ways to reduce these effects, either through changes in interval or changes in test protocols. If licensees advance the argument that there are significant adverse effects associated with testing as a reason for reducing or eliminating test frequency, then it will be necessary to review
  • the causal model relating IST activity to the occurrence of an initiating event,
  • the probability of core damage conditional on this event,
  • the causal model relating reduction of IST or change in protocol to the subsequent behavior of the IST component.

Acceptance criteria for these causal models are the same as for causal models of IST basic events, and the acceptance criterion for core damage probability is covered by acceptance criteria for general PRA issues presented in the general SRP.

b. Dependencies and Common Cause Failures

Common cause failure (CCF) modeling of failures potentially addressed by IST should be performed. This includes the modeling of CCF groups of similar components that are mutually redundant and all being relaxed. To reduce fault exposure times for potential common cause failures, staggered testing should be implemented as part of the RI-IST change process.

c. Uncertainty and Sensitivity Analyses

The criteria for the analysis of uncertainties in the comparison to acceptance guidelines are provided in the Regulatory Guide DG-1061 (reference 1).

d. Human Reliability Analysis

Justification of IST relaxations should not be based on credit for post-accident recovery of failed components (repair or ad hoon Risk-Informed Decision Making (DG-1061) provides guidance for the acceptance of RI-IST changes and consideration in context with other RI initiatives.
10. Integrated Decision Making

The licensee's proposed RI-IST program should be supported by an engineering evaluation (reviewed in accordance with RI-IST SRP section IV.A). It is expected that the categorization developed by the PRA process and the traditional engineering approach will be considered by the licensee's integrated decision-making process (e.g., expert panel) to categorize components and in making decisions regarding each component's test strategy.

The licensee's RI-IST program submittal should meet the acceptance guidelines contained in Section III.A.1 through 8 or justify why an alternative approach is acceptable.

Defense in depth has traditionally been applied in reactor design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It has been and continues to be an effective way to account for uncertainties in equipment and human performance. In some cases risk analysis can help quantify the range of uncertainty; however, there will likely remain areas of large uncertainty or areas not covered by the risk analysis. Where a comprehensive risk analysis can be done, it can be used to help determine the appropriate extent of defense in depth (e.g., balance among core damage prevention, containment failure, and consequence mitigation) to ensure protection of public health and safety. Where a comprehensive risk analysis is not or cannot be done, traditional defense in depth considerations should be used or maintained to account for uncertainties. Proposed RI-IST programs should be assessed to ensure that the defense in depth is maintained. Defense in depth is preserved if, for example:

  • a reasonable balance is maintained between prevention of core damage, prevention of containment failure, and consequence mitigation;
  • there is not an over-reliance on programmatic activities to compensate for weaknesses in plant design;
  • system redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system;
  • defenses against potential common cause failures are maintained and the introduction of new common cause failure mechanisms is avoided;
  • independence of barriers is not degraded;
  • defenses against human errors are maintained.

Sufficient safety margins are maintained if, for example:

  • ASME codes and standards or alternatives approved for use by the NRC are met;
  • safety analysis acceptance criteria in the current licensing basis (e.g., USAR, supporting analyses) are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainties;

Defense in depth and safety margin may be evaluated, as feasible, using risk techniques (PRA) provided Code-required margins are preserved.

Other acceptance guidelines may be proposed by the licensee. However, alternative guidelines would require more detailed consideration by the reviewer on a case by case basis.

After the components have been categorized, RI-IST program implementation, performance monitoring, and corrective action (Section III.B) acceptance guidelines should be satisfied and the overall effect of the proposed changes should be acceptable (ref. Section III.A.9) before the reviewer concludes that the proposed RI-IST program provides "an acceptable level of quality and safety" (ref. 10 CFR 50.55a (a)(3)(i)).

If the licensee's proposed RI-IST program is unacceptable based on either traditional engineering analyses or the probabilistic analyses, the reviewer should deny the licensee's proposed RI-IST program.

In evaluating the overall effect of the proposed RI-IST program, the licensee should specifically evaluate the effect of the proposed relaxations of requirements (e.g., test interval extensions) for components considered singly and when grouped together. Where these relaxations are offset by alternative measures (e.g., additional monitoring, different tests, procedures, training), the licensee should identify, and quantify to the extent practicable, the effects of these alternative measures. Similarly, if there are benefits associated with proposed relaxations (e.g., reduction in initiating event frequency, reduction in system misalignment, reduction in radiation exposure), the licensee should identify, and quantify to the extent practicable, the effects of these benefits. As a general rule, the alternative measures and benefits should be directly linked to the systems or components associated with proposed relaxations.

On a case by case basis, the staff may assess the licensee's proposed improvements made to the test strategy for a group of components against proposed relaxations in test requirements for another group of components in assessing the overall acceptability of a proposed RI-IST program. For example, the risk increase associated with relaxation of requirements for a group of low safety significant components may be deemed acceptable in light of improvements made to a group of more high safety significant components, even if all of the factors contributing to the overall change in risk are not quantified. However, the vulnerability associated with the relaxation of requirements for the low safety significant components must be acceptably low (See DG-1061 criteria).

The licensee's integrated decision-making process should have explicitly considered all such situations. The factors considered by the licensee's integrated decision-making process, as well as the basis for the licensee's integrated decision-making process conclusion, should be clearly documented. The reviewer should evaluate this documentation to see if there is adequate technical justification for the licensee's decisions.

Specific acceptance guidelines for use of Expert Panels are contained in Appendix B of reference 3.

B. IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION

1. Program Implementation
For either high or low safety significant components that will be tested in accordance with the current NRC-approved Code test frequency and method requirements, no specific implementation schedule is required. The test frequency should be included in the licensee's RI-IST program.

For either high or low safety significant components that will employ NRC-endorsed ASME Code cases, implementation of the revised test strategies should be documented in the licensee's RI-IST program.

For any alternate test strategies proposed by the licensee, the licensee should submit a relief request to the NRC (reference Section III.A.4).

For low safety significant components that will be tested at a frequency less than the Code test frequency which are exercised as a result of testing, routine maintenance, or normal plant operation and have acceptable performance histories, the licensee should group these components and test them on a staggered basis. Grouping is acceptable provided it complies, for example, with the guidance contained in NRC Generic Letter 89-04, Position 2 for check valves; Supplement 6 to NRC Generic Letter 89-10 and Section 3.5 of ASME Code Case OMN-1 for motor-operated valves; or other documents endorsed by the NRC.

Component monitoring that is performed as part of the Maintenance Rule implementation can be used to satisfy monitoring as described in the RI-IST program guidance. In these cases, the performance criteria chosen have to be compatible with the RI-IST guidance provided in Reference 2.

For low safety significant components that will be tested at a frequency less than the licensee's current Code test frequency which are not exercised as a result of non-Code required system or component testing, routine maintenance, or normal plant operation and have acceptable performance histories, the licensee should increase the test interval in a step-wise manner. If no time-dependent failures occur, then the interval can be gradually extended until the component, or group of components if tested on a staggered basis, is tested at the maximum proposed extended test interval.
2. Performance Monitoring of IST Equipment
The acceptance guidelines for this item consist of evaluating the licensee's proposed performance monitoring process to ensure that it has the following attributes:

  • enough tests are included to provide meaningful data;
  • the test is devised such that incipient degradation can reasonably be expected to be detected; and
  • the licensee trends appropriate parameters as required by the ASME Code or ASME Code case and as necessary to provide validation of the PRA.

Assurance must be established that degradation is not significant for components that are placed on an extended test interval, and that failure rate assumptions for these components are not compromised. It must be clearly established that the test procedures and evaluation methods are implemented which provide reasonable assurance that degradation will be detected and corrective action taken.

3. Feedback and Corrective Action Program
The licensee's corrective action program for this application is acceptable if it contains a performance-based feedback mechanism to ensure that if a particular component's test strategy is adjusted in a way that is ineffective in detecting component degradation and failure, the IST program weakness is promptly detected and corrected.

The licensee's corrective action program should evaluate RI-IST components that either fail to meet the test acceptance criteria or are otherwise determined to be in a nonconforming condition (e.g., a failure or degraded condition discovered during normal plant operation). The licensee's corrective action procedures should:

(a) comply with 10 CFR 50, Appendix B, Criterion XVI, Corrective Action,
(b) determine the impact of the failure or nonconforming condition on system/train operability since the previous test,
(c) determine and correct the root cause of the failure or nonconforming condition (e.g., improve testing practices, repair or replace the component),
(d) assess the applicability of the failure or nonconforming condition to other components in the IST program (including any test sample expansion that may be required for grouped components such as relief valves),
(e) correct other susceptible similar IST components as necessary,
(f) assess the validity of the PRA failure rate and unavailability assumptions in light of the failure(s), and
(g) consider the effectiveness of the component's test strategy in detecting the failure or nonconforming condition. Adjust the test frequency and/or methods, as appropriate, where the component (or group of components) experiences repeated failures or nonconforming conditions.

The corrective action evaluations should be provided to the licensee's PRA group so that any necessary model changes and re-grouping are done as might be appropriate. The effect of the failures on plant risk should be evaluated as well as a confirmation that the corrective actions taken will restore the plant risk to an acceptable level. The RI-IST program documents should be periodically revised to document any RI-IST program changes resulting from corrective actions taken.

4. Periodic Reassessment
The test strategy for IST components should be periodically, at least once every two refueling outages, assessed to take into consideration results of inservice testing and new industry findings. Plant specific data by itself should not be the sole basis to determine component operability because the sample size will, in most cases, not be sufficient. Therefore, the IST PRA model should also reflect industry experience. (See Section III.A.8.e)

5. Formal Interactions With the NRC
The licensee can make changes to their RI-IST program that are consistent with the process and results that were reviewed and approved by the NRC staff. For example:

  • Changes to component groupings, test intervals, and test methods that do not involve a change to the overall RI-IST approach (either traditional engineering or PRA analyses), where the overall RI-IST approach was reviewed and approved by the NRC do not require specific (i.e., additional) review and approval prior to implementation.
  • Component test method changes involving the implementation of an NRC-endorsed ASME Code, NRC-endorsed Code case, or published NRC guidance which were approved as part of the RI-IST program, do not require prior NRC approval.
  • Test method changes that involve deviation from the NRC-endorsed Code requirements require NRC approval prior to implementation.
  • Changes to the risk-informed IST program that involve programmatic changes (e.g., changes to the plant probabilistic model assumptions, changes to the grouping criteria or figures of merit used to group components, changes in the Acceptance Guidelines used by the licensee's integrated decision-making process (e.g., expert panel)) require NRC approval prior to implementation.

Changes to a licensee's RI-IST program should also be evaluated using change mechanisms described in the regulations (e.g., 10 CFR 50.55a, 10 CFR 50.59), as appropriate, to determine if prior NRC staff review and approval is required prior to implementation. In addition, changes to a licensee's approved RI-IST program (e.g., a change to a component's categorization) that could affect the results that were reviewed and approved by the NRC staff (e.g., the change in risk associated with implementation of the RI-IST program), should be evaluated to ensure that the basis for the staff's approval has not been compromised.

The licensee is not required to submit regular IST program updates. The licensee may elect to submit program updates in situations that may help the staff evaluate pending requests for relief or authorization, or when there have been significant program changes that do not require review.

IV. REVIEW PROCEDURES

A. REVIEW OF THE LICENSEE'S ENGINEERING EVALUATION

1. Evaluation of Proposed Changes to the Current Licensing Basis
Verify that the licensee reviewed licensing basis documents to identify proposed changes to the IST program that would alter the current licensing basis of the plant. On a component-specific basis, the licensee should have identified each instance where the proposed IST program change would affect the current licensing basis of the plant, identified the source and nature of the commitment (or requirement), and documented the basis for the acceptability of the proposed change. If the current licensing basis was not affected by the proposed IST program changes, the licensee should have so indicated in its risk-informed IST program description.

On a component-specific basis, the reviewer should evaluate the acceptability of each proposed change that impacts the CLB. Acceptability should consider the original acceptance conditions, criteria, and limits as well as the risk significance of the component. Ensure that the licensee explicitly and adequately addressed each of the key safety principles.

Verify that the licensee reviewed commitments related to outage planning and control to verify that they were appropriately reflected in the licensee's component grouping. Spot check to determine if components that play an integral role in the licensee's plans and procedures for maintaining the key shutdown safety functions are in the group of components that are candidates for more focused inservice tests (i.e., high safety significant component category).

2. IST Program Scope
Review the proposed IST program and verify the following:

  • For selected systems, verify that components that perform a safety-related function(s) are in the proposed RI-IST program.

  • Components categorized as "high safety significant" are included in the RI-IST program, regardless of their status in the licensee's current IST program.

3. IST Program Changes
a. General
Verify that the licensee reevaluated the test frequency (and methods as applicable) for high safety significant components that were the subject of a deferred test justification, approved relief request, or NRC authorized alternative test. Review resubmitted relief requests and requests that alternatives be authorized, along with risk-related insights.

On a sampling basis, verify that the licensee considered component design, service condition, and performance as well as risk insights, in establishing the technical basis for each component's (or group of components) test interval. The licensee's rationale for the proposed change in test interval and its relationship to expected time to failure should be reviewed. Verify that the proposed test intervals are supported by applicable generic or plant-specific failure rate data. Verify that proposed test intervals are significantly less than the expected time to failure of the components in question (e.g., an order of magnitude less). Alternatively, spot check the licensee's calculations to ensure that adequate component capability exists, above that required during design basis conditions, such that component operating characteristics over time do not result in reaching a point of insufficient margin before the next scheduled test activity.

Verify that the inservice test intervals are not extended beyond once every 5 years or 3 refueling outages (whichever is longer) without specific compelling documented justification. Extensions beyond 5 years or 3 refueling outages should be considered as component performance data at extended test intervals is acquired and as PRA technology improves.

On a sampling basis, verify that IST components (i.e. with the exception of check valves) are exercised or operated at least once every refueling cycle.

  • Check to see if components in the following categories are exercised more frequently than once per operating cycle, if practical:

a) Components with high risk significance;
b) Components in adverse or harsh environmental conditions; or
c) Components with any abnormal characteristics (operational, design, or maintenance conditions).

If the licensee chooses to use the alternative described in reference 2 for implementing a RI-IST program, verify that the licensee made a commitment to adopt enhanced test strategies as described in risk-based IST Code cases developed by ASME, as endorsed by the NRC. If the licensee chooses not to adopt one or more of these Code cases, review the licensee's written technical justification outlining why it was impractical to implement the risk-informed Code Case strategy as well as the licensee's proposed alternative test strategy.

Verify that the licensee's RI-IST program identifies and tests components in the high safety significant category that are not in the licensee's current IST program commensurate with their safety significance or that the licensee has demonstrated that a suitable search for such components was conducted. These components should be tested in accordance with the ASME Code where practical, including compliance with all administrative requirements. Where ASME Section XI or OM testing is not practical, alternative test methods to ensure operational readiness and to detect component degradation (i.e., degradation associated with failure modes identified as being important in the licensee's PRA) should be proposed by the licensee. These alternative test strategies should be reviewed and approved by the NRC prior to implementation of the RI-IST program at the plant (see SRP section V. D.).

On a sampling basis, confirm that changed test strategies do not result in violating TS requirements, or that an appropriate amendment request is submitted.

b. Changes to Test Interval (Only)
Verify that the process used by the licensee to group components (i.e., components that are candidates for having their inservice test requirements relaxed and components that should be subjected to more frequent (e.g., quarterly) and effective inservice tests) is consistent with the acceptance guidelines specified in Section III.A.3.b and that appropriate commitments to adopt enhanced test strategies have been made (i.e., if the alternative described in reference 2 for implementing a RI-IST program is proposed by the licensee).

c. Changes to Test Interval and Methods
Verify that tests performed for the components within the scope of the RI-IST program meet the enhanced ASME Code test strategies (i.e., test method and frequency) as endorsed by the NRC, except where NRC has either granted relief or authorized an alternative test strategy.

4. Relief Requests and Technical Specification Amendments
The regulation (or alternative that was authorized by the NRC) that permitted the licensee to implement the overall RI-IST program will, in part, allow licensees to increase the testing interval (and possibly relax test methods) of components categorized, through the use of their PRA and integrated decision-making process, as low safety significant. Approval of the alternative includes evaluation and approval of the process to identify low safety significant components and adjust their test frequencies (or test methods) commensurate with their previous service and maintenance histories and existing environmental conditions. Therefore, individual component relief requests are not required to adjust the test interval of individual components that are categorized as having low safety significance (i.e., because the licensee's implementation plans for extending specific component test intervals should have been reviewed and approved by the NRC staff as part of their RI-IST program submittal). Similarly, if the proposed alternative includes improved test strategies to enhance the test effectiveness of low and high safety significant components, such as the use of ASME Code Case OMN-1, "Alternate Rules for Preservice and Inservice Testing of Certain Electric Motor Operated Valve Assemblies in LWR Power Plants, OM-Code - 1995 Edition; Subsection ISTC" then additional relief from the Code requirements (i.e., beyond staff approval of the licensee's RI-IST program describing the licensee's intention to adopt such a Code case) is not required (See footnote 6 to 10 CFR 50.55a).

For high and low safety significant components not tested in accordance with the Code test method requirements or NRC endorsed Code Case, specific relief would be required from the applicable Code requirements. Relief would also be required from the Code test frequency requirements for high safety significant components not tested at the Code-required frequency. (High safety significant components are expected to be maintained at Code-required frequencies unless specific relief exists or adjustment is bounded by Generic Letter 89-04.)

a. Verify that requests for relief or approval for alternative testing have been submitted to the NRC. Verify that the licensee has submitted technical specification amendment requests for proposed changes that impact technical specification.
b. Review the basis for requests for relief and alternatives and assess the adequacy of the implementation of the alternative testing.
c. Review the justification for deferring testing of high safety significant components to cold shutdowns or refueling outages.

5. Quality of the PRA for IST Application
The reviewer should establish that for IST applications, special attention has been paid to quantification of the failure probability of IST components in light of IST program attributes (e.g., test interval), and that special attention has been paid to quantification of the failure probability of compensating SSCs.

Fault Exposure Time for IST Components:
Reviewers must ensure that the fault exposure time credited in the PRA is reasonable in light of the IST interval and other activities. In general, the mean fault exposure time will be taken to be 1/2 of the test interval. Some analyses may apply a fault exposure time other than this: a different fault exposure time for a given component might be claimed as a result of credit taken for non-IST validation of the performance of the component, perhaps by virtue of system challenges, or an IST test on a different component that implicitly requires functioning of the subject component and would therefore reveal a failed state of the subject component. The reviewer should establish that the licensee has identified a basis for every fault exposure time modeled, and that commitments are in place wherever a fault exposure time is determined by a programmatic activity. Where a fault exposure time is the result of tests on other components, the reviewer should verify that there is assurance that these other tests will be performed and that the behavior of the subject component will be surveilled in the course of these tests. Where a fault exposure time is the result of system challenges, the reviewer should verify that this challenge frequency is consistent with system challenge frequencies modeled elsewhere in the PRA.
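The fault exposure and test-interval screens described above can be worked through numerically; the following is an added example, not part of the draft SRP. It assumes the standard first-order standby unavailability q = λτ (failure rate times mean fault exposure time), an expected time to failure of 1/λ, and that a credited non-IST activity reveals a failure at its own interval; all component tags and rates are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HOURS_PER_YEAR = 8760.0


@dataclass
class Component:
    tag: str                       # constructed identifier, not from the SRP
    failure_rate_per_hr: float     # standby failure rate (lambda)
    test_interval_yr: float        # proposed inservice test interval (T)
    # Interval of a non-IST activity (other test, system challenge) that
    # would reveal a failed state of this component, if credit is claimed.
    other_reveal_interval_yr: Optional[float] = None
    # True only if that activity is backed by a programmatic commitment.
    credit_committed: bool = False


def mean_fault_exposure_hr(c: Component) -> float:
    """Mean fault exposure time: half the test interval by default.

    A shorter value is used only when the credited activity is committed.
    Assumption: the failure is revealed by whichever activity recurs sooner.
    """
    interval_yr = c.test_interval_yr
    if c.other_reveal_interval_yr is not None and c.credit_committed:
        interval_yr = min(interval_yr, c.other_reveal_interval_yr)
    return interval_yr * HOURS_PER_YEAR / 2.0


def unavailability(c: Component) -> float:
    """First-order standby unavailability q = lambda * tau (lambda*tau << 1)."""
    return c.failure_rate_per_hr * mean_fault_exposure_hr(c)


def screen(c: Component, refuel_cycle_yr: float) -> List[str]:
    """Return the review flags raised by one component's proposed interval."""
    flags = []
    # Cap: 5 years or 3 refueling outages, whichever is longer.
    cap_yr = max(5.0, 3.0 * refuel_cycle_yr)
    if c.test_interval_yr > cap_yr:
        flags.append("interval-exceeds-cap")
    # Interval should be about an order of magnitude below time to failure.
    expected_ttf_yr = 1.0 / c.failure_rate_per_hr / HOURS_PER_YEAR
    if c.test_interval_yr > expected_ttf_yr / 10.0:
        flags.append("interval-not-well-below-time-to-failure")
    # Exposure-time credit needs a commitment behind it.
    if c.other_reveal_interval_yr is not None and not c.credit_committed:
        flags.append("exposure-credit-without-commitment")
    return flags


# Constructed sample population (18-month refueling cycle assumed).
SAMPLE = [
    Component("MOV-A", 1e-6, 2.0),
    Component("CV-B", 1e-6, 2.0, other_reveal_interval_yr=0.25),
    Component("CV-C", 1e-6, 2.0, other_reveal_interval_yr=0.25,
              credit_committed=True),
    Component("PMP-D", 2e-5, 2.0),
    Component("AOV-E", 1e-6, 6.0),
]


def review(components: List[Component],
           refuel_cycle_yr: float = 1.5) -> Dict[str, dict]:
    """Summarise unavailability and flags for each component."""
    return {
        c.tag: {
            "tau_hr": mean_fault_exposure_hr(c),
            "q": unavailability(c),
            "flags": screen(c, refuel_cycle_yr),
        }
        for c in components
    }


if __name__ == "__main__":
    for tag, row in review(SAMPLE).items():
        print(f"{tag:6s} tau={row['tau_hr']:7.0f} h  q={row['q']:.2e}  {row['flags']}")
```

Extending a quarterly interval to two years multiplies the first-order unavailability by eight unless a committed activity keeps the fault exposure time short, which is why the commitment check matters.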

Failure Rates for IST Components:
The reviewer should establish that in general, failure rates for components are consistent with plant-specific data, except that failure rates that are appreciably less than generic data (e.g., those on the order of a factor of 3 or more lower than generic data) should be justified. To use the lower plant-specific failure rate, it must be demonstrated that the plant-specific failure rate data came from a population statistically different from the generic population and a mechanistic explanation should be provided. The reviewer should ascertain whether the failure rate takes account of special environmental stresses or aging. If not, this should figure in the evaluation of the performance monitoring and feedback activity (see Sections III.B.3 and IV.B.3).

Basic Event Probabilities of Compensating SSCs:
Events that appear jointly in minimal cut sets with IST components (compensating SSCs) must be quantified appropriately or else perspective on the significance of IST components will be distorted. Depending on the form of PRA documentation, this can be relatively difficult for reviewers to spot check; reviewers should therefore verify that as part of IST applications, licensees warrant that the apparent significance of IST events is not distorted by inappropriate quantification of compensating events. Note that PRA updates may have been performed to boost the credited performance of compensating SSCs in anticipation of the need to justify relaxed IST intervals. This is acceptable, and need not prompt special staff attention beyond that allocated generally to review of baseline risk profiles, provided that the licensee makes programmatic commitments appropriate to the level of performance claimed.

Common Cause Failures:
Reviewers should check that licensees have appropriately modeled CCF of groups of similar components that are proposed for relaxation and that are mutually redundant. This is discussed more in detail in Section 4.2.4.2 of reference 2.

6. Modeling of the Effects of IST on PRA Basic Events
The review procedure for the modeling of the effects of IST on the risk model involves the following steps:
  • The characteristics of the model used to evaluate the risk significance of extending selected component test intervals is compared against those considered acceptable as defined in Section III.B.2,
  • The reviewer establishes that the licensee looked for ways to improve test effectiveness,
  • Data and analysis used to support the model are reviewed and compared with independent data sources and analysis.

7. Categorization of Components
Results from risk categorization can be used directly for identifying the high risk significant components (e.g., for the identification of risk outliers, or for the identification of SSCs where more resources can be allocated).

However, when risk importance measures are used to group components as low risk significant, additional evaluations, sensitivity studies and other considerations as discussed in Section III.A.7 have to be taken into account. Review procedures for component risk categorization are provided in Appendix C of the general SRP for risk informed regulation.

8. Other Technical Issues
a. Initiating Events
For most aspects of the general case of IST changes on initiating event frequency, the reviewer is not expected to accept or reject the analysis through a process of independent validation of the licensee's evaluation of the effect of IST program changes on initiating event frequency. Rather, the reviewer is expected to look for evidence that the licensee

  • considered the effect of IST changes on initiating events that were analyzed (not screened out),
  • considered whether the IST changes would affect the frequencies of initiating events previously screened out from the analysis.

Note that the latter step logically requires that there have been documentation of the basis for screening out of initiating events. However, if a licensee argues for a reduction in testing or a change in protocol based on adverse risk effects of testing, the reviewer should spot check the calculations, especially if other plants of the same type have not drawn similar conclusions.

b. Dependencies and Common Cause Failures
The reviewer should check to confirm that potential CCFs which involve IST components have been considered in the PRA. It is particularly critical that the selection of common component groups was performed correctly to ensure that important common cause failure groups were not omitted. As a minimum, the CCF groups should include: redundant standby pumps; redundant MOVs/AOVs that change state; redundant check valves; and any other components that change state in order to support IST component operability.

The reviewer should verify that plant specific experience which involves the failure of two or more components from the same cause was analyzed and incorporated into the model where appropriate. The reviewer should determine that the methodology used to calculate the CCF probabilities is consistent with that given in the AEOD report (reference XX). Consistency of common cause failure probabilities with past experience and with the AEOD data should also be checked. Reviewers should check that licensees have established that performance monitoring is capable of detecting CCF before multiple failures are allowed to occur subsequent to an actual system challenge.

c. Uncertainty and Sensitivity Analyses
The following are review considerations for the licensee evaluation of uncertainties:
  • If the estimated risk change due to implementation of the IST program is a bounding estimate, then the reviewer should confirm that the models and data assumptions used do indeed produce a demonstrably conservative estimate.
  • If the licensee contends that the estimated risk change due to implementation of the IST program is a best estimate, then the reviewer needs to establish that uncertainty is addressed for the change. This argument must appropriately include data and model uncertainties. The licensee may be able to argue without explicit propagation that the uncertainty is small compared to the margin between the allowable change and the estimated change.

d. Human Reliability Analysis
The comprehensive review of human reliability modeling is treated in the general Reg Guide and general SRP. For IST applications, the review can be more focused. The IST-specific aspects include errors specifically related to testing, and quantification of compensating human actions.

Errors Specifically Related To Testing:
Two types of errors are of interest here. The first is errors during testing that leave equipment unavailable until the condition is discovered during a subsequent test or until the equipment is demanded (i.e., a restoration error). In some PRAs, such errors are included in the data base that is used for the equipment failure rate. The licensee should have verified that this is the case. If such errors are not included, they should have been considered separately. If they were considered separately, then the assumptions, models, and data used should be consistent with those that are generally accepted.

The second type of error is associated with error during recovery (e.g., failure to actuate an alternative system train). As indicated previously, the only recovery allowed for present purposes is manual actuation of alternate available equipment to work around failed equipment when a demand occurs and the normal equipment response fails. For this recovery situation, human errors must be considered, and they should reflect the time available to actuate the alternate available equipment, the procedures and training available, and adverse environmental factors (access to equipment, local temperatures and radiation levels, etc.).

Quantification of Compensating Human Actions:
This refers to the credit taken for human actions for purposes of deciding on IST changes. The reviewer should confirm that credit for compensating human actions is limited to proceduralized actions taken to actuate systems; repair of failed equipment is not to be considered. The intent of this review step is to ensure that licensees do not reduce IST on the basis of arguably speculative and relatively uncertain quantification of recovery probabilities. That is, acceptability of IST program changes should be assessed without credit for such recovery probabilities. Quantification of the baseline for purposes of deciding the acceptability of the overall risk profile and deciding on the allowed risk increment may be performed on the basis of credit for such actions.

e. Use of Plant-Specific Data
Appendix A of the reference 3 (SRP Chapter 19) provides procedures for the review of generic and plant-specific data used in support of the licensee's PRA.

9. Evaluating the Overall Effect of Proposed Changes on Plant Risk
Reference 3 (SRP Chapter 19) provides review procedures for the acceptance of RI-IST program changes.

10. Integrated Decision Making
There are no explicit criteria for dispositioning the results of traditional engineering and probabilistic analyses which may conflict with one another. The reviewer should evaluate the licensee's integrated decision-making process records associated with these conflicts. The licensee's integrated decision-making process records should clearly identify all factors considered by that process and the basis for conclusion. On a sampling basis, the reviewer should conduct an independent evaluation to determine if the licensee's conclusion has sufficient technical basis. The reviewer's determination that the proposed alternative will provide "an acceptable level of quality and safety" [ref. 10 CFR 50.55a (a)(3)(i)] should be based on the independent assessment. The reviewer should consider the following factors in trying to reach a conclusion relative to the acceptability of the licensee's proposed RI-IST program:

a. Does the proposed RI-IST program meet the current regulations? [This principle applies unless the proposed change is explicitly related to a requested exemption or rule change.]
b. Is defense in depth philosophy maintained?
c. Are sufficient safety margins maintained?
d. Are proposed changes in risk, and their cumulative effect, small and within the NRC Safety Goals?
e. Has the licensee proposed performance-based implementation and monitoring strategies that address uncertainties in analysis models and data and provide for timely feedback and corrective action?

More detailed guidance for reviewing the integrated decision making process is provided in Appendix B of Reference 3.

B. REVIEW OF IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION

1. Program Implementation On a sampling basis, the reviewer should verify that the following information is provided for each component in the RI-IST prcgram:

High Safety Significant Components: a) component test method and inte'rval b) ASME Code Case, if applicable c) technical specification amendment, if applicable d) relief request, if applicable 3.9.7-28 Rev 2C, 3-13-97

 ,   . - . .      .-          .-        .    -     - - . - . - .           -- -.-.-.- - - - . ~ . . -                 . +

3

                 ,*'         g l
               .                                                 DRAFT FOR COMMENT Low. Safety Significant Components:

a) component test method and interval with justification for extending interval if greater than interval specified in ASME Code

                              .b) ASME Code Case, if applicable c) technical specification amendment, if applicable d) relief request, if applicable e) grouping definition and justification f) staggered test justification for specific low safety significant components g) justificati6n for test extensions for the remaining low safety                        i significant components                                                              i High and low safety significant components that will continue to be tested in accordance with the ASME Code requirements for the licensee's Code of record, or ASME Code Cases that have been endorsed by the NRC, require no further evaluation.                                                                                        I The justification for extending the low safety significant component                              ;

frequencies should be reviewed for adequacy to verify that the extension is i appropriate. Staggered implementation schedules should be evaluated to ensure

                     .that component tests are distributed as equally as pos:ible over the entire test interval.

The test intervals of the low safety significant components should be included in the RI-IST program for review. Low safety significant components that are grouped should have their respective groups identified in the RI-IST program.

The implementation schedule should be described in the RI-IST program. Implementation of interval extension for low safety significant components may begin at the discretion of the licensee subsequent to NRC approval of risk informed IST program. Component corrective action procedures (see SRP section IV.B.3) should be in place for low safety significant components being tested on a staggered basis prior to implementation of any interval extensions.

For low safety significant components tested on a staggered basis, the licensee should have documented the approach to exercising to which each component in the group is subjected (where appropriate) as a result of plant operation or testing of other components to assess the justification for allowing the component to be tested on a staggered basis. The overall test interval for the low safety significant components in the group should also be justified. The adequacy of the component groupings should be verified. The establishment of the staggered test interval should be based on the maximum allowable interval for all the components in a particular group. Each component in the group should have the same designated test interval.

For low safety significant components exercised only during inservice testing, the current testing interval should be defined in the RI-IST program. In addition, a schedule should be available that shows the planned test interval of each individual low safety significant component being gradually extended to the test interval selected by the licensee and described in the approved program. An acceptable method for extending the test interval for this subset of low safety significant components is by gradually extending the test interval by a set amount (i.e., equal or successively smaller steps) until the maximum approved test interval is reached. The licensee could propose an alternative phased approach to extend the test interval. When the maximum allowed test interval is achieved in the absence of time-dependent test failures, then the components may be grouped and tested on a staggered basis. Section III.B.3 discusses adjusting (i.e., shortening) the test interval when a component experiences repeated test failures.

Verify that the licensee has plant corrective action and feedback procedures developed (see Section IV.B.3) to ensure that testing failures are fed back to the plant licensee's integrated decision-making process and IST coordinator for reevaluation and possible adjustment to the component's grouping and test strategy.

Verify that the licensee has a program and schedule for converting from the old IST program to the RI-IST program.

2. Performance Monitoring of IST Equipment

The review procedures consist of the following steps:

The performance monitoring program is identified in the licensee's proposal for RI-IST. The program is reviewed to determine whether it includes a test program which will provide sufficient data to detect component degradation in a timely manner as described in Section III.B.2.

3. Feedback and Corrective Action Program

The reviewer should review the licensee's corrective action procedures to verify that it is initiated by component failures that are detected by the IST program as well as by other mechanisms (e.g., normal plant operation, inspections).

Verify that the licensee's corrective action procedures meet the acceptance guidelines specified in Section III.B.3. Verify that corrective action evaluations are provided to the licensee's PRA group so that any necessary model changes and re-grouping can be done by the PRA group, if appropriate. Verify that procedures are in place to ensure that corrective actions affecting the IST program get documented, as appropriate, in the licensee's RI-IST program.

4. Periodic Reassessment

Review the licensee's procedures for conducting the periodic risk-informed IST program review to ensure that it:

  • prompts the licensee to conduct overall program assessments periodically (i.e., at least once every two refueling outages) to reflect changes in plant configuration, component performance, test results, industry experience, and to reevaluate the effectiveness of the IST program,
  • prompts the licensee to compare actual component conditions/performance to predicted levels to determine if component performance and conditions are acceptable (i.e., as compared to predicted levels). If performance or conditions are not acceptable then the cause(s) should be determined and corrective action implemented,
  • prompts the licensee to review and revise as necessary the assumptions, reliability data, and failure rates used to group components to determine if component groupings have changed, and
  • prompts the licensee to reevaluate equipment performance (based on both plant-specific and generic information) and test effectiveness to determine if the inservice test program should be adjusted (Plant-specific data should be incorporated into the generic data using appropriate updating techniques).

Verify that the licensee has incorporated the results of its corrective action program for IST program components into its periodic IST program reassessment. Verify that the licensee has procedures in place to identify the need for more emergent RI-IST program updates (e.g., following a major plant modification, or significant equipment performance problem). The periodic RI-IST program review may be addressed in conjunction with the plant's periodic PRA updates, industry operating experience programs, the Maintenance Rule program, and other risk-informed program initiatives.

5. Formal Interactions With the NRC

Verify that the licensee has a process or procedures in place to assure that changes that meet the acceptance guidelines in Section III.B.5 above get reviewed and approved by the NRC staff prior to implementation.

V. EVALUATION FINDINGS

Before the reviewer writes findings in each of the review areas as discussed below, the reviewer should write an introduction to the safety evaluation that describes the proposed change in terms of:

  • the particular components that would be affected by the proposed changes in IST strategy,
  • the plant systems involved with the proposed changes in IST strategy,
  • the physical change in testing strategy proposed for each component or group of components,
  • its effect on the current licensing basis, and
  • its overall effect on plant risk.

A. ENGINEERING EVALUATION

1. Evaluation of Proposed Changes to the Current Licensing Basis

The reviewer verifies that sufficient information is provided in accordance with the requirements of this SRP section and that the evaluation supports conclusions of the following type, to be included in the staff's safety evaluation report:

On a component-specific basis, the staff has reviewed each IST program change as it affects the current licensing basis of the plant. In conducting its review, the staff considered the original acceptance conditions, criteria, and limits as well as the risk significance of the component. Due consideration was given to diversity, redundancy, defense in depth, safety margins, and other aspects of the General Design Criteria. Having conducted this review, the staff finds that the IST program changes proposed by the licensee are acceptable.

The licensee has reviewed commitments related to outage planning and control to ensure that components that play an integral role in the licensee's plans and procedures for maintaining the key shutdown safety functions are in the group of components that should be subjected to more frequent and effective inservice tests. The staff finds this to be acceptable. IST-related commitments appear to be adequately modeled in the licensee's PRA analysis, or otherwise addressed.

2. IST Program Scope

The reviewer verifies that sufficient information is provided in accordance with the requirements of this SRP section and that the evaluation supports conclusions of the following type, to be included in the staff's safety evaluation report:

The staff concludes that the scope of the applicant's risk-informed inservice test program is acceptable and is consistent with the guidance provided in Regulatory Guide 1062. This conclusion is based on the applicant having provided a test program to ensure that safety-related components, as well as other components that are important to plant risk, can reasonably be expected to be capable of performing their intended function throughout the life of the plant.

3. IST Program Changes
a. General

The reviewer verifies that sufficient information is provided in accordance with the requirements of this SRP section and that the evaluation supports conclusions of the following type, to be included in the staff's safety evaluation report:

The licensee reevaluated the testing frequency (and methods as applicable) for high safety significant components that were the subject of an approved relief request, or NRC authorized alternative test. The licensee submitted revised relief requests and requests that alternatives be authorized for these components, along with risk insights associated with the proposed test strategy.

The licensee identified technical specification changes needed to implement the RI-IST program and has submitted technical specification amendment requests as appropriate. These requests were reviewed by the NRC staff and found to be acceptable [each instance should be explicitly addressed in the SE].

The licensee considered component design, service condition, and performance, as well as risk insights in establishing the test interval for low safety significant components. The proposed test intervals for low safety significant components were significantly less than the expected time to failure of the components in question (e.g., an order of magnitude less). Alternatively, the licensee ensured that adequate component capability existed, above that required during design basis conditions, such that component operating characteristics over time will not result in reaching a point of insufficient margin before the next scheduled test activity.

The inservice test intervals for components were generally not extended beyond once every 5 years or 3 refueling outages (whichever is longer). In every instance where the interval was extended beyond 5 years or 3 refueling outages (whichever is longer), the licensee provided a specific compelling documented justification that was found to be acceptable to the staff [each instance should be explicitly addressed in the SE].

The licensee's proposed RI-IST program ensures that each IST component (i.e. with the exception of check valves) is exercised or operated at least once every refueling cycle. Components in the following categories are generally exercised more frequently than once per operating cycle:

a) Components with high risk significance;
b) Components in adverse or harsh environmental conditions; or
c) Components with any abnormal characteristics (operational, design, or maintenance conditions).

The licensee also made a commitment to either adopt enhanced test strategies as described in risk-based IST Code cases developed by ASME, as endorsed by the NRC, or request authorization from the NRC to perform an alternative test strategy.

Finally, where the licensee has identified high safety significant components that are not in the licensee's current IST program, the licensee has either committed to test these components in accordance with the current ASME Code or has proposed an alternative test strategy that has been reviewed and approved by the NRC staff.

b. Changes to Test Interval (Only)

The licensee's proposed RI-IST program is found to be acceptable because it: a) appropriately identifies components whose test interval should be decreased as well as components whose test interval might be extended, b) considers IST test effectiveness in determining whether components are candidates for having their inservice test requirements relaxed. The reviewer should specify which components will be tested at a shorter interval.

c. Changes to Test Interval and Methods

The licensee's proposed RI-IST program is found to be acceptable because it appropriately identifies components whose test strategy should be more focused as well as components whose test strategy might be relaxed.

The reviewer should identify (or characterize) which components will be subjected to more focused testing and describe the revised test strategy for these components.

4. Relief Requests and Technical Specification Amendments

The reviewer verifies that sufficient information is provided in accordance with the requirements of this SRP section and that the evaluation supports conclusions of the following type, to be included in the staff's safety evaluation report:

The licensee's RI-IST program is testing high safety significant components in accordance with the Code test frequency and method requirements or has a relief request approved or submitted for approval. In addition, the licensee is testing low safety significant components in accordance with the Code test method requirements (although at an extended interval) or has a relief request approved or submitted for approval. The licensee has approved technical specification amendments for all proposed changes that impact technical specification.

5. Quality of the PRA for IST Application

The reviewer verifies that sufficient information is provided in accordance with the requirements of this SRP section and that the evaluation supports conclusions of the following type, to be included in the staff's safety evaluation report:

  • Fault exposure time is modeled appropriately for IST components. Fault exposure times are appropriately linked to programmatic activities that have been explicitly identified and documented.
  • Appropriate failure rates have been used for IST components. Wherever unusually good performance is being claimed, provisional justification has been provided and monitoring will provide ongoing justification.
  • The licensee has reviewed the modeling of compensating SSCs, and concluded that it is appropriate and that the significance of IST events is not distorted by modeling of compensating SSCs.
  • Common cause failure has been suitably addressed. The licensee has systematically identified all component groups sharing attributes that correlate with CCF potential and that affect IST, either in that they comprise IST components or compensating SSCs. The licensee's performance monitoring program addresses staggered testing of IST components in CCF groups.
  • The effects of aging, environmental stresses, and frequency of testing have been addressed, either explicitly in the PRA models or as part of the licensee's integrated decision-making process (e.g., expert panel).

6. Modeling of the Effects of IST on PRA Basic Events

The reviewer verifies that the information provided supports the following conclusions:

  • a model for unavailability in terms of fault exposure time exists and was used in the PRA for evaluating the risk significance of extending the selected component test intervals,
  • the assumptions provided relative to time dependent degradation of the failure rates for the selected components are justified, and
  • the licensee considered enhanced testing as a compensating measure.

7. Categorization of Components

The reviewer verifies that sufficient information is provided in accordance with the requirements of this SRP section and that the evaluation supports conclusions of the following type, to be included in the staff's safety evaluation report:

The licensee's integrated decision-making process (e.g., expert panel) on the determination of risk importance of components in the RI-IST program is robust in terms of the "uncertainty" issues like common cause failure modeling and modeling of human reliability.

8. Other Technical Issues

a. Initiating Events

There is positive evidence that the licensee adequately considered the effects of proposed IST changes on the frequencies of initiating events analyzed and the frequencies of initiating events previously screened out. In addition, if the licensee analyzed adverse risk effects of IST activities, and applied these results to justify IST reductions, this analysis was found acceptable.

Either the analysis is consistent with previously accepted analyses applicable to this plant type, or the causal modelling of the IST activities' effects on initiating effects was reviewed and found to address appropriately the technical issues described in this SRP under "causal modelling."

b. Dependencies and Common Cause Failures

Evaluation findings should include statements that common cause failure has been suitably addressed and that the licensee has systematically identified all component groups sharing attributes that correlate with CCF potential and that affect IST, either in that they comprise IST components or compensating SSCs. The licensee's performance monitoring program addresses staggered testing of IST components in CCF groups.

c. Uncertainty and Sensitivity Analyses

The reviewer verifies that the information provided and review findings support the following conclusions:

An appropriate consideration of uncertainties is provided in support of the proposed risk informed IST program. The licensee showed either that a demonstrably conservative estimate of the change in risk was acceptable, or that the uncertainty in the risk change was small compared to the margin between the estimated change and the allowable change. In the latter case, this was done either by explicit propagation, or by a qualitative analysis showing that no event contributing to the change in risk is subject to significant uncertainty.

d. Human Reliability Analysis

The staff safety evaluation report shall include language that is equivalent in effect to the following.

  • The modeling of human performance is appropriate.
  • Post-accident recovery of failed components is modeled in a defensible way. Recovery probabilities are not quantified in a clearly non-conservative way. The formulation of the model shows decision-makers the degree to which the apparently low risk-significance of certain items is based on credit for recovery of failed components (restoration of component function, as opposed to actuation of a compensating system).

e. Use of Plant-Specific Data

The reviewer verifies that sufficient information was provided to support the following conclusions:

  • The failure rates used in the proposed risk informed IST program are appropriate and consistent with Appendix A of SRP Chapter 19, or the deviations are justified.

9. Evaluating the Overall Effect of Proposed Changes on Plant Risk

The reviewer verifies that sufficient information is provided to make the following findings:

Acceptable Numerical Risk Impact

  • The application is either risk neutral or results in a decrease in plant risk.

OR

  • If an application results in an increase in risk, the increase is within the acceptance guidelines specified in Regulatory Guide DG-1061.
Traditional Engineering Factors

  • Traditional engineering analyses and operational considerations do not conflict with the conclusions of the risk analysis.

Cumulative and Synergistic Effects from all Applications

  • The cumulative changes in risk are consistent with the guidelines established in DG-1061. Synergistic effects have been satisfactorily addressed at the component level either
1) by assuring that multiple synergistic relaxations are not applied to a single component, or
2) by noting exceptions to this, and convincingly justifying them case by case.

Implementation of a Monitoring Process

The monitoring process will produce sufficient data that can support the PRA input and assumptions that were used as the basis for the IST risk acceptance.

10. Integrated Decision Making

If the licensee's proposed alternative is acceptable in light of the current licensing basis of the plant and the safety significance of the component,

AND

if the licensee's risk-informed IST program meets the detailed acceptance guidelines specified in this SRP,

then the staff should be able to reach the following general conclusion:

The licensee's proposed risk-informed IST program is authorized as an alternative to the ASME Code required IST program (e.g., including test frequency, test methods, and program scope requirements) pursuant to §50.55a(a)(3)(i) based on the alternative providing an acceptable level of quality and safety.
B. RISK-INFORMED IST PROGRAM IMPLEMENTATION, PERFORMANCE MONITORING, AND CORRECTIVE ACTION

1. Program Implementation

The reviewer verifies that sufficient information is provided in accordance with the requirements of this SRP section and that the evaluation supports conclusions of the following type, to be included in the staff's safety evaluation report:

For components in the high safety significant category, the licensee is either going to continue to test these components in accordance with the current ASME Code of record for the facility (i.e., test frequency and method requirements) or has proposed an alternative test strategy that is acceptable to the staff (via either an NRC-endorsed ASME Code case or plant specific relief request). Testing strategies are adequately described in the licensee's RI-IST Program Plan and were found to be acceptable.

For components in the low safety significant category, the licensee is either going to continue to test these components in accordance with the current ASME Code of record for the facility or has proposed an alternative test strategy that was found acceptable to the staff.

Low safety significant components that will be tested at a frequency less than the Code test frequency, which are also exercised as a result of plant operation or other system/component testing, may be grouped and tested at an extended test interval only if the interval can be justified based on past component performance. These components will be tested on a staggered basis at roughly equal time intervals. Corrective action procedures will ensure that failures or nonconforming conditions that may apply to other components in the group get evaluated and corrected. Component grouping was found to be consistent with guidance provided in NRC Generic Letter 89-04 or other documents endorsed by NRC.

Low safety significant components that will be tested at a frequency less than the current Code test frequency, which are not exercised as a result of non-Code required system or component testing, routine maintenance, or normal plant operation, will also only have their test interval extended if it can be justified based on past component performance. The licensee will gradually extend the test interval by doubling the test interval for successive tests until the component is tested at the proposed extended test interval. If no age-dependent failures occur, then the components will be grouped and tested on a staggered basis.

Corrective action procedures will ensure that test interval and/or methods, as appropriate, get adjusted where the component (or group of components) experiences repeated failures or nonconforming conditions.

The licensee has plant corrective action and feedback procedures developed to ensure that testing failures are fed back to the plant licensee's integrated decision-making process (e.g., expert panel) and IST coordinator for reevaluation and possible adjustment to the component's grouping and test strategy.

The licensee has appropriate plans and schedules for converting from the old IST program to the new RI-IST program at their facility.

2. Performance Monitoring of IST Equipment

The reviewer verifies that the information provided supports the following conclusions:

  • a performance monitoring program exists which covers all components which are placed on an extended IST schedule,
  • the program responds to the attributes specified in Section III.B.2, and
  • the licensee is committed to maintain the program as part of its RI-IST initiative.

3. Feedback and Corrective Action Program

The reviewer verifies that sufficient information is provided in accordance with the requirements of this SRP section and that the evaluation supports conclusions of the following type, to be included in the staff's safety evaluation report:

The staff concludes that the licensee's corrective action program is acceptable for implementation with the RI-IST program because it contains a performance-based feedback mechanism to ensure that if a particular component's test strategy is adjusted in a way that is ineffective in detecting component degradation and failure, the IST program weakness will be promptly detected and corrected.

4. Periodic Reassessment

The reviewer verifies that sufficient information is provided in accordance with the requirements of this SRP section and that the evaluation supports conclusions of the following type, to be included in the staff's safety evaluation report:

The staff concludes that the licensee's procedures for periodic reassessment of its risk-informed IST program are acceptable because the licensee's procedures for periodic reassessment ensure that the licensee's test strategies are periodically [specify periodicity not to exceed once every two refueling outages] assessed to incorporate results of inservice testing and new industry findings.

5. Formal Interactions With the NRC

The reviewer verifies that sufficient information is provided in accordance with the requirements of this SRP section and that the evaluation supports conclusions of the following type, to be included in the staff's safety evaluation report:

The staff concludes that the licensee has an adequate process or procedures in place to ensure that RI-IST program changes of the following types get reviewed and approved by the NRC prior to implementation.

  • Test method changes that involve deviation from the NRC-endorsed Code requirements.
  • Changes to the risk-informed IST program that involve programmatic changes (e.g., changes to the plant probabilistic model assumptions, changes to the grouping criteria or figures of merit used to group components, changes in the Acceptance Guidelines used by the licensee's integrated decision-making process (e.g., expert panel)).

Changes to component groupings, test intervals, and test methods that do not involve a change to the overall RI-IST approach (either traditional engineering or PRA analyses), where the overall RI-IST approach was reviewed and approved by the NRC, do not require specific (i.e., additional) review and approval prior to implementation. Component test method changes involving the implementation of an NRC-endorsed ASME Code, NRC-endorsed Code case, or published NRC guidance which were approved as part of the RI-IST program, do not require prior NRC approval.

VI. RISK-INFORMED IST PROGRAM DOCUMENTATION

The reviewer should review the licensee's submittal to assure that it contained the documentation necessary to conduct the review described in this SRP (i.e., the documentation described in Section 6 of DG-1062). The RI-IST program and its updates should be maintained on site and available for NRC inspection consistent with the requirements of 10 CFR 50, Appendix B.

The reviewer should also ensure that the cover letter that transmits to the licensee the staff's safety evaluation approving the proposed RI-IST program (i.e., alternative IST program to that prescribed by the ASME Code) contains a statement to the effect that "Failure to comply with the RI-IST program as reviewed and approved by the NRC staff and authorized pursuant to 10 CFR 50.55a(a)(3) (e.g., including scope, test strategy, documentation, and other programmatic requirements) constitutes noncompliance with 10 CFR 50.55a and is enforceable".

VII. IMPLEMENTATION

The preceding is intended to provide guidance to applicants and licensees regarding the NRC staff's plans for using this SRP section. Except in those cases in which the applicant proposes an acceptable alternative method for complying with specified portions of this regulatory guide, the method described herein will be used by the staff in its evaluation of risk-informed performance-based changes to the licensee's current licensing basis.

VIII. REFERENCES

1. Draft Regulatory Guide 1061, "An Approach for Plant Specific Risk-Informed Decision Making: General Guidance," January 16, 1997.
2. Draft Regulatory Guide 1062, "Use of PRA in Risk-Informed Inservice Testing," February 4, 1997.
3. Draft Standard Review Plan Chapter 19, "Use of PRA in Regulatory Activities," dated January 16, 1997.
4. Nuclear Energy Institute Draft (Revision B) "Industry Guidelines for Risk-Based Inservice Testing" dated March 19, 1996.
5. ASME Research Report (CRDT-Vol. 40-2, Volume 2), "Risk-Based Inservice Testing - Development of Guidelines" dated 1996.
6. NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management," December 1991.
7. ASME Code Case OMN-1, "Alternate Rules for Preservice and Inservice Testing of Certain Electric Motor Operated Valve Assemblies in LWR Power Plants, OM-Code - 1995 Edition; Subsection ISTC."
8. Generic Letter 89-04, "Guidance on Developing Acceptable Inservice Testing Programs," dated April 3, 1989.
9. Generic Letter 89-10, Supplement 6, "Information on Schedule and Grouping, and Staff Responses to Additional Public Questions" dated March 8, 1994.
10. Draft NUREG-1602, "Use of PRA in Risk-Informed Applications"


NUREG-1602
Draft for Comment

The Use of PRA in Risk-Informed Applications

Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission

ENCLOSURE 5

ABSTRACT

In August 1995, the Nuclear Regulatory Commission issued a policy statement proposing improved regulatory decisionmaking "by increasing the use of PRA [probabilistic risk assessment/analysis] in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data." To support the implementation of the Commission's policy, regulatory guidance documents have been developed by the staff (as drafts for public comment) describing how PRA can be used in specific regulatory activities, many of which relate to licensee-proposed changes to their current licensing basis (CLB). In addition, a more general regulatory guide has been developed which describes an overall approach to using PRA in risk-informed regulation. One key aspect of this general guidance is the attributes of an acceptable PRA for such regulatory activities. Detailed discussion is provided for a full-scope PRA (i.e., a PRA that considers both internal and external events for all modes of operation). In addition, discussions are provided for the use and limitations of importance measures and sensitivity studies. Finally, the subject of peer review of a PRA is also discussed.


CONTENTS

ABSTRACT
EXECUTIVE SUMMARY
FOREWORD
ACKNOWLEDGMENTS
ABBREVIATIONS

1. INTRODUCTION
   1.1 Background
   1.2 Objectives
   1.3 Scope
   1.4 Role in Risk-Informed Regulation
   1.5 Report Organization

2. INTERNAL EVENT LEVEL 1 PRA FOR FULL POWER OPERATIONS
   2.1 Internal Events Analysis
      2.1.1 Accident Sequence Initiating Event Analysis
         2.1.1.1 Considerations for the Baseline PRA
         2.1.1.2 Application Impact Considerations
         2.1.1.3 Interface with Other Tasks
         2.1.1.4 Documentation
      2.1.2 Accident Sequence Analysis
         2.1.2.1 Considerations for the Baseline PRA
         2.1.2.2 Application Impact Considerations
         2.1.2.3 Interfaces with Other Tasks
         2.1.2.4 Documentation
      2.1.3 Systems Analysis
         2.1.3.1 Considerations for the Baseline PRA
         2.1.3.2 Application Impact Considerations
         2.1.3.3 Interfaces with Other Tasks
         2.1.3.4 Documentation
      2.1.4 Data Analysis
         2.1.4.1 Considerations for the Baseline PRA
         2.1.4.2 Application Impact Considerations
         2.1.4.3 Interfaces with Other Tasks
         2.1.4.4 Documentation
      2.1.5 Human Reliability Analysis (HRA)
         2.1.5.1 Considerations for the Baseline HRA
         2.1.5.2 Application Impact Considerations
         2.1.5.3 Interfaces with Other Tasks
         2.1.5.4 Documentation
      2.1.6 Accident Sequence Quantification
         2.1.6.1 Considerations for the Baseline PRA
         2.1.6.2 Application Impact Considerations
         2.1.6.3 Interfaces with Other Tasks
         2.1.6.4 Documentation
   2.2 Internal Flooding Analysis
      2.2.1 Considerations for the Baseline PRA
         2.2.1.1 Identification and Screening of Flood Sources, Propagation Pathways, and Flood Scenarios
         2.2.1.2 Flooding Model Development and Quantification
      2.2.2 Application Impact Considerations
      2.2.3 Interface with Other Tasks
      2.2.4 Documentation
   2.3 Internal Fire Analysis
      2.3.1 Considerations for the Baseline PRA
         2.3.1.1 Defining Fire Areas or Fire Zones
         2.3.1.2 Equipment Identification and Mapping
         2.3.1.3 Fire Source Identification and Quantification
         2.3.1.4 Fire Growth and Spread Quantification
         2.3.1.5 Fire Damage Analysis
         2.3.1.6 Fire Detection and Suppression
         2.3.1.7 Human Intervention and Plant Recovery
         2.3.1.8 Fire Model Development and Quantification
      2.3.2 Application Impact Considerations
      2.3.3 Interface with Other Tasks
      2.3.4 Documentation

3. INTERNAL EVENT LEVEL 2 PRA FOR FULL POWER OPERATIONS
   3.1 Evaluation of Containment Performance
      3.1.1 Assessment of Challenges to Containment Integrity
         3.1.1.1 Defining the Accident [illegible] to be Assessed
         3.1.1.2 Assessment of Containment System Performance
         3.1.1.3 Evaluation of Severe Accident Progression
      3.1.2 Establishing Containment Performance Limits
         3.1.2.1 Considerations for the Baseline PRA
         3.1.2.2 Application Impact Considerations
         3.1.2.3 Interfaces with Other Tasks
         3.1.2.4 Documentation
      3.1.3 Probabilistic Modeling of Containment Performance
         3.1.3.1 Considerations for the Baseline PRA
         3.1.3.2 Application Impact Considerations
         3.1.3.3 Interfaces with Other Tasks
         3.1.3.4 Documentation
   3.2 Radionuclide Release Characterization
      3.2.1 Definition of Radionuclide Source Terms
         3.2.1.1 Considerations for the Baseline PRA
         3.2.1.2 Application Impact Considerations
         3.2.1.3 Interfaces with Other Tasks
         3.2.1.4 Documentation
      3.2.2 Coupling Source Term and Severe Accident Progression Analyses
         3.2.2.1 Considerations for the Baseline PRA
         3.2.2.2 Application Impact Considerations
         3.2.2.3 Interfaces with Other Tasks
         3.2.2.4 Documentation
      3.2.3 Treatment of Source Term Uncertainties
         3.2.3.1 Considerations for the Baseline PRA
         3.2.3.2 Application Impact Considerations
         3.2.3.3 Interfaces with Other Tasks
         3.2.3.4 Documentation

4. INTERNAL EVENT LEVEL 3 PRA FOR FULL POWER OPERATIONS
   4.1 Accident Consequence Analysis
      4.1.1 Considerations for the Baseline PRA
      4.1.2 Application Impact Considerations
      4.1.3 Interfaces with Other Tasks
      4.1.4 Documentation
   4.2 Computation of Risk
      4.2.1 Considerations for the Baseline PRA
      4.2.2 Application Impact Considerations
      4.2.3 Interfaces with Other Tasks
      4.2.4 Documentation

5. EXTERNAL EVENT PRA FOR FULL POWER OPERATION
   5.1 Level 1 Analysis
      5.1.1 Seismic Analysis
         5.1.1.1 Considerations for the Baseline PRA
         5.1.1.2 Application Impact Considerations
         5.1.1.3 Interfaces with Other Tasks
         5.1.1.4 Documentation
      5.1.2 Analysis of "Other" External Events
         5.1.2.1 Considerations for the Baseline PRA
         5.1.2.2 Application Impact Considerations
         5.1.2.3 Interfaces with Other Tasks
         5.1.2.4 Documentation
   5.2 Level 2 Analysis
      5.2.1 Seismic Analysis
      5.2.2 Analysis of "Other" External Events
   5.3 Level 3 Analysis
      5.3.1 Seismic Analysis
      5.3.2 Analysis of "Other" External Events

6. INTERNAL AND EXTERNAL EVENT PRA FOR LOW POWER AND SHUTDOWN OPERATIONS
   6.1 Internal Events Level 1 Analysis
      6.1.1 Plant Operational States
         6.1.1.1 Consideration for the Baseline PRA
         6.1.1.2 Application Impact Considerations
         6.1.1.3 Interfaces with Other Tasks
         6.1.1.4 Documentation
      6.1.2 Accident Sequence Initiating Event Analysis
      6.1.3 Accident Sequence Analysis
      6.1.4 Systems Analysis
      6.1.5 Data Analysis
      6.1.6 Human Reliability Analysis (HRA)
      6.1.7 Accident Sequence Quantification
   6.2 Internal Flood Level 1 Analysis
      6.2.1 Definition and Characterization of Plant Operational States
      6.2.2 Initiating Event Analysis
      6.2.3 Flood Propagation
      6.2.4 Flood Model Development and Quantification
   6.3 Internal Fire Level 1 Analysis
      6.3.1 Definition and Characterization of Plant Operational States
      6.3.2 Initiating Event Analysis
      6.3.3 Identification of Critical Fire Locations
      6.3.4 Fire Propagation and Suppression
      6.3.5 Fire Model Development and Quantification
   6.4 Seismic Level 1 Analysis
      6.4.1 Definition and Characterization of Plant Operational States
      6.4.2 Initiating Event Analysis
      6.4.3 Identification of Structures, Systems, and Components (SSCs)
      6.4.4 Hazard Analysis
      6.4.5 Fragility Analysis
      6.4.6 Model Development and Quantification
   6.5 Level 1 Analysis of "Other" External Events
   6.6 Level 2 Analysis
      6.6.1 Considerations for the Baseline PRA
      6.6.2 Application Impact Considerations
      6.6.3 Interfaces with Other Tasks
      6.6.4 Documentation
   6.7 Level 3 Analysis

APPENDIX A. PRIORITIZATION OF SSCS AND HUMAN ACTIONS
   A.1 Introduction and Objective
   A.2 PRA Based Importance Assessment
      A.2.1 Quantitative Importance Measures
         A.2.1.1 Definitions of Importance Measures
         A.2.1.2 Considerations in Calculating Importance Measures
      A.2.2 Qualitative Importance Measures
      A.2.3 Considerations for Ranking Using Importance Measures
   A.3 Safety-Based Prioritization
   A.4 Integration

APPENDIX B. PRA PEER REVIEW
   B.1 Objectives of the Review
   B.2 Review Team Composition and Qualifications
   B.3 Review Process and Considerations
   B.4 Documentation of Findings


EXECUTIVE SUMMARY

Introduction

In August 1995, the Nuclear Regulatory Commission (NRC) issued a policy statement proposing improved regulatory decisionmaking "by increasing the use of PRA [probabilistic risk assessment/analysis] in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data." To support the implementation of the Commission's policy, regulatory guidance documents are being developed by the staff (currently as drafts for public comment) describing how PRA can be used in specific regulatory activities, many of which relate to licensee-proposed changes to their current licensing basis (CLB). One key aspect of using PRA for such regulatory activities is what are the appropriate scope and attributes of the PRA. The main purpose of this report is to address the scope and attributes of a PRA that adequately represents the plant design and operation. It is recognized that the scope and attributes of a PRA may be different depending upon its intended use or on the issue being evaluated. Accordingly, this report is intended for use as reference or supporting information which PRA analysts can use to help in making decisions regarding the scope and attributes of a PRA appropriate for their analysis. Thus, this report can be used to help:

  • Define the main attributes of each task of a PRA that is intended to support risk-informed regulatory decisionmaking,
  • Identify task-by-task issues that should be considered when using a PRA to assess the impact of proposed CLB changes,
  • Provide supporting information for peer reviewers judging the adequacy of a PRA intended to support risk-informed decisionmaking, and
  • Identify attributes and limitations of importance analyses and qualitative ranking methods that are most appropriate for use in screening analyses and in categorization of structures, systems, and components (SSCs) and human activities according to their contribution to risk and safety.

In addition, this report may be a valuable step in the development of standards for PRAs. As discussed in OMB Circular No. A-119 (FRN, Vol. 58, No. 205, October 26, 1993), federal agencies have been directed to make greater use of consensus standards in their activities. As such, the staff will be interacting with technical societies and others to develop such consensus standards in parallel with the finalization of this report.

Scope and Limitations

A PRA of a nuclear power plant is an analytical process that quantifies the potential risk associated with the design, operation and maintenance of the plant to the health and safety of the public. Traditionally, a full-scope PRA is used to quantify the risk from accidents initiated in the plant (from internal initiating events such as pipe breaks and external initiating events such as earthquakes) and during both full power and low power/shutdown conditions. The risk evaluation involves three sequential parts or "levels": identification and quantification of the sequences of events leading to core damage (Level 1 analysis); evaluation and quantification of the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the containment (Level 2 analysis); and the evaluation and quantification of the resulting consequences to both the public and the environment (Level 3 analysis). A full-scope PRA as defined here does not include evaluation of accidents initiated by sabotage events or that result in releases from other radioactive material sources such as the spent fuel pool, routine, small releases of radioactive material, and does not include the risk to plant personnel from any accident.

The elements of a full-scope PRA, and the attributes for the analysis of each element, presented in this report reflect the following general considerations:

  • The design, construction and operational practices of the plant being analyzed are expected to be consistent with its CLB.
  • The PRA being performed is expected to realistically reflect the design, construction, and operational practices. The Commission's policy statement on the expanded use of PRA indicates that "PRA evaluations in support of regulatory decisions should be as realistic as practicable." Consequently, the PRA used to support risk-informed decisionmaking is expected to reflect the impact of previous changes made to the CLB.

    In this context, it is presumed that the particular application of PRA for which these attributes apply is quantitative in nature, and that the change under consideration can be modeled in the PRA (by manipulation of basic event information or the event tree/fault tree logic model).

  • The discussions presented in the report are in terms of functional requirements. In general, prescriptive guidance is not provided, nor are characterizations of specific methods. In some circumstances, however, where an issue is both important to risk results and poorly understood, prescriptive solutions are stated to reduce potential PRA-to-PRA variability.
  • The described PRA attributes are meant to cover a wide range of risk-informed regulatory applications. Additional attributes for specific applications are described in the application-specific regulatory guides.
  • PRA models have been developed and are being used for real-time monitoring of plant operations (and resulting monitoring of risks). The attributes for such models may be quite different from those for models associated with regulatory applications, and are, therefore, not addressed in this report.

Role in Risk-Informed Regulation

This document discusses PRA attributes that support Draft Regulatory Guide DG-1061, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant Specific Changes to Current Licensing Basis," and the Draft Standard Review Plan (Chapter 19), "Use of Probabilistic Risk Assessment in Plant Specific, Risk-Informed Decisionmaking: General Guidance." This report also is referenced by related risk-informed regulatory guides and their corresponding standard review plan chapters. These include DG-1062 on inservice testing, DG-1063 on inservice inspection of piping, DG-1064 on graded quality assurance, and DG-1065 on technical specifications.

As mentioned above, the content of this report is meant to support a wide variety of risk-informed applications that may exceed those covered in the staff's PRA implementation plan. Each risk-informed application imposes different requirements on the supporting PRA scope and level of detail. This document is intended to be flexible to accommodate and benefit these applications. Some applications are complex and may necessitate a higher standard and high accuracy from a supporting PRA. Since these applications are the most demanding, they dictate the level of technical detail in this document. However, less demanding applications, such as those that need information only about PRA insights, or those that rely on quantitative results only in selected areas of the PRA, may use, as appropriate, simpler models as compared to those described in this document.

The process for using risk information in regulatory decisionmaking starts with definition of the scope of the particular application under consideration. This information should be used to identify areas (tasks) in the supporting PRA that are influenced by the application and the type of support information needed. This information, in turn, can be used to define applicable portions of this report. Application-specific regulatory guides include further guidance in this area.


FOREWORD

During the last several years, both the U.S. Nuclear Regulatory Commission (NRC) and the nuclear industry have recognized that probabilistic risk assessment (PRA) has evolved to the point where it can be used increasingly as a tool in regulatory decisionmaking. In August 1995, the NRC adopted the following policy statement regarding the expanded NRC use of PRA.

  • The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

  • PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state-of-the-art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal of additional regulatory requirements in accordance with 10 CFR 50.109. Appropriate procedures for including PRA in the process for changing regulatory requirements should be developed and followed. It is, of course, understood that the intent of this policy is that existing rules and regulations will be complied with unless these rules and regulations are revised.

  • PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.

  • The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgements on the need for proposing and backfitting new generic requirements on nuclear power plant licensees.

In its approval of the policy statement, the Commission articulated its expectation that implementation of the policy statement will improve the regulatory process in three areas: foremost, through safety decisionmaking enhanced by the use of PRA insights; through more efficient use of agency resources; and through a reduction in unnecessary burden on licensees.

In parallel with the publication of the policy statement, the staff developed an implementation plan to define and organize the PRA-related activities being undertaken. These activities cover a wide range of PRA applications and involve the use of a variety of PRA methods (with variety including both types of models used and the detail of modeling needed). This report focuses on defining the attributes of a PRA that will enable it to support a variety of applications described in the staff PRA implementation plan. These applications vary in complexity and hence the demand on the quality of the supporting PRA will also vary. While reading and reviewing this draft report, the reader should keep in mind that the level of detail and model complexity are influenced by the issue being analyzed.

This report is issued as a draft for comment. Specifically, comments on the following questions are requested:

  • Have the main attributes of each task of a PRA intended to support risk-informed regulatory decisionmaking been defined?

  • Have task-by-task issues that should be considered when using a PRA to assess the impact of proposed current licensing basis changes been defined?

  • Has sufficient supporting information for peer reviewers judging the adequacy of a PRA intended to support risk-informed decisionmaking been provided?

  • Have the attributes and limitations of importance analyses and qualitative ranking methods that are most appropriate for use in screening analyses and in categorization of structures, systems, and components (SSCs) and human activities according to their contribution to risk and safety been adequately discussed?

  • Is this report a useful step towards development of consensus standards for PRA methods? What steps should be next taken?

All comments should be addressed in writing within 90 days to:

    Mark Cunningham
    Office of Nuclear Regulatory Research
    U.S. Nuclear Regulatory Commission
    MS T10E50
    Washington, DC 20555

This report will be issued in final form after it is revised on the basis of comments received.

    M. Wayne Hodges, Director
    Division of Systems Technology
    Office of Nuclear Regulatory Research

ACKNOWLEDGMENTS

This report is the result of committed, creative, and professional efforts by the NRC staff and contractors. Overall leadership of the project was provided by:

    Ann Ramey-Smith, NRC

The principal authors of this report, in alphabetical order, are:

    Ali Azarm, Brookhaven National Laboratory (BNL)
    Allen Camp, Sandia National Laboratories (SNL)
    Susan Dingman, SNL
    Mary Drouin, NRC
    Adel El-Bassioni, NRC
    Alan Kolaczkowski, Science Applications International Corporation (SAIC)
    Jeff LaChance, SAIC
    Mark Leonard, Innovative Technology Solutions
    Trevor Pratt, BNL
    Donnie Whitehead, SNL

Other contributors include:

    Bennett Brady, NRC
    Thomas Brown, SNL
    Tsong-Lun Chu, BNL
    Julie Gregory, SNL
    Jack Guttmann, NRC
    Brad Hardin, NRC
    Vinod Mubayi, BNL
    Hossein Nourbakhsh, BNL
    Nathan Siu, INEL
    Roy Woods, NRC

Primary reviewers include:

    Patrick Baranowsky, NRC
    Rudolph Bernard, NRC
    Michael Cheok, NRC
    Mark Cunningham, NRC
    Stephen Dinsmore, NRC
    Wayne Hodges, NRC
    Thomas King, NRC
    Joseph Murphy, NRC
    Gareth Parry, NRC
    Dale Rasmuson, NRC

Administrative support:

    Mahmooda Bano, NRC
    Alice Costantini, BNL
    Wendy Eisenberg, NRC
    Jean Frejka, BNL
    Barbara Jordon, NRC
    Emily Preston, SNL
    Donna Storan, BNL

ABBREVIATIONS

AC           Alternating Current
ADS          Automatic Depressurization System
AEOD         Office of Analysis and Evaluation of Operational Data
ALARA        As Low as Reasonably Achievable
ASME         American Society of Mechanical Engineers
ATWS         Anticipated Transient Without Scram
BM           Birnbaum Measure
BWR          Boiling Water Reactor
CCF          Common Cause Failure
CCFP         Conditional Containment Failure Probability
CCI          Core Concrete Interactions
CDF          Core Damage Frequency
CLB          Current Licensing Basis
CRAC         Calculations of Reactor Accident Consequences
CRD          Control Rod Drive
DC           Direct Current
DCH          Direct Containment Heating
DDT          Deflagration to Detonation Transition
DOE          Department of Energy
ECCS         Emergency Core Cooling System
EOPs         Emergency Operating Procedures
EPRI         Electric Power Research Institute
FCI          Fuel Coolant Interaction
FIVE         Fire Induced Vulnerability Evaluation
FMEA         Failure Modes and Effects Analysis
FSAR         Final Safety Analysis Report
FV           Fussell-Vesely
GL           Generic Letter
HCLPF        High-Confidence Low-Probability
HEP          Human Error Probability
HPCI         High Pressure Coolant Injection
HRA          Human Reliability Analysis
HSSCs/LSSCs  High and Low Safety Significant Components
HVAC         Heating, Ventilation, and Air Conditioning
IPE          Individual Plant Examination
IPEEE        Individual Plant Examination of External Events
ISI          In-service Inspection
ISLOCA       Interfacing System Loss-of-Coolant Accident
IST          In-service Testing
kV           Kilovolt
LER          Licensee Event Report
LERF         Large Early Release Frequency
LLNL         Lawrence Livermore National Laboratory
LOCA         Loss-of-Coolant Accident
LOOP         Loss of Offsite Power
LP&S         Low Power and Shutdown
LPCI         Low-Pressure Coolant Injection
MAAP         Modular Accident Analysis Program
MACCS        MELCOR Accident Consequence Code System
MCR          Minimal Cutset Ranking
MOV          Motor-Operated Valve
MPR          Minimal Pathset Ranking
MTC          Moderator Temperature Coefficient
NPSH         Net Positive Suction Head
NRC          Nuclear Regulatory Commission
NSSS         Nuclear Steam Supply System
PCA          Probabilistic Consequence Assessment
PCS          Power Conversion System
PDS          Plant Damage State
POS          Plant Operational State
PRA          Probabilistic Risk Assessment/Analysis
PSF          Performance Shaping Factor
PWR          Pressurized Water Reactor
QA           Quality Assurance
QRR          Qualitative Risk Ranking
RAW          Risk Achievement Worth
RCIC         Reactor Core Isolation Cooling
RCP          Reactor Coolant Pump
RCS          Reactor Coolant System
RHR          Residual Heat Removal
RIR          Risk Informed Regulation
RPS          Reactor Protection System
RPT          Recirculation Pump Trip
RPV          Reactor Pressure Vessel
RRW          Risk Reduction Worth
RWST         Refueling Water Storage Tank
SAR          Safety Analysis Report
SBO          Station Blackout
SERG         Steam Explosion Review Group
SG           Steam Generator
SGTR         Steam Generator Tube Rupture
SLC          Standby Liquid Control
SRV          Safety Relief Valve
SSCs         Structures, Systems, and Components
THERP        Technique for Human Error Rate Prediction
TS           Technical Specifications
U.S.         United States

1. INTRODUCTION

1.1 Background

During the last several years, both the U.S. Nuclear Regulatory Commission (NRC) and the nuclear industry have recognized that probabilistic risk assessment (PRA) has evolved to the point where it can be used increasingly as a tool in regulatory decisionmaking. In August 1995, the NRC adopted the following policy statement regarding the expanded NRC use of PRA.

  • The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

  • PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state-of-the-art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal of additional regulatory requirements in accordance with 10 CFR 50.109 (Ref. 1.1). Appropriate procedures for including PRA in the process for changing regulatory requirements should be developed and followed. It is, of course, understood that the intent of this policy is that existing rules and regulations will be complied with unless these rules and regulations are revised.

  • PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.

  • The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on the need for proposing and backfitting new generic requirements on nuclear power plant licensees.

In its approval of the policy statement, the Commission articulated its expectation that implementation of the policy statement will improve the regulatory process in three areas: foremost, through safety decisionmaking enhanced by the use of PRA insights; through more efficient use of agency resources; and through a reduction in unnecessary burdens on licensees.

In parallel with the publication of the policy statement, the staff developed an implementation plan to define and organize the PRA-related activities being undertaken. These activities cover a wide range of PRA applications and involve the use of a variety of PRA methods (with variety including both types of models used and the detail of modeling needed). For example, one application involves the use of PRA in the assessment of operational events in reactors. The characteristics of these assessments dictate that relatively simple PRA models be used. In contrast, other applications may necessitate the use of detailed models.

This report focuses on defining the attributes of a PRA that enable it to support a variety of applications described in the staff PRA implementation plan. These applications vary in complexity and hence the demand on the quality of the supporting PRA will also vary. While reading and reviewing this report, the reader should keep in mind that the described level of detail and model complexity are focused on those risk-informed applications that are most demanding as far as PRA quality is concerned. Allowance for less demanding risk-informed applications is acceptable provided it is properly justified. In addition, discussion is also provided to direct the PRA user to those attributes in each PRA task that may be impacted by risk-informed applications.

As [...] in OMB Circular No. A-119 (FRN, Vol. 58, No. 205, October 26, 1993), federal agencies have been directed to make greater use of consensus standards in their activities. This report may be a first step in the development of standards for PRAs. As such, the staff will be interacting with technical societies and others [...] such consensus standards in parallel with the finalization of this report.

1.2 Objectives

This report can be used to help:

1. Define the main attributes of each task of a state-of-the-art PRA that is intended to support risk-informed regulatory decisionmaking.

2. Identify task-by-task issues that should be considered when using a PRA to assess the impact of proposed current licensing basis (CLB) changes.

3. Provide supporting information for peer reviewers judging the adequacy of a PRA intended to support risk-informed decisionmaking.

4. Discuss attributes and the limitations of importance analyses and qualitative ranking methods that are most appropriate for use in screening analyses and in categorization of structures, systems, and components (SSCs) and human activities according to their contribution to risk and safety.

In addition, staff regards the content of this report as a first step towards the development of consensus standards of PRAs.

1.3 Scope

A PRA of a nuclear power plant is an analytical process that quantifies the potential risk associated with the design, operation and maintenance of the plant to the health and safety of the public. Traditionally, a full-scope PRA is used to quantify the risk from accidents initiated in the plant (from internal initiating events such as pipe breaks and external initiating events such as earthquakes) and during both full power and low power/shutdown conditions.

The risk evaluation involves three sequential parts or "levels": identification and quantification of the sequences of events leading to core damage (Level 1 analysis); evaluation and quantification of the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the containment (Level 2 analysis); and the evaluation and quantification of the resulting consequences to both the public and the environment (Level 3 analysis). A full-scope PRA, as defined here, does not include evaluation of accidents initiated by sabotage events or that result in releases from other radioactive material sources such as the spent fuel pool, routine, small releases of radioactive material, and does not include the risk to plant personnel from any accident.

The elements of a full-scope PRA, and the attributes for the analysis of each element, are presented in the following sections. While reading and reviewing this report, the reader should keep in mind the following general considerations:

  • The design, construction, and operational practices of the plant being analyzed are expected to be consistent with its CLB.

  • The PRA being performed is expected to realistically reflect the design, construc[...] practices. The Commission's policy statement indicates that "PRA evalu[...] decisions should be as realistic as practicable." Consequently, the PRA u[...] decisionmaking is expected to reflect the impact of previous changes mad[...] presumed that the particular application of PRA for which these attrib[...] that the change under consideration can be modeled in the PRA (by manipulation [...] or the event tree/fault tree logic model).

  • This document is not a procedures guide for performing a PRA. Such procedure[...] documents including NUREG/CR-2300, NUREG/CR-2815, NUREG/CR-2728, NU[...] 1, NUREG/CR-4840, and NUREG/CR-5259 (Ref. 1.2). This document p[...] task) against which a PRA study and its supporting documentation can b[...] supplemented as needed.

  • The discussions described below are provided in terms of functional requirem[...] some circumstances, however, guidance is not provided, nor are characterizations of specific [...] where an issue is both important to risk results and poorly understood, prescrip[...] provided to reduce PRA-to-PRA variability.

  • The described PRA attributes are meant to cover the most demanding risk-info[...] although the principal focus for this draft version of the document has been u[...] Additional attributes for specific applications are described in the application-s[...]

  • PRA models have been developed and are being used for real-time monitori[...] resulting monitoring of risks). The attributes for such models may be quite di[...] associated with regulatory applications, and are not addressed here.
1.4 Role in Risk-Informed Regulation

This document discusses PRA attributes that support Draft Regulatory Guide D[...] Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific [...] and the Draft Standard Review Plan (Chapter 19), "Use of Probabilistic Risk [...] Informed Decisionmaking: General Guidance." This report also is referenced by related risk-informed reg[...] guides and their corresponding standard review plan chapters. These inc[...] on inservice inspection of piping, DG-1064 on graded quality assurance, and DG[...] (Ref. 1.3).

As mentioned above, the content in this report is meant to support a wide var[...] may exceed those covered in the staff's PRA implementation plan. Each [...] requirements on the supporting PRA scope and level of detail. This docu[...] accommodate and benefit these applications. Some applications are complex and [...] and high accuracy from a supporting PRA. Since these applications [...] are [...] technical detail in this document. However, less demanding applications, such as [...] about PRA insights, or those that rely on quantitative results only in selected areas [...] appropriate, simpler models as [...] to those described in this [...]. The process for using risk information in regulatory decisionmaking starts with definition of the scope of the pa[...] information should be used to identify areas (tasks) in the supporting PRA that are influenced by the application, and the type of support information needed. This information, in turn, can be used to define applicable portions of this report. Application-specific regulatory guides include further guidance in this area.

1.5 Report Organization

Most PRAs [...] for U.S. nuclear power plants have focused on accidents initiated by internal events (including internal floods and fires) during full power operations. As such, the attributes for a PRA applicable to a power plant during full power operations are described in Chapters 2 through 4, and in significant detail. Chapter 2 provides the attributes of a Level 1 PRA with emphasis on accidents initiated by internal events. Chapter 3 follows a similar format to Chapter 2 but for a Level 2 PRA. Attributes of a Level 3 PRA are presented in Chapter 4. Accidents initiated by external events during full power operation are addressed in Chapter 5, which considers all the levels of analysis. In Chapter 6, the attributes of a PRA for low power and shutdown operations are presented. Chapter 6 includes consideration of accidents initiated by internal and external events and for all three levels of analysis. Information on the use and limitations of importance measures is provided in Appendix A. Finally, Appendix B presents information for peer reviews of a PRA.

REFERENCES FOR CHAPTER 1

1.1. USNRC, "Backfitting," Code of Federal Regulations, Title 10, Section 50.109, Amended April 1,8, 1[...]

1.2. "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments [...] Plants," NUREG/CR-2300, Vols. 1 and 2, American Nuclear Society and Institute of Electrical and Electr[...] Engineers, January 1983.

     R. A. Bari, et al., "Probabilistic Safety Analysis Procedures Guide," NUREG/CR-2815, BNL-NUREG[...] Vols. 1 and 2, Revision 1, Brookhaven National Laboratory, August 1985.

     D. D. Carlson, "Interim Reliability Evaluation Program Procedures Guide," NUREG/CR-2728, SAND 82-1[...] Sandia National Laboratories, January 1983.

     D. M. Ericson, Jr. (editor), et al., "Analysis of Core Damage Frequency: Internal Events Methodology," NUREG/CR-4550, SAND 86-2084, Volume 1, Revision 1, Sandia National Laboratories, January 1990.

     M. P. Bohn and J. A. Lambright, "Procedures for the External Event Core Damage Frequency Analysi[...] NUREG-1150," NUREG/CR-4840, Sandia National Laboratories, November 1990.

     "Individual Plant Examination for External Events: Guidance and Procedures," NUREG/CR-5259, Draf[...] 1989.

1.3. USNRC, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," Draft Regulatory Guide DG-1061, Februar[...]

     USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Testing," Draft Regulatory Guide DG-1062, February 1997.

     USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Inspection," Draf[...] Regulatory Guide DG-1063, February 1997.

     USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Graded Quality Assura[...] Draft Regulatory Guide DG-1064, February 1997.

     USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specificatio[...] Regulatory Guide DG-1065, February 1997.


2. INTERNAL EVENT LEVEL 1 PRA FOR FULL POWER OPERATIONS

This chapter provides attributes for a Level 1 probabilistic risk assessment (PRA) of a power plant for a[...] initiated during full power operations. Full power is defined to encompass the operations that occur while the p[...] is at greater than 15% of rated power. A Level 1 PRA identifies and quantifies those accident sequences th[...] lead to the onset of core damage. A summation of all such accidents leads to an estimate of the core damage frequency (CDF). Accidents initiated by internal events are discussed in the following section. Accidents initiated by var[...] external events are addressed in Chapter 5.

2.1 Internal Events Analysis

This section provides the attributes for performing a Level 1 PRA for analysis of internal events at full power operation. The attributes are also generally applicable to the analysis of external events at full power and for [...] analysis of all events during low power and shutdown conditions. Additional attributes applicable only to the an[...] of external events are provided in Chapter 5. Additional attributes unique to the analysis of the risk from low-power and shutdown operations are presented in Chapter 6.

A Level 1 PRA is comprised of three major segments:

  • The identification of those sequences of events that, if not prevented, could result in a core damage state and the potential release of radionuclides.
  • The development of models of events that contribute to the core damage sequences.
  • The quantification of the models in the estimation of the core damage frequency.

As noted, the first element of a Level 1 PRA identifies those sequences of events that, if not prevented, could result in a core damage state and the potential release of radionuclides. This process is typically divided into two tasks: [...] of the initiating events and [...] of the potential core damage accident sequences associated with the initiating events.

The initiating event task involves identifying those events that challenge normal plant operation and that require successful mitigation in order to prevent core damage. There can be tens to hundreds of events that can challen[...] plant. Individual events may, however, be grouped into initiating event classes, with classes defined by si[...] systems and overall plant response.

In the accident sequence development task, the different possible sequences of events that can evolve as a result [...] initiator group are identified. The resulting sequences depict the different possible combinations of functional an[...] system successes and failures and operator actions which lead to either successful mitigation of the initiating event [...] to the onset of core damage. Determination of what constitutes success (i.e., success criteria) to avert the onset of c[...] damage is a crucial part of the accident sequence analysis task.

The second element of a Level 1 PRA involves the development of the models for the mitigating systems or actions [...] in the core damage accident [...] This task, referred to as systems analysis, involves modeling the failure modes of the plant systems which are necessary to prevent core damage as defined by the core damage accident sequenc[...] This modeling process, which is usually done with fault trees, defines the combinations of equipment failures, equipment outages (such as for test or maintenance), and human errors [...] functions.

The third element of a Level 1 PRA involves estimating the plant's CDF and the asso[...] is typically divided into three tasks: data analysis, human reliability analysis, [...] analysis.

The data analysis task involves [...] initiating event frequencies, equipment failure probabilities, and equipment maintenance unavailabilities. Plant maintenance and other operat[...] specific equipment failure rates and the frequencies of the initiating events. [...] failure rates and initiating event frequencies based on industry-wide "generic" data [...] base used in the risk analysis.

The human reliability analysis task is a key task in Level 1 PRA, involving modeling and [...] important in the prevention of core damage. This evaluation both identifies the op[...] error probabilities of the identified actions. Human reliability analysis is a special a[...] skills to determine the types and likelihoods of human errors germane to the sequenc[...] core damage.

The quantification task integrates the initiating event frequencies, event probabi[...] to calculate the frequency of core damage and its associated uncertainty. As typically used [...] frequency represents the average annual core damage frequency.

2.1.1 Accident Sequence Initiating Event Analysis

Initiating events are broadly categorized into two categories, internal initiating events and [...] Internal initiating events are system and equipment malfunctions inside the plant. Ana[...] initiating events is the loss of offsite electrical power. External initiating events include [...] (i.e., from water sources outside the plant), transportation occurrences, and high w[...] external events can cause a loss of offsite power in addition to other adverse impacts o[...] flooding and fire events are conventionally treated in PRA studies as external eve[...] event category in this document. This section only addresses conventional interna[...] full power operation including the loss of offsite electrical power. The special case o[...] addressed in Sections 2.2 and 2.3, respectively. Initiators during low power and shutd[...] events are provided in Chapter 6.

2.1.1.1 Considerations for the Baseline PRA

This section defines the scope of initiating events that should be initially considered in a[...] as criteria for screening out initiators and grouping of the remaining initiators.

Initial Scope of Examined Initiators

In a full power PRA, internal events that cause an upset of normal plant operation th[...] unplanned controlled shutdown with the need for core heat removal are considered as i[...] fall into one of two categories as follows:

  • Loss of coolant accidents - All events that disrupt the plant by causing a breach in the primary coolant system with a resulting loss of core coolant inventory are modeled. These events include such occurrences as primary system pipe breaks, pressurized water reactor (PWR) steam generator tube ruptures (SGTRs), boiling water reactor (BWR) feedwater pipe breaks, interfacing system loss-of-coolant accidents (ISLOCAs), reactor pressure vessel (RPV) rupture, and BWR steam pipe breaks.

  • Transients - All events that disrupt the plant but leave both the core coolant and other water systems' inventory intact are modeled. These occurrences include such items as automatic reactor shutdowns (scrams or trips), unplanned controlled reactor shutdowns (including those caused by degraded equipment configurations), manual reactor trips or scrams, manual operator actions taken in anticipation of degrading plant conditions, and transient-induced LOCAs. In identifying the transient events, frequently occurring events (such as turbine trips) and more rare events (such as loss of a support system) are considered.

When ensuring completeness in the initial list of initiating events (considered at the onset of the baseline PRA study), the analyst should have performed a comprehensive engineering evaluation that includes the following events:

  • All general categories of events analyzed in Chapter 15 of the Final or Updated Safety Analysis Report (SAR) (e.g., increase or decreases in reactor coolant flow). The Chapter 15 analysis includes both transients and loss of coolant accidents (LOCAs).

  • Events resulting in a loss of primary core coolant. This includes leaks and ruptures of various sizes and at different locations in the primary system (e.g., primary system pipe breaks, penetration failures, SGTRs and vessel rupture). In addition, a systematic search of the reactor coolant pressure boundary should be performed to identify any active [...] in systems interfacing with the primary system that could fail or be operated in such a manner as to result in an uncontrolled loss of primary coolant ([...] referred to as ISLOCAs).

  • All actual initiating events which have occurred at the plant. Actual plant scrams and unplanned shutdowns as documented in Licensee Event Reports (LERs) and scram reports should be included. These initiators typically involve faults in the nuclear steam supply system (NSSS) and in the turbine-generator and related systems (referred to hereafter as the balance-of-plant). Plant modifications (not accounted for in the baseline PRA) influencing occurrence rates should be considered.

  • All initiating events considered in published PRAs (and related studies) of similar plants. NUREG/CR-4550 (Ref. 2.1) contains a list of transient initiating events that have actually led to reactor trips and that should be considered.

  • All initiating events that have occurred at conditions other than full power operation (i.e., during low power or shutdown conditions) are included unless it is determined that they are not applicable to full power operation.

  • All systems supporting the operation of other plant systems are reviewed to determine if their loss results in automatic scram, manual scram, or a controlled shutdown. Failure Modes and Effects Analysis (FMEA) is generally used to determine if an initiating event results from complete or partial failure of the system to operate, or from inadvertent operation of a system. In this method, the analyst determines for each component in the system: (1) its function, (2) the possible failure modes, (3) the failure mechanisms, and (4) the effects of the failure on the system and the plant.


A system is evaluated if its loss would disrupt the normal operation of the plant. At a minimum, support systems that are examined include alternating current (AC) and d i (HVAC) systems; service water systems, instrument and service air; heating, ventilation throughout the plant (including the control room); and instrumentation/cont

In determining whether the loss of a plant system or component sho initiating event, the expected level of degradation to other pla systems) is also determined and evaluated. This may require c lification environment to which the mitigating equipment is exposed and compa information.

Initiating events consisting of multiple equipment failures are inc if the a common cause. For example, the failure of two DC electrical buses failure is due to a common cause. For multiple unit sites where systems are shared or can be cros units should be identified in addition to those that will only impact a single unit.

An ISLOCA can be an important accident sequence because of releases of radioactivity from the plant due to a of this type of event. and the effects of the ISLOCA on other equipment can significantly affect the

NUREG/CR-5928 (Ref. 2.2) describes an acceptable approach to a In that report, a spectrum of topics are addressed including the mode and components and their failure modes that should be considered, of including different piping materials and designs, human reliabil or otherwise mitigating the LOCA, specific data suggestions 928 for the an considerations. Two additional specific considerations which may be a specific plant and hence should be considered when analyzing IS

(1) Credit for motor operated valve (MOV) or check valve closure t rupture can only be taken in the PRA if supporting analysis te adequate capability of the valve for the expected conditions. T successfully addressing Generic Letter (GL) 89-10 for the valve(s) analyses or test results for valves (e.g., check valves) not covere (Ref. 2.3). With such supporting analyses, the nominal failu used; otherwise it should be assumed that the valve will not close to

(2) Any resulting effects on equipment exposed to the breach sho effects of the breach as well as propagation of that water/steam Any credit taken for the continued operability of equipment This includes in the attributes provided under the "equipment operability" issue discussed consideration of whether the valve o for MOVs will function to close the valve valve is determined capable of closing) given its exposure to the expecte

Screening Out Initiating Events

In a PRA, not every initiating event that causes a disruption of the plant has to be modeled. That is, accident sequences do not have to be developed for every initiating event. In some cases, it is allowable to exclude initiating events. Any of the following criteria can be used to exclude initiating events:

  • The frequency of the initiating event is less than 1E-7 per reactor year (ry) when the initiator does not involve either an ISLOCA, containment bypass, or vessel rupture.
  • The frequency of the initiating event is less than 1E-6/ry and the core damage could not occur unless at least two active trains of diverse mitigating systems are independently failed.
  • The resulting reactor trip is not an "immediate" occurrence. That is, the event does not require the plant to go to shutdown conditions until sufficient time has expired during which the initiating event conditions can, with a high degree of certainty (based on supporting calculations), be detected and corrected before normal plant operation would be curtailed (either administratively or automatically).

For example, a steam generator tube rupture event may have a relatively low contribution to the total core damage frequency but may constitute a significant fraction of total large early releases. Initiating events such as these should not be excluded. The need to understand the potential consequences of an initiating event in order to exclude it from detailed analysis makes the process of excluding initiating events necessarily iterative.

As another illustration, the loss of switchgear room HVAC may not require the operator to initiate a manual shutdown for 8 hours based on a room heatup calculation. During this time, the operator can almost certainly detect and recover the fault using portable cooling equipment (as directed by procedures) and prevent the need for a forced shutdown. In this case, loss of switchgear room cooling could justifiably be eliminated as an initiating event (based on procedural guidance and calculational support).

The basis for excluding initiating events from detailed evaluation should have been established and documented for a peer review and users of the baseline PRA.' The fact that an event has never occurred, by itself, is not a sufficient basis for eliminating an initiating event from evaluation.

Grouping of Initiating Events

Numerous events and occurrences can disrupt a plant and the response of the plant to many of the events can be virtually identical. In such cases, it is acceptable to group the initiating events using the following criteria:

  • Initiating events resulting in the same accident progression (i.e., requiring the same systems and operator actions for mitigation) can be grouped together. The success criteria for each system required for mitigation (e.g., the required number of pump trains) is the same for all initiators grouped together. In addition, all grouped initiators should have the same impact on the operability and performance of each mitigating system and the operator. Consideration can also be given to those accident progression attribute the subsequent level 2 analysis (refers to Chapter 3).

' The user (or reviewer) of this baseline PRA and its documentation need to compare the above criteria with those used for grouping initiating events in the PRA. Deviations should be noted especially when they have the potential for limiting the use of the baseline PRA.

  • In conformance with the criteria above, LOCAs can be grouped according to the size and primary system breach. However, primary breaches that bypass the containment sh
  • Initiating events can be grouped with other initiating events with slightly different acciden success criteria if it can be shown that such treatment bounds the real core damage frequen consequences that would result from the initiator. To avoid a distorted assessment of r insights, grouping of initiators with significantly different success criteria should be av of initiators necessitates that the success criteria for the grouped initiators be the most stringent criteria of all the individual events in the group. Note that in a sound baseline PRA, low-freque are grouped with other relatively high-frequency initiators, rather than excluding them from fu

2.1.1.2 Application Impact Considerations

It is possible that a particular change to a plant's current licensing basis (CLB) may influen change may result in:

  • New accident initiators,
  • Higher risk contribution of (initially) screened out initiator(s), and
  • Change in the frequency of modeled initiator(s).

For every risk-informed regulatory change, the potential for these three items should be exa should consider structure, systems, and components (SSCs) modeled in the PRA as well as those SSCs not modeled in the PRA should be subject to a failure modes and effects analysis (FMEA) (or e assess their impact on accident initiators scope and frequencies. Note that a proposed CLB change may necessitate reconsideration of the initiating events the baseline PRA to bring sharper focus on a subgroup of initiators that may be sensitive to the change.

2.1.1.3 Interface with Other Tasks

Results of reviews of this task should be considered before the onset of reviewing the data and the accident sequence analysis (Section 2.1.2) tasks. A special emphasis should be given to PRA (or its documentation) related to scope, screening, and grouping of initiators which can co soundness of results of these two interfacing tasks, and consequently the adequacy of the baselin proposed risk-informed applications

2.1.1.4 Documentation

The documentation of the initiating event task should be sufficient such that a peer reviewer ca At a minimum, the following information pertinent to initiating events should be listed:

  • A list or general description of the information sources that were used in the task.
  • Specific information/records of events (plant specific, industry experience, "generic" data) used to identify the applicable initiating events.
  • The initiating events considered including both the events retained for further examination and those that were eliminated, along with the supporting rationale.
  • Any quantitative or qualitative evaluations or assumptions that were made in identifying, screening or grouping of the initiating events as well as the bases for any assumptions and their impact on the final results.
  • Documentation of the FMEA performed to identify support system initiators and the expected effects on the plant (especially on mitigating systems).
  • Specific records of the grouping process including the success criteria for the final accident initiator groups.
  • Documentation of findings of FMEA (or equivalent) performed on SSCs within the scope of the change but not modeled in the PRA, to assess their impact on the scope and frequency of initiators.

2.1.2 Accident Sequence Analysis

The objective of the accident sequence analysis task is to determine the possible plant responses (sequences) that could occur as a result of initiating events. These plant responses are defined in terms of the different possible combinations of successful and unsuccessful functions or systems and operator responses required to mitigate an accident initiator. For the level 1 portion of an analysis, the following discussion is provided for those plant responses or sequences that end with either the plant in a stable state or when the plant has entered into a "severe accident" state in which the onset of core damage is imminent.

Accident sequences are determined by implementing a logical method for identifying the different possible plant responses to the initiating events. The plant safety functions and corresponding plant systems and operator responses that need to occur to mitigate each initiator are used to represent the different possible plant responses (or accident progression sequences). Different models can be used to develop the accident sequences. Among these, the two principal methods used are event sequence diagrams and event trees. There are also different types of event trees (e.g., functional versus system) and different ways of documenting the response to each accident initiator (e.g., separate event trees for each initiating event group or a general tree with the initiating event impacts included in system fault trees, or inclusion of support systems and shared equipment in the event tree rather than at a fault tree level). All of these different event tree approaches can be used. The following discussion presents the attributes of the event tree approach to accident sequence analysis since it is the most prevalent technique.

2.1.2.1 Considerations for the Baseline PRA

This section identifies several key factors to consider in evaluating the baseline PRA used in a risk-informed regulatory application.

Establishing Success Criteria

Accident sequence analysis establishes the success criteria which should be m criteria are thus dependent on the definition of core damage. Core damage ha various ways, usually through peak cladding temperature limits or designated damage generally means that no imminent recovery of sufficient coolant inje substantial amount (equivalent to or greater than the design basis) of the radioact between the cladding and the fuel is subsequently released. Comparable definitio phenomena can be used. Whatever the definition chosen ces for the damage with core onset of co Note that considerable fuel melting may also be expected in most acc ent sequen

The accident sequence model may include as the event tree headings the necessa operator responses to prevent the onset of core damage. Accident sequence m required to protect the containment and influence the amount of radioactive mate modeled in a level 1 PRA include reactivity control, reactor coolant system (RCS) overpre coolant inventory control and heat removal, and containment over pressure protection containment over-pressure protection functions are listed in the Level 1 considerations condition can adversely impact the core heat removal and inventory control functions.

The success criteria for each of these functions required to prevent core damage should b inventory control function can be expressed in terms of required flow rate). Once establ responses modeled in a PRA include those frontline, support systems, and operator al the modeled safety function success criteria. The minimum hardware for each identifie pump trains) and operator responses required to meet the function success criteria responding to each initiating event group.

The use of realistic success criteria provides additional assurance that the relative importance sequences is as accurate as possible. To further ensure a "realistic" analysis, the use excessively limiting (such as the success criteria used in design basis assessments) is a licensing basis may require two out of four emergency core cooling pumps when "best e only one out of four pumps will prevent the onset of core damage.

"Realistic" success criteria, rather than the licensing-bases criteria, can be used for both th individual systems that perform those functions. Therefore, the evaluation does not have the systems when non-safety related equipment may be available to perform the needed functio onset of core damage.

For grouped initiators, the accident sequence modeling should reflect the most stringent coolant injection requirements for LOCA initiators (which usually involve a spectrum of break si the upper end of the break spectrum. For other functions, the requirements may have to be based upon a differe initiator included in the group.

' The attributes provided in this section do not address event trees where the end state goes past damage. Functions required for establishing the containment performance and release of radioactive m identified in the Level 2 discussion. Further event tree modeling to establish plant damage states is not Section.

The success criteria for preventing core damage can be dependent on the accident progression and timing. For example, for a BWR, the control rod drive (CRD) system may not provide sufficient flow for coolant injection at the beginning of a small LOCA; however, at 4 hours into the accident (given coolant injection has been occurring), the coolant inventory requirements are reduced and CRD flow is adequate. In addition, the time required to align a system may influence what time frame it can be credited in (e.g., firewater may not be credited early on in an accident (e.g., a LOCA) since it could require connection of multiple fire hoses, insertion of spool pieces, or opening of remote valves).

In determining "realistic" success criteria, particularly when such criteria are considerably different from the SAR design basis or is not even addressed in the SAR, supporting analyses (e.g., thermal-hydraulic calculations) should be the basis for the success criteria that is credited in the PRA. Representative examples of criteria often used in PRAs that differ considerably or are not addressed by the design basis criteria are (a) feed and bleed mode for PWR core cooling, (b) primary/secondary system depressurization and use of low pressure safety injection and/or condensate to the steam generators whenever high pressure safety injection and/or main and auxiliary feedwater are unavailable in PWRs, and (c) in case of BWRs, use of alternate injection systems (such as control rod drive flow or firewater) under conditions when all other injection systems are unavailable. These represent conditions that go well beyond the single failure considerations applied in the design basis and hence did not have to be treated in the original licensing basis for the plant. While plant-specific calculations are preferred, non-plant specific calculations (e.g., use of "similar" plant analyses perhaps with modification) are acceptable provided appropriate justification is established.

The computer codes used to calculate success criteria (either plant specific or for a similar plant) should contain the modeling detail present in codes such as RELAP and TRAC (Ref. 2.4) and should be verified for the conditions that exist in the success criteria application. For instance, anticipated transient without scram (ATWS) represents a complicated and "beyond design basis" set of scenarios requiring analysis and supporting calculations to properly ch.i s the success criteria. The estimated risk contribution of ATWS events is in part a function of modeling approaches and associated assumptions used in interpreting the success criteria.

For PWRs, what constitutes successful pressure control often sets the stage for the rest of the analysis. An acceptable basis for successful pressure control is the use of the stress level C limits of the American Society of Mechanical Engineers (ASME) code for the assumed failure point for the vessel and primary piping from overpressurization. Supporting calculations (preferably plant-specific) are performed to address the critical Moderator Temperature Coefficient (MTC) necessary to ensure the unacceptable stress limit is not reached (i.e., the portion of the fuel life when the MTC is sufficiently negative). Furthermore, plant specific analyses are preferred to determine the pressure increases associated with failure to trip the turbine during an ATWS.

For BWRs, a similar basis for success during an ATWS can be established and the plant-specific considerations are used to interpret the need for:

  • Recirculation pump trip (RPT) including whether all pumps should trip.
  • Standby liquid control (SLC) system operation particularly the time the system should be initiated for successful mitigation.
  • Inhibiting emergency core cooling system (ECCS) injection inside the shroud and inhibiting automatic depressurization.
  • Requirement for vessel level control during injection by both high and low pressure systems.
  • Containment and suppression pool cooling to avoid adverse impacts on continued operabilit

One concern regarding accident sequence modeling is the loss of reactor coolant pump (RCP) se concern arises during consideration of loss of pump cooling events and loss of all AC events, both o loss of pump seal cooling and the potential for a primary system LOCA (through the pump coolant makeup. Pump seal failures can also be initiating events for the PRA.

The proper model depends on the pump manufacturer (Westinghouse, Byron Jackson, Another consideration which may make a difference is whether or not the pump has been tripp cooling/injection. In addition, there is a range of opinion as to what would be the proper seal the probability of a certain flow rate vs. time) for a given pump. The chosen model can sig considerably altering both the ranking of dominant accident sequences as well as affecting t frequency. The treatment of RCP seal LOCAs is an example of an area where there is a uncertainty in the accident sequence modeling.

Because of the less than definitive conclusions that have been made as to the appropriate model purposes, this document provides suggested RCP seal LOCA models for incorporation applications until (and if) more information becomes available. Alternate models may b is provided for their use. The suggested model approaches provided below are based on t elicitation issue in the NUREG-1150 study (Ref. 2.5), and consider the modeling approaches used b in their individual plant examinations (IPEs).

Case 1 - Pumps-tripped condition:

The RCP seal leakage model is based on the discussion in Section 5 of NUREG/CR-4550 (Ref. 2.6 wish to group similar leak rates from the tables in Section 5, but needs to consider the ful and probabilities provided in the referenced report. It is suggested that an acceptable Westinghouse "old" o-ring design pumps is to use the "old" o-ring values (or a suitable eq provided). It is also suggested that an acceptable approach for plants with the newe Westinghouse design (and all other pump manufacturer designs) is to use the "new" o-r equivalent, with justification provided).

Case 2 - Pumps-not-tripped condition:

The licensee determines the maximum possible flowrate for the applicable pump manufa suge are 4 # and no longer provide a flow restriction within the labyrinth. The calcul to occur by 30 minutes following the initiating event.

The significance of the above models to the PRA results is still dependent on such facto affected, cooling system configuration, and hence probability associated with a total loss to provide reactor coolant system injection during such conditions (for instance, the B older designs, are generally better able to cope with such a LOCA even under loss of high-pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) systems), etc.

Modeling Accident Progressions

The modeling of the accident sequence progressions necessitates that the response of the plant systems and the operator accurately reflect the system capabilities and interactions, procedural guidance, and the timing of the accident sequences. Therefore, the development of the accident sequence models should correctly incorporate the plant response to an initiator that exists in the plant emergency and abnormal operating procedures and as practiced simulator exercises. In fact, the procedural guidance along with timing information obtained through thermal-hydraulic calculations serves as the guide in the actual development of the accident sequence models. Operator actions require to mitigate an accident sequence (e.g., manual initiation of systems or special actions such as controlling vesse during an ATWS in a BWR) should be modeled (see Section 2.1.5). Therefore, event tree headings should be chronologically placed in the order that the system or operator action is expected to be challenged. Deviations from the chronological representation of the procedural guidance should be well documented.

In developing the accident sequences, the accident progression (as represented by the logic structure of the model) should also account for dependencies and interfaces between and among the plant safety functions, systems and operator actions needed for accident mitigation. The dependencies and interfaces that should be considered include functional, phenomenological, and operational dependencies and interfaces.

Functional dependencies exist where the success of one function is dependent or otherwise affected by the success/failure of another function. There are two dependencies that should be addressed. These dependencies include (1) interaction of the initiating group with mitigating systems and operator actions, and (2) interaction among the mitigating systems and operator actions.
The interactions of the initiating event group with available mitigating systems and actions are accounted for either in the accident sequence model or at the system model level. Both immediate effects (e.g., loss of systems such as the power conversion system (PCS) following loss of offsite power) and delayed effects (e.g., loss of a system due to loss of HVAC) should be included. Delayed impacts can be subtle and require that both harsh environmental impacts (discussed in more detail below) and protective trip logic be considered. An example of protective trip logic concerns is the occurrence of a steam leak detection trip signal resulting due to a high room temperature that could result from a loss of room cooling. The loss of room cooling may occur for various initiators including loss of offsite power, loss of a cooling water systems, or loss of the HVAC system itself.

The interactions among mitigating systems and operator actions are also accounted for either in the accident sequence model or at the system model level. One type of interaction is the successful operation of a system precluding the need for a redundant system performing the same function. The second type of interaction is the failure of one system precluding the operation of another system. An example of these types of functional dependencies in both a BWR and PWR is the requirement for the success of primary system depressurization before low-pressure coolant injection be utilized. Alternatively, vessel depressurization may cause loss of a system due to pump run-out inducing a pump trip. Another common example of a functional dependency is that battery depletion during a station blackout precludes continued operation of steam-driven systems.
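The two interaction types described above (success of one system removing the demand on a redundant one, and failure of one system precluding another) can be made concrete with a small event tree. This is an added example, not part of the draft NUREG; the heading names (HPI, DEP, LPI), the failure probabilities and the initiator frequency are constructed assumptions.

```python
"""Event tree with functional dependencies between headings (added example).

All names and numbers are constructed for illustration; none come from the
draft NUREG or from any plant model.
"""

# Frequency of the initiating event group, per reactor-year (constructed).
INITIATOR_FREQ = 1.0e-3

# Headings in the chronological order in which they are challenged.
# Each entry: (name, failure probability on demand, predicate that decides
# from the outcomes of earlier headings whether this heading is challenged).
HEADINGS = [
    # High-pressure injection is always demanded first.
    ("HPI", 1.0e-2, lambda h: True),
    # Success of HPI precludes the need for the redundant low-pressure path,
    # so depressurization is only challenged after HPI has failed.
    ("DEP", 1.0e-3, lambda h: h["HPI"] is False),
    # Low-pressure injection can be credited only after depressurization
    # has succeeded; failure of DEP precludes its operation.
    ("LPI", 5.0e-3, lambda h: h.get("DEP") is True),
]


def end_state(history):
    """Return "OK" if either injection path succeeded, else "CD"."""
    if history.get("HPI") or history.get("LPI"):
        return "OK"
    return "CD"


def enumerate_sequences(headings=HEADINGS, freq=INITIATOR_FREQ):
    """Walk the tree and return (history, frequency, end state) per sequence.

    history maps heading name to True (success), False (failure) or
    None (heading not challenged in this sequence).
    """
    sequences = []

    def walk(index, history, f):
        if index == len(headings):
            sequences.append((dict(history), f, end_state(history)))
            return
        name, p_fail, challenged = headings[index]
        if not challenged(history):
            # No branch point: the heading is bypassed in this sequence.
            walk(index + 1, {**history, name: None}, f)
            return
        walk(index + 1, {**history, name: True}, f * (1.0 - p_fail))
        walk(index + 1, {**history, name: False}, f * p_fail)

    walk(0, {}, freq)
    return sequences


def label(history):
    """Short sequence label listing only the headings that were challenged."""
    return "/".join(
        f"{name}-{'S' if ok else 'F'}"
        for name, ok in history.items()
        if ok is not None
    )


def core_damage_frequency(sequences):
    """Sum the frequencies of all sequences that end in core damage."""
    return sum(f for _, f, state in sequences if state == "CD")


def naive_independent_cdf(headings=HEADINGS, freq=INITIATOR_FREQ):
    """Estimate that ignores the DEP dependency: HPI and LPI both fail."""
    p = {name: p_fail for name, p_fail, _ in headings}
    return freq * p["HPI"] * p["LPI"]


if __name__ == "__main__":
    seqs = enumerate_sequences()
    for history, f, state in seqs:
        print(f"{label(history):22s} {f:.3e}  {state}")
    print("CDF with dependencies:", core_damage_frequency(seqs))
    print("CDF ignoring DEP     :", naive_independent_cdf())
```

Leaving the depressurization dependency out of the logic understates the core damage frequency for these constructed numbers, because the sequence in which depressurization fails never challenges low-pressure injection at all.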

Phenomenological dependencies manifest themselves where the environmental conditions generated during an accident sequence influence the operability of systems and equipment. Phenomenological impacts can include harsh environments that result in protective trips of systems (e.g., due to high pressures or temperatures), loss of pump net positive suction head (NPSH) when containment heat removal is lost, clogging of pump straine generated during a LOCA, failure of components outside the containment following containment failure resulting harsh environment, closure of safety relief valves (SRVs) in BWRs pipe breaks following containment failure.

Phenomenological impacts can also be indirect. For example, failure of containme cause the operator to depressurize the vessel per procedures to maintain su an action can result in loss of driving steam for systems such as HPCI and RCIC failure modes such as bypassing of protective trips, switching suction sources for pumps cooling can be credited either in the accident sequence modeling or system m accomplished considering available staffing, the available time to perform th the actions should be performed. Most of these phenomenological dependencies are ide basis as part of the systems analysis (see Section 2.1.3).

Operational dependencies that are hardwired or are configuration dependent are An example of an operational dependency is that the suppression pool cl heat removal is not available when the system is in the low pressure coolant injection mode.

Consideration should also be given to sequences in which the nature of the accident changes. For example, an initial transient may become a LOCA event due to reactor coolant pump seal failure or a dem relief valve. Proper modeling of this progression change accounts for any depen

discussed. Transfers to other sequence models to reflect the change in the sequei consideration given to any differences between the modeled initiators. Screenin but should follow the truncation considerations provided in Section 2.1.6 (sequen reevaluated for each risk-informed regulatory application.

2.1.2.2 Application Impact Considerations

It is possible that a particular change to a plant's current licensing basis (CLB) m analysis task. The proposed change may result in:

  • New/fewer event trees being considered;
  • Revised success criteria;
  • New dependencies or interfaces;
  • New/fewer and/or rearranged event tree headings due to changes in proc specifications, etc.;
  • Revised sequence logic.

2.1.2.3 Interfaces with Other Tasks

Initiating event analysis and systems analysis will provide information on the functions. Systems analysis and human reliability analysis (HRA) will provide info mitigating systems and operator actions, phenomenological interactions and o analysis will provide information used to obtain success criteria and accid is used in various aspects of this task, e.g., for success criteria, timing, environmental effects, etc. The output of the sequence analysis is used as an input the HRA task, and to generate cutsets used for sequence quantification task. The sequence analysis will also guide the systems analysis, as reference is made to certain systems or functions in the event trees and the success criteria.

2.1.2.4 Documentation

The following information concerning the accident sequence modeling should be reported:

  • A list or general description of the information sources that were used in the task.

  • The success criteria established for each initiating group including the bases for the criteria (i.e., the system capacities required to mitigate the accident and the necessary components required to achieve these capacities).
  • The event trees or other types of models used (including all sequences) for each initiating event group.

  • A description of the accident progression for each sequence or group of similar sequences (i.e., descriptions of the sequence timing, applicable procedural guidance, expected environmental or phenomenological impacts, dependencies between systems, and other pertinent information required to fully establish the sequence of events).
  • Any assumptions that were made in developing the accident sequences, as well as the bases for the assumptions and their impact on the final results.
  • Existing analyses or plant specific calculations performed to arrive at success criteria and expected sequence phenomena including necessary timing considerations.
  • Sufficient system aaaranan information (refer to the following section) to support the modeled dependencies.
  • Input, calculations, etc. (particularly to justify equipment operability beyond its "normal" design parameters and for which credit has been taken).
  • How the application changes the baseline model in this task.

2.1.3 Systems Analysis

There are different analytical techniques that can be used to perform or support a systems analysis. Examples include: FMEA, reliability block diagrams, and fault trees. Fault trees are the preferred method since they are deductive in nature and, if properly performed, can identify all potential failure modes of a system and thus can be used to calculate the unavailability of the system.

2.1.3.1 Considerations for the Baseline PRA

Detailed fault tree models are generally required in analyzing the system, although sometimes a simplified fault tree or the black box approach (treating the system as a basic event) is acceptable, as delineated below. The basic concepts for constructing fault trees are described in "The Fault Tree Handbook" Se . to this method are discussed below.

A fault tree can be simplified to include only the dominant types of failures. sufficient experience exists, can be used to represent system's unavailability model those aspects of the system which form dependencies with other systems events are properly handled.

An example of where a simplified fault tree could be utilized is for the auto system in a BWR. Here, common cause valve failure and an operator er shown to be the dominant failure modes for the ADS. Since this system is da power and instrument air) used by other systems, these support system example of where a data value is permissible is the reactor protection system in this case, the reactor protection system (RPS) failure modes are independent of other sy

Establishing System Analysis Boundaries

An accurate representation of the design, operation and maintenance of each mol operation and maintenance requirements and practices are reviewed to ensure and as operated system. System walkdowns are performed to confirm the design system procedure (abnormal, operating, maintenance, and testing) reviews, and invol are also necessary.

The failure criteria defining the top event of the fault tree for each system should match the acl criteria. Note that in some cases, multiple models for the same system may be needed to add

All equipment and components necessary for the system to perform its function (as de success criteria) during the postulated accident mission time are considered in the system model. The boundaries of these equipment and components should also be defined. These definitions should statistical data exists in determining their failure probabilities. In addition, the defined b reflect the dependencies and interfaces between equipment and systems.

All relevant and possible failure modes for each component should be considered. These include the following:

  • Hardware faults
      - Failure to change state
      - Failure to operate
  • Out-of-service unavailability
  • Common cause faults
  • Operator faults
  • Conditional operability faults including equipment capability and phenomenological faults

Hardware faults are those physical breakdowns of the equipment such that the system or component cannot as designed (e.g., pump shaft breaks).

In modeling the out-of-service unavailability, both planned and unplanned test and maintenance contributions are considered. The type of testing and maintenance modeled should be consistent with the actual practices of the p for removing equipment from service for maintenance. These considerations might include technical specification equipment configuration control violations as well as previously identified implementation and program deficiencies with the equipment configuration control process.

Common cause equipment failures are multiple failures that result from a single event or failure. The NRC's Office of Analysis and Evaluation of Operational Data (AEOD) report, "Common Cause Failure Data Collection and Analysis System" (Ref. 2.8), in six volumes, provides a suggested common cause failure modeling approach. Volumes 5 and 6 of that report are particularly useful as they directly apply to the modeling (Volume 5) and the do"we (Volume 6) applicable to PRA. Given the current state-of-the-art of common cause failure analysis and the data available, only intra-system common cause failures are generally modeled. Inter-system common cause failures should be considered when indicated. This is e-ty done in the case of the BWR HPCI-RCIC systems, cited in the AEOD report. How common cause events are included in the model may vary (e.g., included in the system fault trees, added after initial cutset review of LWAant failure combinations) but the approach should demonstrate that quantitatively important common cause combinations are not missed. Truncation considerations should be consistent with those expectations provided in Section 2.1.6, accident sequence quantification (i.e., truncation of any common cause events would be based on low cutset frequency arguments). In addition, the truncation of any common cause events should be reevaluated for every risk-informed regulatory application of the PRA. For cases where the PRA involves the evaluation of common cause among a component type not covered by the AEOD report, the component type closest in design and similarity in the AEOD report can be used to perform the evaluation. In evaluating the human error probabilities, the analyst would also consider common causes and incorporate performance shaping factors (PSFs) to account for dependencies.

Certain types of human error events should also be considered in the systems analysis. These events include, at a minimum, those human actions that cause the system or component to be inoperable when demanded. These events (also referred to as pre-initiator human events) are analyzed as part of the human reliability analysis, discussed in Section 2.1.5. Other human events can be included in the systems analysis model. These events include those actions needed for the operation of the system or component. These events (also referred to as post-initiator human events) are also analyzed as part of the human reliability analysis, discussed in Section 2.1.5.

System models should also treat conditional faults. These failures are discussed below under system dependencies and interfaces.

Supercomponents or modules can be used. However, the modularization process should be performed in a manner that avoids grouping events (i.e., e , =; failures, testing and maintenance unavailabilities, and human errors) with different recovery potential (e.g., hardware failures that cannot be recovered versus actuation signals which can), human error events, events which are mutually exclusive of other events not in the module, and events which occur in other fault trees (especially common cause events). Note that some risk-informed regulatory applications of PRA may necessitate certain events to be removed from modules.

Modeling System Dependencies and Interfaces

A PRA should model the dependencies and interfaces between and among the systems and minimum, the following dependencies and interfaces should be modeled:

  • System Initiation, Actuation and Operation - those systems that are required fo continued operation of the system (i.e., for both the frontline mitigating systems and su identified, e.g., AC and DC power and instrument air. In modeling the initiation and actua conditions needed for initiation and actuation (e.g., low RPV water level) should also be ad For example, a condition required to initiate a system automatically may not exist in some Thus, failure of that portion of the automatic actuation system has a probability of 1.0 sequences
  • System Isolation, Trip or Failure - those conditions that can cause the system to iso conditions that once exceeded can cause the system to fail. At a minimum, conditions that include environmental conditions, fluid temperature and pressure being pm*M external water level water and air temperature, pressure, humidity, and radiation levels. These conditions may systems fail to function. Examples of required systems include HVAC, service / comp tracing on piping and tanks to prevent boron solution precipitation, instrumentation (pressure, level, etc.), and water transfer systems to maintain tank levels.

Examples of conditions that can isolate, trip or fail a system or component include:

      - For BWRs, high pressure in the RPV will prevent opening of the low pressure injection system isolation valves.
      - A diesel generator will trip when the high jacket water temperature setpoint is reached condition can occur when the supporting cooling water supply to the diesel generator is lost.
      - 'W-~ pump NPSH due to low suction source level or high temperatures, clogging of st steam binding of auxiliary feedwater pumps, and steam environment effects are a conditions that can fail pumps.

Because of the attempted realistic nature of PRAs, there are many examples of where allo the operability of equipment beyond its design basis. This credit is allowed to account built-in to most equipment used in a nuclear power plant and hence to recognize that equi in conditions that are beyond those accounted for in the design basis. Examples include ope under saturated water suction conditions, steam relief valve operability even when the valve two-phase flow conditions, battery operability given all charging to the batteries has been performance under undesirable environment or radiation conditions, etc.

While crediting the potential for this operability supports the intent to provide a realistic aca judgments of operability can often "drive" the results of the analysis and significantly im sequences and contributing equipment that most affect the core damage frequency therefore, such judgments should be supported. Test data, actual plant experience, vend regarding experience of similar equipment in other applications, and technical analy acceptable evidence. Otherwise, it should be assumed that once the expected conditions in the scenario exceed the design basis limits for the equipment, the equipment then fails with a probability of 1.0.

  • System Capability - those conditions that can cause the system, though operable, to not meet the required function. Examples of this nature include flow diversion and insufficient inventories of air, water or power to support continued operation of the system for the assumed mission time. Such "failures" are explicitly treated in the modeling process using realistic operability considerations and should be supported with analysis; otherwise, it should be assumed once these conditions exist that the equipment/system fails with a probability of 1.0.

  • Shared M-t - thosew e and equipment that are shared among systems. Passive components not typically modeled are included when their failure impacts more than one system (e.g., a discharge pipe from a tank feeding two separate systems).

Screening and Excluding Components and Failure Modes

It is not always necessary to model every component or failure mode. However, certain risk-informed regulatory applications of the PRA may necessitate that component and/or failure modes not generally included be added to the system models. In screening or excluding components or failure modes, the following criteria are suggested:

  • Screen / Exclude Component - The total failure probability of the component (sum of all failure modes) is at least two orders of magnitude lower than the next highest failure probability of another component in the same system train and the component (to be screened / excluded) does not have any dependencies or interfaces with other components or systems. In some cases passive components are excluded based on the fact that failure rates for these components are substantially less than active components.
  • Screen / Exclude Failure Mode - The probability of the failure mode is at least two orders of magnitude lower than the next highest failure probability of another failure mode of that component (and there is no high potential for common cause failure). An example is the probability of spurious closure of an MOV compared to the probability of it failing to open.
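The two screening criteria above can be applied mechanically to a system train, as in the following added example (not part of the NUREG text). It assumes that "next highest" means the nearest larger probability among the other components or failure modes; the component names, probabilities and interface lists are constructed for illustration.

```python
import math
from dataclasses import dataclass, field

FACTOR = 100.0  # "at least two orders of magnitude"


@dataclass
class FailureMode:
    name: str
    probability: float
    high_ccf_potential: bool = False  # analyst's judgment, not computed here


@dataclass
class Component:
    name: str
    modes: list
    interfaces: list = field(default_factory=list)  # dependencies on other components/systems

    @property
    def total(self):
        # Total failure probability of the component: sum of all failure modes.
        return math.fsum(m.probability for m in self.modes)


def next_highest(p, others):
    """Smallest probability in `others` strictly above p, or None if p is the highest."""
    higher = [q for q in others if q > p]
    return min(higher) if higher else None


def meets_margin(p, reference):
    # Relative tolerance keeps an exact factor of 100 from being lost to rounding.
    return reference is not None and p * FACTOR <= reference * (1 + 1e-9)


def screen_components(train):
    """Return {component name: (screened, reason)} for one system train."""
    result = {}
    for comp in train:
        ref = next_highest(comp.total, [c.total for c in train if c is not comp])
        if not meets_margin(comp.total, ref):
            result[comp.name] = (False, "margin not met")
        elif comp.interfaces:
            result[comp.name] = (False, "interfaces: " + ", ".join(comp.interfaces))
        else:
            result[comp.name] = (True, "margin met, no interfaces")
    return result


def screen_failure_modes(comp):
    """Return {failure mode name: (screened, reason)} for one component."""
    result = {}
    for mode in comp.modes:
        ref = next_highest(mode.probability,
                           [m.probability for m in comp.modes if m is not mode])
        if not meets_margin(mode.probability, ref):
            result[mode.name] = (False, "margin not met")
        elif mode.high_ccf_potential:
            result[mode.name] = (False, "high common cause potential")
        else:
            result[mode.name] = (True, "margin met, no high common cause potential")
    return result


def screened_names(result):
    return sorted(name for name, (screened, _) in result.items() if screened)


# Constructed train: all names and numbers are illustrative, not plant or generic data.
TRAIN_A = [
    Component("MDP-A", [FailureMode("fails to start", 2e-3),
                        FailureMode("fails to run", 1e-3)],
              interfaces=["AC bus A", "service water A"]),
    Component("MOV-A", [FailureMode("fails to open", 3e-3),
                        FailureMode("spurious closure", 2e-5)],
              interfaces=["AC bus A"]),
    Component("CKV-A", [FailureMode("fails to open", 1e-4),
                        FailureMode("fails to reseat", 5e-7, high_ccf_potential=True)]),
    Component("XV-A", [FailureMode("plugs", 5e-7)]),
    # Shared discharge pipe: very low probability, but it feeds a second train.
    Component("PIPE-S", [FailureMode("ruptures", 1e-9)], interfaces=["train B suction"]),
]

if __name__ == "__main__":
    for name, (screened, reason) in screen_components(TRAIN_A).items():
        print(f"{name:7s} {'screen' if screened else 'keep':6s} {reason}")
    for comp in TRAIN_A:
        print(comp.name, screened_names(screen_failure_modes(comp)))
```

The shared pipe meets the probability margin but stays in the model because of its interface, which is the case the Shared bullet above calls out.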

2.1.3.2 Application Impact Considerations

It is possible that a particular change to a plant's CLB may affect the systems analysis task. The proposed change may result in:

  • Additional / fewer systems being modeled.
  • A change in modeling of component / system unavailability,
  • Additional / fewer components may be modeled.
  • The type of component failure modes included in the model.
  • Change in common cause modeling,
  • Change in HRA modeling within the system's fault tree,
  • Component / system operability limits may change,
  • Removal of events from the supercomponent modules, or addition of events to them.

2.1.3.3 Interfaces with Other Tasks

The sequence analysis task identifies the plant systems that need to be analyzed. Data analys the systems analysis task to ensure that the same events are treated in both and that the com same in both. Systems analysis task may provide some initiating events and assesses the impact of in on systems (used in sequence analysis). Systems analysis cutsets may be used to generate sequ provides information on various types of dependencies for the sequence analysis. Information accident progression is also provided.

2.1.3.4 Documentation

The following system analysis information should be documented:

  • A list or general description of the information that was used in the development of the system m including a brief discussion of the following:
      - System function and operation under normal and emergency operations
      - Actual operational history indicating any past problems in the system operation
      - System success criteria and relationship to accident sequence models
      - Human actions necessary for operation of system
      - List of all test and maintenance procedures
      - System schematic illustrating all equipment and components necessary for system operation
      - Records / notes of walkdowns and significant discussions with plant staff.
      - System dependencies and shared component interfaces documented using a dependency ma ii= E-y diagram indicating all Wses for all components among all systems (frontline and support)
      - Table listing failure modes modeled for each component and event quantification
      - General spatial information and layout drawings to support external event analyses
      - Assumptions or simplifications made in development of specific system models.
  • The nomenclature for the basic events modeled.
  • The freeze date used to represent the design and operation of the plant.
  • Any general assumptions that were made in the development of the systems models, as well the assumptions and their impact on the final results.
  • List of all components and failure modes included in the model, along with justification for any exc components and failure modes
  • Information and calculations to support equipment operability considerations and assumptions.
  • References to specific controlled input documents used for modeling (e.g., piping and instrumentation diagrams).
  • Documentation of modularization process (if used).
  • Records of resolution of logic loops developed during fault tree linking (if used).
  • How the application changes the baseline model.

2.1.4 Data Analysis

The input parameters for the 1 ra.cl I ,= tim nf the PRA includes initiating event frequencies, equ unavailabilities due to out-of-service time, and common cause failure probabilities and associated uncertainty distributions. For each of these four types of parameters, the task activities include: identifying the data sources, selecting and screening the raw data, and quantifying data parameters.

2.1.4.1 Considerations for the Baseline PRA

The following points are typically considered in performing data analysis:

Initiating Event Frequencies

Selection and grouping of initiating events following the discussion in Section 2.1.1 would form the basis for reviewing and identifying the particular plant events or generic data that could be used for estimating the event frequencies. For transient initiating event frequencies, the number and nature of plant scrams a shutdowns and the hours the generator is on line should be identified. For initiators where there is little or no plant specific events, generic initiating event frequencies should be used for establishing prior distribution updating with available plant specific data. NSAC-182 (Ref. 2.9) provides data on the frequency of loss of offsite power (LOOP) events. NUREG/CR-5032 (Ref. 2.10) provides an acceptable method of Bayesian u specific data. Expert judgement elicitation can be performed according to the method in NUREG/C estimating special parameters such as constructing the site specific seismicity curve for seismic analy initiator frequencies (e.g., loss of support systems) may be estimated by constructing and quantifying fault trees.

Equipment Reliability

The relevant parameters for equipment reliability are the demand failure probability (for standby equipment, required to start or change state), and the operating failure rate (for equipment that should operate for some time after accident or transient to mitigate its effect or impact). The preferred method for estimating equipment reliability parameters is Bayesian updating in which generic data are used as a prior distribution and updated data. Generic data sources should be +Mve of the plant s-t-:==ts and the nature of the failures and demand in the pooled data set should be consistent with the plant specific applications modeled in the PR in the model would be pedigreed and justified for the applicability to the specific plant under study. The component boundaries and failure modes defined in the model are to be consistent with those in generic and plant-spe EPRI/TR 100381 (Ref. 2.11) provides useful information on the process for data collection, and reduction examples of equipment boundaries. The raw data needed to estimate these parameters are the numb number of demand failures, the number of failures observed while running and the running (operating) time.

In quantifying ww. ~.s.t reliability, actual demands and those that reasonably approximate condit accident / transient response should be used. For those cases where demands are not normally tracked (e.g safety pump to regularly fill a tank), demands can be estimated based on establishing a representativ

Demands and their associated failures should be collected and tabulated by spurious, type of test, etc.). Pooling demands and associated failures c are similar, 2) the nature of the failures are similar, and 3) the failure probabilit similar statistical populations.

Data used in the component failure probability estimations should be repre and operation. Therefore failure events may be examined in detail t iousi3 to show if types of failures previously identified and have not introduced other credible failu observed. Failures recovered promptly from the control room such that the function the compromised can be excluded as failures from the data set, provided that elsewhere. Repeated failures occurring within a small time interval should b failure if there is a single, repetitive problem that causes the failures. (For exa subsequently receives multiple demands to open, only one failure and one d discovered by means other than a valid demand, the equipment unavailability counted against the accumulated equipment unavailability. (For example, an o readings that a pump has no oil in its lubrication reservoir rendering it inoperable.)

The failure to run rate is used for operating equipment that should operate for a This would normally be a time after which the equipment reached rated speed o judged a successful start (generally an equilibrium operating state). The d standby) are the cumulative hours of operation after a successful start and the num hours of operation. For equipment normally operating, the data needed are the cumulative o number of failures observed during these hours of operation. For test surveillanc actual run times are distinctly less than the length of the mission time modeled i whether the failure rate derived from truncated tests or demands is applicable over the miss

The statistical estimation techniques would consider the types of parameters t or plant-specific data in "raw" or treated forms. These considerations sho distribution in case Bayesian techniques are implemented.

Equipment Unavailabilities

Out-of-service unavailability data are needed for equipment removed from service id for p a testing. The data required are the out-of-service time for each =a. =*at and the d tota to be operable. Coincident outage times for redundant equipment (both intra- and i and accounted for based on actual plant data. Calculations of outage unavailabilities experience.

Common Cause Failures

Options for estimating common cause failure (CCF) parameters are: (1) Alpha factor models, (2) the Beta factor model, (3) the Multiple Greek Letter model, and (4) the Binomial failure rate model. The common cause failure probabilities are the number of independent failures and the n a common cause. Since there is generally insufficient data to derive plant-specific estimate failure parameters, generic data should be used. However, the generic data sh applicability to a specific plant. In those cases where some plant specific data the generic data with Bayesian methods. The methods and database from the AEOD report (Ref. 2.8) for deriving common cause failure probabilities.

2.1.4.2 Application Impact Considerations

It is quite likely that proposed changes to the CLB impact the results of data analysis and the estimated parameters proposed changes may result in:

1. Changes in the frequency of modeled initiator(s),
2. Changes in the estimated component unavailability contribution due to out-of-service time,
3. Changes in the e=* =t:=; unavailability contribution due to changes in the component failure rates, and
4. Potential changes in CCF contributions and new CCF mechanisms.

For every risk-informed regulatory change, the potential for these four items should be examined. This examination should consider SSCs modeled in the PRA as well as SSCs not explicitly modeled (especially those capable of impacting the initiating event frequencies). Plant specific experience data, industry wide experience data, and appropriate engineering and reliability model could be used for such examinations.

2.1.4.3 Interfaces with Other Tasks

Review findings and considerations for selecting, screening, and grouping initiating events (Section 2.1.1) would be used as needed in defining the initiating event frequencies. The mission times used for component reliability estimations are provided by the accident sequence analysis task. The component specification, failure mode identification, initial operating conditions are determined from system analysis task. System analysis task also identifies the group of components for CCF analysis and the potential CCF mechanisms. The results from data analysis are used for accident quantification task.

2.1.4.4 Documentation

The following information is normally in the baseline PRA documentation. This information would be revised or supplemented as needed following the completion of this task. This information includes:

  • The initiating event frequencies.
  • The distribution for demand failure probability, standby failure rate, failure-to-run failure rate, and equipment out-of-service unavailability (as applicable) for each event.
  • System and component boundaries, mission times, and reliability models used.
  • The sources of raw data, generic data, and other information used in estimating initiating event frequencies, equipment reliability, or CCF probabilities.
  • The time period from which plant specific data were gathered.
  • Key assumptions made in the data analysis. (The bases for the assumption results should be discussed in the sensitivity analyses.)
  • Raw data records and related interpretations of those records used to derive the d available for review, but need not be part of the PRA submittal.
  • Rationale for and distributions used as priors for Bayesian updates.
  • Changes resulting from the proposed CLB changes.
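The Bayesian updating named under Equipment Reliability in Section 2.1.4.1, together with the rule there that repeated failures from a single repetitive problem count as one failure and one demand, can be sketched as follows. This is an added example, not part of the NUREG text or the method of NUREG/CR-5032: the conjugate beta and gamma priors, the 24-hour grouping window, the prior strengths and all records are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Demand:
    t_hours: float   # time of the demand on the plant clock
    failed: bool
    cause: str = ""  # analyst-assigned cause tag; empty if none was assigned


def reduce_demands(records, window_hours):
    """Count (failures, demands), collapsing repeats of one problem.

    A failed demand with the same cause tag as a failure no more than
    `window_hours` earlier adds neither a failure nor a demand, so a run
    of repeats counts as one failure and one demand. The window length
    is an analyst's choice (assumption); the text only says "small".
    """
    failures = demands = 0
    last_failure = {}  # cause tag -> time of the most recent failure with that tag
    for rec in sorted(records, key=lambda r: r.t_hours):
        if rec.failed and rec.cause:
            prev = last_failure.get(rec.cause)
            last_failure[rec.cause] = rec.t_hours
            if prev is not None and rec.t_hours - prev <= window_hours:
                continue  # repeat of the same problem
        demands += 1
        failures += int(rec.failed)
    return failures, demands


def beta_update(prior_mean, prior_demands, failures, demands):
    """Demand failure probability: Beta prior updated with binomial plant data.

    The generic prior is expressed as a mean and an equivalent number of
    demands (assumed parameterization). Returns (a, b, posterior mean).
    """
    a = prior_mean * prior_demands + failures
    b = (1.0 - prior_mean) * prior_demands + (demands - failures)
    return a, b, a / (a + b)


def gamma_update(prior_mean, prior_hours, failures, run_hours):
    """Failure-to-run rate: Gamma prior updated with Poisson plant data.

    Returns (alpha, beta in hours, posterior mean rate per hour).
    """
    alpha = prior_mean * prior_hours + failures
    beta = prior_hours + run_hours
    return alpha, beta, alpha / beta


# Constructed plant records: 48 successful monthly tests, one failure followed by
# two repeat failures within the hour, and a later recurrence of the same cause.
RECORDS = [Demand(720.0 * i, False) for i in range(48)] + [
    Demand(10000.0, True, "breaker-linkage"),
    Demand(10000.2, True, "breaker-linkage"),
    Demand(10000.5, True, "breaker-linkage"),
    Demand(30000.0, True, "breaker-linkage"),
]


def plant_specific_estimates():
    failures, demands = reduce_demands(RECORDS, window_hours=24.0)
    # Generic prior (constructed): mean 3e-3 per demand, worth 100 demands.
    _, _, p_demand = beta_update(3e-3, 100.0, failures, demands)
    # Generic prior (constructed): 1e-4 per hour, worth 5000 running hours;
    # plant data (constructed): 1 running failure in 2000 hours.
    _, _, rate_run = gamma_update(1e-4, 5000.0, 1, 2000.0)
    return failures, demands, p_demand, rate_run


if __name__ == "__main__":
    f, d, p, lam = plant_specific_estimates()
    print(f"counted failures/demands: {f}/{d}")
    print(f"posterior mean demand failure probability: {p:.3e}")
    print(f"posterior mean failure-to-run rate: {lam:.3e} per hour")
```

Without the grouping rule the same records would count as 4 failures in 52 demands, which shifts the posterior mean noticeably for sparse plant data.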

2.1.5 Human Reliability Analysis (HRA)

An HRA is essential in a PRA to identify and evaluate those human actions relevant t analyzed. Given the high degree of hardware reliability and redundancy, human interface in causing, preventing and mitigating an accident. In fact, human errors have been sh to the frequency of core damage and the potential for a large early release. Appropriate m actions in the baseline PRA and in specific risk-informed applications is thus critical.

2.1.5.1 Considerations for the Baseline HRA

Key factors to consider in reviewing (or supplementing or refining) portions of a biis human reliability analysis model, selecting human events to model, screening / excluding quantifying human events, integrating HRA into sequence quantification, and docum areas is discussed below.

Selecting HRA Model / Method

Several HRA methods (including data bases) are available to evaluate and estimate the probab (Ref. 2.12). The strengths and weaknesses of each method should be considered, a appropriate to the human events and situations being analyzed should be sele selected has certain inherent characteristics (as described below).

Identifying and Selecting Human Events

Generally, a baseline HRA identifies and quantifies relevant errors of omission (e initiate a specific action). Currently, methods to address errors of commission (errors have not sufficiently evolved to the point that they are typically included in PRAs. The re are included in a baseline PRA are those human actions that can cause a system or com demanded (referred to as pre-initiators), and those human actions needed to prevent or initiator has occurred (referred to as post-initiators).

A PRA considers pre-initiator human events that could result in an unrevealed unavailability component. At a minimum, these events include restoration errors in returning normal state after completion of testing and maintenance, and miscalibration errors o independent errors and common cause miscalibration where appropriate).

Events should be included that represent:

  • failure to restore equipment to correct standby status as a result of carrying out tests in which the equipment required to respond to an initiating event is realigned away from its required position, and for which the demand signal is bypassed or defeated (e.g., testing of SLC system in BWRs).
  • failure to realign those components (typically valves) which, for the execution of maintenance acts are required to be realigned away from their normal positions, and are either manually operated, or power operated with power removed or automatic realignment disabled.
  • sensors which if miscalibrated could cause failure of a required system to initiate or realign, e.g., steam generator level sensors

l A PRA should s.nasider both response and recovery post-initiaior human events. Response actions include those human actions performed in direct response to the acci.aent (i.e., actions delineated by the emergency operating

procedures). Human response cetions that are included in a PRA are those actions required to manually initiate, i operate control or termmate those system and components needed to prevent or mitigate core damage. The modeled

! response actions include those action needed to ensure that the systems or components meet the requurments of the , l success criteria dermed for those systems or r- 3---- --ts in the systems analysis. l l Recovery actions include those human actions performed in recoverhrg a failed or unavailable system'or component. Recomry actions may also include using systems in relatiwly unusual ways. However, credit for recovery actions may not be giwn unless at least some pros.edural guidance is provided or operators receive frequent training that would lead them to perform the required acnons Recovery accons can alw include restoration and repair of failed equipment (i.e., l hardware failure). Generally. restoration and repair of(LOOP), loss of PCS, loss of diesel generators and loss of DC l huses have been credited. These are usually treated by using actuanal data rather than by HRA methods Table 8.2-10 l. ofNUREG/CR-4550. Volume 1 (Ref. 2.13) prmides acceptable values for these events. NSAC-188 (Ref. 2.10) or

                                                ~

I a later NSAC report such as NSAC-194 is also an acceptable source of data for restoration of offsite power. Due to l the general lack of acceptable data, restoration and repair of other equipment is generally not credited in a PRA. ! 1he human events selected for es3luation in a PRA reflect the actual operating and maintenance practices of the plant. At a minimum, plant walk taroughs, interviews with plant personnel (e.g., training, maintenance, operators, shift l i supervisor, shift technical advisors), and procedure resiew are performed in identifying and selecting the human events j for a PRA. Observation of simulator exercises of the modeled accident sequences can be used to provide additional

information regarding control room operational practices and crew performance Similarly, observations of

! innintenance crew performance can also be made. i 1he HRA should address both the " diagnosis" and "exacttion" portion of each post-initiator human event. Diagnosis ! ss usually assumed to include detecting and evaluating a changed or changing condition and then deciding what ! response is required. Obviously, the complexity can vary, but a diaposis may entail no more than detecting an adention in the control mom and deciding to execute a prescribed response r.ccording to symptom-based emergency { operating procedures (EOPs). Esaluation of the execution of a human action entails exammmg the activities to be 3 ] conducted as indicated by the disposis. i i i 4 Draft NUREG-1602 2 23


In a PRA, post-initiator human events are generally assumed to entail a diagnosis diagnosis phase include those instances when the diagnosis of a previously mo include that for a subsequent event. Failure to explicitly model and evaluate the execution of a human action is appro used stipulates that the likelihood of potential execution failures is included in the d of events. However, relatively complex actions may not be contained within the diagnosis , performed outside the control room). The application of any HRA method assumptions and characteristics of the method are appropriate for the event being provide alternatives for treatment of different types of events.

Screening/Excluding Human Events

There are numerous human events that do not play a "critical" role in initiating, preventing, o A screening analysis can be performed to identify and exclude these events from deta screened human events should be reconsidered for every risk-informed regulatory applicat all of the risk contributing actions are included in the application analysis.

Human events, such as all pre-initiators, generally cannot be excluded from consideration b these events are included in the component hardware data. Many human events (such as m and are not necessarily reflected in the random failure data. Further, their effects can be sub multiple systems and thus can play a key factor in contributing to core damage. In screening human events, the following criteria can be used:

  • If the components that are reconfigured are misaligned but not disabled and would receiv signal on system demand, events associated with realignment of the components ca is already embedded in the selection criteria suggested above.)
  • If the activity is a maintenance activity and a full functional test is carried out on completion o misalignment of components can be screened out.
  • If the status of reconfigured components is indicated in the control room, and the eW fre reconfiguration is low, compared to the frequency of status checking, the failure to out.
  • Quantitative screening values for post-initiator human errors are typically used in t quantification process when the human events are modeled in the event trees as to The screening values assigned should be high enough to ensure that the impact of depende events are not underestimated. If screening values are too low and potential dependenci important sequences may be truncated. If screening values are assigned before the without any examination of the events and potential si#=:ies, screening values not le (assuming that cutset truncation values around 1E-9/ry are used in the quantification p recommended for post-initiator human events.


In the final quantification step, if screening values remain for any of the human events, care should be taken so that this situation does not distort the results. Screening values, by definition, are relatively high probabilities, and when mixed with human events of more realistic values, could erroneously "drive" the results. That is, a sequence could become dominant because it included a human event with a screening value that did not properly represent the actual "reliability" of the operator. Following the initial quantification, all the human events not in the truncated sequences and cutsets should be quantified with a detailed HRA model in order to bring the true significance of human actions to the final results.

Evaluating and Quantifying Human Events

The actual performance of the operators is reflected in the estimated likelihood of an operator failing to diagnose, perform or properly execute the needed action. Therefore, the quantification of the human events, in a PRA, incorporates plant-specific factors and practices. These factors include the following:

  • Plant "conditions" affecting operator performance including:
      - The quality (type and frequency of training) of the operator training, the written procedures and of the administrative controls.
      - The environment (e.g., lighting, heat, radiation) under which the operator is working.
      - The accessibility of the equipment requiring manipulation.
      - The necessity, adequacy and availability of special tools, parts, clothing, etc.
      - The quality of the human-machine interface.
      - The availability of instrumentation needed to take corrective actions.
  • The time available to the operator to determine and perform the desired action, compared with time that is actually needed to determine and perform the action. The available time is accident sequence specific and determined from engineering analysis which includes actual time measurements derived from walk-throughs and simulator observation. The point at which the operators receive relevant indicators is also considered in determining available time. Thermal-hydraulic calculations can be used to help determine the time available for performing required actions.
  • Task characteristics such as the number of subtasks and their complexity.
  • The potential for additional checks (e.g., due to indication of changing plant parameters) on operator actions (immediate recoveries) and the expected arrival of additional support such as an emergency response team.
  • Dependencies and interfaces between the human events and their relationship to the accident scenario including the following:
      - For pre-initiators, the capability of the operator to impact more than one component, train or system is considered. (For example, the likelihood of the operator miscalibrating all level and pressure instrumentation simultaneously should be considered.)
      - For post-initiators, the human event is evaluated relative to the specific context of the accident progression. Therefore, for different accident sequences, the human event is evaluated for each sequence. The influence of previous human actions and system performance are considered relative to their influence on the human event under consideration. Time dependency is also the sense that the total available time should be considered across the entire sequenc if most the total time available is allocated to the first operator action in a sequence, the potential success of remaining actions is impacted.

The following criteria can be used to help ensure that no dependencies exist between hum are truly independent.

  • No common "environmental" factors exist (lighting, temperature, etc.)
  • No common human-related factors exist (e.g., same/similar procedure; common cues, sam multiple calibrations on the same day, etc.)
  • Different personnel are involved in diagnosing and executing the human action or series

Errors made in performance by the original operator can be recovered by the same operator (e.g information) and by other plant personnel (e.g., post-maintenance verification by a separate op technical advisor, role of emergency response team). Total credit for all such "recoveries" should n of 10 (higher credits should be identified and justified). This suggested limit is based on the u with determining the actual independence of the plant personnel and the ability to precisely quantify h performance, particularly considering all the different uncertainties.

Operators can perform numerous activities during an accident to prevent core damage from likelihood of these actions can become questionable if too many or unrealistic operator actions are m all reasonable actions for which time is available can be modeled, it is recognized that an operator or failure in one instance (e.g., failure to follow procedure) has the potential to influence the likelihood of later success. Thus, potential dependencies should be considered and it is recommended that for a gi "crew" (both control room and ex-control room operators plus any and all other personnel such as the response team) failure probability be bounded to reflect resource limitations and other uncertain fac

The above factors are used in determining what data are selected from the various HRA methods i human error probabilities (HEPs). The quantified HEPs are characterized as dictated in the selecte For example, the Technique for Human Error Rate Prediction (THERP) characterizes data as m lognormal distribution. However, the values input into the sequence quantification should be m Depending on the HRA method being used, conversion to a mean might be necessary. Furthe distribution can potentially result in a portion of it being greater than 1.0 (e.g., HEP mean value of 0.8 w factor of 15 will result in the 95% confidence limit being greater than 1.0). In such cases, modification distribution is required. An acceptable approach is the use of the maximum entropy distribution which upper and lower limits.

An essential aspect in the quantification of the human events is a "sanity" check of the HEPs. The ana review the final HEPs relative to each other to check their reasonableness given the plant history and oper practices and with For example, the human events with the relatively higher failure probabilitie events involving more complex difficult activities that are performed under more burdensome, time con stressful circumstances. The human events with the relatively lower failure probabilities are generally events performed under more common, routine and straightforward circumstances.

Integrating HRA Into Sequence Quantification

The human events in a PRA are integrated into the overall model using several methods. Pre-initiator human events are included directly in the system fault trees where the process of model quantification accounts for human error impact on the results. However, post-initiator human errors can be modeled as a top event in the accident sequence development (e.g., event trees), as a basic event in the fault trees, and/or incorporated directly into the cutsets. However post-initiator events are incorporated into the models, care should be taken so that the actual human error probability used in the quantification process addresses dependencies between operator actions, sequence timing, and the other factors influencing the HEP. The attributes for this incorporation are provided in Section 2.1.6.

2.1.5.2 Application Impact Considerations

It is possible that a particular change to a plant's CLB may influence the HRA models and results. Proper use of PRA in a risk-informed regulatory application requires that the impacts of proposed plant or procedural changes be included in the PRA. The actual nature of impact will be application specific. However, in general, the proposed change should be evaluated for the impact on the following HRA considerations:

  • The appropriateness of the selected HRA methodology.
  • Identify if any new human event may occur as a result of the CLB change. Alternatively, determine if an existing human action modeled in the baseline PRA is no longer of concern due to the CLB change.
  • Review the human actions excluded in the baseline PRA to ensure the exclusion is still appropriate for the CLB change evaluation.
  • Identify if the CLB change would impact any factor used in quantifying the baseline PRA human events and modify the quantification as appropriate.
  • Identify if the CLB change would impact human events included in the evaluation of the containment performance during a severe accident.

2.1.5.3 Interfaces with Other Tasks

The HRA portion of a PRA interfaces with several other PRA tasks. Beginning with the initiating event task, the HRA may be used to support the identification of human-related initiating events. The HRA task also identifies the human events to be included in the plant logic model (i.e., the human error events included in the event tree structure) and in the systems models (both pre-accident human errors and response actions). The quantification of post-accident human error probabilities is performed within the context of the accident sequence cutsets and thus can only be performed after a preliminary quantification of the PRA model provides the combination of events and their timing that result in core damage. The HRA also provides support to the Level 2 portion of a PRA. Human actions required to mitigate a core damage accident and prevent a release can be evaluated using the same techniques used in the Level 1 analysis.

2.1.5.4 Documentation

The documentation of an HRA should be sufficient that a peer reviewer can reproduce the the following information pertinent to the baseline HRA should be documented HRA should be documented for each CLB change application evaluation.

  • A list or general description of the plant information that was used in the HRA.
  • A list of all human actions evaluated (both pre- and post-initiator).
  • A list of all HEPs for each human action.
  • A list of factors used in the quantification of the human actions, how they were derived they were incorporated into the quantification process:
      - time available versus time required
      - dependencies
      - plant specific PSFs
      - diagnosis and execution.
  • Source of data used to quantify human actions.
  • Screening values and their bases.
  • Any assumptions that were made in the human reliability analysis, as well as the and their impact on the final results.

2.1.6 Accident Sequence Quantification

The model results include point estimates, as well as results of uncertainty analyses and app measures and sensitivity analyses, to the extent that these provide additional ins Factors important to the accident sequence quantification task are discussed in this section.

2.1.6.1 Considerations for the Baseline PRA

Selecting the Quantification Model/Code

Several accepted computer codes are available to perform the quantification, howeve should be benchmarked. The computer codes can use the rare event approximation when 0.1. However, use of the minimal cutset upper bound is always suggested as a minimu results. The code should be capable of accounting for system successes in addition to system This can be accomplished using either complementary logic or a delete term of accident sequence cutsets.

The use of importance measures is provided in Appendix A.

approximation used in many existing codes. In either case, success probabilities of equipment failures errors are used in the computation when the probability is not close to 1.0.

Initial sequence quantification can be performed using point estimates. The values used are the mean values of the probability distributions for the basic event failure probabilities. As previously indicated in Section 2.1.5, when screening values are used for post-initiator human error probabilities during the initial quantification they should be selected to ensure that no potentially important accident sequence cutsets are Cutsets generated from the initial quantification should be reviewed to eliminate invalid cutsets. Final quantification should be performed to replace the post-initiator human screening values with appropriate human error values discussed subsequently.

Selecting Truncation Values

Truncation is an iterative process of eliminating accident sequences and cutsets from further consideration, based on low frequency of occurrence. This truncation is done to simplify the quantification process and make it less time intensive. Truncation is generally performed on a cutset level during the evaluation of each accident sequence where all cutsets of a frequency less than the selected truncation limit are eliminated. Cutset truncation based on the order of the cutset is not performed because cutset order is independent of the quantitative significance of the cutset. Sequences with low frequencies can be truncated in either the initial or final quantification process, but the truncation should be performed to avoid missing any accident sequences that significantly contribute to the model estimation of total core damage frequency. At least 95% of the total core damage frequency and 95% of the early and late release frequencies should be expressed in the model results.
Also, it should be verified that lowering the truncation limit does not significantly increase the model estimation of total core damage and release frequencies. Truncation has to be considered both before and after operator recovery actions are applied to avoid discarding important sequences. The final truncation limits can be established by an iterative process of demonstrating that the overall model results are not significantly changed and that no important accident sequences are inadvertently eliminated. As a guide, a truncation value that is four orders of magnitude lower than the final CDF is usually sufficient. Note that the process of quantification including truncation should be performed for each risk-informed regulatory application of the PRA since the impact of the regulatory change can potentially impact which cutsets and sequences can and cannot be truncated.

Integrating HRA Into the Quantification Process

Besides the incorporation of human error events directly into the event or fault tree models, events depicting the non-recovery probability of proceduralized (or otherwise expected) human actions to mitigate an accident sequence should be added during the quantification phase of the analysis. The number of operator recovery actions added to an accident sequence should be limited to "reasonably expected" operator actions. Reasonably expected means that the operator actions are specified in procedures and do not consist of heroic type actions. Also, as discussed in the previous section, the total credit of post-initiator human actions for a given sequence or cutset should be reasonably bounded (e.g., not less than 1.E-6/ry).

Regardless of the type of human error, care should be taken to identify dependencies among multiple human error events which occur in individual cutsets so that the combined human error probability is not optimistically evaluated. This implies that cutset-specific timing and conditional information should be used in the calculation and application of post-initiator operator actions and other recovery actions. Application of s generally be performed

Estimating Uncertainties

The use of PRA in risk-informed regulation should take into account the poten estimate can be made of the confidence level applied to the quantitative result The mean values obtained from the PRA are used in the decision making proce decision making process does not, however, resolve the need to quantify the (to those important uncertainties involved in the PRA and particularly in the risk informe PRA.

There are two general types of uncertainty. "Parameter uncertainty" results fro failure rates used in the models. "Model uncertainty" occurs when alternate represent the accident sequence behavior. (This includes concerns about significant phenomena).

Parameter uncertainty should be incorporated into the model. This involves prop calculated in the data analysis task through the PRA models. Events in the PRA repre failure with the same failure rate are correlated in the uncertainty analysis (correla resulting core damage frequency uncertainty distribution). To the extent practic be incorporated into the PRA. This can involve applying weights to different models and prop these models through the entire PRA. An alternative is to perform sensitivity analyse different models.

Acceptable methods for performing uncertainty analysis include Monte Carlo s Latin Hypercube Sampling. Equivalent means of propagating uncertainties m used for the uncertainty analysis should have been benchmarked to verify that d the uncertainty analysis should be performed for each risk-informed regulatory ap accident sequences (i.e., the sequences reflecting 95% of the CDF and 95% of In addition, the uncertainty analysis should be performed using a large enou the results.

Computing Importance Measures and Performing Sensitivities

The sensitivity of the model results to model boundary conditions and other k sensitivity analyses to look at key assumptions or parameters both individually or in combinations analyzed should be chosen such that interactions among the varia fully accounted for. Areas typically needing evaluation using a sensitivity analysis are modelin error probabilities, common cause failure probabilities, and safety function sensitivity analyses are needed to provide some confidence in the PRA res regulatory applications.

In performing sensitivity analyses, the analyses s significantly influence the results (e.g., dominant accident sequences an analyses should be performed by requantifying the entire PRA model unless it can be s accident sequences and cutsets are impacted.

Importance measure calculations should be performed to provide information regarding the and basic events to the model estimation of total core damage frequency. Typical importance measures are Fussell-Vesely, risk achievement, risk reduction and Birnbaum. The definition and use of importance measures are discussed in Appendix A.
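The quantification steps of Section 2.1.6.1 (rare event approximation versus minimal cutset upper bound, cutset-frequency truncation with a convergence check, and Monte Carlo propagation with correlated events) are worked through below as an added Python example; it is not code from NUREG-1602 or from any PRA code the guide refers to. The sequence, event names, probabilities and error factors are constructed, the error factor is assumed to be the ratio of the 95th percentile to the median, and sampled probabilities are simply capped at 1.0 rather than fitted to a bounded distribution.

```python
import math
import random

# Constructed sample model (not from NUREG-1602): one accident sequence.
IE_FREQ = 1.0e-2   # initiating-event frequency per reactor-year (assumed)
# name: (mean probability, error factor, data group). Events in the same data
# group are quantified from one failure-rate estimate. All values are made up.
BASIC_EVENTS = {
    "PUMP_A": (3.0e-3, 3.0, "pump"),
    "PUMP_B": (3.0e-3, 3.0, "pump"),
    "VALVE": (1.0e-3, 3.0, "valve"),
    "DG": (2.0e-2, 3.0, "dg"),
    "HEP_1": (5.0e-2, 5.0, "hep1"),
    "BUS": (2.0e-5, 10.0, "bus"),
}
CUTSETS = [("PUMP_A", "PUMP_B"), ("DG", "HEP_1"), ("VALVE", "HEP_1"),
           ("BUS",), ("PUMP_A", "VALVE", "DG")]
POINT = {name: spec[0] for name, spec in BASIC_EVENTS.items()}  # mean values


def cutset_freqs(probs):
    """Frequency of each minimal cutset: IE frequency times event probabilities."""
    return [IE_FREQ * math.prod(probs[e] for e in cs) for cs in CUTSETS]


def quantify(probs, trunc=0.0):
    """Return (rare-event sum, minimal cutset upper bound) over cutsets >= trunc."""
    kept = [f for f in cutset_freqs(probs) if f >= trunc]
    rare = sum(kept)
    # Upper bound on the conditional probabilities, rescaled by the IE frequency.
    mcub = IE_FREQ * (1.0 - math.prod(1.0 - f / IE_FREQ for f in kept))
    return rare, mcub


def coverage(probs, trunc):
    """Fraction of the untruncated sequence frequency retained at this limit."""
    return quantify(probs, trunc)[0] / quantify(probs)[0]


def truncation_sweep(probs, start_exp=6, max_exp=15, tol=0.01):
    """Lower the limit 10**-k one decade at a time until the result grows by
    less than tol. Returns (k, frequency, history of (k, frequency))."""
    history, prev = [], None
    for k in range(start_exp, max_exp + 1):
        freq = quantify(probs, 10.0 ** -k)[1]
        history.append((k, freq))
        if prev and (freq - prev) / prev < tol:
            return k, freq, history
        prev = freq
    return max_exp, prev, history


def lognormal_mu_sigma(mean, ef):
    """Lognormal parameters from a mean and EF = 95th percentile / median."""
    sigma = math.log(ef) / 1.645
    return math.log(mean) - 0.5 * sigma ** 2, sigma


def monte_carlo_mean(correlated, n=20000, seed=1602):
    """Mean sequence frequency from Monte Carlo sampling. With correlated=True,
    events in one data group share a single sampled value per trial."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n):
        draws = {name: rng.gauss(0.0, 1.0) for name in BASIC_EVENTS}
        group_draw, probs = {}, {}
        for name, (mean, ef, group) in BASIC_EVENTS.items():
            z = group_draw.setdefault(group, draws[name]) if correlated else draws[name]
            mu, sigma = lognormal_mu_sigma(mean, ef)
            probs[name] = min(1.0, math.exp(mu + sigma * z))  # simple cap at 1.0
        total += quantify(probs)[1]
    return total / n


if __name__ == "__main__":
    rare, mcub = quantify(POINT)
    print(f"rare-event sum {rare:.4e}/ry, min cut upper bound {mcub:.4e}/ry")
    k, freq, history = truncation_sweep(POINT)
    for exp, value in history:
        print(f"  limit 1e-{exp}: {value:.4e}/ry, coverage {coverage(POINT, 10.0 ** -exp):.3f}")
    print(f"converged at 1e-{k}; guide limit (CDF x 1e-4) = {freq * 1e-4:.1e}/ry")
    print(f"MC mean, independent sampling: {monte_carlo_mean(False):.4e}/ry")
    print(f"MC mean, correlated sampling:  {monte_carlo_mean(True):.4e}/ry")
```

In this constructed model a limit of 1E-6/ry retains less than 95% of the sequence frequency, and sampling the two pumps from one shared failure-rate draw raises the mean relative to independent sampling.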

2.1.6.2 Applications Impact Considerations

It is quite likely that proposed changes to the CLB will impact the results of this task. The pro be reviewed to determine if they result in:

  • Previously truncated cutsets becoming important;
  • Reordering of sequences based on their importance;
  • Changes in the uncertainty analysis;
  • A need for additional sensitivity analyses to be performed;
  • Changes in results of importance analyses;
  • Different operator recovery actions.

2.1.6.3 Interfaces with Other Tasks

The systems analysis task may provide information needed to debug the quantification task (e.g., e cutsets exist, or show where errors were made in modeling). The data analysis task will provide input data for the model to be quantified. The sequence analysis task provides the framework for the model which is quantified. The output of the quantification task (e.g., the cutsets) can be used to find any errors in the modeling also used to provide insights about the plant's risk profile.

2.1.6.4 Documentation

The following information regarding the PRA quantification should be documented:

  • A general description of the quantification process including accounting for systems successe values used, how recovery and post-initiator human errors are applied, and a description of the computer codes used.
  • The total plant CDF and contributions from the different initiating events and accident classes.
  • A list of the dominant accident sequences and their contributing cutsets. (A dominant accident sequence a frequency perspective, rather than a risk perspective, is defined here as one whose contribution CDF is greater than 1%)
  • Equipment or human actions that are the key factors in causing the accidents to be non-dominant.
  • The results of all sensitivity studies.

  • The uncertainty distribution for the total CDF and for each dominant accident sequence.
  • Importance measure results, including at least Fussell-Vesely, risk reduction,
  • A list of mutually exclusive events eliminated from the resulting cutsets and t
  • A list of all sequences retained after the final quantification, including a brief d its CDF.
  • Records of the actual quantification process such as file manipulations, settin logic either on or off, etc.
  • Records of the process/results when adding non-recovery terms as part of the fin
  • Records of the cutset review process and any manipulations therein such as elimin requantifying multiple but dependent human errors in the same cutset, etc.

2.2 Internal Flooding Analysis

While the internal flooding analysis of a PRA uses much the same processes and ha traditional full power internal events PRA (Section 2.1.1), the internal flooding analys of work to define and screen the most important flood sources and possible scenarios The major tasks associated with the Level 1 portion of an internal flooding analysis include:

  • Flood source and propagation pathway identification and screening
  • Flood scenario identification and screening
  • Flooding model development and quantification.

The information developed during the flooding source and propagation pathway used to identify and quantify the flood scenarios. Results from the identification scenarios are then used in the flooding model development and quantification tas event identification and exclusion portions of the full power internal events PRA, t consideration of different plant characteristics with particular emphasis on the spa Consideration of structures, barriers, drainage designs, and different failure mod equipment, water spray on electrical equipment) are examples of aspects internal flooding analysis that are not necessarily addressed in the traditional in flooding scenarios have been screened for detailed quantification, the third t quantification aspects already carried out in the internal events analysis with re

Three scoping attributes should be met to better ensure completeness of the a not only floods as initiating events, but also include the possibility of flooding occu other initiator. Second, both water and steam source effects (i.e., jet impingem and cWarion) should be considered. Finally, flooding induced by both equipment faih induced events (such as failure to properly isolate a potential flood source before

Attributes that are unique to the internal flooding analysis (compared to the internal events analysis) are addressed below.

2.2.1 Considerations for the Baseline PRA

2.2.1.1 Identification and Screening of Flood Sources, Propagation Pathways, and Flood Scenarios

The first two tasks identified above are performed together in a somewhat iterative manner because there are numerous interactions between the tasks. The guidance provided in NUREG/CR-4832 (Ref. 2.14) can be used for performing the specific steps necessary to identify and screen the flood scenarios. These specific steps are not reproduced here; however, certain overarching attributes that should be met in performing a sound baseline internal flooding analysis are highlighted below.

All substantial water and steam sources should be carefully screened. As a minimum, possible sources should include piping, valves, pumps, tanks, heat exchangers, room coolers, chillers, fire suppression systems (including both inadvertent actuation and piping failures), relief valves, potentially large bodies of water in the plant (such as the suppression pool in BWRs and the spent fuel pool), and nearby reservoirs, lakes, rivers, and oceans that are connected to the plant through some plant systems or structures (such as the ultimate heat sink that is connected to the plant through service water system). Any qualitative arguments used to screen or otherwise eliminate flood sources (e.g., small size, location arguments, effects are similar and greater for another flood source, etc.) should be well documented and based on sound engineering principles and judgment. While probabilistic arguments can be used at this stage, they should meet the initiating event exclusion principles provided in Section 2.1.1. Both leakage and rupture failure modes should be considered as well as the potential for human-induced flooding.
Sources and locations of concern (particularly the identification of propagation pathways) should be supported by actual walkdowns of the plant. Flood zone definitions should consider the existence of barriers and drains that can confine the flood to an area. Propagation paths from one flood zone to another should consider stairways, doorways, leks floor and wall penetrations and cracks, drain lines, HVAC ducts, piping/conduits, etc., and should consider the potential failure of barriers to propagation (e.g., normally closed door failing open once the flood water reaches a certain height behind the door). Any assumptions or other judgment used to define and screen out possible locations and pathways should be documented and based on analyses, calculations, or sound engineering judgment. Isolation arguments should consider methods of detection, access, and available means to isolate or otherwise mitigate the flood source, and the time to carry out appropriate actions. In addition, the availability of other flood mitigation systems or actions such as drain lines or sump pumps need to consider sizing and the potential for plugging. With regard to determining possible flowrates, the analyst should consider whether forced flow (such as from an active pump) or passive flowrates are expected.

The above information leads to the formulation of possible flood scenarios that should be considered. These scenarios are more completely defined by considering what (and how) equipment is affected in the context of the possible accident sequences that can lead to core damage (as indicated by the internal events analysis). It is therefore important that the possible flood-induced failure modes (i.e., susceptibility) of equipment be considered besides the random failures of equipment covered in the internal events analysis. Any guidance used in the flooding analysis with regard to the failure modes to be considered should be clearly defined and have a reasonable basis.
For instance, electrical equipment (buses, motor control centers, batteries, inverters, motors for valves and pumps and fans, etc.), if submerged, or exposed to a high steam environment should be assumed to short out and therefore be unable to operate, at least during the screening steps conducted in the analysis. Mechanical equipment may be considered to fail under special circumstances such as when HVAC ducting is flooded and fails because of the Screening of potential accident g- on the basis of what equipment is or is not affected as w of the above failure modes, should be clearly identified and supported.

Draft, NUREG-1602 2-33

2.2.1.2 Flooding Model Development and Quantification

With some modifications, the modeling of the resulting unscreened scenarios uses many of the s. The (typically event trees) and system failure models (fault trees) used in the traditional interna mitigating system fault trees should be modified to account for possible combinations of fl random failures of equipment. The types of initiating events resulting from internal floods shou transients but also LOCAs induced through spurious valve operation. As stated earlier, considera to both floods as initiators as well as floods that occur during or as a result of some other transien for multiple initiating events should be reviewed. The internal event trees can generally be u should also reflect additional mitigating systems and actions as appropriate.

The quantification portion of the analysis is essentially the same as described in Section 2.1.6 the potential for new or more severe PSFs when considering human failure probabilities and However, an initial bounding quantification can be performed using pessimistic assumptions on flood equipment susceptibility. Flooding scenarios that survive such bounding assessments should be requantified refined estimates of the flooding impacts (obtained through engineering analysis) to provide a realistic

2.2.2 Application Impact Considerations

In general, the application impact considerations that impact the internal event models identified applicable here. In addition, application impacts on the flooding specific portions of the analy addressed.
For example, if an application has the potential of increasing the failure probability as then the screening performed as part of the original flooding analysis should be reexamined to dete the new failure probability has on the screened scenarios. Areas that should be reviewed include:

  • The potential for the introduction of a new flooding source or the removal of an existing flood source.
  • The potential for changing the flood propagation potential for an existing or new flood source.
  • The mitigation of a flood source (e.g., isolation) may possibly be affected and should be reviewed.
  • The impact of a flooding event on accident mitigating equipment may be altered by a plant modification and should be reviewed.
  • The potential for new or additional initiating events resulting from plant modification and impacts on the models used in the accident sequence quantification (i.e., event trees, fault trees, and HRA) should also be reviewed.


2.2.3 Interface with Other Tasks

This task uses extensively the information gathered and models developed in the internal event analysis. In particu the fault trees and event trees developed for internal events are modified and used for modeling floods.

2.2.4 Documentation

The process of identifying flood sources, flood pathways, flood scenarios, and their screening, and internal flood development and quantification should be documented for both the baseline PRA and any Mhons made in analyzing a modification to the plant CLB. In addition to the information normally documented in a traditional internal events analysis, at a minimum, the following information should be documented for an internal flooding analysis:

  • a definition of the flood zones used in the analysis and the reason for eliminating any of these areas from further analysis,
  • a list of flood sources considered in the analysis and any rules used to eliminate these sources,
  • a discussion on the propagation pathways between flood zones and any assumptions, calculations, or other bases for eliminating any of these propagation pathways,
  • a listing of accident mitigating equipment located in each flood zone not screened from further analysis,
  • a list of any assumptions concerning the impacts of submergence, spray, temperature, or other flood-induced effects on equipment operability,
  • a discussion of how the internal event analysis models were modified for the internal flooding analysis,
  • a list of the flood frequencies and component failure probabilities from flood effects and their bases, and
  • a discussion of any calculations or other analyses used to refine the flooding evaluation.

2.3 Internal Fire Analysis

A full power internal fire PRA utilizes the same overall analysis approach and procedures used in performing a full power traditional internal events PRA (Section 2.1). In fact, there are many points of commonality between the traditional internal events analysis and an internal fire risk analysis. These include the use of the same fundamental plant systems models (event trees and fault trees), similar treatment for random failures and equipment unavailab factors, similar methods of overall risk and uncertainty quantification, and similar methods for the plant recovery and human factors analysis. Consistency of treatment of these commonalities is an important feature in a fire risk analysis. It is also !vpd that the documentation of an internal fire risk analysis parallel that of a traditional internal events PRA, with supplemental documentation of the unique fire related aspects of the analysis provided as necessary.

Although the overall evaluation process is the same, there are differences in the events postulated to occur in response to an internal fire event as compared to those from a traditional internal event. These unique features should be d for in a sound baseline fire risk analysis. The r.m differences between a traditional internal events analysis and an internal fire analysis are as follows:

  • Physical Plant Partitioning - physical partitioning of the plant into fire analysis areas and zones
  • Equipment Identification and Mapping - identification of plant components not typically considere internal events analysis, including in particular electrical power, instrumentation, and control cables, and mapping of such equipment to specific locations
  • Fire Source Identification and Quantification - identification of ignition sources and quantification of their frequency
  • Fire Growth and Spread Quantification - determination of fire growth and spread
  • Fire Damage Assessment - the assessment of fire induced damage to plant equipment
  • Fire Detection and Suppression - determination of the effectiveness of fire detection and suppression
  • Human Intervention and Plant Recovery - identification of the impact of a fire event on the possibility and likelihood of post-fire human actions (including the impact of contradictory or failed indication).

The major analysis elements described in Section 2.1 for a traditional internal events analysis are also appl an internal fire analysis. Differences that arise come from the fact that the fire analysis has to account for the effec of the fire and should provide for the specific treatment of the actual fire phenomena associated with the postula fire event as presented above. A fire analysis generally consists of three phases:

  • initial area screening,
  • secondary area screening, and
  • a detailed analysis.

The initial area screening phase of the analysis identifies the limited subset of plant fire areas which should be considered for more detailed analysis. This initial screening is based on consideration of the nature of the components/systems located within a fire area without specific consideration of the phenomena involved in growth and damage processes. The components located within a given fire area are identified and the impa failures on plant systems are ==d to determine the potential for a fire in the fire area to represent an initiati event.

The secondary area screening phase is then applied to further refine the areas requiring detailed quantifica inclusion of a rudimentary treatment of the fire phenomena. This secondary screening process may be performed at progressive levels of detail. Initially, the secondary screening analysis includes a high estimate of the to frequency from all fire sources in a particular area, with the further assumption that all fires would result in damage to all equipment in the affected area with a probability of 1.0. If the resulting fire risk estimate falls below t specified truncation value, then the area requires no further consideration. If an area cannot be truncat then further screening can be applied in which low estimates of fire intervention factors are introduced. However, as the analysis becomes more refined, the level of detail considered should also become more refined, result "blurring" of the "line" between a secondary screening analysis and a detailed area quantification (see next par

For example, if some credit for successful fire suppression before critical fire damage is to be gi should include consideration of physical factors which might make it unrealistic to assume that intervention w successful. A typical example of this would be a case in which a critical cable was located directly abo potential fire source such as a switchgear cabinet such that if the fire were to be ignited, then da a very short time.

For the subset of fire areas which survive the initial and secondary screening phases of the analysis, a detailed quantification of the fire risk for each fire source postulated to exist in that fire area is performed. point in the analysis, the fire areas defined in the screening analyses are further partitioned into fire quaren== This partitioning essentially results in the definition of what specific components are cons threatened by a fire event.

As part of each phase in a fire PRA, the potential effects of a fire within a single fire area or zone and th inter-area and inter-zonal considerations (i.e., the effects of multiple fire areas or fire zones in combination to represent significant contributors to fire risk) are determined. The assessment of the potential that a fire in one fire area or z might impact equipment in an adjacent fire area or zone is particularly important for the high hazard fire are which a fire might threaten even a three-hour rated boundary), zones bounded by fire barriers of less than three-hour rating, and fire areas or zones separated by active fire barrier elements (such as normally open fire doors, water curtains, ventilation dampers, etc.).
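The screening sequence described above, from initial area screening through the bounding secondary screen to the refined secondary screen, is sketched below as an added example that is not part of the NUREG text. The cut sets, component and cable names, frequencies, probabilities and the truncation value are all constructed, and combining cut sets with the min-cut upper bound is an assumption of the sketch; the same bounding logic applies to the pessimistic bounding quantification of flood scenarios in Section 2.2.1.2.

```python
"""Progressive fire-area screening sketch. All data below is constructed."""
from math import prod

# Constructed minimal cut sets: core damage if every event in one set fails.
CUT_SETS = [
    {"AFW_PUMP_A", "AFW_PUMP_B"},
    {"AFW_PUMP_A", "BUS_B"},
    {"BUS_A", "AFW_PUMP_B"},
    {"BUS_A", "BUS_B"},
    {"DC_BATTERY"},
]
# Constructed random failure probabilities from the internal events model.
RANDOM_FAILURE = {"AFW_PUMP_A": 2e-2, "AFW_PUMP_B": 2e-2,
                  "BUS_A": 1e-3, "BUS_B": 1e-3, "DC_BATTERY": 1e-4}
# Cables are mapped to the component they serve (hypothetical names).
CABLE_TO_COMPONENT = {"CBL_BUS_A_PWR": "BUS_A", "CBL_BUS_B_PWR": "BUS_B",
                      "CBL_AFW_A_CTRL": "AFW_PUMP_A"}
TRUNCATION = 1e-7  # assumed truncation value (core damage per reactor-year)

# Constructed fire areas. fire_frequency is a high estimate summed over all
# sources in the area (per reactor-year); p_no_intervention is a pessimistic
# probability that the fire is not suppressed before damage occurs.
AREAS = {
    "yard_storage": dict(equipment=[], causes_initiator=False,
                         fire_frequency=2e-3, intervention_credible=True,
                         p_no_intervention=0.5),
    "office_annex": dict(equipment=[], causes_initiator=True,
                         fire_frequency=1e-4, intervention_credible=True,
                         p_no_intervention=0.5),
    "corridor_12": dict(equipment=[], causes_initiator=True,
                        fire_frequency=3e-4, intervention_credible=True,
                        p_no_intervention=0.5),
    # Critical cable directly above the switchgear cabinet: damage is assumed
    # too fast for suppression credit, so intervention is not credited.
    "swgr_room_a": dict(equipment=["BUS_A", "CBL_BUS_B_PWR"],
                        causes_initiator=True, fire_frequency=1e-3,
                        intervention_credible=False, p_no_intervention=0.5),
    "afw_pump_room_a": dict(equipment=["AFW_PUMP_A"], causes_initiator=True,
                            fire_frequency=5e-3, intervention_credible=True,
                            p_no_intervention=0.5),
}


def affected_components(equipment):
    """Map cables to their components and keep only modeled basic events."""
    resolved = {CABLE_TO_COMPONENT.get(item, item) for item in equipment}
    return resolved & set(RANDOM_FAILURE)


def ccdp(fire_failed):
    """Conditional core damage probability with fire-failed events set to 1.0.

    Fire-induced failures are combined with random failures of the remaining
    equipment; cut sets are combined with the min-cut upper bound.
    """
    survive = 1.0
    for cut_set in CUT_SETS:
        p_cut = prod(1.0 if event in fire_failed else RANDOM_FAILURE[event]
                     for event in cut_set)
        survive *= 1.0 - p_cut
    return 1.0 - survive


def screen_area(area):
    """Return (phase_reached, risk_estimate) for one fire area."""
    failed = affected_components(area["equipment"])
    # Initial screening: no modeled equipment and no initiating event.
    # Areas with modeled equipment but no direct initiator are kept, since
    # operators might shut the plant down on a preventative basis.
    if not failed and not area["causes_initiator"]:
        return "screened-initial", 0.0
    # Secondary screening, bounding pass: every fire damages all equipment
    # in the area with probability 1.0.
    risk = area["fire_frequency"] * 1.0 * ccdp(failed)
    if risk < TRUNCATION:
        return "screened-secondary", risk
    # Secondary screening, refined pass: credit intervention only where
    # physical factors do not make successful intervention unrealistic.
    if area["intervention_credible"]:
        risk *= area["p_no_intervention"]
        if risk < TRUNCATION:
            return "screened-secondary-refined", risk
    return "detailed-quantification", risk


def screen_all():
    """Screen every constructed area; returns {name: (phase, risk)}."""
    return {name: screen_area(area) for name, area in AREAS.items()}


if __name__ == "__main__":
    for name, (phase, risk) in screen_all().items():
        print(f"{name:16s} {phase:28s} {risk:.2e}")
```
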
Consideration should be given to the likelihood that fire barrier penetration seals might fail under certain types of fire conditions (such as larger fires or fires immediately proximate to the seals).

Within each of the assessment phases, the fire-specific differences between a traditional internal events analysis and an internal fire analysis should be dealt with. The level of detail applied to the assessment of each of these spec differences depends largely on the phase of the fire analysis. That is, the screening phases may include only a rudimentary treatment of certain differences, whereas the detailed quantification phase will require a specifi comprehensive treatment of each difference. Attributes for each specific difference are presented in the fo sections. In addition, fire-unique attributes for each of the PRA analytical tasks identified in Section 2.1 are provide

2.3.1 Considerations for the Baseline PRA

This section provides the attributes of a detailed fire PRA that could be utilized as the base model in the ev of a CLB modification. The fire-specific aspects of the PRA are discussed as well as the interfaces with the internal event PRA models.

2.3.1.1 Defining Fire Areas or Fire Zones

Since the physical partitioning of the plant effectively defines which components and systems will be consi simultaneously vulnerable to a common fire event (with the exception of the final inter-area or inter-zonal fire an stage), the partitioning process significantly impacts the final analysis results.

The terms fire area and fire zone are widely used in fire risk assessment and are also recognized terms with definitions in the context of fire protection. A fire area is generally defined in the fire protection context as a physical region which is fully bounded by three-hour rated fire barrier systems (as certified by the ASTM E119 fire perfo test). The above traditional fire protection community definition of a fire area is consistently applied in fire risk analyses, but it should be r-a=W that the term fire zone can represent many different levels of physical separ That is, the term fire zone has a more flexible and judgmental definition, and is generally associated with any region bounded by lesser fire barrier elements. In some cases fire zones can be defined in with no specific physical boundary elements which are nonetheless considered s influence for any fire in that region. For example, a multi-level fire area separated by equipment hatches might be defined for the purposes of analysis as several an open pathway between the zones. Similarly, a physical region of twenty feet intervening combustibles (an Appendix R provision) can be cited as defining the of any physical barrier between adjacent fire zones. Since there is flexibility in t analysis should define each fire zone identified and used in the analysis.

With respect to the three analysis phases identified above, a fire PRA can use the follo

  • Initial area screening is based on the consideration of fire areas as traditionally defi context. Fire zones, as used in fire risk assessments, are not used.

  • Secondary area screening is initially based on the use fire areas 2. As the screening becomes progressively more detailed, the use of fire zones becomes acceptable as long as such use is supported consideration of the fire phenomena involved. (NOTE: This is generally inconsisten screening process, but is acceptable if all relevant fire phenomena are considered.)
  • Detailed area quantification is based on the use of fire areas or fire zones, whichever is a

2.3.1.2 Equipment Identification and Mapping

The critical plant systems and components of interest to the analysis should be ide an examination of the risk important systems considered in the traditional internal e Section 2.1, supplemented by consideration of fire-related plant documentation suc WM and verified by plant walkdowns. Consideration of only the plant Appendix R sy2 e basis for analysis in a fire PRA. Electrical cables (power, instrumentation, and con components should be included in this assessment.

After identifying the equi -pts identified should be traced to specific plant locations. This step can involv example, for the purposes of initial screening, mapping a piece of equipment secondary screening, mapping to fire areas or fire zones is warranted. In contrast, Thisis del tone fire risk requires that the equipment be mapped to very specific locations within the fire are because the area of influence of most fires will be limited to a subset of the fire are of the critical equipment to the fire source will directly and profoundly impact the timing

2.3.1.3 Fire Source Identification and Quantification

The fire analysis should both identify possible fire sources in a given plant loc which each of those fire source might initiate a fire event. This includes both fixed fire so electrical panels, switchgear, transformers, fuel and oil storage media, hot pip electrical cables, etc.) and transient sources (trash, maintenance activities including e of liquid or gaseous flammable material leaks, short term storage items, long t data base is typically used to support this part of the analysis. In general, a fire sources. Consideration of only the single most significant or largest fire source considered an adequate basis for the analysis. This is because the fire threat i the largest or most significant perceived fire threat may not, in fact, represent the bounding condition in the context of fire risk.

2.3.1.4 Fire Growth and Spread Quantification

The fire analysis should also quantify the potential for an initial fire source to both grow within the limits of that initial fire source and for the fire to spread to other nearby flammable materials by considering the maximum credible size (both the intensity and physical extent) associated with the initial source and the potential for that fire source to ignite other nearby materials. The analysis of fire growth within the initial fire source may be based on either a fire computer model or on available test data, but the analysis of fire spread to other nearby materials requires the application of a proven fire growth computer model of some type.

2.3.1.5 Fire Damage Analysis

Based on the fire growth analysis, a prediction is made as to how the fire will impact the environment surrounding the critical components of interest and in turn how that environment will impact the operability of those components. In a fire PRA the timing of equipment damage is one of the two most critical factors to be determined (the w=1 is fire detection and suppression, discussed in the next section below). In order to pass beyond the initial screening steps to final quantification, the analysis should consider not only if damage will likely occur, but also the time interval between ignition of the fire and the onset of equipment damage. This process should include the identification of both the modes or mechanisms of fire damage (typically simple heating of the component but also potentially including smoke deposition) and the threshold exposure associated with the onset of equipment damage (such as damage temperature).
2.3.1.6 Fire Detection and Suppression

In general, the quantification of fire risk involves an assessment of the competing process of fire growth and damage behavior and that of fire intervention through detection and suppression (unless it is judged that time to damage is very short). The analysis of fire detection and suppression, including the timing of these intervention mechanisms, is the second of the two most critical factors associated with a fire risk analysis. This is a multi-path process which should include consideration of both fixed systems and manual intervention (both the detection and suppression events may involve actions by either fixed fire protection systems or plant personnel). The detection and suppression analyses should be linked (detection alone is largely worthless without suppression, but suppression should be predicated on fire detection unless fire self extinguishment is postulated), and the fire damage and fire intervention analyses should be performed on a consistent basis because comparison of fire damage times to fire intervention times is the ultimate driving force for the risk quantification. Hence, both parts of the analysis should be based on consistent treatment of the relevant fire phenomena.

In addition to the potential for the fire itself to damage the critical equipment of interest, a fire analysis should consider the possibility that application of fire suppressants (e.g., water, Halon or Carbon Dioxide) might also lead to supplemental equipment damage. This aspect of the analysis requires consideration of both the potential effects of the fixed fire suppression systems and the possible intervention by fire fighting personnel. The most difficult aspect of this analysis typically involves the manual intervention aspects. This is because the analysis should include consideration of fire fighting access routes, the potential for the build-up of a dense smoke layer (which would increase the Ibu=i of misdirected water sprays), and the level of training and pre-fire planning provided to the fire fighting personnel.

2.3.1.7 Human Intervention and Plant Recovery

The final step in quantification involves an assessment of human intervention and pla event by using the same process as that used in the traditional internal events ana level of operator stress, and hence, the likelihood that operators might make mistak be considered. Second, the presence of a fire in a given area is generally assumed to preve taking recovery actions which require access to or through the affected fire area until w extinguished. If operator initiated repairs (recovery) of equipment damaged in a fire is should be provided that demonstrates the operator's ability to make the repairs. This analysis should also include careful examination of the plant's alternate shutdown capability for certain plant fire scenarios involving the main control room or cable spreading rooms). This aspect of the analysi potential fire-induced failure. which might not be evident at the remote shutdown st equipment and systems control which is available outside the main control room.

2.3.1.8 Fire Model Development and Quantification

The following paragraphs identify the unique fire analysis attributes associated with the PRA sal modification of the internal events models for use in the fire analysis.

Initiating Events

The same set of initiating events identified in the traditional internal events analysis are considered analysis. For example, if LOCAs are considered, then fire-induced LOCAs (i.e., spurious v considered. Initiating events that cannot be caused by a fire-induced equipment failure, or by potentia responses to a fire event, can be eliminated. Note, for example, that even though fire-ind a given fire area or zone might not directly lead to an initiating event, the analysis should con operators might take actions on a preventative basis to shut down the plant in the event of a the postulated fire might render safe shutdown systems inoperable or unavailable. Fire-induc fires in two noncontiguous fire areas can be eliminated from the analysis.

Accident Sequence Analysis

The analysis should include a specific treatment of each of the specific fire scenario differe discussed in Sections 2.3.1.1 through 2.3.1.7. In addition, any fire unique sg - '= += should be consi

Systems Analysis

The fire PRA should include consideration of spatial s;-: shies for the following:

  • cables (e.g., power, instrumentation, and control) - the location of the cables both to and thr areas/zones.
  • all other components vulnerable to fire induced damage or failure (e.g., pumps, valves actuators, mo switches, and electrical panels).
  • components not vulnerable to fire-induced damage or failure may be eliminated from the analysis (e.g., la piping is not typically included in fire risk analyses).

Fire-induced system ig '=:es should be considered in a fire PRA. In particular, the analysis should consider the potential for common cause failure of multiple E- ;-:=^:/ systems due to the effects of a given fire. This po is unique from a traditional internal events analysis because the effects of a fire (e.g., heat and smoke) can tra quickly throughout a given fire area or zone, and can also extend beyond the limits of a single fire area or zone under certain circumstances. Effects which should be addressed include smoke¹, suppression agent effects, and temperature. If any of these can affect the performance of a component, then their impact should be considered. The fire PRA s also include consideration of direct thermal heating of components due to convective and radiative heating of targets by the fire.

For power and control cables, fire PRA should include some consideration of the three recognized potential failure modes; namely, conductor-to-ground shorts (which might result in simple loss of function or power bus failure), conductor-to-conductor shorting within a multiconductor cable (which might simulate the effects of a switch closing or cause a shorting of a power supply bus), and conductor-to-conductor shorting between adjacent cables (which might cause spurious operation of plant equipment, or cause destructive voltages to be applied to a lower voltage system). Each mode should be considered, and screening of failure modes is based on physical proximity and systems impact considerations.

Fire Modeling

Lessons learned from previous fire PRA studies indicate that caution should be exercised in areas such as:

  • Selection of cable ignition and damage criteria,
  • Credit taken for in-cabinet smoke detection,
  • Performance shaping factors associated with emergency HEPs, especially in a degraded environment caused by fire,
  • Modeling of initiation and effectiveness of automatic suppression, and
  • When "FIVE" is used to address NRC-mandated enhancements such as additional fire initiating events, proper consideration of certain passive components, thermal damage thresholds, self-ignited cable fires, earthquake induced fires, and containment fires.

¹ A potentially important mode of fire damage not usually included in a typical fire PRA is smoke damage. As research in this area matures, failures associated with smoke should be included in the fire analysis.

o e & y 2 Levcl 1 PRA Modeling for Fullpower Operations DataAnalpis Current sources of fire data shoul ~9 g 4 2 Level 1 PRA Modeling for Fullpower Operations 1 j 2.3.2 Application impact Considerations 1 J J - In general, all applicanon impact considerations identified in Section 2.1 are applicable for the intern used in the fue analysis. In addition, a proposed CLB change can impact the fire-specific portions of the a l example. if an application has the potential ofincreasing the failure probability associated with a mot then any screerdag pafv..wd as part of the baseline fire analysis should be reexamined to determine wha j new failure probability has on the screened sequences 1 < ! ) ! Specific factors which should be reviewed for each application include: l; I

  • The appropnateness of the fire zones and area defmitions used in the analysis and correspondmg equi

! mapping.

  • The poustial for the introduction of a new fire source gor conversely, the climination of a fire source).

i l ! . The potential for a change in the fire growth and propagation potential.

                                                                                                                                                                 )
                 -*                 The potential for a change in the fire damage potential of equipment.

f 1

                    +               Changes in the fire PRA model including the potential for different initiating events, additional sp stial failure modes required in the system fault trees, and modified human event error probabilities.

2.3.3 Interface with Other Tasks

In general, the interfaces identified in Section 2.1 are also applicable here. Moreover, the applicable Level 1 intern events logic models should be identified and modified to account for fire induced damage. Fire induced acciden scenarios are assigned to plant damage states similar to those used in the conventional internal event analysis.

In addition, the following interfaces among fire-specific analysis tasks should be considered:

  • the fire area and zone definitions will be used to identify the components that can be affected by a fire,
  • the affected components will impact the development of the system models,
  • the fire source identification and quantification results will impact the initiating event identification and quantification task,
  • results from the fire growth and spread task, the fire damage assessment task, and the fire detection and suppression task will impact the final sequence quantification, and
  • information from the fire growth and spread task and fire damage assessment task will influence the human reliability analysis task.

2.3.4 Documentation

In addition to the information normally documented in a traditional internal events analysis, the following information should be reported in a fire PRA:

  • A discussion of how the sub-set of initiating events relevant to the fire analysis was developed, in particular, how the internal events set was screened for relevance to fire.
  • A list or general description of the information used to develop the fire area/zone loca
  • A description of the process used to identify the fire areas/zones.
  • A list and description of the identified fire areas/zones.
  • A list of the cables and components considered in the analysis.
  • A mapping of risk important components and systems to fire areas or zones.
  • Justification for any system or component/cable for which location information was not pro
  • A list of any data bases, experimental results, plant procedures, plant experience, or ana fire computer models or correlations) used to support each step of the fire phenomena ana
  • A list of (and justification for) the specific parameter values associated with the analysis o ho fasts.
  • A list of the critical inputs and outputs associated with each scenario analyzed in a format s independent verification of the analysis results and in a level of detail appropriate to the under consideration (e.g., screening versus detailed quantification).
  • A specific discussion of how the HRA operator recovery analysis was "customized" or mo for the unique conditions of a fire event, including how manual fire detection and suppression incorporated into the quantification of the fire growth, damage and intervention models.
  • Results from the initial screening, secondary screening (if applied), and detailed quantifica analysis.

REFERENCES FOR CHAPTER 2

2.1 D.M. Ericson, Jr. (editor), et al., "Analysis of Core Damage Frequency: Internal Events Methodology," NUREG/CR-4550, Volume 1, Revision 1, Sandia National Laboratory, January 1990.

2.2 W.J. Galyean, P.G. Ellison, J.A. Schroeder, "ISLOCA Research Program Final Report," EG&G Idaho Falls, NUREG/CR-5928, July 31, 1993.

2.3 "Safety Related Motor Operated Valve Testing and Surveillance," U.S. Nuclear Regulatory Commission, Generic Letter 89-10, June 28, 1989.

2.4 V. H. Ransom, et al., "RELAP5/MOD3 Code Manual," Volumes 15, NUREG/CR-5535, EGG-2596, EG&G Idaho Inc., June 1990. J. C. Lin, et al., "TRAC-PF1/MOD2 Code Manual," Volumes 1-4, Los Alamos National Laboratory, LA-12031-M, NUREG/CR-5673, 1994.

2.5 USNRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, December 1990.

2.6 "Analysis of Core Damage Frequency from Internal Events: Expert Judgment Elicitation on Internal Event Issues," NUREG/CR-4550, SAND86-2084, Volume 2, April 1989.

2.7 USNRC, "Fault Tree Handbook," NUREG-0492, March 1980.

2.8 H. M. Stromberg, et al., "Common Cause Failure Data Collection and Analysis System," INEL-94/0064, Volumes 1 through 6, Idaho National Engineering Laboratory, December 1995.

2.9 "Loss of Offsite Power at U.S. Nuclear Power Plants Through 1991," Nuclear Safety Analysis Center, NSAC-188, March 1992.

2.10 R. L. Iman and S. C. Hora, "Modeling Time to Recovery and Initiating Event Frequency for Loss of Offsite Power Incidents at Nuclear Power Plants," NUREG/CR-5032, Sandia National Laboratories, January 1988.

2.11 T. Morgan, G. W. Parry and C. S. Chuan, "Nuclear Plant Reliability: Data Collection and Usage Guides," EPRI/TR-100381, April 1992.

2.12 J. Wreathall, "HRA Modeling in IPEs: An Evaluation of Methods and Their Application," NUREG/CR-6520, Brookhaven National Laboratory, to be published.

2.13 Table 8.2-10, D.M. Ericson, Jr. (editor), et al., "Analysis of Core Damage Frequency: Internal Events Methodology," NUREG/CR-4550, Volume 1, Revision 1, Sandia National Laboratory, January 1990.

2.14 W.L. Ferrell, et al., "Analysis of the LaSalle Unit 2 Nuclear Power Plant: Risk Methods Integration and Evaluation Program (RMIEP)," NUREG/CR-4832, Volume 10, Sandia National Laboratory, October 1992.

3. INTERNAL EVENT LEVEL 2 PRA FOR FULL POWER OPERATIONS

This chapter provides attributes for performing a Level 2 probabilistic risk assessment (PRA) of a plant full power. A Level 2 PRA evaluates containment response to severe accidents and determines the ma timing of the radionuclide release from containment. Consequently, those PRA applications that deal w performance obviously need a Level 2 analysis as described in this chapter. A Level 2 analysis is al application requires that a numerical value for the frequency of a particular release be determined. Finally, if a particular PRA application requires estimates of offsite consequences and integrated risk, as, for example calculation of the U.S. Nuclear Regulatory Commission (NRC) Safety Goal Quantitative Health Objectives (QHOs), then a Level 2 PRA coupled with a Level 3 PRA is needed. Accidents initiated by internal events including internal fires and floods are addressed in the following section. Accidents initiated by various external events are addressed in Chapter 5.

The primary objective of the Level 2 portion of a PRA is to characterize the potential for, and the magnitude and timing of, a release of radioactive material to the environment given the occurrence of an accident that results in sufficient damage to the core to cause the release of radioactive material from fuel. To satisfy this objective, a quality Level 2 PRA is comprised of three major parts:

  • A quality Level 1 PRA, which provides information regarding the accident sequences to be examined and their frequency. The attributes for performing the analysis associated with this aspect of a PRA are described in Chapter 2 and are not discussed further here.
  • A structured and comprehensive evaluation of containment performance in response to the accident sequences identified from the Level 1 analysis.
  • A quantitative characterization of radiological release to the environment that would result from accident sequences which breach the containment pressure boundary.

A detailed description of the attributes for conducting the technical analyses associated with each part is provided below. The current state of knowledge regarding many aspects of severe accident progression and (albeit to a lesser extent) the state of knowledge regarding containment performance limits is imprecise. Therefore, an assessment of containment performance should be performed in a manner that explicitly considers uncertainties in the knowledge of severe accident behavior, the resulting challenges to containment integrity, and the capacity of the containment to withstand various challenges. The potential for a release to the environment is typically expressed in terms of the conditional probability of containment failure (or bypass) for the spectrum of accident sequences (determined from Level 1 PRA analysis) that proceed to core damage.

In addition to estimating the probability of a release to the environment, the Level 2 portion of a PRA should characterize the resulting radiological release to the environment in terms of the magnitude of the core inventory that is released, timing of the release and other attributes important to an assessment of offsite accident consequences. This information provides (1) a quantitative scale with which the relative severity of various accident sequences can be ranked and (2) represents the "source term" for a quantitative evaluation of offsite consequences (i.e., health effects, property damage, etc.) which are estimated in the Level 3 portion of a PRA.

In the description of the Level 2 PRA below, emphasis is placed on the level of detail associated with the major elements of a Level 2 analysis, rather than the specific techniques used to conduct the analysis. This approach is emphasized because several different methods can be used to calculate the probabilistic aspects of severe accident behavior and containment performance. The most common methods are those that use event- and/or fault-tree logic structures; however, other techniques can also be used. Further, the specific methods of quantifying similar logic structures can differ from one study to another. In principle, any of these methods can be considered adequate provided it encompasses the level of detail described below.

As indicated above, the two major products of a Level 2 PRA are (1) the conditional probability of containment failure or bypass for accident sequences that proceed to core damage and (2) a characterization of the radiological source term to the environment for each sequence resulting in containment failure or bypass. Although the analyses conducted to generate these products are closely coupled, the characteristics of the analysis to generate them are best described separately. Hence, characteristics of a probabilistic evaluation of containment performance are described in Section 3.1; characteristics of the accompanying estimates of radionuclide release are described in Section 3.2.

3.1 Evaluation of Containment Performance

Although the specific analysis tasks within various Level 2 PRAs may be organized differently, the following three critical elements are included:

  • An assessment of the range of challenges to containment integrity (i.e., determination of possible failure mechanisms and range of structural loads);
  • Characterization of the capacity of the containment to withstand challenges (i.e., determination of performance limits); and
  • A process of organizing and integrating the uncertainties associated with these two evaluations to generate an estimate of the conditional probability that containment would fail (or be bypassed) for a given accident sequence.

Attributes for developing each of these elements are described below.

3.1.1 Assessment of Challenges to Containment Integrity

The primary objective of this element of a Level 2 PRA is to characterize the type and severity of challenges to containment integrity that may arise during postulated severe accidents. An analysis to determine these characteristics acknowledges the dependence of containment response on details of the accident sequence. Therefore, a critical first step is developing a structured process for defining the specific accident conditions to be examined. Attributes for determining which of the many accident sequences generated by Level 1 PRA analysis should be further examined for impact on containment are defined in two parts:

1. Attributes for reducing the large number of accident sequences developed for Level 1 PRA analysis to a practical number for detailed Level 2 analysis, and

2. Attributes for performing and coupling the assessment of containment system performance (i.e., reliability analysis) with Level 1 accident sequence analyses.

3.1.1.1 Defining the Accident Sequences to be Assessed

The primary purpose of Level 1 PRA analysis is to identify the specific combinations of system or com (i.e., accident sequence cutsets) that would allow core damage to occur. Unfortunately, the number o q by a Level 1 analysis is very large (typically greater than 10,000). It is impractical to evaluate severe accident progression and resulting containment loads for each of these cutsets. As a result, the common practice the Level 1 cutsets into a sufficiently small number of "Plant Damage States (PDSs)" to allow a practical assessment of the challenges to containment integrity resulting from the full spectrum of accident sequences.

Considerations for the Baseline PRA

Any characteristic of the plant response to a given initiating event that would influence either subsequent containment response or the resulting radionuclide source term to the environment would be represented as an attribute in the binning scheme. These characteristics include:

  • The status of systems that have the capacity to inject water to either the reactor vessel or the containment cavity (or drywell pedestal). Defining system status simply as "failed" or "operating" is not sufficient in a Level 2 analysis. Low pressure injection systems may be available but not operating at the onset of core damage because they are "dead-headed" (i.e., reactor vessel pressure is above their shutoff head). Such states are distinguished from low-pressure injection "failed" to account for the capability of dead-headed systems to discharge after reactor vessel failure (i.e., providing a mechanism for flooding the reactor cavity).
  • The status of systems that provide heat removal from the reactor vessel or containment. Careful attention should be paid to the interactions between such systems and coolant injection systems. For example, limitations in the capability for dual-function systems such as the Residual Heat Removal (RHR) system in most boiling water reactors (BWRs) (which provides pumping capacity for low-pressure coolant injection (LPCI) and heat removal for suppression pool cooling) should be properly accounted for.
  • Recoverability of "failed" systems after the onset of core damage. Typical recovery actions include restoration of alternating current (AC) power to active components and alignment of non-safety-grade systems to provide (low-pressure) coolant injection to the reactor vessel or to operate containment sprays. Constraints on recoverability (such as no credit for repair of failed hardware) are defined in a manner that is consistent with recovery analysis in the Level 1 PRA.
  • The interdependence of various systems for successful operation. For example, if successful operation of a LPCI system is necessary to provide adequate suction pressure for successful operation of a high-pressure coolant injection (HPCI) system, failure of the low-pressure system (by any mechanism) automatically renders the high-pressure system unavailable. This information may only be indirectly available in the results of the Level 1 analysis, but should be explicitly represented in the PDS attributes if recovery of the low-pressure system (after the onset of core damage) is modeled.

Several subtle aspects of the mapping of accident sequence cutsets from the Level 1 analysis to the PDSs used as input to a Level 2 analysis should be noted at this point.

  • The entire core damage frequency (CDF) generated by the Level 1 analysis is carried forward into the definition of the PDSs which are the entry points to the Level 2 analysis. A minimum ("cut off") frequency is not defined as a means of screening out "less important" accident sequences. The objective is to allow the risk contribution from low frequency/high-consequence accident sequences to be captured.
  • The mapping from the Level 1 analysis to the PDSs is performed at the cutset level, not the accident sequence level.
  • For some accident sequences, the status of all systems may not be determined from the sequence cutsets. For example, if the success criteria for a large break loss-of-coolant accident (LOCA) in a pressurized water reactor (PWR) require successful accumulator operation, the large LOCA sequence cutsets involving failure of all accumulators will contain no information about the status of other coolant injection systems. Realistic resolution of the status of such systems, however, often provides a mechanism for representing accident sequences that are arrested before substantial core damage and radionuclide release occurs. In a Level 2 analysis, these systems are not simply assumed to operate as designed. Their failure frequencies are estimated in a manner that preserves relevant support system dependencies. These are then numerically combined with the sequence cutset frequencies from the Level 1 analysis.

Application Impact Considerations

It is possible that a particular change to a plant's current licensing basis (CLB) may affect the way in which accident sequences are binned into PDSs. For instance, if the proposed change involves the operability of a particular containment system, this could influence the manner in which the system is accounted for in the PDS attributes.

Interfaces with Other Tasks

This task provides the interface between the accident sequences identified by the CDF analysis and the subsequent accident progression analysis. The large number of cutsets generated by the Level 1 analysis is reduced to a practical number of PDSs which serve as the starting point for the Level 2 analysis. This task is a crucial step in assuring that the accident sequences are correctly characterized in terms of containment performance and radionuclide release.

Documentation

In general, sufficient information should be provided in the documentation to allow an independent analyst to reproduce the results. At a minimum, the following should be provided:

  • a thorough description of the procedure used to group (bin) individual accident cutsets into PDSs, or other reduced set of accident scenarios for detailed Level 2 analysis,
  • a listing of the specific attributes or rules used to group cutsets, and
  • a listing and/or computerized database providing cross reference for cutsets to PDSs and vice versa.
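The binning rules of Section 3.1.1.1, as an added Python illustration that is not part of NUREG-1602: each cutset is mapped to a PDS individually, dead-headed low-pressure injection is kept distinct from failed, a cutset whose injection status is undetermined is split by an estimated failure probability, and no cut-off frequency is applied. The cutsets, attribute names and probabilities are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import isclose


@dataclass(frozen=True)
class Cutset:
    cid: str
    freq: float           # per reactor-year (constructed value)
    rcs_pressure: str     # "high" or "low" at the onset of core damage
    lpi: str              # low-pressure injection: "ok", "failed" or "unknown"
    hpi: str              # high-pressure injection: "ok" or "failed"
    heat_removal: str     # "ok" or "failed"
    ac_lost: bool         # support-system state that drives LPI availability
    ac_recoverable: bool  # recovery credited after the onset of core damage


# Assumed conditional LPI failure probabilities, keyed by support-system state,
# so that the support-system dependency is preserved when a status is resolved.
LPI_FAIL_PROB = {"ac_available": 1e-2, "ac_lost": 1.0}
# Assumed plant feature: HPI takes suction through LPI, so LPI failure fails HPI.
HPI_NEEDS_LPI_SUCTION = True

# Constructed sample cutsets (not from any plant PRA).
SAMPLE_CUTSETS = [
    Cutset("C1", 2e-6, "high", "ok", "failed", "ok", False, False),
    Cutset("C2", 5e-7, "low", "failed", "ok", "failed", False, False),
    Cutset("C3", 1e-9, "high", "ok", "failed", "ok", False, False),  # low frequency, kept
    Cutset("C4", 4e-7, "low", "unknown", "failed", "ok", False, False),
    Cutset("C5", 3e-6, "high", "unknown", "failed", "failed", True, True),
]


def resolve(cs):
    """Return (frequency, lpi_status) branches for one cutset.

    A cutset that does not determine the LPI status is split into a failed
    and an available branch instead of assuming the system works as designed.
    """
    if cs.lpi != "unknown":
        return [(cs.freq, cs.lpi)]
    p_fail = LPI_FAIL_PROB["ac_lost" if cs.ac_lost else "ac_available"]
    branches = [(cs.freq * p_fail, "failed"), (cs.freq * (1.0 - p_fail), "ok")]
    return [(f, status) for f, status in branches if f > 0.0]


def pds_key(cs, lpi):
    """Build the PDS attribute tuple for one resolved branch of a cutset."""
    if lpi == "failed":
        lpi_state = "failed"
    elif cs.rcs_pressure == "high":
        lpi_state = "dead-headed"   # available, can discharge after vessel failure
    else:
        lpi_state = "operating"
    hpi_state = cs.hpi
    if HPI_NEEDS_LPI_SUCTION and lpi == "failed":
        hpi_state = "failed"        # interdependence made explicit in the PDS
    recovery = "AC-recoverable" if cs.ac_recoverable else "no-recovery"
    return (lpi_state, hpi_state, cs.heat_removal, recovery)


def bin_cutsets(cutsets):
    """Bin cutsets into PDSs and return frequencies plus both cross references."""
    pds_freq = defaultdict(float)
    pds_to_cutsets = defaultdict(set)
    cutset_to_pds = defaultdict(dict)
    for cs in cutsets:
        for freq, lpi in resolve(cs):
            key = pds_key(cs, lpi)
            pds_freq[key] += freq
            pds_to_cutsets[key].add(cs.cid)
            cutset_to_pds[cs.cid][key] = cutset_to_pds[cs.cid].get(key, 0.0) + freq
    # The entire CDF must be carried forward: nothing is screened out.
    cdf = sum(cs.freq for cs in cutsets)
    if not isclose(sum(pds_freq.values()), cdf, rel_tol=1e-9):
        raise ValueError("binning did not conserve the core damage frequency")
    return dict(pds_freq), dict(pds_to_cutsets), dict(cutset_to_pds)


if __name__ == "__main__":
    freqs, by_pds, by_cutset = bin_cutsets(SAMPLE_CUTSETS)
    for key, f in sorted(freqs.items(), key=lambda kv: -kv[1]):
        print(f"{f:.3e}  {key}  <- {sorted(by_pds[key])}")
```

The two returned dictionaries give the cutset-to-PDS and PDS-to-cutset cross reference that the documentation list asks for.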

3.1.1.2 Assessment of Containment System Performance

The reliability of systems whose primary function is to maintain containment integrity during accident conditions are not always completely incorporated in the accident sequence analysis performed by Level 1 PRA. Such systems may include containment isolation, fan coolers, distributed containment sprays, and hydrogen igniters. Neglecting these systems (or a simplified representation of them) in Level 1 analyses is a common practice because not play any role in preventing core damage following a postulated accident initiating reliability of these systems is, therefore, incorporated in a Level 2 analysis to ascertain w designed to provide containment response during core damage accidents.

Considerations for the Baseline PRA

The methods, scope and technical rigor used to evaluate the reliability of the containment iso systems are comparable to that used in the Level 1 analysis of other "frontline" systems (re models (or other techniques) for estimating failure probabilities are developed and linked dire sequence models from the Level 1 PRA. This linkage is necessary to properly capture th mutual dependencies between failure mechanisms for containment systems and other syste include support system dependencies such as electrical power, component cooling water, an W dependencies that need to be represented in a manner consistent with the Level 1 system models. more subtle. For example,

  • Indirect failure of containment safety systems due to harsh environmental conditions (resulting fro One of a support system) should be represented in the assessment of containment system reliabili important example is failure of reactor or auxiliary building room cooling causing the failure o systems due to high ambient temperatures.
  • The impact of containment system operation prior to the onset of core damage should be acco evaluation of system operability after the onset of core damage.
  • The human reliability analysis associated with manual actuation of containment systems (e.g., hydrogen igniters) should take into account operator performance during earlier stages of an accident s analysis should follow the same practices used in the Level 1 analysis as described in Chapter 2.

The long-term performance of containment systems should also be evaluated although the issues to be c differ substantially from those listed above. Degradation of the environment within which systems are required to operate as an accident sequence proceeds in time should be taken into account. In all cases, the assessment of failure probability for containment systems should be based on realistic performance limits rather than bounding (design basis or equipment qualification) criteria.

Application Impact Considerations

As noted in the introduction, the containment systems may be incorporated into the PRA model in a rather simplified fashion. It is possible that a particular change to a plant's CLB may affect the way a containment system performs or is operated. The modeling of this system should, therefore, be at a level of detail which can reflect this c performance or operation.

Interfaces with Other Tasks

The results from this task provide some of the information necessary for the quantification of the containment event trees. This task also interfaces with the system performance evaluations performed for the Level 1 analysis.

Documentation

Documentation of containment system performance assessments should include a description of information used to develop containment systems' analysis models and link them with other system reliability models. This documentation should be prepared in the same manner as that generated in the Level 1 analysis of other systems (previously discussed in Chapter 2).

3.1.1.3 Evaluation of Severe Accident Progression

Accident analysis codes [such as the Modular Accident Analysis Program (MAAP) (Ref. 3.1) or MELCOR (Ref. 3.2)] provide a framework within which the evolution of events in a severe accident can be accounted for in an integrated fashion. Consequently, the results of these calculations typically provide a basis for estimating the timing of major accident events and for characterizing a range of potential containment loads. Although code calculations are a useful part of an evaluation of severe accident progression, their results do not form the sole basis for characterizing challenges to containment integrity in a quality Level 2 PRA. There are several reasons for this:

  • Many of the models embodied in severe accident analysis codes address highly uncertain phenomena. In each case, certain assumptions are made (either by the model developers or the code user) regarding controlling physical processes and the appropriate formulation of models that represent them. In some instances, the importance of these assumptions can be tested via parametric analysis. However, the extent to which the results of any code calculation can be demonstrated to be robust in light of the numerous uncertainties involved is severely limited by practical constraints of time and resources. Therefore, the assumptions inherent in many code models remain untested.
  • None of the integral severe accident codes contain models to represent all accident phenomena of interest. For example, models for certain hydrodynamic phenomena such as buoyant plumes, intra-volume natural circulation, and gas-phase stratification, are not represented in most integral computer codes. Similarly, certain severe accident phenomena, such as dynamic fuel-coolant interactions (i.e., steam explosions) and hydrogen detonations, are not represented.
  • It is simply impractical to perform an integral calculation for all severe accident sequences of interest.

As a result, the process of evaluating severe accident progression involves a strategic blend of plant-specific code calculations, applications of analyses performed in other prior PRAs or severe accident studies, focused engineering analyses of particular issues, and experimental data. The manner in which each of these sources of information are used in a Level 2 PRA is described below.

Considerations for the Baseline PRA

The following are used to determine the number of plant-specific calculations that would be performed using an integral code to support a Level 2 PRA:

  • At least one integral calculation (addressing the complete time domain of severe accident progression) is performed for each plant damage state. However, this may not be practical depending on the number of plant damage states developed according to the a J.>eun;en. At a minimum, calculations are performed to address the dominant accident sequences (i.e., those with the highest contribution to the total core damage frequency). Calculations are also performed to address sequences that are anticipated to result in high radiological releases (e.g., containment bypass scenarios).

  • In addition to the calculations of a spectrum of accident sequences described above, several sensitivity calculations are performed to examine the effects of major uncertainties on calculated accident behavior example, multiple calculations of a single sequence are performed in which code input parameters are changed to investigate the effects of alternative assumptions regarding the timing of stochastic events (such as operator actions to restore water injection) or the models used to represent uncertain phenomena (such as the size the opening in containment following overpressure failure). These calculations provide information that essential to the quantitative characterization of uncertainty in the Level 2 probabilistic logic models (refer the discussion of logic model development and assignment of probabilities below).

Table 3.1 lists phenomena that can occur during a core meltdown accident and involve considerable uncertainty. Th list was based on information in NUREG-1265 (Ref. 3.3), NUREG/CR-1551 (Ref. 3.4) and other stu recognized that considerable disagreement persists within the technical community regarding the magnitude (and some cases, the specific source) of uncertainty in several of the phenomena listed in Table 3.1. A major objective the panels assembled as part of the research program that culminated in NUREG-1150 (Ref. 3.5) was to tran range of technical opinions within the severe accident research community into a quantitative measure of uncertainty on specific technical issues. In a Level 2 PRA, the results of this effort are used as guidance for defining the values of uncertain modeling parameters to be used in the sensitivity calculations described above.

Table 3.1 Severe accident phenomena

Phenomena, each followed by the characteristics of the accident phenomena:

Hydrogen generation and combustion
  • Enhanced steam generation from melt/debris relocation
  • Steam starvation caused by degraded fuel assembly flow blockage
  • Clad ballooning
  • Recovery of coolant injection systems
  • Steam/hydrogen distribution within containment
  • De-inerting due to steam condensation or spray operation

Induced failure of the reactor coolant system pressure boundary
  • Natural circulation flow patterns within the reactor vessel upper plenum, hot legs, and steam generators
  • Creep rupture of hot leg nozzles, pressurizer surge line, and steam generator U-tubes

Debris bed coolability and core-concrete interactions
  • Debris spreading depth on the containment floor
  • Crust formation at debris bed surface and effects on heat transfer
  • Debris fragmentation and cooling upon contact with water pools
  • Steam generation and debris oxidation

Fuel-coolant interactions
  • Potential for dynamic loads to bounding structures
  • Hydrogen generation during melt-coolant interaction

Melt/debris ejection following reactor vessel failure
  • Melt/debris state and composition in the lower head
  • Mode of lower head failure
  • Debris dispersal and heat transfer following high-pressure melt ejection

Shell melt-through failure in Mark I containments
  • Melt spreading dynamics
  • Effects of water
  • Shell heat transfer and failure mechanism

A fundamental design objective of the integral severe accident analysis codes used to support a Level 2 PRA (e.g., MAAP, MELCOR) is that they be fast running. Efficient code operation is necessary to allow sensitivity calculations to be performed within a reasonably short time and with minimal resources. One consequence of this objective, however, is that many complex phenomena are modeled in a relatively simple manner or, in some cases, are not represented at all. Therefore, a Level 2 PRA addresses the inherent limitations of integral code calculations in two respects. First, the importance of phenomena not represented by the integral codes are evaluated by some other means (i.e., either application of specialized computational models or by comparison with experimental investigations). Secondly, the effects of modeling simplifications are examined by comparisons with mechanistic code calculations.

In summary, evaluating severe accident progression involves a complex process of plant-specific sensitivity studies using integral codes, mechanistic code calculations, use of prior calculations, experimental data and expert judgement. Examples of this process are given for each of the phenomena in Table 3.1 in the following sections.

Hydrogen Generation and Combustion

Hydrogen phenomena was identified in the NUREG-1150 study as an area where considerable uncertainty existed and, hence, issues associated with hydrogen phenomena were addressed by NUREG-1150 panels. Since these expert panels explicitly considered the uncertainties associated with key phenomena and, accounting for uncertainties in the initial and boundary conditions, developed distributions that characterized these uncertainties, the information from these panels provides a convenient and important framework for assessing uncertainties for this application.

The uncertainty in the amount of hydrogen produced during the in-vessel phase of a severe core damage accident was addressed in the NUREG-1150 study by the In-Vessel Panel. Results from this panel are provided in NUREG/CR-4551, Volume 2, Part 1, for both PWRs and BWRs. In that report, distributions are provided for the percentage of in-vessel zirconium that is oxidized.

Clearly, as evident by the NUREG-1150 distributions, there is considerable uncertainty in the amount of zirconium oxidized in-vessel and the use of a single number (for example from a MELCOR or MAAP code calculation) is not adequate. While these codes can all predict the amount of hydrogen produced during an accident, the amounts that they predict often vary since they model the phenomena differently. Similarly, a series of sensitivity evaluations with a single code is usually not sufficient to assess the uncertainties since typically a single code will not include all of the

  ~I ~1

relevant phenomena. Instead, o ih should ub.aud., am..uuuva .w characterize the uncertainty in the amount of hydrogen generated during the in-vessel

Uncertainties in the impact of hydrogen combustion phenomena on the contain NUREG-1150 study by the Containment Loads Expert Panel. For PWRs, hydrogen concern in the smaller volume ice condenser containments than it is in the large volume hydrogen combustion is typically only a concern for plants with Mark III cont Mark II containments are inerted during normal operation and pm PRAs namouaide most accident conditions. Hence, the Containment Loads Panel assessed the combus plant (BWR, Mark III) and the Sequoyah plant (PWR, Ice Condenser). Inform this information into the NUREG-1150 PRAs are provided in NUREG/CR-4551, Volume 5 (Ref. 3.6) for the Sequoyah plant analysis and in NUREG/CR-4551, Vol. 6 (Ref. 3.7) for the Grand

Since information relevant to hydrogen combustion tends to be specific to the plant and analyzed, relevant deterministic calculations are used to provide guidance when d the containment atmosphere and for determining the distribution of gases in the various these dismistics, the concentrations of hydrogen, oxygen, and steam are determined for e where combustion is a concern. These concentrations are then used to det Of particular concern are local areas where hydrogen can accumulate and thereby detonate. For compartmentalized containments, such as ice condenser containments, there uncertainty in these concentrations for the various compartments necessitating the deve distributions. A discussion of these uncertainties for an ice condenser con NUREG/CR-4551, Vol. 2, Part 2, Rev. 1. The calculation of the total concentration of hydrogen into account both the hydrogen produced in-vessel and ex-vessel (through the core-concrete inte the containment does not fail at vessel breach.

Combustible mixtures that form in the containment can be ignited from a number of sources in powered equipment, and hot surfaces. For situations where there are no identifiable ignition a station blackout, it is still possible for a combustible mixture of hydrogen to ignite since ignition r energy. The ignition of hydrogen under this last condition was addressed in NUREG-1150 by Panel. Results from this panel are provided in Section 5.1 for the Grand Gulf plant (BWR, Mark III) for the Sequoyah plant (PWR, Ice Condenser) NUREG/CR-4551, Vol. 2, Part 2. The panel p that characterized the uncertainty in the ignition frequency for situations where AC power is not available containment.

Quasi-static loads from hydrogen combustion events were assessed in the NUREG-1150 study b Loads panel for both the Grand Gulf and the Sequoyah plants. Generally, the experts based the peak on the adiabatic isochoric complete combustion model and then corrected the pressures to account for bur wi+b.cas. heat transfer and expansion into non-participating compartments. For the PWR pla that the uncertainty in the peak overpressure was small compared to the uncertainties in the hydro

Here combustion refers to combustion in the containment. However, following failure of the containment of hydrogen in the reactor buildings surrounding Mark I and Mark II containments can also be in the reactor building surrounding a Mark I plant was addressed by the Containment Loads Expert Panel discussed in Section 5.3 of NUREG/CR-4551, Vol. 2, Rev. 1, Part 2.

and ignition frequencies and hence a single estimate of the peak overpressure as a function of hydrogen concentration was provided instead of a probability distribution. These estimates are provided in Section 5.2 in NUREG/C Vol. 2, Part 2, Rev. 1. For the BWR plant the uncertainty in the peak overpressure was driven by the uncertainty in the burn completeness (although it was also acknowledged by these experts that the uncertainty in the ignition frequency is a key uncertainty associated with the hydrogen combustion phenomena) and, hence, probability distributions were developed. The distributions developed by this panel are provided in Section 5.1 of NUREG/CR-4551, Volume 2, Part 2.

Since the publication of NUREG-1150, some additional research has been conducted on combustion of hydrogen steam mixtures in condensing environments (Ref. 3.8). In these experiments, ignition was provided by thermal igniters. These experimental results provide relevant information that was not available during the NUREG-1150 study and may be referenced when assessing the peak pressure in a rapidly condensing environment with igniters available.

Hydrogen detonations in the Grand Gulf and Sequoyah containments were also addressed by the Containment Loads Panel and are discussed in Sections 5.1 and 5.2 of NUREG/CR-4551, Vol. 2, Part 2, Rev. 1, respectively. The panel assessed the frequency of a deflagration to detonation transition (DDT). The DDT frequency was analyzed considering different locations within the containment and different concentrations of hydrogen within each location. The probability distributions that characterize the uncertainty in the DDT frequency are broad for both the BWR and the PWR plants. Given that a detonation occurs, the expert panel also assessed the resulting peak impulse. The geometry in the area where the ignition occurs is a key uncertainty that affects the likelihood that a DDT will occur. Similarly, the interaction between the detonation wave and structures is a key uncertainty that affects the peak impulse.

Induced Failure of the Reactor Coolant System (RCS) Pressure Boundary

The possibility of a temperature-induced rupture of the steam generator (SG) tubes is affected by several factors including the thermal hydraulic conditions at various locations in the primary system, which determine the temperatures (and the time at those temperatures) and the pressures to which the SG tubes are subjected as the accident progresses. Other relevant factors include the effective temperature required for creep rupture failure of the SG tube, and the presence of pre-existing defects in the SG tubes which increase the likelihood of rupture.

In NUREG-1150, this issue was treated in the expert elicitation process. All experts agreed that hot leg failure, including failure of the surge line, was much more likely to occur before a rupture of a steam generator tube. Two experts felt that pre-existing defects in the SG tubes could lead to a higher probability of SG tube rupture (SGTR). The third expert felt that due to the long time lag between temperatures in the hot leg and the SG tubes, the frequency of temperature-induced SGTR was so small that it could be expressed as a (small) constant value regardless of pre-existing defects.

A conditional probability distribution of temperature-induced SGTR was developed in NUREG-1150 by aggregating the individual distributions provided by three experts. A discussion of the phenomenon and the assignment of the conditional probability distribution of temperature-induced SGTR is contained in NUREG/CR-4551, Vol. 2. This distribution was applied in the accident progression event trees developed for the Zion and for the Surry plants in NUREG-1150. The Zion and Surry reports [NUREG/CR-4551, Vol. 7 (Ref. 3.9) and NUREG/CR-4551, Vol. 3 (Ref. 3.10), respectively] can be consulted for information related to how the conditional probability distribution of temperature-induced SGTR should be applied to obtain the split fractions for the containment event tree for this issue.

Debris Bed Coolability and Core-Concrete Interactions

Debris coolability is an important issue because if the debris is brought to a coolable geometry, th containment pressurization will be the generation of steam from boiloff of the overlying water. This and, in the absence of containment heat removal, would result in very late containment failure allowing am for remedial actions. Furthermore, a coolable debris geometry would limit basemat penetration. In addition, if a coolable debris bed is formed in the cavity or pedestal and makeup water is continuously supplied interactions between the core debris and concrete will be minimized and release of ra source would be avoided. If CCI does occur (i.e., the debris bed is not coolable), experimental results indicate that the presence of an overlying water pool does not have much effect on the downward progression of the melt front.

The mechanisms that govern debris coolability are conduction heat transfer, shrinkage cracking, gas spargi eruption, and crust failure under the weight of the water. Experimental research (Ref. 3.11) has been investigate this issue. These tests include the SWISS-1 (Ref. 3.12) and -2, FRAG-3 and -4 (Ref. 3.13), W (Ref. 3.14) and MACE (Ref. 3.15) series of tests. This experimental information would be considered in PRA when developing distributions for the likelihood of forming a coolable debris bed for a particular plant configuration. The expert panel convened for NUREG-1150 specifically for molten core-concrete interaction is an example of how major input parameters for this issue are quantified.

Fuel-Coolant Interactions

For an accident leading to a severely damaged core, the probability of an in-vessel steam explosion causing early containment failure was assumed in WASH-1400 to be between 0.1 and 0.01. In 1985, the first Steam Explosion Review Group (SERG-1) workshop was held to sF"*1ly evaluate the alpha-mode failure issue. The experts who participated in that workshop reviewed the then current understanding of the potential for containment fa in-vessel steam explosion, and reached a nearly unanimous opinion that the probability of alpha-mode failure i than that used in WASH-1400.

NRC-sponsored research carried out since 1985 has played a major role in developing an understanding of the key physical processes involved in energetic fuel-coolant interactions (FCIs). In June 1995, the second SERG (SERG-2) workshop was held to revisit the alpha-mode failure issue, and to evaluate the current understanding of other FCI issues that could potentially contribute to risk, such as shock loading of the lower head and ex-vessel support structures. The estimates of failure probability expressed by SERG-2 experts were generally an order of magnitude lower than the SERG-1 estimates.

Melt Debris Ejection Following Reactor Vessel Failure

In certain severe accidents, the failure of the reactor pressure vessel (RPV) can occur while the RCS is at elevated pressure. In these accidents the expulsion of the molten core debris and blowdown of the RCS could lead to a very rapid and efficient heat transfer to the containment atmosphere, possibly accompanied by oxidation reaction hydrogen combustion that further enhances the energy transfer. These processes, which lead to containment pressurization, are collectively referred to as direct containment heating (DCH). Overpressurization resulting DCH is a significant containment challenge that can lead to early containment failure.

The results of a probabilistic assessment of DCH-induced containment failure for the Zion Nuclear Power Plant were published in NUREG/CR-6075 (Ref. 3.16) and its supplement. NUREG/CR-6338 (Ref. 3.17) used the methodology and scenarios described in NUREG/CR-6075 to address the DCH issue for all Westinghouse plants with large volume containments, including 34 plants with large dry containments and seven plants with subatmospheric containments.

DCH loads versus strength evaluation were performed in a consistent manner for all plants. The phenomenological modeling was closely tied to the experimental database. Plant-specific analyses were performed, but sequence uncertainties were enveloped by a small number of splinter scenarios without assignment of probabilities. The results of screening calculations reported in NUREG/CR-6338 indicate that only one plant showed a conditional containment failure probability (CCFP) based on the mean fragility curves greater than 0.001. The CCFP for this one plant was found to be less than 0.01. These results can, therefore, be used for Level 2 PRAs for Westinghouse plants with large volume containments. For BWRs and other PWR plants, the methodology reported in NUREG/CR-6338 for pudhg load/strength evaluations using the plant-specific input to the two-cell equilibrium model or appropriate containment analysis codes, can be used to provide a PRA-integrated perspective on this issue. For plants with ice condenser containments, it is believed that the ice chamber in the ; knt can, to a certain extent, trap dispersing core debris and provide cooling to moderate the effect of DCH.

Shell Melt-through Failure in Mark I Containments

To address the shell melt issue in NUREG-1150, a panel of experts was convened to provide input as to the probability of shell melt for five scenarios: (1) low and medium flow with water, (2) low and medium flow without water, (3) high flow with water, (4) high flow without water and two of three parameters (pressure, fraction of metal, and superheat) high, and (5) high flow without water and two of three parameters (pressure, fraction of metal, and superheat) low. The individual elicitations were then averaged and presented in Table 6-1 of NUREG/CR-4551, Volume 2, Part 2. In a more recent report, Theofanous et al. published a probabilistic methodology in NUREG/CR-6025 (Ref. 3.18) as an overall systematic approach for addressing the Mark I shell melt-through issue.

The above approaches are examples of generating probabilistic information on shell melt-through. A Level 2 PRA would investigate plant-specific design features, including pedestal door arrangement (and relative alignment of downcomers), drywell floor area and sump volumes, and in particular, the amount of fuel in the reactor and the downcomer entrance height above the drywell floor. The downcomer entrance height affects not only the amount of water attainable on the floor, but more importantly if the amount of fuel is sufficient that melt can run directly into the downcomer, liner failure is virtually assured. The probabilities of shell melt-through should apply to a steel lined reinforced concrete containment; however, if sufficient technical basis is provided, the effective failure size in the containment structure may be adjusted accordingly (though there should be no credit given for "self-healing" of the containment boundary).

Application Impact Considerations

A change in a plant's CLB can affect the way a plant system performs or operates. If the plant system(s) in question could have an influence on the accident progression, then the accident progression analysis should account for the change in the systems' performance or operation. For example, a degraded power supply to hydrogen igniters could influence the likelihood and severity of a hydrogen combustion event in the containment, or the removal of a backup water supply could reduce the chances for achieving debris bed coolability and increase the possibility of core-concrete interaction. An operational example would be a change in procedures related to the restart of the reactor coolant pumps under degraded core conditions which could influence the likelihood of an induced failure of the R boundary.

Interfaces with Other Tasks

This task provides the bulk of the information for quantifying the containment event trees. The conditi by the unnut severe accident phenomena should also be considered for the assessment of the p containment systems.

Documentation

Documentation of analyses of severe accident progression should include the following:

  • a description of plant-specific accident simulation models (e.g., MAAP or MELCOR) including extensive references to source documentation for input data,
  • a listing of all computer code calculations performed and used as a basis for quantifying any event in the containment probabilistic logic model including a unique calculation identifier or name, a description of key modeling assumptions or input data used, and a reference to documentation of calculated results. (If input and/or output data are archived for quality assurance records or other purposes, an appropriate reference to calculation archive records is also provided.),
  • a description of key modeling assumptions selected as the basis for performing "base case" or "best-estim calculations of plant response and a description of the technical bases for these assumptions,
  • a description of plant-specific calculations performed to examine the effects of alternate modeling approaches or assumptions,
  • if analyses of a surrogate (i.e., "similar") plant are used as a basis for characterizing any aspect of severe accident progression in the plant being analyzed, references to, or copies of documentation of the original analysis, and a description of the technical basis for assuring the applicability of results, and
  • for all other original engineering calculations, a sufficiently complete description of the analysis method, assumptions and calculated results is prepared to accommodate an independent (peer) review.

3.1.2 Establishing Containment Performance Limits

The objective of this element of a Level 2 PRA is to determine the loading limits (or capacity) that the containment can withstand given the range and magnitude of the potential challenges. These challenges take many forms, including internal pressure rises (that occur over a sufficiently long time frame that they can be considered "static" in terms of the structural response of the containment), high temperatures, thermo-mechanical erosion of concrete structures, and under some circumstances, localized dynamic loads such as shock waves and internally generated missiles. Realistic estimates for the capacity of the containment structure to withstand these challenges are generated to provide a benchmark against which the likelihood of containment failure can be estimated.

In a Level 2 PRA the attributes of the analyses necessary to characterize containment performance limits are consistent with those of the containment load analyses against which they will be compared:

  • They focus on plant-specific containment performance (i.e., application of reference plant analyses is generally inadequate).
  • They consider design details of the containment structure such as:
      - containment type (free-standing steel shell, concrete-backed steel shell; pre-stressed, post-tensioned, or reinforced concrete)
      - the full range of penetration sizes, types, and their distribution (equipment and personnel hatches, piping penetrations, electrical penetration assemblies, ventilation penetrations)
      - penetration seal configuration and materials
      - discontinuities in the containment structure (shape transitions, wall anchorage to floors, changes in steel shell or concrete reinforcement).
  • They consider interactions between the containment structure and neighboring structures (the reactor vessel and pedestal, auxiliary building(s), and internal walls).

3.1.2.1 Considerations for the Baseline PRA

A thorough assessment of containment performance generally begins with a structured process of identifying potential containment failure modes (i.e., mechanisms by which integrity might be violated). This assessment commonly begins by reviewing a list of failure modes identified in PRAs for other plants to determine their applicability to the current design. Such a list was incorporated in the NRC's guidance for performing an individual plant examination (IPE) (Ref. 3.19). This review is then supplemented by a systematic examination of plant-specific design features and emergency operating procedures to ascertain whether additional, unique failure modes are conceivable. For each plausible failure mode, containment performance analyses are performed using validated structural response models, as well as plant-specific data for structural materials and their properties.

For many containment designs overpressure has been found to be a dominant failure mechanism. In a quality Level 2 PRA, the evaluation of ultimate pressure capacity is performed using a plant-specific, finite-element model of the containment pressure boundary including sufficient detail to represent major discontinuities such as those listed above. The influence of time-varying containment atmosphere temperatures is taken into account by performing the calculation for a reasonable range of internal temperatures. To the extent that internal temperatures are anticipated to be elevated for long periods of time (e.g., during the period of aggressive core-concrete interactions), thermal growth and creep rupture of steel containment structures is taken into account.

The characterization of containment performance limits is not simply a matter of defining a threshold load at which the structure "fails." A Level 2 PRA attempts to distinguish between structural damage that results in "catastrophic failure" of the containment from damage that results in significant leakage to the environment. Leakage is often characterized by a smaller opening (i.e., one that may not preclude subsequent increases in containment pressure).

Significant leakage is defined relative to the design basis leakage for the plant. Leakage rates greater than 100 times the design basis have been found risk significant in past studies.

Failure to isolate the containment is also considered. It is very important to assess both the containment failure because of the implications for the source term calculation, e.g., vessel releases inside containment. a rupture in the drywell of a Mark II containment the environment than a leak in the wetwell.

Current models for the response of complex structures to even "simple" loads (such as intem sufficiently robust to allow simultaneous prediction of a failure threshold and resulti true for structures composed of non-homogeneous materials with highly non-linear mech sv.fM concrete. As a result, calculations to establish performance limits are supplemen experimental observations of containment failure characteristics and expert judgmen be found in NUREG-1150.

Failure location and size by dynamic pressure loads and internally generated missiles sho examined. The structural response panel for NUREG-1150 assessed the size and locatio by dynamic pressure loads for Grand Gulf (reinforced concrete) and Sequoyah (fr ruptures were predicted to occur in the containment response to detonations at Gl to occur at Sequoyah. Alpha mode failure (for all NUREG-1150 plants) and steel shell mel w311 by direct contact of core debris (for Peach Bottom and Sequoyah) were treated a in NUREG-1150.

Basemat melt-through is generally treated as a leak in most Level 2 PRAs because of the p as well as the predicted radionuclide retention in the soil. If a bypass of containment such as LOCA, is predicted to occur, then its effective size and location (e.g., probability that the b are also estimated in order to perform the source term calculations.

3.1.2.2 Application Impact Considerations

A change in the plant's CLB could impact the limits of containment performance The containment structural capability or the reliability of containment isolation could be affected by changes in equip etc. If this is a consideration, the analysis of the containment performance limits should be detailed en for such an impact. For instance, if a change in the CLB could affect the containment isolation system, this syste should be modeled in sufficient detail to reflect this change.

3.1.2.3 Interfaces with Other Tasks

The containment performance limits established by this task form a crucial input to the probab containment performance and the ability of the containment to withstand the challenges from seve

3.1.2.4 Documentation

In general, sufficient information in the documentation of analyses performed to establish quan performance limits is provided that allows an independent analyst to reproduce the result following information is documented for a PRA:

  • a general description of the containment structure including illustrative figures to indic configuration, penetration types and location, and major construction materials,
  • a description of the modeling approach used to calculate or otherwise define containment failure criteria,
  • if computer models are used (e.g., finite element analysis to establish overpressure failure criteria), a description of the way in which the containment structure is nodalized including a specific discussion of how local discontinuities, such as penetrations, are addressed, and
  • if experimentally determined failure data are used, a sufficiently detailed description of the experimental conditions to demonstrate applicability of results to plant-specific containment structures.

3.1.3 Probabilistic Modeling of Containment Performance

The way in which uncertainties are represented in the characterization of containment performance is an important consideration in a Level 2 PRA. In particular, explicit and quantitative recognition should be given to uncertainties in the individual processes and parameters that influence severe accident behavior and attendant containment performance. These uncertainties are then quantitatively integrated by means of a probabilistic logic structure that allows the conditional probability of containment failure to be quantitatively estimated, as well as the uncertainty in the containment failure probability.

Two elements of such an assessment are described below. First, the characteristics of the logic structure used to organize the various contributors to uncertainty are described. However, the major distinguishing element of an approach to characterizing containment performance is the assignment and propagation of uncertainty distributions for major events in the logic model. The key phrase here is uncertainty distributions (i.e., point estimates of probability are not universally applied to the logic model). Characteristics of these distributions and the manner in which they are used in a typical logic model are described later in this section.

3.1.3.1 Considerations for the Baseline PRA

The primary function of a "containment event tree," or any other probabilistic model evaluating containment performance, is to provide a structured framework for organizing and ranking the alternative accident progressions that may evolve from a given core damage sequence or a plant damage state. In developing this framework, whether it be in the form of an event tree, fault tree or other logic structure, several elements are necessary to allow a comprehensive assessment of containment performance:

  • Explicit recognition of the important time phases of severe accident progression. Different phenomena may control the nature and intensity of challenges to containment integrity and the release and transport of radionuclides as an accident proceeds in time. The following time frames are of particular interest to a Level 2 analysis:
      - After the initiating event, but before the onset of core damage. This time period establishes important initial conditions for containment response after core damage begins.

Uncertainties in the estimation of radionuclide source terms are also represented in a Level 2 PRA; however, this topic is discussed in Section 3.2.

      - After the core damage begins, but prior to failure of the reactor vessel lower head. This p is characterized by core damage and radionuclide release (from fuel) while core material is within the reactor vessel.
      - Immediately following reactor vessel failure. Prior analysis of containment performance suggests that many of the important challenges to containment integrity occur immediately following vessel failure. These challenges may be short lived, but often occur only as a direct consequence of the release of molten core materials from the reactor vessel immediately following lower head failure.
      - Long-term accident behavior. Some accident sequences evolve rather slowly and generate relatively benign loads to containment structures early in the accident progression. However, in the absence of some mechanism by which energy generated within the containment can be safely rejected to the environment, these loads may steadily increase to the point of failure in the long term.

When linked end-to-end, these time frames constitute the outline for most probabilistic containment performance models. Within each time frame, uncertainties in the occurrence or intensity of phenomena are systematically evaluated.

  • Consistency in the treatment of sesere accident esents from one time frame to another. Many phenom occur during several different time frames of a severe accident. However..certain limitations apply t composite (integral) contribution of some phenomena oser the entire accident sequence and thes represented in the formulation of a probabilistic model.

A good example is hydrogen combustion in a PWR containment. Hydrogen generated during core degradation can be released to the contamment oser several time periods. However an importa to the uncertainty in containment loads generated by a combustion event is the total mass of hydrogen imohed in a pamcular combustion event. One possibility is slut hydrogen released to the containment ove the entire in-s essel core damage penod accumulates without being burned (perhaps) as a result of the absenc of a sumciently strong ignition source. Molten core debris released to the reactor casity at sessel br could represent a strong ignition source, which w ould initiate a large burn (assuming the cavity at is not steam inert). Because of the mass of hydrogen involved this combustion event might challenge contamment integrity. Anoth:r possibility is that while the same total amount of hydrogen is bemg re to the containment durin'g inoessel core degradation. a sufficiently strong ignition source exists to cause several small burns to occur prior to vessel breach. In this case. the mass of hydrogen remammg in the containment atmosphere at vessel breach would be very small in comparison to the first case, and the 4 likelihood of a significant challenge to comainment integnty at that time should be correspondingly lower. Ther: fore. the logic for evaluating the probability of containment failure associated with a large combust

                                          .sent occumng at the time of sessel breach is able to distinguish these two cases and preclude the poss of a large combustion esent if hydrogen wits consumed during an earlier time frame.

  • Recognition of the interdependencies of phenomena. Most severe accident phenomena and associated events require certain initial or boundary conditions to be relevant. For example, a steam explosion can only occur if molten core debris comes in contact with a pool of water. Therefore, it may not be meaningful to consider ex-vessel steam explosions during accident scenarios in which the drywell floor (BWR) or reactor cavity (PWR) is dry at the time of vessel breach. Logic models for evaluating containment performance capture these and many other such interdependencies among severe accident events and phenomena. Explicit representation of these interdependencies provides the mechanism for allowing complete traceability between a particular accident sequence (or PDS) and a specific containment failure mode.

There are many approaches to transforming the technical information concerning containment loads and performance limits to an estimate of failure probability, but three approaches appear to dominate the literature. In the first (least rigorous) approach, qualitative terms expressing various degrees of uncertainty are translated into quantitative (point estimate) probabilities. For example, terms such as "likely" or "unlikely" are assigned numerical values (such as 0.9 and 0.1). Superlatives, such as "very" likely or "highly" unlikely, are then used to suggest degrees of confidence that a particular event outcome is appropriate. The subjectivity associated with this method is controlled to some extent by developing rigorous attributes for the amount and quality of information necessary to justify progressively higher confidence levels (i.e., probabilities approaching 1.0 or 0.0). Nonetheless, this method is not considered an appropriate technique for assigning probabilities to represent the state of knowledge uncertainties* in a PRA. Among its weaknesses, this approach simply produces a point estimate of probability and is not a rigorous technique for developing probability distributions.

The second technique involves a convolution of paired probability density functions. In this technique, probability density functions are developed to represent the distribution of credible values for a parameter of interest (e.g., containment pressure load) and for its corresponding failure criterion (e.g., ultimate pressure capacity). This method is more rigorous than the one described above in the sense that it explicitly represents the uncertainty in each quantity in the probabilistic model. The basis for developing these distributions is the collective set of information generated from plant-specific integral code calculations, corresponding sensitivity calculations, other relevant mechanistic calculations, experimental observations, and expert judgment. The conditional probability of containment failure (for a given accident sequence) is then calculated as the convolution of the two density functions. While this technique provides an explicit treatment of uncertainty at intermediate stages of the analysis, it still ultimately generates a point estimate for the probability of containment failure caused by a particular mechanism. The contributions to (and magnitude of) uncertainty in the final (total) containment failure probability are discarded in the process.

The third technique involves adding an additional feature to the technique described above. That is, the probability density functions representing uncertainty in each term of the containment performance logic model are propagated throughout the entire model to allow calculation of statistical attributes such as importance measures. One means for accomplishing this objective is the application of Monte Carlo sampling techniques (such as Latin Hypercube sampling). The application of this technique to Level 2 PRA logic models, pioneered in NUREG-1150, accommodates a large number of uncertain variables. Other techniques have been developed for specialized applications, such as the direct propagation of uncertainty technique developed to assess the probability of containment failure as a result of direct containment heating in a large dry PWR (Ref. 3.16). However, these other techniques are constrained to a small number of variables and are not currently capable of applications involving the potentially large number of uncertain variables addressed in a quality Level 2 PRA.
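The second and third techniques described above, as an added example that is not part of the draft NUREG or of any NRC code: the load/capacity convolution reported as a point estimate, then Latin Hypercube propagation of each term's uncertainty through a three-term logic model for the large-burn-at-vessel-breach case, with rank correlations as importance measures. Every distribution, pressure value and branch probability below is constructed for illustration.

```python
"""Added illustration: load/capacity convolution and LHS propagation.
All distributions and numbers below are constructed for the example."""
import math
import random
from statistics import NormalDist

# Constructed inputs (MPa): spread of load and capacity about fixed means.
LOAD_SIGMA, CAP_SIGMA = 0.08, 0.07
# State-of-knowledge uncertainty in each term of a three-term logic model,
# given as inverse CDFs so Latin Hypercube strata map straight to values.
TERMS = {
    "p_h2_unburned": lambda u: 0.2 + 0.4 * u,         # no small burns before vessel breach
    "load_mean": NormalDist(0.55, 0.05).inv_cdf,      # mean burn pressure load
    "capacity_mean": NormalDist(0.85, 0.08).inv_cdf,  # mean ultimate pressure capacity
}


def convolve(load, capacity, steps=1000):
    """Second technique: P(load > capacity) = integral f_load(p) * F_capacity(p) dp."""
    lo, hi = load.mean - 8 * load.stdev, load.mean + 8 * load.stdev
    h = (hi - lo) / steps
    total = 0.0
    for i in range(steps + 1):
        p = lo + i * h
        weight = 0.5 if i in (0, steps) else 1.0  # trapezoid rule end points
        total += weight * load.pdf(p) * capacity.cdf(p)
    return total * h


def closed_form(load, capacity):
    """Analytic value of the same integral, valid only for two normal densities."""
    z = (load.mean - capacity.mean) / math.hypot(load.stdev, capacity.stdev)
    return NormalDist().cdf(z)


def sequence_failure(p_h2_unburned, load_mean, capacity_mean):
    """Logic model: a large burn at vessel breach needs unburned hydrogen,
    and then fails containment only if the load exceeds the capacity."""
    return p_h2_unburned * convolve(NormalDist(load_mean, LOAD_SIGMA),
                                    NormalDist(capacity_mean, CAP_SIGMA))


def point_estimate():
    """What the second technique alone reports: one number at the median inputs."""
    return sequence_failure(*(inv(0.5) for inv in TERMS.values()))


def latin_hypercube(n, inverse_cdfs, rng):
    """One draw from each of n equal-probability strata per variable, shuffled."""
    columns = []
    for inv in inverse_cdfs:
        u = [(i + rng.random()) / n for i in range(n)]
        rng.shuffle(u)
        columns.append([inv(min(max(x, 1e-12), 1 - 1e-12)) for x in u])
    return list(zip(*columns))


def spearman(xs, ys):
    """Rank correlation (no ties expected for continuous samples)."""
    def ranks(values):
        order = sorted(range(len(values)), key=values.__getitem__)
        out = [0] * len(values)
        for rank, index in enumerate(order):
            out[index] = rank
        return out
    n = len(xs)
    d2 = sum((a - b) ** 2 for a, b in zip(ranks(xs), ranks(ys)))
    return 1 - 6 * d2 / (n * (n * n - 1))


def propagate(n=400, seed=1602):
    """Third technique: carry every term's uncertainty through the whole model."""
    rng = random.Random(seed)
    samples = latin_hypercube(n, TERMS.values(), rng)
    probs = [sequence_failure(*s) for s in samples]
    ordered = sorted(probs)
    importance = {name: spearman([s[k] for s in samples], probs)
                  for k, name in enumerate(TERMS)}
    return {"mean": sum(probs) / n, "p05": ordered[int(0.05 * (n - 1))],
            "p95": ordered[int(0.95 * (n - 1))], "importance": importance}


if __name__ == "__main__":
    print("point estimate:", point_estimate())
    print("propagated    :", propagate())
```

With these constructed inputs the propagated mean sits well above the point estimate taken at the median inputs, which is the information the second technique discards.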

3.1.3.2 Application Impact Considerations

A change in a plant's CLB could affect the likelihood with which certain containment failures occur and the uncertainties associated with these failures. If this is the case, the probabilistic containment model should be detailed enough to account for the effects of such changes.

* Such uncertainties tend to dominate a Level 2 PRA, rather than uncertainty associated with random behavior.


i 3.1.3.3 Interfacen witi Other Ta.k.

}:

This task iritegrates many of the results produced from the other tasks discussed. For instance. the containment performance limits established under the previous task proside many of the anchor points for the probability distributions used in this task.

3. h3..I Darumentarism J The following documentation is generated to provide the results and describe the process by winich the conditional probability of containment failure is calculated:
                                             .            tabulated conditional probabilities of various containment failure modes with specific characterizations of time phases of sesere accident progressions (e.g.. carly vs. late containment failures).
                                             .            a listing .nd description of the structure of the ovem:I logic model used to assemble the probabilistic representation of containment performance (graphical displays of events trees, fault trees or other logic formats are crovided to illustrate the logic hierarchy and event ig-Weies).

4

                                              .           a description of the technical basis (with complete references to documentation of original engineering analyses) for the assignment of all probabilities or probability disnibutions with the logic structure.

a a description of the rationale used to assign probability values to phenomena or events inmiving subjective. expertjudgment, and

                                               .           a description of the computer program used to exercise the logic model and calculate fmal results.

3.2 Radionuclide Release Characterization

The second, albeit equally important, product of a Level 2 PRA is a quantitative characterization of radiological release to the environment resulting from each accident sequence that contributes to the total CDF. In many Level 2 analyses, this information is used solely as a semi-quantitative scale to rank the relative severity of accident sequences. In such circumstances, a rigorous quantitative evaluation of radionuclide release, transport, and deposition may not be necessary. Rather, order-of-magnitude estimates of the release for a few important radionuclide species provide a satisfactory scale for ranking accident severity. In a Level 2 PRA, however, the characterization of radionuclide release to the environment provides sufficient information to completely define the source term for use in a Level 3 PRA to calculate offsite consequences. Further, the level of rigor required of the evaluation of radionuclide release, transport, and deposition directly parallels that used to evaluate containment performance. That is,

  • Source term analyses (deterministic computer code calculations) reflect plant-specific features of system design and operation. In particular, plant-specific characteristics, such as quantity of fuel, control rod material, and in-core support structure composition and spatial distribution; configuration and deposition areas of primary coolant system and containment structures; reactor cavity (or drywell floor) configuration and concrete composition; and the topology of transport pathways from the fuel and/or core debris to the environment are faithfully represented in the models used to calculate radionuclide source terms.
  • Calculations of radionuclide release, transport, and deposition represent sequence-specific variations in primary coolant system and containment characteristics. For example, reactor vessel pressure during in-vessel core melt progression and the operation (or failure) of containment mitigation systems such as distributed sprays are specified in a manner that allows for their effects on radionuclide release and/or transport to be directly accounted for. Radionuclide release calculations also need to take into account scrubbing of the release by passive systems, such as overlying pools of water in the reactor cavity or the suppression pool in BWRs.
  • Uncertainties in the processes governing radionuclide release, transport and deposition are quantified. In the same way uncertainties in the processes governing severe accident progression are quantified to characterize uncertainty in the probability of containment failure (described above), uncertainties related to radionuclide behavior under severe accident conditions are quantified to characterize uncertainty in the radionuclide source term associated with individual accident sequences.

The specific manner in which radionuclide source terms are characterized in a Level 2 analysis is described first. Attributes for coupling the evaluation of radionuclide release to analyses of severe accident progression for particular sequences are also described. Finally, attributes for addressing uncertainties in radionuclide source terms are described.

3.2.1 Definition of Radionuclide Source Terms

3.2.1.1 Considerations for the Baseline PRA

The analysis of offsite consequences resulting from an accidental release of radionuclides performed in a Level 3 PRA requires specification of several parameters from a Level 2 PRA which define the environmental source term. Ideally, the following information is developed:

  • the time at which a release begins,
  • the time history of the release of all important radioisotopes that contribute to health effects,
  • the chemical form of the isotopes,
  • the elevation (above local ground level) at which the release occurs,
  • the energy with which the release is discharged to the environment, and
  • the size distribution of radioactive material released in the form of an aerosol (i.e., particulate).

As in many other aspects of a comprehensive PRA, it is impractical to generate this information for the full spectrum of accident conditions produced by Level 1 and 2 analyses. To address this constraint, several simplifications are made in a Level 2 analysis. The most significant of these are outlined below. The following assumptions are typically made in a Level 2 analysis regarding the radioactive material of interest:

  • All isotopes of a single chemical element are released from the fuel at the same rate.


  • Chemical elements exhibiting similar properties in terms of their measured rate of release from fuel, transport through the reactor coolant system and the containment, and chemical behavior in terms of interactions with other elemental species and structural surfaces can be effectively modeled as one radionuclide species. Typically, the specific properties of a single (mass dominant) element are used to represent the properties of all species within a group.

Although the radionuclide species are released from fuel in their elemental form, many species react with other elements to form compounds as they migrate away from their points of release. The formation of these compounds and the associated change in the physico-chemical properties of individual radionuclide groups are taken into account in the analysis of radionuclide transport and deposition. In particular, volatile radionuclide species, such as cesium, may be transported in more than one chemical form--each with different properties that af

Another simplification in the characterization of radionuclide release involves the treatment of time-dependence of release. In a Level 2 PRA, these variations are reduced to a series of discrete periods of radiological release, each of which is described by a starting time, a duration, and a (constant) release rate. The release rate may be simplified to represent major characteristics of the release history such as an early, short-lived large release following containment failure followed by a longer period(s) of a sustained release. The specific characteristics of these discrete release periods may vary from one accident sequence (or plant damage state) to another, but the timing characteristics (i.e., start time and duration) should be the same for each radionuclide group (i.e., only the release varies from one group to another for a given release period). The total number of release periods is typically small (3 or 4), and they represent distinct periods of severe accident progression. For example, the following time periods are representative of an accident leading to early structural failure of containment:

  • Very early (containment leakage prior to containment failure),
  • Puff release (immediately following containment failure),
  • Early (relatively large release rate period during aggressive corium-concrete interactions),
  • Late (long-term, low release rate following corium-concrete interactions).

Note that the above time periods are for illustrative purposes only; others are developed, as necessary, to suit the specific results of a plant-specific assessment.

3.2.1.2 Application Impact Considerations

The impact of any suggested changes on availability of systems that mitigate radionuclide releases should be assessed.

3.2.1.3 Interfaces with Other Tasks

The radionuclide groupings and release periods chosen will provide the basis for the remaining radionuclide source term tasks.

3.2.1.4 Documentation

Documentation of analyses performed to characterize radiological source terms should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented in a PRA:

  • The radionuclide grouping scheme used and the assumptions made to obtain it should be clearly described.
  • The time periods considered for the release and the rationale for the choices made.

3.2.2 Coupling Source Term and Severe Accident Progression Analyses

The number of unique severe accident sequences represented in a Level 2 PRA can be exceedingly large. Comprehensive probabilistic consideration of the numerous uncertainties in severe accident progression can easily propagate one accident sequence (or plant damage state) from the Level 1 systems analysis into IU'to 10' alternative severe accident progressions. A radionuclide source term should be estimated for each of these accident progressions. Clearly, it is impractical to perform that many deterministic source term calculations.

3.2.2.1 Considerations for the Baseline PRA

A common practice in many Level 2 PRAs (although insufficient for a comprehensive assessment) is to reduce the analysis burden by grouping the alternative severe accident progressions into "source term bins" or "release categories." This grouping process is analogous to the one used at the interface between the Level 1 and Level 2 analysis to group accident sequence cutsets into plant damage states. The principal objective of the source term grouping (or binning) exercise is to reduce the number of specific severe accident scenarios, for which deterministic source term calculations should be performed, to a practical value. A structured process similar to the one described in Chapter 2 (related to the assessment of accident sequences addressed in a quality Level 2 PRA) is typically followed to perform the grouping. Characteristics of severe accident behavior and containment performance that have a controlling influence on the magnitude and timing of radionuclide release to the environment are used to bin (or group) the alternative accident progressions into appropriate release categories. A deterministic source term calculation is then performed for a single (typically the highest frequency) accident progression within each release category to represent the entire group.

As indicated above, this approach is inadequate for a Level 2 analysis because the radionuclide source term for any given severe accident progression cannot be calculated with certainty. The influence of uncertainties related to the myriad processes governing radionuclide release from fuel, transport through the primary coolant system and containment, and deposition on intervening structures is significant and should be quantified with a similar level of rigor afforded to severe accident progression uncertainties. Examples of these uncertainties were given in Chapter 2. Further, a Level 2 PRA is performed in a manner that allows the relative contribution of individual parameter uncertainties to the overall uncertainty in risk to be calculated directly (i.e., via rank regression or some other statistically acceptable manner). This requires a probabilistic modeling process that combines the uncertainty distributions associated with the evaluation of accident frequency, severe accident progression, containment performance, and radionuclide source terms in an integrated, self-consistent fashion.

In performing this uncertainty analysis, special care should be taken to ensure consistency between uncertain parameters associated with radionuclide release, transport and deposition, and other aspects of accident behavior. In particular, important correlations between the behavior of radionuclides and the other characteristics of severe accident progression should be accounted for. These correlations and other similar relationships are described in NUREG/CR-4551 (Ref. 3.20).

3.2.2.2 Application Impact Considerations

If the complete integrated uncertainty approach associated with a Level 2 a changes in a plant's CLB will impact the coupling of the source term and th If a grouping or binning process is chosen and only deterministic source t accident scenarios, then care should be taken that the chosen accident scenarios are capable of reflecting any impact a change in the plant's CLB may have on the source terms.

3.2.2.3 Interfaces with Other Tasks

As noted in the description above, this task requires the integration of the distributions of accident frequency, accident progression, containment performance, and radionuclide source terms.

3.2.2.4 Documentation

Documentation of analyses performed to characterize radiological source terms should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented in a PRA:

  • A summary of all computer code calculations used as the basis for estimating plant-specific source terms for selected accident sequences, specifically identifying those with potential for large releases.
  • A description of modeling methods used to perform plant-specific source term calculations, and a description of the method by which source terms are assigned to accident sequences for which (e.g., MAAP or MELCOR) calculations were not performed.
  • If analyses of a surrogate (i.e., similar) plant are used as a basis for characterizing radionuclide release, transport or deposition in the plant being analyzed, references to, or copies of, documentation of the original analysis, and a description of the technical basis for results.

3.2.3 Treatment of Source Term Uncertainties

Results of the Level 2 PRAs described in NUREG-1150 indicate that uncertainties associated with the processes governing radionuclide release from fuel, transport through the primary coolant applicable), and containment, and deposition on bounding structures, can be a m some measures of risk. Uncertainties in the processes specifically related to radionuclide source term assessment represented in a Level 2 PRA. A systematic process and calculation tools to ac into the overall evaluation of severe accident risks were developed for the Level 2 PRAs A detailed description of this process and the associated tools is not provided here and NUREG/CR-4551, Vol. 2, Part 4 (Ref. 3.20), NUREG-1335, Appendix A (Ref. 3.19), NU and NUREG/CR-5747 (Ref. 3.22) for additional information on these topics.

3.2.3.1 Considerations for the Baseline PRA

The areas in which key uncertainties are addressed in a Level 2 analysis are summarized below:

  • Magnitude of radionuclide release from fuel during core damage and relocation of the released material in-vessel (primarily for volatile and semi-volatile radionuclide species),
  • Chemical form of iodine for transport and deposition,
  • Retention efficiency during transport through the primary and secondary coolant systems,
  • Magnitude of radionuclide release from fuel (primarily refractory metals) and non-radioactive aerosol generation during corium-concrete interactions,
  • Decontamination efficiency of radionuclide flow streams passing through pools of water (BWR suppression pools and PWR containment sumps),
  • Late revaporization and release of iodine initially captured in water pools, and
  • Capture and retention efficiency of aerosols in containment and secondary enclosure buildings.

When deterministic codes are being used to estimate the source term, it is important to account for all of the relevant phenomena even when the code does not explicitly include models for all of the phenomena. When a model is not available for certain important phenomena, it is not acceptable to simply ignore the phenomena. Instead, alternative methods, such as consulting different code calculations, using specialized codes, or assessing relevant experimental results, should be used.

When consequences are being estimated in the PRA, it is important to accurately represent the timing of the release. Past studies have shown that the number of early fatalities can be particularly sensitive to when the release occurs relative to when emergency response actions such as a general evacuation of the close-in population are initiated. Hence, it is also important that the approach used to estimate the source term properly accounts for timing characteristics of the release.

3.2.3.2 Application Impact Considerations

It is not likely that changes in a plant's CLB will impact the treatment of uncertainties in the radionuclide source term.

3.2.3.3 Interfaces with Other Tasks

The establishment of uncertainties in the radionuclide source term requires correct propagation of uncertainties through the accident progression.

3.2.3.4 Documentation

Documentation of analyses performed to characterize radiological source terms should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, a description of the method by which uncertainties in source terms are addressed should be documented for a quality PRA.


REFERENCES FOR CHAPTER 3

3.1 EPRI, "MAAP4 - Modular Accident Analysis Program for LWR Power Plants," RP313102, Vols. 1-4, Electric Power Research Institute, 1994.

3.2 R. M. Summers, et al., "MELCOR Computer Code Manuals - Version 1.8.3," NUREG/CR-6119, SAND93-2185, Vols. 1-2, Sandia National Laboratories, 1994.

3.3 USNRC, "Uncertainty Papers on Severe Accident Source Terms," NUREG-1265, 1991.

3.4 F. T. Harper, et al., "Evaluation of Severe Accident Risks: Quantification of Major Input Parameters, Expert Opinion Elicitation on In-Vessel Issues," NUREG/CR-4551, Volume 2, Revision 1, Part 1, Sandia National Laboratories, December 1990.

3.5 USNRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, December 1990.

3.6 J. J. Gregory, et al., "Evaluation of Severe Accident Risks: Sequoyah, Unit 1," NUREG/CR-4551, Volume 5, Revision 1, Parts 1 and 2, December 1990.

3.7 T. D. Brown, et al., "Evaluation of Severe Accident Risks: Grand Gulf, Unit 1," NUREG/CR-4551, Volume 6, Revision 1, Parts 1 and 2, December 1990.

3.8 T. Blanchat and D. Stamps, "Deliberate Ignition of Hydrogen-Air-Steam Mixtures Under Conditions of Rapidly Condensing Steam," SAND 94-310lf, 22nd Water Reactor Safety Meeting, Bethesda, MD, October 24-26, 1994.

3.9 C. K. Park, et al., "Evaluation of Severe Accident Risks: Zion Unit 1," NUREG/CR-4551, Volume 7, Revision 1, BNL-NUREG-52029, Brookhaven National Laboratory, March 1993.

3.10 R. J. Breeding, et al., "Evaluation of Severe Accident Risks: Surry Unit 1," NUREG/CR-4551, SAND86-1309, Vol. 3, Rev. 1, Part 1, Sandia National Laboratories, October 1990.

3.11 1. S Basu, "An Overview of the Ex-Vessel Debris Coolability Issue," Presented at the 21st Water Reactor Safety Meeting (WRSM), Bethesda, MD, October 26, 1993.

3.12 R. E. Blose, et al., "SWISS: Sustained Heated Metallic Melt/Concrete Interaction with Overlying Water Pools," NUREG/CR-4727, July 1987.

3.13 W. W. Tarbell, et al., "Sustained Concrete Attack by Low Temperature, Fragmented Core Debris," NUREG/CR-3024, July 1987.

3.14 R. E. Blose, et al., "Core-Concrete Interactions with Overlying Water Pools - The WETCOR-1 Test," NUREG/CR-5907, November 1993.

3.15 B. W. Spencer, et al., "Results of MACE Tests M0 and M1," Proceedings of the 2nd CSNI Specialists Meeting on Molten Core Debris-Concrete Interactions, Karlsruhe, Germany, Report No. NEA/CSNI/R(92)10, April 1992.

3.16 M. M. Pilch, et al., "The Probability of Containment Failure by Direct Containment Heating in Zion," NUREG/CR-6075, Sandia National Laboratories, 1994.

3.17 M. M. Pilch, et al., "Resolution of the Direct Containment Heating Issue for all Westinghouse Plants with Large Dry Containment or Subatmospheric Containment," NUREG/CR-6338, SAND95-2381, February 1996.

3.18 T. G. Theofanous, et al., "The Probability of Mark-I Containment Failure by Melt-Attack of the Liner," NUREG/CR-6025, November 1993.

3.19 USNRC, "Individual Plant Examination: Submittal Guidance," NUREG-1335, August 1989.

3.20 F. T. Harper, et al., "Evaluation of Severe Accident Risks: Quantification of Major Input Parameters," NUREG/CR-4551, SAND86-1309, Vol. 2, Rev. 1, Part 4: Experts' Determination of Source Term Issues, Sandia National Laboratories, 1992.

3.21 H-J. Jow, et al., "XSOR Codes User Manual," NUREG/CR-5360, SAND89-0943, Sandia National Laboratories, 1993.

3.22 H. P. Nourbakhsh, "Estimate of Radionuclide Release Characteristics into Containment Under Severe Accident Conditions," NUREG/CR-5747, BNL-NUREG-52289, November 1993.

4. INTERNAL EVENT LEVEL 3 PRA FOR FULL POWER OPERATIONS

This chapter provides attributes for a Level 3 probabilistic risk assessment (PRA) for accidents initiated during full power operations of a nuclear power plant. A Level 3 PRA evaluates the consequences of an accidental release of radioactivity to the environment. Therefore, those PRA applications (e.g., averted dose, impact of evacuation on early fatalities, etc.) that need information on offsite consequences should include a Level 3 PRA. A Level 3 PRA is also needed if the application necessitates that numerical values for risk be determined (e.g., for comparison with the U.S. Nuclear Regulatory Commission's [NRC's] quantitative health objectives, QHO). Accidents initiated by internal events including internal fire and floods are addressed in the following section. Accidents initiated by external events are addressed in Chapter 5.

Analysis tasks performed as part of the Level 3 portion of a full-scope PRA consist of two major elements:

  • accident consequence analysis, and
  • computation of risk by integrating the results of Level 1, 2 and 3 analyses.

Attributes for an analysis in each of these areas are described below.

4.1 Accident Consequence Analysis

The consequences of an accidental release of radioactive material from a nuclear power plant can be expressed in several forms, for example, impacts on human health, the environment, and economic impacts. The consequence measures of most interest to a Level 3 PRA focus on impacts to human health. Specific measures of accident consequences developed in a Level 3 PRA should include:

  • Number of early fatalities
  • Number of early injuries
  • Number of latent cancer fatalities
  • Population dose to various distances from the plant
  • Individual early fatality risk defined in the early fatality QHO (i.e., risk to the average individual within 1 mile of the site boundary)
  • Individual latent cancer risk defined in the latent cancer QHO (i.e., risk to the average individual within 10 miles of the plant)
  • Land contamination.


l .* s 4 Internal Event Level 3 PRA for Full Power Operations 4.1.1 Considerations for tiie Bueline PRA Several probabilistic consequence assessment (PCA)hes are currentl.s in postulated radiological releases. The MACCS computer code'* is supported by plant Level 3 PRAs. An earlier version of this code us used in the analyses re The MACCS c(;de necessitates a substantial amount of supponing information f on loca wimispeed. atmospheric stability, and pn. :ipiration. demography. Land use. propen 3 a complete description of the input data necessary). In a full-scope evaluation of information should represent currer.t. site-specific conditions. In addition. MACCS requires that the analyst make asswnptions on the values of several implementation of protective actions following an accident. for exarnple

  • The (site-specific) time needed to warn the public and initiate the emergency response sheltering).
  • The effective evacuation speed.
  • The fraction of the offsite population which effectively participates in the emergency response
  • The degree of radiation shielding afforded by the building stock in the area.
  • The projected dose limits assumed to trigger normal and hot spot relocation during the
  • The projected dose limits for long term relocation from contaminated land and
  • The projected ingestion doses used to interdict contaminated farmland

Since the values assumed for the above parameters have a significant impact on the conse selected values need to be justified and documented.

4.1.2 Application Impact Considerations

It is unlikely that a change in a plant's current licensing basis (CLB) would affect the accident consequen assessment. However, if the application necessitates knowledge of a particular risk measure (e. for cost-benefit analysis or individual risk for comparison to the NRC's quantitative health objec consequence model used should be able to calculate these parameters.

D.I. Chanin, et al., "MELCOR Accident Consequence Code System (MACCS), User's Guide," NUREG/CR-4691, SAND86-1562, Sandia National Laboratories, 1990.

USNRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Powe December 1990.

4.1.3 Interfaces with Other Tasks

This task interfaces with the output of the Level 2 PRA and provides the magnitude of various risk measures conditional on a release occurring. The output of this task is used in the computation of risk (Section 4.2).

4.1.4 Documentation

Documentation of analyses performed to estimate consequences associated with the accidental release of radioactive material to the environment should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented for a PRA:

  • A description of the site-specific data and assumptions used to perform the consequence calculations.

4.2 Computation of Risk

The final step in a Level 3 PRA is the integration of results from all previous analyses to compute the selected measures of risk. The severe accident progression and the fission product source term analyses conducted in the Level 2 portion of the PRA, as well as the consequence analysis conducted in the Level 3 part of the PRA, are performed on a conditional basis. That is, the evaluations of alternative severe accident progressions, resulting source terms and consequences, are performed without regard to the absolute or relative frequency of the postulated accidents.

The final computation of risk is the process by which each of these portions of the accident analysis are linked together in a self-consistent and statistically rigorous manner.

4.2.1 Considerations for the Baseline PRA

The important attribute by which the rigor of the process is judged is the ability to demonstrate traceability from a specific accident sequence through the relative likelihood of alternative severe accident progressions and measures of attendant containment performance (i.e., early versus late failure) and ultimately to the distribution of fission product source terms and accident consequences. This traceability should be evident in both directions: i.e., accident sequence to a distribution of consequences and from a specific level of accident consequences back to the fission product source terms, containment performance measures, or accident sequences that contribute to that consequence level.

4.2.2 Application Impact Considerations

It is unlikely that a change in a plant's CLB would affect the method used to compute risk. However, if the application necessitates knowledge of a particular risk measure (e.g., population dose for cost-benefit analysis or individual risk for comparison to the NRC's quantitative health objectives), the risk integration model used should be able to calculate these parameters.

4.2.3 Interfaces with Other Tasks

This task interfaces with the output of the Level 1 and 2 PRA tasks and calculates various risk measures.

4.2.4 Documentation

Documentation of analyses performed to estimate risk should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented for a PRA:

  • A description of modeling methods used to assign consequences to individual accident se the probabilistic logic model; this includes a description of the method by which the fu accident source terms generated as part of the uncertainty analysis are linked to a limited num consequence calculations.
  • A description of the computational process used to integrate the entire PRA model (Level 1
  • A summary of all calculated results including frequency distributions for each risk measure.

5. EXTERNAL EVENT PRA FOR FULL POWER OPERATION

The analysis of external events in a Probabilistic Risk Assessment (PRA) necessitates different considerations than those for an internal events analysis. This chapter discusses the attributes which should be considered in performing or reviewing a baseline external event PRA for full power operation. In addition, considerations for using the external event PRA models in evaluating the risk-significance of a proposed licensing modification are also presented.

5.1 Level 1 Analysis

This section presents the considerations for performing a Level 1 seismic PRA while at full power. In addition, considerations for performing a Level 1 PRA analysis of other external events which can be important at various plant sites (e.g., high winds, tornados, hurricanes, and nearby transportation accidents) are also presented. The evaluation of external event during lower power shutdown conditions is discussed in Chapter 6. Since the analysis of external events generally utilizes the models generated for the internal events analysis, the considerations discussed in Chapter are also applicable for these events. The PRA considerations presented in this section thus focus on those Level 1 modeling aspects which are unique to the external events. However, the influence of the external events on the internal event Level 1 models (e.g., the impact of stress level, equipment accessibility, and lack of indications caused by an external event on the human reliability assessment) is also discussed.

5.1.1 Seismic Analysis

The objective of a seismic PRA is to analyze the risk due to core damage accidents initiated by earthquakes. This means that the frequency and severity of earthquakes should be coupled to models of the capacity of plant structures and components to survive each possible earthquake. The effects of structural failure should be a-d. and all the resulting information about the likelihood of equipment failure can be evaluated using the internal events PRA logic model of the plant modified as appropriate to include seismic-induced events. The basic elements of a seismic PRA include (1) hazard analysis, (2) structure response analysis, (3) evaluation of component fragilities and failure modes, (4) plant system and sequence analysis, and (5) containment and containment system analysis. This section highlights the major points to consider in the performance of a seismic PRA. Further details are contained in NUREG-1407 (Ref. 5.1), NUREG/CR-2300 (Ref. 5.2) and NUREG/CR-2815 (Ref. 5.3).

5.1.1.1 Considerations for the Baseline PRA

In a seismic PRA, seismic-induced failures in addition to random hardware failures are modeled. They can lead to accident initiating events as well as failures of components and systems that are needed to mitigate an accident. In an internal events PRA, usually only active components are modeled. In a seismic PRA, passive components, such as pipe sections, tanks, and structures, have to be included. Unique failure modes of these components have to be identified and added to the logic model. In addition, relay chatter is a unique component failure mode during an earthquake that should be addressed.

One important aspect of a seismic event is that all parts of the plant are excited at the same time. This means that there may be significant correlation between component failures, and hence, the redundancy of safety systems could be compromised. The correlation could be induced by common location, orientation, and/or vibration frequency. This type of common cause failure represents a unique risk to the plant that is reflected in a seismic PRA.

An additional consideration in the performance of a seismic PRA is the formation of both a well organized walkdown team and a peer review team with combined experience in both system analysis and fragility evaluation. Ideally, the peer review should be M_~d by individuals who are not associated with the initial evaluation to ensure both technical quality control and technical quality assurance of the PRA results and documentation.

5 External Event PRA for Full Power Operation

Identification of Structures, Systems, and Components Included in the Seismic Analysis

The systems, structures and components (SSCs) modeled in the internal events PR and internal flood PRA (Section 2.2) can be used in th included in the seismic analysis. In addition, a review of the fire and flood an for seismic induced fires and floods. For example, failure of a heat exchanger or other components. Similarly, rupture of an oil storage tank can cause a fire.

During the plant familiarization in preparation for performing a seismic PR 4 equipment layout, design, and construction of the k S equipment layout and -a-- e ===Hanna and anchorage should identify SSC of the plant. The plant walkdown is critical to identify as-designed, as-built plants. Information is gathered to determine the significant failure f il modes would impact other equipment needed to mitigate the accident. For example, failu j or equipment nearby due to falling debris. More detailed attributes for a wa of the Electric Power Research Institute (EPRI) Seismic Margins Methodology (Ref. 5.4).

Initiating Events Analysis

Seismic-induced initiating events typically include transients, loss of offsite pow accidents (LOCAs). The parnilarad collapse of a major structure, such as the react be considered as an additional initiating event or as a basic cause for an initia V i previously, seismically induced fire and flood events can also be in the internal events PRA. As r identified. It is possible to have multiple initiating events for a given seismic even by choosing the initiator with the worst impact from the standpoint of core additional failures that are seismically induced. A systematic evaluation of the SSC of potential initiating events in a manner similar to the way initiating ld produce even the seismic failures can be grouped based on their impact on the plant. ification The of the results 3 list of failures for each initiating event. The identified failures are then used to guide the frequencies of the initiating events.

Hazard Analysis

In the 1980's, the methodologies for performing seismic hazard analysis w Lawrence Livermore National Laboratory (LLNL) (Ref. 5.5) and EPRI (Ref. 5.6) by these two methodologies were significantly different for many of the e of the LLNL hazard curves (Ref. 5.7), either approach is currently considered to also initiated to develop a method to produce more consistent seismic haz EPRI, and the U.S. Department of Energy [DOE]). This recent development in used for future seismic PRAs. In the seismic hazar should also be considered in a site specific evaluation.

To quantify both the seismic hazard and component fragilities, a ground mon Traditionally, the peak ground acceleration intensity d or zero this problem, the average spectral acceleration is r ~W for use since it expresses the ground motion in terms o equipment (e.g., 5 Hz to 15 Hz). If an upper bound cutoff to ground motion is assumed, sensitivity studies should be conducted to determine whether the use of this cutoff affects and ranking of seismic sequences.

Fragility Analysis

The fragility of a component or structure is defined as the conditional probability of failure give motion parameter. All the potential failure modes, both structural and functional, need to be e fragility value of a component. The sources of information that can be used in a fragility evaluation specific design and test data, available experimental results, experience in past earthquakes ( loss), and generic fragility values from past studies. However, the Generic fragility parameters can be used in the initial screening of components and structures appropriateness of the generic fragility parameters has to be verified during the plant walkdown as well the documentation on component and structure fragilities. The high confidence-and-low-probability (HCLP can be used to screen components and structures without quantification of the seismic fault trees or event trees. Screening using a specified g-level for components and structure can be used to eliminate compon HCLPFs from further consideration in the PRA. However, if the core damage frequency (CDF) results indicate significant ;wp.a of----q-- -= at the specified g level, then components screened at this level should be added to the model and the results recalculated.

In the final PRA model, all components and structures that appear in the dominant accident cut sets should have s specific fragility parameters, that are derived based on plant-specific information, such as anchoring and i of the component or structure. The methodologies for fragility analysis are discussed in a number of refei example, NUREG/CR-2300 and EPRI NP-6041. It is desirable to incorporate the results of the latest ava data into the analysis and to also include aging effects in the component and structure fragility evaluation.

Seismic Model Development and Quantification

Seismic event trees can be developed by modifying the event trees developed for the internal events PRA, as appropriate. The event trees should consider events that can occur during an earthquake including blackout (SBO), other transients, and LOCAs of different sizes as well as multiple initiators. The fault trees developed for internal events can also be modified to include failures induced by earthquakes, as well as the impact of f instrumentation or contradicting indications. The random failure and human errors included in the fault trees for the internal events analysis should be retained for the seismic analysis. Relay chatter and recovery actions can be in the analysis using the information given in Section 3.1.1.4 of NUREG-1407.

The logic models should demonstrate that simultaneous failures of multiple SSCs (including a cross system if applicable) as a result of the earthquake are adequately modeled. Most of the earthquake-induced failures c adequately modeled by adding seismic-induced failure events in the fault trees for the affected system initiating events, a combination of multiple initiating events has to be considered. For example, a LOCA with simultaneous LOOP or SBO should be considered in the risk assessment.

The fault trees and event trees should be quantified with a sufficient number of g values to cover the range of possible earthquake levels. For each g-value, the event trees are quantified to determine the conditional core damage cutsets and conditional core damage probability. Integration/summation of the products of the conditional core damage probability and the hazard curve over all g values provides the overall CDF due to seismic events.

Quantification can be done in two or more iterations. The initial screening quantification can be done by using generic component fragilities. The final quantification should use site-specific fragilities for those components that appear in the dominant cutsets. Care should be taken to treat system successes and high failure prob properly by the computer algorithm used. The uncertainties in the results should be fully quantified an
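The quantification steps described above (fragility as a conditional failure probability, HCLPF screening, correlated failure of redundant components, and summation of conditional core damage probability times hazard frequency over g values) are worked through below as an added example that is not part of NUREG-1602. The hazard points, fragility descriptors, random failure probability and three-element plant logic are constructed for illustration; the lognormal fragility model, the mean (composite) fragility curve, and HCLPF = median x exp(-1.645 (beta_R + beta_U)) are the commonly used forms and are assumptions here, not taken from this page.

```python
"""Seismic CDF by summing CCDP x hazard frequency over g values.

All numbers are constructed for illustration; none come from NUREG-1602.
"""
import math

# Constructed hazard curve: (peak ground acceleration in g,
# annual frequency of exceeding that acceleration).
HAZARD = [(0.05, 1e-2), (0.10, 2e-3), (0.20, 3e-4), (0.30, 8e-5),
          (0.50, 1.5e-5), (0.75, 3e-6), (1.00, 8e-7)]

# Constructed fragility descriptors per SSC:
# (median capacity in g, randomness beta_R, uncertainty beta_U).
FRAGILITY = {
    "offsite_power": (0.30, 0.25, 0.40),
    "pump": (0.90, 0.25, 0.35),
    "building": (1.80, 0.30, 0.30),
}
PUMP_RANDOM_FAILURE = 1e-2  # constructed non-seismic failure probability


def fragility(a, median, beta):
    """P(failure | ground motion a) for a lognormally distributed capacity."""
    if a <= 0.0:
        return 0.0
    z = math.log(a / median) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def hclpf(median, beta_r, beta_u):
    """Capacity with 95% confidence of at most 5% failure probability."""
    return median * math.exp(-1.645 * (beta_r + beta_u))


def screen_by_hclpf(g_level):
    """SSCs whose HCLPF exceeds the screening level (screening candidates)."""
    return sorted(n for n, p in FRAGILITY.items() if hclpf(*p) > g_level)


def mean_fragility(name, a):
    """Mean fragility curve: randomness and uncertainty combined (SRSS)."""
    median, beta_r, beta_u = FRAGILITY[name]
    return fragility(a, median, math.hypot(beta_r, beta_u))


def both_pumps_fail(a, correlated):
    """Two redundant pumps; random failures are retained alongside seismic."""
    p_s = mean_fragility("pump", a)
    q = PUMP_RANDOM_FAILURE
    if correlated:
        # Fully correlated: one seismic failure event takes out both pumps;
        # if it does not occur, both pumps must fail randomly.
        return p_s + (1.0 - p_s) * q * q
    single = p_s + (1.0 - p_s) * q  # independent seismic failures
    return single * single


def ccdp(a, correlated=True):
    """Conditional core damage probability at ground motion a.

    Constructed logic: building failure OR (seismic LOOP AND both pumps fail).
    """
    p_building = mean_fragility("building", a)
    p_sequence = mean_fragility("offsite_power", a) * both_pumps_fail(a, correlated)
    return 1.0 - (1.0 - p_building) * (1.0 - p_sequence)


def seismic_cdf(hazard, ccdp_at):
    """Sum over g bins of (frequency of earthquakes in the bin) x CCDP."""
    total = 0.0
    for (a_lo, h_lo), (a_hi, h_hi) in zip(hazard, hazard[1:]):
        # Bin frequency is the drop in exceedance frequency across the bin;
        # CCDP is evaluated at the geometric mean acceleration of the bin.
        total += (h_lo - h_hi) * ccdp_at(math.sqrt(a_lo * a_hi))
    a_last, h_last = hazard[-1]
    # Everything beyond the last point is assigned the CCDP at that point.
    return total + h_last * ccdp_at(a_last)


if __name__ == "__main__":
    for name, params in FRAGILITY.items():
        print(f"{name:14s} HCLPF = {hclpf(*params):.3f} g")
    print("screened at 0.30 g:", screen_by_hclpf(0.30))
    for label, flag in (("fully correlated pumps", True),
                        ("independent pumps", False)):
        cdf = seismic_cdf(HAZARD, lambda a, f=flag: ccdp(a, f))
        print(f"seismic CDF, {label}: {cdf:.2e} per year")
```

Changing the last hazard point or dropping it shows how sensitive the result is to the treatment of the upper tail of the hazard curve.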


5.1.1.2 Application Impact Considerations

A particular change to a plant's current licensing i li i The b I necessitates that the impact of proposed plant or p for the impact on the following seismic PRA considerations. Identify if any additional SSCs should be included in the seismic model. result in the removal of a SSCs from consideration. Review the impact of the proposed change on the identified seismic-ind grouping. The fragility of a component or structure may potentially be affected by a The appropriateness of generic and plant-specific fragilities should be r The structure and quantification of developed event trees and fault trees us modified as appropriate to reflect the proposed plant modification.

5.1.1.3 Interfaces with Other Tasks

A seismic PRA can utilize the PRA models used to evaluate internal events include seismic-induced failures in addition to the random failures modeled performance of a seismic PRA necessitates interfaces with several interna identification, accident sequence analysis, systems analysis, data analysis and

5.1.1.4 Documentation

The documentation of a seismic PRA should be sufficient to enable a peer re; process of identifying SSCs to be included in the seismic analysis slaa l demonstrated to be systematic and complete. An id d exa l with the screening criteria/assumptions A list of SSCs that were included in the seis along with the findings and procedures of the plant walkdown. The following information should be documented for each SSC:

  • The type of component and the plant-specific identification number,
  • The location and orientation of the component in the plant,
  • Support and anchorage details,
  • Evaluation results of possible seismic interactions,
  • Inspection results on the condition of e == - = and anchorages,
  • Photographs (if appropriate), and
  • Results of screening.

The screening criteria for seismically induced initiating events should be d with those used in the internal events analysis. The quantification of seismically documented with enough detail so that a knowledgeable reader could reproduce th The description of the seismic hazard method should be provided, together the seismicity near the site, the local soil conditions and the potential for soil liquefaction.

The results of the seismic hazard analysis include the seismic hazard curves for different confidence levels (typically for 5, 10, 20, 30, 40, 50, 60, 70, 80, 90, 95 percentile), and the corresponding response spectra. The seismic hazard should be quantified for both horizontal and vertical components. The following information for documenting the seismic hazard evaluation should be considered:

  • Description of the seismic hazard analysis method, including the identification of computer codes used in the analysis.
  • If a plant specific hazard analysis method is used, all the assumptions/parameters regarding the seismic zoning, source parameters of each seismic zone (magnitude-frequency relationship), attenuation formula and the local soil conditions.
  • Hazard curves and the associated response spectra.

The methodologies used to quantify the fragility values of components, together with key assumptions, should be described =&% to allow for a peer review. A detailed list of the component fragility values should be provided that includes the method of seismic qualification, the dominant failure mode, source of information, and the location of the component. The fragility descriptors (median acceleration, uncertainty, and randomness) should be tabulated for all SSCs modeled, and the technical bases for the values used for each SSC should be provided.

Identification of the HCLPF values of all SSCs modeled is also ma=W along with the basic fragility parameters. Both seqws4 cal and s-- +r-lewi HCLPF values should be provided to support decisions related to the identification and listing of seismic vulnerabilities. The following information should be considered for documenting a fragility analysis:

  • The description of the fragility analysis methodologies and key assumptions,
  • Detailed fragility tables,
  • Results of screening, and
  • HCLPF values.

The following information on seismic model development and quantification should be documented:

  • A description of the modeled initiating events including how SSC failures may cause the initiating events.
  • A description of the seismic event trees with descriptions of the top events and seismic-induced failure events modeled. The modifications made to the event trees dc4b ,ed for the internal events PRA should be discussed in detail.
  • The assumptions made related to correlated failures and how they were applied. For example, pumps from adiadant trains of the same system are usually located in the same building and have the same orientation. Seismic-induced failures of pumps located in the same building are pessimistically assumed completely correlated unless more detailed analysis is performed to better quantify the correlation. A table containing all the correlated failures should be provided. The basis of the assumptions for correlations or lack thereof should be elaborated.
  • The impact of structure failures. A table listing all the structures considered and the components or functions they affected should be provided.

  • Failures of components can lead to fire and flood in addition to loss of their functions. Detailed documentation of the evaluation of seismically induced fires and floods should be provided.
  • Description of quantification methodology.
  • A discussion of the risk profiles and dominant scenarios is for each earthquake magnitude.
  • A discussion on considerations for uncertainties in seismic risk quantification. This should treatment of uncertainties for both hazard and fragility curves.

5.1.2 Analysis of "Other" External Events

Analysis of "other" external events for full power considerations should generally fo provided for full power analysis of internal event initiators. However, there are a few discussed below.

5.1.2.1 Considerations for the Baseline PRA

The determination of what "other" external events need to be considered necessitates the r events that could occur. NUREG/CR-4839 (Ref. 5.8), for instance, provides a list of possible should be considered for inclusion in this portion of the PRA.

This topic is further complicated by the fact that unlike the internal initiators, the "other" need to be described using a hazard curve rather than a single frequency estimate. This com screen out "other" external events on probabilistic grounds. Hence, screening of these events s sound deterministic arguments. The screening of any external events therefore necessitate documentation.

Modeling of accident g . equipment failures, and human errors generally follows the internal events-fu attributes, except that spatial and plant layout factors become relevant as is the case for in For instance, structural and barrier considerations need to be included; equipment, barrier, to be modeled using fragility curves; new relevant failure modes and equipment operability in the analysis based on the effects of the external event; and the models should allow of external event induced failures with the random failures already included in the internal event:

Correspondingly, the data values (or curves) used for the failure probability of equipm human error should consider the effects of the external event as the hazard severity changes greater failure probabilities are used than in the internal events analysis.

Finally, the quantification aspects of the analysis necessitate a much more sophistica computer code capabilities and validation) in order to properly determine the CDF events. This technique should integrate the full spectrum of hazard potential (as delinea the spectrum of failure probabilities in the model (defined by fragility curves and ot probabilities of plant equipment and human errors change as a function of the hazard curve

5.1.2.2 Application Impact Considerations

As with the case of the analysis of internal events (including fires and floods) and seismic e in a plant's CLB can potentially impact the risk from other external events. The actua w iWi . or procedural change will determine how the PRA evaluation of these other ex In general, the following factors should be considered in the risk evaluation of such a change:

  • The screening of other external events should be reviewed for a proposed modification to a plant's CLB to determine if the other external events considered or not considered in the baseline analysis are still appropriate.
  • Potential changes to SSC fragilities resulting from the CLB change for the modeled external events should be considered.
  • The potential for additional spatial related failure mechanisms should be reviewed.
  • Changes to the existing baseline PRA models and data (including HRA values) necessary to account for the CLB modification should be identified.

5.1.2.3 Interfaces with Other Tasks

The evaluation of other external events can utilize the PRA models used to evaluate internal events. The internal event models are modified to include additional failure modes induced by the external events. Thus, the analysis of other external events necessitates interfaces with the internal event PRA including primarily initiating event identification, accident sequence analysis, systems analysis, data analysis, and HRA.

5.1.2.4 Documentation

The following information should be considered for documenting a PRA analysis of "other" external events:

  • A discussion of the process and the results of the screening of "other" external events.
  • Details regarding how the retained events are modeled, particularly how the internal event models are modified for the analyses to include spatial impacts.
  • A discussion of the external event hazard curves and the fragility curves for components and structures.
  • A discussion on how the human error rates are impacted by the external events.
  • The results of the analyses.

5.2 Level 2 Analysis

This section addresses some factors to consider when performing a Level 2 seismic PRA while at full power. It also provides considerations for performing a Level 2 PRA analysis for other external events (e.g., high winds, tornados, hurricanes, and nearby transportation accidents). In general, the considerations for performing Level 2 PRA for external events are the same as for an internal event Level 2 PRA. Thus, only those factors unique to external events are provided in the subsequent sections.

5.2.1 Seismic Analysis

As with the Level 1 portion of the seismic analysis, the Level 2 analysis should consider the impact of an earthquake on the core damage mitigating systems and the containment. The attributes for performing and documenting both the baseline and application-specific Level 2 portion of the seismic analysis include the same considerations as discussed for the internal events analysis. In addition, the potential for an earthquake resulting in the failure of containment isolation valves to close, failure of containment spray systems, or failure of standby gas treatment systems all should be evaluated. This can be accomplished as is done in the Level 1 analysis by including seismic-induced failures in the internal events Level 2 models.


5.2.2 Analysis of "Other" External Events

As with the Level 1 portion of the analysis of "other" external events, the baseline and analysis should consider the impacts of the external events on the mitigation of cl of the Ann &d external events on mitigating systems thus necessitates the same cons other Level 1 analyses. In addition, any direct impacts on the containment from the e and documented.

5.3 Level 3 Analysis

This section identifies some factors to consider when performing a Level 3 analysis of th events that occur during full power operation. In general, the performance of the Level 3 an models used in evaluation of internal events. The major difference is in the consideration events on emergency response actions such as evacuation of the close-in population. It would impact the Level 3 modeling.

5.3.1 Seismic Analysis

The attributes in Chapter 4 are also, in general, applicable for a seismic analysis. However, undl an earthquake can present conditions that would change the consequence assessm analysis. In addition to changing the potential source terms, an earthquake can influ surrounding a plant to evacuate upon declaration of a general emergency. A Level 3 s include consideration of the impacts of different levels of earthquakes on the consequence thorough discussion and documentation of the assumptions used in the consequenc

5.3.2 Analysis of "Other" External Events

The impact on the Level 3 analysis should be included in the evaluation of other external e is the impact of the external events on the potential for evacuation. The attributes p for the Level 3 analysis of "other" external events. How any unique ways in which the ex the Level 3 analysis should be evaluated and documented.

REFERENCES FOR CHAPTER 5

5.1 J. T. Chen, et al., "Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities," NUREG-1407, U.S. Nuclear Regulatory Commission, June 1991.

5.2 J. W. Hickman, "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300, Vols. 1 and 2, American Nuclear Society and Institute of Electrical and Electronic Engineers, January 1983.

5.3 M. McCann, et al., "Probabilistic Safety Analysis Procedure Guide," NUREG/CR-2815, Vol. 2, Revision 1, Brookhaven National Laboratory, August 1985.

5.4 "A Methodology for Assessment of Nuclear Power Plant Seismic Margin," EPRI Report NP-6041, 1988.

5.5 D. L. Bernreuter, J. B. Savy, R. W. Mensing and J. C. Chen, "Seismic Hazard Characterization of 69 Nuclear Plant Sites East of the Rocky Mountains," NUREG/CR-5250, Lawrence Livermore National Laboratory, January 1989.

5.6 Electric Power Research Institute, "Probabilistic Seismic Hazard Evaluations at Nuclear Power Plant Sites in the Central and Eastern United States: Resolution of the Charleston Earthquake Issue," Prepared by Risk Engineering Inc., Yankee Atomic Power Company and Woodward Clyde Consultants, EPRI Report NP-6395-D, April 1989.

5.7 US NRC, "Revised Livermore Seismic Hazard Estimates for 69 Nuclear Power Plant Sites East of the Rocky Mountains," NUREG-1488, October 1993.

5.8 M. K. Ravindra, H. Banon, "Methods for External Event Screening Quantification: Risk Methods Integration and Evaluation Program (RMIEP) Methods Development," Sandia National Laboratories, NUREG/CR-4839, July 1992.

5.9 R. J. Breeding, et al., "Evaluation of Severe Accident Risks, Surry Unit 1," Sandia National Laboratories, NUREG/CR-4551, October 1990.
6. INTERNAL AND EXTERNAL EVENT PRA FOR LOW POWER AND SHUTDOWN OPERATIONS

The purpose of this chapter is to specify the necessary attributes of a full-scope probabi of low power and shutdown (LP&S) operating conditions. The tasks discussed are basically described in Chapters 2 through 5. This chapter will focus on any differences and/or additional r However, note that it is not the intent of this discussion to prescribe how to perform a analysis of LP&S conditions PRA for LP&S conditions For those LP&S tasks that are significantly different from those of full power operation, the differe considerations are discussed for the baseline PRA. In addition, the potential impacts of risk-inform interfaces with other tasks and required documentation are discussed in separate sub-sections. For that are very similar to the tasks of full power operation, this fact is stated and references to the fu ~'e without further elaboration

The scope of the LP&S analysis includes all plant operating conditions except for full power, wh Chapters 2 through 5. Examples of states included in an LP&S analysis are low power (e.g. pow shutdown / standby, cold shutdown, and refueling.

The risk associated with the operation of a plant in a particular operational state is estimated based on th per year. Thus, the fractions of time associated with the operation of the plant in the various state This implies that if the full power risk has been calculated based on being in full power operation for then the results of the full power analysis should be reduced by the fraction of time the plant is not at full pow a per year basis (e.g., if the plant is at full power 70% of the time on a per year basis, the full power basis would be 0.7 times the originally calculated full power risk value). Likewise, the risk associated with any individual operating state should include the fraction of time the plant is in that particular plant operational state (POS).

For LP&S conditions, the fuel is assumed to remain in the reactor vessel. Risk associated with spent fuel sto the spent fuel pool, and cases where fuel is partially or totally off loaded to the spent fuel pool during considered out of the scope of this document. Typically, the plant operating states of a refueling cycle can be grouped into four distinct categories:

  • Power operation (i.e., full power operation),
  • Controlled shutdown to below x% power (where x represents the transition point from low power to full power operations),
  • Scram, and
  • Refueling outage.

As stated previously, the analysis of full power operation is described in earlier Chapters 2 through 5. T of "OK" sequences originating from a full power analysis are excluded from the LP&S analyses; thus, the fr of time spent in operational states resulting from a plant scram are not included in the analysis of risk du

The basis for this is the assumption that the mission time used in the full power analysis is sufficient to adequately cover the operation of the plant during these states and that the data used to determine component unavailabilities for full power conditions already accounts for the known component unavailabilities during these states. This leaves controlled shutdowns and refueling outages. In both cases, plant-specific historical data and current operating procedures are used to determine both the fraction of time spent in these states and to determine the unavailability of equipment in each operating state.

6.1 Internal Events Level 1 Analysis

As stated in Chapter 2, a Level 1 PRA is comprised of three major elements. For LP&S conditions an additional consideration should be added to the accident sequence delineation task of a PRA. The purpose of this addition is to subdivide the operating cycle of the plant into sufficient plant operational states (POSs) to allow the analysts to adequately represent the plant as it transitions from one operating state to another. While the number of POSs may vary from plant-to-plant owing to the different operational characteristics of the plants, the important concept is the subdivision of the operation cycle into sufficient detail to allow the PRA analysts to accurately represent the status of the plant both from a systems availability and a decay heat viewpoint.

6.1.1 Plant Operational States

The objective of the POS identification and quantification task is to subdivide the plant operating cycle into sufficient detail such that the analysts can represent the plant operating within specific POSs and transitioning from one POS to another, and to determine the fraction of time spent in each POS.

6.1.1.1 Considerations for the Baseline PRA

Identifying POSs

A POS is "a plant condition for which the status of plant systems (operating, standby, unavailable) can be specified with sufficient accuracy to model subsequent accident events" (Ref. 6.1). In addition to the status of plant systems, knowledge about the decay heat load, and thus changes in success criteria, is important when identifying the POSs. In an LP&S PRA, the plant's operating cycle is subdivided into different POSs. The characteristics important to the identification of the POSs are as follows:

  • reactor power level,
  • in-vessel temperature, pressure, and coolant level,
  • equipment normally operating and required to maintain the current operating parameters, and
  • changes in the decay heat load or plant conditions (e.g., raised water level with upper pools connected during refueling at a boiling water reactor [BWR]) that allow new success criteria.

Examples of POSs for pressurized water reactors (PWRs) and BWRs can be found in NUREG/CR-6144 (Ref. 6.2) and NUREG/CR-6143 (Ref. 6.1), respectively. It is possible that some special tests and operational activities, that are of relatively short duration, require that the plant be placed in a configuration that is very different from the normal configuration of a POS. Such a configuration may not need to be treated as a separate POS. However, such test configurations should be identified and their contribution to risk evaluated.

Determining POS Fractions

For each POS identified, detailed plant-specific information is collected, such that the time spent in each POS can be determined. To determine the POS fractions for a refueling outage, plant-specific information on the previous four refueling outages is collected. If less than four outages are available, then information from all outages except the first is used. For controlled shutdown POSs, the fractions are determined by collecting plant-specific information from the previous five years of operation. If less than five years are available, the data from all years are used.

Screening of POSs

Screening of POSs should be performed by identifying available diverse and redundant means of removing decay heat and mitigating accidents. Supporting deterministic analyses and quantitative screening risk calculations are used to provide justification for screening out a POS. For example, during refueling operation with the refueling cavity filled, calculations should be performed to demonstrate that time to core damage is very long in different postulated accident scenarios.

6.1.1.2 Application Impact Considerations

A change in the current licensing basis can affect this task in the following way:

  • Changes in the frequency of outages,
  • Changes in the number of POSs,
  • Changes in the duration of the POSs, and
  • Changes in the other parameters used in defining the POSs.

The potential for these changes has to be evaluated for each risk-informed change in the current licensing basis (CLB).

In evaluating the risk impacts of plant changes, the inclusion of contributions from LP&S provides a more complete risk assessment.

6.1.1.3 Interfaces with Other Tasks

This task defines the initial conditions of the plant to be analyzed in all the subsequent tasks. In this task, the key parameters are specified for each POS. In the subsequent tasks, further characterization of the POSs is needed to complete the assessment. A PRA model similar to that for full power operation is developed for each POS.

6.1.1.4 Documentation

The following information is documented for an LP&S PRA:

  • A list or general description of the information sources used in the task.
  • A discussion of the POSs identified during the task. The discussion should specifically define each POS and describe how each POS was determined.
  • Assumptions that were made during the identification of the POSs. The bases for the assumptions and their impact on the final results are also discussed.
  • A description of the configuration of the systems, including those that are needed for continuous operation in the POSs.
  • The time history information used to determine the POS fractions, including the amount of time spent in each POS for each refueling and controlled shutdown outage.
  • The fractions of time calculated for each POS for both refueling and controlled shutdown outages.
  • A list of special tests and operational activities that significantly change the plant configuration of a POS.
  • List of PRA changes from risk informed applications.
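
The POS time-fraction bookkeeping described in Section 6.1.1 and the per-year weighting described at the start of this chapter, as an added Python example that is not part of the draft NUREG. The POS names, hour counts, outage frequency and risk values are constructed, and the four-outage window and the outages_per_year parameter are assumptions (the window is read from the "less than four outages" wording).

```python
from collections import defaultdict

HOURS_PER_YEAR = 8760.0

# Constructed sample history (hours spent in each POS), oldest record first.
SAMPLE_REFUELING_OUTAGES = [
    {"POS-5": 400.0, "POS-6": 900.0},   # first outage of the plant
    {"POS-5": 200.0, "POS-6": 700.0},
    {"POS-5": 240.0, "POS-6": 620.0},
]
SAMPLE_SHUTDOWN_YEARS = [
    {"CS-hot": 100.0},
    {"CS-hot": 40.0, "CS-cold": 60.0},
    {"CS-hot": 20.0},
    {},                                  # a year with no controlled shutdown
    {"CS-hot": 30.0, "CS-cold": 90.0},
    {"CS-hot": 10.0},
]


def select_refueling_outages(outages, window=4):
    """Use the previous `window` outages; with fewer on record, use all
    outages except the first. window=4 is an assumption (see lead-in)."""
    if len(outages) >= window:
        return list(outages[-window:])
    return list(outages[1:])


def select_shutdown_years(years, window=5):
    """Use the previous five years of operation, or every year if fewer."""
    return list(years[-window:])


def _sum_hours(records):
    totals = defaultdict(float)
    for record in records:
        for pos, hours in record.items():
            totals[pos] += hours
    return totals


def refueling_fractions(outages, outages_per_year, window=4):
    """Fraction of a calendar year spent in each refueling POS.

    Mean hours per outage times the outage frequency, divided by the hours
    in a year. outages_per_year is an assumed input (0.5 = 24-month cycle).
    """
    used = select_refueling_outages(outages, window)
    if not used:
        # Only the first outage is on record and the rule excludes it.
        raise ValueError("no usable refueling outage records")
    totals = _sum_hours(used)
    return {pos: (h / len(used)) * outages_per_year / HOURS_PER_YEAR
            for pos, h in totals.items()}


def shutdown_fractions(years, window=5):
    """Fraction of time in each controlled-shutdown POS over the window."""
    used = select_shutdown_years(years, window)
    if not used:
        raise ValueError("no operating years on record")
    totals = _sum_hours(used)
    return {pos: h / (len(used) * HOURS_PER_YEAR) for pos, h in totals.items()}


def add_full_power(lpas_fractions):
    """Assign the remaining time to full power (scram states are treated as
    part of the full power analysis, as the chapter states)."""
    total = sum(lpas_fractions.values())
    if total > 1.0:
        raise ValueError("POS fractions exceed one year")
    fractions = dict(lpas_fractions)
    fractions["full-power"] = 1.0 - total
    return fractions


def per_year_risk(fractions, risk_if_all_year):
    """Weight each state's risk (computed as if the plant were in that state
    all year) by the fraction of the year actually spent in it."""
    missing = set(fractions) - set(risk_if_all_year)
    if missing:
        raise KeyError(f"no risk value for: {sorted(missing)}")
    contributions = {pos: fractions[pos] * risk_if_all_year[pos]
                     for pos in fractions}
    return contributions, sum(contributions.values())


if __name__ == "__main__":
    lpas = {**refueling_fractions(SAMPLE_REFUELING_OUTAGES, 0.5),
            **shutdown_fractions(SAMPLE_SHUTDOWN_YEARS)}
    fractions = add_full_power(lpas)
    # Constructed per-state values, each calculated on an all-year basis.
    risk = {"full-power": 4e-5, "POS-5": 2e-4, "POS-6": 1e-5,
            "CS-hot": 6e-5, "CS-cold": 1e-4}
    contributions, total = per_year_risk(fractions, risk)
    for pos, value in sorted(contributions.items()):
        print(f"{pos:11s} fraction={fractions[pos]:.5f} contribution={value:.3e}")
    print(f"total per-year risk = {total:.3e}")
```
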

6.1.2 Accident Sequence Initiating Event Analysis

The objective of the initiating events task is the same as that described in Section 2.1.1, with the exception that for those POSs where the reactor is already shutdown the requirement for a reactor trip is eliminated; however, the possibility of recriticality events is considered.

The LP&S specific considerations are provided for identifying additional initiating events, excluding events from consideration, grouping the individual initiating events, and documenting the work only when they differ from or are in addition to those contained in Section 2.1.1.

In an LP&S PRA, all those internal events that cause an upset of normal plant operation (some of which require a reactor trip) with the subsequent need for core heat removal are identified as initiating events. These events fall into one of four categories as follows:

  • Loss of coolant accidents (LOCAs) - For LP&S conditions, those events that result in a diversion of water from the reactor vessel to some location where the water is recoverable, plus pipe rupture events in operating systems connected to the reactor vessel where the inventory loss may or may not be recoverable, are considered.
  • Transients - All full power events applicable to the LP&S conditions are considered.
  • Decay Heat Removal Challenges - All events that result in the isolation or loss of the normally operating decay heat removal system during shutdown conditions are considered.
  • Reactivity Excursions - All events that lead to inadvertent reactivity insertion or problems with flow instability where the core is operated with a local high power-to-mass-flow ratio are considered.

  • Special issues or scenarios - Scenarios and issues identified in existing studies should be included. For example, reactivity accident scenario identified in the French Study (EPS 900) (Ref. 6.3), low-temperature overpressurization, failure of cavity seal, and failure of thimble tube seals should be addressed.

In ensuring "completeness" in identifying all potential initiating events for an LP&S PRA, the analyst sh an engineering evaluation considering all events as described in Section 2.1.1, plus the analyst should el events that are unique to or have happened during shutdown operational states. Table 4.1.2 of NUREG/CR-6143, Vol. 2 (Ref. 6.1) and Table 413 of NUREG/CR-6144, Vol. 2 (Ref. 6.2) contain lists of events considered during previous LP&S analyses.

The considerations associated with excluding and grouping initiating events are the same as those provided in Section 2.1.1. In addition, application impact considerations, interfaces with other tasks, and documentation guidelines are similar to those discussed in Section 2.1.1 for full power operation.

6.1.3 Accident Sequence Analysis

For this task, considerations are provided for selecting the accident sequence model, establishing the success criteria, modeling the accident dependencies, and documenting the work only when they differ from or are in addition to those presented in Section 2.1.2.

In addition to the considerations described in Section 2.1.2, top events representing the fractions of time spent in different system configurations (e.g., fraction of time the primary containment is open or the fraction of time a specific decay heat removal system is operating) are required if such information is needed to model accident progression to core damage.

As discussed in Section 2.1.2, inclusion of operator actions in the models is important. Due to the nature of shutdown conditions, more reliance may be placed on operator intervention. Thus, particular care should be given to the incorporation of human actions in the development of the event tree structure used to model the plant's response to any particular initiating event. Plant operating procedures should be examined carefully to determine how they will impact the operator's response during an accident.

Given the time dependency of the decay heat load, an LP&S PRA will examine the systems for unique configurations that may prove successful during shutdown conditions (e.g., gravity injection, reflux cooling, and alternate decay heat removal system). If these system configurations are deemed success criteria, then the LP&S PRA will make use of the systems by further subdividing a POS into different time windows. These time windows, which could be represented by sub-POSs, allow for more realistic assessments of the impact of the decay heat loads on accident scenarios. Regardless of whether these subdivisions are classified as time windows or sub-POSs, the accident sequence models contained in an LP&S PRA will properly account for the differences introduced into the accident sequence progression models.

The considerations associated with the modeling of accident dependencies and documentation are the same as those provided in Section 2.1.2. In addition, application impact considerations, interfaces with other tasks, and documentation are similar to those discussed in Section 2.1.2 for full power operation.

6.1.4 Systems Analysis

The LP&S considerations are the same as those described in Section 2.1.3. It should be noted that during shutdown conditions the alignment of systems may be significantly different as compared to that of full power operation, many instruments and indications may not be available, and consequently a higher likelihood of human initiated accidents may occur.

6.1.5 Data Analysis

For this task, considerations are provided for identifying the data sources and models, selecting the data input needs, quantifying data parameters, and documenting the work only when they differ from or are in addition to those presented in Section 2.1.4.

For selecting data input, the only modifications to the considerations described in Section 2.1.4 are as follows:

  • In reviewing incidents for potential initiators, all incidents that meet the definition of an initiating event as given in Section 6.1.2 are considered in an LP&S PRA. However, the frequency of these events will be different from the frequency at full power operation. Plant-specific operating experience during LP&S should be used to estimate the frequency of these events in each plant operating state.
  • In reviewing the incidents on component performance, all incidents that could affect the performance of equipment during the POS are considered in an LP&S PRA. In quantifying equipment reliability parameters and common-cause failure probabilities, data from all plant operational states should be used to quantify these parameters as described in Section 2.1.4. However, each event should be considered to determine if there are conditions such that the probability or rate of the failure event would be different depending on the plant operational state.
  • In quantifying component unavailability from test and maintenance, only incidents occurring during the POS are included in an LP&S PRA. Only plant specific operational experience during LP&S operations should be used in estimating equipment unavailability. Additional consideration of concurrent unavailability and plant operational procedures during each POS, outage times for redundant equipment (both intra- and inter-system) should be examined and accounted for based on actual plant experience.
  • It is very likely that in a selected POS the configuration of some systems and components changes. The fraction of time that a system or component spends in each possible configuration has to be estimated using plant specific data supplemented with plant specific operation procedures and outage schedules.

Application impact considerations and interfaces with other tasks are similar to those discussed in Section 2.1.4 for full power operation. For documentation, the only additional information to be reported are the fraction of time associated with being in a particular POS, the conditional probability associated with being in a specific system configuration, and the information used to generate these values.

6.1.6 Human Reliability Analysis (HRA)

Given the increased dependency on the human for performing actions during shutdown conditions human interfa become even more critical in causing, preventing, and mitigating an accident than is the case during full power conditions.

The LP&S considerations are the same as those described in Section 2.1.5. It should be noted that during shutdown conditions, many systems may be in a configuration very different from those during full power operation, much instrumentation may not be available and a higher likelihood of human initiated accidents can exist.

6.1.7 Accident Sequence Quantification

The LP&S considerations are the same as those described in Section 2.1.6.

6.2 Internal Flood Level 1 Analysis

The purpose of this section is to describe the attributes of a state-of-the-art internal flood PRA for a plant during L operations. Only those attributes that are unique to floods during LP&S operations are discussed. The PRA tasks that are the same as those for a full power internal flood PRA and LP&S internal events PRA are discussed in Sections 2.2 and 6.1, respectively.

The approach used in performing a full power flood analysis PRA can be used for an LP&S PRA flood analysis. However, the differences between LP&S and full power operation have to be accounted for in its application. The main differences between LP&S and full power operation are the initial conditions of the plant, definition of initiating events, and systems/functions needed to mitigate an accident. These are the subjects that are discussed in this section in terms of the key tasks of an LP&S internal flood PRA.

The considerations associated with the potential impacts of the changes in CLB, interfaces with other tasks, and documentation of an LP&S internal flood analysis are the same as those discussed for a full power PRA.

6.2.1 Definition and Characterization of POSs

A main difference between an LP&S internal flood PRA and a full power internal flood PRA is the initial conditions of the plant. The initial conditions defined and characterized in the LP&S internal events PRA, i.e., outage types and POSs, should be used in an LP&S internal flood PRA.

6.2.2 Initiating Event Analysis

A flood initiating event during LP&S conditions can be defined as a flood that causes an initiating event as defined in the LP&S internal events PRA.

The causes of internal floods identified in the full power internal flood PRA should be evaluated, taking into consideration the unique plant configuration and operating conditions during LP&S operations to determine their applicability to LP&S conditions. For example, a pipe section that is a source of flood for full power operation may be isolated during shutdown conditions. If a source of floods is found applicable to LP&S conditions, the method of quantifying its frequency used in the full power analysis should be reviewed for its applicability to LP&S conditions. For example, a pipe section that is a source of floods during full power operation may be subject to much lower pressure and temperature during shutdown. Therefore, the likelihood of its rupture may be significantly different from that of full power operation.

In addition to those flood sources identified in the full power internal flood PRA, a review of the shutdown configurations of plant systems and the operating procedures used during LP&S operations should be performed to identify unique sources of floods during LP&S conditions. A plant walkdown during shutdown should also be performed to identify such sources of floods.

6.2.3 Flood Propagation

The same approach as that used in a full power flood PRA can be used in an LP&S internal flood PRA. Flood propagation modeling includes estimating the quantity of water that may be involved, identifying the pathways and barriers for flood propagation, identifying the failure modes of the components that would be affected by the floods, and estimating the timing of the scenarios. The unique shutdown conditions of the plant have to be taken into consideration. For example, the refueling water storage tank (RWST) inventory during refueling operation may be significantly lower than that during full power operation and flood barriers including dams, floor plugs, and anti-reverse flow devices in drain lines may be removed during shutdown condition.

6.2.4 Flood Model Development and Quantification

LP&S internal flood event trees should be developed by modifying the event trees developed for the LP&S internal events PRA. The fault trees developed for the LP&S internal events PRA should be modified to account for the flood induced failures.

6.3 Internal Fire Level 1 Analysis

The purpose of this section is to describe the attributes of an internal fire PRA for a plant during LP&S operations. Only those attributes that are unique to fires during LP&S operations are discussed. The PRA tasks that are the same as those for a full power internal fire PRA and LP&S internal events PRA are discussed in Sections 2.3 and 6.1, respectively.

The approach used in performing a full power internal fire PRA can be used for an LP&S internal fire PRA. However, the differences between LP&S and full power operation have to be accounted for in its application. The main differences between LP&S and full power operation are the initial conditions of the plant, definition of initiating events, and systems/functions needed to mitigate an accident. These are the subjects that are discussed in this section in terms of the key tasks of an LP&S internal fire PRA.

The considerations associated with the potential impacts of the changes in CLB, interfaces with other tasks, and documentation of an LP&S internal fire analysis are the same as those discussed for a full power PRA.

6.3.1 Definition and Characterization of Plant Operational States

A main difference between an LP&S internal fire PRA and a full power internal fire PRA is the initial conditions of the plant. The initial conditions defined and characterized in the LP&S internal events PRA, i.e., outage types and POSs, should be used in an LP&S internal fire PRA.

6.3.2 Initiating Event Analysis

A fire induced initiating event during LP&S conditions can be defined as a fire that causes an initiating event as defined in the LP&S internal events PRA. For example, a fire that causes interruption of the residual heat removal (RHR) system is a fire induced initiating event. The definition of a fire induced initiating event sho identification of critical fire locations of an LP&S PRA.

m fire frequency quantification should be performed in the same way it is done for full power operation incidence database including incidents during shutdown should be used. In reviewing the database, those eve are applicable to LP&S conditions should be identified.

6.3.3 Identification of Critical Fire Locations

A critical fire location for an LP&S condition is a location of a postulated fire that would lead to an initiating event and at the same time affect the systems and components needed to mitigate the accident. The approach developed a full power fire PRA can be used in an LP&S fire PRA. The information collected during a full power fire PR including critical fire locations, provides useful background information for an LP&S PRA. However, in an LP&S PRA, a somewhat different set of systems and components needs to be taken into consideration, and the identification of critical locations has to be performed based on the definition of applicable initiating events. For example, loss of RHR can occur due to a fire that affects the RHR system or its support systems. Such a fire may not constitute an initiating event for full power operation. To identify possible fire locations, tracing of the cables for the components of these systems would be required. Similarly, the systems/functions needed to mitigate an accident during shutdown are not exactly the same as those needed for full power operation. Therefore, the critical fire locations of an LP&S PRA are not necessarily the same as those of a full power fire PRA.

6.3.4 Fire Propagation and Suppression

The same approach as that which was used in a full power fire PRA can be used in an LP&S internal fire PRA. However, the shutdown conditions of fire barriers and systems needed for detection and suppression of a fire should be taken into consideration. For example, a fire door being kept open during shutdown to facilitate movement of equipment will impact the propagation of a fire, and additional activities during shutdown may increase the likelihood of a fire being detected early.

6.3.5 Fire Model Development and Quantification

LP&S internal fire event trees should be developed by modifying the event trees developed for the LP&S internal events PRA. The fault trees developed for the LP&S internal events PRA should be modified to account for the fire induced failures.

! . , a E f P l l 6 PRA for Low Power and Shutdown Operations l 6.4 Seismic Level 1 Analysis he purpose of tLs section is to describe the attnbutes of an LP&S seismic PRA. Only those attributes that are unique to an LP&S seismic PRA are discussed. The PRA tasks thar are the same as those for a full power seismic PRA and l l LP&S intemal esents PRA are discussed m Sections 11.1 and 6.1. respectis el:. The approach used m perfomung a full power PRA can be useo for an LP&S PRA. Howeser. the ditlerences between l LP&S and fiill power operadon ime to be accounted for in its application. The mr.ia differ.2es between LP&S and l full power operanon are the initial conditions of the plant. defmition of uunatmg events, and systems / functions needed to mitigate an accident. Rese are the subjects that are discussed in this section in terms of the key tasks of an LP&S seismic PRA. The considerations associated with the potential impacts of the changes in CLB, interfaces with other tasks, and l documentation of an LP&S seismic intemal fire analysis are the same as those discussed for a full power PRA. 6.4.1 Definition and Characterization of Plant Operational States A rnain diffe:ence ber. sten an LP&S .ismic PRA and a full power seismic PRA is the initial conditions of the plant. ) Le initial coruhtions oe6ned and charactenzed in the LP&S internal events PRA. i.e. oulage types and POSs, should l be used in an LP&S seismic PRA. l I 6.4.2 Initiating Event Analysis I A seismically induced initiating event during LP&S condinons can be defined as an earthquake that causes an initiating esent as defined in the LP&S intemal esents PRA. The seismic-induced initiating events should include loss of offsite power (LOOP). loss of RHR. and LOCAs. Seismically induced fire and flood events should also be identified. 
6.4.3 Identification of Structures, Systems, and Components (SSCs)

The SSCs to be considered in an LP&S seismic PRA should not be limited to those considered in the full power seismic PRA. This is due to the fact that the SSCs that either can affect an initiating event or are needed to mitigate an accident during LP&S operations are not identical to those considered in a full power seismic PRA. However, the same approach as that used in a full power seismic PRA can be used.

6.4.4 Hazard Analysis

The hazard analysis performed for a full power seismic PRA can be used.

6.4.5 Fragility Analysis

The fragility analysis of an LP&S seismic PRA should account for the shutdown-specific configuration of systems and components. For example, the RWST may be only partially filled during the refueling operation and its fragility would be significantly different from the case when it is full, and the steam generators are maintained at "wet layup" (filled with water) and their fragility would be significantly different from that of full power operation.


6.4.6 Model Development and Quantification

Seismic event trees for LP&S operations should be developed by modifying the event trees internal events PRA. The fault trees developed for internal events should be modified to include earthquakes.

6.5 Level 1 Analysis of "Other" External Events

Much of what should be considered for "other" (e.g., high winds, tornados, etc.) external events during operation has already been covered in Section 5.1.2 of this report. The following covers beyond those already included in that section.

The inclusion or exclusion of "other" initiating events needs to be re-examined and may need to be altered expected plant configurations or activities during LP&S operation. For instance, expected recon7 barriers (opening of doors normally closed during full power operation), introduction of temporary r as scaffolding, periods of an open containment, fuel potentially in more vulnerable configurations than a and introduction of new external hazards by personnel (e.g., caustic cleaning solvents, more vehicles onsite, etc examples of why previously eliminated "other" external events may need to be reconsidered for analysis Similarly, the expected changes in plant configurations and equipment operability periods should be co modeling the possible mitigation pathways and hence the success and failure scenarios should an external event Additionally, the hazard frequencies need to be re-examined and may need to be changed in cases where affected by plant personnel, such as greater vehicle use affecting the frequency of transportation accidents. And finally, the data values (or curves) for both plant equipment failure and human errors need to be re-examined account for such things as W.y installations, possible temporary degradation of equipment, less operability status indication for the operators and detrimental effects for some human performance shaping factors (more noise, c conditions, etc.).

The considerations associated with the potential impacts of the changes in CLB, interfaces with other tasks, and documentation of an LP&S "other" external event analysis are the same as those discussed for a full power PRA.

6.6 Level 2 Analysis

The object of the Level 2 analysis is to assess the potential for release of radionuclides due to accidents during conditions.

6.6.1 Considerations for the Baseline PRA

Generally, the considerations provided in Chapter 3 for full power operation are also applicable to LP&S conditions. However, it should be noted that, just as the equipment required to prevent core damage during the Level 1 analysis can be affected by LP&S operating conditions, so too can the equipment considered during a Level 2 analysis. If certain recovery actions, e.g., restoration of RHR pumps, need to be performed inside the containment after bulk boiling of the reactor vessel inventory has commenced, the impact of environmental conditions inside the containment on the chances of success of such actions need to be assessed. In addition, the containment may be open during shutdown POSs. These factors should be accounted for in the Level 2 analysis. Furthermore, care should be taken when accounting for the physical and phenomenological differences associated with the characterization of release during shutdown states.

The following are Level 2 considerations that should be evaluated:

  • Level 2 systems - Containment systems, such as sprays, may not be required in some of the shutdown As a result, they may be out of service for extended periods of time. The status of such systems should be identified.
  • Containment status - In some shutdown POSs, containment closure is not required. As a result, personnel hatches, equipment hatches, and containment penetrations may be left in an open position. The probability of an initially open containment has to be taken into consideration in the Level 2 analysis. The possibility that the operator would re-establish containment integrity subsequent to an accident initiating event has to be evaluated. Consideration should be given to the status of electric power, equipment, and material needed to re-establish containment integrity.
  • Decay of radioactive isotopes - The impact of low decay heat levels on accident progression in LP&S POSs and the decay of short-lived radioactive isotopes which impact early health effect should be properly accounted for.
  • These key uncertainties are derived, in part, from the results of the LP&S PRAs (Refs. 6.1 and 6.2) as well as more recent statements of key source term uncertainties published by the NRC for light-water reactor licensing purposes (Ref. 6.4). Configurations where air can enter the reactor vessel, such as when the vessel head has been removed for refueling, have been postulated to cause an enhanced release of certain radionuclides. The effect that air ingression has on the source term in such configurations needs to be assessed and, if important, included in the Level 2 model.

6.6.2 Application Impact Considerations

The considerations in assessing the risk impact of a change in the CLB are the same as those discussed in Chapter 3 for full power operation. In addition, the impacts on the shutdown-specific issues discussed in Section 5.3.1 should be evaluated.

6.6.3 Interfaces with Other Tasks

The interfaces between a Level 2 LP&S analysis and Levels 1 and 3 analyses are the same as those for full power operation.

6.6.4 Documentation

The documentation requirement of a Level 2 LP&S analysis is the same as that of a Level 2 analysis of full power operation.


6.7 Level 3 Analysis

The discussions provided in Chapter 4 for full power operation are also applicable to LP&S conditions.


REFERENCES FOR CHAPTER 6

6.1 D. Whitehead, et al., "Evaluation of Potential Severe Accidents during Low Power and Shutdown Operations at Grand Gulf, Unit 1," NUREG/CR-6143, SAND93-2440, Sandia National Laboratories, 1994.
    Volume 1: Summary of Results
    Volume 2: Analysis of Core Damage Frequency from Internal Events for Operational State 5 During a Refueling Outage
    Volume 3: Analysis of Core Damage Frequency from Internal Fire Events for Plant Operational State 5 During a Refueling Outage
    Volume 4: Analysis of Core Damage Frequency from Internal Flooding Events for Plant Operational State 5 During a Refueling Outage
    Volume 5: Analysis of Core Damage Frequency from Seismic Events for Plant Operational State 5 During a Refueling Outage
    Volume 6: Evaluation of Severe Accident Risks for Plant Operational State 5 During a Refueling Outage

6.2 T-L. Chu, et al., "Evaluation of Potential Severe Accidents during Low Power and Shutdown Operations at Surry Unit-1," NUREG/CR-6144, BNL-NUREG-52399, Brookhaven National Laboratory, 1994.
    Volume 1: Summary of Results
    Volume 2: Analysis of Core Damage Frequency from Internal Events during Mid-loop Operations
    Volume 3: Analysis of Core Damage Frequency from Internal Fires during Mid-loop Operations
    Volume 4: Analysis of Core Damage Frequency from Internal Floods during Mid-loop Operations
    Volume 5: Analysis of Core Damage Frequency from Seismic Events during Mid-loop Operations
    Volume 6: Evaluation of Severe Accident Risks during Mid-loop Operations

6.3 "EPS 900, A PSA for the Standard French 900 MWe PWR," Main Report, April 1990.

6.4 L. Soffer, et al., "Accident Source Terms for Light-Water Nuclear Power Plants," Final Report, NUREG-1465, U.S. Nuclear Regulatory Commission, 1995.

APPENDIX A. PRIORITIZATION OF SSCS AND HUMAN ACTIONS

A.1 Introduction and Objective

The objectives of this appendix are two-fold. The first objective is to discuss the role of importance measures within the risk-informed regulatory framework. This is necessary because the framework does not explicitly rely on risk-ranking methods for the acceptance of the proposed regulatory modifications. The second objective is to provide discussions on the following three areas:

  • methods and limitations of quantitative prioritization,
  • techniques for qualitative prioritization, and
  • attributes of an integrated approach to prioritization in support of risk-informed applications.

Prioritization is typically performed both quantitatively and qualitatively. Quantitative prioritization is done based on probabilistic risk assessment (PRA) and by use of quantitative importance measures. Qualitative prioritization is done based on the defense-in-depth concept and by use of both PRA information and current deterministic safety considerations. Regardless of the specific regulatory application, prioritization can be conducted as an intermediate step to differentiate between the high safety significant^1 and low safety significant components (HSSCs/LSSCs). Relaxing requirements for LSSCs is expected to have less aggregate risk impact than if requirements are relaxed for HSSCs. This application of ranking (e.g., relaxing requirements for LSSCs) does not guarantee that the acceptance criteria are met. However, importance measures can be used as a part of a systematic process of adding and removing components from the LSSC list.

Risk ranking provides an information base that can be used for implementation and monitoring phases of risk-informed and performance-based regulatory alternatives as h a in Section 2.5 of DG-1061^2. This is especially important in those applications where the risk impact of the proposed changes in requirements cannot be accurately estimated.

Qualitative engineering and operational reasoning along with a database of the importance measures can be used to help justify proposed changes to the current licensing bases. If the importance analysis indicates that a particular SSC is an HSSC, then it probably is; on the other hand, if the importance analysis indicates that the SSC is not important, then this conclusion should not be accepted without careful investigation of the reasons.

The remainder of this appendix discusses the theoretical bases and physical interpretations for various importance measures. It also discusses the use of importance measures in risk prioritization and identifies their potential limitations.
This general guidance is tailored to support specific applications, as appropriate, and may be further described in application-specific guides.

^1 Letter from A. Thadani (NRR Associate Director for Technical Review) to C. Pipton (Vice President, NEI), "Terminology for Categorizing Systems Components and Structures in Risk-Informed Regulatory Applications," dated May 8, 1996.
^2 USNRC, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decision on Plant-Specific Changes to the Current Licensing Basis," Draft Regulatory Guide DG-1061, February 1997.


A.2 PRA-Based Importance Assessment

Several different importance measures are typically calculated on the basis of PRAs.^3,4,5 Some importance measures use the numerical risk information contained in PRAs; these are referred to as quantitative importance measures. Quantitative importance measures typically determine the change in risk measures associated with the failure or success of equipment or human actions. Here, risk measures refer to both core damage frequency (CDF) and large early release frequency (LERF). By contrast, PRA-based qualitative importance measures do not use the risk contribution information; rather, they use the logic information contained in PRAs. Qualitative importance measures typically determine the reduction or increase in the number of layers of defense against an accident as a result of the failure or success of equipment or human actions.

Definitions of various importance measures, their formulation, physical interpretation, and limitations are discussed in this section. Various sensitivity analyses are suggested to account for the known limitations in using the results of various importance measures. Some considerations for grouping of various equipment using the calculated importance measures are summarized.

A.2.1 Quantitative Importance Measures

A.2.1.1 Definitions of Importance Measures

Fussell-Vesely (FV) and Risk Reduction Worth (RRW) Importance Measures

An important element of the results of a PRA is the sorted list of the accident sequence minimal cutsets. For those applications where PRA assumptions and data are not challenged, the ranked list of minimal cutsets could provide a means for prioritization. In some applications where PRA assumptions, model, and data may be questioned (e.g., previously unrecognized motor-operated valve [MOV] failure modes in MOV testing applications), the PRAs may first have to be updated.
The ranked list of accident sequence minimal cutsets provides important insights concerning the combination of failure events that contribute to core damage and public risk. This information could be used to establish defenses against the major risk contributors. A ranking scheme using the minimal cutset contribution is the most straightforward. Since the minimal cutsets are sorted on the basis of their frequencies, one may decide to identify all components within the scope of the application that also show up in the dominant minimal cutsets. Depending on the application, the dominant minimal cutsets could be determined based on their total contribution to risk (e.g., account for 95 percent of the CDF for all initiators from internal and external events including shutdown PRA). Ranking based on minimal cutset contributions is typically performed in order to focus resources and refine the requirements to gain a significant safety benefit.

^3 W. E. Vesely and T. C. Davis, "Evaluation and Utilization of Risk Importances," NUREG/CR-4377, August 1985.
^4 W. E. Vesely, M. Belhadj, and J. T. Rezos, "PRA Importance Measures for Maintenance Prioritization Applications," Journal of Reliability Engineering and System Safety, Vol. 43, pp. 307-318, 1994.
^5 W. E. Vesely, "The Use of Risk Importances for Risk-Based Applications and Risk-Based Regulations," Proceedings of the PSA '96, Park City, Utah, September 29-October 3, 1996.

The major deficiency with this ranking scheme is its poor discrimination capability. For example, a component that belongs to a cutset contributing 5 percent to the CDF will be ranked higher than a component that may belong to several minimal cutsets each contributing 1 percent or less to core damage, even though the net contribution of all of these cutsets could be more than 5 percent. To overcome this deficiency, specific importance measures known as the FV measure and RRW have been developed. The FV measure is defined by the probabilities of the cutsets containing an event divided by the sum of all cutsets. Mathematically, the FV measure is calculated by the change in risk when the component is unoperational minus the risk when the component is operational over the baseline risk multiplied by the component unavailability. That is,

$$FV(x) = \frac{P(x)\,[E(R \mid x=1) - E(R \mid x=0)]}{E(R)}$$

where P(x) is the unavailability of component x, E(R) is the baseline expected risk, and E(R|x=1) and E(R|x=0) are conditional expected risks when the component x is unoperational and operational, respectively. The conditional and the unconditional expected risk are related based on the following probabilistic equation:

$$E(R) = P(x)\,E(R \mid x=1) + (1 - P(x))\,E(R \mid x=0)$$

Substituting the auxiliary probabilistic equation for the FV equation would yield the following result:

$$FV(x) = 1 - \frac{E(R \mid x=0)}{E(R)} = 1 - \frac{1}{RRW}$$

where RRW in the second term in the right-hand side of the equation is known as the RRW importance measure. Therefore, the FV and RRW measures are closely related. Either FV or RRW performs the same function as ranking based on minimal cutset contributions, but does so in a more refined manner. The primary objective of these importance measures is to identify components within the scope of the application that can result in the greatest risk benefit if more resources are allocated to improve their reliability.
An example to illustrate the use of FV and RRW measures for relaxing requirements is discussed below. The FV and RRW importance measures can be used to justify relaxation of requirements when the effect of relaxing requirements can be estimated in terms of component reliabilities. However, in this case, the analyst should first assume that the requirements are relaxed for all components within the scope of the regulatory requirement. The impact of such relaxation on component reliabilities should then be estimated, and the PRA input data should be updated. The use of the FV measure with the new baseline PRA can also identify components for which the requirements should not be relaxed. Relaxation of the requirements for the remaining components could then be justified. In the latter approach, the impact of the requirements is integrated into the ranking analyses.

Birnbaum Measure (BM) and Risk Achievement Worth (RAW)

The BM is simply the contribution of all cutsets involving an event x divided by the nominal unavailability of that event. Mathematically, a single component BM is defined by:


$$BM(x) = E(R \mid P_x = 1) - E(R \mid P_x = 0)$$

where E(R|P_x=0) and E(R|P_x=1) are the expected risks when the unavailability of component x is set to zero and one, respectively.

The BM and RAW measures are closely related. By dividing the above equation by the nominal expected risk, the following relationship is obtained:

$$\frac{BM(x)}{E(R)} = RAW(x) - \frac{1}{RRW(x)}$$

where RAW(x) is the RAW for x, and it is defined by the expected risk when the unavailability of component x is set to one divided by the expected nominal risk value. Since RAW is usually much greater than one and RRW is very close to one (but always greater than one), an approximate relationship for BM would be as follows:

$$BM(x) = E(R)\,[RAW(x) - 1]$$

This equation shows the close relationship between RAW and BM. However, it should be noted that the BM is an absolute measure and it is not normalized with the expected risk (E(R)). This is in contrast with all other importance measures discussed so far (FV, RRW, and RAW), which are normalized by the expected risk. Use of absolute measures would facilitate the comparison of importance results for different sensitivity runs within a plant. A useful probability relationship between the BM measure and the change in the expected risk as a result of change in component unavailability can be established using the following relationship:

$$\Delta E(R) = BM(x)\,\Delta Q(x)$$

where ΔE(R) and ΔQ(x) are the changes in the expected risk and the unavailability of the component x.

A.2.1.2 Considerations in Calculating Importance Measures

The theoretical bases of various importance measures and their physical interpretations were discussed earlier. The basis of the importance measures were discussed independent of the application. This section discusses practical considerations for calculating the following component-level importance measures:

  • truncation limit,
  • completeness of risk models,
  • measures of risk,
  • component failure modes,
  • implicit contributors,
  • explicit dependencies, and
  • implicit dependencies.


Consideration of Truncation Limit

The truncation limit is an important aspect of a risk evaluation and, therefore, plays an important role in the process Some PRA codes are designed to provide an upper bound estimate on the frequency of These codes typically accumulate the frequencies of the cutsets truncated in a residue bin. Therefore, to identify the fraction of risk (e.g., CDF) captured given a probabilistic truncation limit. Truncation limits should therefore be chosen such that at least 95 percent of the CDF or risk is captured. Depending on the PRA level (module level, component level, or piece-part level), this may generally translate into a cutset truncation limit from 1.0E-12 to 1.0E-3 (per year).

Another important consideration for determining a truncation limit is imposed by the FV measure an As an example, if the numerical cutoff criteria of 0.1 percent (0.001) is proposed for the FV importance measure, a truncation limit with enough resolution for estimating a FV of 0.001 should be at least 1000 times smaller than the total calculated risk (or CDF). This would ensure the survival of at least one minimal cutset contribution of 0.1 percent of total CDF. However, the FV measure for a component is the summation of the contribution of all minimal cutsets containing that component; therefore, it would be important for more than one minimal cutset to survive the truncation. This would require that the truncation limit be lowered at least by a factor of 10 to ensure appropriate coverage.

The third consideration for determining a truncation limit deals with the extent to which the basic PRA events are covered by the PRA-generated minimal cutsets that survive the truncation limit. PRAs typically model up to a of thousands of basic events. Depending on the truncation limit, some of these basic events may not show up in the final minimal cutsets generated by the PRA (i.e., those that survive the truncation limit).
The importance measures associated with these basic events then cannot be evaluated. The truncation limit, therefore, must be selected such that the fraction of basic events not accounted for in the final list of minimal cutsets is less than 10 percent of all basic events. This truncation limit criterion could be application dependent. For example, in in-service testing (IST) application, 90 percent of all basic events related to pumps and valves modeled in the PRA may correspond to a truncation limit of 1E-11. However, to satisfy the same criteria for graded QA may require a much lower truncation limit (which may not be practical). Application-specific truncation criteria are re-visited in each application-specific guide.

In summary, three requirements should be met for selecting a probabilistic truncation limit for the purpose of risk-based ranking:

  • The truncation limit should be low enough to capture a large fraction of risk measures (e.g., at least 95 percent of the CDF and LERF).
  • The truncation limit should be low enough to ensure capturing components within the range of FV criteria of interest (e.g., 10' multiplied by the total estimated CDF and LERF).
  • The truncation limit should be low enough to account for at least 90 percent of all basic events in the final set of minimal cutsets. This criterion may be too restrictive, and depending on the application may need to be modified.
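The FV, RRW, RAW and BM definitions of Section A.2.1.1 and the three truncation requirements above, worked through as an added Python example that is not part of NUREG-1602. The cutset model, event names and probabilities are constructed, and expected risk is taken as the rare-event sum of cutset frequencies, which is an assumption of this example.

```python
from math import prod

# Constructed model, not taken from the report. "IE" is an initiating-event
# frequency (per year); every other value is a basic-event unavailability.
P = {"IE": 1e-2, "A": 1e-2, "B": 1e-1, "C": 5e-4, "V": 1e-3,
     **{f"D{i}": 1e-3 for i in range(1, 6)}}
CUTSETS = [frozenset({"IE", "A", "B"}),                              # 1e-5 / yr
           frozenset({"IE", "C"}),                                   # 5e-6 / yr
           *[frozenset({"IE", "V", f"D{i}"}) for i in range(1, 6)]]  # 1e-8 each


def cutset_freq(cutset, p):
    """Frequency of one minimal cutset: product of its event values."""
    return prod(p[e] for e in cutset)


def risk(cutsets, p, fixed=None):
    """E(R) as the rare-event sum of cutset frequencies (assumption of this
    example); `fixed` overrides unavailabilities, e.g. {"A": 1.0}."""
    q = {**p, **(fixed or {})}
    return sum(cutset_freq(cs, q) for cs in cutsets)


def importance(cutsets, p, x):
    """FV, RRW, RAW and BM of basic event x, using the A.2.1.1 definitions."""
    base = risk(cutsets, p)
    r1 = risk(cutsets, p, {x: 1.0})   # E(R | x = 1): x unavailable
    r0 = risk(cutsets, p, {x: 0.0})   # E(R | x = 0): x always available
    return {"FV": p[x] * (r1 - r0) / base,
            "RRW": base / r0 if r0 > 0 else float("inf"),
            "RAW": r1 / base,
            "BM": r1 - r0}            # absolute, not normalized by E(R)


def truncation_report(cutsets, p, limit, event):
    """Apply a truncation limit and report the three quantities named in the
    summary list. The untruncated risk is known here only because the
    constructed model is small enough to solve in full."""
    kept = [cs for cs in cutsets if cutset_freq(cs, p) >= limit]
    all_events = set().union(*cutsets)
    kept_events = set().union(*kept)
    return {"risk_captured": risk(kept, p) / risk(cutsets, p),
            "events_covered": len(kept_events) / len(all_events),
            "fv": importance(kept, p, event)["FV"] if kept else 0.0}


if __name__ == "__main__":
    total = risk(CUTSETS, P)
    for name in ("A", "C", "V"):
        print(name, importance(CUTSETS, P, name))
    # FV cutoff of 0.001: limit 1000 times below the total, then 10 times lower
    for factor in (1e-3, 1e-4):
        print(factor, truncation_report(CUTSETS, P, total * factor, "V"))
```

With the limit at 1/1000 of the total, more than 99 percent of the risk is captured, yet all five cutsets containing V are truncated and its FV reads zero; lowering the limit by a further factor of 10 recovers an FV of about 0.0033, above the 0.001 cutoff.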


Completeness of the Risk Model

Importance measures may be calculated based on a portion of the risk (e.g., for internal events at full power) or the overall plant risk (internal and external events including shutdown risk). Depending on the completeness of the risk model, qualitative assessments (safety based) should be utilized for portions of the plant operation not included in the PRA assessment. When the importance measures are calculated, care should be taken in accounting for all contributors to the importance measure as well as the appropriate normalization (consistent with the PRA scope). When importance measures need to be calculated for overall risk, the results could be tabulated to show specific contributors to the importance measures from the PRA scope (internal, external, etc.) along with the overall importance measures.

Considerations of Measures of Risk

Importance measures can be calculated for various risk measures (e.g., CDF, containment failure probability, and release category frequency). Currently, importance measures are calculated for CDF and LERF. LERF covers all scenarios involving early containment failure and containment bypass. Importance measures (both normalized and non-normalized) calculated at different PRA levels cannot be combined (summed).

Consideration of Component Failure Modes

A component can perform several different functions, each with its own unique failure modes modeled in a PRA. For example, failure to open and reclose could be two different failure modes modeled in a PRA for an MOV. Importance measures can be calculated for all failure modes. Care should be taken in evaluating the overall importance of a component (to avoid missing some failure modes). The overall component importance measure and the contribution of each of its failure modes to the overall measure could be tabulated. Here, a combined measure could be used as the overall importance measure.

Consideration of Implicit Contributors

Many components are not explicitly modeled in PRAs; however, their risk contribution is implicitly accounted for. For example, many components in the balance of plant are not explicitly modeled in the PRA, but their risk contributions are implicitly accounted for through the frequency of initiating events. Some importance measures could be calculated for the implicitly modeled components. For a component not explicitly modeled in the PRA, the analyst should first identify those basic PRA events that could be affected by the failure or success of the given component. In the second step, the analyst should determine the contribution of the implicitly modeled component to the unavailability of the explicitly modeled PRA basic events. For example, the importance of the rupture of a pipe segment not included in the model could be evaluated based on the failure of the modeled component located in that segment. For those cases where such evaluation could not be performed quantitatively, qualitative evaluation discussed later in this appendix could be used. The above 2-step analysis would provide sufficient information for calculating all types of importance measures discussed earlier for a component that is implicitly modeled in a PRA.

Consideration of Explicit Dependencies

Various types of dependencies are explicitly accounted for in PRAs. For example, common-cause failures (CCFs) are sometimes explicitly accounted for through use of CCF parameters (such as beta factors). Importance measures calculated for a component should account for the contributions from the explicit dependencies. In most cases, PRAs are structured such that these dependencies could be easily accounted for in calculating importance measures (especially FV measures); however, this is not always the case. Care should be taken to ensure that all dependency contributors are accounted for and the results of importance measures are tabulated to show the individual dependency contributions.

Consideration of Implicit Dependencies

Various dependencies are implicit in PRAs. For example, many transducers are explicitly modeled in PRAs as a part of actuation logic and can also provide information needed for successful manual m. tion. On the other hand, some instrumentation, monitors, or fault indicators may not be modeled in the PRA. Information from these items may be needed for successful recovery actions. Care should be given to consider their impact on other (explicitly modeled) basic events.

A.2.2 Qualitative Importance Measures

isn-based qualitative risk ranking (QRR) is sometimes performed to show that defense-in-depth would not be compromised as a result of changes in requirements or design. There are two types of qualitative ranking designed explicitly to address the defense-in-depth concept. These are minimal cutset ranking (MCR) and minimal pathset ranking (MPR). Since in most cases these two methods provide consistent results, only the MCR method will be discussed here. A simplified system block diagram (Figure A.1) is used to facilitate the discussion of this ranking method.

Figure A.1 Example system block diagram for discussion purposes

Minimal Cutset Ranking (MCR)

The MCR method ranks components based on the lowest order of the minimal cutsets when the component is removed. The lowest order of the minimal cutsets (number of elements in the minimal cutset) associated with the above system (Figure A.1) is one, and there is only one minimal cutset of order one (failure of X3 will render the system inoperable). If component X3 is removed, the lowest order of the minimal cutsets would be zero. However, if any other component (e.g., X1, X2, X4, or X5) is removed, the lowest order of minimal cutsets would be one and, in all cases, there would be two minimal cutsets of order one. Therefore, we infer that X3 is structurally more important than other components. The following procedure is typically used for MCR:

  • For each component or basic event, the minimum order of cutsets (m) and the number of unique minimal cutsets with that order (n) is determined when the basic event is set to true. For this application, the order of cutsets is determined by excluding all recovery actions, and the initiating events (i.e., the cutset rank is based only on e- ; ==c failures).

  • The basic events are then ranked based on the increasing values of m (i.e., the lowest order of minimal cutsets). For those basic events that have the same value of m, the ranking would be based on the decreasing value of n (the number of minimal cutsets with the lowest order). This step is typically done for each initiator separately.
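The MCR procedure above, as an added Python example that is not part of NUREG-1602. Figure A.1 is not reproduced on this page, so the cutsets are a constructed system chosen to match the text's description (X3 alone fails the system; X1/X2 and X4/X5 are assumed to be redundant pairs), and IE-LOOP and REC-OP are hypothetical initiating-event and recovery-action names.

```python
# Constructed stand-in for Figure A.1 (assumption): X3 is a single point of
# failure, X1/X2 and X4/X5 are redundant pairs.
SYSTEM = [frozenset({"X3"}),
          frozenset({"X1", "X2"}),
          frozenset({"X4", "X5"})]

# The same logic written as accident-sequence cutsets that also carry a
# hypothetical initiating event and a hypothetical recovery action.
SEQUENCE = [frozenset({"IE-LOOP", "X3"}),
            frozenset({"IE-LOOP", "X1", "X2", "REC-OP"}),
            frozenset({"IE-LOOP", "X4", "X5"})]
EXCLUDED = frozenset({"IE-LOOP", "REC-OP"})


def minimize(cutsets):
    """Drop duplicates and any cutset that strictly contains another one."""
    unique = set(cutsets)
    return {c for c in unique if not any(other < c for other in unique)}


def lowest_order(cutsets, excluded=frozenset()):
    """Return (m, n): the lowest cutset order and how many minimal cutsets
    have it, after removing initiators and recovery actions from the count."""
    reduced = minimize(frozenset(c - excluded) for c in cutsets)
    m = min(len(c) for c in reduced)
    n = sum(1 for c in reduced if len(c) == m)
    return m, n


def mcr_entry(cutsets, event, excluded=frozenset()):
    """(m, n) with `event` set to true, i.e. removed from every cutset.
    An empty cutset (order zero) means the system fails with no further
    failure needed."""
    return lowest_order([c - {event} for c in cutsets], excluded)


def mcr_ranking(cutsets, excluded=frozenset()):
    """Rank basic events by increasing m, then decreasing n; the event name
    is used only to make the order of tied entries reproducible."""
    events = set().union(*cutsets) - excluded
    rows = [(e, *mcr_entry(cutsets, e, excluded)) for e in events]
    return sorted(rows, key=lambda r: (r[1], -r[2], r[0]))


if __name__ == "__main__":
    print("baseline (m, n):", lowest_order(SYSTEM))
    for name, m, n in mcr_ranking(SEQUENCE, EXCLUDED):
        print(f"{name}: m={m}, n={n}")
```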

MCR is a qualitative method and does not rely on the probability or quantitative risk as a result of removing a basic event from consideration. It can be used as a supplemental justification for quantitative @; ;c ranking.

A.2.3 Considerations for Ranking Using Importance Measures

One application area considered for use of importance measures is risk ranking. Risk ranking applications involve relative ranking of all components based on their importance measures, and subsequent binning of the components in two (high and low) or three (high, medium, and low) classes. The binning is usually performed to allocate resources commensurate with component grouping. This may also result in enhancing the requirements for the components in the high bin category and may relax requirements for components in the low bin category. In this regard, care should be taken to ensure that relaxing requirements for components in the low bin category could not potentially degrade plant safety or multiple lines of defense.

The remainder of this section identifies special considerations for risk ranking, including those resulting from limitations of importance measures pertaining to ranking applications. This section also provides considerations to deal with following issues in order to ensure that the components in the low bin category will not degrade safety:

  • multiple component considerations,
  • consideration for defense-in-depth,
  • consideration for allowable plant configurations,
  • consideration for binning criteria, and
  • consideration for uncertainty evaluation.

Multiple Component Considerations

For those components assigned to the low risk category, the aggregate impact of changes in requirements of multiple components on safety should be assessed. For example, a set of MOVs may be in a low category since each MOV individually does not have a significant importance measure. If the requirements for this set of MOVs are changed, however, the failure rate of each individual MOV may increase. The aggregate impact of the increased failure rates for all MOVs might contribute significantly to risk. The underlying reason could be the appearance of some combination of these MOVs in the same cutset. The multiple component ... designed to identify which combination of these MOVs might be risk significant (therefore, requiring them to be shifted to a higher category).

It should be emphasized that this concern about multiple components is also valid for components of different types, as long as they show up in the same cutset and are assigned to the low risk category. One acceptable way to address this issue is to identify all minimal cutsets containing at most one component from other categories (high or medium). If such a minimal cutset exists, some of the low category components should be moved to a higher bin to ensure that at least two or more higher category components are in all minimal cutsets.
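The check described above, as an added example that is not part of NUREG-1602: it finds minimal cutsets with at most one high or medium component and promotes low-category components until every cutset that can hold two higher-category components does. The component names, cutsets, categories, the promotion target ("medium") and the greedy choice of which component to promote are constructed assumptions.

```python
from collections import Counter

# Constructed sample data. Each minimal cutset lists component failures only
# (initiating events and recovery actions are assumed to be already excluded).
CUTSETS = [
    {"DG-A", "DG-B"},
    {"MOV-1", "MOV-2"},
    {"MOV-1", "MOV-3", "PUMP-A"},
    {"MOV-2", "MOV-3", "CV-7"},
    {"PUMP-A", "PUMP-B", "CV-7"},
]
CATEGORY = {
    "DG-A": "high", "DG-B": "high", "PUMP-A": "high", "PUMP-B": "medium",
    "MOV-1": "low", "MOV-2": "low", "MOV-3": "low", "CV-7": "low",
}


def higher_count(cutset, category):
    """Number of components in the cutset that are NOT in the low bin."""
    return sum(1 for comp in cutset if category[comp] != "low")


def weak_cutsets(cutsets, category):
    """Minimal cutsets containing at most one high/medium component."""
    return [cs for cs in cutsets if higher_count(cs, category) <= 1]


def promote_until_covered(cutsets, category, target="medium"):
    """Move low components to a higher bin until no weak cutset can be improved.

    Greedy rule (an assumption of this example): promote the low component
    that appears in the most weak cutsets; ties are broken by name so the
    result is reproducible. The input mapping is not modified.

    Returns (new_category, promoted_in_order, unresolved_cutsets), where
    unresolved cutsets have fewer than two components in total and therefore
    cannot hold two higher-category components whatever is promoted.
    """
    category = dict(category)
    promoted = []
    while True:
        fixable = [cs for cs in weak_cutsets(cutsets, category)
                   if any(category[c] == "low" for c in cs)]
        if not fixable:
            break
        votes = Counter(c for cs in fixable for c in cs if category[c] == "low")
        pick = min(votes, key=lambda c: (-votes[c], c))
        category[pick] = target
        promoted.append(pick)
    return category, promoted, weak_cutsets(cutsets, category)


if __name__ == "__main__":
    for cs in weak_cutsets(CUTSETS, CATEGORY):
        print("weak cutset:", sorted(cs))
    new_cat, promoted, unresolved = promote_until_covered(CUTSETS, CATEGORY)
    print("promoted:", promoted)
    print("still low:", sorted(c for c, k in new_cat.items() if k == "low"))
    print("unresolved:", [sorted(cs) for cs in unresolved])
```

In the sample data each MOV looks unimportant on its own, yet three of the five cutsets depend almost entirely on low-bin components, which is the situation the multiple component consideration is meant to catch.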


Consideration for Defense-in-Depth

The following sensitivity analyses are recommended to ensure that tankrpk his cidef defense-in-depth concept is not compromised as a result of relaxing the requirements or

  • Ensure that all minimal cutsets contain at least two component failures for which requi relaxed. This ensures that there are at least two lines of defense in each cutset not a change. (Either outside the scope of the application or categorized as medium or high.)
  • Identify sets of contributors associated with major lines of defense, primary prelj functions, and containment systems. Prioritize the contributors within each set to assu of all lines of defense.

Consideration for Allowable Plant Configurations

Plant Technical Specifications (TS) allow two or more components to be down simultane activities. The embedded assumption in the TS is that the remaining components provide If these remaining components are assigned to the low category their high reliability m following analyses could be performed to ensure that multiple lines of safety are ma configurations:

The applicant should first identify those configurations that are allowed by plant T sequence minimal cutsets composed entirely of components categorized as LS Such configurations should be prevented, or some of the low category components s high category to ensure that no minimal cutsets totally rely on low category e_ configurations.

Consideration for Binning Criteria

The cutoff criteria for binning components based on their importance measures may v another. Nonetheless, these criteria should be determined such that the total risk increa requirements for low category components are controlled. As an example, relaxing cer the unavailability of the affected components at most by a factor of 2. At the same time, the result of such relaxation is planned to be controlled under 10 percent of the baseline c binning criteria then should assure that the contribution of all basic events assign unavailabilities are increased by a factor of 2 stays below the 10 percent of the baseline d CD therefore, could vary depending on the application and the expected changes in the una

ts. The above procedure and criteria for binning are more appropriate than cutoff cri measure. This process also explicitly accounts for the impact of the relaxation in terms of in unavailability; therefore, the cutoff criteria can vary from one application to another application) depending on the extent of relaxation requested.
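The binning example above (unavailability increased by a factor of 2, total increase held under 10 percent of the baseline), worked through as an added example that is not part of NUREG-1602. The basic events, unavailabilities and cutsets are constructed; the rare-event approximation for the baseline risk, the Fussell-Vesely (FV) ordering and the stop-at-first-violation rule are assumptions of this sketch.

```python
from math import prod

# Constructed sample model: basic-event unavailabilities and minimal cutsets.
UNAVAIL = {"A": 1e-2, "B": 1e-2, "C": 1e-3, "D": 2e-3, "E": 1e-3, "F": 1e-3}
CUTSETS = [("A", "B"), ("A", "C"), ("C", "D"), ("D", "E"), ("E", "F")]


def risk(cutsets, q):
    """Rare-event approximation: sum of the cutset probabilities."""
    return sum(prod(q[e] for e in cs) for cs in cutsets)


def fussell_vesely(event, cutsets, q):
    """Fraction of the baseline risk from cutsets that contain the event."""
    return risk([cs for cs in cutsets if event in cs], q) / risk(cutsets, q)


def relaxed(q, low_bin, factor):
    """Unavailabilities after relaxing requirements for the low-bin events."""
    return {e: min(1.0, p * factor) if e in low_bin else p for e, p in q.items()}


def increase_fraction(cutsets, q, low_bin, factor=2.0):
    """Aggregate risk increase, as a fraction of baseline, when every
    low-bin unavailability is multiplied by `factor` at the same time."""
    base = risk(cutsets, q)
    return (risk(cutsets, relaxed(q, low_bin, factor)) - base) / base


def sum_of_individual_increases(cutsets, q, low_bin, factor=2.0):
    """What one would estimate by relaxing one event at a time and adding up."""
    return sum(increase_fraction(cutsets, q, {e}, factor) for e in low_bin)


def bin_by_risk_budget(cutsets, q, factor=2.0, budget=0.10):
    """Fill the low bin in order of increasing FV until adding the next event
    would push the aggregate increase over the budget.

    Returns (low_bin, fv_cutoff); the cutoff is the largest FV admitted, so it
    is an outcome of the budget rather than a fixed number chosen in advance.
    """
    order = sorted(q, key=lambda e: (fussell_vesely(e, cutsets, q), e))
    low = set()
    for event in order:
        if increase_fraction(cutsets, q, low | {event}, factor) > budget:
            break
        low.add(event)
    cutoff = max((fussell_vesely(e, cutsets, q) for e in low), default=0.0)
    return low, cutoff


if __name__ == "__main__":
    low, cutoff = bin_by_risk_budget(CUTSETS, UNAVAIL)
    print("low bin:", sorted(low), "FV cutoff: %.4f" % cutoff)
    print("aggregate increase: %.2f%%"
          % (100 * increase_fraction(CUTSETS, UNAVAIL, low)))
    print("sum of one-at-a-time increases: %.2f%%"
          % (100 * sum_of_individual_increases(CUTSETS, UNAVAIL, low)))
```

Because D, E and F share cutsets, relaxing them together raises the risk more than the one-at-a-time increases suggest, so the budget has to be checked against the aggregate figure.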

Considerations for Uncertainty Evaluation

The effects of PRA uncertainties on the risk importance measures and their utilization need to be add though formal uncertainty analysis can be performed, such an evaluation may not be necessary could be performed as a substitute for a formal uncertainty evaluation. The following sensitivity a to reveal any additional high risk or marginal risk importance that could occur under different plaus er scenarios which then can be included in the higher class as a precaution against PRA uncertainties.

Component-Specific Sensitivity Analyses

This sensitivity analysis is designed to address the failure rate uncertainty of a component and its potential ranking. For those components that are ranked low, a sensitivity analysis using the 95th percentile of the unavailability distributions of the components could be performed to determine the impact on FV measures. This could be done for each component or human error individually. The unavailability of some components with large uncertainties, such as check valves, could cause them to shift from the low to high categories. If this occurs, the components could be shifted to a higher category to account for the uncertainty distribution.

Sensitivity Analyses for a Component Group

Sensitivity analyses are designed to address the correlated change in failure rate of a group of components. The sensitivity analyses could also address the correlated changes in the failure rate of a group of components from such causes as aging and wear. For a group of components (e.g., breakers), identify those that are binned in the low category and increase the mean failure rate of all selected components in a manner consistent with a generic error factor associated with the component type. Identify those components that are shifted to a higher category for further consideration to be removed from the low bin category.

Sensitivity Analyses for CCFs

CCFs are modeled in PRAs to account for dependent failures of redundant components within a system. Dependencies among similar components performing redundant functions but across systems (in two different systems) are generally not modeled in PRAs. Component-level importance measures (e.g., RAW, RRW, and FV) are typically calculated based on assumed nominal values of modeled basic events. Some component importance measures (i.e., FV measure) could account for the direct risk contributions from associated basic component events, such as failure to start and failure to run, and indirect contributions through the impact on the probability of other basic events (such as human errors, recovery actions, and most importantly CCFs).

Therefore, a component may be ranked HSSC mainly because of its contribution to CCFs, or a component may be ranked as LSSC mainly because it has negligible or no contribution to CCFs. A component may be ranked insignificant either because of omission of CCF contributors or because of the assignment of an insignificant CCF contribution. Thus, removing or relaxing requirements may increase the CCF contribution, thereby changing the ranking order. The following approach ensures that relative ranking of components includes proper consideration of the CCF contributions:

  • If a component is ranked low because the CCF is not included in the PRA model, revisit the CCF models to ensure that the assumption of no CCF is valid (especially under the potential relaxation of requirements for low risk components).


  • Set all CCF contributions to zero and rerank the components. SperiM .v: 'he'M H F*a ***rMiaa l'ai's used in PRA quantification for this case run. Identify components that shift to a higher category. To d3 against the uncertainties associated with CCF contribution, these components should be trea category n_ -g--mts.

Sensitivity Analysis for Recovery Actions

PRAs typically model recovery actions, especially for dominant accident sequences (but not for all ca Quantification of recovery actions typically depends on the time available for diagnosis and performin training, procedures, and knowledge of operators. There is a certain degree of subjectivity involved in success probability for the recovery actions. The concerns in this case stem from situations where very probabilities are assigned to a sequence, resulting in related components being ranked risk insignificant. Sensitivity analyses can be used to show how the SSC ranking may change if one removes all recovery unca failure probability to one. The objective is to determine if a component that was ranked low will move up t a high or medium risk category. If so, the component should be removed from the low category.

A.3 Safety-Based Prioritization

The major objective for safety-based prioritization is to evaluate and identify those areas where proposed changes may result in potentially undesirable safety degradation which cannot be easily shown with the P prioritization. This could include those items (SSCs and human actions) that either are not explicitly m or are not within the current scope of the PRA. It also could include those safety concerns that are not capture severe accident risk typically modeled in PRAs. Specific areas of safety concerns are defense-in-depth and safety margins. The specific issues to be addressed are discussed below.

Defense-in-Depth

To assure that the philosophy of defense-in-depth is maintained, the following should be examined.

1. Assure reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation.

Compliance with decision guidelines for CDF and LERF could assure to a great extent balance prevention of core damage and early containment failure. Considerations for emergency p potential for late containment failures should also be =rer== tat for to assure that these m the associated SSCs are not degraded by the proposed change.

2. Avoid overreliance on programmatic activities to compensate for weaknesses in plant design.

There could be instances that meeting the quantitative guidelines for CDF and LERF are strongly depe on the credit taken for programmatic activities. Overreliance on programmatic activities such as mainten surveillance, and recovery actions to compensate for the proposed change should be avoided. The analyses on the recovery actions proposed earlier and the data related discussion in the body could be used for addressing this issue.


3. Maintain system redundancy, independence, and diversity.

The qualitative PRA results, i.e., the accident sequence minimal cutsets, show what combinations of passive and active failures would cause core damage or radioactivity release, and thereby reflect directly on the defense-in-depth concept. The minimal cutsets can show the effective redundancy and diversity of the plant design. Qualitative PRA results should be used to demonstrate that system redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system.

4. Maintain defense against potential CCF and avoid the introduction of new CCF mechanisms.

Relaxation of programmatic activities could exacerbate an existing CCF mechanism or could introduce new sources of CCFs. Even though the CCF treatment is reserved for CCFs within a system, here we are concerned about the CCFs across systems, i.e., concurrent trends of degrading reliability among a set of components for which requirements are relaxed.

5. Independence of barriers is not compromised.

Generally, the barriers are passive and of such a diverse nature that changes in requirements are unlikely to cause them to fail or degrade dependently. However, there are some failure mechanisms that could be of concern under certain application-specific proposals. One such mechanism, which could cause failure of more than one defense-in-depth barrier, is the CCF mechanism. For example, if a new CCF mechanism is introduced for both inboard and outboard isolation valves, then primary coolant rupture outside the containment could bypass the containment. In this case, the potential could exist for failure of two defense-in-depth barriers even though highly unlikely. Identification and proper application-specific treatment of such mechanisms capable of failing or degrading multiple barriers should be considered in proposed changes.

6. Defenses against human errors are maintained.

Considerations to avoid overreliance on human actions for protecting the core and the defense-in-depth barriers were discussed earlier. Defenses against human errors which under a change request may become more likely and contribute significantly to risk should also be taken. The proposed changes and their effect on potential human errors should be assessed. Careful attention should be paid to those cases where a proposed change could impact the performance and reliability of the equipment used by the operators to perform the necessary actions, e.g., lighting, communication devices, instrumentation and control devices, and other operator aids, such as alarms and displays.

Safety Margins

To assure adequate safety margins are maintained, the following should be examined:

1. Codes and standards or alternatives approved for use by the NRC are met.

Specific considerations outlined in the application-specific guide should be followed to assure that the proposed changes are not in conflict with NRC-approved codes and standards (e.g., ASME standard referred to in 10 CFR Part 50.55a).

2. Safety analysis acceptance criteria in the Final Safety Analysis Report (FSAR) are met.

The impact of the proposed changes on the assumptions, initial, and boundary condition safety analysis should be examined to assure the changes are within the acceptable lim safety margins are maintained.

There are other qualitative considerations that need to be examined to assure that categorizing will not result in an adverse safety impact. There should be at least one set of supporting SSCs that are categorized high and could prevent the occurrence of the initiators and the failure of the supercomponents t PRAs. This is one way of assuring that the low frequencies for the initiators and high reliability of supercomponents that are credited in PRAs are maintained, especially when they are either of high or medium importance. The examination of the following questions can help the qualitative prioritization of those SSCs not explicitly m PRAs:

1. Can the failure of the SSC result in the eventual occurrence of an initiating event?
2. Can the failure of the SSC result in a failure of a supercomponent that is modeled in the PRA and expected to be either high or medium SSC?
3. Does the SSC belong to a set of redundant components such that they are susceptible to a CCF and failure could cause eventual failure of a supercomponent or an initiator in PRA which is expected to be either in high or medium categories?
4. Does the SSC belong to a component class in which relaxing the requirements may significantly impact reliability (e.g., the role of periodic overhaul in circuit breakers)?
5. Can the SSC support operator and recovery actions, especially those credited in the PRA?
6. Is the SSC currently included in the scope of current regulatory requirements?
7. Does the SSC play an important role in the post severe accident activities (e.g., monitoring)?

When an SSC is categorized based on qualitative considerations, discussion should be provided on the SSC funct reasons for selecting the category, why it was not modeled in a PRA, and the potential impact of proposed changes, if any.

A.4 Integration

Following the earlier discussion, an SSC or a human action may be assigned to a category by a quantitative PRA-based prioritization, a qualitative PRA-based prioritization, or a qualitative safety-based prioritization. An integral lis SSCs and human errors belonging to a given category taking into account these different prioritization methods needs to be constructed for most of the applications. A process for this integration is summarized below.

Combined Quantitative List

Results of the quantitative prioritization using the baseline PRA (based on CDF and LERF) are combined si identifying as HSSCs based on either CDF or LERF. Low risk significant list (LSSCs) is comprised of items common to both CDF and LERF. A combined list of the HSSCs and the LSSCs that are covered by the scope of the risk-informed application and are within the scope of PRA then could be constructed.

Combined Qualitative List

Items (SSCs and human actions) within the scope of risk-informed application under consideration and not identified in the combined quantitative list as high risk significant would be the subject for qualitative prioritization. Qualitative ranking (as described in Sections A.2.2 and A.3) would include both the qualitative PRA-based and the qualitative safety-based items. Qualitative ranking is done based on examination of the PRA minimal cutsets, defense-in-depth consideration, safety margin consideration, and general safety consideration, especially for those items that are either not explicitly modeled in the PRA or not within the scope of the PRA. Items examined by different approaches for qualitative ranking that are identified as high safety significant are combined and listed. Contributing factors and the reasons behind this ranking should be documented.

Integrated List

Those items identified as HSSCs (quantitative) and those identified as high safety significance (qualitative) could be combined into a more comprehensive safety significance list. All remaining items within the scope of the application then could be listed in a less safety significance item list. There could be some instances where an additional category such as medium safety significance is defined. The process of integration described here could still be applied.

Use of the Integrated List

The integrated HSSC and LSSC lists could be used to identify the candidates for either risk beneficial changes or potential regulatory relaxations. Compensatory measures could be considered for those items in the integrated more safety significance list since substantial risk reduction could be achieved. Regulatory relaxation could be considered for those items in the integrated LSSC list since major saving in resources could be obtained without degrading safety.

The lists of high and low safety significant (HSSC/LSSC) items are expected to be robust and should not change significantly as a result of the proposed changes. However, if post change ranking indicates that some items have shifted from low safety significant to high safety significant list, those items should be considered for performance monitoring and phasing in implementation of changes.


APPENDIX B. PRA PEER REVIEW

An independent peer review is a way of assuring the adequacy of the probabilistic risk assessment informed regulatory applications and to av==iaa the validity of the risk impact estimated for the proposed

This appendix discusses the objectives and scope of an !Pt peer review and describes an example pr conducting the peer reviews.

B.1 Objectives of the Review

Independent peer reviews are performed to address both the adequacy of the PRA used for a risk-info submittal and the validity of the estimated risk impact resulting from the proposed changes. The peer revie means of assuring whaie=1 quality of the PRA and its applications. The subject of peer review is further a in NUREG/CR4372*. The specific goals of the peer review are:

  • to determine the adequacy of the baseline PRA to support one or more types of applications,
  • to determine the validity of the input information sources, assumptions, models, data, and analyses formin the basis for the proposed change (or changes), and
  • to determine the validity of the results obtained in the analyses and the corresponding conclusions related to the proposed change (or changes).

To provide assurance that use approaches were generally applied appropriately, the peer reviewers baseline PRA against the attributes listed in this report and perform spot checks on each portion of the and its risk-informed application. The peer reviewer should report those problems that are significant e change the conclusion of whether or not a proposed change(s) is risk significant. The peer review note problems that would not change the conclusions for the particular change being proposed significant for other changes that might be proposed in the future.

B.2 Review Team Composition and Qualifications

The peer reviews will normally need to be performed by a team, rather than an individual, bec the analyse generally involve expertise in multiple disciplines. For the PRA peer review and dependin of the baseline PRA, experts may be needed in the following areas: systems analysis, data analysis, analysis (HRA), severe accident phenomena (if a level 2 analysis was performed for the alevel 2 analysis was performed for the submittal), -- v7 modeling (if a Level 3 analysis was performed for the submittal), seismic analysis (if part of submittal), fire analysis (if part of submittal), and for sm external events as appropriate for the plant site.

Each peer reviewer must have experience with nuclear power plants in performing the PR assigned to review. This experience is --M to include knowledge of typical inputs, assum techniques, =adaic scope, level of detail, data, and form of results for the assigned review be cognizant of the issues addressed in this report and understand the impact of the delinea

  • Senior Seismic Hr.zard Analysis Committee Report
  • NUREG/CR4372, to be published,1997.


of PRA. The reviewers should also have at least a general familiarity with the plant design being analyzed. At least one member should have a good knowledge of the specific plant and its operation.

B.3 Review Process and Considerations

The peer review proceeds in two phases. In the first phase, the adequacy of the baseline PRA to support the intended applications is determined. In the second phase, the use of the baseline PRA for estimating the risk impact for one or more applications is reviewed. It is more efficient to conduct peer reviews in an interactive manner, especially before the completion of the application. In the second phase review, the peer reviewers could accept a previous peer review team's ** for the baseline PRA model but would nam- any previously unresolved issues that were drn==*rt by the previous peer review team(s) to determine whether they are important for the current application. The peer reviewers also examine any changes made to the baseline PRA to determine the acceptability of the change and the reasonableness of the results.

A meeting of the review team would begin with a discussion of the proposed change, to ensure that the team has a good understanding of the proposed change and its implications. The two major functions to be performed by the peer reviewers are to determine if the analyses are acceptable and the results are reasonable. The peer reviewers should substantiate their conclusions. These two peer review functions are applicable for each PRA task and for both of the two review phases.

The first function of the peer review is to examine the inputs, techniques, and analyses for the PRA. In performing the review, attention is given to the completeness and the accuracy of information so that the PRA reflects a realistic picture of the as-built, as-operated plant. The analyses assumptions are based on the use of plant walkdowns, controlled documentation concerning the plant design and operation, involvement of plant staff, and a "freeze date" for the analysis (including any updates). The peer review would examine the analyses inputs to determine that the sources of data are justifiable and traceable.

The second function of the peer review is to verify that the results of the study are reasonable. The peer reviewers compare the results against studies from similar plants. Major differences are identified and r=M~d. Selected portions of the study, especially those with significant impact on the conclusions of the study, are selected for b '-7= %t re-evaluation.

The comments generated by the peer reviewer would be documented and specific recommendations highlighted. The utility response, including their commitments regarding potential modifications to the analyses, would also be documented for future reviews.

The following provides a summary discussion on the major inputs and outputs to the baseline PRA tasks that are examined by the peer review team. The level of detail for the review should be commensurate with the scope of the applications. A list of example issues and considerations for evaluating the risk impact of the proposed changes on a Level 1 internal event PRA is provided in Table B.1.


Table B.1 Example of issues and considerations for risk impact evaluation of pr

Level 1 (Internal Event PRA)

Initiating Events

  • Does the application introduce potential for new initiating events?
  • Does the application address changes that lead to a modification of the initiat
  • Does the application necessitate a reassessment of the frequencies of the initia

Success Criteria

  • Does the application necessitate modification of the success criteria eithe

Event Trees

  • Does the application ===nense the introduction of new branches or top events to adequately addressed in event trees?
  • Does the application affect the spJ,..wy among the event tree branches ther branch points?

System or Component Reliability Models

  • Does the application impact syste a by the current simplified models?
  • Does the application impact the support functions to systems and components dependency in the models?

PRA Data

  • Does the application change the conditions and environment under which systems an demanded such that the current failure rates may need to be changed?
  • Does the application change the failure rates such that the previous plant sp
  • Does the application change the data such that it may require additional test a

Dependent Failure Analysis

  • Does the application introduce the potential for new common-cause failures (CCFs)?
  • Could the application change the CCF component groups already modeled in the PRA
  • Could the application affect the CCF probabilities? How is this addressed?

Human Reliability Analysis

  • Does the application involve procedure changes?
  • Could the application introduce new human error potentials?
  • Does the application change the available time for human actions?
  • Does the application affect the recovery actions?

Level 1 Modeling

The insas'ac, he examined for the overall examination are discussed first. The documentation tha to the review team is discussed in Chapter 3 of DG-1061* and throughout various chapters in th for review for the overall examination are:

  • The initiating events included in the PRA are reviewed to assess the completeness of the to assess whether the basis for excluding any initiators is adequate, to check for new initiators in the proposed change(s), and to determine the reasonableness of the initiator frequencies. The reviewers consider whether the success criteria for each initiator is reasonable, check the proposed changes in these criteria, and determine if there is an adequate basis for any s is not typical for the type of plant being reviewed.
  • The accident sequence models are examined to determine whether the plant response to the initiators appropriately accounted for in the event trees.
  • The modeling of systems is reviewed to determine whether the failures considered are comprehensi Operability during accident and harsh environments (e.g., trip points for reactor core isolatio would be considered as well as the completeness of the failure modes (e.g., failure to start, run), including common-cause failures and human errors.
  • The system dependency matrix is reviewed to assess whether dependencies are appropriately considered the PRA.
  • The operator actions that are included in the PRA, the failure probabilities for the actions, and th excluding actions from the analysis are reviewed to determine the completeness of the analysis an reasonableness of the probabilities estimated for each operator action (in the baseline and post change
  • While the peer review is not av1=reat to provide a detailed review of all failure frequencies/probab in the PRA, the methods used for determining the failure frequencies/probabilities (including common-cause treatment) are examined. The adequacy of data sources is also assessed together with the failure frequencies/probabilities (including common-cause values), and the associated uncertainties.
  • The adequacy of the quantification method, including the screening criteria, cutset truncation level, a of recovery actions are addressed.
  • The .S. .Ly.. .; of plant operating states (POS) and the calculated fraction of time in each POS is review if the PRA includes a low power/shutdown evaluation.

* USNRC, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," Draft Regulatory Guide DG-1061, February 1997.

  • If a fire analysis is included in the PRA, the following are examined:
      - development of fire areas/zones, including the basis for screening,
      - adequacy of cable tracing, including adequacy of justification provided by utility for an traced,
      - adequacy of damage modes considered in the analysis,
      - adequacy of fire propagation analysis, including treatment of fire suppression and ba probabilities, and
      - adequacy of HRA models.
  • If a seismic analysis is included in the PRA, the adequacy of the seismic hazard curve are reviewed. The reviewers also examine the approach used to calculate component fragilities and t fragilities for reasonableness.

To supplement the items listed above, the independent Txt reviewers also perform detailed accident sequence models (e.g., event trees), systems models (e.g., fault trees), and the ass reviewers are also si - =- to spot check the documentation of plant walkdowns (done for any oper for internal or external events).

Level 2/3 Modeling

The review needed for the level 2/3 analysis will depend on the approach used by the licensee to use the simplified approach described in Appendix B of DG-1061, then the review will only approach used to map the Level 1 results into the simplified event trees (unless Se 1061 Appendix B partitioning factors to be inadequate). If a full level 2/3 analysis is psi need to evaluate the adequacy of the level 2/3 analyses relative to the attributes described in th

If the simplified level 2/3 treatment is used, the following would be checked:

  • Examine the criteria used to group the level 1 cutsets into categories for calculating the system response branches in the simplified event trees to assess whether or no appropriately ch-w M for the Level 2 results.
  • Review the approach used to calculate the split fractions to ensure they are calculate the *w split fractions to determine whether they appear reasonable.

If a full level 2/3 analysis is performed, the following would be checked against the attributes

  • Examine the criteria used to group the level 1 cutsets into appropriate plant damage states.
  • The event trees (or equivalent system models) are reviewed to determine whether t accident phenomena is comprehensive for the plant under consideration. The phenomena are reviewed, including the basis for probabilities, to determine attributes provided in this report.
  • The containment failure modes and the associated probabilities are reviewed to

  • The source term and wv.s modeling and inputs are reviewed to determine whether they are consistent with the attributes provided in this document.
  • The process used to bin results for the level 2/3 analysis are checked (e.g., plant damage states, accident progression bins, or source term groups) to ensure that the grouping maintains the separate effects of the key factors affecting the results. The actual "W of the binning are examined for selected cases to determine whether the calculations were performed correctly.

Review of PRA Results

In addition to reviewing the inputs to the PRA, the peer review team would also provide an independent evaluation of the sensibility of the results. The review would focus on the appropriateness of the identified dominant accident sequences, and when a full Level 2/3 analysis is performed, the containment failure modes, releases and consequences. The review would also consider whether the aspects of the plant design, operation, and maintenance that are found to contribute most to risk in the PRA are reasonable. The results examined are:

  • The top cutsets are scanned, looking for unreasonable combinations of events.
  • The sequence level contributions to CDF calculated before and after crediting recovery actions are scanned for reasonableness.
  • The total plant CDF (including uncertainty) calculated before and after the proposed change are assessed for reasonableness.
  • The frequencies for the early containment failure and containment bypass are reviewed for reasonableness if the utility is performing a simplified level 2 analysis. The frequencies of accident progression pathways as grouped for source term C-% the frequencies and magnitudes of source terms, the individual early and latent fatality frequencies, and the uncertainty characterizations for these ihq---M= are assessed for reasonableness if the utility is performing a full level 2/3 PRA.

B.4 Documentation of Findings

The documentation should include descriptions of the peer review process and findings and the utility responses to the peer review findings. For the peer review of a baseline PRA, the adequacy of the individual PRA tasks as compared to the attributes of an acceptable PRA should be documented. Any weaknesses of the PRA should be clearly identified. For a particular application of the PRA, the appropriateness of the PRA manipulation should be documented especially with regards to identified weaknesses in the baseline PRA. The documentation of findings should be included with the submittal of the proposed change to the NRC.


GLOSSARY

Accident analysis - steps taken by a PRA analyst to model and qua response, and public risk attributable to a specific accident or class of acciden

Accident conditions - environmental or operational conditions occurri d in the course of plant operation but are postulated for design or analysis purposes

Accident initiators - initiating events that can 9%r plant systems and components

Accident progression analysis - modeling of that part of the accident damage, including containment response to severe accident conditions performance (also referred to as a Level 2 PRA)

Accident sequence analysis - the process of determining the combinations system failures and s== that may lead to core damage (also referred to

As-built, as operated - a phrase used to refer to the conformity of the PRA design conditions at the nuclear plant

Availability - the probability that a system or component will functio dability) a randomly occurring initiating event or systerhst challenge (unavailability is

Best estimate - the point estimate of a parameter used in a computa optimism

Burden - in human reliability analysis, any of the factors that Mag to decisions affect op time constraints (short available time), diagnosis constraints (confusing indications), te), (competing resources), command and control WM ar= (remoteness and physiological factors (hostile environment)

Common cause event - a ed=v of dependent events in which two or time, or within a short time interval, and are the direct result of a shared cause

Common cause failure - a single event that adversely affects two or more

Component - an element of plant hardware designed to provide a pam a wt is at the lowest level of detail in the representation of plant hardware

Conditional containment failure probability - the Eb3hwi nd as a probability, that the containment will fail, given that core damage has occurred

Conditional probability - the conditional probability of event A occ is given as: P(A|B) = P(A∩B)/P(B)

March 7, 1997 (3:12pm)    G-1    Draft NUREG-1602

Containment bypass - an event which opens a flow path that allows the release of r the environment bypassing the containment atmosphere

Containment failure - loss of integrity of the containment pressure boundary (caused which results in leak rates to the environment that exceed the design limits

Containment failure mechanisms - accident conditions that can cause loss of containment in severe accidents include failures resulting from direct containment heating, steam explos hydrogen aaanha aanha.ea=== and shell meltthrough)

Containment failure modes - descriptions used to classify the type of containment failure, such as is bypass failure, and early or late failure

Containment isolation failure - failure to isolate all lines that penetrate the containment (the containment isolation failure includes the frequency of pre-existing unisolable leaks)

Containment performance - a measure of the response of nuclear plant containments to severe a (containment performance is typically represented by the conditional containment failure probability

Core concrete interaction - interaction of molten core material with concrete structures in the anaema a severe accident in which the reactor pressure vessel fails

Core damage - uncovery and heatup of the reactor core as a result of a loss of core cooling to the p prolonged clad oxidation and fuel damage is anticipated

Core damage frequency - the frequency, per reactor year, of an accident leading to core damage

Core melt - severe damage to the reactor fuel and core internal structures following the onset of core damage including the melting and relocation of core materials

Creep rupture - a mechanism of failure resulting from anana== deformation at constant stress; han=tary in contact with components at elevated temperatures, such as steam generator tubes or a steel cont ===wat molten core material

Cutset - minimum combination of a set of events (e.g., initiating event and component failures) that, if they occur, will result in the onset of core damage

Dependency - requirement external to an item and upon which its function depends

Diagnosis - examination and evaluation of data to determine either the condition of a structure, system, or component or the cause of the condition

Dominant contributor - an accident class that has a major impact on the total core damage frequency or a containment failure mechanism having a major impact on the total radionuclide release frequency

Early containment failure - thuure ne an auur.:;, a *f ilxre5= = 'cwhc in :lw ew21 timinc or within a few hours before of the severe accident (typically, early containment failure is defined as contam of reactor vessel breach)

Early release - a radioactive release from the containment tha hin a few hours of vessel breach) and typically before effective implementation of the o s te em

Equipment qualification - requirements the generation during design and matmenaru basis Wdaara dasta the she equipment will operate on demand to meet system p

Event tree - a quantifiable logical network that begins with an accid d progresses through a series of branches that represent possible system performance, human action stable state or an undesirable one, such as core damage or containment failure

Event tree top event - the conditions (system behavior or operability, h mens, or phenomenological events) that are considered at each branch point in an event tree

External event - an event initiated outside the plant systems that can affect the operability of plant systems (examples include earthquakes, tornadoes, and floods and fires from sources outside the plant)

Failure - a state that renders a component incapable of performing established success criteria (the component can fail if it either functions when not required or does not function when required)

Failure analysis - the systematic process of determining and docu causes, and root cause of failure of a component or system

Failure mechanism - any of the processes that result in failure, in physical, thermal, and human factors

Failure mode - manner or state in which a system or componen valves, motor-bearing seizure, excessive leakage, and failure to produce a signal tha d)

Failure rate - the number of failures of an item within the ;-g: W per unit measure of life in such terms as demand or time

Fault tree - a graphical,w 'd=. showing the logical '% among faults; provides a concise and orderly description of the various combinations of possible fault events li ome undesirable event for the system

Fault tree analysis - analysis based on probabilities, h and inatha necessary to cause the babilities. (Fault tree analysis begins with an undesired top event and attempts to iden top event; fault tree analysis contrasts with failure modes and +he e sctsaAer anathisy

Freeze date - the cut off date for the plant model in an individual p date are not included in the model

Frequency - the number of occurrences of an event per unit time

Frontline system - an engineered safety system used to provide core or containment cooling and damage or containment failure (such as emergency core cooling and containment spray systems)

Fuel-coolant interaction - the energetic interaction by direct contact between wat may result in a steam explosion (fuel-coolant interactions may occur either in vessel or ex-vessel.)

Fussell-Vesely importance - the fractional decrease in total core damage frequency when the plant feature (e.g., a component train, or system) is assumed to be perfectly reliable (failure rate = 0.0)

Generic failure rate - failure rates that apply generically to a class of equipment rather than specifically to an individual piece of equipment. (Rates for equipment from a specific vendor or for a specific application may smene values. Generic failure rates, also called "handbook" failure rates useful in preliminary design analysis, prahcaions, and design planning to estimate inherent capability but should not be ,.1.4 to amor component data, if available.)

Harsh environment - an environment expected as a result of the postulated accident conditions appropriate for the design basis or beyond-design basis accidents

High pressure melt ejection - a reactor vessel failure mode that occurs with the reactor coolant system pressure and results in rapid dispersal of molten core material, steam, and hydrogen into the containment it in two ways:
  (1) The high temperature core material may come in contact with the containment liner resulting in lin
  (2) The dispersal of core material and steam into the containment atmosphere may result in direct containment heating and, possibly, b3i7 combustion

Human error probability - a measure of the likelihood that the operator will fail to initiate the correct, required or specified action or response needed to allow the continuous or correct function of an item of equipment

Human reliability analysis - a structured approach used to identify potential human errors and to estimate the probability of those errors using data, models, or expert judgement

Individual plant examination - Generic Letter 88-20 requested U.S. nuclear utilities to perform an evaluation identify any plant specific vulnerabilities to severe accidents. In responding to GL 88-20 most utilities equivalent of a level 2 PRA, and considered accidents initiated by in full power operation

Initiating event - see accident initiators

Internal events - accident initiators originating in a nuclear power plant and, in combination with safety system failures and/or operator errors, leading to core damage accident sequences (see also external events)

Late containment failure - failure of the containment in hours re than a few a time severe accident (typically, late containment failure is defined as containme past reactor vessel breach)

Late release - a radioactive release from the containment that occu and protective reactor vessel breach) and typically after effective implementation of the o a: tim

Level 1 analysis - an i&wir= nan and er=ar#w=t w of the sequence

Level 2 analysis - evaluation of containment response to severe a mechanisms, amounts, and probabilities of subsequent radioactive material

Level 3 analysis - evaluation and quantification of the resulting consequ

Level of detail - different levels of logic modeling used in h contributors PRA. (A address various levels of detail, depending on how much useful information is to ine failure event)

Minor contributor - an accident class that has a minor impact (on the ord frequency or a containment failure mechanism having a minor impact o

Mission time - the time period that a system or component is required to (For example, a mission time of 24 hours implies that containmen order to prevent containment failure from occurring within that period)

Model - an approximate mathematical representation that fsimidate il res as failure rate). (For example, the probability of ia hs>1sem l late <tfailure from theseis synthe more to component failures and human errors. The probability h of system failure s t en ca m eleneremy and better understood failures. These models contain parameters, suc as events, that are not known precisely.)

Modeling assumption - an assumption on which a model is base accepted)

Plant - a general term used to refer to a nuclear power facility (For e unit or a multi-unit site)

Plant damage state - a set of accident sequences from the Level h i1t fanaly ce characteristics relevant to the subsequent progression sie similar. The Plan between the Level 1 and level 2 analysis of a PRA

Probabilistic Risk Assessment/Analysis - of a nuclear power plant, is fh blic. a potential risk associated with the design, operati 3 analysis)

Reactor year - a period of the reactor operation that accounts for the downtime during a c

Recovery action - an operator action intended to bring failed equipment back to operable status

Release class - a set of accident progression sequences grouped together because they lead releases and for which a single representative release calculation can be performed

Release fraction - the fraction of the total inventory of a radionuclide in the reactor core at the start of the wi, which is released to the environment

Reliability - the probability that a component performs its g- --La function and does not fail under given conditions for a prescribed time

Risk - typically, the expected value of the consequences per unit time (n wy,M as fatalities/yr or $/yr); defined more broadly using the "set of triplets" ((s_i, f_i, x_i)). (In the set of triplets, s_i identifies one of sev scenarios, f_i is the frequency of that scenario, and x_i is the consequence of that scenario. The risk is th possible scenarios, their frequencies, and their consequences. This definition distinguishes between lo high consequence scenarios and high-frequency, low consequence scenarios.)

Risk-informed regulation - a regulation whose decisionmaking criteria integrate probabilistic and conven deterministic evaluations

Scope - refers to the extent of initiating events considered in a PRA. A full-scope PRA usually includ initiated by internal and external events during full power and low power & shutdown conditions. T be distinguished from the PRA Level, which defines the extent of the analysis (refer to level 1 analy analysis and level 3 analysis).

Sensitivity analysis - an analysis in which one or more input parameters to a model are varied in order t their effects on the model predictions

Severe accident - an accident that goes beyond the design-basis of the plant and usually involves extensive co damage

State-of-the-art in PRA - a PRA that reflects the latest imym in PRA modeling and evaluation

Station blackout - an accident sequence initiated by loss of all offsite power with failure of onsite emergency power (diesel generators), and failure of timely recovery of offsite power and onsite emergency AC power

Success criteria - the systesnsk =;+--e and their combinations that are needed to carry out their mission given an accident initiator

Support system - a system that provides a support function (e.g., electric power, control power, and c another system (For example HVAC is often considered as a support system.)

Unavailability - see availability

Uncertainty analysis - the quantification of the imprecision in the PRA formulated PRA models and imprecisely known input variables

Unit - refers to a single nuclear power reactor with its s@W systems and sites have either one or more units. At multi-unit sites, some support systems ca

Vessel breach - refers to the 4;,,, ein,,,,,,2,v pressure vessel (RPV), kedr, and release of the radioactive material from the RPV

}}