ML20045F573

From kanterella

Latest revision as of 11:11, 19 December 2024

Draft Vol Five, Regulatory Review Group Risk Technology Application
ML20045F573
Person / Time
Issue date: 05/06/1993
From: NRC - Regulatory Review Group
To:
References: NUDOCS 9307080062
Download: ML20045F573 (62)


Text


Regulatory Review Group, PRA Subgroup Public Meeting, May 6, 1993

SUPPLEMENTARY INFORMATION. The attached document is the Supplementary Information described in the April 6, 1993 announcement for a May 6 Public Meeting. This meeting is to solicit public comments solely on this attached document.

The meeting room has been moved to IF7/9; sign-in will not be required.

For further information, please contact M.T. Drouin at (301) 491-3917, Fax (301) 443-7836.

Notification of attendance is appreciated so that adequate space is assured.


DRAFT

Volume Five

REGULATORY REVIEW GROUP RISK TECHNOLOGY APPLICATION

U.S. Nuclear Regulatory Commission

TABLE OF CONTENTS

Section                                                        Page

EXECUTIVE SUMMARY ........................................... 1
5.1 INTRODUCTION ............................................ 5
5.2 PRA SUMMARY ............................................ 11
  5.2.1 PRA Elements ........................................ 11
  5.2.2 PRA Scope and Level of Detail ....................... 12
  5.2.3 PRA Limitations ..................................... 17
  5.2.4 PRA Results ......................................... 18
5.3 PRA APPLICATIONS ....................................... 20
5.4 PRA APPLICATION FOR GRADED QA IMPLEMENTATION ........... 22
  5.4.1 Importance Definition ............................... 22
  5.4.2 Importance Classification ........................... 23
  5.4.3 Graded QA Requirements .............................. 27
  5.4.4 PRA Criteria ........................................ 28
  5.4.5 Other Graded Type Applications ...................... 30
5.5 PRA APPLICATION FOR CONFIGURATION ANALYSIS ............. 32
  5.5.1 Configuration Application Regarding AOTs ............ 32
  5.5.2 Configuration Application Regarding STIs ............ 34
  5.5.3 PRA Criteria ........................................ 35
5.6 PRA APPLICATION FOR ON-LINE CONFIGURATION CONTROL ...... 37
5.7 RELATIVE IMPORTANCE OF REGULATIONS ..................... 38
  5.7.1 Work Requirements ................................... 38
  5.7.2 Technical Approach .................................. 38
  5.7.3 Elicitation ......................................... 39
  5.7.4 Results ............................................. 39
  5.7.5 Conclusions and Recommendations ..................... 39
5.8 FOREIGN INSIGHTS ....................................... 40
5.9 CONCLUSIONS ............................................ 41
  5.9.1 NRC-Sponsored Programs .............................. 41
    5.9.1.1 AEOD-Sponsored Programs ......................... 43
    5.9.1.2 NRR-Sponsored Programs .......................... 44
    5.9.1.3 RES-Sponsored Programs .......................... 45
  5.9.2 Recommendations ..................................... 52

LIST OF FIGURES

Figure                                                         Page

5.4-1 Generic Classification of Q List SSCs ................. 24
5.4-2 Plant-Specific Classification of Q List SSCs .......... 26
5.4-3 Classification of Q List Parts ........................ 27
5.4-4 Graded Approach Process ............................... 31
5.5-1 Comparison of Core Damage Probability of Continued Operation versus Shutdown ... 34

LIST OF TABLES

Table                                                          Page

5.2-1 Example of Plant Systems Versus PRA Modeled Systems ... 14
5.9-1 Summary of Staff PRA/PSA Uses ......................... 42
5.9-2 Summary of NRC-Sponsored PRA/PSA Programs ............. 53

EXECUTIVE SUMMARY

The current state of the art in probabilistic risk technology was examined to determine under what circumstances information, either qualitative or quantitative, gleaned from probabilistic analysis methods could be used in the regulatory process. Risk analysis methods provide an integral tool that can help ensure coherence and consistency in the regulatory process, and provide a means of converting diverse deterministic requirements to performance-based requirements that give equivalent protection to public health and safety while offering increased flexibility to licensees, provided the risk-based criteria are met.

In this process we first assessed the current state of the art in probabilistic assessment methods and explored the strengths and weaknesses associated with the current situation, considering how the many strengths of these methods could be exploited while minimizing the significance of those weaknesses which still remain in the application of risk-based methods in regulation.

We also surveyed the work in progress under NRC sponsorship devoted to the research, development, and application of risk-based methods to aid the regulatory process. NRC has had an active program investigating the use of PRA methods in regulatory practice since 1983, and much (but not all) of the work done by others in this area in the U.S. draws heavily on this research. The more important elements relative to the use of risk-based techniques in regulation are described in Section 5.9.1.

A number of papers sponsored by the regulated industry which dealt with the potential use of risk-based techniques in regulation have been published in the literature. We have become aware of the contents of these papers and held informal discussions with several of the authors. Broad-based industry research on the use of probabilistic methods for regulatory purposes, as reflected in the literature, is fairly recent, but several utilities have had long-term ongoing programs on the use of risk methods to improve operations. These could be extended to the regulatory environment.

Further, we have reviewed the international literature addressing the potential for risk-based regulations, particularly the information contained in reports and workshops sponsored by OECD/CSNI Principal Working Group 5. Because of their current substantial efforts in this regard, we have also held detailed discussions with utility and/or regulatory authorities in Mexico and the United Kingdom to gain the benefit of their experience.

Based on the above, we have examined the various ways that risk-based techniques can be used in the regulatory process and believe they can be characterized into three general classes, each having similar requirements in terms of the boundary conditions and assumptions used in the analysis, as well as similar requirements in terms of the depth and breadth of the review that would be required by the NRC staff if such an application were to be implemented.


These categories consist of the following:

Limited reliance on quantitative plant-specific PRA results. This category of risk-related regulatory actions would utilize the risk analyses to separate the "chaff" from the "wheat", that is, to distinguish the potentially important components and systems from those found unimportant from a risk perspective, relying on both plant-specific studies and on compilations of the results of risk-based studies on similar plants.

This type of usage could be based on the type of PRA modeling effort which is common in responses to the IPE Generic Letter 88-20, and the type of review currently being applied to IPE submittals would likely suffice. Generic failure rate data could generally be employed, and frequent updates of the PRA studies would not generally be required.

Performance-based responses to the Maintenance Rule and risk-based approaches to graded quality assurance are possible examples of potential usage.

Reliance on plant-specific quantitative results in selected areas. Efforts of this type would require careful attention to the PRA methods and analyses in selected areas, but would not involve close scrutiny of the entire plant risk analysis. It could be used to improve regulatory flexibility for a given component, or applied broadly to selected portions of the plant at the train level, without examining the detailed modeling at lower levels in the analytical trees.

This type of application would also generally require average PRA modeling. Generic failure data would be sufficient in most instances, but it would need to be augmented with plant-specific data in those selected areas where heavy reliance was placed on the plant-specific results. For greater than one-time use, the PRA would have to be modified as necessary to reflect any changes in the current plant design and operational practices. This would likely require updating at least each refueling outage.

Examples of this category would include optimization of selected Technical Specifications, evaluations of "unreviewed safety questions" under 10 CFR 50.59, and use of pre-calculated configuration management analyses to support extension of allowed outage times under certain circumstances.

Primary reliance on overall quantitative results. In this category, regulatory decisions would be based almost exclusively on the numerical results. It would require a very comprehensive analytical effort, since in this type of application apparently minor changes in assumptions or boundary conditions may significantly affect regulatory decisions.


In our opinion, such application would require a level of detail that either stretches or exceeds the current state of the art. It would require a comprehensive plant-specific data analysis, and would require that the PRA be reviewed at a depth equivalent to that afforded to an FSAR in the course of a Part 50 operating license review.

An example of this type of usage would be the development of risk-based technical specifications requiring on-line updating of PRA models.

In the discussion which follows, for each example in each class discussed above, we have developed candidate requirements for the boundary conditions and assumptions used in the analyses. These should be regarded as candidate regulatory positions and can serve as a jumping off point for detailed discussions with the public and the regulated industry.

Beyond the more specific and technical results of our study, we have also reached some more general conclusions regarding the nature of the regulatory environment needed to introduce the use of risk-based analyses in a broad fashion.

We believe the current state of development and utilization of probabilistic techniques in the industry can support use of risk-based regulatory approaches at the present time.

Several utilities have ongoing programs using risk methods and "living" probabilistic analyses to improve operations and maintain plant safety and efficiency that could be extended to the regulatory environment if the individual utilities so proposed and the NRC staff were receptive to such proposals. We recommend that the Commission indicate its willingness to entertain proposals in this regard which could lead to increased licensee flexibility while maintaining or improving the safety envelope.

The development by NRC of methods for optimizing Technical Specifications using risk-based techniques is nearing completion and, with publication of a handbook early in CY 1994, will provide a technical basis for judging the acceptability of risk-based approaches proposed by licensees. Consideration should be given to publishing this handbook as a regulatory document, perhaps as a Regulatory Guide. Alternatively, this handbook could serve as the point of departure for discussions between the NRC staff and the industry leading to industry-proposed guidance, suitably endorsed by NRC. Use of these methods or similar techniques in a pilot program can be initiated in the near future if there is industry interest in such an application.

NRC programs and interests on the development and implementation of risk-based methods in regulation currently span multiple offices and organizations. An integral agency plan covering the research, development, implementation and use of risk-based techniques in regulation would be helpful in maintaining a consistency of approach throughout the agency and in allocating scarce resources. This plan would also assist in the efficient use of the limited number of NRC staff with expertise in quantitative risk assessment.


In this regard, if the agency is to proceed rapidly to a transition to risk-based regulatory practices, a senior-level "advocate" is needed in the implementing office who can facilitate interfaces between offices, and who can act as a single point of contact with the industry on such matters.

As detailed in this report, possible risk-based regulatory approaches span a continuum from modest applications of conventional probabilistic methods to techniques for risk-based configuration control on a real-time basis. They represent an increasingly valuable complement to our present regulatory structure. In the discussions below, we have provided our preliminary estimate of the requirements of analysis and review which would be associated with broad categories of such usage. The required resource commitments for both the licensee and NRC are likely to increase as more complex approaches are investigated; however, these more comprehensive approaches will also offer the most flexibility to the licensee while maintaining the safety envelope. We recommend a reasoned approach to the transition to the more risk-based approaches, testing benefits gained versus costs of implementation in pilot programs before proceeding to complete implementation industry-wide. As indicated above, we believe certain risk-based approaches can be implemented now, while others will be suitable for trial investigation in the near future. We suggest we exploit the usages that are compatible with the current strengths and limitations of risk methods. Full transition to a completely risk-based regulatory structure, which may require real-time updating of PRA models, will be difficult to accomplish in the near future given the constraints of the current state of the art and the availability of both generic and plant-specific failure data.


5.1 INTRODUCTION

In 1975, the U.S. Nuclear Regulatory Commission completed the first quantitative study of the probabilities and consequences of severe reactor accidents in commercial nuclear power plants, the Reactor Safety Study, published as WASH-1400. This work for the first time used the techniques of probabilistic risk analysis (PRA) for the study of severe core damage accidents in two commercial nuclear power reactors. The product of probability and consequence, a measure of the risk associated with severe accidents, was estimated to be low relative to other man-made and naturally occurring risks for the two plants analyzed.

Following the completion of WASH-1400, and similar efforts conducted in parallel in other countries (most notably, Phase A of the German Risk Study), research efforts were initiated to develop advanced methods for assessing accident frequencies, improved means for collecting and analyzing operational plant data were put in place, methods were initiated to improve the ability to quantify the effects of human errors, and studies to better predict the nature and effect of common cause failures were begun. Further, limited research was begun on those key severe accident physical processes identified in the Reactor Safety Study.

The 1979 accident at Three Mile Island substantially changed the character of the analysis of severe accidents world-wide.

Based, at least in part, on the comments and recommendations of the major investigations of that accident, a substantial research program on severe accident phenomenology was planned and initiated with international sponsorship.

This program has been the subject of many reviews and comments, and included both experimental and analytical studies. It was also recommended in the various Three Mile Island investigation reports that probabilistic risk analysis techniques be used to complement the traditional non-probabilistic methods of analyzing nuclear plant safety.

A large number of nuclear power plants have been or are being analyzed using probabilistic techniques throughout the world. Individual plant examinations (IPEs) are being or have been performed on all U.S. plants. At the present time, most nuclear power plants have been or are being analyzed to identify potential vulnerabilities and to determine the frequency of severe accidents. Important insights are being gained relative to the actions that might be taken to maintain or improve the plant safety envelope while providing increased flexibility to the plant operator.

In 1984, a study was performed by the U.S. Nuclear Regulatory Commission to evaluate the state of the art in risk analysis techniques, and a summary of PRA perspectives was published (NUREG-1050, Probabilistic Risk Assessment (PRA) Reference Document).

Before commenting on the proper usage of PRA analyses at present, we shall revisit the general conclusions of that document relative to the current state of the art, recognizing both the strengths and weaknesses in the technology at present.

In the area of systems modeling, much of the basic methodology remains unchanged from that of the Reactor Safety Study. However, there is now a wealth of experience in applying these methods, and improved computer codes now permit the efficient handling of the more complex models required to analyze the effects of fires and external events such as earthquakes. Much, if not all, of the analysis of internal events can now be performed on personal computers, substantially reducing the cost and improving the efficiency of studies performed today. Techniques are available to calculate importance measures of plant systems and components from a variety of viewpoints, in a form amenable for use in determining the relative importance of systems and components to plant safety. The decision of the detail to which systems are modeled, however, is generally left to the judgement of the analyst, usually based on a perception of what may be important relative to other components or subsystems.

Little guidance is available in the literature in this regard. Thus, before the results can be used in a regulatory application, the boundary conditions and assumptions used in the analysis must be examined to ensure they are appropriate to the specific usage envisioned.

Considerable data have been acquired on initiating event frequencies and component reliability, although these data may vary somewhat from plant to plant. Thus, while a comprehensive plant-specific analysis is within current capabilities, it sometimes is not performed because of the costs and resource allocations required. Before a current probabilistic analysis is relied upon to support plant-specific regulatory initiatives, therefore, the degree to which the PRA analysis is also plant-specific may need to be ascertained. As discussed in the sections which follow, generic data may well suffice when using the PRA as a coarse screening device to separate the important from the unimportant, but plant-specific data may be needed for more complex usages.

Detailed methods have been developed for evaluating the significance of dependent failures, which address not only the quantitative aspects of the analysis but, more importantly, the qualitative knowledge gained which can help prevent their occurrence. At the present time, we are limited more by the lack of readily accessible root cause data on dependent failures from operating and maintenance logs than by the methods for analyzing the data. (The raw data are generally available to the plant owner/operator, but in many cases they are not in readily usable form for the PRA analyst or the regulator.) Guidance on acceptable ways of analyzing the raw data for dependent failures has been developed jointly by EPRI and NRC.

In contrast, methods for evaluating the reliability of solid-state control and protection devices are not yet available for routine application, particularly with respect to the adequacy of the software associated with the solid-state device. Information is available from the aerospace and defense industries in this regard, and this information, when coupled with research efforts currently underway, should do much to improve the situation. However, at the present time, quantitative results from the analysis of software-driven solid-state devices should be viewed with considerable caution.

In the area of human interactions, improved methods are available and additional data have been acquired that permit a more detailed analysis of the likelihood of failing to follow procedures for a number of situations. The state of the art is still relatively weak in the ability to address cognitive and comprehension errors, or to consider the pervasive effect of a poor safety attitude at a plant. Substantial work is underway in these areas in many countries, and some improvements are expected in the future. However, at the present time, the use of PRA information in a regulatory framework will be enhanced if such applications are structured so that they minimize the influence of the uncertainties inherent in the human error probabilities. Even when human errors are treated in a relative manner, however, care must be taken to ensure that dependencies and boundary condition changes are properly considered.

As identified above, a detailed and comprehensive research program is directed to those elements necessary to reach regulatory closure on severe accident issues. The most recent assessment of the uncertainties in these portions of the analyses was contained in the USNRC-sponsored NUREG-1150, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, which considered uncertainties associated with both input parameters and modeling. While, in general, the central estimates (means, medians) of the distributions associated with the releases of the various radionuclides to the environment in NUREG-1150 are lower in magnitude than those predicted in earlier studies such as WASH-1400, the uncertainty range remains large. In the area of consequence analysis, models have been substantially improved, and many sensitivity analyses are now available.

However, comprehensive uncertainty analyses of the models are only now being performed.

Thus, to the extent possible, the use of probabilistic information in developing performance-based criteria may be more appropriate and robust when applied to the potential for severe core damage or to system availability under given conditions, rather than to public risk. The inherent uncertainties in assessments of individual or societal risk make analyses of such parameters more amenable to comparisons with goals than to determination of compliance with criteria.

The ability to analyze the effect of fires, floods, and other external events has improved substantially. Major limitations still exist relative to the ability to estimate recurrence frequency for very rare catastrophic events (such as great earthquakes), and it does not appear that the uncertainties associated with such estimations will be narrowed substantially in the near future. Similarly, some of the subtle effects associated with certain other external events will require more study before they can be quantified without considerable uncertainty (e.g., effects of smoke and soot during fires). These factors may limit the use of probabilistic-type approaches in these areas of regulation unless consideration is given to the impact of the uncertainties involved on the regulatory decision-making process.

The ability to perform comprehensive uncertainty analyses, including consideration of both modeling uncertainties as well as those associated with input parameters, has improved greatly. The most detailed study of this type is included in NUREG-1150. However, that method relies heavily on expert elicitation and is extremely resource intensive and time consuming. Improved, more efficient methods are needed if such analyses are to be used in regulatory decision-making. Alternately, means must be devised to utilize risk insights in a manner consistent with a somewhat limited overall assessment of uncertainties.

Given these strengths and weaknesses, how can probabilistic results be utilized?

A comprehensive discussion appears in Probabilistic Safety Assessment in Nuclear Power Plant Management, edited by N. J. Halloway and sponsored and published by Principal Working Group 5 (Risk Assessment), OECD/NEA. It evaluates the value of PRA as an increasingly valuable complement to general engineering analysis for assessing and managing the safety-related operations of a nuclear power plant. The report draws the following conclusions:

The application of PRA provides plant management with a general systems engineering tool which generates insights not readily available from the traditional deterministic safety and licensing analyses. While some of these insights derive from probabilistic evaluation, the majority do not, but simply arise from the systematic yet unprejudiced nature of the PRA procedures. Some of the most important new insights have been derived from the integrated model of plant system behavior and operator actions which PRA can create.

The existence of a PRA capability within a plant operator's organization provides for a logical framework of regulatory discussion and negotiation to be created. Furthermore, this framework is plant-specific, and can thus be used for plant-specific evaluation and more logical resolution of generic safety issues.

The benefits derived by plant operators are generally greatest when there is a full commitment to development and maintenance of an internal PRA capability, with minimal dependence on outside experts except for an initial technology transfer phase. Although such commitments are quite expensive, those who have undertaken them are generally of the opinion that the benefits more than compensate.

The application of PRA to an existing plant has always resulted in the identification of effective ways of achieving plant safety, and has thus contributed to the overall effectiveness of plant operation.

Therefore, the report comes to the conclusion that the implementation of PRA as an aid to nuclear power plant safety management is directly beneficial to those implementing it in support of their plant designs or operations, and to all those concerned to ensure nuclear plant safety.

It is in this vein that the NRC has initiated the IPE process, in which each licensee is requested to conduct plant-specific risk-based searches for vulnerabilities.


Probabilistic analysis techniques also are of interest to the regulator in a variety of ways, and most of the comments addressed to utility use in the OECD/NEA report referenced above are applicable in this venue as well. These techniques provide a unique perspective that permits an independent consideration of the body of regulatory requirements to ensure that potentially risk-significant factors are properly considered and that regulatory resources are not needlessly expended on unimportant matters by either the regulated or the regulator. They can be used to identify those systems, trains, and components that are important to maintaining the likelihood of severe core damage at a low value, and, conversely, can also identify those items that have little influence on the likelihood of an accident. However, such analyses must be done with a clear appreciation for the strengths and weaknesses discussed above. A detailed understanding of the messages gained from operational data must also be considered, particularly in those areas where we know the PRA methods are still not mature, such as operator cognitive and comprehension errors. Even here, however, the probabilistic techniques can be used to gain valuable insights through sensitivity and uncertainty analyses, and by examining relative comparisons which recognize the limitations and are performed conditional on the response of the items which are still developmental.

The results of PRA studies, including detailed uncertainty analyses, provide information useful in prioritizing the expenditure of resources for plant evaluations and future safety research.

The models generated in a probabilistic study are useful in evaluating the significance of both plant-specific and generic issues. They are also useful when developing strategies to react to or manage a severe accident as it occurs. As before, this must be done with an appreciation of the boundary conditions and assumptions used in the original analyses. While items found risk-significant might warrant further analysis or regulatory attention, this will depend on the specifics of the situation, the degree to which existing regulatory instruments are met, and the potential for approaching or exceeding any safety goals which might be established. Similarly, items cannot be dismissed on the basis of low risk until it is clear the analysis is sufficiently robust in the area of interest and that it adequately supports the decision.

In summary, the strongest insights gained from a probabilistic analysis derive from (1) the integrated and comprehensive examination that analyses of these types entail, (2) the attention devoted to interactions between systems, the operating staff and the plant systems, and (3) the structured examination of operating experience. In general, those insights and importance rankings developed from the analysis of a system, or from analyses of groups of systems to assess the frequency of severe core damage, are more robust than those which require an evaluation of overall risk, since the analyses are simpler and the uncertainties involved are not as broad. The weakest insights are those that derive primarily from the quantitative rankings alone, without considering the meaning of the results in an engineering context.

While the quantitative results are important, they should be considered as most useful for a screening of the results to identify important accident sequences and plant features, and to give an indication of areas with relatively little or relatively high importance in a probabilistic context.


Probabilistic analysis presents an additional tool, an additional source of information which can be used to focus regulatory decision-making in many areas, identifying features most important to plant safety. Used properly, with recognition of its limitations and proper attention to the scope, boundary conditions, and assumptions of the analysis, it can be used to exploit the flexibility presently existing within the regulatory environment to improve plant safety while reducing undue regulatory burden. It can also be used to suggest areas where performance-based regulatory practices can be employed in the future. Techniques are now being developed and employed to improve plant configuration control and to optimize the required plant response to equipment outages or mode changes.

Recognizing these strengths and weaknesses, we have developed a set of general guidelines regarding the constraints we feel are needed on the boundary conditions and assumptions of a probabilistic analysis used to support various types of regulatory initiatives. These are presented in Sections 5.3 through 5.7.

5.2 PRA SUMMARY

In utilizing a probabilistic risk assessment (PRA) type analysis to provide additional flexibility in the regulations and their implementation, it is necessary to understand the purpose, limitations and type of results associated with this type of analysis.

A PRA of a nuclear power plant is an analytical process that quantifies the potential danger of the design, operation and maintenance of the plant to the health and safety of the public.

The danger or hazard that has been identified as posing the greatest risk to the public is the consequences associated with possible core melt accidents. Therefore, in the calculation of the risk, those events that could potentially lead to a core melt and a release of fission products are identified and their probability quantified.

A PRA can be performed to different levels. The first phase of a PRA, called a Level 1 PRA, involves the calculation of the potential core damage frequency. The second phase, a Level 2 PRA, calculates the frequency of the core damage progressing to a core melt and the release of fission products to the environment. The last phase, a Level 3 PRA, calculates the consequences of the fission product releases to the environment.

Each PRA level consists of numerous elements of which several are critical when considering various applications of the PRA. That is, the attributes of each element in the PRA will dictate the ability of the PRA to be utilized beyond its original purpose (for example, the original purpose might be an Individual Plant Examination (IPE)). Only those attributes associated with a Level 1 PRA are discussed since the applications under consideration generally involve the Level 1 portion of the PRA. Ultimately, some expansion will be needed to consider engineered safety features with mitigative functions.

5.2.1 PRA Elements

A Level 1 PRA is comprised of three essential elements as follows:

The delineation of those events that, if not prevented, could result in a core damage state and the potential release of fission products.

The development of the models representing the core damage events.

The quantification of the models in the estimation of the core damage frequency.

The first element of a Level 1 PRA delineates those events that, if not prevented, could result in a core damage state and the potential release of radionuclide fission products. This process, generally referred to as the Accident Sequence Analysis, is typically divided into two parts: identification of the initiating events, and development of the potential core damage accident sequences associated with the initiating events.

The initiating events generally modeled in current PRAs include loss-of-coolant accidents (LOCAs), balance-of-plant (BOP) transients, and non-BOP transients. Event trees are developed for each of these initiators which delineate the core damage accident sequences that could potentially occur. The accident sequences are comprised of those sequences of events (i.e., success and failure of the functions and systems) that, if they occur, will result in core damage. The initiating events and accident sequences, therefore, identify the various systems for which a mathematical (i.e., Boolean algebra) model is required.

The boolean models are developed in the second element of a Level 1 PRA. These models depict the different failure paths associated with each system in determining the system's unavailability and unreliability.

Two different types of fault trees are generally used to model a system's potential performance. The "large fault tree" concept involves developing a single fault tree that models each of the different failure configurations of a system. House events are modeled in the fault trees which are used to activate each configuration. The "support state fault tree" concept involves developing a separate fault tree for each different failure configuration (or support state). Each support state fault tree is, therefore, comprised of independent events.

The third element of a Level 1 PRA estimates the plant's core damage frequency. This estimation is performed by first quantifying the failure probabilities and unavailabilities of the various SSCs, and quantifying the human error probabilities (HEPs) associated with the various operator actions. The frequency for each event tree core damage accident sequence is then quantified by integrating the failure probabilities (i.e., event data) of the SSCs and the HEPs into the boolean models. These frequencies are summed to yield the overall core damage frequency of the plant. This value represents the average core damage frequency associated with the design, operation and maintenance of the analyzed plant.

5.2.2 PRA Scope and Level of Detail

PRAs examine the consequences of events that involve a reactor scram¹ or forced shutdown with the need for subsequent core heat removal. These events can occur at different reactor operating states, from full to low power and various shutdown modes.

The core damage frequency is estimated based on either internal events or external events or both. An internal events analysis considers only equipment failures internal to the component when examining the potential failure of SSCs. Internal flooding is, however, considered part of the internal events analysis for the purpose of this discussion. External event analysis involves the examination of the effects of fire, earthquakes, high winds, flooding, etc.

1. The resulting reactor scram is an "immediate" occurrence. That is, inoperability of a system that requires the plant to go to shutdown conditions after, for example, 8 hours, would not be considered an initiator.

Initiating Event Analysis -

The initiating events are generally incorporated in the current PRA models by a single event which represents the average annual frequency of the event. A Boolean model explicitly depicting the various systems and components contributing to the initiator occurrence is generally not developed and incorporated into the PRA model.

The initiating events generally modeled in current PRAs include loss-of-coolant accidents (LOCAs), transients associated with balance-of-plant (BOP) systems such as loss of feedwater, and transients associated with non-BOP systems such as loss of a vital AC bus.

Event Tree (Accident Sequence) Analysis -

The accident sequences are generally depicted at the functional or systemic level of detail. The selected functions or systems are dependent on the scope of the success criteria analysis.

Generally, in most PRAs, the core is assumed to be in a safe condition when the consequences of the radionuclide releases from the damaged fuel would be negligible. Typically, this state is assumed to be prevented if reactor water level is not allowed to decrease below 2 feet above the bottom of the active fuel for BWRs and below the top of the active fuel for PWRs.² The plant-specific functions and systems modeled in a PRA are, therefore, limited to those supporting this defined state.

An example of the number of plant systems as compared to those modeled in a PRA is shown in Table 5.2-1.

It is easily seen from this table that a PRA, while successfully integrating the impact of design, operational and maintenance faults on the plant from a core damage prevention perspective, is limited to a narrow set of systems.

Systems Analysis -

The fault trees constructed for the various systems are developed to different levels of resolution as follows:

Component Resolution - The individual components comprising the function or system and the possible failure modes of the components are explicitly depicted in the fault tree model. It should be noted that not every system component and failure mode is modeled. Generally, only those components whose failure results in the loss of system function with a relatively significant probability (e.g., ≥ 1E-6) are modeled.

2. The level is much higher for PWRs since steam cooling is not inherently part of their design.

Table 5.2-1 Example of Plant Systems Versus PRA Modeled Systems

[Table: two columns of plant system names, each with a PRA marker giving its level of resolution in the PRA. The per-system markers are not legible in this copy; only the system names and the legend are recoverable.]

Auxiliary Steam System
Nuclear Boiler System
Recirculation System
Condensate System
CRD Hydraulic System
Feedwater System
Redundant Reactivity Control
Condensate Cleanup System
Feedwater Control
Heater Vents and Drains System
Standby Liquid Control System
Turbine Systems
Neutron Monitoring System
Generator Systems
Remote Shutdown System
Condenser Systems
Reactor Protection System
Off Gas Systems
Plant Annunciator System
Circulating Water System
Fire Protection System
Chlorination System
Meteorological Monitoring
Water Storage and Transfer
Seismic Instrumentation System
Emergency Service Water
Vibration Monitoring System
Component Cooling Water
Loose Parts Monitoring System
Turbine Bldg Cooling Water
Normal Service Water
Transient Test System
Drywell Monitoring System
Plant Air System
Residual Heat Removal System
Instrument Air System
Plant Chilled Water System
Low Pressure Core Spray
High Pressure Coolant Injection
Drywell Chilled Water
Leak Detection System
Diesel Generator Systems
MSIV Leakage Control System
Transformer Systems
Switchgear Systems
Feedwater Leakage Control
RCIC System
Auxiliary Bldg Vent System
Liquid Radwaste System
Radwaste Bldg Vent System
Reactor Water Clean-up System
Turbine Bldg Vent System
125V & 24V Batteries
Drywell Vent System
125V DC Power Supplies
Wetwell Vent System
125V Battery Chargers
Emer Swgr and Batt Rm Vent
Static Inverters
Other Bldg Vent Systems
Cont./Drywell Atm Monitoring
Control Bldg HVAC System
Drywell Cooling System
Control Room HVAC System
Main and Reheat Steam System
Load Seq and Shedding

Legend (PRA column): component level of resolution model; event level of resolution model; failure mode level of resolution model; not modeled.

A component in a PRA is generally the major piece of equipment that is essential to the function of the system such as pumps, valves, heat exchangers, diesel generators, etc. Parts that are essential to the component's function (e.g., valve disk) are not explicitly modeled, but are included within the boundary of the component (e.g., valve). Only those failure modes which prevent system function are usually modeled.

Failure Mode (Train) Resolution - The individual components are not explicitly depicted in the fault tree model, only the failure modes (e.g., system hardware, system out for maintenance, loss of power) of each train are modeled.

Event (System) Resolution - The function or system is represented by a single event; that is, a Boolean model explicitly depicting the components and the failure modes is not constructed in computing the system failure probability. This level of resolution can be referred to as a "black box" model.

Data Analysis -

The data analysis basically involves the quantification of the different failure mode probabilities associated with the SSCs modeled in the system fault trees. The failure modes considered in current PRAs generally include the following:

Hardware faults - This failure mode examines the potential for demand and time-related type failures associated with random hardware faults caused by such items as crud buildup on valve disk.

Test and maintenance faults - This failure mode examines the potential for a component (or system) to be unavailable when demanded because it is out-of-service for a test or maintenance activity.

Common cause faults - This failure mode examines the potential for several components to dependently fail from the same specific cause such as replacing the same part in several components where each replacement part is defective.

The identified events and their defined failure modes dictate what plant information is required to quantify their failure rates and unavailabilities. The estimation of the probabilities and unavailabilities is dependent on the supporting plant documentation that provides the necessary information on plant history.

If adequate plant documentation exists, then plant-specific equipment failure rates and unavailabilities are computed; however, if inadequate plant documentation exists, "generic"¹ data must be utilized, which places a limitation on the PRA application.

The period of time of the plant's history that is used to compute equipment failure rates and unavailabilities must be considered. A plant's historical performance changes over time; design, operational and maintenance changes are occurring which affect the reliability and unavailability of systems and components. It is important that the data reflect, as much as possible, the current performance of the plant.

Human Reliability Analysis (HRA) -

The estimation of event probabilities also involves the quantification of human performance events. This task is very diversified and standardization among PRAs does not exist. This task, however, has the ability to change the dominant accident sequences; that is, change the results of the PRA. The HRA, therefore, not only impacts the estimated core damage frequency, but what are identified as the most likely contributors to realizing a core damage state.

The human events include those operator actions conducted during normal plant operation that result in inoperable equipment without causing an initiating event. Also evaluated are those operator activities that are required to achieve a safe plant shutdown.

Quantification -

Using the event data and human error probabilities (HEPs), the quantification of the core damage frequency is performed by integrating the initiating event models² with the system models as depicted by the event trees. This computation is typically performed on a sequence basis, with the core damage frequency equal to the Boolean summation of the core damage frequencies of the individual sequences.

The core damage frequency is generally based on the summation of only the dominant accident sequences, and not every defined accident sequence. Those accident sequences whose calculated core damage frequency is typically less than 1E-8 may be truncated; they are not integrated into the overall PRA model. If the PRA contains quantified conclusions, i.e., importance measures, these conclusions are generally based on the dominant accident sequences alone.

1. Generic data is based on a compilation of data on the operating history of components taken from the nuclear industry.
2. These models, as mentioned previously, are generally a single event.

5.2.3 PRA Limitations

In reviewing the scope and level of detail of a Level 1 PRA, certain limitations can be identified that have the potential to impact the application of a PRA. These limitations need to be addressed when considering utilizing a PRA in the regulatory process.

The limitations include the following:

Scope - The PRA must address at least internal events (including internal flooding).

Structure, System and Components - The application of the PRA is limited to those SSCs that are part of the PRA. If the SSCs are not modeled in the PRA, it does not mean they are unimportant to core damage prevention, but that from a probabilistic perspective, they do not contribute significantly to the core damage frequency. Therefore, when utilizing a PRA for insights relative to potential changes to these SSCs, it is difficult to ascertain the effect if these SSCs are not considered.

Level of Resolution - The usefulness of a PRA is dependent on the level of resolution of its SSCs. If a PRA is performed at a system level, the insights of the PRA are at a system level. Conversely, a component level of resolution provides insights at the component level.

Failure Modes - Although a PRA may be performed to a component level, the application will be restricted to those failure modes modeled for the component. A component level of resolution does not mean that each failure mode is modeled in the PRA.

Data - The degree of plant-specific data that is utilized in the quantification of component failure rates and unavailabilities provides the degree of actual plant-specific representation. Therefore, whether generic data or plant-specific data is used will determine the extent of the use of the PRA in the regulatory process.

HRA - The incorporation of human activities into the PRA model has the ability to determine the dominant accident sequences and the dominant contributors to core damage. Insights from a PRA can, therefore, be misleading dependent on the type of human activities that were modeled. There are considerable uncertainties in the current ability to model human actions, and different assumptions can lead to significant changes in results.

Truncation - In quantifying the core damage frequency, truncation of low probability events and sequences is generally performed. Although this truncation is normally performed such that ~95% of the core damage frequency remains after truncation, the insights (e.g., importance measures, sensitivities) do not generally include the impact on the truncated events and sequences.

These limitations are discussed in more detail for the individual applications in Sections 5.3 through 5.6.

5.2.4 PRA Results

The form of the results will dictate, in a sense, the usefulness of the PRA. Importance measures can be computed as part of the PRA. These measures show different types of insights if changes were made to a SSC.

The importance measures generally seen in PRAs include one or all of the following:

Reduction Importance Measure - provides a ranking of the events (e.g., components) by those most crucial for safety improvement. The importance value for each event is the potential reduction in the core damage frequency if the event's (e.g., component's) probability was quantified as 0.0, or for example, the component was assumed to be perfectly reliable. This measure, therefore, indicates how much the core damage frequency can be improved (i.e., reduced) if it can be assured that a SSC will function as required when demanded.

Increase Importance Measure - provides a ranking of the events (e.g., components) by those most crucial to maintaining safety at the current estimated level. The importance value for each event is the potential increase to the core damage frequency if the event's probability was quantified as 1.0, or for example the component was assumed to be always unavailable. This measure, therefore, indicates how much the core damage frequency can be hurt (i.e., increased) if failure of the SSC was certain.

Fussell-Vesely Importance Measure - provides a ranking of the events (e.g., components) by contribution to the core damage frequency by computing their potential to change the core damage frequency. The importance value for each event is the summation of core damage frequencies of the cut sets¹ containing the event under consideration divided by the total core damage frequency.

These importance measures are significant because they can indicate the relative safety importance of an issue without requiring further manipulation of the PRA model. That is, safety insights can be gained from these measures. For example, the Reduction Importance Measure shows both those events (e.g., components) that are most likely to cause core damage and those events that have little-to-no impact on core damage. The Increase

1. The minimum, unique combination of events that will result in the defined end state, e.g., core damage.

Importance Measure, on the other hand, indicates those events (e.g., components) that are critical to maintaining the current level of safety. That is, if their reliability and availability were to decrease, they would have the most significant impact on the core damage frequency.

These measures can then be used to define generic categories to provide safety insights in the regulatory process.

5.3 PRA APPLICATIONS

The utilization of PRA to provide additional flexibility in the implementation of the regulations requires that general sets of PRA principles be defined. These principles need to define a set of general rules or guidelines which will establish major boundary conditions and assumptions; however, it needs to be recognized that this set will change as one changes application. It will be most useful, therefore, to construct these principles in terms of requirements as the application progresses from the generic to the plant specific.

A possible structure from the more generic to the plant specific would be as follows:

GROUP 1
Maintenance Rule-required analyses and characterizations.
Graded QA.

GROUP 2
Individual Line Item Improvements in the new STS.
Configuration Management using pre-calculated tables or matrices.

GROUP 3
Configuration Management using PRA model updating on-line.
Risk-based Technical Specifications.

The first group would involve applications where great precision in the PRA is not required to identify general categories of plant SSCs in terms of their safety significance. Conversely, the regulator does not require a high degree of precision in the PRA, and therefore, it would not be necessary to conduct a thorough de novo review of the PRA.

For this type of utilization, generic failure rate data would probably suffice, supplemented with plant-specific data only where a qualitative examination of operating experience might indicate some anomalous behavior relative to the overall generic data base for such components. Because the real purpose underlying Group 1 type uses is the separation of the important from the unimportant, and, only secondarily, the development of rank ordered groups of the "important", frequent updates of the PRA would not be required. Rather, they would need to be done only when there was a major redesign of one of the plant systems, or a major modification in the basic operational principles.

For the second group, emphasis would be placed on those areas of the PRA which would be used directly in developing a probabilistic-based strategy to implement or modify a given regulatory practice. In general, these applications will fall into two general categories. The first would emphasize relative improvements in risk, and would provide a measure of effectiveness in terms of the ratio of the calculated risk measure before the regulatory action is taken, to that which would obtain after implementation. Simplistically, many areas of uncertainty would "cancel" and thus emphasis in both analysis and review could be sharply focused. This does not imply that it would not be necessary to ascertain that the elements in question did not affect other parts of the analyses.

In the second instance, the PRA would rely on coarse models of the plant, perhaps at the train level. In planning configuration control, for example, it probably is unnecessary to develop trees below the train level, as long as the interactions with supporting systems are understood and modeled appropriately. Again, the analysis and the associated review would have to be focused on the specific application envisioned, but the requirement for assured confidence in the results would be limited, rather than global. These applications would require a comprehensive analysis of in-plant data in the selected areas under analysis, and updates of the PRA models would be desired each refueling outage.

The third group would involve applications that are within the state-of-the-art in theory, but the application would be difficult for both the industry and the regulator. A PRA of high calibre would be required. As an integral part of the regulatory structure, the PRA would require a comprehensive review by the staff. Perhaps of most significance, a comprehensive analysis of plant data would be required, since many of the methods currently available to optimize regulatory practices have imbedded assumptions regarding the characteristics of the failure data of the various components. Updating of the system status would be needed on a frequent basis; perhaps even in real time.

The inherent difficulties in progressing beyond Group 1 type applications suggest that pilot programs be organized between the NRC and the regulated industry to test the viability of the more complex applications, before they are offered to the industry as a whole.

A discussion of an application from each group is provided in the following sections. These discussions focus on the general sets of rules for the PRA relative to its application.

5.4 PRA APPLICATION FOR GRADED QA IMPLEMENTATION (Group 1)

10 CFR 50, Appendix B states that "the Quality Assurance program shall provide control over activities affecting the quality of the identified structure, system and components, to an extent consistent with their importance to safety." A PRA provides a tool which can categorize the SSCs according to their relative importance to safety, and therefore, define different categories of QA implementation.

The utilization of a PRA to support a graded QA implementation of the regulation requires that criteria associated with the application be defined. These criteria need to ensure that the PRA application does not negatively affect the current level of safety associated with the design, operation and maintenance of the plant. Therefore, criteria determining the definition of importance, criteria used to identify the important SSCs, and criteria establishing the basic conditions of the PRA in identifying importance are each necessary.

5.4.1 Importance Definition

The major element of the Graded QA Application is identifying those systems, trains, and components that are important and then determining their relative importance. It is, therefore, necessary to define what is meant by importance and define the criteria for relative importance. These definitions are both based on insights from PRA.

Importance is initially defined as those SSCs that are necessary to maintain the current level of safety, which is defined as core damage prevention. Those SSCs necessary to core damage prevention are, therefore, defined as important.

The relative importance of the SSCs necessary to core damage prevention can be determined from PRAs. The Achievement Importance Measure is an excellent measure to use in defining different importance categories of SSCs. It provides a ranking of the events (i.e., SSCs) that are critical in maintaining the core damage frequency at its current estimation (i.e., maintaining safety at the current estimated level).¹ Therefore, those SSCs whose reliability and availability need to be closely maintained are identified by this measure. For example, QA controls need to be assured for the relatively important SSCs so that their reliability and availability is not impacted.

Based on the Achievement Importance Measure, the relative importance of SSCs to core damage prevention can be determined. The relatively important SSCs are defined as those whose Achievement Importance Measure impact on the core damage frequency is greater than or equal to a factor of ten as shown by the following equation:

1. This measure provides the impact on the core damage frequency if an event's failure probability is 1.0; that is, it identifies how badly the core damage frequency is impacted if the availability and reliability of a SSC is degraded to the point where failure is certain.

$$\frac{\text{Achievement Importance Measure}_{\text{SSC}}}{\text{Core Damage Frequency}} \geq 10$$

For example, if a SSC's estimated Achievement Importance Measure is 4E-4, its unavailability impact on a core damage frequency of 1E-5 is a factor of 40. For this example, the SSC would be classified as "relatively important" to core damage prevention. If its estimated importance measure is, however, 5E-5, its unavailability impact on the core damage frequency of 1E-5 is only a factor of 5. In this case, the SSC would be classified as "relatively non-important" to core damage prevention.
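As an added illustration that is not part of the draft, the following Python example quantifies a Level 1 core damage frequency from a small constructed cut-set model with the 1E-8 truncation described in Section 5.2.2, computes the Reduction, Increase and Fussell-Vesely measures of Section 5.2.4 for each basic event, and applies the factor-of-ten criterion above. Event names, probabilities and cut sets are constructed; taking the Achievement Importance Measure as the core damage frequency evaluated with the event's probability set to 1.0 is an assumption that reproduces the factor-of-40 example above.

```python
"""Level 1 CDF quantification, importance measures (Sec. 5.2.4) and the
factor-of-ten classification (Sec. 5.4.1) on a constructed cut-set model.
Constructed example with hypothetical event names; not the draft's own data."""

# Constructed basic-event values: initiator frequencies per reactor-year and
# component/operator failure probabilities per demand.
BASIC_EVENTS = {
    "IE-LOFW": 1.0e-1,   # loss of feedwater initiating event
    "IE-LOOP": 5.0e-2,   # loss of offsite power initiating event
    "HPCI-FTS": 3.0e-2,  # high pressure coolant injection fails to start
    "RCIC-FTS": 3.0e-2,  # reactor core isolation cooling fails to start
    "DG-A-FTR": 2.0e-2,  # diesel generator A fails to run
    "DG-B-FTR": 2.0e-2,  # diesel generator B fails to run
    "DG-CCF": 1.0e-3,    # common cause failure of both diesels
    "HEP-DEPR": 1.0e-2,  # operator fails to depressurize (an HEP)
    "RHR-OOS": 5.0e-3,   # residual heat removal out of service for maintenance
    "VENT-FTO": 1.0e-2,  # containment vent fails to open
}

# Constructed minimal cut sets: each tuple is one initiator plus the failures
# that together lead to core damage (one quantified accident sequence).
CUT_SETS = [
    ("IE-LOFW", "HPCI-FTS", "RCIC-FTS", "HEP-DEPR"),
    ("IE-LOFW", "RHR-OOS", "VENT-FTO"),
    ("IE-LOOP", "DG-A-FTR", "DG-B-FTR", "HEP-DEPR"),
    ("IE-LOOP", "DG-CCF"),
    # Falls below the 1E-8 truncation limit and is dropped by quantify_cdf.
    ("IE-LOFW", "HPCI-FTS", "RCIC-FTS", "RHR-OOS", "VENT-FTO"),
]

IMPORTANCE_FACTOR = 10.0  # Sec. 5.4.1 criterion: AIM / CDF >= 10


def cut_set_frequency(cut_set, probs):
    """Frequency of one cut set: the product of its basic-event values."""
    freq = 1.0
    for event in cut_set:
        freq *= probs[event]
    return freq


def quantify_cdf(cut_sets, probs, truncation=1.0e-8):
    """Core damage frequency by the rare-event approximation (sum of cut set
    frequencies, standing in for the exact Boolean summation).  Cut sets
    below `truncation` are dropped, as the draft describes for dominant
    sequences.  Returns (cdf, retained_cut_sets)."""
    retained = [cs for cs in cut_sets
                if cut_set_frequency(cs, probs) >= truncation]
    return sum(cut_set_frequency(cs, probs) for cs in retained), retained


def importance_measures(event, cut_sets, probs):
    """The Sec. 5.2.4 measures for one basic event, computed only over the
    cut sets passed in (normally the post-truncation set, which is why the
    truncated sequences never influence these insights)."""
    base = sum(cut_set_frequency(cs, probs) for cs in cut_sets)
    perfect = dict(probs, **{event: 0.0})     # SSC assumed perfectly reliable
    failed = dict(probs, **{event: 1.0})      # SSC assumed always unavailable
    cdf_zero = sum(cut_set_frequency(cs, perfect) for cs in cut_sets)
    cdf_one = sum(cut_set_frequency(cs, failed) for cs in cut_sets)
    fv = sum(cut_set_frequency(cs, probs) for cs in cut_sets if event in cs) / base
    return {
        "base_cdf": base,
        "reduction": base - cdf_zero,         # Reduction Importance Measure
        "increase": cdf_one - base,           # Increase Importance Measure
        "achievement": cdf_one,               # assumed AIM: CDF with failure certain
        "achievement_ratio": cdf_one / base,  # the Sec. 5.4.1 ratio
        "fussell_vesely": fv,
    }


def classify(event, cut_sets, probs, factor=IMPORTANCE_FACTOR):
    """Sec. 5.4.1: relatively important if AIM / CDF is at least `factor`."""
    ratio = importance_measures(event, cut_sets, probs)["achievement_ratio"]
    return "relatively important" if ratio >= factor else "relatively non-important"


if __name__ == "__main__":
    cdf, retained = quantify_cdf(CUT_SETS, BASIC_EVENTS)
    print(f"CDF = {cdf:.3e}/yr from {len(retained)} of {len(CUT_SETS)} cut sets")
    for ev in sorted(BASIC_EVENTS):
        if ev.startswith("IE-"):
            continue  # initiators are not SSCs to be graded
        m = importance_measures(ev, retained, BASIC_EVENTS)
        print(f"{ev:9s} FV={m['fussell_vesely']:.3f} "
              f"AIM/CDF={m['achievement_ratio']:7.2f} -> "
              f"{classify(ev, retained, BASIC_EVENTS)}")
```

RHR-OOS and VENT-FTO sit in the same cut set and so share the same Fussell-Vesely contribution, yet only RHR-OOS crosses the factor-of-ten line, because the achievement ratio scales that contribution by one over the event's own probability.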

5.4.2 Importance Classification

The objective of the Graded QA Application is to define different categories of QA implementation based on the relative importance of a SSC. Based on the results of PRA, the SSCs of a plant's "Q" list can be identified and classified into different importance groups. These groups are determined based on PRAs of plants of similar design. Therefore, for each class of similar plants, relatively important and relatively non-important SSCs are identified.

Initially, similar designs would be considered one of the following:

BWRs 1-4.
BWRs 5&6.
PWR Westinghouse.
PWR CE.
PWR B&W.

In utilizing a graded implementation for QA, the SSCs on a plant's Q list would be ranked according to their importance to core damage based on PRA information. Only the SSCs identified as relatively important from a plant's Q list would be subject to the current implementation in meeting the QA regulatory requirements. The SSCs, however, identified as relatively non-important, would be subject to a graded implementation in meeting the QA regulatory requirements. This process is illustrated below in Figure 5.4-1.

Figure 5.4-1. Generic Classification of Q List SSCs. [Figure: the Q list of SSCs is divided between the current QA regulatory implementation and the graded QA regulatory implementation.]

For each class of plants, the relatively important SSCs are those SSCs that have been found to be relatively important in any of these PRAs. Therefore, for each of these SSCs, the ratio of their Achievement Importance Measure to the core damage frequency is greater than or equal to a factor of ten for at least one of the plants in that class. These SSCs, because of their relative importance to core damage prevention, would be subject to the current implementation in meeting the QA regulatory requirements.

The remaining Q list SSCs are then classified as relatively non-important since no PRA (of a similarly designed plant) identified any of these SSCs as relatively important. Although these SSCs have been determined to be probabilistically unimportant to core damage prevention, they have been identified as deterministically important to core damage prevention; therefore, removing these SSCs from the Q list is inappropriate. These SSCs would then be subject to a graded implementation of the QA regulatory requirements. This graded approach might focus on pre-operational functional testing, installation inspection, and compliance with recognized industrial procurement practices.

The initial identification of the relatively important and relatively non-important SSCs is performed based on probabilistic criteria. There are, however, SSCs that have been identified as deterministically important (i.e., identified as part of the "Q" list), but have not been modeled in the PRA. They are determined to be probabilistically unimportant; their failure probability is estimated to be negligible as compared to other SSCs. However, because of their deterministic importance and unless appropriate justification is provided, they would still be classified as relatively important to core damage prevention and would be subject to the current QA implementation requirements. An example of this category would be the reactor pressure vessel.

The SSCs of a plant that are not identified as part of the Q list have been determined to be deterministically unimportant. These SSCs are not subject to the current QA implementation requirements. If one of these SSCs were identified as probabilistically important, that is, modeled in the PRA and determined to be relatively important, this SSC should be subject to QA requirements and subject to a graded implementation of the QA regulatory requirements in accordance with its risk importance.

A plant's Q list has now been divided into two groups of SSCs. One group of relatively important SSCs where the current regulatory implementation is maintained. The second group of relatively non-important SSCs, however, will now be subject to a graded regulatory implementation.

The initial classification of the relatively important SSCs of a plant's Q list is based on the results of PRAs of plants of similar design and is a generic classification. There could, however, be a plant-specific SSC that is relatively non-important based on its plant-specific PRA. For example, this difference could be due to plant-specific design differences. Another classification of importance can then be defined: plant-specific relatively non-important SSCs. The SSCs in this class are plant-specific SSCs that are relatively non-important, but that a PRA of a similar designed plant found to be relatively important. This group of SSCs would not be subject to the current QA implementation, but to a graded QA implementation. This implementation for these SSCs, however, would be more stringent than the implementation for those SSCs identified as relatively non-important. As a possible example, these components might be subjected to most elements of the present QA program, but the need to maintain the "pedigree" of the component could be eliminated. Further requirement reductions might be obtained if it could be shown that commercially available equipment of this type met the expected reliability characteristics of the PRA. This plant-specific process is illustrated below in Figure 5.4-2.

[Figure 5.4-2: flow diagram. Q list SSCs are screened by the plant PRA and by PRAs of similar plants into Current QA (Level 1) Regulatory Implementation, Graded Level 2 QA Regulatory Implementation, and Graded Level 3 QA Regulatory Implementation.]

Figure 5.4-2. Plant-Specific Classification of Q List SSCs.

It must be remembered that the PRA definition of a "component" is different than perhaps a Q list's definition. Many of the items on a Q list either are not modeled in a PRA, or if modeled are not explicitly depicted in the PRA model. These items are referred to, in the PRA, as "parts."

In a PRA, if a component part is essential to the function (as defined by the PRA) of the component, then the part is included in the component boundary. There may be parts that are not essential for the component to perform its function even though the component has been identified as relatively important in the PRA. These parts would not be classified as relatively important and subject to the current implementation of the QA regulatory requirements. They would be classified as relatively non-important, and subject to a graded implementation in meeting the QA regulatory requirements. This determination would be based on an engineering evaluation of the need for the piece part, considering the failure modes involved. For example, if an O-ring failure led to minimum leakage, but did not prevent functional performance, it could receive reduced QA coverage. This classification is illustrated below in Figure 5.4-3.

[Figure 5.4-3: flow diagram. Parts of a relatively important component that are essential to its function go to Current QA Regulatory Implementation; parts not essential to the function go to Graded QA Regulatory Implementation.]

Figure 5.4-3. Classification of Q List Parts.

5.4.3 Graded QA Requirements

Utilization of PRA for graded QA application potentially results in three importance groups of SSCs:

Group 1 - Those SSCs that have been found to be relatively important to core damage prevention in a PRA of plants of similar design. Also included in this group are those SSCs that have been found to be deterministically important, but not probabilistically important; and those SSCs that have been found to be probabilistically important, but not deterministically important.

Group 2 - Those SSCs that have not been found to be relatively important in the plant-specific PRA, but have been found to be relatively important to core damage prevention in a PRA of plants of similar design.

Group 3 - Those SSCs that have not been found to be relatively important to core damage prevention in any PRA of plants of similar design.

For each of these groups, the actual implementation of QA needs to be defined.

Comments are particularly solicited in defining the QA categories and their implementation.
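The group assignment of Sections 5.4.2 and 5.4.3 can be written out as a small decision procedure. The Python below is an added example, not part of this draft; the SSC names, importance ratios and the `explicit` flag are constructed sample data, and the rule that an SSC modeled but not explicitly represented counts as relatively important follows the model-resolution criterion stated in Section 5.4.4.

```python
"""
Classify a plant's SSCs into the three graded-QA importance groups of
Section 5.4.3 using the probabilistic criterion of Section 5.4.2: an SSC is
"relatively important" in a PRA when the ratio of its Achievement Importance
Measure to that PRA's core damage frequency is >= 10.

Added illustration: the SSC names, ratios and flags below are constructed
sample data, not results from any real plant PRA.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IMPORTANCE_THRESHOLD = 10.0  # achievement importance / CDF (Section 5.4.2)


@dataclass
class PraResult:
    """How one PRA treats one SSC: the achievement importance to CDF ratio,
    and whether the SSC is explicitly represented in the model."""
    ratio: float
    explicit: bool = True

    @property
    def relatively_important(self) -> bool:
        return self.ratio >= IMPORTANCE_THRESHOLD


@dataclass
class Ssc:
    name: str
    on_q_list: bool                      # deterministically important?
    own_pra: Optional[PraResult] = None  # None: not modeled in plant PRA
    similar_pras: Dict[str, PraResult] = field(default_factory=dict)
    justified_nonimportant: bool = False  # "appropriate justification" given


def important_in(result: Optional[PraResult]) -> bool:
    """An SSC that is modeled but not explicitly represented is treated as
    relatively important (Section 5.4.4 model-resolution criterion)."""
    if result is None:
        return False
    return result.relatively_important or not result.explicit


def classify(ssc: Ssc) -> Optional[int]:
    """Return importance group 1, 2 or 3, or None when the SSC is outside
    the QA requirements altogether (not on the Q list, not risk-important)."""
    important_own = important_in(ssc.own_pra)
    important_similar = any(important_in(r) for r in ssc.similar_pras.values())
    modeled_anywhere = ssc.own_pra is not None or bool(ssc.similar_pras)

    if not ssc.on_q_list:
        # Deterministically unimportant: only a finding in the plant's own
        # PRA pulls the SSC into the QA requirements.
        return 1 if important_own else None

    if not modeled_anywhere:
        # Deterministically important but not modeled in any PRA
        # (e.g. reactor pressure vessel): Group 1 unless justified.
        return 3 if ssc.justified_nonimportant else 1

    if important_own:
        return 1
    if important_similar:
        # Generic finding of importance; plant-specific credit (Group 2)
        # requires the SSC to be explicitly modeled in the plant's own PRA.
        return 1 if ssc.own_pra is None else 2
    return 3  # never found relatively important in any PRA


def classify_q_list(sscs: List[Ssc]) -> Dict[str, Optional[int]]:
    return {s.name: classify(s) for s in sscs}


# Constructed sample data ("Plant X" is a hypothetical similar-design plant).
SAMPLE_SSCS = [
    Ssc("AFW pump A", True, PraResult(45.0), {"Plant X": PraResult(30.0)}),
    Ssc("Component cooling water pump", True, PraResult(3.0),
        {"Plant X": PraResult(12.0)}),
    Ssc("Containment spray header", True, PraResult(0.5),
        {"Plant X": PraResult(0.8)}),
    Ssc("Reactor pressure vessel", True, None, {}),
    Ssc("Instrument air compressor", False, PraResult(15.0), {}),
    Ssc("Turbine building sump pump", False, None, {}),
    Ssc("HPI valve (not explicit)", True, PraResult(2.0, explicit=False),
        {"Plant X": PraResult(1.0)}),
]

if __name__ == "__main__":
    for name, group in classify_q_list(SAMPLE_SSCS).items():
        print(f"{name}: {'not subject to QA' if group is None else f'Group {group}'}")
```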

5.4.4 PRA Criteria

In utilizing a PRA to identify relatively important SSCs and subsequently define different categories of relatively important SSCs, the PRA must be performed to certain criteria. These criteria address those limitations associated with a PRA (discussed in Section 5.2).

In addition to the criteria in Section 5.2, there are several others that must also be addressed when considering the use of PRA in the regulatory process. These criteria include the updating of the PRA and the level of review of the PRA.

In performing a PRA, the time period involved is generally two to three years. The models developed as part of the PRA reflect the design, operation and maintenance of the plant typically at the start of the PRA. As the PRA is used, the potential, therefore, exists for the PRA to be outdated and not reflect the current core damage frequency estimation (i.e., current level of safety) of the plant since the design, operation and maintenance of the plant do change. How often the PRA needs to be updated must be addressed when considering the PRA application. This criterion can be divided into three categories as follows:

Outage Driven - The PRA is updated at each plant outage considering the plant design, operational and maintenance changes.

PRA Driven - The PRA is updated at the time of the plant design, operational or maintenance change if the change has the potential to affect the PRA.

Real-time Driven - The PRA is made "living" such that it continually reflects the status of the plant in real-time.

From a regulatory perspective, in considering the utilization of the PRA, the adequacy of the PRA for the identified use must be addressed. This determination will be based on the type and level of review that is performed by the NRC. The different levels and types of review that can be performed include the following:

Process - The review primarily focuses on the methods, boundary conditions and assumptions of the PRA such that it can be determined that the SSCs important to core damage prevention are adequately addressed and identified in the PRA.

Detailed - The review focuses on the accuracy of the core damage frequency estimation. The methods, boundary conditions, assumptions, scope, level of detail, models and data of the PRA are reviewed.

PRA Criteria For Generic Importance Classification -

This categorization is basically determining relative importance of a plant's SSCs based on generic insights. Since only those SSCs that have never been shown to be relatively important in any PRA receive graded QA, generic types of criteria are adequate.

The PRAs need only to have addressed internal events, including internal flooding.

The classification of relatively non-important SSCs is bounded by the level of detail of the PRAs. For a SSC of a plant's Q list to potentially be considered as relatively non-important, the PRAs need to have addressed these SSCs. Therefore, the SSCs not addressed by any PRA (or parts of any component modeled), but on the plant's Q list, are classified as relatively important (unless appropriate justification is provided).

The PRAs only need to have addressed the probabilistically significant failure modes for each classified SSC (as either relatively important or non-important). Probabilistically significant is defined as an unavailability greater than or equal to 1E-5, at the component level.

The level of model resolution determines the degree of application of a plant's SSCs. To determine that a SSC may potentially be classified relatively non-important, that SSC needs to be explicitly represented in the model. For example, if a SSC is modeled in the PRA, but not explicitly represented, then it should be classified as a relatively important SSC.

The PRA quantification process may take advantage of truncation of low probability events, cut sets, or sequences. The truncation value must ensure, however, that at least 95% of the core damage frequency is captured.

The utilization of generic data for the quantification of event failure rates and unavailabilities is adequate for this generic application.

HRA has the ability to impact the identification of the dominant sequences. Inadequate HRA could, therefore, erroneously result in identifying relatively important SSCs as relatively non-important. To preclude this possibility, the classification of the SSCs is performed with the HEPs for the various operator activities set equal to 1.0 in the PRA.

It is recognized that this requirement is a conservative criterion. Comments are particularly solicited for other suggestions in dealing with HRA.

The PRA needs to be current at the time of its application. Generally, updating the PRA at every outage will provide this currency.

An NRC review needs to have been performed of the plant-specific PRA of the licensee utilizing the application. A review of the PRAs of the similar plants also needs to be performed. A process type review of these PRAs similar to that afforded to IPE submittals is adequate for this generic application.

PRA Criteria For Plant-Specific Importance Classification -

This categorization credits plant-specific differences for the relatively important SSCs. Those plant-specific SSCs that are determined from the plant-specific PRA to be relatively non-important are differentiated from the generic list of relatively important SSCs.

This category of SSCs would not be subject to the current level of regulatory implementation, but to a graded implementation. The implementation, however, would be more stringent than for those SSCs that have not been found to be relatively important in any PRA. The higher level of implementation is imposed since some PRA of a similar plant has found this SSC to be relatively important.

To categorize SSCs on plant-specific information, the criteria imposed on the plant-specific PRA are also more stringent. This stringency is applied to the data and truncation criteria. The other criteria are the same as for the generic application.

The data for those SSCs under consideration need to be based on plant-specific information. For example, if a specific SSC is determined as relatively important from a PRA of a similar plant, but this SSC is determined relatively non-important from its plant-specific PRA, the data used to estimate the plant-specific SSC's reliability and availability need to be based on plant-specific information.

In quantifying a PRA, it is natural to truncate low probability events, cut sets or sequences. When this truncation is performed, the importance measures are only computed for those SSCs that are not truncated and do not consider the effect on the truncated portion. For a plant-specific SSC determined to be relatively non-important from its plant-specific PRA (although some PRA of a similar plant found it to be relatively important), the quantification of this SSC's importance measure needs to consider the effect of the SSC's unavailability and unreliability on the entire PRA model.

5.4.5 Other Graded Type Applications

A graded QA implementation is one example of fulfilling a regulatory request, a generic letter, etc. This type of approach, defining different categories of implementation for the SSCs commensurate with their relative importance, is not unique. For those regulations, generic letters, etc. where a ranking approach is appropriate, a similar process would be followed as illustrated below in Figure 5.4-4.

[Figure 5.4-4: flow diagram with a Generic Application column and a Plant-Specific Application column. SSCs are screened by the plant PRA and by PRAs of similar plants into Current (Level 1) Implementation, Graded Level 2 Implementation, and Graded Level 3 Implementation.]

Figure 5.4-4. Graded Approach Process.

The criteria used in classifying relatively important and relatively non-important SSCs would be the same. In addition, the criteria established for the PRA would be the same.

The requirements for the various categories would need to be defined. These requirements should be commensurate with their relative importance.

Comments are particularly solicited here; suggestions for other applications along with their criteria are welcome.


5.5 PRA APPLICATION FOR CONFIGURATION ANALYSIS (Group 2)

One aspect of the regulatory process involves technical specifications that, in a sense, control the configuration of a plant. The configurations are established by the allowed outage times (AOTs) associated with the limiting conditions of operation (LCO) in the technical specifications. The AOT defines that period of time that a SSC is allowed to be out-of-service before a plant shutdown is required.

The technical specifications also provide the surveillance test intervals (STIs) required for various plant SSCs. The surveillance test is performed to ensure that important standby systems will function as demanded when required.

The AOTs and STIs are modeled in a PRA as they affect the SSCs' availability. The AOTs control SSC unavailability due to maintenance by the specified AOT time. The STIs control SSC unavailability due to failures by limiting the fault exposure time. A PRA can, therefore, be used to optimize these conditions.

A discussion of the types of applications and their associated criteria is provided below.

5.5.1 Configuration Application Regarding AOTs

Currently, technical specifications require a plant to shut down when an AOT is exceeded. This requirement may, however, pose a challenge if the AOT applies to a system needed for shutting down or continued shutdown. Therefore, the required shutdown of the plant may present a greater risk than remaining at power for an additional amount of time. The risk should then be evaluated for remaining at power versus shutting down when an LCO occurs to determine whether it is best to repair the SSC with the plant at power or in shutdown. The risk of concern, in this context, is the occurrence of core damage.

The probability of a core damage state occurring from remaining at power when an AOT is exceeded is computed by analyzing the specific configuration using the PRA model. The PRA, however, provides the core damage frequency for an average configuration and any possible event. The PRA model must then be modified to account for the specific configuration and quantified for the core damage probability of the specific configuration. The various SSCs in the plant are in a specific state. They are either "up" (i.e., available), or they are "down" (i.e., unavailable). These specific availabilities are modeled instead of the average annual availability.

The probability of a core damage state occurring from continued operation is compared to the probability of a core damage state occurring from shutting down. This latter state is comprised of three phases. A core damage state could potentially occur during the period of shutting down, during the shutdown period, or during the period of starting up. Each of these phases should be evaluated and compared to the probability of a core damage state from remaining at power.

It can be assumed that the probability for a core damage state occurring during the period of shutting down is comparable to one of a manual shutdown with the specified equipment out-of-service. The potential accident sequences associated with a manual shutdown, or normal transient, are delineated in a PRA. Therefore, the core damage probability associated with a normal transient is computed considering an initiating event probability of 1.0.

For a single line item AOT relief, comparison of the probability of a core damage state from continued operation to the probability of a core damage state from shutting down is adequate.

PRAs can, however, be utilized in the optimization of AOTs. For this application, consideration of the average annual core damage frequency should be included.

The average annual core damage frequency provides the risk level for a normal power operation where no existing failures and no ongoing maintenance are known. This value sets the limit, or upper bound, for the plant.

In this type of application, predetermined extensions of the AOTs for each SSC are evaluated.

There could be a configuration where the core damage probability exceeds the average core damage frequency. This increase would imply that the current estimated level of safety is not met. It is, therefore, important to ensure that any individual AOT extension does not cause the current estimated level of safety to be increased. The probability of a core damage state from any extended AOT must then be equal to or less than the average core damage frequency.

Utilizing this ground rule, the maximum pre-determined AOT extension for any single SSC can be computed as follows:

$$\mathrm{AOT}_{\max} = \frac{\mathrm{CDP}_{MS}}{\mathrm{CDP}_{CO}/\mathrm{day} - \mathrm{CDF}_{av}}$$

where

CDP_MS = core damage probability of manual shutdown
CDP_CO = core damage probability of continued operation
CDF_av = average core damage frequency

Note that if a train were successfully tested, showing evidence of continued operability, the core damage frequency for continued operation would decrease, thus extending the AOT. In this manner, a family of AOTs could be calculated for a variety of train operability configurations.

1. Sandstedt, Johan. "Living-PSA Application for a Swedish BWR with the Aid of Risk Spectrum," 3rd Workshop on Living-PSA Application, Hamburg, Germany, May 1992.

Figure 5.5-1 illustrates this concept of continued operation versus shutdown.

[Figure 5.5-1: plot of core damage probability versus time, with one curve for Continued Operation and one for Shutdown, a horizontal line for the average Core Damage Frequency, and the Maximum AOT marked on the time axis.]

Figure 5.5-1. Comparison of Core Damage Probability of Continued Operation versus Shutdown.

5.5.2 Configuration Application Regarding STIs

The technical specifications state the frequency at which standby components need to be tested. These requirements, however, have been argued to pose adverse effects on safety by causing plant transients or causing undue wearing of SSCs. A PRA can be used to optimize the STIs without affecting the current level of safety.

In considering an STI change, the core damage frequency based on the new STI needs to be compared to the core damage frequency based on the current STI.

As noted above, the STIs control SSC unavailability by limiting the fault exposure time. In a PRA, this unavailability is computed as follows:

$$Q = \lambda T$$

where

Q = component unavailability
λ = component failure rate
T = component STI

Based on the above equation, if the STI for a SSC were increased, it can easily be seen that the unavailability of the component, not the failure rate, is increased. Conversely, the opposite is true. If the STI were decreased, the unavailability is decreased. Note that if one train is failed, the availability of the second train can be improved by increased surveillance testing.

Utilizing the average core damage frequency as the upper limit, one approach to optimizing STIs is to investigate functional availabilities rather than the availability of a single SSC. In this approach, the functional availability is held constant while manipulating the availabilities of the systems comprising the function. That is, the STIs for some of the SSCs could be increased, but decreased for others with the availability of the function remaining constant.

This application would require specifications at the functional level to remain constant.

The functional availability would be established from the average core damage frequency based on the current STIs. The STIs for those relatively non-important SSCs could be increased, since the limits on the relatively important SSCs would control, and the current estimated safety level not impacted.

Comments are particularly solicited on this application; suggestions for implementation of this approach are welcome. Comments should address how to implement such an approach in a manner consistent with the existing defense-in-depth philosophy.
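The two calculations of Sections 5.5.1 and 5.5.2, the AOT ground rule and the Q = λT unavailability model, are carried through below in Python as an added example that is not part of this draft. It assumes CDF_av is given per reactor-year and converted to a per-day rate so the denominator is in consistent units, treats the two trains of a function as redundant (functional unavailability taken as the product of the train unavailabilities), and uses constructed sample values throughout.

```python
"""
Worked AOT and STI calculations for Sections 5.5.1 and 5.5.2.

Added illustration: every numeric value below is a constructed sample input,
not a result from any real plant PRA.
"""
from typing import Dict

DAYS_PER_YEAR = 365.0


def max_aot_days(cdp_manual_shutdown: float,
                 cdp_continued_per_day: float,
                 cdf_average_per_year: float) -> float:
    """AOT_max = CDP_MS / (CDP_CO/day - CDF_av).

    CDF_av is supplied per reactor-year (assumption) and converted to a
    per-day rate so it can be subtracted from CDP_CO/day. When continued
    operation adds no risk above the baseline, the rule places no bound on
    the extension, so infinity is returned.
    """
    excess_per_day = cdp_continued_per_day - cdf_average_per_year / DAYS_PER_YEAR
    if excess_per_day <= 0.0:
        return float("inf")
    return cdp_manual_shutdown / excess_per_day


def aot_family(cdp_manual_shutdown: float,
               cdp_continued_by_config: Dict[str, float],
               cdf_average_per_year: float) -> Dict[str, float]:
    """Family of AOTs for different train operability configurations.
    Each value in cdp_continued_by_config is the per-day core damage
    probability of continued operation in that configuration; a successfully
    tested redundant train lowers it and therefore lengthens the AOT."""
    return {name: max_aot_days(cdp_manual_shutdown, cdp_day, cdf_average_per_year)
            for name, cdp_day in cdp_continued_by_config.items()}


def unavailability(failure_rate: float, sti: float) -> float:
    """Q = lambda * T, the unavailability model quoted in Section 5.5.2;
    lambda and T must share a time unit. Clamped at 1.0 since a probability
    cannot exceed one."""
    return min(1.0, failure_rate * sti)


def rebalance_sti(lambda_a: float, sti_a: float,
                  lambda_b: float, sti_b: float,
                  new_sti_a: float) -> float:
    """Hold the functional unavailability of two redundant trains constant
    (assumed Q_f = Q_a * Q_b) while extending train A's STI; returns the
    shortened STI train B needs to compensate."""
    q_function = unavailability(lambda_a, sti_a) * unavailability(lambda_b, sti_b)
    q_a_new = unavailability(lambda_a, new_sti_a)
    if q_a_new <= 0.0:
        raise ValueError("train A unavailability must be positive")
    q_b_required = q_function / q_a_new
    if q_b_required > 1.0:
        raise ValueError("no STI for train B restores the functional unavailability")
    return q_b_required / lambda_b


# Constructed sample inputs.
SAMPLE_CDP_MS = 2.0e-6   # core damage probability of a manual shutdown
SAMPLE_CDF_AV = 5.0e-5   # average core damage frequency, per reactor-year
SAMPLE_CDP_CO = {        # CDP_CO per day for two train configurations
    "redundant train untested": 5.0e-7,
    "redundant train successfully tested": 3.0e-7,
}

if __name__ == "__main__":
    for config, days in aot_family(SAMPLE_CDP_MS, SAMPLE_CDP_CO, SAMPLE_CDF_AV).items():
        print(f"{config}: maximum AOT {days:.1f} days")
    # Two identical trains tested every 30 days; extend train A to 60 days.
    print("train B STI:", rebalance_sti(2.0e-4, 30.0, 2.0e-4, 30.0, 60.0), "days")
```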

5.5.3 PRA Criteria

In utilizing a PRA to optimize AOTs and STIs, the PRA must be performed to certain criteria. These criteria address those limitations associated with a PRA (discussed in Section 5.2).

The PRA needs only to have addressed internal events, including internal flooding.

Proposed AOT and STI changes for SSCs are bounded by the level of detail of the PRAs. For a change to be considered, the PRA needs to have addressed these SSCs.

The failure modes that characterize the AOT and STI for the SSCs under consideration need to be included in the PRA model.

The level of model resolution determines the degree of application of a plant's SSCs. To determine the impact of changing an AOT or STI of a SSC, that SSC needs to be explicitly represented in the model.

The PRA quantification process may take advantage of truncation of low probability events, cut sets, or sequences. The truncation value must ensure, however, that at least 95% of the core damage frequency is captured. If truncation is performed, the quantification of importance measures for the single line SSCs needs to consider the effect of the SSC's unavailability and unreliability on the entire PRA model.

The utilization of generic data for the quantification of event failure rates and unavailabilities is adequate for most of the SSCs. For the SSCs involving single line item type reliefs, plant-specific data is required.

HRA has the ability to impact the identification of the dominant sequences. Inadequate HRA could, therefore, erroneously result in identifying relatively important SSCs as relatively non-important. To preclude this possibility, the classification of the SSCs is performed with the HEPs for the various operator activities (including recovery actions) set equal to 1.0 in the PRA.

It is recognized that this requirement is a conservative criterion. Comments are particularly solicited for other suggestions in dealing with HRA.

The PRA needs to be current at the time of its application. Generally, updating the PRA at every outage will provide this currency.

An NRC review needs to have been performed of the plant-specific PRA of the licensee utilizing the application. A process type review for the majority of the PRA is adequate for this type of application; however, focus needs to be particularly emphasized in the data area regarding the computation of the core damage frequency value.


5.6 PRA APPLICATION FOR ON-LINE CONFIGURATION CONTROL (Group 3)

PRA, at its most optimum, can be utilized in a living manner. In this type of application, the probability of a core damage state is computed in real-time and plant decisions (operational, maintenance, etc.) are made based on the core damage probability.

A real-time computation of the core damage probability would mean that the PRA model and the entire PRA process are computerized such that the PRA inputs are automatically fed into the PRA model from the plant. Therefore, at any given time, a core damage probability for the plant is known. A system would then need to be designed and implemented that could perform this task.

In this application, some plant safety decisions would be made based on a calculated core damage probability. A baseline core damage probability (or upper limit) would be established, and the plant would be designed, operated and maintained within this baseline. Therefore, the absolute value of the core damage probability becomes critical.

A standardization for PRA regarding such items as boundary conditions, assumptions, scope, level of detail, etc. would need to be established, and uncertainties resolved.

Since the PRA would be used to regulate the plant, assurance would need to be provided of both the adequacy and accuracy of the PRA, supporting software and hardware. Also, the real-time input of plant conditions to the PRA computer model would have to meet standards of acceptance. This provision would need to occur at all levels; therefore, requirements, audits, inspections would more than likely be required at each level.

Although PRA can provide valuable insights, and a living-PRA can be a tremendous asset to the internal operations of a licensee, it is felt that the state-of-the-art of PRA will not currently support this type of application.

Comments are particularly solicited on this application; suggestions for implementation of this approach are welcome.

5.7 RELATIVE IMPORTANCE OF REGULATIONS

(This section will contain a description and results of a feasibility study now underway.)

The objective of this effort is to assess the consistency of regulations with the safety goals by examining the feasibility of determining the relative "safety importance" of regulations considering their importance to public safety and health.

5.7.1 Work Requirements

For the Surry or Peach Bottom NUREG-1150 model, considering the plant systems impacted by the regulatory requirements and license commitments and considering the systems modeled in the PRA and their relative safety importance, the feasibility of estimating the relative importance of these requirements and commitments to the plant's core damage frequency and its potential impact to public health and safety is determined. This process was performed per the following:

Identify the regulations to be examined and differentiate between programmatic type regulations that impact the inherent PRA model assumptions (e.g., quality assurance, training, equipment qualification) and ones that explicitly impact systems and components modeled in a PRA (e.g., ATWS rule, station blackout rule).

Identify the plant systems impacted by the identified regulations.

Estimate the importance measures of the systems modeled in the PRA relative to the core damage frequency.

Determine "weighting factors," where appropriate, of the various regulations accounting for the number and the systems impacted.

Estimate, if necessary, the importance measure of the systems not explicitly modeled in the PRA, but whose function is inherently part of the PRA (e.g., reactor vessel).

System is defined as a structure (e.g., reactor vessel), fluid, air, electrical or actuation system.

5.7.2 Technical Approach

[TO BE WRITTEN]

5.7.3 Elicitation

[TO BE WRITTEN]

5.7.4 Results

[TO BE WRITTEN]

5.7.5 Conclusions and Recommendations

[TO BE WRITTEN]

5.8 FOREIGN INSIGHTS

[TO BE WRITTEN]

5.9 CONCLUSIONS

[TO BE WRITTEN]

5.9.1 NRC-Sponsored Programs

[section is not yet cleaned up]

PRA applications having the potential to significantly reduce regulatory burden or provide more flexibility in the regulations and in the implementation of the regulations while maintaining safety are those that primarily address configuration control and quality assurance (QA) issues. Configuration control applications generally involve the utilization of PRA/PSA methods to optimize surveillance test intervals (STIs) and allowed outage times (AOTs). QA applications generally involve the utilization of PRA/PSA to support "graded" QA; that is, optimizing QA for those structures, systems or components that are safety significant based on PRA/PSA insights. Current NRC-sponsored programs were examined to identify those efforts that are utilizing PRA/PSA that could provide potential insights in these areas.

The use of PRA/PSA by the NRC has been both broad and narrow. The broad application is seen in the many various and diverse activities which have increased over time, particularly since the TMI accident. The utilization of PRA/PSA, however, has been narrow in that it has been limited to a small set of applications.

These activities have been defined and summarized into several categories (as reported in the draft NRC PRA Working Group Report) as follows:

Licensing of reactors which involves utilizing PRA/PSA in the review of analyses submitted as part of advanced reactor design certification applications, and plant-specific licensing actions such as technical specification modifications, justifications for continued operations, etc.

Regulation of reactors which involves utilizing PRA/PSA in monitoring of operations (with risk-based inspections); screening of events for significance (including operational event screenings, generic safety issue screenings, and facility screening risk analyses); analyses of events and issues (including operational events analyses, component and system failure data analyses and trends, reliability monitoring now developing as a result of the maintenance rule, generic safety issue analyses, and severe accident research studies); facility analyses (both those performed by the staff such as NUREG-1150 and those performed by licensees in the individual plant examination process); and in regulatory analyses supporting regulatory actions such as backfits.

Licensing of fuel cycle and materials which involves utilizing methods similar to risk analyses (called performance assessment methods) being used as part of the licensing of proposed high level waste repositories ... in NMSS.

These activities are summarized below in Table 5.9-1.

Table 5.9-1 Summary of Staff PRA/PSA Uses

CATEGORY                               APPLICATION
Licensing of Reactors                  Reviews of advanced reactors.
                                       Reviews of plant-specific licensing actions.
Regulation of Reactors                 Monitoring operations by inspection.
                                       Issue screening of operational events, generic safety issues, and facility screening risk analyses.
                                       Issue analyses of operational events analyses, operational data and trending analyses, maintenance rule regulatory guide, generic safety issues, and severe accident issues.
                                       Facility analyses involving staff studies and individual plant examinations.
                                       Regulatory actions including regulatory analyses.
Licensing of Fuel Cycle and Materials  Reviews involving high level waste facilities.

As can be seen, these PRA/PSA efforts are relatively diverse; and although each NRC Office (i.e., AEOD, NRR and RES) is involved in programs utilizing PRA/PSA, current utilization of this type of integral analysis by the NRC is rather limited when focused on attempts to reduce regulatory burden or provide additional flexibility with the regulations and licenses.

Current NRC-sponsored programs that can provide insights in support of this area primarily involve configuration control regarding technical specification optimization. No NRC-sponsored programs supporting graded QA based on PRA/PSA were identified.


These specific types of activities are summarized below for each NRC office.

5.9.1.1 AEOD-Sponsored Programs

The Office for Analysis and Evaluation of Operational Data (AEOD) utilizes PRA/PSA techniques and insights in the accomplishment of its mission. Although its ongoing PRA/PSA-related programs are not focused on determining ways to reduce regulatory burden and provide flexibility in licensing and regulatory actions, the Trends and Patterns Analysis and the Reactor Operations Analysis Branches within the Division of Safety Programs are involved in efforts that can ultimately assist in providing the data requirements and insights for PRA/PSA-based programs supporting configuration control and graded QA (from a regulatory perspective).

The Trends and Patterns Analysis Branch has ongoing programs that analyze operational data to identify and provide quantitative content for new safety issues; evaluate the effectiveness of current regulations, regulatory actions and initiatives taken by licensees to resolve safety concerns; and help guide and focus engineering evaluations. These programs support four major activities as follows:

Hardware performance studies of risk-important components, systems, initiating events and accident sequences.

Safety and regulatory studies of trend performance for selected regulatory issues through an appropriate parameter related to the specific issue to determine effectiveness of implementation.

Data base studies involving common cause failure event data and a human performance data base that trends human actions important to plant safety and risk.

Risk assessment studies evaluating the risk implications of trending results from the hardware, safety issues and special data analyses.

The Reactor Operations Analysis Branch's ongoing Accident Sequence Precursor (ASP) Program also provides needed support for the PRA/PSA utilization in configuration control and graded QA optimization. The ASP program provides a safety significance perspective of nuclear plant operational experience. The program uses PRA/PSA techniques to provide estimates of operating event significance in terms of the potential for core damage; that is, accident sequence precursors are events that are important elements in core damage accident sequences. Such precursors could be infrequent initiating events or equipment failures that, when coupled with one or more postulated events, could result in a plant condition leading to severe core damage. The precursors are selected and evaluated using an evaluation process and significance quantification methodology. The types of events evaluated include initiators, degradations of plant conditions, and safety equipment failures that could increase the probability of postulated accident sequences.

5.9.1.2 NRR-Sponsored Programs

The Office of Nuclear Reactor Regulation (NRR) has current PRA/PSA efforts directly supporting licensing and regulatory activities that can provide regulatory burden reduction and flexibility in the implementation of the regulations. These efforts are being performed in the Operational Reactor Support and Systems Safety Analysis Divisions by the Technical Specifications and Probabilistic Safety Assessment Branches, respectively.

In 1987, the Commission issued its interim "Policy Statement on Technical Specification Improvements for Nuclear Power Reactors" encouraging licensees to voluntarily implement a Technical Specification Improvement Program. As a result of this policy statement, five sets of improved Standard Technical Specifications (STS) were developed; one for each NSSS vendor (i.e., Westinghouse, Babcock and Wilcox, Combustion Engineering, General Electric BWR 4, and General Electric BWR 6). PRA/PSA was utilized in the development of these STS as follows:

A number of completion times (i.e., allowed outage times, AOTs) and surveillance test intervals (STIs) were relaxed based on NRC staff-approved topical reports and on draft NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements."

In their topical reports justifying the relaxations, the NSSS vendors based their conclusions on PRA/PSA insights.

NUREG-1366 used qualitative rather than PRA/PSA insights to support such relaxations.

Utilizing the Grand Gulf and Surry PRAs from NUREG-1150, the core damage frequencies were recalculated with the new STS changes to identify any potential concerns. No significant increase in core damage frequency was observed as a result of these changes.

A "lead" plant for each NSSS STS has been identified by industry.

As the implementation of the improved STS and development of line-item improvements proceeds, the staff intends to utilize PRA/PSA along with deterministic bases to support its decisions. This utilization will primarily be based on evaluations of industry's proposals.

The information from the programs currently in progress in RES will be used to support or validate, as appropriate, industry's risk-based proposals.

Currently the staff is evaluating risk-based changes to technical specifications proposed by the South Texas Nuclear Project. This effort is currently in progress in RES.

The Probabilistic Safety Assessment Branch activities that directly involve PRA/PSA efforts to improve plant operations and maintenance primarily include providing risk assessment of potentially safety significant issues and reviewing applications submitted by the licensees.

The issues reviewed for their risk impact are a result of identified safety concerns. Recent examples include:

Intersystem LOCA
Shutdown Risk
Alternative Tube Plugging Criteria

The applications submitted by the licensees are generally requests for exemptions (or waivers) from regulatory requirements. The justification for requesting and granting the exemption is primarily based on PRA/PSA insights. Recent examples include:

Waiver to allow refurbishment of service water system
Minor actions involving man-made hazards, tornado protection, containment penetrations, toxic gas detectors

5.9.1.3 RES-Sponsored Programs

The Office of Nuclear Regulatory Research (RES) has several ongoing PRA/PSA efforts directly supporting licensing and regulatory activities. These programs are being performed in the System Research, Safety Issue Resolution and Engineering Divisions by the Human Factors Branch, the Severe Accident Issues and Probabilistic Risk Assessment Branches, and the Electrical and Mechanical Engineering Branch, respectively.

The PRA/PSA programs in the Human Factors Branch are currently those that have the greatest potential in assisting in the assessment of risk technology for providing regulatory burden reduction and flexibility while maintaining safety. These efforts are primarily focused on developing methods in direct support of technical specification improvements as follows:

Risk impact in varying AOTs and STIs at power and during shutdown, and considering the effects of test errors on optimum test intervals.

Risk impact from action statements requiring shutdown, if equipment needed during shutdown (e.g., residual heat removal), fails.

Risk implications of taking equipment out-of-service for maintenance, looking at rolling maintenance schedules, optimizing the frequency of scheduled maintenance, and integrating surveillance with preventive maintenance.

Dependent failures examining improved methods for recognizing and preventing dependent failures.


Configuration management considering a conceptual framework for risk-based configuration management.

The methods that are being developed are reliability-engineering tools that analyze technical specification requirements within the framework of a PRA/PSA and which can estimate the risk impact of changing the level of a particular requirement in technical specifications; and therefore, they can provide a risk perspective on the bases for these technical specification requirements and for related maintenance guidelines.

These applications share the strengths and weaknesses of PRA/PSA. They are useful to integrate and prioritize only those considerations that can be quantified in terms of reliability and availability; therefore, they are applicable to only a fraction of the requirements in technical specifications. In general, these methods are directly applicable to evaluating AOTs and STIs for active, front-line systems and support systems. The methods are only marginally applicable to instrumentation, and are not applicable to concerns not modeled in PRA, such as security and occupational health. In general, these methods are not yet sufficiently refined to treat uncertainties in detail. It is expected that consideration of uncertainties will be incorporated with use of these methods.
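To make the preceding description concrete, the following is an added illustrative calculation, not the NRC research method or any of its software: it expresses one standby train's average unavailability in terms of its technical-specification parameters (surveillance test interval, test downtime, maintenance outage frequency and duration), linearises the PRA core damage frequency around the base case with the train's Birnbaum importance to obtain the yearly risk impact of an STI change, and computes the per-outage conditional core damage probability for an AOT extension. Every parameter value, the three CDF figures and the train itself are constructed for the example; the two CDF sensitivity values are what one would obtain by requantifying a plant PRA with the train's basic event set to 1 and to 0.

```python
"""Risk impact of changing a surveillance test interval (STI) or allowed outage
time (AOT) for one standby safety train.

Illustrative calculation only (not the NRC research method): the train's
average unavailability is written in terms of the technical-specification
parameters, and the change in core damage frequency (CDF) is obtained by
linearising the PRA result around the base case with the train's Birnbaum
importance.
"""
from dataclasses import dataclass, replace

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class TrainParams:
    lam_standby: float       # standby failure rate per hour (failures accumulate between tests)
    q_demand: float          # failure probability on demand, independent of the test interval
    test_downtime_h: float   # hours the train is unavailable while being tested
    sti_h: float             # surveillance test interval, hours
    maint_freq_per_h: float  # rate at which the train enters maintenance
    maint_duration_h: float  # mean outage duration per maintenance entry (bounded by the AOT)


def average_unavailability(p: TrainParams) -> float:
    """Time-averaged unavailability of a periodically tested standby train.

    lam*T/2 : undetected standby failures, averaged over a test interval
    tau/T   : fraction of time spent in the test itself
    f*d     : fraction of time spent in maintenance outages
    """
    return (p.q_demand
            + p.lam_standby * p.sti_h / 2.0
            + p.test_downtime_h / p.sti_h
            + p.maint_freq_per_h * p.maint_duration_h)


def optimal_sti(p: TrainParams) -> float:
    """STI that minimises lam*T/2 + tau/T (derivative set to zero): T* = sqrt(2*tau/lam)."""
    return (2.0 * p.test_downtime_h / p.lam_standby) ** 0.5


def birnbaum_importance(cdf_train_failed: float, cdf_train_perfect: float) -> float:
    """Birnbaum importance: CDF with the train failed minus CDF with it always available.

    Both inputs come from requantifying the PRA with the train's basic event
    set to 1 and to 0 respectively.
    """
    return cdf_train_failed - cdf_train_perfect


def delta_cdf(base: TrainParams, new: TrainParams, birnbaum: float) -> float:
    """Change in yearly-average CDF from changing the train's STI/AOT parameters."""
    return birnbaum * (average_unavailability(new) - average_unavailability(base))


def single_outage_ccdp(cdf_train_failed: float, cdf_base: float, outage_h: float) -> float:
    """Incremental conditional core damage probability for one outage of the train:
    (CDF with the train out minus base CDF) integrated over the outage duration."""
    return (cdf_train_failed - cdf_base) * outage_h / HOURS_PER_YEAR


# Constructed example values (hypothetical train, not from any plant PRA).
CDF_BASE = 5.0e-5           # per year, base case
CDF_TRAIN_FAILED = 4.0e-4   # per year, train's basic event set to 1
CDF_TRAIN_PERFECT = 4.6e-5  # per year, train's basic event set to 0
BASE = TrainParams(lam_standby=1.0e-5, q_demand=1.0e-3, test_downtime_h=2.0,
                   sti_h=720.0, maint_freq_per_h=1.0 / 8760.0, maint_duration_h=24.0)


def evaluate_sti_change(new_sti_h: float = 2190.0) -> dict:
    """Relax the STI from monthly (720 h) to quarterly (2190 h)."""
    new = replace(BASE, sti_h=new_sti_h)
    ib = birnbaum_importance(CDF_TRAIN_FAILED, CDF_TRAIN_PERFECT)
    return {"q_base": average_unavailability(BASE),
            "q_new": average_unavailability(new),
            "delta_cdf_per_year": delta_cdf(BASE, new, ib)}


def evaluate_aot_change(old_aot_h: float = 72.0, new_aot_h: float = 168.0) -> dict:
    """Extend the AOT from 3 to 7 days: per-outage risk if the full AOT is used."""
    return {"ccdp_old": single_outage_ccdp(CDF_TRAIN_FAILED, CDF_BASE, old_aot_h),
            "ccdp_new": single_outage_ccdp(CDF_TRAIN_FAILED, CDF_BASE, new_aot_h)}


if __name__ == "__main__":
    print("STI change :", evaluate_sti_change())
    print("AOT change :", evaluate_aot_change())
    print("optimal STI:", round(optimal_sti(BASE), 1), "h")
```

The two terms that depend on the test interval pull in opposite directions (undetected failures grow with a longer interval, test downtime shrinks), which is why an optimum interval exists and why test errors, which add to the downtime term, shift it. The per-outage quantity is the same kind of conditional core damage probability that is used to rank operating events by significance.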

There are currently five ongoing programs that are developing these methods as described below.

Procedures for Evaluating Technical Specifications

In 1983, a task force established by the EDO provided recommendations to improve surveillance testing requirements in technical specifications. The resulting actions formed the Technical Specification Improvement Program. In 1987, a Commission Interim Policy Statement on Technical Specifications Improvement encouraged licensees to voluntarily implement a Technical Specification Improvement Program that included applying risk-analysis methods and human-factors principles to improve technical specifications. In support of this program, research began to develop methods for evaluating the risk impact of requirements in technical specifications, to explore alternative approaches, and to provide a technical basis for improvements.

This research, which is largely completed, has published methods to evaluate the risk impact of AOTs and STIs (including the impact of test errors). The work also outlined a conceptual approach for operational configuration control. The remaining work on this project, which is being completed in 1993, will provide a method to evaluate the risk impact of scheduled maintenance intervals. The approach analyzes the balance between beneficial and adverse effects of maintenance, and models three states: operable, degraded (i.e., ready for preventive maintenance), and failed. The method can use NPRDS data for incipient, degraded, and complete failures. The results of this research will allow analysis of the risk impact of issues such as not permitting certain preventive maintenances during power operation, and instead requiring that AOTs during power operation be used only for corrective maintenance.

One of the new STS's will be used as a testbed for a limited pilot application of the methods described in this report for evaluating requirements in technical specifications. This pilot application involves developing a strategy and criteria that will result in clear, simple statements of requirements that integrate risk and practical considerations to control risk efficiently. These criteria are intended to address:

The scope and frequency of updating of the PRA/PSA and data base that form the basis for the licensee's risk analysis.

What risks must be assessed to support technical specification changes and acceptable ways to model them (e.g., test intervals, test effectiveness, test errors, and aging effects).

Prioritizing risk contributors in technical specifications.

Acceptable changes in risk.

Experience feedback, if appropriate, in updating technical specification requirements.

Technical Specification Requirements During Shutdown

NRC is reevaluating regulatory requirements for nuclear power plants during shutdown. One aspect of this reevaluation is to consider how effectively technical specifications control risk during shutdown.

In support of this endeavor, this project was established to develop methods for evaluating the risk impact of plant configurations permitted and surveillance required by technical specifications during shutdown; to explore alternative approaches; and to provide a technical basis for improvements. These analysis methods use as a framework the low-power-and-shutdown PRA/PSAs (described elsewhere in this report).

These models and trial applications to a PWR and a BWR will be completed in late 1993.

Action Statements That Require Shutdown

As part of the program to improve technical specifications, action statements that require plant shutdown if an allowed outage time is exceeded are being developed.

The issue concerns a few systems, such as residual heat removal (RHR), standby service water (SSW), and auxiliary feedwater, that may be required to cool the plant during shutdown. Currently, action statements in technical specifications typically require that plants shut down when an AOT is exceeded, even though shutdown may require use of the system that is out-of-service for maintenance. The work has developed a decision-analysis method for comparing the risk impact of transferring the plant to shutdown versus the risk impact of continued power operation.

The method and trial application to RHR and SSW at a BWR-6 are being published this Spring. An equivalent method and trial application to a PWR will be completed in early 1994.

Technical Specification Defenses Against Dependent Failures

Technical specifications set surveillance requirements and AOTs in order to assure the availability of a plant's safety systems. These safety systems are designed to achieve high availability through redundancy. Redundancy, however, can be defeated by dependent (e.g., common-cause) failures. For example, the Davis-Besse loss of all feedwater in 1985 involved several valves stuck shut (dependent failures). Despite the importance of dependent failures, most technical specification requirements do not explicitly address and protect against dependent failures.

In support of this concern, a method and criteria are being developed for explicitly addressing dependent failures in setting STIs and AOTs. This method uses a NUREG-1150 PRA as the framework within which to model and evaluate the risk impact of postulated technical specification improvements. A recent AEOD analysis of industry-wide experience with dependent-failure events is used as a reality check to supplement the PRA/PSA. Possible improvements in technical specifications that might better defend against such dependent failures are being postulated.

The purpose is to determine whether simple changes in surveillance requirements and AOTs would substantially reduce the risk of operating reactors. The result will be an assessment of the effectiveness of this approach.

Method for Monitoring Dependent Failures

This effort is a related project that supports AEOD trends and analysis of operational data. This project has developed a method for analyzing failure data to estimate the fraction of failures that are dependent failures. The method compares the distribution of observed times-between-failures with the distribution expected if the failures were independent. The difference reflects dependent failures. The method estimates the fraction of dependent failures (e.g., a beta factor) and the actual safety-system unavailability with this degree of dependency.

The methods-development has been completed, and the report will be published in mid 1993.

AEOD and RES are discussing whether additional work is warranted to make the software directly applicable to AEOD screening of data to help recognize dependent-failure events.
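As an added example of the comparison described above (not the AEOD/RES software or method), the Python below pools the failure times of two redundant trains, counts the failures that sit closer to a neighbour than a coupling window, compares that count with what an independent (Poisson) failure process of the same overall rate would produce, and attributes the excess to common cause to give a beta-factor estimate; it then shows the effect of that beta on the unavailability of a 1-of-2 standby system. The failure times, observation period and coupling window are constructed for the example, and the 1 - exp(-2*Lambda*w) expectation is an approximation that ignores the two boundary failures.

```python
"""Estimate the dependent-failure fraction (beta factor) from pooled failure times.

Illustrative implementation (not the NRC/AEOD method): if the pooled failures
of m redundant trains were independent they would form a Poisson process, so
the gaps between successive failures would be exponential with rate
Lambda = n / T_obs. Common-cause events produce clusters of failures far
closer together than that distribution predicts; the excess of clustered
failures over the independent expectation is attributed to dependent failures.
"""
import math

# Constructed sample: failure times (hours) pooled over two redundant trains
# during T_OBS_H hours of observation. The three close pairs (17000/17003,
# 38000/38001.5, 70000/70006) are the planted common-cause events.
T_OBS_H = 87_600.0        # 10 years
N_TRAINS = 2
FAILURE_TIMES_H = sorted([
    1500, 5200, 9800, 14300, 17000, 17003, 21000, 27700, 33100,
    38000, 38001.5, 40200, 46800, 52500, 60100, 67400, 70000, 70006,
    74200, 81900,
])
COUPLING_WINDOW_H = 24.0  # failures closer than this are candidate dependent failures


def cluster_members(times, window):
    """Number of failures belonging to a cluster (gap to a neighbour <= window)."""
    times = sorted(times)
    members = 0
    size = 1
    for prev, cur in zip(times, times[1:]):
        if cur - prev <= window:
            size += 1
        else:
            if size >= 2:
                members += size
            size = 1
    if size >= 2:
        members += size
    return members


def expected_cluster_members(n, t_obs, window):
    """Expected clustered failures if all n failures were independent (Poisson).

    Each failure has an exponential gap (rate Lambda) to its left and right
    neighbour; the chance that at least one is <= window is
    1 - exp(-2*Lambda*window). Approximation: ignores the two boundary failures.
    """
    lam_pooled = n / t_obs
    return n * (1.0 - math.exp(-2.0 * lam_pooled * window))


def estimate_beta(times, t_obs, window):
    """Beta factor: fraction of failures attributed to common cause."""
    n = len(times)
    observed = cluster_members(times, window)
    expected = expected_cluster_members(n, t_obs, window)
    excess = max(0.0, observed - expected)
    return excess / n


def standby_unavailability(lam, beta, test_interval):
    """Mean unavailability of a 1-of-2 standby system tested every test_interval hours.

    Standby failure unavailability averaged over a test interval is lam*T/2.
    Beta-factor split: independent part (1-beta)*lam, common-cause part beta*lam.
    Returns (independent-only model, beta-factor model).
    """
    q_total = lam * test_interval / 2.0
    q_ind = (1.0 - beta) * q_total
    q_cc = beta * q_total
    return q_total ** 2, q_ind ** 2 + q_cc


def analyse(times=FAILURE_TIMES_H, t_obs=T_OBS_H, n_trains=N_TRAINS,
            window=COUPLING_WINDOW_H, test_interval=720.0):
    beta = estimate_beta(times, t_obs, window)
    lam_train = len(times) / (n_trains * t_obs)  # per-train total failure rate
    q_independent, q_with_ccf = standby_unavailability(lam_train, beta, test_interval)
    return {"beta": beta, "lambda_per_train": lam_train,
            "q_independent_model": q_independent, "q_beta_factor_model": q_with_ccf}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:22s} {value:.4g}")
```

On the constructed data the independent expectation is a fraction of one clustered failure, six are observed, and the resulting beta of about 0.29 raises the monthly-tested two-train unavailability by roughly a factor of seven over the independent model, which is the sort of gap that surveillance requirements written without regard to dependent failures leave open.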

These five programs are focused on developing methods for technical specification optimization. The methods developed, given that the limitations, boundary conditions, assumptions, uncertainties, data, and human performance issues associated with PRA/PSA are properly addressed, can provide assistance in determining the ground rules or restrictions that would be necessary to maintain the current level of safety while providing additional flexibility in the implementation of the regulations. In addition, there are other ongoing programs within RES which also utilize PRA/PSA, will provide necessary insights, and will provide assistance in addressing the above mentioned concerns.

Technical Analysis of Proposed Changes to the South Texas Technical Specifications

Houston Lighting and Power, the licensee for the South Texas Nuclear Project (STNP), submitted a proposed amendment to its operating license. The Probabilistic Risk Analysis Branch is developing a framework for analysis and a technical basis for evaluating the proposed changes to AOTs and STIs for the STNP. The evaluation involves reviewing the system failure models and sequence level cut sets of the STNP PSA, establishing a systematic risk profile for the base case three-train configuration of the STNP, obtaining the overall risk impact of the proposed changes in AOTs and STIs, and developing a framework which will support the bases for approval of the proposed changes in AOTs and STIs based on risk arguments.

Although this effort is not a formal program to develop "generic" methods for evaluating proposed technical specification changes, insights can be used for generic applications.

Individual Plant Examination Data Base

On November 23, 1988, Generic Letter 88-20 was issued requesting licensees to perform an Individual Plant Examination (IPE) with the general purpose of each licensee "to develop an appreciation of severe accident behavior, to understand the most likely severe accident sequences that could occur at its plant, to gain a more quantitative understanding of the overall probabilities of core damage and fission product releases, and (if necessary) to reduce the overall probabilities of core damage and fission product releases by modifying, where appropriate, hardware and procedures that would help prevent or mitigate severe accidents."[1]

In support of this effort, an IPE Data Base has been developed which catalogs the information provided in each licensee's IPE submittal. The type of information being input to the data base for each IPE includes the following:

[1] INDIVIDUAL PLANT EXAMINATION FOR SEVERE ACCIDENT VULNERABILITIES - 10 CFR 50.54(f), Generic Letter No. 88-20.


Plant information (e.g., reactor and containment type)

Initiating event information (e.g., initiating event and its associated frequency)

Accident sequence information (e.g., accident sequence description and associated frequency)

System and component dependency information

Core damage frequency information

Plant damage state information

The data base will allow users to gather information both by plant and across plants. For example, the data base will identify those plants where a certain issue such as loss of offsite power is a concern; will identify concerns for a group of plants, such as identifying the dominant contributors for 3-loop Westinghouse plants; and will identify those plants where a system concern may exist, such as identifying plants where diesel generators are dependent on instrument air. These are a few examples of the uses of the IPE data base.

The information currently being entered into the data base only includes IPE data. As part of the IPE effort, licensees were only required to examine internal initiators and internal flooding. NUREG-1407 provides the guidelines for the IPE of external events. The data base will be expanded to include this information for each licensee.

Low Power and Shutdown PRA

PRA/PSAs have traditionally examined only severe accidents occurring at full power operation. Analyses have indicated that severe accidents occurring at low power and shutdown could be significant. A major program has been in progress to assess the frequencies and risks of accidents initiated during low power and shutdown modes of operation for two nuclear power plants by performing detailed PRAs for the various operational modes. This effort also involves the development of new methods and will compare the assessed risk with that of accidents initiated during full power operation.

The work involves examining the accidents initiated by internal events (including flooding and fire) as well as external events (e.g., earthquakes). Ultimately a full PRA (core damage frequency, fission product releases and consequences) will be completed.

Plant Aging

[TO BE WRITTEN]

PRA Working Group

In 1991, the Executive Director for Operations formed a working group of staff management (i.e., PRA Working Group) to "consider what improvements in methods and data analysis are possible and needed, the role of uncertainty analysis in different staff uses of PRA, if improvements are needed in the allocation of existing PRA staff, and the need for recruitment of more staff (or for identifying other means for supplementing staff resources)."[2]

The objectives of the PRA Working Group are to develop guidance on consistent and appropriate uses of PRA/PSA within the NRC; to identify skills and experience necessary for each category of staff use; and to identify improvements in PRA/PSA methods and associated data necessary for each category of staff use. In support of these objectives, the Group has defined the scope of its work as follows:

Ascertain present uses of PRA/PSA by the staff; future PRA/PSA uses which are not now well defined (e.g., possible transition to risk-based reactor regulation) are not included in the Group's scope of work.

Review available or developing risk analysis documents and guides, and develop recommendations for improvement. Such improvements are the responsibility of the user organization, with oversight by the Working Group. It is not within the Group's scope to update or replace such guides, although the Group may make recommendations to update them.

Assess staff skills and experience needed to appropriately apply PRA/PSA, including staff organizational considerations, if appropriate. While the skills and experience assessment is within the scope of the Group's work, the development and implementation of plans to change staffing levels, staff training, or organizational arrangements are the principal responsibility of the Office of Personnel and the affected offices, as part of the overall development and implementation of the agency's Human Resources Strategic Plan.

Assess needed improvements in PRA/PSA techniques and data to support appropriate staff use of risk analysis. This assessment focuses on improvements needed for particular uses, rather than a broad assessment of needed improvements in risk analysis methods, and uses state-of-the-art risk studies such as NUREG-1150 as reference and resource material. The performance of any such improvements is the responsibility of the appropriate staff organization, not the Working Group.

It must be ensured that the current level of safety is maintained when utilizing an integral analysis, such as PRA/PSA, to provide more flexibility in the regulations and in the implementation of the regulations. NRC-sponsored programs were inventoried in a first step to determine what types of general rules and restrictions would need to be imposed so that PRA/PSA can be used while maintaining the current level of safety. A summary of these PRA/PSA programs that could provide insights is provided in Table 5.9-2 below.

[2] Letter from James M. Taylor, Executive Director for Operations, NRC, to David A. Ward, Chairman, ACRS, October 1, 1991.

5.9.2 Recommendations

[TO BE WRITTEN]


Table 5.9-2 Summary of NRC-Sponsored PRA/PSA Programs

RESPONSIBILITY   PROGRAMS                                                        APPLICATION

AEOD/DSP/TPAB    Analysis of operational data to identify and provide            Data support to technical specification and graded QA optimization
                 quantitative content for safety issues

AEOD/DSP/ROAB    Accident Sequence Precursor Program                             Data support to technical specification and graded QA optimization

NRR/DORS/TSB     Technical Specification Improvement Program                     Utilization of technical specification optimization

NRR/DSSA/PSAB    Risk Evaluation of Safety Issues                                Information support to technical specification and graded QA optimization
                 Review of Licensee Requests for Exemption

RES/DSR/HFB      Procedures for Evaluating Technical Specifications              Development of technical specification optimization methods
                 Technical Specification Requirements During Shutdown
                 Action Statements That Require Shutdown
                 Technical Specifications Defenses Against Dependent Failures
                 Method for Monitoring Dependent Failures

RES/DSIR/PRAB    Technical Analysis of Proposed Changes to the South Texas       Information support to technical specification and graded QA optimization
                 Technical Specifications

RES/DSIR/SAIB    Individual Plant Examination Data Base                          Information support to technical specification and graded QA optimization

RES/DSIR/PRAB    Low Power and Shutdown PRA                                      Information support to technical specification and graded QA optimization

RES/DE/EMEB      Plant Aging

RES/DSIR/PRAB    PRA Working Group                                               Information support to technical specification and graded QA optimization

March 30, 1993

NOTICE OF PUBLIC MEETING

FROM: Frank P. Gillespie, Regulatory Review Group

SUBJECT: MEETING NOTICE IN ANTICIPATION OF THE PUBLICATION OF A FEDERAL REGISTER NOTICE

DATE AND TIME: MAY 6, 1993, 8:00 a.m. - 1:00 p.m.

LOCATION: U.S. NRC, One White Flint North, Rockville, MD, Room 128-11

Material is currently under review by the Regulatory Review Group Steering Committee for placement in the Public Document Room. This material reflects progress to date and some initial recommendations on which comments would be welcome. This material will not be available until after April 26, 1993.

While this will permit only a limited review by interested parties, we still believe a meeting is warranted. As additional material is developed and draft recommendations finalized the material will be modified on approximately a monthly basis and public meetings held to receive comments or answer questions.

Original signed by
Frank P. Gillespie
Regulatory Review Group

cc: J. Taylor, J. Sniezek, T. Murley, R. Bernero, E. Beckjord, E. Jordan, J. Scinto

DISTRIBUTION: Central Files, PDR, ACRS (10), NRR Mailroom 12G-18, RRG Team Members

March 1, 1993

NOTICE OF PUBLIC MEETING

FROM: Frank P. Gillespie, Regulatory Review Group

SUBJECT: MEETING NOTICE IN ANTICIPATION OF THE PUBLICATION OF A FEDERAL REGISTER NOTICE

DATE AND TIME:

T '. "."" P ' ooL -

2:00 P.M. - 4:00 P.M.

LOCATION: U.S. NRC, One White Flint North, Rockville, MD, Room 2F-17/21

Material is currently under review by the Regulatory Review Group Steering Committee for placement in the Public Document Room. This material reflects progress to date and some initial recommendations on which comments would be welcome. This material will not be available until after March 5, 1993.

While this will permit only a limited review by interested parties, we still believe a meeting is warranted. As additional material is developed and draft recommendations finalized the material will be modified on approximately a monthly basis and public meetings held to receive comments or answer questions.

John P. Jaudon for
Frank P. Gillespie
Regulatory Review Group

cc: J. Taylor, J. Sniezek, T. Murley, R. Bernero, E. Beckjord, E. Jordan, J. Scinto

DISTRIBUTION: Central Files, PDR, ACRS (10), NRR Mailroom 12G-18, RRG Team Members