Text

10/18-19/2022 ACRS Public Meeting - Predecisional - Documents to Support Part 53 - DG-1414 Alternative Evaluation for Risk Insights (Aeri) Methodology
	ML22272A045
Person / Time
Issue date:	09/29/2022
From:	; Office of Nuclear Material Safety and Safeguards
To:	;
	Beall, Robert
Shared Package
ML22272A034	List: ML22272A036; ML22272A038; ML22272A039; ML22272A040; ML22272A042; ML22272A045; ML22272A047; ML22272A049; ML22272A051;
References
	10 CFR Part 53, DG-1414, NRC-2019-0062, RIN 3150-AK31
	Download: ML22272A045 (27)
	v • d • e

U.S. NUCLEAR REGULATORY COMMISSION DRAFT REGULATORY GUIDE DG-1414 Proposed new Regulatory Guide 1.255, Revision 0 Issue Date: Month 20##

Technical Leads: A. Neuhausen/A. Grady This draft regulatory guidance is the latest draft regulatory guidance that the NRC staff has publicly released to support interactions with the Advisory Committee on Reactor Safeguards (ACRS). This version is based on reviews by NRC staff and consideration of stakeholder input. The NRC staff expects to adopt further changes in the draft regulatory guidance.

This guidance has not been subject to complete NRC management or legal review, and its contents should not be interpreted as official agency positions. The NRC staff plans to continue working on the draft regulatory guidance provided in this document.

ALTERNATIVE EVALUATION FOR RISK INSIGHTS (AERI)

METHODOLOGY A. INTRODUCTION Purpose This regulatory guide (RG) provides the U.S. Nuclear Regulatory Commission (NRC) staffs guidance on the use of an Alternative Evaluation for Risk Insights (AERI) methodology to inform the content of applications and licensing basis for light-water reactors (LWRs) and non-LWRs. It describes an approach that is acceptable to support an application that proposes to use the AERI methodology in 10 CFR 53.4730, such that the expectations of the Commissions Safety Goal Policy Statement (Ref. 1) and Severe Reactor Accident Policy Statement (Ref. 2) are met and that risk insights are adequate for use in regulatory decision-making. This RG and Draft Regulatory Guide (DG) 1413 (proposed new Regulatory Guide (RG) 1.254), Technology-Inclusive Identification of Licensing Events for Commercial Nuclear This RG is being issued in draft form to involve the public in the development of regulatory guidance in this area. It has not received final staff review or approval and does not represent an NRC final staff position. Public comments are being solicited on this RG and its associated regulatory analysis. Comments should be accompanied by appropriate supporting data. Comments may be submitted through the Federal rulemaking Web site, http://www.regulations.gov, by searching for draft regulatory guide DG-1414. Alternatively, comments may be submitted to Office of the Secretary, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, ATTN: Rulemakings and Adjudications Staff.

Comments must be submitted by the date indicated in the Federal Register notice.

Electronic copies of this RG, previous versions of RGs, and other recently issued guides are available through the NRCs public Web site under the Regulatory Guides document collection of the NRC Library at https://www.nrc.gov/reading-rm/doc-collections/reg-guides/index.html. The RG is also available through the NRCs Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under Accession No. ML22257A248. The regulatory analysis is associated with a rulemaking and may be found in ADAMS under Accession No. MLXXXXXXXXX.

Plants, (Ref. 3), provide guidance on the selection of licensing events. The guidance provided in this RG relies on DG -1413 (proposed new RG 1.254) for inputs to analyses for the AERI methodology.

Applicability This RG applies to LWR and non-LWR applicants for permits, licenses, certifications, and approvals under the proposed regulations in Title 10 of the Code of Federal Regulations (10 CFR) Part 53, Risk Informed, Technology-Inclusive Regulatory Framework for Commercial Nuclear Plants, licensed under Framework B (Ref. 4), Subpart R, Licenses, Certifications, and Approvals, that propose to use the AERI approach in 10 CFR 53.4730(a)(34)(ii).

Although the conduct of a probabilistic risk assessment (PRA) is not required for applicants eligible to use the AERI methodology, a PRA confers additional benefits such as providing a way to optimize the design and to take advantage of various risk-informed initiatives (e.g., risk-informed completion times, risk-informed categorization of structures, systems, and components (SSCs)) that require an acceptable PRA.

Applicable Regulations

The following are applicable regulations for applicants and licensees that are subject to 10 CFR 53.4730(a). Applicants and licensees are subject to only those regulations below pertaining to them.

o 10 CFR 53.4730(a)(5) requires applicants for construction permits (CPs), operating licenses (OLs), early site permits (ESPs), combined licenses (COLs), standard design approvals (SDAs), design certifications (DCs), and manufacturing licenses (MLs), who respectively use the provisions of 10 CFR 53.4909, 53.4969, 53.4756, 53.5016, 53.4809, 53.4839, and 53.4879, to identify postulated initiating events for anticipated operational occurrences and design-basis accidents using a risk-informed approach for systematically evaluating engineered systems.

o 10 CFR 53.4730(a)(34)(ii) establishes AERI as an alternative to a PRA and provides the entry conditions for an AERI.

Related Guidance

DG-1413 (proposed new RG 1.254), Technology-Inclusive Identification of Commercial Nuclear Plant Licensing Events, is a companion to this RG, and the RGs are intended to be used together in implementing the AERI methodology. DG-1413 (proposed new RG 1.254) provides technology-inclusive guidance on searching for initiating events, delineating event sequences, and identifying licensing events used to inform the design basis, licensing basis, and content of applications for commercial nuclear plants including LWRs and non-LWRs such as, but not limited to, molten salt reactors, high-temperature gas-cooled reactors, and a variety of fast reactors at different thermal capacities.

Trial RG 1.247, Acceptability of Probabilistic Risk Assessment Results for Advanced Non-Light Water Reactor Risk-Informed Activities (Ref. 5), describes an approach for determining whether a design-specific or plant-specific PRA used to support an application is sufficient to provide confidence in the results, such that the PRA can be used in regulatory decision-making for non-LWRs.

RG 1.200, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities (Ref. 6), provides an acceptable approach for determining whether a base PRA, in total or in the DG-1414, Page 2

portions that are used to support an application, is sufficient to provide confidence in the results, such that the PRA can be used in regulatory decision-making for LWRs.

NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition (Ref. 7), provides guidance to the NRC staff in performing safety reviews of CP or OL applications, including requests for amendments under 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, (Ref. 8), and applications for ESPs, DCs, COLs, SDAs, or MLs under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, (Ref. 9) (including requests for amendments).

o NUREG-0800, Section 19.0, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors, pertains to the NRC staff review of the description and results of a design-specific PRA for a DC application or the plant-specific PRA for a COL application, and severe accident design features for a DC or COL application.

Policy Statement on the Regulation of Advanced Reactors, (Volume 73 of the Federal Register (FR), page 60612, October 14, 2008) (Ref. 10), establishes the Commissions expectations related to advanced reactor designs to protect the environment and public health and safety and promote the common defense and security with respect to advanced reactors.

Policy Statement, Severe Reactor Accidents Regarding Future Designs and Existing Plants, 50 FR 32138, August 8, 1985 (Ref. 2).

Policy Statement (Corrections and Republication), Safety Goals for the Operations of Nuclear Power Plants, 51 FR 30028, August 21, 1986 (Ref. 1).

Policy Statement, Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities, 60 FR 42622, August 16, 1995 (Ref. 11).

RG 1.70, Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants (LWR Edition) (Ref. 12), provides detailed guidance to the writers of safety analysis reports to allow for the standardization of information the NRC requires for granting CPs and OLs.

RG 1.81, Content of the Updated Final Safety Analysis Report in Accordance with 10 CFR 50.71(e) (Ref. 13), provides methods the NRC staff finds acceptable for complying with the provisions of 10 CFR 50.71(e), requiring periodic development of updates to the final safety analysis report.

RG 1.206, Applications for Nuclear Power Plants (Ref. 14), provides guidance on the format and content of applications for nuclear power plants submitted to the NRC under 10 CFR Part 52, which specifies the information to be included in an application.

RG 1.232, Guidance for Developing Principal Design Criteria for Non-Light Water Reactors (Ref. 15), describes the NRCs guidance on how the general design criteria in 10 CFR Part 50, Appendix A, General Design Criteria for Nuclear Power Plants, may be adapted for non-LWR designs. This guidance may be used by non-LWR reactor designers, applicants, and licensees to develop principal design criteria for any non-LWR designs, as required by the applicable NRC regulations for nuclear power plants. The RG also describes the NRCs guidance for modifying and supplementing the general design criteria to develop principal design criteria that address two types of non-LWR technologies: sodium cooled fast reactors and modular high-temperature gas-cooled reactors (MHTGRs).

DG-1414, Page 3

NRC Vision and Strategy: Safely Achieving Effective and Efficient Non-Light Water Reactor Mission Readiness, issued December 2016 (Ref. 16), describes the NRCs vision and strategy for preparing for non-LWR reviews.

SECY-90-016 (Ref. 17), SECY-93-087 (Ref. 18), SECY-96-128 (Ref. 19), and SECY-97-044 (Ref. 20) provide Commission-approved guidance for implementing features in new designs to prevent severe accidents and to mitigate their effects, should they occur.

Purpose of Regulatory Guides The NRC issues RGs to describe methods that are acceptable to the staff for implementing specific parts of the agencys regulations, to explain techniques that the staff uses in evaluating specific issues or postulated events, and to describe information that the staff needs in its review of applications for permits and licenses. Regulatory guides are not NRC regulations and compliance with them is not required. Methods and solutions that differ from those set forth in RGs are acceptable if supported by a basis for the issuance or continuance of a permit or license by the Commission.

Paperwork Reduction Act This RG provides voluntary guidance for implementing the mandatory information collections in 10 CFR Part 53 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et. seq.). These information collections were approved by the Office of Management and Budget (OMB), under control number 3150-XXX, respectively. Send comments regarding this information collection to the FOIA, Library, and Information Collections Branch ((T6-A10M), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202 (3150-XXX), Office of Management and Budget, Washington, DC, 20503.

Public Protection Notification The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.

DG-1414, Page 4

B. DISCUSSION Reason for Issuance This RG provides guidance on the use of an AERI methodology to inform the content of applications and licensing basis for applications for LWRs and non-LWRs that are submitted under Subpart R, Licenses, Certifications, and Approvals, of 10 CFR Part 53. The regulations at 10 CFR 53.4909, 53.4969, 53.4756, 53.5016, 53.4809, 53.4839, and 53.4879, which largely correspond to the 10 CFR Part 50 and 10 CFR Part 52 requirements at sections 10 CFR 50.34(a)(4), 52.47(a)(4),

52.79(a)(5), 52.137(a)(4), and 52.157(f)(1), for CPs, OLs, ESPs, COLs, SDAs, DCs, and MLs, respectively, include the level of information sufficient to enable the Commission to reach a conclusion on safety questions before issuing a license or certification. These regulations, through reference to 53.4730(a)(34), require applicants to either submit a PRA or, upon meeting certain entry conditions, use the AERI methodology, described herein, to evaluate risk.

Background

The companion DG-1413 (proposed new RG 1.254) outlines a technology-inclusive approach to identify licensing events. Because this RG (DG-1414) applies to applications under Part 53, Framework B, Subpart R, analyses supporting the use of the AERI methodology should consider anticipated operational occurrences, design-basis accidents, additional licensing basis events, and severe accidents.

This RG outlines an approach applicable to reactor designs that meets the AERI entry conditions in paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B). What distinguishes reactor designs for which an applicant may employ the option of seeking NRC approval under the AERI methodology from other reactor designs is that the former pose significantly reduced risk of radioactive releases from even the most severe potential accidents as compared to risks from currently operating reactors. An applicant that qualifies to use the AERI methodology is required to meet all applicable regulations in Part 53 Framework B, which includes performing accident analysis for the appropriate licensing events and having a full understanding of the facility design and its offsite dose consequences. The purpose of the AERI methodology is to allow an alternative method for gaining an understanding of the risk of the facility, which may entail describing a conservative or bounding understanding of the risk for those facilities with very low offsite dose consequences. The AERI methodology is an alternative method that may be used if entry conditions are met in lieu of a PRA that conforms to industry consensus standards.

Specifically, applicants need to provide an analysis and evaluation of the design and performance of SSCs with the objective of assessing the risk to public health and safety resulting from operation of the facility, including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of SSCs provided for the prevention of accidents and the mitigation of the consequences of accidents. In addition, applicants could elect to perform a single or multiple bounding analyses and evaluations to demonstrate that the design appropriately mitigates the consequences of accidents. In taking this approach, applicants need to demonstrate that the bounding analysis and evaluation adequately envelopes conditions for the full range of anticipated operational occurrences and design-basis accidents, with sufficient margin. Such an evaluation need not be based on a credible accident to demonstrate that operation of the facility could not exceed the conditions imposed for the bounding evaluation(s).

An applicant confirms that the AERI entry conditions are met by estimating dose consequences using a postulated bounding event or events, considering risk insights, searching for severe accident vulnerabilities, and assessing the adequacy of the design in terms of layers of defense in depth. For an applicant that uses the AERI methodology, a quantifiable very low risk may be established by comparing DG-1414, Page 5

a demonstrably conservative risk estimate using the postulated bounding event with the quantitative health objectives (QHOs), which are derived from the Commission Safety Goal Policy Statement (Ref. 1).

The AERI process may be iterative depending upon the information available at the time of application. The level of conservatism employed to demonstrate that the requirements of paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B) are met could similarly vary based on the details available at the time of application.

This RG provides guidance to demonstrate that the AERI entry conditions are met and provides guidance on using the AERI methodology. The first two steps below provide the steps necessary to demonstrate that the AERI entry conditions are met. The first step along with the final four provide the steps of the AERI methodology that are needed to satisfy paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B). The first step supports the demonstration that the AERI conditions are met and provides guidance on the AERI methodology. In the AERI methodology, the postulated bounding event or events should be used to determine a dose consequence estimate that can be used to demonstrate that the design meets the AERI entry conditions specified in paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B); the postulated bounding event should also be used to determine consequence estimates that are then used to determine a demonstrably conservative risk estimate that can be compared to the QHOs. The AERI methodology also includes an adequate evaluation of risk insights as required by 10 CFR 53.4730(a)(34)(ii). The components of the AERI approach addressed in this RG include the following Regulatory Guidance Positions:

(1) identification and characterization of the postulated bounding event or events (2) determination of a dose consequence estimate for the postulated bounding event or events to confirm that the reactor design meets the entry conditions specified in paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B)

(3) determination of a demonstrably conservative risk estimate for the postulated bounding event to demonstrate that the QHOs are met (4) search for severe accident vulnerabilities for the entire set of licensing events (5) identification of risk insights for the entire set of licensing events (6) assessment of defense-in-depth adequacy for the entire set of licensing events (7) maintaining and upgrading the AERI risk evaluation (8) application-specific considerations for the Alternative Evaluation for Risk Insights (9) procedural and other non-technical aspects A PRAs capability to identify and eliminate severe accident vulnerabilities and identify risk insights has been established through many years of LWR operating experience, Commission studies (e.g., WASH-1400 (Ref. 21), NUREG-1150 (Ref. 22)), significant events (Three Mile Island-2, Browns Ferry fire, Fukushima), Commission policies (e.g., PRA Policy Statement, Severe Accident Policy Statement, Safety Goal Policy Statement), the Individual Plant Evaluations (IPEs), and the Individual Plant Evaluation for External Events (IPEEEs). However, for an applicant for a reactor with very low risk that does not wish to use PRA, this RG describes an alternative approach for identifying risk insights that does not call for the development of a PRA. Such an application may use a demonstrably conservative analysis using a postulated bounding event to address the NRC safety goals from which the QHOs are derived. The Safety Goal Policy Statement addresses all undesirable consequences of reactor accidents, including impacts to public safety. It states, DG-1414, Page 6

Severe core damage accidents can lead to more serious accidents with the potential for life-threatening offsite release of radiation, for evacuation of members of public, and for contamination of public property. Apart from their health and safety consequence, severe core damage accidents can erode the public confidence in the safety of nuclear power and can lead to further instability for the industry. In order to avoid these adverse consequences, the Commission intends to continue to pursue a regulatory program that has as its objective providing reasonable assurance, while giving appropriate consideration to the uncertainties involved, that a severe core damage accident will not occur.

An applicant may elect to use the AERI methodology when the entry conditions are met, indicating that the safety of the plant and acceptable risk to the public can be demonstrated without relying on the results of an acceptable PRA. An applicant that has not yet developed an essentially complete design may not have sufficient design details available to determine whether the AERI entry conditions are met. In this case, the applicant can elect to use one of the other regulatory frameworks under 10 CFR Part 50, 10 CFR Part 52, or 10 CFR Part 53. An applicant that opts to use the AERI approach without certainty that the entry conditions are met should recognize that this option carries regulatory risk that a PRA may be required in the event that the NRC later determines that it cannot be demonstrated that the design meets the AERI entry conditions.

The discussion that follows covers each of the steps in the AERI methodology. Specifically, this RG sets forth guidance providing one acceptable approach for applicants proposing to use the AERI methodology to support a license application under Part 53 Framework B. Because this RG is applicable to a variety of reactor technologies that use different coolants, fuel forms, and safety system designs, this RG does not provide prescriptive, design-specific guidance. Rather, when practical, this RG provides methodologies acceptable to the NRC for any type of reactor technology. Using these methodologies allows the applicant to focus on those measures needed to address risks posed by the reactor design under consideration and to provide sufficient information on the proposed design and programmatic controls while avoiding an excessive level of detail on less important parts of a design.

Identification and characterization of the postulated bounding event The selection of licensing events is covered in the companion DG-1413 (proposed new RG 1.254) and is used as input to the analyses described in this RG. The identification of the postulated bounding event is based on the results of the consequence analysis performed for the selected licensing events. The determination of the postulated bounding event should consider both core and non-core radiological sources associated with the commercial nuclear reactor or associated with multiple units if the postulated bounding event involves more than one commercial nuclear unit on site. The postulated bounding event should be defined by parameters that include source term, meteorology, atmospheric transport, protective actions, dosimetry, health effects, and consequence quantification and may combine features of several individual licensing events to ensure that it can be appropriately treated as a postulated bounding event. One acceptable method for how the postulated bounding event can be identified and characterized is explained in Regulatory Guidance Position 1 in Section C of this RG.

For some reactor designs, it may not be feasible to identify a single postulated bounding event because several postulated bounding events may exist whose associated characteristics are different such that choosing only one event as the single postulated bounding event does not realistically represent the risk posed by the plant. As an example, it is conceivable that a reactor design has two or three events with approximately similar annual likelihoods of occurrence and with similar overall radiological impacts, but with different radiological characteristics of the analyzed release (e.g., isotopic composition, chemistry, DG-1414, Page 7

timing). In such cases, identifying more than one single postulated bounding event is appropriate. The postulated bounding event as discussed in this RG encompasses this situation where multiple events could be analyzed.

Determination of a dose consequence estimate to confirm that the reactor design meets the entry conditions specified in paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B)

Whether a reactor design qualifies to use the AERI methodology is determined by: (A) if the dose from a postulated bounding event to an individual located 100 meters (328 feet) away from the commercial nuclear plant does not exceed 10 mSv (1 rem) total effective dose equivalent (TEDE) over the first four days following a release, an additional 20 mSv (2 rem ) TEDE in the first year, and 5 mSv (0.5 rem) TEDE per year in the second and subsequent years; and (B) if the qualification in 10 CFR 53.4730(a)(34)(A) was demonstrated to be met without reliance on active safety features or passive safety features, except for those passive safety features that do not require any equipment actuation or operator action to perform their required safety functions, that are expected to survive accident conditions, and that cannot be made unavailable or otherwise defeated by credible human errors of commission and omission.

One acceptable method for how the dose estimate can be calculated and used to confirm that the entry conditions are met is explained in Regulatory Guidance Position 2 in Section C of this RG.

Determination of a demonstrably conservative risk estimate for comparison with the QHOs The demonstrably conservative risk estimate is calculated based on the postulated bounding event and allows for an evaluation of risks to offsite populations. The demonstrably conservative risk estimate should be compared with the QHOs for individual early fatality risk and individual latent cancer fatality risk. The use of a demonstrably conservative risk estimate provides confidence in the analysis that the estimated risk exceeds the actual risk for the plant. The demonstrably conservative risk estimate should use the same postulated bounding event as the dose consequence estimate. The differences between the demonstrably conservative risk estimate and the dose consequence estimate are that:

For the demonstrably conservative risk estimate, a frequency is developed by analysis or assumed; for the dose consequence estimate, no frequency is used as an input to the analysis.

The demonstrably conservative risk estimate considers offsite individuals within a 10-mile radius; the dose consequence estimate considers a location 100 meters away from the commercial nuclear power plant.

The demonstrably conservative risk estimate for the postulated bounding event can be used to support a comparison with the QHOs to demonstrate that the proposed design does not produce risks greater than those described in the NRCs Safety Goal Policy Statement.

The NRCs Safety Goal Policy Statement states:

The Commission has adopted the use of mean estimates for purposes of implementing the quantitative objectives of this safety goal policy (i.e., the mortality risk objectives). Use of the mean estimates comports with the customary practices for cost-benefit analyses, and it is the correct usage for purposes of the mortality risk comparisons. Use of mean estimates does not however resolve the need to quantify (to the extent reasonable) and understand those important uncertainties involved in the reactor accident risk predictions.

As described in NUREG-1855 (Ref. 23, a bounding analysis acceptably demonstrates that the outcome that has the greatest impact on the defined risk metric(s) has been considered. This DG-1414, Page 8

demonstration involves assessing whether the bounding analysis is in fact bounding in terms of the potential outcome and the likelihood of that outcome.

The use of a demonstrably conservative risk estimate is a simplified approach that does not produce a mean estimate; however, it is acceptable to use the demonstrably conservative estimate for comparison with the QHOs, in part, because the AERI methodology should only be used when the risk is low enough that cost-benefit analyses would not yield substantial improvements to safety. However, it remains important to be mindful of potential uncertainties involved in the reactor accident analyses. The use of the demonstrably conservative risk estimate in risk-informed decision-making should address any uncertainties.

Search for severe accident vulnerabilities For plants that meet the entry conditions to use the AERI methodology, the staff expects the applicants search for severe accident vulnerabilities to identify any such vulnerabilities, and to eliminate or reduce these severe accident vulnerabilities if the applicant can use reasonable preventive or mitigative measures to do so. The Commissions Severe Accident Policy Statement of 1985 provides the basis for the search for severe accident vulnerabilities. The first major NRC program to search for severe accident vulnerabilities was the IPE program initiated for all then-operating power reactors under NRC Generic Letter 88-20 (Ref. 24), which was expanded later to external events (the IPEEE). The IPE and IPEEE guidance did not provide a definition for the term vulnerability; rather, each power-reactor licensee was left to define the term vulnerability and to specify the parameters for its search. Licensees, for the most part, were able to meet the objectives of the Severe Accident Policy Statement related to a search for severe accident vulnerabilities by using information from their PRA models, such as significant accident sequences. Because the applicants who use the AERI methodology will not have an acceptable PRA consistent with RG 1.200 or RG 1.247, these applicants will not have information from PRA models to provide insights on severe accident vulnerabilities. Regulatory Guidance Position 4 in Section C of this RG provides guidance on how applicants who use the AERI methodology in paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B) should search for severe accident vulnerabilities and eliminate or reduce them if that can be accomplished using reasonable preventive or mitigative measures.

In the context of the AERI methodology described herein, severe accident vulnerabilities are those aspects of a facility design that represent an overreliance on a single design feature, whether for accident prevention or mitigation, and that could lead to a severe accident after accounting for SSC reliability, human actions, and defense in depth.

Severe accident vulnerabilities can be related to either accident prevention or mitigation. In essence, the goal of the identification of severe accident vulnerabilities is to highlight them for potential remediation. Examples of possible severe accident vulnerabilities are as follows: (a) a common-cause failure (CCF) from a single initiator; (b) a single component failure which by itself results in a severe accident; (c) a single or combined set of operator errors of omission that results in a severe accident; (d) a single error of commission which by itself results in a severe accident; and (e) a failure of a support system which by itself results in a severe accident.

Additionally, the definition of the term severe accident for the AERI methodology is provided in 10 CFR 53.028, Definitions Specific to Framework B.

When used by an applicant selecting the AERI methodology for licensing, the scope of the vulnerability search should include the following:

DG-1414, Page 9

(1) the entire set of licensing events identified in DG-1413 (proposed new RG 1.254) and any severe accidents that are not identified as licensing events (2) an evaluation of all modes of operation (3) consideration of all sources of radioactivity associated with the plant Early consideration of risk insights during the conceptual design phase should address severe accident vulnerabilities such that no severe accident vulnerabilities are identified during the search. The objective of the severe accident vulnerability search is to identify any severe accident vulnerabilities that need to be addressed for 10 CFR 53.4730(a)(5)(v). The applicant should document how the search for severe accident vulnerabilities is conducted and justify that the approach used to conduct the search is adequate.

Identification of risk insights Risk insights should be derived in a systematic manner and should be based on the entire set of licensing events, identified using the guidance in DG-1413 (proposed new RG 1.254), and severe accidents. Sufficient analysis should be performed for each licensing event and severe accident to understand the sequence of events, the timing, the physical, chemical, mechanical, nuclear, thermohydraulic and other phenomena, and how operators or other personnel (onsite or offsite) interact with and participate in the event sequence. The objective of the search for risk insights is to understand issues such as important hazards and initiators, important event sequences and their associated SSC failures and human errors, system interactions, vulnerable plant areas, likely outcomes, sensitivities, and areas of uncertainty to identify those that are important to plant operation and safety (Ref. 25).

One category of insights emerges from the identification of vulnerabilities. Another category of insights emerges from an evaluation of a designs defense-in-depth adequacy. Other insights may include the extent to which operator actions or human errors contribute to or mitigate the licensing event sequence; how sensitive the design is to features intended to cope with the effects of external hazards; whether important sources of common cause failures (CCFs) exist; whether operation at less than full power or when shut down presents different safety concerns; whether the important safety insights are highly sensitive to the ability to analyze safety; the extent to which the design is amenable to accident precursor analysis - meaning whether it is feasible to detect design or operational parameters that could lead to an accident if such parameters are off-normal, so as to provide adequate warning to allow intervention. Risk insights may also include generic results (e.g., results that have been learned from PRAs and risk assessments performed in the past, and lessons from operational experience, and that are applicable to the design under consideration).

Defense in depth The use of the AERI methodology complements the NRCs deterministic approach and supports the NRCs traditional defense-in-depth philosophy as reflected in Part 53 Framework B. The search for risk insights and the search for severe accident vulnerabilities should consider relevant defense-in-depth attributes, including success criteria and equipment functionality, reliability, and availability. The necessity of assuring that a new reactor design embeds sufficient defense in depth has been a long-standing NRC policy and its role is described in a 1999 Advisory Committee on Reactor Safeguards (ACRS) letter to the Commission (Ref. 26). The guidance for defense in depth described in RG 1.174 (Ref. 27) was adapted in this RG for the evaluation of defense in depth to support the AERI methodology.

Many documents exist that provide additional NRC guidance on defense in depth. The regulatory guidance positions described below are adapted from Section 2.1.1.3 of Revision 3 of RG 1.174 and DG-1414, Page 10

provide guidance that the applicant should use for the analysis of defense in depth. Additional regulatory guidance positions from RG 1.174 may be informative but do not provide guidance for the AERI methodology - rather, these should be considered with caution because the purpose of RG 1.174 is to support an evaluation of whether a change to a licensing basis (which could include changes to design features) would cause the licensing basis to no longer meet defense in depth.

The licensing modernization project (LMP) was an initiative of nuclear utilities funded by the U.S. Department of Energy (DOE) which developed technology-inclusive, risk-informed, performance-based licensing methods for non-LWRs and was published as Nuclear Energy Institute (NEI) 18-04, Revision 1 (Ref. 28). The LMP provides guidance for the selection of licensing-basis events, safety classification and performance criteria for SSCs, and evaluation of defense-in-depth adequacy for Part 50 and 52 applicants and licensees. Additional information regarding defense in depth which may be informative for the AERI methodology may be found in NUREG/KM-0009, Historical Review and Observations of Defense-in-Depth (Ref. 29), which summarizes the various descriptions, discussions, and definitions of defense in depth that have been used in other documents and summarizes historical observations on the concept of defense in depth. While written for the enhanced use of PRA, Section 5 of NEI 18-04 provides information that may be useful to consider for the AERI methodology related to assessing defense-in-depth adequacy. NEI 18-04 includes guidance for Part 50 and 52 non-LWR applicants and licensees adapted from a process defined in International Atomic Energy Agency (IAEA) standards and guidance, specifically IAEA Specific Safety Requirements (SSR) No. SSR-2/1, Safety of Nuclear Power Plants: Design (Ref. 30).

Maintaining and upgrading the AERI risk evaluation Section 53.6052(b) requires, in part, that each licensee required to develop a risk evaluation under paragraph (a) must maintain the risk evaluation to reflect the as-built, as-operated facility. The risk evaluation must be maintained at least every five years until permanent cessation of operations under 10 CFR 53.4670.

For applicants or licensees using the AERI methodology and therefore relying in part on an AERI risk evaluation, the word maintain is interpreted to cover two areas. First, it is expected that the AERI risk evaluation will be revised so that it continues to reflect the as-built and as-operated facility. Second, from time to time, the AERI risk evaluation should be revised as appropriate due to any of the following circumstances: a new safety issue might arise that had not been understood earlier, or had been understood differently earlier, or was not reflected in the earlier AERI risk evaluation; new information or data might have been developed; or the facilitys design or operational scheme is now different. Also, a possibility to be explored is that perhaps the postulated bounding event used in the earlier AERI evaluation is no longer the appropriate postulated bounding event.

In any of these situations, the words in proposed 10 CFR 53.6052(b) saying that The risk evaluation must be maintained should be interpreted to mean that the AERI risk evaluation is expected to be reconfirmed, revised, and/or upgraded. Section C presents the staff positions on this activity.

Content of applications The development of applications for NRC licenses, permits, certifications, and approvals is a major undertaking, in that the applicant has to provide sufficient information to support the agencys safety findings. The entry conditions for AERI and the demonstration that they are met are part of the information required in the content of application section. The needed information and level of detail for an applicant using AERI under 10 CFR 53.4730(a)(34)(ii) will vary according to whether an application is for a CP, SDA, DC, OL, COL, or other action. Efforts to standardize the format and content of DG-1414, Page 11

applications for LWRs are reflected in RG 1.70, issued in the 1970s, and RG 1.206; however, other formats may also be used.

Intended use of this regulatory guide This RG, along with companion DG-1413 (proposed new RG 1.254), contains the NRC staffs general guidance on the methodology and information to support applications for licenses, permits, certifications, and approvals for designs using the AERI methodology. This RG is technology inclusive and may be used for LWR and non-LWR commercial nuclear plant applications.

The design process and related development of licensing-basis information is iterative, involving assessments and decisions on key SSCs, concept of operations, operating parameters, and programmatic controls to ensure that a reactor can be operated without posing undue risk to public health and safety. To begin the process of translating design information into a licensing application, a developer needs, at a minimum, a conceptual design that includes a reactor and a primary coolant, and a preliminary assessment of how the design will accomplish fundamental safety functions, such as reactivity and power control, heat removal, and radioactive material retention. The guidance contained herein is intended to be used throughout the design process to inform the design evolution, and so that the licensing application contains the appropriate content and level of detail.

The approach described in this RG provides a general framework to identify and characterize a postulated bounding event or event(s), demonstrate compliance with the AERI entry conditions, develop a demonstrably conservative risk estimate, demonstrate that the proposed design meets the NRCs safety goals, support the identification and use of risk insights for licensing decisions, search for severe accident vulnerabilities, and evaluate defense in depth. DG-1413 (proposed new RG 1.254) provides important inputs to the AERI approach described in this RG.

Consideration of International Standards The IAEA works with member states and other partners to promote the safe, secure, and peaceful use of nuclear technologies. The IAEA develops Safety Requirements and Safety Guides for protecting people and the environment from harmful effects of ionizing radiation. This system of safety fundamentals, safety requirements, safety guides, and other relevant reports reflects an international perspective on what constitutes a high level of safety. To inform its development of this RG, the NRC considered IAEA Safety Requirements and Safety Guides pursuant to the Commissions International Policy Statement (Ref. 31) and Management Directive 6.6, Regulatory Guides (Ref. 32).

The following IAEA Safety Requirements and Guides were considered in the development of this RG:

IAEA, SSR, No. SSR-2/1, Safety of Nuclear Power Plants: Design, (Ref. 30)

IAEA, Specific Safety Guide (SSG), No. SSG-2, Deterministic Safety Analysis for Nuclear Power Plants, (Ref. 33)

IAEA, SSG, No. SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, (Ref. 34)

IAEA-TECDOC-626, Safety Related Terms for Advanced Nuclear Plants, September 1991 (Ref. 35)

DG-1414, Page 12

C. STAFF REGULATORY GUIDANCE The Regulatory Guidance Positions 1 - 9 in this section provide acceptable approaches to the NRC to implement 10 CFR Part 53, Framework B, specifically, to (a) identify and characterize the postulated bounding event, (b) demonstrate that the reactor design meets the entry conditions specified in paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B), (c) develop a demonstrably conservative risk for comparison with the QHOs, (d) search for severe accident vulnerabilities, and (e) develop risk insights.

The applicant should establish at the earliest practical time a program for quality control that includes, as a minimum, the following elements:

(1) use of personnel qualified for the analysis (2) use of procedures that ensure control of documentation, including revisions, and provide for independent review, verification, or checking of calculations and information used in the analyses (3) documentation and maintenance of records, including archival documentation as well as submittal documentation (4) use of procedures that ensure that appropriate attention and corrective actions are taken if assumptions, analyses, or information used previously are changed or determined to be in error

1. Identification and characterization of the postulated bounding event or events The phrase postulated bounding event should be understood to be an event sequence in the PRA sense. The postulated bounding event or events should be used for two purposes: (a) to determine a dose consequence estimate to show that the AERI condition is met and (b) to provide a consequence estimate for use in a demonstrably conservative risk estimate. The process for identifying and characterizing the postulated bounding event or events should begin with the full set of licensing events identified earlier. The process should search among them to identify that event sequence (or event sequences) with the largest doses and/or largest consequences to the assumed offsite public receptors, using the following analysis constraints. Specifically, the analysis of the postulated bounding events doses and consequences, for use both in showing that the AERI condition is met and also in the required demonstrably conservative risk estimate, should take credit only for inherent and passive safety features

,without reliance on protective actions, active safety features, or passive safety features except for those passive safety features that do not require any equipment actuation or operator action to perform their required safety functions, that are expected to survive accident conditions, and that cannot be made unavailable or otherwise defeated by credible human errors of commission and omission. For the purposes of this analysis, inherent features are those which are characteristic of the system (e.g., material properties that may rely on geometry; configurations that are not subject to change as a result of the initiating event).

Paragraphs (a) - (e) of this Regulatory Guidance Position provide one acceptable approach to identify and characterize the postulated bounding event.

a. The identification of the postulated bounding event or events should be based on the radiological consequence analyses performed for the full set of licensing events identified in accordance with DG-1413 (propose new RG 1.254). The full set of licensing events should include both core and non-core radiological sources associated with the commercial nuclear reactor or associated with multiple units if the event sequence involves more than one commercial nuclear reactor on site.

The applicant may choose to combine features of more than one individual licensing event identified in DG-1413 (proposed new RG 1.254) to develop parameters representative of a single postulated bounding event.

DG-1414, Page 13

b. Applicants should systematically and categorically explore initiators that challenge plant safety functions (overcooling, undercooling, reactivity insertion, etc.) and evaluate system response assuming no positive change to the state of the system. An example of such an initiator is the circumstance in which the reactor does not trip and heat removal can be accomplished using only means that are inherent to the system (e.g., radiation and conduction from the system as it existed when the initiating event occurred). Meeting the dose consequence requirements for this set of entry conditions may call for design choices that result in lower efficiencies such as lower power or use of an always functional decay heat removal system.

c. Applicants should consider parameters provided in Sections 4.3.16, Mechanistic Source Term and 4.3.17, Radiation Consequence Analysis, of American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS), RA-S-1.4-2021, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants (Ref. 36), to develop a source term and consequence analysis. These parameters include meteorology, atmospheric transport, protective actions, dosimetry, health effects, and consequence quantification. Trial RG 1.247, Acceptability of Probabilistic Risk Assessment Results for Non-Light-Water Reactor Risk-Informed Activities, endorses ASME/ANS RA-S-1.4-2021 with exceptions and clarifications. If an applicant modifies any of the parameters or concludes that any of the parameters provided in Section 4.3.16 or 4.3.17 of ASME/ANS RA-S-1.4-2021 is not applicable to the design, then the application should include justification for that conclusion.

d. Accident sequences consist of an initiating event followed by a combination of SSC failures and human errors. In considering whether one or more of the earthquake-initiated event sequences should be selected as the postulated bounding event (or events), it is important to note that the larger earthquakes can cause more SSC failures than smaller ones, and presumably if an earthquake-initiated sequence is among the leading candidates, the postulated bounding event would be one of those event sequences with the larger number of failures associated with the larger earthquake. The analyst identifying the postulated bounding event needs to understand which SSC failures occur for which earthquake sizes, and to account for them appropriately.

The same considerations also apply and can be used in evaluating candidate sequences initiated by other external hazards (both natural and man-made), such as large tornadoes, extreme flooding, offsite explosions, etc.

e. The sections of ASME/ANS RA-S-1.4-2021 referenced in paragraph (c) above identify parameters that should be considered in an acceptable consequence analysis. These sections do not provide guidance to the applicant on inputs or methods acceptable to the staff for those parameters. Because the guidance in this RG is technology inclusive, the staff has not prescribed specific inputs and methods that an applicant should use. The applicant, therefore, should propose and justify that the methods and inputs chosen for the specific design support and analysis of the dose consequences.

f. Although the estimated dose consequence should be realistic, conservatisms may be justified so long as they are understood and addressed. For instance, the inventory of fission products in the reactor core and available for release to the environment could be based on the maximum full power operation of the core with, as a minimum, proposed values for fuel enrichment, fuel burnup, and an assumed core power equal to the proposed rated thermal power. The period of irradiation could be of sufficient duration to allow the activity of dose-significant radionuclides to reach equilibrium or to reach maximum values. The core inventory could be determined using an appropriate isotope generation and depletion computer code.

DG-1414, Page 14

g. An applicant for a non-LWR could consider using LWR guidance as a starting point and modifying it to reflect the specific design and to propose methods for the consequence analysis.

The development of a source term and radiation consequence analysis that does not follow ASME/ANS RA-S-1.4-2021 as endorsed by Trial RG 1.247 will be reviewed on a case-by-case basis.

2. Determination of a dose consequence estimate to confirm that the reactor design meets the entry conditions specified in paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B)

In order to use the AERI methodology to support an application for a license, permit, certification, or approval (i.e., ESP, CP, OL, DC, COL, SDA, ML) under Framework B of 10 CFR Part 53, a dose consequence estimate is used to demonstrate that the requirements of paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B) are met.

Although these requirements must be met for a plant to use the AERI methodology, an applicant may choose the AERI approach before it is known whether the plant can meet the associated requirements. For this reason, the applicant should recognize that the process may be iterative depending upon the type of application and information available. The level of conservatism employed to demonstrate that the requirements of paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B) are met could similarly vary based on the level of design information available at the time of application.

The information submitted for the dose consequence estimate should be sufficient to demonstrate that the requirements of paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B) are satisfied such that the AERI methodology is applicable for the design and application.

a. The applicant should use the dose consequence estimate associated with the postulated bounding event identified earlier in the overall AERI methodology.

b. The dose consequence estimate from a postulated bounding event at a location 100 meters (328 feet) away from the commercial nuclear plant should not exceed 10 mSv (1 rem) TEDE over the first four days following a release, an additional 20 mSv (2 rem) TEDE in the first year, and 5 mSv (0.5 rem) TEDE per year in the second and subsequent years.

c. One acceptable approach to developing a dose consequence estimate is to provide the postulated bounding event source term to MACCS1 (Ref. 37) or a comparable analytical model along with the rest of the inputs described in paragraphs (c) and (d) of Regulatory Guidance Position 1.

Deviations should be justified.

d. A realistic dose consequence estimate with a realistic description of the uncertainties is preferred; however, conservative assumptions may be used. Any conservatisms introduced into the dose consequence estimate should be addressed to ensure that there are no important distortions introduced to the analysis as a result of the conservatisms.

e. One postulated bounding event may not realistically represent the dose consequence estimate. As discussed in Section B, there may be reactor designs for which selecting and analyzing a single postulated bounding event is not an acceptable approach. When this is the case, the applicant should analyze enough postulated bounding events to demonstrate that the AERI condition is met for each postulated bounding event.

1 MACCS is commonly used in the performance of PRAs for commercial nuclear plants to evaluate the impact of accidental atmospheric releases of radiological materials on humans and on the surrounding environment to model the offsite consequences, in terms of health effect risk.

DG-1414, Page 15

f. The application should describe the inputs to the analytical model and the results in sufficient detail to demonstrate that the entry conditions specified in paragraphs 10 CFR 53.4730(a)(34)(ii)(A) and (B) are met.

3. Development of a demonstrably conservative risk estimate for comparison with the QHOs The use of a demonstrably conservative risk estimate for this purpose is predicated on meeting the entry conditions specified in paragraphs 10 CFR 53.4730(a)(34)(ii) (A) and (B) as described in Regulatory Guidance Positions 1 and 2.

As discussed in Section B, the word demonstrably conservative in the phrase demonstrably conservative risk estimate means that the estimate should demonstrate confidence that the actual risk is very unlikely to exceed the estimated risk.

a. The risks being estimated are those associated with the postulated bounding event or events identified consistent with Regulatory Guidance Position 1.

b. One acceptable way to ensure that the analysis has the appropriate scope and level of detail is to follow the corresponding provisions of ASME/ANS RA-S-1.4-2021, which the NRC endorsed in Trial RG 1.247 with exceptions and clarifications. If another analysis method is used, justifications for its technical adequacy and for its effectiveness in developing the needed results should be documented and submitted to the NRC.

c. The endpoints of the demonstrably conservative risk estimate for the postulated bounding event are the risks of both prompt radiation-caused fatalities and latent cancer fatalities to offsite populations that can be compared to the QHOs.

d. An annual frequency is needed to support a comparison with the QHOs, which are frequency-based. In the absence of using a PRA to develop a realistic estimate of that annual frequency, another approach or method is needed. One acceptable approach is to assume a frequency which represents the sum of the event sequence frequencies and is equal to the sum of the initiating event frequencies. Based on LWR statistics, this frequency can be taken to be once per year (1/year). This frequency, while conservative, can be used along with the postulated bounding events consequences to compare to the QHOs.

For example, if the QHO comparison is favorable even when assuming that the postulated bounding event were to occur once annually, then this is a sufficient demonstration that the QHOs are met, if supported by an explanation that the once-annually assumption is clearly very conservative.

The use of a different frequency may be acceptable but will be reviewed on a case-by-case basis and justification for that frequency should be provided.

e. The postulated bounding event and the frequency selected under paragraph (d) of this Regulatory Guidance Position for the postulated bounding event are conservatisms in the analysis. For other parameters, although a realistic analysis is preferred for the postulated bounding events consequences and risks, the introduction of slightly conservative assumptions or data is acceptable if important distortions are not introduced into interpretations of that estimate needed for decision-making. Therefore, a discussion should be provided concerning the extent and impacts of any such distortions.

f. One acceptable approach for developing a demonstrably conservative risk estimate is to provide the postulated bounding event source term to MACCS or a comparable analytical model along DG-1414, Page 16

with the rest of the inputs described in paragraphs (c) and (d) of Regulatory Guidance Position 1.

Deviations should be justified.

g. For a submittal describing the analysis to be acceptable, the documentation should include a description and explanation of the uncertainties, assumptions, and conservatisms in each of the quantitative analysis steps and results relied on, and a discussion of their relative importance.

Although a qualitative description of the uncertainties, assumptions, and conservatisms is expected, applicants should, where feasible, develop and describe them quantitatively, or at least provide an understanding, if known, as to which uncertainties, assumptions, and conservatisms are more important than which others and why.

h. The applicant should identify the software codes used for the consequence analyses and provide information on how the development and maintenance of these software codes meets quality standards commensurate with the application.

i. Risks from multiple postulated bounding events should be considered when using only one postulated bounding event does not realistically represent the risks posed by the facility. The applicant should justify any annual frequency other than 1/year for each postulated bounding event used to support a comparison with the QHOs.

4. Search for severe accident vulnerabilities The search for severe accident vulnerabilities as described in this Regulatory Guidance Position is necessary to meet the requirements in proposed paragraphs 10 CFR 53.4730(a)(5)(v)(B),

53.4730(a)(5)(v)(C), and 53.4730(a)(5)(v)(D) in order to achieve the safety goals identified for applicants using the AERI methodology.

Severe accident vulnerabilities may be eliminated through improvements to plant design, operations, or maintenance that prevent or reduce the possibility, likelihood, or consequence of the identified severe accident.

a. The scope of the search for severe accident vulnerabilities should encompass the entire set of licensing events identified in DG-1413 (proposed new RG 1.254) and severe accidents as identified and evaluated in proposed 10 CFR 53.4730(a)(5)(v)(B).

b. All radiological sources and operating modes should be considered to identify severe accident vulnerabilities during the plant design.

c. The applicant should use a systematic process to search for severe accident vulnerabilities. An applicant should develop the systematic process consistent with the definitions of the terms severe accident and severe accident vulnerabilities provided in this RG. The systematic process should be developed as discussed in paragraphs (d) - (f) of this Regulatory Guidance Position or justification should be provided for any deviations.

d. The systematic process used to search for severe accident vulnerabilities should, at a minimum, include the following:

(1) search for failure of a single component, system, structure, function, or a fission product barrier that could contribute to a severe accident,

The applicant should provide special focus to support systems (e.g., systems that provide alternating current to multiple systems).

DG-1414, Page 17

The applicant should consider the reliability of components, systems, structures, and functions in its search for failures. Failures of multiple components, systems, and functions should be considered based on their overall reliability as well as compared to the reliability of a single component, system, or function.

(2) search for a single or combined set of human error(s) of omission that could contribute to a severe accident, (3) search for a single or combined set of human error(s) of commission that could contribute to a severe accident, (4) search for severe accident vulnerabilities that considers relevant defense-in-depth attributes, including success criteria and equipment functionality, reliability, and availability. and (5) search for a single event initiated by an external hazard for the site (e.g., earthquakes, external floods, high winds, tornadoes) or their plausible combined events (e.g., earthquake with dam failure flooding, storm surge and high wind) that could contribute to a severe accident.

e. The systematic process used to search for severe accident vulnerabilities should include the following attributes related to the spatial layout of SSCs:

(1) search for pipe breaks, structural failures, or component failures whose failure results in loss of multiple systems or functions, (2) search for fires in cables that provide motive or control power to multiple systems or functions or for other internal fire scenarios that could lead to a severe accident, (3) search for internal flooding scenarios that can lead to a severe accident, and (4) search for SSCs that may fail due to earthquakes with low or moderate frequency resulting in failure of multiple barriers or functions.

f. The applicant should search for cliff-edge effects that could constitute severe accident vulnerabilities. One definition of a cliff-edge effect is an instance of severely abnormal conditions caused by an abrupt transition from one status of the facility to another following a small deviation in a parameter value or a small variation in an input value (Ref. 38). Applicants should use this definition when they search for severe accident vulnerabilities associated with cliff-edge effects of the facility or justify an alternate definition.

(1) The search for cliff-edge effects should focus on the facility as opposed to a single system or function.

(2) The applicant should consider all external hazards to identify cliff-edge effects that could constitute severe accident vulnerabilities.

g. If severe accident vulnerabilities are identified in the design phase, the expectation is that the reactor design would be altered to eliminate those severe accident vulnerabilities. The process used to eliminate severe accident vulnerabilities can be through modifications to the design, operations, or maintenance.

h. In the event that a severe accident vulnerability is identified and is not eliminated from the design, justification should be provided as to why the severe accident vulnerability is acceptable for the design, and sufficient detail should be provided to enable an understanding of what role is played by each specific technical contributing factor to the accident scenario, including not only failures of SSCs or human errors, but configuration aspects and other design-choice issues.

DG-1414, Page 18

i. The applicant may credit the systematic process used to identify severe accident vulnerabilities and any analyses performed in support of its defense-in-depth evaluation (See Regulatory Guidance Position 6). The defense-in-depth evaluation should support and complement the applicants search for severe accident vulnerabilities.

j. The applicant should provide documentation relating to severe accident vulnerabilities. The documentation should (i) describe the process used for the severe accident vulnerability search, including scope and definition (if the applicant used a definition different from the definition proposed by the staff); (ii) describe each identified severe accident vulnerability, if any, and how it was addressed; and (iii) provide justification for not eliminating the severe accident vulnerability from the design or state that none were identified.

5. Development of risk insights The risk insights form the basis for the description of the risk evaluation required in proposed 10 CFR 53.4730(a)(34).

a. Risk insights should be identified based on the entire set of licensing events identified in DG-1413 (proposed new RG 1.254) for the AERI methodology.

b. Where feasible, an applicant should develop estimates of the approximate annual frequencies of the various event sequences, or explanations of and rationales for the applicants understanding of the hierarchy of the event sequences ranked by frequency, such as Event Sequence X is understood to occur significantly more frequently than Event Sequence Y.

c. Many of the risk insights associated with any individual licensing event relate directly to or are understood best by focusing on the various technical features of the accident scenario. To that end, a description should be provided of each of the features of the licensing event that contribute to the various risk end points, including features such as -

(1) which failures are the initiating events that lead to the licensing event (equipment failures, human errors, configuration abnormalities, etc.),

(2) which failures, after the initiating event, contribute to or participate in the rest of the sequence of events that characterize the accident scenario, (3) a search for risk insights which considers relevant defense-in-depth attributes, including success criteria and equipment functionality, reliability, and availability, (4) what are the causes(s) of the enumerated failures, including various internally generated upset conditions; external loads from offsite hazards; operator and maintenance errors; loads from internal hazards such as internal fires, floods, electrical upsets etc.; configuration changes due to errors (failure to restore, etc.) etc.,

(5) which features mitigate what would otherwise be a more severe licensing event, and how those features do so, including:

more effective passive features,

features leading to longer time evolutions,

features leading to lower loads, less psychological pressure on the operating staff, fewer complex combinations of events occurring contemporaneously, etc., and DG-1414, Page 19

features associated with smaller offsite impacts, such as population distributions vis-

-vis the site, protective-action features like sheltering and evacuation, site-related topographic or other characteristics, etc.

(6) which features aggravate what would otherwise be a less severe licensing event, and how those features do so (typically these are features that are the opposite of those in the list just above) including:

less effective passive features,

features leading to faster time evolutions,

features leading to larger loads, more pressure on the operating staff, more complex combinations of events, etc., and

features associated with larger offsite impacts, such as protective-action features like sheltering and evacuation.

d. Qualitative descriptions should be provided for the features described in paragraph (c) of this Regulatory Guidance Position. When available, quantitative descriptions should be provided for the features to provide a complete understanding of the identified risk insights.

e. Descriptions should be provided for the methodology and criteria used to distinguish those features that are judged to be important enough to be included from those that are judged not to be.

f. For any individual licensing event, an important type of risk insights may be features for which a design change or a change in operating approach could significantly lower the overall risk. An evaluation should be performed to support identification of any potential for improving the associated plant risk profile, including the extent of the improvement and the difficulties, if any, in implementing the change.

Alternatively, another type of risk insight may be that the risk profile is highly sensitive to one particular plant feature. An evaluation should be performed to understand the importance of this risk insight. Note that this type of risk insight is related to a separate part of the overall evaluation discussed in this RG, namely the vulnerability search in Regulatory Guidance Position 4.

The risk insights are diverse and can seem to be unrelated to each other if a list of them were presented without elaboration. This diversity is acceptable, and indeed expected, because some of the insights might seem important to one safety analyst but not to another. This is especially so, for example, if the insight is that the absence of something is seen as the major reason why the issue is a risk insight.2

6. Defense in depth The guidance in this Regulatory Guidance Position is intended to ensure that a new design using the AERI methodology has adequate defense in depth and should additionally support the results of the search for severe accident vulnerabilities and the search for risk insights described respectively in Regulatory Guidance Positions 4 and 5.

2 For example, suppose that there are no human actions required for the response to the postulated bounding event once it has begun. This might be cited as a way of explaining why that accident is unlikely.

DG-1414, Page 20

a. In the evaluation of defense in depth for the entire facility (in contrast to examining only a specific system or a safety function), the applicant should account for SSCs of the entire facility to make determinations with respect to defense in depth.

b. The facility design should include a reasonable balance among the layers of defense. For example, the applicant should ensure that failure of a single barrier does not result in a severe accident.

c. The design should include adequate capability of design features without an overreliance on programmatic features.

d. The design should include system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty. For example, the applicant should ensure that for events that are likely to occur during the lifetime of a plant, failure of a single function does not lead to a severe accident.

e. The design should include adequate defense against potential CCFs. The applicant should focus on CCFs that could affect the facility rather than CCFs of a system or a function.

f. The design should include multiple fission product barriers. The applicant should ensure that failure of a single fission product barrier does not to lead to unacceptable consequences from a severe accident.

g. The analysis of defense in depth should complement and support Regulatory Guidance Positions 4 and 5. The analysis of defense in depth may be used to support the search for severe accident vulnerabilities as discussed in Regulatory Guidance Position 4. Any risk insights identified from the consideration of defense in depth should be documented in accordance with Regulatory Guidance Position 5.

7. Maintaining and upgrading the AERI risk evaluation The regulatory guidance positions herein describe methods acceptable to assure (a) that the facilitys AERI risk evaluation is appropriately maintained and/or upgraded as necessary, and (b) that its use(s) is also revisited as appropriate if its maintenance or upgrade is performed. The guidance in this section is intended to assure that the AERI risk evaluation continues to be valid and useful, and hence continues to be an adequate basis for regulatory decision-making.

7.1 Postulated bounding event identification The AERI risk evaluation is based on the identification of the postulated bounding event (or more than one in some situations). In evaluating the continuing validity and usefulness of the AERI risk evaluation, it is expected that an assessment will be performed by the applicant or licensee to assure that the postulated bounding event(s) used in the earlier AERI risk evaluation remain appropriate for the facility, or, if not, that one or more different postulated bounding event(s) are identified (based on new information or facility design or operational changes) and then used in the remainder of the risk evaluation. The initial risk evaluation must be performed by the scheduled fuel load date.

7.2 As-built, as-operated facility In any event, it is expected that the AERI risk evaluation reflects the as-built, as-operated facility.

In particular, it is expected that when the assessment is performed as to the continuing validity and usefulness of the risk evaluation, the assessment should ascertain if any important aspects of the facilitys design or operational scheme have changed since the prior risk evaluation. The AERI risk evaluation DG-1414, Page 21

should be updated every five years until the permanent cessation of operations as described in 10 CFR 53.6052(b).

7.3 New safety issue(s)

When the assessment of the continuing validity and usefulness of the AERI risk evaluation is performed, the assessment should ascertain if any new safety issue(s) have arisen since the prior risk evaluation. If so, the AERI risk evaluation should be updated, if appropriate.

7.4 New data, information, or analyses When the assessment of the continuing validity and usefulness of the AERI risk evaluation is performed, the assessment should ascertain if any relevant new data, information, or analyses have arisen since the prior risk evaluation. If so, the AERI risk evaluation should be updated, if appropriate.

7.5 QHO comparison If the AERI risk evaluation requires updating because of any of the reasons cited above, then the QHO comparison discussed in Regulatory Guidance Position 3 should be revisited and modified, if appropriate.

7.6 Vulnerability search If the AERI risk evaluation requires updating because of any of the reasons cited above, then the severe accident vulnerability search discussed in Regulatory Guidance Position 4 of this RG should be revisited and modified, if appropriate.

7.7 Search for risk insights If the AERI risk evaluation requires updating because of any of the reasons cited above, then the search for risk insights discussed in Regulatory Guidance Position 5 of this RG should be revisited and modified, if appropriate.

7.8 Defense in depth If the AERI risk evaluation requires updating because of any of the reasons cited above, then the defense-in-depth evaluation discussed in Regulatory Guidance Position 6 of this RG should be revisited and modified, if appropriate.

8. Application-specific considerations for the Alternative Evaluation for Risk Insights For CP applications, an applicant may have a conceptual design that does not include sufficient information to demonstrate that AERI entry conditions are met at the time of application. In general, an applicant should follow relevant guidance to determine the minimum information necessary for a CP application. The applicant should describe the approach for demonstrating that the conditions for using the AERI methodology are met.

At the CP application stage, the inputs to the AERI methodology are derived from a plant design and operational programs that are less mature than they are at subsequent licensing stages. Therefore, the CP applicant should provide justification that the AERI results are reasonable and should include any necessary commitments to update the AERI so that its completion status at subsequent licensing stages is consistent with the intended reactor design and operation.

A CP applicant may identify risk insights based on assumptions made at the CP application stage with the understanding that such assumptions should be updated at a subsequent licensing stage. In any DG-1414, Page 22

subsequent licensing application, the applicant should update those assumptions and confirm that the AERI methodology is appropriate for the reactor design.

9. Procedural and other non-technical aspects 9.1 Independent review For analyses performed to support the AERI methodology, an independent review should be performed and described in the application.

9.2 Expert opinion Although formal guidance on using expert opinion or expert panels is not provided herein, the application should describe those steps and procedures that have been used to provide assurance that when expert opinion or expert panels are used to support analyses within the AERI method of evaluation, a procedure or methodology has been used that meets broad expectations to assure that the expert opinion or expert panels process has technical integrity. One useful source of expert elicitation guidance is found in ASME/ANS RA-S-1.4-2021, as endorsed by Trial RG 1.247, Section 4 Risk Assessment Technical Requirements.

DG-1414, Page 23

D. IMPLEMENTATION The NRC staff may use this regulatory guide as a reference in its regulatory processes, such as licensing, inspection, or enforcement. However, the NRC staff does not intend to use the guidance in this regulatory guide to support NRC staff actions in a manner that would constitute backfitting as that term is defined in 10 CFR 53.1590 or 10 CFR 53.6090, Backfitting, and as described in NRC Management Directive 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests (Ref. 39), nor does the NRC staff intend to use the guidance to affect the issue finality of an approval under 10 CFR Part 53, Subparts H or R, Licenses, Certifications and Approvals. The staff also does not intend to use the guidance to support NRC staff actions in a manner that constitutes forward fitting as that term is defined and described in Management Directive 8.4. If a licensee believes that the NRC is using this regulatory guide in a manner inconsistent with the discussion in this Implementation section, then the licensee may file a backfitting or forward fitting appeal with the NRC in accordance with the process in Management Directive 8.4.

DG-1414, Page 24

REFERENCES3

1. NRC, Safety Goals for the Operations of Nuclear Power Plants; Policy Statement; Corrections and Republication, Federal Register, Vol. 51, No. 162, pp. 30028 - 30033, August 21, 1986 (51 FR 30028).

2. NRC, Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants, Federal Register, Vol. 50, No. 153, pp. 32138-32150, August 8, 1985 (50 FR 32138),

3. NRC, DG-1413 (proposed new Regulatory Guide 1.254), Technology-Inclusive Identification of Licensing Events for Commercial Nuclear Plants, Washington, DC.

4. CFR Risk-Informed, Technology-Inclusive Regulatory Framework for Commercial Nuclear Plants, Part 53, Title 10, Energy.

5. NRC, Trial Use RG 1.247, Acceptability of Probabilistic Risk Assessment Results for Advanced Non-Light Water Reactor Risk-Informed Activities, Washington, DC.

6. NRC, RG 1.200, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities, Washington, DC.

7. NRC, NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, Washington, DC.

8. CFR Domestic Licensing of Production and Utilization Facilities, Part 50, Title 10, Energy.

9. CFR Licenses, Certifications, and Approvals for Nuclear Power Plants, Part 52, Title 10, Energy.

10. NRC, Policy Statement on the Regulation of Advanced Reactors, Federal Register, Vol. 73, No.

199, October 14, 2008, pp. 60612 - 60616 (73 FR 60612).

11. NRC, Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities; Final Policy Statement, Federal Register, Vol. 60, No. 158, pp. 42622 - 42629, August 16, 1995 (60 FR 42622).

12. NRC, RG 1.70, Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants (LWR Edition), Washington, DC.

13. NRC, RG 1.81, Content of the Updated Final Safety Analysis Report in Accordance with 10 CFR 50.71(e), Washington, DC.

14. NRC, RG 1.206, Applications for Nuclear Power Plants, Washington, DC.

15. NRC, RG 1.232, Guidance for Developing Principal Design Criteria for Non-Light-Water Reactors, Washington, DC.

16. NRC, NRC Vision and Strategy: Safely Achieving Effective and Efficient Non-Light Water Reactor Mission Readiness, Washington, DC, December 2016.

3 Publicly available NRC published documents are available electronically through the NRC Library on the NRCs public Web site at http://www.nrc.gov/reading-rm/doc-collections/ and through the NRCs Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html The documents can also be viewed online or printed for a fee in the NRCs Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at 301-415-4737 or (800) 397-4209; fax (301) 415-3548; or e-mail pdr.resource@nrc.gov.

DG-1414, Page 25

17. NRC, SECY-90-016, Evolutionary Light Water Reactor (LWR) Certification Issues and Their Relationship to Current Regulatory Requirements, Washington, DC, January 12, 1990.

18. NRC, SECY-93-087 Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advance Light-Water Reactor (ALWR) Designs, Washington, DC, April 2, 1993.

19. NRC, SECY-96-128, Policy and Key Technical Issues Pertaining to the Westinghouse AP600 Standardized Passive Reactor Design, Washington, DC, June 12, 1996.

20. NRC, SECY-97-044, Policy and Key Technical Issues Pertaining to the Westinghouse AP600 Standardized Passive Reactor Design, Washington, DC, February 18, 1997.

21. NRC, Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG-75/014), Washington, DC, October 1975.

22. NRC, NUREG-1150, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, Washington, DC.

23. NRC, NUREG-1855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision Making, Washington, DC.

24. NRC, Generic Letter 88-20: Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities - 10 CFR 50.54(f), Washington, DC, June 28, 1991.

25. NRC, NUREG-2122, Glossary of Risk-Related Terms in Support of Risk-Informed Decisionmaking, Washington, DC.

26. ACRS Letter, The Role of Defense -in-Depth in a Risk-Informed Regulatory System, Washington, DC, May 19, 1999.

27. NRC, RG 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decision on Plant-Specific Changes to the Licensing Basis, Washington, DC.

28. NEI 18-04, Revision 1, Risk-Informed, Performance-Based Technology Guidance for Non-Light Water Reactors, Washington, DC, August 2019.4

29. NRC, NUREG/KM-0009, Historical Review and Observations of Defense-in-Depth, Washington, DC.

30. IAEA SSR No. SSR-2/1, Revision 1, Safety of Nuclear Power Plants: Design, Vienna, Austria, 2016.5

31. NRC, Nuclear Regulatory Commission International Policy Statement, Federal Register, Vol. 79, No. 132, July 10, 2014, pp. 39415-39418.

32. NRC, Management Directive (MD) 6.6, Regulatory Guides, Washington, DC.

4 Publications from the Nuclear Energy Institute (NEI) are available at their Web site: http://www.nei.org/ or by contacting the headquarters at Nuclear Energy Institute, 1776 I Street NW, Washington DC 20006-3708, Phone: 202-739-800, Fax 202-785-4019.

5 Copies of International Atomic Energy Agency (IAEA) documents may be obtained through their Web site:

www.IAEA.org/ or by writing the International Atomic Energy Agency, P.O. Box 100 Wagramer Strasse 5, A-1400 Vienna, Austria.

DG-1414, Page 26

33. IAEA, SSG, No. SSG-2, Revision 1, Deterministic Safety Analysis for Nuclear Power Plants, Vienna, Austria, 2019.

34. IAEA, SSG, No. SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, Vienna, Austria, 2010.

35. IAEA-TECDOC-626, Safety Related Terms for Advanced Nuclear Plants, Vienna, Austria, September 1991.

36. ASME/ANS, RA-S-1.4, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants, New York, NY, 2021.6

37. MELCOR Accident Consequence Code System (MACCS).

38. IAEA Safety Glossary: Terminology Used in Nuclear Safety and Radiation Protection, Vienna, Austria, 2018.

39. NRC, MD 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests, Washington, DC.

6 Copies of American Society of Mechanical Engineers (ASME) standards may be purchased from ASME, Two Park Avenue, New York, New York 10016-5990; telephone (800) 843-2763. Purchase information is available through the ASME Web-based store at http://www.asme.org/Codes/Publications/.

DG-1414, Page 27

ML22272A045

Text

Background

Navigation menu

Search