Regulatory Guide 1.174

an Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis
ML17317A256
Person / Time
Issue date: 01/31/2018
From: Anders Gilbertson
NRC/RES/DRA/PRB
To:
Karagiannis H
Shared Package
ML17317A196 List:
References
DG-1285 RG-1.174, Rev. 3


U.S. NUCLEAR REGULATORY COMMISSION

REGULATORY GUIDE 1.174, REVISION 3

Issue Date: January 2018
Technical Lead: Anders Gilbertson

AN APPROACH FOR USING PROBABILISTIC RISK ASSESSMENT IN RISK-INFORMED DECISIONS ON PLANT-SPECIFIC CHANGES TO THE LICENSING BASIS

A. INTRODUCTION

Purpose

This regulatory guide (RG) describes an approach that is acceptable to the staff of the U.S. Nuclear Regulatory Commission (NRC) for developing risk-informed applications for a licensing basis change that considers engineering issues and applies risk insights. It provides general guidance concerning analysis of the risk associated with proposed changes in plant design and operation.

Applicability

This RG applies to light-water reactor (LWR) licensees subject to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities (Ref. 1), and 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants (Ref. 2).

Applicable Regulations

  • 10 CFR 50.90, Application for Amendment of License, Construction Permit, or Early Site Permit (Ref. 3), requires that, whenever a holder of a license, including a construction permit and operating license under this part, as well as an early site permit, combined license, and manufacturing license under 10 CFR Part 52, desires to amend the license or permit, an application for a license amendment must be filed with the Commission to fully describe the changes desired.
  • 10 CFR 50.92, Issuance of Amendment (Ref. 4), provides the general considerations that govern the issuance of initial licenses, construction permits, or early site permits to the extent applicable and appropriate.

Written suggestions regarding this guide or development of new guides may be submitted through the NRC's public Web site in the NRC Library at http://www.nrc.gov/reading-rm/doc-collections/, under Document Collections, in Regulatory Guides, at http://www.nrc.gov/reading-rm/doc-collections/reg-guides/contactus.html.

Electronic copies of this RG, previous versions of this guide, and other recently issued guides are also available through the NRC's public Web site in the NRC Library at http://www.nrc.gov/reading-rm/doc-collections/, under Document Collections, in Regulatory Guides. This RG is also available through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under ADAMS Accession No. ML17317A256. The regulatory analysis may be found in ADAMS under Accession No. ML16358A156. The associated draft guide DG-1285 may be found in ADAMS under Accession No. ML16358A153, and the staff responses to the public comments on DG-1285 may be found under ADAMS Accession No. ML17261A618.

Related Guidance

  • NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition (Ref. 5), provides guidance to the NRC staff in performing safety reviews of construction permit or operating license applications (including requests for amendments) under 10 CFR Part 50 and early site permit, design certification, combined license, standard design approval, or manufacturing license applications under 10 CFR Part 52 (including requests for amendments). NUREG-0800, Section 19.2, titled Review of Risk Information Used to Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance, is designed to guide the NRC staff in its evaluations of licensee requests for changes to the licensing basis that apply risk insights. Guidance developed in selected application-specific RGs and the corresponding chapters of NUREG-0800 also applies to these types of licensing basis changes.
  • NUREG-1855, Revision 1, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decisionmaking (Ref. 6), provides guidance on how to treat uncertainties associated with probabilistic risk assessment (PRA) in risk-informed decisionmaking. This guidance is intended to foster an understanding of the uncertainties associated with PRA and their impact on the results of PRA.
  • NUREG/CR-6268, Revision 1, Common-Cause Failure Database and Analysis System: Event Data Collection, Classification, and Coding (Ref. 7), provides an overview of common-cause failure analysis methods for use in the U.S. commercial nuclear power industry. In particular, Section 3 describes the concepts of coupling factors and defense mechanisms.
  • RG 1.175, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Testing (Ref. 8), provides guidance on acceptable methods for using PRA information with established traditional engineering information in the development of risk-informed inservice testing (RI-IST) programs.

  • RG 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications (Ref. 9), provides the guidance on acceptable methods for using risk information to evaluate changes to nuclear power plant technical specification completion times and surveillance frequencies in order to assess the impact of such proposed changes on the risk associated with plant operation.
  • RG 1.178, An Approach for Plant-Specific, Risk-Informed Decisionmaking for Inservice Inspection of Piping (Ref. 10), provides guidance on acceptable approaches for meeting the existing requirements in Section XI of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code, as referenced by 10 CFR 50.55a, Codes and Standards (Ref. 11), for the scope and frequency of inspection of inservice inspection programs, including the application of risk-informed inservice inspection programs.

  • RG 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities (Ref. 12), provides an approach for determining whether the base PRA, in total or the parts that are used to support an application, is acceptable for use in regulatory decisionmaking for LWRs. RG 1.200 currently endorses a PRA standard developed by the ASME and the American Nuclear Society (ANS), ASME/ANS RA-Sa-2009, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications (Ref. 13), which addresses PRA for core damage frequency (CDF) and large early release frequency (LERF) for internal and external hazard groups during at-power operations.

RG 1.174, Rev. 3, Page 2

  • RG 1.201, Guidelines for Categorizing Structures, Systems, and Components in Nuclear Power Plants According to Their Safety Significance (Ref. 14), provides guidance on an acceptable method for use in complying with the Commission's requirements in 10 CFR 50.69, Risk-Informed Categorization and Treatment of Structures, Systems and Components for Nuclear Power Reactors (Ref. 15), with respect to the categorization of structures, systems, and components that are considered in risk-informing special treatment requirements.
  • RG 1.205, Risk-Informed, Performance-Based Fire Protection for Existing Light-Water Nuclear Power Plants (Ref. 16), provides guidance for use in complying with the requirements the NRC has promulgated for risk-informed, performance-based fire protection programs that comply with 10 CFR 50.48(c), National Fire Protection Association Standard NFPA 805 (Ref. 17), and the referenced 2001 Edition of the National Fire Protection Association (NFPA) standard, NFPA 805, Performance-Based Standard for Fire Protection for Light-Water Reactor Electric Generating Plants (Ref. 18).
  • RG 1.206, Combined License Applications for Nuclear Power Plants (LWR Edition) (Ref. 19), provides guidance on the information contained in and submitted with a combined license application.

Purpose of Regulatory Guides

The NRC issues RGs to describe to the public methods that the staff considers acceptable for use in implementing specific parts of the agency's regulations, to explain techniques that the staff uses in evaluating specific problems or postulated events, and to provide guidance to applicants. Regulatory guides are not substitutes for regulations and compliance with them is not required. Methods and solutions that differ from those set forth in RGs will be deemed acceptable if they provide a basis for the findings required for the issuance or continuance of a permit or license by the Commission.

Paperwork Reduction Act

This RG provides guidance for implementing the mandatory information collections in 10 CFR Parts 50 and 52 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et. seq.). These information collections were approved by the Office of Management and Budget (OMB), under control numbers 3150-0011 and 3150-0151. Send comments regarding this information collection to the Information Services Branch, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202 (3150-0011, 3150-0151), Office of Management and Budget, Washington, DC 20503.

Public Protection Notification

The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.

B. DISCUSSION

Reason for Revision

This revision of the guide (Revision 3) presents up-to-date defense-in-depth guidance using precise language to assure consistent interpretation and implementation of the defense-in-depth philosophy. Revision 3 contains significant changes including expansion of the guidance on the meaning of, and the process for, assessing defense-in-depth considerations.

In addition, this revision adopts the term PRA acceptability (and its variations) in place of terms such as PRA quality, PRA technical adequacy, and technical adequacy to describe the appropriateness of the PRA used to support risk-informed licensing submittals. Other changes in this revision include expanding the discussions of uncertainties, including aggregation of risk results, consistent with NUREG-1855; updating the risk acceptance guideline figures; and adding discussions of the application of this guide to new reactors.

Background

In the two documents below, the Commission directed the staff to revise the defense-in-depth guidance in this RG using precise language to assure that the defense-in-depth philosophy is interpreted and implemented consistently.

  • Staff Requirements Memorandum (SRM) on SECY-11-0014, Staff Requirements – SECY-11-0014 – Use of Containment Accident Pressure in Analyzing Emergency Core Cooling System and Containment Heat Removal System Pump Performance in Postulated Accidents, dated March 15, 2011 (Ref. 20).
  • SRM on SECY-15-0168, Staff Requirements – SECY-15-0168 – Recommendations on Issues Related to Implementation of a Risk Management Regulatory Framework, dated March 9, 2016 (Ref. 21).

Both the NRC and the nuclear industry recognize that PRA has evolved to the point that it can be used increasingly as a tool in regulatory decisionmaking. In August 1995, the NRC issued a final Commission policy statement on the use of PRA methods in nuclear regulatory activities, titled Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement (Ref. 22). The statement adopted the following policy.

  • The use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.
  • PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state-of-the-art, to reduce unnecessary conservatism associated with current regulatory requirements, RGs, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal for additional regulatory requirements in accordance with 10 CFR 50.109, Backfitting (Ref. 23). Appropriate procedures for including PRA in the process for changing regulatory requirements should be developed and followed. This policy intends compliance with existing rules and regulations unless these rules and regulations are revised.

  • PRA evaluations in support of regulatory decisions should be as realistic as practicable, and appropriate supporting data should be publicly available for review.
  • The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties when deciding on the need to propose and backfit new generic requirements on nuclear power plant licensees.

In its approval of the policy statement, the Commission stated its expectation that implementation of the policy statement will improve the regulatory process in three ways: (1) foremost, through safety decisionmaking enhanced by the use of PRA insights, (2) through more efficient use of agency resources, and (3) through a reduction in unnecessary burdens on licensees.

One significant activity undertaken in response to the policy statement is the use of PRA to support decisions to modify an individual plant's licensing basis. Such modifications are related to changes to a plant's design, operation, or other activities that require NRC approval. These modifications could include, for example, exemption requests under 10 CFR 50.12, Specific Exemptions (Ref. 24), and license amendments under 10 CFR 50.90. This RG does not address licensee-initiated changes to the licensing basis that do not require NRC review and approval (e.g., changes to the facility as described in the final safety analysis report (FSAR), the subject of 10 CFR 50.59, Changes, Tests and Experiments (Ref. 25)).

This RG also uses the Commission's Safety Goal Policy Statement, dated August 4, 1986 (Ref. 26). As described in Section C, one key principle in risk-informed regulation is that proposed increases in risk are small and are consistent with the intent of the Commission's Safety Goal Policy Statement. The safety goals and associated quantitative health objectives (QHOs) define an acceptable level of risk that is a small percentage (0.1 percent) of other risks to which the public is exposed. The risk acceptance guidelines in Section C.2.4 of this RG are defined for LWRs in terms of CDF, LERF, and the change in CDF and LERF (i.e., ΔCDF and ΔLERF) risk metrics. These risk metrics are based on subsidiary objectives derived from the safety goals and their QHOs. In particular, the CDF risk metric is used as a surrogate for the individual latent cancer fatality risk, and the LERF risk metric is used as a surrogate for the individual early fatality risk.

As discussed in Section A of this RG, RG 1.200 is an important related guidance document that describes one acceptable approach for determining whether the base PRA, in total or the parts that are used to support an application, is acceptable for use in regulatory decisionmaking for LWRs. Figure 1, which is taken from RG 1.200, illustrates the relationship of this RG to some risk-informed activities, other application-specific guidance, RG 1.200, consensus PRA standards, and industry programs.

Figure 1. Relationship of RG 1.174 to other risk-informed guidance

This RG describes an acceptable approach for assessing the nature and impact of proposed licensing basis changes by considering engineering issues and applying risk insights. These assessments should consider relevant safety margins and defense-in-depth attributes, including success criteria and equipment functionality, reliability, and availability. The analyses should reflect the actual design, construction, and operational practices of the plant. Consideration of the Commission's Safety Goal Policy Statement is an important element in regulatory decisionmaking. Consequently, this guide provides acceptance guidelines for evaluating the results of assessments that are consistent with this policy statement. This guide also addresses implementation strategies and performance monitoring plans associated with changes that will help to ensure that assumptions and analyses supporting the change are verified.

In theory, one could construct a more generous regulatory framework for consideration of those risk-informed changes that could increase risk to the public. Such a framework would include, of course, assurance of continued adequate protection (the level of protection of the public health and safety that must be reasonably assured regardless of economic cost). However, it could also provide for the possible elimination of all measures not needed for adequate protection, which either do not substantially reduce overall risk or result in continuing costs that are not justified by the safety benefits. Instead, in this RG, the NRC has chosen a more restrictive policy that would permit only small increases in risk and only when the maintenance of sufficient defense in depth and margins, among other things, is reasonably assured. The NRC has adopted this policy because of uncertainties and to account for the continuing emergence of safety issues related to design, construction, and operational matters, notwithstanding the maturity of the nuclear power industry. These factors suggest that nuclear power reactors should operate routinely only at a prudent margin above adequate protection, to provide reasonable assurance that adequate protection will be maintained. The safety goal subsidiary objectives are an example of such a prudent margin.

Finally, this RG indicates an acceptable level of documentation that will enable the staff to reach a finding that the licensee has performed a sufficiently complete and scrutable analysis and that the results of the engineering evaluations support the licensee's request for a regulatory change. Other related guidance documents such as RG 1.175, RG 1.177, and RG 1.178 provide guidance on the acceptable approaches for using risk information in specific risk-informed applications.

Harmonization with International Standards

The International Atomic Energy Agency (IAEA) has established a series of safety guides and standards constituting a high level of safety for protecting people and the environment. IAEA safety guides present international good practices and increasingly reflect best practices to help users striving to achieve high levels of safety. Pertinent to this RG are the following documents:

  • IAEA Safety Guide SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants Specific Safety Guide (Ref. 27),
  • IAEA Safety Guide SSG-4, Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants Specific Safety Guide (Ref. 28),
  • IAEA Safety Standards SSR-2/1, Safety of Nuclear Power Plants: Design (Ref. 29), and
  • IAEA Safety Standard SF-1, Fundamental Safety Principles (Ref. 30).

These safety guides provide recommendations for performing or managing a probabilistic safety assessment project for nuclear power plants and using it to support safe design and operation. This RG discusses some of the same principles with respect to changes to a plant's licensing basis.

Additional international guidance documents, including those that offer different perspectives on and interpretations of the defense-in-depth philosophy, were considered as part of the development of related guidance in this RG. NUREG/KM-0009, Historical Review and Observations of Defense-in-Depth (Ref. 31), summarizes the various descriptions, discussions, and definitions of defense in depth that have been used in these related international guidance documents and other guidance documents and summarizes historical observations on the concept of defense in depth.

C. STAFF REGULATORY GUIDANCE

In its approval of the policy statement on the use of PRA methods in nuclear regulatory activities, the Commission stated its expectation that "the use of PRA technology should be increased in all regulatory matters ... in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy." The use of risk insights in licensee submittals requesting licensing basis changes will assist the staff in the disposition of such proposals.

The staff has defined in this RG an acceptable approach to analyzing and evaluating proposed licensing basis changes. This approach supports the NRC's desire to base its decisions on the results of traditional engineering evaluations, supported by insights (derived from the use of PRA methods) about the risk significance of the proposed changes. Decisions on proposed changes are expected to be reached in an integrated fashion, considering traditional engineering and risk information, and may be based on qualitative factors as well as quantitative analyses and information.

The staff recognizes that the risk analyses necessary to support regulatory decisionmaking may vary with the relative weight given to the risk assessment element of the decisionmaking process. The burden is on the licensee who requests a change to the licensing basis to justify that the chosen risk assessment approach, methods, and data are appropriate for the decision to be made.

In risk-informed decisionmaking, licensing basis changes are expected to meet a set of key principles. Some of these principles are written in the terms typically used in traditional engineering decisions (e.g., defense in depth). Although the principles are written in these terms, the use of risk analysis is encouraged to help ensure and show that these principles are met. These principles include the following.

  • Principle 1: The proposed licensing basis change meets the current regulations unless it is explicitly related to a requested exemption (i.e., a specific exemption under 10 CFR 50.12).
  • Principle 2: The proposed licensing basis change is consistent with the defense-in-depth philosophy.
  • Principle 3: The proposed licensing basis change maintains sufficient safety margins.
  • Principle 4: When proposed licensing basis changes result in an increase in risk, the increases should be small and consistent with the intent of the Commission's policy statement on safety goals for the operations of nuclear power plants.
  • Principle 5: The impact of the proposed licensing basis change should be monitored using performance measurement strategies.

Each of these principles should be considered in the risk-informed integrated decisionmaking process, as illustrated in Figure 2.

Figure 2. Principles of risk-informed integrated decisionmaking

The staff's evaluation approach and acceptance guidelines follow from these principles. In implementing these principles, the staff expects the following.

  • All safety impacts of the proposed licensing basis changes are evaluated in an integrated manner. The evaluation is part of an overall risk management approach in which the licensee is using risk analysis to improve operational and engineering decisions broadly by identifying and taking advantage of opportunities to reduce risk and not just to eliminate requirements the licensee sees as undesirable. For those cases in which risk increases are proposed, the benefits should be described and should be commensurate with the proposed risk increases. The approach used to identify changes in requirements should also be used to identify areas in which requirements should be increased, as well as those in which they can be reduced.

  • The engineering analyses (including traditional and probabilistic analyses) conducted to justify the proposed licensing basis change should (1) be appropriate for the nature and scope of the change, (2) be based on the as-built and as-operated and maintained plant, and (3) reflect operating experience at the plant. The ASME/ANS PRA standard endorsed by RG 1.200 defines as-built, as-operated as a concept that reflects the degree to which the PRA matches the current plant design, plant procedures, and plant performance data, relative to a specific point in time (see Section C.2.3 of this RG for additional information on the relationship between RG 1.174 and the ASME/ANS PRA standard). Acceptability of the engineering analyses is determined by assessing the scope, level of detail, supporting technical analyses, and plant representation.
  • The plant-specific PRA supporting the licensee's proposals has been demonstrated to be acceptable.
  • Uncertainty receives appropriate consideration in the analyses and interpretation of findings, including use of a program of monitoring, feedback, and corrective action to address key sources of uncertainty. NUREG-1855 provides acceptable guidance for the treatment of uncertainties in risk-informed decisionmaking.
  • The use of CDF and LERF as bases for PRA acceptance guidelines is an acceptable approach for addressing Principle 4. Use of the Commission's Safety Goal QHOs in lieu of CDF and LERF is acceptable in principle, and licensees may propose their use. However, in practice, implementing such an approach would require an extension to a Level 3 PRA, in which case the methods and assumptions used in the Level 3 analysis, and associated uncertainties, would require additional attention. Later parts of this section present guidance on risk metrics for plants licensed under 10 CFR Part 52.

  • Increases in CDF and LERF resulting from proposed licensing basis changes should be limited to small increments. The decision process should track and consider the cumulative effect of such changes, whether they result in an increase or a decrease, if available, in risk. For purposes of this guide, a proposed licensing basis change that meets the acceptance guidelines discussed in Section C.2.4 is considered to meet the intent of the policy statement.
  • The licensee should evaluate the acceptability of the proposed licensing basis changes in an integrated fashion that ensures that all principles are met.
  • Data, methods, and assessment criteria used to support regulatory decisionmaking should be well documented and available for public review.

When used as a surrogate for the early fatality QHO, LERF is defined as the sum of the frequencies of those accidents leading to rapid, unmitigated release of airborne fission products from the containment to the environment before the effective implementation of offsite emergency response and protective actions such that there is the potential for early health effects. Such accidents generally include unscrubbed releases associated with early containment failure shortly after vessel breach, containment bypass events, and loss of containment isolation. This definition is consistent with accident analyses used in the safety goal screening criteria discussed in the Commission's regulatory analysis guidelines.

NUREG/CR-6595, Revision 1, An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events (Ref. 32), describes a simple screening approach for calculating LERF.

Given the principles of risk-informed decisionmaking discussed above, the staff has identified a four-element approach to evaluating proposed licensing basis changes. This approach, shown in Figure 3, supports the NRC's decisionmaking process. This approach is iterative rather than sequential.

Figure 3. Principal elements of risk-informed, plant-specific decisionmaking

The NRC considers the following approach to be acceptable for use in assessing the nature and impact of proposed licensing basis changes. This approach assesses the impact of the risk associated with the proposed changes in plant design and operation by considering engineering issues and applying risk insights.

Plants submitting design certification or combined operating license applications use the CDF, large release frequency, and conditional containment failure probability risk metrics and associated guidelines. These plants should transition at or before their initial fuel load (e.g., following the 10 CFR 52.103(g) finding) from the use of those three risk metrics to the CDF and LERF risk metrics and acceptance guidelines for risk-informed applications covered in this RG. The SRM on SECY-12-0081, Staff Requirements – SECY-12-0081 – Risk-Informed Regulatory Framework for New Reactors, dated October 22, 2012, presents more information on this transition (Ref. 33).

In addition, consistent with the SRM on SECY-12-0081, the deterministic containment performance objective should also be maintained for plants licensed under 10 CFR Part 52. Specifically, plants licensed under 10 CFR Part 52 should ensure that the containment maintains its role as a reliable, leaktight barrier for approximately 24 hours following the onset of core damage under the more likely severe accident challenges and, following this 24-hour period, the containment should continue to provide a barrier against the uncontrolled release of fission products. More information is available in the following documents:

  • SECY-90-016, Evolutionary Light-Water Reactor (LWR) Certification Issues and Their Relationship to Current Regulatory Requirements, dated January 12, 1990 (Ref. 34).
  • SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, dated April 2, 1993 (Ref. 35), as approved by the June 26, 1990, SRM on SECY-90-016 (Ref. 36) and the July 21, 1993, SRM on SECY-93-087 (Ref. 37).

1. Element 1: Define the Proposed Change

Element 1 involves three primary activities.

First, the licensee should identify those aspects of the plant's licensing basis that may be affected by the proposed change, including but not limited to rules and regulations, FSAR, technical specifications, licensing conditions, and licensing commitments.

Second, the licensee should identify all structures, systems, and components (SSCs), procedures, and activities that are covered by the licensing basis change being evaluated and should consider the original reasons for including each program requirement. When considering licensing basis changes, a licensee may identify regulatory requirements or commitments in its licensing basis that it believes are overly restrictive or unnecessary to ensure safety at the plant. The corollary is also true; that is, licensees are also expected to identify design and operational aspects of the plant that should be enhanced consistent with an improved understanding of their safety significance. Appropriate licensing basis changes should reflect such enhancements.

Third, the licensee should identify available engineering studies, methods, codes, applicable plant-specific and industry data and operational experience, PRA findings, and research and analysis results relevant to the proposed licensing basis change. With particular regard to the plant-specific PRA,

the licensee should assess the capability to use, refine, augment, and update system models as needed to support a risk assessment of the proposed licensing basis change.

The above information should be used collectively to describe the licensing basis change and to outline the method of analysis. The licensee should describe the proposed change and how it meets the objectives of the Commission's PRA Policy Statement, including enhanced decisionmaking, more efficient use of resources, and reduction of unnecessary burden. In addition to improvements in reactor safety, this assessment may consider benefits from the licensing basis change such as reduced fiscal and personnel resources and radiation exposure. The licensee should affirm that the proposed licensing basis change meets the current regulations unless the proposed change is explicitly related to an exemption (i.e., a specific exemption under 10 CFR 50.12).

1.1 Combined Change Requests

Licensee proposals may include several individual changes to the licensing basis that have been evaluated and implemented in an integrated fashion. With respect to the overall net change in risk, the NRC staff considers combined change requests (CCRs) in the following two broad categories, each of which may be acceptable.

  • CCRs in which any individual change increases risk, or
  • CCRs in which each individual change decreases risk.

In the first category, the contribution of each individual change in the CCR should be quantified in the risk assessment, and the uncertainty of each individual change should be addressed. For CCRs in the second category, qualitative analysis may be sufficient for some or all individual changes. Guidelines for use in developing CCRs are discussed below.

1.2 Guidelines for Developing Combined Change Requests

The changes that make up a CCR should be related to one another (e.g., they affect the same single system or activity; they affect the same safety function or accident sequence or group of sequences; or they are the same type, such as changes in outage time allowed by technical specifications). However, this does not preclude acceptance of unrelated changes. CCRs submitted to the NRC staff for review should address in detail the relationships among the individual changes and how they have been modeled in the risk assessment, since this controls the characterization of the net result of the changes. Licensees should evaluate the individual changes, and also the changes taken in aggregate, against the safety principles and qualitative acceptance guidelines in Part C of this RG. In addition, the acceptability of the cumulative impact of the changes that make up the CCR should be assessed with respect to the quantitative acceptance guidelines discussed in Section C.2.4 of this guide.

CCRs in the first category should not increase the risk from significant accident sequences, and the frequencies of the lower ranked contributors should not increase so that they become significant contributors to risk. No significant new sequences or combinations of events and failures (i.e., cut sets) should be created. In assessments of the acceptability of CCRs, (1) risk increases related to the more likely initiating events (e.g., steam generator tube ruptures) should not be traded against improvements related to unlikely events (e.g., earthquakes) even if, for instance, they involve the same safety function, and (2) risk should be considered in addition to likelihood. The staff also expects CCRs to lead to safety benefits, such as simplifying plant operations or focusing resources on the most important safety items.

Proposed changes that modify one or more individual components of a previously approved CCR should also address the impact on the previously approved CCR. Specifically, the licensee should address whether the proposed modification would cause the previously approved CCR to become unacceptable. If this is the case, the submittal should address the actions the licensee is taking with respect to the previously approved CCR.

2. Element 2: Perform Engineering Analysis

The engineering analyses conducted to justify any proposed licensing basis change should be appropriate for the nature and scope of the proposed change. The licensee should appropriately consider uncertainty in the analysis and interpretation of findings. In selecting appropriate engineering analyses to support regulatory decisionmaking, the licensee should use judgment on the complexity and difficulty of implementing the proposed licensing basis change. Thus, the licensee should consider the appropriateness of qualitative and quantitative analyses, as well as analyses using traditional engineering approaches and those techniques associated with the use of PRA findings. Regardless of the analysis methods chosen, the licensee should show that it has met the principles described in Part C of this RG through the use of scrutable acceptance guidelines established for making that determination.

Some proposed licensing basis changes involve the categorization of SSCs according to safety significance. An example is grading the application of special treatment requirements commensurate with the safety significance of equipment under 10 CFR 50.69. The staff's review of licensing basis change requests for applications involving safety categorization should follow the acceptance guidelines associated with each key principle presented in this RG, unless the licensee proposes alternative and equivalent guidelines. Since risk-importance measures are often used in such categorizations, Appendix A to this RG provides guidance on their use. Other application-specific guidance documents address guidelines associated with the adequacy of programs (in this example, special treatment requirements) implemented for different safety-significant categories (e.g., more safety significant and less safety significant). Licensees are encouraged to apply risk-informed findings and insights to decisions (and potential licensing basis requests).

As part of Element 2, the licensee should evaluate the proposed licensing basis change with regard to the principles of maintaining consistency with the defense-in-depth philosophy, maintaining sufficient safety margins, and ensuring that proposed increases in CDF and LERF are small and are consistent with the intent of the Commission's Safety Goal Policy Statement.

2.1 Evaluation of Defense in Depth and Safety Margins

One aspect of the engineering evaluation is to show that the proposed licensing basis change does not compromise the fundamental safety principles that are the basis of plant design and operation (i.e., activities such as maintenance, testing, inspection, and qualification). During the design process, plant response and associated safety margins are evaluated using assumptions of physical properties and operating characteristics. National standards, the defense-in-depth philosophy, and the General Design Criteria are additional engineering considerations that influence plant design and operation.

A licensee's proposed licensing basis change might affect safety margins and defenses incorporated into the current plant design and operation; therefore, the licensee should reevaluate the safety margins and layers of defense to support the proposed change. As part of this evaluation, the licensee should determine the impact of the proposed licensing basis change on the functional capability, reliability, and availability of affected equipment. The plant's licensing basis is the reference point for judging whether a proposed licensing basis change adversely affects safety margins or defense in depth.

Sections C.2.1.1 and C.2.1.2 below present guidance on assessing whether the proposed licensing basis change remains consistent with the defense-in-depth philosophy and maintains adequate safety margins.

2.1.1 Defense in Depth

The engineering evaluation should demonstrate whether the implementation of the proposed licensing basis change is consistent with the defense-in-depth philosophy. The intent of this key principle of risk-informed decisionmaking is to ensure that any impact of the proposed licensing basis change on defense in depth is fully understood and addressed and that consistency with the defense-in-depth philosophy is maintained. The intent is not to prevent changes in the way defense in depth is achieved.

The licensee should fully understand how the proposed licensing basis change impacts plant design and operation from both risk and traditional engineering perspectives.

Section C.2.1.1.1 presents a brief background on the defense-in-depth philosophy. Section C.2.1.1.2 discusses the seven considerations that should be used to evaluate the impact of the proposed licensing basis change on defense in depth. Section C.2.1.1.3 provides guidance on evaluating the seven defense-in-depth considerations, and Section C.2.1.1.4 offers guidance on the integrated evaluation that should be conducted to demonstrate the application of this guidance.

Background

Defense in depth is an element of the NRC's safety philosophy that employs successive compensatory measures to prevent accidents or mitigate damage if a malfunction, accident, or naturally caused event occurs at a nuclear facility. The defense-in-depth philosophy has traditionally been applied in plant design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It has been and continues to be an effective way to account for uncertainties in equipment and human performance and, in particular, to account for the potential for unknown and unforeseen failure mechanisms or phenomena that, because they are unknown or unforeseen, are not reflected in either the PRA or traditional engineering analyses. The SRM on SECY-98-144, Staff Requirements - SECY-98-144 - White Paper on Risk-Informed and Performance-Based Regulation, dated March 1, 1999 (Ref. 38), provides additional information on defense in depth as an element of the NRC's safety philosophy.

In addition, nuclear plants that leverage the defense-in-depth philosophy in the design of the plant can gain some flexibility in operations and maintenance. For example, testing and maintenance of SSCs or corrective action to restore an engineered safety system might be allowed for short periods while remaining at-power consistent with established technical specifications. The NRC recognizes and allows these temporary configurations within these established programs. If a licensee proposes a licensing basis change that permits new or extended entry into a temporary condition, the licensee should demonstrate that entry into that temporary condition is justified and that consistency with the defense-in-depth philosophy is maintained as described in this section.

Defense in depth is often characterized by varying layers of defense, each of which may represent conceptual attributes of nuclear power plant design and operation or tangible objects such as the physical barriers between fission products and the environment. The NRC implements defense in depth as four layers of defense that are a mixture of conceptual constructs and physical barriers (see NUREG/KM-0009 for further detail). For the purposes of this RG, nuclear power plant defense in depth is taken to consist of layers of defense (i.e., successive measures) to protect the public:

  • robust plant design to survive hazards and minimize challenges that could result in an event occurring,
  • prevention of a severe accident (core damage) if an event occurs,
  • containment of the source term if a severe accident occurs, and
  • protection of the public from any releases of radioactive material (e.g., through siting in low-population areas and the ability to shelter or evacuate people, if necessary).

Considerations for Evaluating the Impact of the Proposed Licensing Basis Change on Defense in Depth

The proposed licensing basis change might adversely impact any one or more of the layers of defense discussed above. The NRC has identified seven considerations that should be used to evaluate the impact of the change on defense-in-depth. These are discussed in detail below. Section C.2.1.1.3 presents more detailed guidance on how to apply these considerations.

The NRC finds it acceptable for a licensee to use the following seven considerations to evaluate how the proposed licensing basis change impacts defense in depth.

1. Preserve a reasonable balance among the layers of defense.

A reasonable balance of the layers of defense (i.e., minimizing challenges to the plant, preventing any events from progressing to core damage, containing the radioactive source term, and emergency preparedness) helps to ensure an apportionment of the plant's capabilities between limiting disturbances to the plant and mitigating their consequences. The term "reasonable balance" is not meant to imply an equal apportionment of capabilities. The NRC recognizes that aspects of a plant's design or operation might cause one or more of the layers of defense to be adversely affected. For these situations, the balance between the other layers of defense becomes especially important when evaluating the impact of the proposed licensing basis change and its effect on defense in depth.

2. Preserve adequate capability of design features without an overreliance on programmatic activities as compensatory measures.

Nuclear power plant licensees implement a number of programmatic activities, including programs for quality assurance, testing and inspection, maintenance, control of transient combustible material, foreign material exclusion, containment cleanliness, and training. In some cases, activities that are part of these programs are used as compensatory measures; that is, they are measures taken to compensate for some reduced functionality, availability, reliability, redundancy, or other feature of the plant's design to ensure safety functions (e.g., reactor vessel inspections that provide assurance that reactor vessel failure is unlikely). NUREG-2122, Glossary of Risk-Related Terms in Support of Risk-Informed Decisionmaking (Ref. 39), defines "safety function" as those functions needed to shut down the reactor, remove the residual heat, and contain any radioactive material release.

A proposed licensing basis change might involve or require compensatory measures. Examples include hardware (e.g., skid-mounted temporary power supplies); human actions (e.g., manual system actuation); or some combination of these measures. Such compensatory measures are often associated with temporary plant configurations. The preferred approach for accomplishing safety functions is through engineered systems. Therefore, when the proposed licensing basis change necessitates reliance on programmatic activities as compensatory measures, the licensee should justify that this reliance is not excessive (i.e., not overly reliant). The intent of this consideration is not to preclude the use of such programs as compensatory measures but to ensure that the use of such measures does not significantly reduce the capability of the design features (e.g., hardware).

3. Preserve system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty.

As stated in Section C.2.1.1.1 above, the defense-in-depth philosophy has traditionally been applied in plant design and operation to provide multiple means to accomplish safety functions. System redundancy, independence, and diversity result in high availability and reliability of the function and also help ensure that system functions are not reliant on any single feature of the design. Redundancy provides for duplicate equipment that enables the failure or unavailability of at least one set of equipment to be tolerated without loss of function. Independence of equipment implies that the redundant equipment is separate such that it does not rely on the same supports to function. This independence can sometimes be achieved by the use of physical separation or physical protection. Diversity is accomplished by having equipment that performs the same function rely on different attributes such as different principles of operation, different physical variables, different conditions of operation, or production by different manufacturers, which helps reduce common-cause failure (CCF).

A proposed change might reduce the redundancy, independence, or diversity of systems. The intent of this consideration is to ensure that the ability to provide the system function is commensurate with the risk of scenarios that could be mitigated by that function. The consideration of uncertainty, including the uncertainty inherent in the PRA, implies that the use of redundancy, independence, or diversity provides high reliability and availability and also results in the ability to tolerate failures or unanticipated events.

4. Preserve adequate defense against potential CCFs.

An important aspect of ensuring defense in depth is to guard against CCF. Multiple components may fail to function because of a single specific cause or event that could simultaneously affect several components important to risk. The cause or event may include an installation or construction deficiency, accidental human action, extreme external environment, or an unintended cascading effect from any other operation or failure within the plant. CCFs can also result from poor design, manufacturing, or maintenance practices.

Defenses can prevent the occurrence of failures from the causes and events that could allow simultaneous multiple component failures. Another aspect of guarding against CCF is to ensure that an existing defense put in place to minimize the impact of CCF is not significantly reduced; however, a reduction in one defense can be compensated for by adding another.

5. Maintain multiple fission product barriers.

Fission product barriers include the physical barriers themselves (e.g., the fuel cladding, reactor coolant system pressure boundary, and containment) and any equipment relied on to protect the barriers (e.g., containment spray). In general, these barriers are designed to perform independently so that a complete failure of one barrier does not disable the next subsequent barrier. For example, one barrier, the containment, is designed to withstand a double-ended guillotine break of the largest pipe in the reactor coolant system, another barrier.

A plant's licensing basis might contain events that, by their very nature, challenge multiple barriers simultaneously. Examples include interfacing-system loss-of-coolant accidents, steam generator tube rupture, or crediting containment accident pressure. Therefore, complete independence of barriers, while a goal, might not be achievable for all possible scenarios.

6. Preserve sufficient defense against human errors.

Human errors include the failure of operators to correctly and promptly perform the actions necessary to operate the plant or respond to off-normal conditions and accidents, errors committed during test and maintenance, and incorrect actions by other plant staff. Human errors can result in the degradation or failure of a system to perform its function, thereby significantly reducing the effectiveness of one of the layers of defense or one of the fission product barriers.

The plant design and operation include defenses to prevent the occurrence of such errors and events. These defenses generally involve the use of procedures, training, and human engineering; however, other considerations (e.g., communication protocols) might also be important.

7. Continue to meet the intent of the plant's design criteria.

For plants licensed under 10 CFR Part 50 or 10 CFR Part 52, the plant's design criteria are set forth in the current licensing basis of the plant. The plant's design criteria define minimum requirements that achieve aspects of the defense-in-depth philosophy; as a consequence, even a compromise of the intent of those design criteria can directly result in a significant reduction in the effectiveness of one or more of the layers of defense. When evaluating the effect of the proposed licensing basis change, the licensee should demonstrate that it continues to meet the intent of the plant's design criteria.

Evaluating the Impact of the Proposed Licensing Basis Change on Defense in Depth

It is acceptable for a licensee to use the seven defense-in-depth considerations described in Section C.2.1.1.2 to evaluate the impact of a proposed licensing basis change on defense in depth. It is presumed that, before the implementation of the proposed licensing basis change, the as-built and as-operated plant is consistent with the defense-in-depth philosophy. However, there might be situations in which a plant is not in compliance with its design basis or licensing basis or new information might arise indicating that the design basis or licensing basis is deficient. In such cases, the as-built and as-operated plant might not be consistent with the defense-in-depth philosophy before the implementation of the proposed licensing basis change. When this occurs, the licensee should ensure compliance with existing requirements (e.g., regulations, license conditions, orders, etc.) and address any noncompliances. When addressing these deficiencies or noncompliances, consideration should be given to the concepts in this document to help achieve consistency with the defense-in-depth philosophy.

The seven defense-in-depth considerations could be arranged as a hierarchy. For example, the first consideration is an overarching high-level description of how defense in depth is achieved. Considerations 2 through 6 might apply to any of the layers of defense to aid the analyst in determining that the proposed licensing basis change preserves a reasonable balance among the layers of defense. Finally, Consideration 7 helps ensure completeness of the assessment of how the proposed licensing basis change could impact defense in depth. Nevertheless, in the interest of completeness, the licensee should address each of the seven considerations for any proposed licensing basis change. If the proposed licensing basis change has no impact on a given consideration, the licensee should state as much and include a brief justification. Licensees should structure their discussion of how the proposed licensing basis change impacts defense in depth by explicitly addressing the seven considerations. This approach would facilitate the licensee's analysis and contribute to a more efficient review by the NRC staff.

It is important to note that the focus here is on the effect of the proposed licensing basis change on defense in depth. The seven defense-in-depth considerations presented in Section C.2.1.1.2 are not intended to define how defense in depth is implemented in a plant's design but rather to help licensees assess the impact of the proposed licensing basis change on defense in depth.

The following discussion provides guidance on how to evaluate the proposed licensing basis change for each of the defense-in-depth considerations:

1. Preserve a reasonable balance among the layers of defense.

The proposed licensing basis change should not significantly reduce the effectiveness of a layer of defense that exists in the plant design before the implementation of the proposed licensing basis change.

The evaluation of the proposed licensing basis change should consider insights based on traditional engineering approaches; insights from risk assessments might be used to support engineering insights but should not be the only basis for meeting this consideration.

To evaluate this consideration, the licensee should address each of the layers of defense in turn. A reasonable balance among the layers of defense is preserved if the proposed licensing basis change does not significantly reduce the effectiveness of a layer of defense that exists in the plant design and operation before the implementation of the proposed licensing basis change (i.e., the effectiveness has not been reduced to the extent that the layer no longer provides an acceptable level of defense).

A comprehensive risk analysis can provide insights into whether the balance among the layers of defense remains appropriate to ensure protection of public health and safety. Such a risk analysis would include the likelihood of challenges to the plant (i.e., initiating event frequencies) from various hazards as well as CDF, containment response, and dose to the public. Understanding the drivers of the change in risk (i.e., at the level of initiating events, accident sequences, cut sets, etc.) can focus attention on which aspect of defense-in-depth is likely to be affected. In addition, qualitative and quantitative insights from the PRA might help justify a determination that the balance across all the layers of defense is preserved.

The risk acceptance guidelines in this RG are based on the surrogates for the Commission's QHOs (CDF and LERF). These risk metrics, developed as part of the risk assessment, can help inform the licensee's assessment of the relative balance between the prevention of core damage and containment of the radioactive source term.

However, to address the unknown and unforeseen failure mechanisms or phenomena, the licensee's evaluation of this defense-in-depth consideration should also address insights based on traditional engineering approaches. Results and insights of the risk assessment might be used to support the conclusion; however, the results and insights of the risk assessment should not be the only basis for justifying that this defense-in-depth consideration is met. The licensee should consider the impact of the proposed licensing basis change on each of the layers of defense.

  • Robust plant design to survive hazards and minimize challenges that could result in the occurrence of an event. The change should not significantly increase the likelihood of initiating events or create new significant initiating events.
  • Prevention of a severe accident (core damage) if an event occurs. The change should not significantly impact the availability and reliability of SSCs providing the safety functions that prevent plant challenges from progressing to core damage.
  • Containment of the source term if a severe accident occurs. The change should not significantly impact the containment function or SSCs supporting that function such as containment fan coolers and sprays.
  • Protection of the public from any releases of radioactive material. The change should not significantly reduce the effectiveness of the emergency preparedness program, including the ability to detect and measure releases of radioactivity, notify offsite agencies and the public, and shelter or evacuate the public as necessary.

2. Preserve adequate capability of design features without an overreliance on programmatic activities as compensatory measures.

The proposed licensing basis change should not substitute programmatic activities for design features to an extent that significantly reduces the reliability and availability of design features to perform their safety functions without overreliance on programmatic activities.

The evaluation of the proposed licensing basis change should demonstrate that the change does not result in an excessive reliance on programmatic activities that are used to compensate for an intended reduction in the capability of engineered safety features (or previously approved programmatic activities).

To evaluate this consideration, the licensee should first determine whether the proposed licensing basis change necessitates compensatory measures. If not, this should be stated as the reason for finding that this consideration is met. If compensatory measures are needed to support the proposed licensing basis change, the licensee should determine the extent to which it is relying on programmatic activities instead of design features. The intent of this consideration is not to preclude the use of programs as compensatory measures but to ensure that reliance on programmatic activities to compensate for a reduction in the capability of a design feature is not excessive.

A proposed licensing basis change that does not affect how safety functions are performed or does not reduce the reliability or availability of the SSCs that perform those functions would meet this defense-in-depth consideration. However, a licensee could contemplate a change in which a reduction in the capability of those SSCs is compensated for by reliance on plant programs (i.e., programmatic activities). In such a case, the licensee should assess whether the proposed licensing basis change would increase the need for programmatic activities to compensate for the lack of engineered features. If the proposed licensing basis change requires reliance on new programmatic activities or additional reliance on existing programmatic activities as a substitute for a design feature, the licensee should justify that the proposed reliance on the programmatic activities in place of design features is not excessive. Reliance on a programmatic activity as a compensatory measure might be considered excessive when a program is substituted for an engineered means of performing a safety function or when the failure of the programmatic activity could prevent an engineered safety feature from performing its intended function.

The NRC also recognizes that compensatory measures are sometimes associated with temporary conditions. A licensee might propose a risk-informed licensing basis change to permit occasional entry into conditions requiring measures that rely on plant programs to compensate for reduced capability of engineered systems or for one-time entry to allow corrective action to restore engineered systems to match the design and licensing basis. For such situations, the licensee should demonstrate that the plant condition requiring such compensatory measures would occur at a sufficiently low frequency or that the timeframe to take corrective action is commensurate with the significance of the nonconforming condition.

3. Preserve system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty.

The proposed licensing basis change should not significantly reduce the redundancy, independence, or diversity of systems.

The evaluation of the proposed licensing basis change should demonstrate that the change does not result in a significant increase in the expected frequency of challenges to the system or consequences of failure of the system functions as a result of a decrease in redundancy, independence, or diversity.

To evaluate this consideration, the licensee should demonstrate that any reduction in redundancy, independence, or diversity of systems does not result in a significant increase in risk. This evaluation should determine whether the proposed licensing basis change (1) is consistent with the assumptions in the plant's safety analysis, if applicable, (2) increases the frequency of challenges to the plant resulting from failure of the system, and (3) decreases the reliability or availability of the system to perform its intended functions. For items 2 and 3, the licensee should consider whether any increase in frequency or decrease in availability or reliability results in a significant increase in risk from one type of hazard or scenario. If the risk impact of the proposed licensing basis change is significant, then it is not commensurate with the importance of the system. The ability to accomplish a safety function might be substantially reduced if one of the plant features that provides system redundancy, independence, or diversity is defeated. The introduction of a new dependency that could potentially defeat the redundancy, independence, or diversity of the affected equipment could produce this adverse impact. Plant changes that introduce new dependencies among systems or functions or that introduce new CCFs (addressed under Consideration 4) should not disproportionately increase risk.

Some proposed licensing basis changes allow the plant to be in an operational condition in which certain design features are not available to perform their intended functions for some specified period of time. For example, a single train of a multitrain system might be out of service. This consideration of defense in depth is not intended to preclude such temporary plant configurations. Other controls on temporary plant configurations, such as the technical specifications, limit the exposure to risk during such periods.

4. Preserve adequate defense against potential CCFs.

The proposed licensing basis change should not significantly reduce defenses against CCFs that could defeat the redundancy, independence, or diversity of the layers of defense; fission product barriers; and the design, operational, or maintenance aspects of the plant.

The evaluation of the proposed licensing basis change should demonstrate that the change does not result in a significant reduction of existing CCF defenses or introduce new CCF dependencies.

Two general approaches exist for defending against CCF: (1) defend against the failure cause or event and (2) defend against the CCF dependencies or coupling factor. A combination of both approaches may be employed. The licensee should determine that the proposed licensing basis change does not reduce existing defense strategies or introduce a new cause, event, or coupling factor.

To evaluate this consideration, the licensee should determine whether the proposed licensing basis change could do any of the following.

  • Introduce a new potential CCF cause or event for which a defense is not in place.
  • Increase the probability or frequency of a cause or event that could cause simultaneous multiple component failures.
  • Introduce a new coupling factor for which a defense is not in place.
  • Weaken or defeat an existing defense against a cause, event, or coupling factor.

It is recognized that the PRA model explicitly models some types of CCF so that the risk assessment provides some insights into this consideration. However, to judge whether this consideration has been met, the licensee should also qualitatively evaluate whether the change has resulted in any of the four impacts listed above.

5. Maintain multiple fission product barriers.

The proposed licensing basis change should not significantly reduce the effectiveness of the multiple fission product barriers.

The evaluation of the proposed licensing basis change should demonstrate that the change does not (1) create a significant increase in the likelihood or consequence of an event that simultaneously challenges multiple barriers or (2) introduce a new event that would simultaneously impact multiple barriers.

To evaluate this consideration, the licensee should consider achieving the following objectives to ensure that the proposed licensing basis change remains consistent with the defense-in-depth philosophy.

  • The change does not result in a significant increase in the frequency of existing challenges to the integrity of the barriers.
  • The change does not significantly increase the failure probability of any individual barrier.
  • The change does not introduce new or additional failure dependencies among barriers that significantly increase the likelihood of failure compared to the existing conditions.

6. Preserve sufficient defense against human errors.

The proposed licensing basis change should not significantly increase the potential for or create new human errors that might adversely impact one or more layers of defense.

The evaluation of the proposed licensing basis change should demonstrate that the change does not significantly reduce the ability of plant staff to perform actions.

To evaluate this consideration, the licensee should determine whether the proposed licensing basis change would (1) create new human actions that are important to preserving any of the layers of defense for which a high reliability cannot be demonstrated or (2) significantly increase the probability of existing human errors by significantly affecting performance shaping factors, including mental and physical demands and level of training.

Consideration of human actions should include errors by operators, maintenance personnel, and other plant staff.

7. Continue to meet the intent of the plant's design criteria.

The proposed licensing basis change should not affect the plant's ability to meet the intent of the design criteria referenced in the licensing basis.

The evaluation of the proposed licensing basis change should demonstrate that the change does not significantly compromise the ability to meet the intent of the plant's design criteria, thereby significantly reducing the effectiveness of one or more layers of defense.

To evaluate this consideration, the licensee should consider the current licensing basis of the plant and determine how the proposed licensing basis change would meet the intent of the plant's design criteria. For plants licensed under 10 CFR Part 52, the licensee should also consider whether the change would meet the intent of the severe accident design features. In doing so, the licensee should demonstrate a full understanding of any impacts that the proposed licensing basis change might have on the design criteria or severe accident design features of the plant. In general, the consideration of applicable regulations under the first principle of risk-informed regulation might fully address this defense-in-depth consideration. Also, this consideration is not intended to preclude requests for changes to the plant's design criteria or severe accident design features.

For some hazards and for some licensees, the plant's licensing basis might define defense in depth. For example, the fire protection program for licensed nuclear power plants requires the maintenance of fire protection defense in depth, which is scenario based. Any proposed licensing basis change should be evaluated against any plant-specific defense-in-depth requirements in the licensing basis, in addition to the guidance presented here.

For plants licensed under 10 CFR Part 52, this consideration should also address those design features for the prevention and mitigation of severe accidents that are described and analyzed in accordance with 10 CFR 52.47(a)(23) and 10 CFR 52.79(a)(38). Section C.I.19.8 of RG 1.206 provides guidance on implementing these requirements and ties the requirements to the issues and performance goals identified in SECY-90-016 and SECY-93-087, which the Commission approved in the SRM on SECY-90-016 and the SRM on SECY-93-087.

Also, RG 1.216, Containment Structural Integrity Evaluation for Internal Pressure Loadings above Design-Basis Pressure (Ref. 40), provides acceptable methods for an analysis that specifically addresses the issues and performance goals identified in SECY-90-016 and SECY-93-087 and related SRM on containment structures in nuclear power plants under severe accident conditions. For this consideration, the potential impacts on these severe accident design features should also be evaluated to ensure that licensees continue to meet the intent of these design features.

Integrated Evaluation of the Defense-in-Depth Considerations

The guidance for evaluating the seven considerations described above should enable the licensee to demonstrate the impact of a proposed licensing basis change on defense in depth. The licensee should be able to conclude whether the change maintains consistency of the plant design with the defense-in-depth philosophy by showing that the intent of each consideration would still be met following the implementation of the proposed licensing basis change. Although the guidance is presented separately for each consideration, the evaluation of the proposed licensing basis change should be performed in an integrated fashion. The proposed licensing basis change is considered to maintain consistency with the defense-in-depth philosophy if the integrated assessment demonstrates no significant impact on a single consideration (i.e., the intent of each defense-in-depth consideration is met) or there is not a significant impact collectively across all seven considerations. Such an evaluation of the proposed licensing basis change against the seven considerations might be quantitative, qualitative, or both.

The evaluation should demonstrate the licensee's understanding of how the change impacts plant design and operation both from risk and traditional engineering perspectives.

2.1.2 Safety Margin

The engineering evaluation should assess whether the impact of the proposed licensing basis change is consistent with the principle that sufficient safety margins are maintained. Here also, the licensee is expected to choose the method of engineering analysis appropriate for evaluating whether sufficient safety margins would be maintained if the proposed licensing basis change were implemented. This section summarizes an acceptable set of guidelines for making that assessment, though licensees may use other equivalent guidelines.

With sufficient safety margins, (1) the codes and standards or their alternatives approved for use by the NRC are met and (2) safety analysis acceptance criteria in the licensing basis (e.g., FSAR, supporting analyses) are met or proposed revisions provide sufficient margin to account for uncertainty in the analysis and data.

2.2 Evaluation of Risk Impact, Including Treatment of Uncertainty

The licensee may use its risk assessment to address the principle that proposed increases in CDF and LERF are small and are consistent with the intent of the Commission's Safety Goal Policy Statement. For purposes of implementation, the licensee should assess the expected change in CDF and LERF. For licensing basis changes that may have a substantial impact, an in-depth and comprehensive risk assessment, in the form of a PRA that is appropriate to derive the total impact of the proposed licensing basis change, may be necessary to provide acceptable justification. As discussed in RG 1.200, a method or approach is considered to be a PRA when the method or approach (1) provides a quantitative assessment of the identified risk in terms of scenarios that result in undesired consequences (e.g., core damage or a large early release) and their frequencies and (2) comprises specific technical elements in performing the quantification. Section C of RG 1.200 defines the technical elements.

As discussed in Section C.2.4 of this guide, the risk acceptance guidelines are intended for comparison with the results of a full-scope risk assessment. However, the necessary sophistication of the evaluation, including the scope of the PRA (e.g., internal hazards only, at-power only), depends on the contribution of the risk assessment to integrated decisionmaking, which depends to some extent on the magnitude of the potential risk impact. Because the hazards and plant operating states are independent, addition of the mean value risk results (also referred to as aggregation of the results) of the contributions is mathematically correct.

In other applications, calculated risk-importance measures or bounding risk calculations may be adequate. In still others, a qualitative assessment of the impact of the licensing basis change on the plant's risk may be sufficient.

The remainder of this section discusses the use of quantitative PRA results in decisionmaking. This discussion has three parts.

1. A fundamental element of the NRC's risk-informed regulatory process is a PRA of sufficient scope, level of detail, conformance to technical elements, and plant representation for the intended application. Section C.2.3 of this guide discusses the staff's expectations with respect to the acceptability of the PRA for an application.

2. PRA results are to be used in this decisionmaking process in two ways: (1) to assess the overall base CDF/LERF of the plant and (2) to assess the CDF/LERF impact of the proposed change. Section C.2.4 of this guide discusses the acceptance guidelines for each of these measures.

3. One of the strengths of the PRA framework is its ability to characterize the impact of uncertainty in the analysis, and it is essential that these uncertainties be recognized when assessing whether the principles are being met. Section C.2.5 of this guide provides guidelines on addressing uncertainty in the decisionmaking process.

The staff bases its decision on the proposed licensing basis change on its independent judgment and review of the entire application.

2.3 Determining the Acceptability of a Probabilistic Risk Assessment

The PRA analysis used to support an application is measured in terms of its appropriateness with respect to scope, level of detail, conformance with the technical elements, and plant representation. These aspects of the PRA are to be commensurate with its intended use and the role the PRA results play in the integrated decision process. The more emphasis put on the risk insights and on PRA results in the decisionmaking process, the more requirements have to be placed on the PRA in terms of both scope and how well the risk and the change in risk are assessed.

Conversely, emphasis on the various aspects of the PRA can be reduced if a proposed change to the licensing basis results in a risk decrease or a very small change, or if the decision can be based mostly on traditional engineering arguments, or if compensating measures are proposed such that it can be convincingly argued that the change is very small. A PRA used in risk-informed regulation should be performed in a manner consistent with accepted practices. RG 1.200 describes one acceptable approach for determining whether the acceptability of the base PRA, in total or the parts that are used to support an application, is sufficient to provide confidence in the results, such that the PRA can be used in regulatory decisionmaking for LWRs. Specifically, RG 1.200 provides guidance for the following:

  • an acceptable PRA,
  • the NRC's position on PRA consensus standards and industry PRA peer review program documents,
  • demonstration that the baseline PRA (in total or specific parts) used in regulatory applications is acceptable, and
  • documentation of the acceptability of the PRA to support a regulatory submittal.

Other approaches may also be acceptable but may increase the scope of the staff review or result in a lower priority based on the availability of staff resources.

RG 1.200 endorses an ASME/ANS PRA standard that addresses the base PRA for CDF and LERF for internal and external hazard groups at-power. Other standards (e.g., for low-power and shutdown modes of operation and Level 2 PRAs) are under development.

This RG is intended for a variety of applications; consequently, the scope, level of detail, conformance with the technical elements, and plant representation may vary. The PRA should realistically reflect the actual design, construction, operational practices, and operational experience of the plant and its licensee. This should include the licensee's voluntary actions as well as regulatory requirements, and the PRA used to support risk-informed decisionmaking should also reflect the impact of previous changes made to the licensing basis.

2.3.1 Scope of a Probabilistic Risk Assessment to Support an Application

The scope of a PRA is defined in terms of the causes of initiating events and the plant operating modes it addresses. The causes of initiating events are classified into hazard groups, which are defined as groups of similar hazards that are assessed in a PRA using a common approach, methods, and likelihood data for characterizing the effect on the plant. Typical hazard groups considered in a nuclear power plant PRA include, but are not limited to, internal events, internal floods, seismic events, internal fires, high winds, and external flooding. For additional guidance on the scope of the base PRA, see Section C of RG 1.200.

The assessment of the risk implications in light of the acceptance guidelines discussed in Section C.2.4 of this guide suggests that all plant operating modes and hazard groups be addressed. However, it is not always necessary to have a PRA of such scope. A qualitative treatment of the missing modes and hazard groups may be sufficient when the licensee can demonstrate that those risk contributions would not affect the decision; that is, they do not alter the results of the comparison with the acceptance guidelines in Section C.2.4 of this guide. However, as stated in the SRM on SECY-04-0118, "Staff Requirements - SECY-04-0118 - Plan for the Implementation of the Commission's Phased Approach to Probabilistic Risk Assessment Quality," dated October 6, 2004 (Ref. 41), when the risk associated with a particular hazard group or operating mode would affect the decision being made, the Commission's policy is that, if a staff-endorsed PRA standard exists for that hazard group or operating mode, then the risk should be assessed using a PRA that meets that standard. Section C.2.5 of this guide discusses this further.

2.3.2 Technical Elements of a Probabilistic Risk Assessment to Support an Application

A PRA used in risk-informed regulation should be performed correctly and in a manner consistent with accepted practices. In general, this means that the methods used to develop the PRA are implemented correctly and the assumptions and approximations are reasonable. Additionally, the PRA scope and level of detail should be commensurate with that required for a given activity, as discussed in Sections C.2.3.1 and C.2.3.3 of this RG, respectively. Further, the PRA should appropriately represent the plant, as discussed in Section C.2.3.4 of this RG. RG 1.200 describes one acceptable approach for determining conformance with the technical elements needed in a PRA (in total or the parts that are used to support an application).

The assessment of the risk implications in light of the acceptance guidelines discussed in Section C.2.4 of this guide generally suggests a risk analysis in the form of a PRA. As described in RG 1.200, a risk analysis method or approach is considered a PRA when the method or approach (1) provides a quantitative assessment of the identified risk in terms of scenarios that result in undesired consequences (e.g., core damage or a large early release) and their frequencies, and (2) comprises specific technical elements in performing the quantification. The technical elements are the basic technical analyses needed to develop and quantify a PRA model and are defined in the ASME/ANS PRA standard. The specific technical elements can vary depending on the scope of the PRA model and therefore as dictated by the application.

The ASME/ANS PRA standard provides technical supporting requirements for each technical element in terms of capability categories. The capability categories increase from a lower to a higher number depending on the degree of detail, plant specificity, and realism. In general, the staff anticipates that current good practice (i.e., Capability Category II in the ASME/ANS PRA standard) is acceptable for most applications. RG 1.200 defines current good practice as those states of practice that are generally accepted throughout the industry and have been shown to be technically acceptable in documented analyses or engineering assessments. However, for some applications, meeting a lower capability category may be sufficient for some requirements; for other applications, it may be necessary to meet a higher capability category for specific requirements. For additional guidance on the technical elements in a base PRA, see Section C of RG 1.200.

2.3.3 Level of Detail in a Probabilistic Risk Assessment to Support an Application

The level of detail in the PRA should be sufficient to model the impact of the proposed licensing basis change. The characterization of the problem should include establishing a cause-effect relationship to identify portions of the PRA affected by the issue being evaluated. Full-scale applications of the PRA should reflect this cause-effect relationship in a quantification of the impact of the proposed licensing basis change on the PRA elements. For applications like component categorization, sensitivity studies on the effects of the proposed licensing basis change may be sufficient. For other applications, it may be acceptable to define the qualitative relationship of the impact of the proposed licensing basis change on the PRA elements or only to identify the impacted elements.

If the impacts of a proposed licensing basis change to the plant cannot be associated with elements of the PRA, the PRA should be modified accordingly or the impact of the change should be evaluated qualitatively as part of the integrated decisionmaking process discussed in Section C.2.6 of this guide. The assessment should properly account for the effects of the changes on the reliability and unavailability of SSCs or on operator actions. For additional guidance on the level of detail for the base PRA, see Section C in RG 1.200.

2.3.4 Plant Representation in a Probabilistic Risk Assessment to Support an Application

The PRA results used to support an application are derived from a base PRA model that represents the as-built and as-operated plant to the extent needed to support the application. Consequently, the PRA should have been maintained and upgraded, where necessary, to ensure that it represents the as-built and as-operated plant. For additional guidance on plant representation for the base PRA, see Section C of RG 1.200.

2.4 Acceptance Guidelines

The risk acceptance guidelines presented in this RG are based on the principles and expectations for risk-informed regulation discussed in Part C of this RG. The guidelines are structured as follows. Regions are established in the two planes generated by a measure of the base risk metric (CDF or LERF) along the x-axis and the change in those metrics (ΔCDF or ΔLERF) along the y-axis (Figures 4 and 5). Acceptance guidelines are established for each region as discussed below. These guidelines are intended for comparison with a full-scope (including internal and external hazards, at power, low power, and shutdown) assessment of the change in risk metric and, when necessary, as discussed below, the base value of the risk metric (CDF or LERF). However, it is recognized that many PRAs are not full scope, and PRA information of less than full scope may be acceptable as discussed in Section C.2.5 of this guide.

Figure 4. Acceptance guidelines* for core damage frequency

Figure 5. Acceptance guidelines* for large early release frequency

* The analysis is subject to increased technical review and management attention as indicated by the darkness of the shading of the figure. In the context of integrated decisionmaking, the boundaries between regions are not definitive; the numerical values associated with defining the regions in the figure are to be interpreted as indicative values only.

The two sets of acceptance guidelines, one for CDF and one for LERF, should both be used.

  • If the application clearly shows a decrease in CDF, the change has satisfied the relevant principle of risk-informed regulation with respect to CDF. The region associated with such a change is not represented graphically in Figure 4 given that the figure uses a logarithmic scale.

  • When the calculated increase in CDF is very small (i.e., the increase in CDF falls within Region III of Figure 4), which is taken as being less than 10⁻⁶ per reactor year, the change is considered regardless of whether there is a calculation of the total CDF. While there is no requirement to calculate the total CDF, if there is an indication that the CDF may be considerably higher than 10⁻⁴ per reactor year, the focus should be on finding ways to decrease rather than increase it. Such an indication would result, for example, if (1) the contribution to CDF calculated from a limited scope analysis, such as the individual plant examination (IPE) or the individual plant examination of external events (IPEEE), significantly exceeds 10⁻⁴, (2) a potential vulnerability has been identified from a margins-type analysis, or (3) historical experience at the plant in question indicates a potential safety concern.
  • When the calculated increase in CDF is in the range of 10⁻⁶ per reactor year to 10⁻⁵ per reactor year (i.e., the increase in CDF falls within Region II of Figure 4), applications are considered only if it can be reasonably shown that the total CDF is less than 10⁻⁴ per reactor year.
  • Applications that result in increases to CDF above 10⁻⁵ per reactor year (i.e., the increase in CDF falls within Region I of Figure 4) would not normally be considered.

AND

  • If the application clearly shows a decrease in LERF, the change has satisfied the relevant principle of risk-informed regulation with respect to LERF. The region associated with such a change is not represented graphically in Figure 5 given that the figure uses a logarithmic scale.

  • When the calculated increase in LERF is very small (i.e., the increase in LERF falls within Region III of Figure 5), which is taken as being less than 10⁻⁷ per reactor year, the change is considered regardless of whether there is a calculation of the total LERF. While there is no requirement to calculate the total LERF, if there is an indication that the LERF may be considerably higher than 10⁻⁵ per reactor year, the focus should be on finding ways to decrease rather than increase it. Such an indication would result, for example, if (1) the contribution to LERF calculated from a limited scope analysis, such as the IPE or the IPEEE, significantly exceeds 10⁻⁵, (2) a potential vulnerability has been identified from a margins-type analysis, or (3) historical experience at the plant in question indicates a potential safety concern.
  • When the calculated increase in LERF is in the range of 10⁻⁷ per reactor year to 10⁻⁶ per reactor year (i.e., the increase in LERF falls within Region II of Figure 5), applications are considered only if it can be reasonably shown that the total LERF is less than 10⁻⁵ per reactor year.
  • Applications that result in increases to LERF above 10⁻⁶ per reactor year (i.e., the increase in LERF falls within Region I of Figure 5) would not normally be considered.
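A first-pass screen of the CDF and LERF guidelines listed above, as an added example that is not part of RG 1.174 or of any NRC tool. The function names, finding labels and hazard-group figures are constructed for illustration; the thresholds are the indicative values quoted in the text, and because the guide treats region boundaries as non-definitive the output is a screen, not a decision.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Indicative values quoted in the guide, per reactor year. Region boundaries are
# not definitive, so results near a boundary need engineering judgment.
LIMITS = {
    "CDF":  {"very_small": 1e-6, "small": 1e-5, "total": 1e-4},
    "LERF": {"very_small": 1e-7, "small": 1e-6, "total": 1e-5},
}

# Finding labels are this example's own, ordered least to most restrictive.
SEVERITY = ["satisfied", "considered", "considered_reduce_base",
            "needs_total", "total_too_high", "not_normally_considered"]


@dataclass(frozen=True)
class Screen:
    metric: str
    delta: float            # aggregated mean change in the metric
    total: Optional[float]  # aggregated mean total, if one was supplied
    region: str             # "decrease", "III", "II" or "I"
    finding: str            # one of SEVERITY


def aggregate(contributions: Mapping[str, float]) -> float:
    """Add mean-value results across hazard groups and operating states."""
    return sum(contributions.values())


def screen_metric(metric: str,
                  delta_by_group: Mapping[str, float],
                  total_by_group: Optional[Mapping[str, float]] = None,
                  high_base_indicated: bool = False) -> Screen:
    """Place one metric (CDF or LERF) in a region and state what follows.

    high_base_indicated is the analyst's judgment that the total may be
    considerably higher than the guideline value (limited-scope result,
    margins-type finding, or plant history).
    """
    lim = LIMITS[metric]
    delta = aggregate(delta_by_group)
    total = None if total_by_group is None else aggregate(total_by_group)

    if delta < 0:
        # A clear decrease satisfies the principle for this metric.
        return Screen(metric, delta, total, "decrease", "satisfied")
    if delta < lim["very_small"]:
        # Region III: considered without a total, unless the base looks high.
        finding = "considered_reduce_base" if high_base_indicated else "considered"
        return Screen(metric, delta, total, "III", finding)
    if delta <= lim["small"]:
        # Region II: considered only if the total is shown to be below the limit.
        if total is None:
            finding = "needs_total"
        elif total < lim["total"]:
            finding = "considered"
        else:
            finding = "total_too_high"
        return Screen(metric, delta, total, "II", finding)
    # Region I: would not normally be considered.
    return Screen(metric, delta, total, "I", "not_normally_considered")


def screen_change(cdf: Screen, lerf: Screen) -> str:
    """Both sets of guidelines apply, so report the more restrictive finding."""
    return max(cdf.finding, lerf.finding, key=SEVERITY.index)


def demo():
    """Constructed sample values, per reactor year, for two hazard groups."""
    cdf = screen_metric("CDF", {"internal events": 4e-7, "internal fire": 3e-7})
    lerf = screen_metric(
        "LERF",
        {"internal events": 2e-7, "internal fire": 3e-7},
        total_by_group={"internal events": 2e-6, "internal fire": 4e-6},
    )
    return cdf, lerf, screen_change(cdf, lerf)


if __name__ == "__main__":
    for item in demo():
        print(item)
```
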

These guidelines are intended to provide assurance that proposed increases in CDF and LERF are small and are consistent with the intent of the Commission's Safety Goal Policy Statement. As indicated in the footnote to Figures 4 and 5, the boundaries between regions are not definitive. In applying these guidelines, it is particularly important to recognize that the risk metrics calculated using PRA models are a function of the assumptions and approximations made in the development of those models. This is particularly important when the results from PRA models for multiple hazard groups are combined, since the results from some hazard groups, depending on the state of practice, may be conservatively or nonconservatively biased. Section C.2.5 discusses this further. Section C.6.3.2 addresses the tracking of cumulative changes.

As indicated by the shading on the acceptance guideline figures, the change request is subject to an NRC technical and management review which becomes more intensive as the calculated results move closer to the region boundaries.

The guidelines discussed above are applicable for at-power, low-power, and shutdown operations. However, during certain shutdown operations when the containment function is not maintained, the LERF guideline as defined above is not practical. In those cases, licensees may use more stringent base CDF guidelines (e.g., 10⁻⁵ per reactor year) to maintain an equivalent risk profile or may propose an alternative guideline to LERF that meets the intent of Principle 4 (see Figure 2).

The technical review related to the risk evaluation addresses the acceptability of the analysis, including consideration of uncertainties as discussed in the next section. Section C.2.6 of this guide discusses aspects covered by the management review, which includes factors that are not amenable to PRA evaluation.

2.5 Comparison of Probabilistic Risk Assessment Results with the Acceptance Guidelines

This section provides guidance on comparing the results of the PRA with the acceptance guidelines described in Section C.2.4 of this guide. In the context of integrated decisionmaking, the acceptance guidelines should not be interpreted as being overly prescriptive. They are intended to give a numerical indication of what is considered acceptable. The lines between the regions are intentionally blurry to indicate that the NRC has discretion when making licensing decisions involving the risk acceptance guidelines. Thus, the numerical values associated with defining the regions in Figures 4 and 5 of this RG are approximate values indicating changes that are generally acceptable. Furthermore, the approximate nature of PRA models as discussed below and the state-of-knowledge uncertainties associated with PRA calculations preclude a definitive decision with respect to the region in which the application belongs based purely on the numerical results.

However, licensees should not consider that the acceptance guidelines have been met if the risk metrics exceed the acceptance guidelines when implementing self-approval processes. If the risk associated with changes identified in self-approval processes exceeds the acceptance guidelines, licensees may submit additional information for NRC review and approval consistent with this guide.

The intent of comparing the PRA results with the acceptance guidelines is to demonstrate with reasonable assurance that Principle 4 (i.e., proposed increases in CDF or LERF are small and are consistent with the Commission's Safety Goal Policy Statement) is being met. A PRA models the continuum of possible plant states in a discrete way and is an approximate model of the world. This results in some aspects of the world not being addressed except in a bounding way (e.g., different realizations of an accident sequence corresponding to different loss-of-coolant accident (LOCA) break sizes, within a category, are treated by assuming a bounding LOCA), with the time of failure of an operating component assumed to occur at the moment of demand. These approximations introduce conservative or nonconservative biases into the results. In principle, the analysis could explore the degree of conservatism or nonconservatism by increasing the level of detail in the PRA model, but this would typically be necessary only when the decision boundaries are challenged.

As discussed in Section C.2.3.1, the scope of the PRA needed to support a particular application may include several hazard groups or plant operating modes. The process of combining the risk contributions from different hazard groups is sometimes referred to as aggregation. When the assessments of the risk implications from different hazard groups must be combined, it is important to understand the relative level of realism associated with the modeling of each of the hazard groups. For example, the analysis of specific scope items, such as internal fire, internal flooding, or seismic initiating events, typically involves a successive screening approach that allows the detailed analysis to focus on the more significant contributions. The analysis of the less significant contributions is generally more conservative. In addition, for each of the risk contributors, there are unique sources of model uncertainty.

The assumptions made in response to these sources of model uncertainty and any conservatism or nonconservatism introduced by the analysis approach discussed above can bias the results. This is of particular concern for the assessment of importance measures (as contrasted with mean-value risk results) with respect to the combined risk assessment and the relative contributions of the hazard groups to the various risk metrics.

Therefore, this comparison of the PRA results with the acceptance guidelines should be based on an understanding of the contributors to the PRA results; the robustness of the assessment of those contributors, including any conservative or nonconservative biases resulting from modeling assumptions and approximations; and the impacts of the uncertainties, including uncertainties that are explicitly accounted for in the results and those that are not. This process is somewhat subjective, and the basis for the decisions should be well documented. Section C.2.5.1.3 of this guide provides guidance on what should be addressed. However, the types of uncertainty that impact PRA results and methods typically used to analyze those uncertainties are briefly discussed first. NUREG-1855 provides acceptable guidance on the treatment of uncertainties in risk-informed decisionmaking.

2.5.1 Types of Uncertainty

Three types of uncertainty affect the results of PRAs: parameter uncertainty, model uncertainty, and completeness uncertainty. Completeness uncertainty can be regarded as one aspect of model uncertainty, but because of its importance, it is discussed separately. The following sections summarize the treatment of PRA uncertainty. NUREG-1855 describes these different types of uncertainty and provides acceptable guidance for the treatment of uncertainties in risk-informed decisionmaking. The bibliography in this guide may also be consulted for additional information.

2.5.1.1 Parameter Uncertainty

Each of the models used, either to develop the PRA logic structure or to represent the basic events of that structure, has one or more parameters. Typically, each of these models (e.g., the Poisson model for initiating events) is assumed to be appropriate. However, the parameter values for these models are often not known perfectly. Parameter uncertainties are those associated with the values of the fundamental parameters of the PRA model, such as equipment failure rates, initiating event frequencies, and human error probabilities that are used in the quantification of the accident sequence frequencies. Parameter uncertainties are typically characterized by establishing probability distributions on the parameter values.

These distributions can be interpreted as expressing the analyst's degree of belief in the values these parameters could have, based on the analyst's knowledge and conditional on the underlying model being correct. Most PRA codes can readily propagate the distribution representing uncertainty on the basic parameter values to generate a probability distribution on the results of the PRA (e.g., CDF, accident sequence frequencies, LERF). However, the analysis should be done to correlate the sample values for different PRA elements from a group to which the same parameter value applies (the state-of-knowledge correlation (SOKC); Apostolakis and Kaplan, Pitfalls in Risk Calculations (Ref. 42)).

2.5.1.2 Model Uncertainty

The use of models for specific events or phenomena supports the development of the PRA model. In many cases, the industry's state of knowledge is incomplete, and opinions may vary on how the models should be formulated. Examples include approaches to modeling human performance, CCFs, and reactor coolant pump seal behavior upon a loss of seal cooling. This gives rise to model uncertainty.

In many cases, the appropriateness of the models adopted is not questioned, and these models have become, de facto, the consensus models to use. NUREG-1855 defines a consensus model as one that has a publicly available published basis and has been peer reviewed and widely adopted by an appropriate stakeholder group. In addition, widely accepted PRA practices may be regarded as consensus models.

Examples of the latter include the use of the constant probability of failure on demand model for standby components and the Poisson model for initiating events. For risk-informed regulatory decisions, the NRC has used or accepted the consensus model approach for the specific risk-informed application for which it is proposed. For some issues with well-formulated alternative models, PRAs have addressed model uncertainty by using discrete distributions over the alternative models, with the probability associated with a specific model representing the analyst's degree of belief that the model is the most appropriate. A good example is the characterization of the seismic hazard, as different hypotheses lead to different hazard curves, which can be used to develop a discrete probability distribution of the initiating event frequency for earthquakes. Other examples can be found in the Level 2 analysis.

Another approach to addressing model uncertainty has been to adjust the results of a single model through the use of an adjustment factor. However it is formulated, an explicit representation of model uncertainty can be propagated through the analysis in the same way as parameter uncertainty. More typically, however, particularly in the Level 1 analysis, the use of different models would result in the need for a different structure (e.g., with different thermal-hydraulic models used to determine success criteria). In such cases, uncertainties in the choice of an appropriate model are typically addressed by making assumptions and, as in the case of the component failure models discussed above, adopting a specific model.

In interpreting the results of a PRA, it is important to understand the impact of a specific assumption or choice of model on the predictions of the PRA. This is true even when the model uncertainty is treated probabilistically, since the probabilities, or weights, given to different models would be subjective. The impact of using alternative assumptions or models may be addressed by performing appropriate sensitivity studies or by using qualitative arguments, based on an understanding of the contributors to the results and how they are impacted by the change in assumptions or models. The impact of making specific modeling approximations may be explored in a similar manner.

2.5.1.3 Completeness Uncertainty

Completeness is not in itself an uncertainty, but a reflection of scope limitations. The result is, however, an uncertainty about where the true risk lies. The problem with completeness uncertainty is that, because it reflects an unanalyzed contribution, it is difficult (if not impossible) to determine its magnitude. Some contributions are unanalyzed not because methods are unavailable, but because they have not been refined to the level of the analysis of internal hazards.

Examples are the analysis of some external hazards and the low-power and shutdown modes of operation. However, methods of analysis have not been developed for some issues, and this has to be accepted as a potential limitation of the technology. For example, the impact on actual plant risk from unanalyzed issues such as the influences of organizational performance cannot now be explicitly assessed.

The issue of completeness of scope of a PRA can be addressed for those items for which methods are available in principle. Therefore, some understanding of the contribution to risk can be gained by supplementing the analysis with additional analysis to enlarge the scope, using more restrictive acceptance guidelines, or by providing arguments that, for the application of concern, the out-of-scope contributors are not significant. The next section includes approaches acceptable to the NRC staff for dealing with incompleteness.

2.5.2 Comparisons with Acceptance Guidelines

The different regions of the acceptance guidelines indicate that different depths of analysis may be needed. Changes resulting in a net decrease in the CDF and LERF do not need an assessment of the calculated base CDF and LERF. Generally, it should be possible to argue on the basis of an understanding of the contributors and the changes being made that the overall impact is indeed a decrease, without the need for a detailed quantitative analysis.

If the calculated values of CDF and LERF are very small, as defined by Region III in Figures 4 and 5, a detailed quantitative assessment of the base values of CDF and LERF is not necessary.

However, if there is an indication that the CDF or LERF could considerably exceed 10⁻⁴ and 10⁻⁵, respectively, in order for the change to be considered, the licensee may need to show why steps should not be taken to reduce CDF or LERF. Such an indication would result, for example, if (1) the contribution to CDF or LERF calculated from a limited scope analysis, such as the IPE or the IPEEE, significantly exceeds 10⁻⁴ and 10⁻⁵, respectively, (2) a margins-type analysis has identified a potential vulnerability, or (3) historical experience at the plant in question has indicated a potential safety concern.

For larger values of CDF and LERF, which lie in the range used to define Region II of Figures 4 and 5 in Section C.2.4 of this guide, an assessment of the base values of CDF and LERF is needed.

To demonstrate that the numerical guidelines are met, the level of detail needed for the assessment of the values and the analysis of uncertainty related to model and incompleteness issues depends on both (1) the licensing basis change being considered and (2) the importance of the demonstration that Principle 4 has been met. In Region III of Figures 4 and 5, the closer the CDF or LERF results are to their corresponding acceptance guidelines, the more detail should be provided.

Similarly, in Region II of Figures 4 and 5, the closer the CDF or LERF and CDF and LERF results are to their corresponding acceptance guidelines, the more detail should be provided. In a contrasting example, if the value of a particular metric is very small compared to the acceptance guideline, a simple bounding analysis may suffice with no need for a detailed uncertainty analysis.

Because of the way the acceptance guidelines in Section C.2.4 were developed, the appropriate numerical measures to use in the initial comparison of the PRA results to the acceptance guidelines are mean values. The mean values referred to are the means of the probability distributions that result from the propagation of the uncertainties on the input parameters and those model uncertainties explicitly represented in the model. While a formal propagation of the uncertainty is the best way to correctly account for state-of-knowledge uncertainties that arise from the use of the same parameter values for several basic event probability models, under certain circumstances, a formal propagation of uncertainty may not be necessary if it can be demonstrated that the SOKC is unimportant. If it can be demonstrated that the SOKC is unimportant to the regulatory decision under consideration, then the mean value that is quantified without consideration of this correlation can be used. This demonstration involves, for example, showing that the bulk of the contributing scenarios (cut sets or accident sequences) do not involve multiple events that rely on the same parameter for their quantification. Section 6 of NUREG-1855 provides acceptable guidance on addressing the SOKC.
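The effect of the SOKC on the mean value, described in Section 2.5.1.1 and in the paragraph above, can be seen in a small Monte Carlo propagation. The following is an added example, not part of the guide: the parameters, basic events and cut sets are constructed, parameter uncertainty is assumed lognormal with an error factor (95th percentile over median), and the top-event frequency uses the rare-event approximation (sum of cut-set products).

```python
import math
import random
from collections import Counter

Z95 = 1.645  # 95th percentile of the standard normal distribution

# Constructed sample model (assumption, not from the guide):
# parameter -> (mean value, lognormal error factor)
PARAMS = {
    "ie_loop": (2.0e-2, 3.0),   # initiating event frequency, per year
    "mov_fail": (3.0e-3, 3.0),  # valve fails to open on demand
    "edg_fts": (1.0e-2, 3.0),   # diesel generator fails to start
}
# basic event -> parameter used to quantify it
EVENTS = {
    "IE-LOOP": "ie_loop",
    "MOV-A": "mov_fail", "MOV-B": "mov_fail",
    "EDG-A": "edg_fts", "EDG-B": "edg_fts",
}
CUT_SETS = [
    ("IE-LOOP", "EDG-A", "EDG-B"),  # two events share edg_fts
    ("IE-LOOP", "MOV-A", "MOV-B"),  # two events share mov_fail
    ("IE-LOOP", "EDG-A", "MOV-B"),  # no shared parameter
]


def lognormal_mu_sigma(mean, error_factor):
    """Convert (mean, error factor) to the (mu, sigma) of ln X."""
    sigma = math.log(error_factor) / Z95
    return math.log(mean) - 0.5 * sigma ** 2, sigma


def point_estimate(cut_sets=CUT_SETS):
    """Quantify with mean parameter values only (no SOKC)."""
    return sum(math.prod(PARAMS[EVENTS[e]][0] for e in cs) for cs in cut_sets)


def analytic_mean_sokc(cut_sets=CUT_SETS):
    """Exact mean when events sharing a parameter share one sample.

    For lognormal X, E[X^k] = mean^k * exp(k*(k-1)*sigma^2/2).
    """
    total = 0.0
    for cs in cut_sets:
        term = 1.0
        for param, k in Counter(EVENTS[e] for e in cs).items():
            mean, ef = PARAMS[param]
            _, sigma = lognormal_mu_sigma(mean, ef)
            term *= mean ** k * math.exp(0.5 * k * (k - 1) * sigma ** 2)
        total += term
    return total


def monte_carlo_mean(correlated, n=200_000, seed=1, cut_sets=CUT_SETS):
    """Sample mean of the top-event frequency.

    correlated=True  : one draw per parameter per trial (SOKC honored).
    correlated=False : one draw per basic event (SOKC ignored).
    """
    rng = random.Random(seed)
    dist = {p: lognormal_mu_sigma(*v) for p, v in PARAMS.items()}
    total = 0.0
    for _ in range(n):
        if correlated:
            draw = {p: rng.lognormvariate(*dist[p]) for p in PARAMS}
            value = {e: draw[p] for e, p in EVENTS.items()}
        else:
            value = {e: rng.lognormvariate(*dist[p]) for e, p in EVENTS.items()}
        total += sum(math.prod(value[e] for e in cs) for cs in cut_sets)
    return total / n


def shared_parameter_fraction(cut_sets=CUT_SETS):
    """Share of the point estimate from cut sets that reuse a parameter."""
    shared = 0.0
    for cs in cut_sets:
        counts = Counter(EVENTS[e] for e in cs)
        if max(counts.values()) > 1:
            shared += math.prod(PARAMS[EVENTS[e]][0] for e in cs)
    return shared / point_estimate(cut_sets)


if __name__ == "__main__":
    print("point estimate      :", point_estimate())
    print("analytic SOKC mean  :", analytic_mean_sokc())
    print("MC mean, correlated :", monte_carlo_mean(True))
    print("MC mean, independent:", monte_carlo_mean(False))
    print("shared-param share  :", shared_parameter_fraction())
```

In this constructed model most of the point estimate comes from cut sets that reuse a parameter, so the mean quantified without the correlation understates the propagated mean; when `shared_parameter_fraction` is small, the two means converge.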

Consistent with the viewpoint that the guidelines are not to be used prescriptively, even if the calculated CDF and LERF values are such that they place the change in Region I or II, it may be possible to make a case that the application should be treated as if it were in Region II or III. For example, the licensee could argue that there are unquantified benefits that are not reflected in the quantitative risk results or that some contributors have been addressed using conservative approaches. However, care should be taken that there are no unquantified detrimental impacts of the proposed licensing basis change, such as an increase in operator burden. In addition, if compensatory measures are proposed to counter the impact of the major risk contributors that influence the ability to demonstrate that the acceptance guidelines are met, the PRA model that supports the application should include those compensatory measures.

While the analysis of parametric uncertainty is fairly mature and is addressed adequately through the use of mean values, the analysis of the model and completeness uncertainties cannot be handled in such a formal manner. Whether the PRA is full or partial in scope, and whether only the change in metrics or both the change and base values need to be quantified, the licensee should demonstrate that the choice of reasonable alternative hypotheses, adjustment factors, or modeling approximations or methods adopted in the PRA model would not significantly change the assessment. In the ASME/ANS PRA standard endorsed by RG 1.200, a reasonable alternative assumption is broadly accepted within the technical community and has a technical basis for consideration at least as sound as that of the assumption being made. This demonstration can take the form of well-formulated sensitivity studies or qualitative arguments. The NRC does not intend that the search for alternatives should be exhaustive or arbitrary. For the decisions that involve only assessing the change in metrics, the number of model uncertainty issues to be addressed should be smaller than for the case of the base values, when only a portion of the model is affected.

The alternatives that would drive the result toward unacceptability should be identified and sensitivity studies should be performed or reasons be given as to why they are not appropriate for the current application or for the particular plant. Such alternatives are those associated with key sources of model uncertainty, which are defined in the ASME/ANS PRA standard endorsed by RG 1.200 as sources of model uncertainty that could impact the PRA results used in a decision and, consequently, may influence the decision being made. In general, the results of the sensitivity studies should confirm that the guidelines are still met even under the alternative assumptions (i.e., change generally remains in the appropriate region). Alternatively, this analysis can be used to identify candidates for compensatory actions or increased monitoring. Section 8 of NUREG-1855 provides additional, acceptable guidance on treating PRA uncertainty in the decisionmaking process. The licensee should pay particular attention to those assumptions that impact the parts of the model being exercised by the proposed licensing basis change.

When the PRA is not full scope, it is necessary for the licensee to address the significance of the out-of-scope items. The importance of assessing the contribution of the out-of-scope portions of the PRA to the base case CDF and LERF is related to the margin between the as-calculated values and the acceptance guidelines. When the contributions from the modeled contributors are close to the guidelines, the argument that the contribution from the missing items is not significant should be convincing and, in some cases, may warrant additional PRA analyses. When the margin is significant, a qualitative argument may be sufficient. The contribution of the out-of-scope portions of the model to the change in metric may be addressed by bounding analyses, detailed analyses, or by a demonstration that the change has no impact on the unmodeled contributors to risk. In addition, the licensee should demonstrate that proposed licensing basis changes based on a partial PRA do not disproportionately change the risk associated with accident sequences that arise from the modes of operation not included in the PRA.

One alternative to an analysis of uncertainty is to design the proposed licensing basis change so that the major sources of uncertainty do not have an impact on the decisionmaking process. For example, in the region of the acceptance guidelines where small increases are allowed regardless of the value of the base CDF or LERF, the proposed change to the licensing basis could be designed so that the change does not affect the modes of operation or the initiating events that are missing from the analysis. In these cases, incompleteness would not be an issue. Similarly, in such cases, it would not be necessary to address all the model uncertainties, but only those that impact the evaluation of the proposed licensing basis change.

If only a Level 1 PRA is available, in general, only the CDF is calculated and not the LERF. NUREG/CR-6595 presents an approach that allows a subset of the core damage accidents identified in the Level 1 analysis to be allocated to a release category that is equivalent to a LERF. The approach uses simplified event trees that can be quantified by the licensee on the basis of the plant configuration applicable to each accident sequence in the Level 1 analysis. The frequency derived from these event trees can be compared to the LERF acceptance guidelines. The approach described in NUREG/CR-6595 may be used to quantify LERF only in those cases when the plant is not close to the CDF and LERF acceptance guidelines.

The varying levels of detail and conservatisms (and nonconservatisms) in the different hazards and plant operating states need to be considered when combining the results. The impact of these variations on the PRA results can be larger for different risk contributors. However, these concerns do not preclude combining results from different risk contributors. The licensee needs to consider the differences in the confidence with which the significant contributors to the risk metric results are representative of the associated risk. Section 4.3 in NUREG-1855 provides additional, acceptable guidance on this issue.

2.6 Integrated Decisionmaking

In making a regulatory decision, risk insights (including their associated uncertainties) are integrated with considerations of defense in depth and safety margins. The degree to which the risk insights (and their uncertainties) play a role, and therefore the need for detailed staff review, depends on the application.

For risk-informed licensing basis changes, quantitative risk results from PRAs (including their associated uncertainties) are typically the most useful and complete characterization of risk, but they should be supplemented by qualitative risk insights and traditional engineering analysis where appropriate. Qualitative risk insights may include generic results that have been learned from previous PRAs and from operational experience. For example, to decide which motor-operated valves in a plant can be tested less frequently, the plant-specific PRA results can be compared with results from similar plants. This type of comparison can support the licensee's analysis and reduce the staff's effort in reviewing the licensee's PRA. However, as a general rule, applications that affect many SSCs benefit from quantitative risk assessment, as discussed in Sections C.2.5 through C.2.5.2 of this guide and in NUREG-1855.

Traditional engineering analysis provides insight into available margins and defense in depth.

With few exceptions, these assessments are performed without any quantification of risk. However, a PRA can provide insights into the strengths and weaknesses of the plant design and operation relative to defense in depth.

The results of the different elements of the engineering analyses discussed in Sections C.2.1 and C.2.2 of this guide should be considered in an integrated manner. None of the individual analyses is sufficient in and of itself. In this way, it can be seen that the decision is not driven solely by the numerical results of the PRA. These results are one input into the decisionmaking and help in building an overall picture of the risk implications of the proposed licensing basis change. The PRA has an important role in putting the proposed change into its proper context as it affects the plant as a whole. The PRA analysis (including consideration of its uncertainties) is used to demonstrate that Principle 4 has been satisfied. As the discussion in the previous section indicates, both quantitative and qualitative arguments may be used.

Even though the different pieces of evidence used to argue that the principle is satisfied may not be combined formally, they need to be clearly documented.

The acceptability of the proposed licensing basis change supported by the risk-informed decision depends on the confidence the NRC staff has in the results of the analysis. As indicated, one important factor to consider when determining the degree of implementation of the proposed change is the ability to monitor the performance to limit the potential risk. In many applications, defining specific measures and criteria to be monitored subsequent to approval can limit the potential risk. When relying on performance monitoring, the staff should have assurance that the measures truly represent the potential for risk increase and that the criteria are set at reasonable limits. Moreover, the staff should also ensure that degrading performance can be detected in a timely fashion, long before a significant public health issue results. The impact of the monitoring can be fed back into the analysis to demonstrate how it supports the decision.

The NRC review of an application considers all these factors. In particular, the review of the acceptability of the PRA focuses on those aspects that impact the results used in the decision and on the degree of confidence required in those results (which includes addressing the associated uncertainties).

For a limited-scope application, the staff would conduct a more limited review of the risk results, placing less emphasis on PRA acceptability than in the case of a broad-scope application.

Finally, when implementing a decision, the licensee may choose to compensate for a lack of confidence in the analysis by restricting the degree of implementation. Several applications involving SSC categorization into low or high safety significance have used this technique. In general, unless there is compelling evidence that the SSC is of low safety significance, it is considered to be of high safety significance. This requires a reasonable understanding of the limitations of the PRA. Another example of risk limitation is the placing of restrictions on the application. For example, risk-informed changes in the completion times of technical specifications are accompanied by implementation of a configuration risk management program, which requires licensees to examine their plant configuration before voluntarily entering the approved condition.

Section C.2.4 of this guide indicates that NRC management would give increased attention to the application if the calculated values of the changes in the risk metrics and their base values, when appropriate, approach the acceptance guidelines. Therefore, if the risk metrics approach or even slightly exceed the acceptance guidelines, the licensee's submittal should address the following:

  • an identification of the significant contributors to the risk metrics and assessment of the realism with which they have been evaluated, which is particularly important if some contributors are known to have been assessed conservatively or nonconservatively;
  • the cumulative impact of previous changes and the trend in CDF (the licensee's risk management approach);
  • the cumulative impact of previous changes and the trend in LERF (the licensee's risk management approach);
  • the impact of the proposed change on operational complexity, burden on the operating staff, and overall safety practices;
  • plant-specific performance and other factors (for example, siting factors, inspection findings, performance indicators, and operational events) and Level 3 PRA information, if available;
  • the benefit of the change in relation to its CDF/LERF increase;

  • the practicality of accomplishing the change with a smaller CDF/LERF impact;
  • the practicality of reducing CDF/LERF when there is reason to believe that the base CDF and LERF are above the guideline values (i.e., 10⁻⁴ and 10⁻⁵ per reactor year, respectively); and
  • the treatment of uncertainties, as discussed in Section C.2.5.1.

3. Element 3: Define Implementation and Monitoring Program

Careful consideration should be given to implementation of the proposed change and the associated performance monitoring strategies. The primary goal of Element 3 is to ensure that no unexpected adverse safety degradation occurs because of the change(s) to the licensing basis. The staff's principal concern is the possibility that the aggregate impact of changes that affect a large class of SSCs could lead to an unacceptable increase in the number of failures from unanticipated degradation, including possible increases in common-cause mechanisms. Therefore, an implementation and monitoring plan should be developed to ensure that the engineering evaluation conducted to examine the impact of the proposed changes continues to reflect the actual reliability and availability of the SSCs evaluated. This ensures that the conclusions drawn from the evaluation remain valid.

Decisions on the implementation of licensing basis changes should be made after considering the uncertainty associated with the results of the traditional and probabilistic engineering evaluations. Broad implementation within a limited time period may be justified when uncertainty is shown to be low (e.g., data and models are acceptable, engineering evaluations are verified and validated). A slower, phased approach to implementation (or other modes of partial implementation) would be expected when uncertainty in evaluation findings is higher and when programmatic changes are being made that could impact SSCs across a wide spectrum of the plant, such as changes in inservice testing, inservice inspection, and graded quality assurance (i.e., graded special treatment). In such situations, the licensee should fully consider the potential introduction of common-cause effects and include this in the submittal.

The licensee should propose monitoring programs that adequately track the performance of equipment that, when degraded, can affect the conclusions of the licensee's engineering evaluation and integrated decisionmaking that support the change to the licensing basis. The program should be capable of trending equipment performance after a change has been implemented to demonstrate that performance is consistent with the assumptions in the traditional engineering and probabilistic analyses conducted to justify the change. This may include monitoring associated with nonsafety-related SSCs if the analysis determines that those SSCs are risk significant. The program should be structured such that (1) SSCs are monitored commensurate with their safety importance (i.e., monitoring for SSCs categorized as having low safety significance may be less rigorous than that for SSCs of high safety significance), (2) feedback of information and corrective actions is timely, and (3) degradation in SSC performance is detected and corrected before plant safety can be compromised. The potential impact of observed SSC degradation on similar components in different systems throughout the plant should be considered.

Licensees should integrate, or at least coordinate, their monitoring for risk-informed changes with existing programs that monitor equipment performance and other operating experience on their site and industrywide. In particular, monitoring under 10 CFR 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants (the Maintenance Rule) (Ref. 43), can be used when the monitoring performed under the Maintenance Rule is sufficient for the SSCs affected by the risk-informed application. If an application requires monitoring of SSCs not covered by the Maintenance Rule or that have a greater resolution of monitoring than specified in the Maintenance Rule (component versus train- or plant-level monitoring), a licensee may find it advantageous to adjust the Maintenance Rule monitoring program rather than to develop additional monitoring programs for risk-informed purposes. In these cases, the performance criteria chosen should be shown to be appropriate for the application. Because plant or licensee performance under actual design conditions may not be readily measurable or monitorable, whatever information most closely approximates actual performance data should be used. For example, establishing a monitoring program with a performance-based feedback approach may combine some of the following activities:

  • monitoring performance characteristics under actual design-basis conditions (e.g., reviewing actual demands on emergency diesel generators, reviewing operating experience);
  • monitoring performance characteristics under test conditions that are similar to those expected during a design-basis event;
  • monitoring and trending performance characteristics to verify aspects of the underlying analyses, research, or bases for a requirement (e.g., measuring battery voltage and specific gravity, inservice inspection of piping);
  • evaluating licensee performance during training scenarios (e.g., emergency planning exercises, operator licensing examinations); and
  • component quality controls, including developing pre- and post-component installation evaluations (e.g., environmental qualification inspections, reactor protection system channel checks, continuity testing of boiling-water reactor squib valves).

An important part of the monitoring program is the inclusion of provisions for specific cause determination, trending of degradation and failures, and corrective actions. Such provisions should be applied to SSCs commensurate with their importance to safety as determined by the engineering evaluation used to support the licensing basis change. A determination of cause is needed when performance expectations are not being met or when a functional failure of an application-specific SSC poses a significant condition adverse to performance. The cause determination should identify the cause of the failure or degraded performance to the extent that corrective action can be identified that would preclude the problem or ensure that it is anticipated before becoming a safety concern. The determination of cause should address failure significance, the circumstances of the failure or degraded performance, the characteristics of the failure, and whether the failure is isolated or has generic or common-cause implications as defined in NUREG/CR-5485, Guidelines on Modeling Common-Cause Failures in Probabilistic Risk Assessment (Ref. 44).

Finally, in accordance with Criterion XVI, Corrective Action, of 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants (Ref. 45), the monitoring program should identify any corrective actions to preclude the recurrence of unacceptable failures or degraded performance. The circumstances surrounding the failure may indicate that the SSC failed because of adverse or harsh operating conditions (e.g., operating a valve dry, overpressurization of a system) or failure of another component. Therefore, corrective actions should also consider SSCs with similar characteristics with regard to operating, design, or maintenance conditions. The licensee does not need to report the results of the monitoring to the NRC but should retain them on site for inspection.

4. Element 4: Submit Proposed Change

Requests for proposed changes to the plant's licensing basis typically take the form of requests for license amendments (including changes to or removal of license conditions), technical specification changes, changes to or withdrawals of orders, and changes to programs under 10 CFR 50.54, Conditions of Licenses (Ref. 46) (e.g., quality assurance program changes under 10 CFR 50.54(a)). Licensees should (1) carefully review the proposed licensing basis change to determine the appropriate form of the change request, (2) ensure that information required by the relevant regulations in support of the request is developed, and (3) prepare and submit the request in accordance with relevant procedural requirements.

For example, license amendments should meet the requirements of 10 CFR 50.90; 10 CFR 50.91, Notice for Public Comment; State Consultation (Ref. 47); and 10 CFR 50.92. The amendments should also meet the procedural requirements in 10 CFR 50.4, Written Communications (Ref. 48). Risk information that the licensee submits to support the licensing basis change request should meet the guidance in Section C.6 of this RG.

Licensees may submit risk information in support of their licensing basis change request. If the licensee's proposed change to the licensing basis is consistent with currently approved staff positions, the staff's determination is generally based solely on traditional engineering analyses without recourse to risk information (although the staff may consider any risk information submitted by the licensee). If the licensee's proposed change goes beyond currently approved staff positions, the staff normally considers information based on both traditional engineering analyses and risk insights. If the licensee does not submit risk information in support of a licensing basis change that goes beyond currently approved staff positions, the staff may ask the licensee to submit such information. If the licensee chooses not to provide the risk information, the staff reviews the proposed application using traditional engineering analyses and determines whether the information provided is sufficient to support the requested change. However, if new information reveals an unforeseen hazard or a substantially greater potential for a known hazard to occur, such as the identification of an issue related to the requested change that may substantially increase risk, the NRC staff requests that the licensee submit risk-related information. The NRC staff will not approve the requested licensing basis change until it has reasonable assurance that the public health and safety will be adequately protected if the requested licensing basis change is approved.

In developing the risk information in this RG, licensees may identify SSCs with high risk significance that are not currently subject to regulatory requirements or are subject to a level of regulation that is not commensurate with their risk significance. In such cases, licensees should propose licensing basis changes that would subject these SSCs to an appropriate level of regulatory oversight, consistent with the risk significance of each SSC.

5. Quality Assurance

As stated in Section C.2 of this guide, the engineering analyses conducted to justify proposed licensing basis changes should be appropriate for the nature of the change. For traditional engineering analyses (e.g., deterministic engineering calculations), the NRC staff expects that existing provisions for quality assurance (e.g., Appendix B to 10 CFR Part 50 for safety-related SSCs) will apply and provide the appropriate quality needed. Likewise, when a risk assessment of the plant is used to provide insights into the decisionmaking process, the NRC staff expects that the PRA is subject to quality control.

To the extent that a licensee elects to use PRA information to enhance or modify activities affecting the safety-related functions of SSCs, the following (in conjunction with the other guidance presented in this RG) describes methods acceptable to the NRC staff to ensure that the pertinent quality assurance requirements of Appendix B to 10 CFR Part 50 are met and that the PRA is sufficient for use in regulatory decisions:

  • Use personnel qualified for the analysis.
  • Use procedures that ensure control of documentation, including revisions, and provide for independent review, verification, or checking of calculations and information used in the analyses. (An independent peer review or certification program can be an important element in this process.)

  • Provide documentation and maintain records in accordance with the guidelines in Section C.6 of this guide.
  • Use procedures to ensure appropriate attention and corrective actions if assumptions, analyses, or information used in previous decisionmaking are changed (e.g., licensee voluntary action) or determined to be in error.

When performance monitoring programs are used in the implementation of proposed changes to the licensing basis, those programs should include quality assurance provisions commensurate with the safety significance of affected SSCs. An existing PRA or analysis can be used to support a proposed licensing basis change, if it can be shown that the appropriate quality provisions are met.

6. Documentation

6.1 Introduction

The NRC staff's review of a requested licensing basis change is to ensure that the analyses conducted by the licensee were sufficient to conclude that the key principles of risk-informed regulation are met. To facilitate the staff's review, documentation of the evaluation process and findings is to be maintained. Additionally, the information submitted should include a description of the process used by the licensee to ensure its adequacy and some specific information that staff can use to support its conclusion regarding the acceptability of the requested licensing basis change.

6.2 Archival Documentation

Archival documentation should include a detailed description of engineering analyses conducted and the results obtained, irrespective of whether they were quantitative or qualitative, or whether the analyses used traditional engineering methods or probabilistic approaches. The licensee should maintain this documentation as part of its quality assurance program, so that it is available for examination.

Documentation of the analyses conducted to support changes to a plant's licensing basis should be maintained as lifetime quality records in accordance with RG 1.33, Quality Assurance Program Requirements (Operation) (Ref. 49).

6.3 Licensee Submittal Documentation

To support the NRC staff's conclusion that the proposed licensing basis change is consistent with the key principles of risk-informed regulation and NRC staff expectations, the licensee should submit the following information:

  • A description of how the proposed change impacts the licensing basis. This relates to the risk-informed decisionmaking principle that the licensing basis changes meet regulations.
  • A description of the components and systems affected by the change, the types of changes proposed, the reason for the changes, and results and insights from an analysis of available data on equipment performance. The staff expects evaluation of all safety impacts of the proposed licensing basis change.

  • A reevaluation of the licensing basis accident analysis and the provisions of 10 CFR Part 20, Standards for Protection against Radiation (Ref. 50), and 10 CFR Part 100, Reactor Site Criteria (Ref. 51), if appropriate. This relates to the risk-informed decisionmaking principles of the licensing basis changes meeting the regulations, maintaining sufficient safety margins, and maintaining consistency with the defense-in-depth philosophy.

  • An evaluation of the impact of the licensing basis change on the breadth or depth of defense-in-depth attributes of the plant. This relates to the risk-informed decisionmaking principle that the proposed licensing basis change maintains consistency with the defense-in-depth philosophy.
  • Identification of how and where the proposed change will be documented as part of the plant's licensing basis (e.g., FSAR, technical specifications, licensing conditions). This should include proposed changes or enhancements to the regulatory controls for high-risk-significant SSCs that are not subject to any requirements or the requirements are not commensurate with the SSCs' risk significance.

The licensee should also identify:

  • Key assumptions in the PRA that impact the application (e.g., voluntary licensee actions), elements of the monitoring program, and commitments made to support the application. As defined in the ASME/ANS PRA standard endorsed in RG 1.200, an assumption is labeled key when it may influence (i.e., have the potential to change) the decision being made.

  • SSCs for which requirements should be increased.
  • Information to be provided as part of the plant's licensing basis (e.g., FSAR, technical specifications, licensing conditions).

The last item comes into play if the PRA forms part of the basis for enhancing or modifying safety-related functions of SSCs subject to those provisions. Thus, the licensee would be expected to control PRA activity in a manner commensurate with its impact on the facility's design and licensing basis and in accordance with all applicable regulations and its quality assurance program description.

An independent peer review (as described in RG 1.200) is an important consideration in risk-informed applications. The licensee's submittal should discuss measures used to ensure the PRA is acceptable for the application, such as a report of a peer review augmented by a discussion of the appropriateness of the PRA model for supporting a risk assessment of the licensing basis change being considered. The submittal should address any analysis limitations that are expected to affect the conclusion as to the acceptability of the proposed change.

The licensee's resolution of the findings of the peer review that have not been closed by an NRC-accepted process should also be submitted (see Section C.4.2 of RG 1.200 for additional guidance). For example, this response could indicate whether the PRA was modified following the peer review or could justify why no change was necessary to support decisionmaking for the licensing basis change under consideration. As discussed in Section C.2.2 of this guide, the staff's decision on the proposed license amendment is based on its independent judgment and review.

6.3.1 Risk Assessment Methods

To generate confidence in the risk assessment used to support the proposed change, the licensee should submit a summary of the risk assessment methods used. Consistent with current practice, information submitted to the NRC for its consideration in making risk-informed regulatory decisions will be made publicly available, unless such information is properly identified as proprietary in accordance with the regulations. Licensees should submit the following information to show that the engineering analyses conducted to justify the proposed licensing basis change are appropriate to the nature and scope of the change:

  • A description of the risk assessment methods used.
  • Documentation showing that the base PRA is acceptable.
  • A description of the licensee's process for ensuring PRA acceptability and a discussion of why the PRA is acceptable to support the current application.
  • The key modeling assumptions necessary to support the analysis or that affect the application. A modeling assumption is related to a model uncertainty and is made with the knowledge that a different reasonable alternative assumption exists. A reasonable alternative assumption is one that has broad acceptance within the technical community and for which the technical basis for consideration is at least as sound as that of the assumption being made. An assumption is considered key when it may influence (i.e., have the potential to change) the decision being made. NUREG-1855 provides useful insights related to this expectation.

  • Information related to consideration of uncertainty in the analyses used to support the application. NUREG-1855 provides acceptable guidance for the treatment of uncertainties in risk-informed decisionmaking.

  • The event trees and fault trees that require modification to support analyses of the proposed change with a description of their modification.
  • A list of operator actions modeled in the PRA that affect the application and their error probabilities.

The submitted information summarizing the results of the risk assessment should include the following.

  • The effects of the proposed change on the more significant sequences (e.g., sequences that contribute more than 5 percent to the risk) to show that the licensing basis change does not create risk outliers and does not exacerbate existing risk outliers.
  • An assessment of the change to CDF and LERF, including a description of the significant contributors to the change.
  • Information related to the assessment of the full-scope base CDF (the extent of the information needed depends on whether the analysis of the change in CDF is in Region II or Region III of Figure 4).

  • Information related to the assessment of the full-scope base LERF (the extent of the information needed depends on whether the analysis of the change in LERF is in Region II or Region III of Figure 5).
  • Results of sensitivity analyses showing that the conclusions as to the impact of the licensing basis change on plant risk do not vary significantly under a different set of plausible assumptions.
  • Information related to issues identified in Section C.2.6 if the risk metrics approach the acceptance guidelines.

6.3.2 Cumulative Risks

As part of the evaluation of risk, licensees should understand the effects of the current application in light of past applications. Optimally, the PRA used for the current application should already model the effects of past applications. However, qualitative effects and synergistic effects are sometimes difficult to model. Tracking changes in risk (both quantifiable and nonquantifiable) that result from plant changes would provide a mechanism to account for the cumulative and synergistic effects of these plant changes and would help to demonstrate that the proposing licensee has a risk management philosophy in which PRA is not just used to systematically increase risk, but is also used to help reduce risk where appropriate and where it is shown to be cost effective. The tracking of cumulative risk also helps the NRC staff in monitoring trends.

As part of the submittal, the licensee should track and submit the impact of all plant changes that have been submitted for NRC review and approval but have not yet been incorporated into the base PRA model and are therefore not reflected in the base risk. Documentation should include the following.

  • The calculated change in risk for each application (CDF and LERF) and the plant elements (e.g., SSCs, procedures) affected by each change.
  • Qualitative arguments used to justify the change (if any) and the plant elements affected by these arguments.
  • Compensatory measures or other commitments used to help justify the change (if any) and the plant elements affected.
  • Summarized results from the monitoring programs (where applicable) and a discussion of how these results have been factored into the PRA or into the current application.

As an option, the submittal could also list (but not submit to the NRC) past changes to the plant that reduced the plant risk, especially those changes related to the current application. The licensee should also include a discussion of whether these changes are already included in the base PRA model.

D. IMPLEMENTATION

The purpose of this section is to provide information on how applicants and licensees¹ may use this guide and information regarding the NRC's plans for using this RG. In addition, it describes how the NRC staff complies with 10 CFR 50.109, and any applicable finality provisions in 10 CFR Part 52.

Use by Applicants and Licensees

Applicants and licensees may voluntarily² use the guidance in this document to demonstrate compliance with the underlying NRC regulations. Methods or solutions that differ from those described in this RG may be deemed acceptable if they provide sufficient basis and information for the NRC staff to verify that the proposed alternative demonstrates compliance with the appropriate NRC regulations.

Current licensees may continue to use guidance the NRC found acceptable for complying with the identified regulations as long as their current licensing basis remains unchanged.

Licensees may use the information in this RG or applicable parts to resolve regulatory or inspection issues.

Use by NRC Staff

The NRC staff does not intend or approve any imposition or backfitting of the guidance in this RG. The NRC staff does not expect any existing licensee to use or commit to using the guidance in this RG, unless the licensee makes a change to its licensing basis. The NRC staff does not expect or plan to request licensees to voluntarily adopt this RG to resolve a generic regulatory issue. The NRC staff does not expect or plan to initiate NRC regulatory action which would require the use of this RG. Examples of such unplanned NRC regulatory actions include issuance of an order requiring the use of the RG, requests for information under 10 CFR 50.54(f) as to whether a licensee intends to commit to use of this RG, generic communication, or promulgation of a rule requiring the use of this RG without further backfit consideration.

During regulatory discussions on plant-specific operational issues, the staff may discuss with licensees various actions consistent with staff positions in this RG, as one acceptable means of meeting the underlying NRC regulatory requirement. Such discussions would not ordinarily be considered backfitting even if prior versions of this RG are part of the licensing basis of the facility. However, unless this RG is part of the licensing basis for a facility, the staff may not represent to the licensee that the licensee's failure to comply with the positions in this RG constitutes a violation.

If an existing licensee voluntarily seeks a license amendment or change and (1) the NRC staff's consideration of the request involves a regulatory issue directly relevant to this new or revised RG and (2) the specific subject matter of this RG is an essential consideration in the staff's determination of the acceptability of the licensee's request, then the staff may request that the licensee either follow the guidance in this RG or provide an equivalent alternative process that demonstrates compliance with the underlying NRC regulatory requirements. This is not considered backfitting as defined in 10 CFR 50.109(a)(1) or a violation of any of the issue finality provisions in 10 CFR Part 52.

¹ In this section, "licensees" refers to licensees of nuclear power plants under 10 CFR Parts 50 and 52; and the term "applicants" refers to applicants for licenses and permits for (or relating to) nuclear power plants under 10 CFR Parts 50 and 52, and applicants for standard design approvals and standard design certifications under 10 CFR Part 52.

² In this section, "voluntary" and "voluntarily" mean that the licensee is seeking the action of its own accord, without the force of a legally binding requirement or an NRC representation of further licensing or enforcement action.

Additionally, an existing applicant may be required to comply with new rules, orders, or guidance if 10 CFR 50.109(a)(3) applies.

If a licensee believes that the NRC is either using this RG or requesting or requiring the licensee to implement the methods or processes in this RG in a manner inconsistent with the discussion in this Implementation section, then the licensee may file a backfit appeal with the NRC in accordance with the guidance in the NRC Management Directive 8.4, Management of Facility-Specific Backfitting and Information Collection (Ref. 52), and NUREG-1409, Backfitting Guidelines, (Ref. 53).

REFERENCES³

1. U.S. Code of Federal Regulations (CFR), Domestic Licensing of Production and Utilization Facilities, Part 50, Chapter 1, Title 10, Energy.

2. CFR, Licenses, Certifications, and Approvals for Nuclear Power Plants, Part 52, Chapter 1, Title 10, Energy.

3. CFR, Application for Amendment of License, Construction Permit, or Early Site Permit, Part 50, Chapter 1, Title 10, Section 50.90, Energy.

4. CFR, Issuance of Amendment, Part 50, Chapter 1, Title 10, Section 50.92, Energy.

5. U.S. Nuclear Regulatory Commission (NRC), NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, Section 19.2, Review of Risk Information Used to Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance, Washington, DC.

6. NRC, NUREG-1855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decisionmaking, Revision 1, March 2017, Washington, DC.

7. NRC, NUREG/CR-6268, Revision 1, Common-Cause Failure Database and Analysis System: Event Data Collection, Classification, and Coding, Washington, DC, September 2007.

8. NRC, RG 1.175, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Testing, Washington, DC.

9. NRC, RG 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Washington, DC.

10. NRC, RG 1.178, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Inspection of Piping, Washington, DC.

11. CFR, Codes and Standards, Part 50, Chapter 1, Title 10, Section 50.55a, Energy.

12. NRC, RG 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Washington, DC.

³ Publicly available NRC-published documents are available online through the NRC Library on the NRC's public website at http://www.nrc.gov/reading-rm/doc-collections/. The documents can also be viewed online or printed for a fee in the NRC's Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD; the mailing address is USNRC PDR, Washington, DC 20555; telephone 301-415-4737 or (800) 397-4209; fax (301) 415-3548; and e-mail pdr.resource@nrc.gov.

13. ASME/ANS RA-Sa-2009, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, Addendum A to RA-S-2008, ASME, New York, NY, American Nuclear Society, La Grange Park, Illinois, February 2009.⁴

14. NRC, RG 1.201, Guidelines for Categorizing Structures, Systems, and Components in Nuclear Power Plants According to Their Safety Significance, Washington, DC.

15. CFR, Risk-Informed Categorization and Treatment of Structures, Systems and Components for Nuclear Power Reactors, Part 50, Chapter 1, Title 10, Section 50.69, Energy.

16. NRC, RG 1.205, Risk-Informed, Performance-Based Fire Protection for Existing Light-Water Nuclear Power Plants, Washington, DC.

17. CFR, National Fire Protection Association Standard NFPA 805, Part 50, Chapter 1, Title 10, Section 50.48(c), Energy.

18. NFPA 805, Performance-Based Standard for Fire Protection for Light-Water Reactor Electric Generating Plants, 2001 Edition, National Fire Protection Association, Quincy, MA.⁵

19. NRC, RG 1.206, Combined License Applications for Nuclear Power Plants (LWR Edition), Washington, DC.

20. NRC, Staff Requirements Memorandum (SRM) on SECY-11-0014, Staff Requirements - SECY-11-0014 - Use of Containment Accident Pressure in Analyzing Emergency Core Cooling System and Containment Heat Removal System Pump Performance in Postulated Accidents, Washington, DC, March 15, 2011. (Agencywide Documents Access and Management System (ADAMS) Accession No. ML110740254)

21. NRC, SRM on SECY-15-0168, Staff Requirements - SECY-15-0168 - Recommendations on Issues Related to Implementation of a Risk Management Regulatory Framework, Washington, DC, March 9, 2016. (ADAMS Accession No. ML16069A370)

22. NRC, Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement, Federal Register, Vol. 60, No. 158: pp. 42622 (60 FR 42622), Washington, DC, August 16, 1995.

23. CFR, Backfitting, Part 50, Chapter 1, Title 10, Section 50.109, Energy.

24. CFR, Specific Exemptions, Part 50, Chapter 1, Title 10, Section 50.12, Energy.

⁴ Copies of American Society of Mechanical Engineers (ASME) standards may be purchased from ASME, Two Park Avenue, New York, New York 10016-5990; Telephone (800) 843-2763. Purchase information is available through the ASME Web site store at http://www.asme.org/Codes/Publications/.

⁵ The National Fire Protection Association (NFPA) makes important safety codes and standards available for free online and documents are available at http://www.nfpa.org/codes-and-standards/document-information-pages. They may also be purchased by calling NFPA Customer Sales 800.344.3555 or writing NFPA 1 Batterymarch Park, Quincy, MA 02169-7471.

25. CFR, Changes, Tests and Experiments, Part 50, Chapter 1, Title 10, Section 50.59, Energy.

26. NRC, Safety Goals for the Operations of Nuclear Power Plants; Policy Statement, Federal Register, Vol. 51, pp. 30028 (51 FR 30028), Washington, DC, August 4, 1986.

27. International Atomic Energy Agency (IAEA), Safety Guide SSG-3, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants Specific Safety Guide, Vienna, Austria, April 2010.⁶

28. IAEA Safety Guide SSG-4, Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants Specific Safety Guide, Vienna.

29. IAEA Safety Standards SSR-2/1, Safety of Nuclear Power Plants: Design, Vienna, Austria.

30. IAEA Safety Standard SF-1, Fundamental Safety Principles, Vienna, Austria, November 2006.

31. NRC, NUREG/KM-0009, Historical Review and Observations of Defense-in-Depth, Washington, DC, April 2016.

32. NRC, NUREG/CR-6595, Revision 1, An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events, Washington, DC, October 2004.

33. NRC, SRM on SECY-12-0081, Staff Requirements - SECY-12-0081 - Risk-Informed Regulatory Framework for New Reactors, Washington, DC, October 22, 2012. (ADAMS Accession No. ML12296A158)

34. NRC, SECY-90-016, Evolutionary Light-Water Reactor (LWR) Certification Issues and Their Relationship to Current Regulatory Requirements, Washington, DC, January 12, 1990. (ADAMS Accession No. ML003707849)

35. NRC, SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, Washington, DC, July 21, 1993. (ADAMS Accession No. ML003708021)

36. NRC, SRM on SECY-90-016, Evolutionary Light-Water Reactor (LWR) Certification Issues and Their Relationship to Current Regulatory Requirements, Washington, DC, June 26, 1990. (ADAMS Accession No. ML003707885)

37. NRC, SRM on SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, Washington, DC, July 21, 1993. (ADAMS Accession No. ML003708056)

38. NRC, SRM on SECY-98-144, Staff Requirements - SECY-98-144 - White Paper on Risk-Informed and Performance-Based Regulation, Washington, DC, March 1, 1999. (ADAMS Accession No. ML003753601)

⁶ Copies of IAEA documents may be obtained through the IAEA Web site (www.iaea.org/) or by writing the International Atomic Energy Agency, P.O. Box 100 Wagramer Strasse 5, A-1400, Vienna, Austria.

39. NRC, NUREG-2122, Glossary of Risk-Related Terms in Support of Risk-Informed Decisionmaking, Washington, DC, November 2013.

40. NRC, RG 1.216, Containment Structural Integrity Evaluation for Internal Pressure Loadings above Design-Basis Pressure, Washington, DC.

41. NRC, SRM on SECY-04-0118, Staff Requirements - SECY-04-0118 - Plan for the Implementation of the Commission's Phased Approach to Probabilistic Risk Assessment Quality, Washington, DC, October 6, 2004. (ADAMS Accession No. ML042800369)

42. G. Apostolakis and S. Kaplan, Pitfalls in Risk Calculations, Reliability Engineering, Vol. 2, pp. 135-145, 1981.⁷

43. CFR, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Part 50, Chapter 1, Title 10, Section 50.65, Energy.

44. NRC, NUREG/CR-5485, Guidelines on Modeling Common-Cause Failures in Probabilistic Risk Assessment, Washington, DC, November 1998.

45. CFR, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, Part 50, Chapter 1, Title 10, Appendix B, Energy.

46. CFR, Conditions of Licenses, Part 50, Chapter 1, Title 10, Section 50.54, Energy.

47. CFR, Notice for Public Comment; State Consultation, Part 50, Chapter 1, Title 10,

Section 50.91, Energy.

48. CFR, Written Communications, Part 50, Chapter 1, Title 10, Section 50.4, Energy.

49. NRC, RG 1.33, Quality Assurance Program Requirements (Operation), Washington, DC.

50. CFR, Standards for Protection against Radiation, Part 20, Chapter 1, Title 10, Energy.

51. CFR, Reactor Site Criteria, Part 100, Chapter 1, Title 10, Energy.

52. NRC, Management Directive 8.4, Management of Facility-Specific Backfitting and Information Collection, Washington, DC.

53. NRC, NUREG-1409, Backfitting Guidelines, Washington, DC, July 1990.

⁷ Copies of the non-NRC documents included in these references may be obtained directly from the publishing organization. This document may be found at http://www.sciencedirect.com.

APPENDIX A

USE OF RISK-IMPORTANCE MEASURES TO CATEGORIZE STRUCTURES, SYSTEMS, AND COMPONENTS WITH RESPECT TO SAFETY SIGNIFICANCE

A-1. Introduction

For several of the proposed applications of the risk-informed regulation process, one of the principal activities is the categorization of structures, systems, and components (SSCs) and human actions according to safety significance. This appendix discusses one way that this categorization may be performed to be consistent with Principle 4 (see Figure 2 in this regulatory guide (RG)) and the expectations discussed in Section C.2.1 of this RG.

The safety significance of an SSC is related to the role the SSC plays in preventing the occurrence of the undesired end state. Thus, the position adopted in this RG is that all the SSCs and human actions considered when constructing the PRA model (including those that do not necessarily appear in the final quantified model because they have been screened out initially, assumed to be inherently reliable, or have been truncated from the solution of the model) have the potential to be safety significant since they play a role in preventing core damage.

In categorizing SSCs with respect to safety significance, it is important to recognize the purpose behind the categorization, which is to sort the SSCs and human actions into groups (e.g., those for which some relaxation of requirements is proposed and those for which no such change is proposed). The proposed application motivates the categorization, and the potential impact of the application on the particular SSCs and human actions and on the measures of risk ultimately determines which of the SSCs and human actions should be regarded as safety significant within the context of the application. This impact on overall risk should be evaluated in light of the principles and decision criteria identified in this guide. Thus, the most appropriate way to address the categorization is through a requantification of the risk measures.

However, the feasibility of performing such risk quantification has been questioned when a method for evaluating the impact of the change on SSC unavailability is not available for those applications. An acceptable alternative to requantification of risk is for the licensee to categorize the SSCs and human actions in an integrated manner, making use of an analytical technique, based on the use of PRA importance measures as input. This appendix discusses the technical issues associated with the use of PRA importance measures.

A-2. Technical Issues Associated with the Use of Importance Measures

In the implementation of the Maintenance Rule (Title 10 of the Code of Federal Regulations (10 CFR) 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants) and in industry guides for risk-informed applications (e.g., the PSA Applications Guide⁸), the Fussell-Vesely Importance, Risk Reduction Worth, and Risk Achievement Worth are the most commonly identified measures in the relative risk ranking of SSCs. However, several issues should be addressed when using these importance measures for risk-informed applications. Most of the issues are related to technical problems that can be resolved by the use of sensitivity studies or by appropriate quantification techniques. These issues are discussed in detail below. In addition, the licensee should be aware of and adequately address two other issues: (1) risk rankings apply only to individual contributions and not to combinations or sets of contributors and (2) risk rankings are not necessarily related to the risk changes that result from those contributor changes. When performed and interpreted correctly, component-level importance measures can provide valuable input to the licensee.

⁸ D. True et al., PSA Applications Guide, Electric Power Research Institute, TR 105396, August 1995.

Many factors can affect the risk-ranking results from a probabilistic risk assessment (PRA). The most important are model assumptions and techniques (e.g., for modeling of human reliability or common-cause failures (CCFs)), the data used, or the success criteria chosen. The licensee should therefore make sure that the PRA is acceptable, consistent with the guidance in this document and in RG 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities.

In addition to the use of an acceptable PRA, the robustness of categorization results should also be demonstrated for conditions and parameters that might not be addressed in the base PRA. Therefore, when importance measures are used to group components or human actions as low-safety-significant contributors, the information to be provided to the analysts performing qualitative categorization should include sensitivity studies or other evaluations to demonstrate the sensitivity of the importance results to the important PRA modeling techniques, assumptions, and data. Issues that should be considered and addressed are listed below.

Truncation Limit: The licensee should determine that the truncation limit has been set low enough that the truncated set of minimal cut sets contains all the significant contributors and their logical combinations for the application in question and is low enough to capture at least 95 percent of the core damage frequency (CDF). Depending on the PRA level of detail (module level, component level, or piece-part level), this may translate into a truncation limit ranging from 10⁻¹² to 10⁻⁸ per reactor year (or possibly even lower for some advanced light-water reactor designs). In addition, the truncated set of minimal cut sets should be determined to contain the important application-specific contributors and their logical combinations.

Risk Metrics: The licensee should ensure that the ranking process considers risk in terms of both CDF and large early release frequency (LERF).

Completeness of Risk Model: The licensee should ensure that the PRA model is sufficiently complete to address all important modes of operation for the SSCs being analyzed. Safety-significant contributions from internal hazards, external hazards, and shutdown and low-power initiators should be considered by using PRA or other engineering analyses.

Sensitivity Analysis for Component Data Uncertainties: The licensee should address the sensitivity of component categorizations to uncertainties in the parameter values. Licensees should be satisfied that data uncertainties do not affect SSC categorization.

Sensitivity Analysis for Common-Cause Failures: CCFs are modeled in PRAs to account for dependent failures of redundant components within a system. The licensee should determine that the safety-significant categorization takes into account the combined effect of associated basic PRA events, such as failure to start and failure to run, including indirect contributions through associated CCF event probabilities. CCF probabilities can affect PRA results by enhancing or obscuring the importance of components. A component may be ranked as a high-risk contributor mainly because of its contribution to CCFs, or a component may be ranked as a low-risk contributor mainly because it has negligible or no contribution to CCFs.

Sensitivity Analysis for Recovery Actions: PRAs typically model recovery actions, especially for significant accident sequences. Quantification of recovery actions typically depends on the time available for diagnosis and for performing the action, as well as the training, procedures, and knowledge of operators. A certain degree of subjectivity is involved in estimating the success probability for the recovery actions. The concerns in this case stem from situations in which very high success probabilities are assigned to a sequence, resulting in related components being ranked as low-risk contributors.

Furthermore, it is not desirable for the categorization of SSCs to be affected by recovery actions that sometimes are modeled only for the significant scenarios. Sensitivity analyses can be used to show how the SSC categorization would change if all recovery actions were removed. The licensee should ensure that the categorization has not been unduly affected by the modeling of recovery actions.

Multiple Component Considerations: As discussed previously, importance measures are typically evaluated on the basis of an individual SSC or human action. This raises the concern that single-event importance measures could dismiss all the elements of a system or group even though the system or group has a high importance when taken as a whole. (Conversely, there may be grounds for screening out groups of SSCs, owing to the unimportance of the systems of which they are elements.)

There are two potential approaches to addressing the multiple component issue. The first is to define suitable measures of system or group importance. The second is to choose appropriate criteria for categorization based on component-level importance measures. In both cases, the licensee should demonstrate that the cumulative impact of the change has been adequately addressed.

While there are no widely accepted definitions of system or group importance measures, if any are proposed, the licensee should ensure that the measures capture the impact of changes to the group in a logical way. The remainder of this paragraph provides an example of the issues that can arise. For frontline systems, one could define a measure of system importance of the Fussell-Vesely type as the sum of the frequencies of sequences involving failure of that system divided by the sum of all sequence frequencies. Such a measure would need to be interpreted carefully if the numerator includes contributions from failures of that system caused by support systems. Similarly, a Birnbaum-like measure could be defined by quantifying sequences involving the system, conditional on its failure, and summing those quantities. This would provide a measure of how often the system is critical. However, again the support systems make the situation more complex. For example, in a two-division plant, frontline failures can occur as a result of failure of support Division A in conjunction with failure of frontline Division B. Working with a figure of merit based on total failure of support system would miss contributions of this type.

In the absence of appropriately defined group-level importance measures, the appropriate determination should rely on a qualitative categorization by the licensee, as part of the integrated decisionmaking process.

Relationship of Importance Measures to Risk Changes: Importance measures do not directly relate to changes in risk. Instead, the risk impact is indirectly reflected in the choice of the value of the measure used to determine whether an SSC should be classified as being of high or low safety significance. This is a concern whether importance is evaluated at the component or the group level. For example, the PSA Applications Guide suggested values of Fussell-Vesely importance of 0.05 at the system level and 0.005 at the component level. However, the criteria for categorization into low and high significance should relate to the acceptance criteria for changes in CDF and LERF. This implies that the criteria should be a function of the base case CDF and LERF rather than being fixed for all plants. Thus, the licensee should demonstrate how the chosen criteria are related to, and conform with, the acceptance guidelines described in this document. If component-level criteria are used, they should account for the risk increase resulting from simultaneous changes to all members of the category.
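The following is an added illustration, not part of the regulatory guide, of why component-level Fussell-Vesely screening should account for simultaneous changes to all members of a category. The cut sets, probabilities, and the factor-of-10 and factor-of-2 degradations are constructed assumptions; only the 0.005 component-level value is taken from the PSA Applications Guide figure quoted above, and CDF is computed with the rare-event approximation.

```python
from math import prod

# Constructed toy model, not taken from any plant PRA. "IE" is an initiating
# event frequency per reactor year; every other value is a failure probability.
VALVES = [f"V{k}" for k in range(1, 9)]
BASE = {"IE": 0.1, "DG_A": 1e-2, "DG_B": 1e-2, "TRAIN_B": 1e-2,
        **{v: 4e-5 for v in VALVES}}
CUT_SETS = [("IE", "DG_A", "DG_B")] + [("IE", v, "TRAIN_B") for v in VALVES]


def cdf(p):
    """Sum of minimal cut set frequencies (rare-event approximation)."""
    return sum(prod(p[e] for e in cs) for cs in CUT_SETS)


def modified(events, value=None, factor=None):
    """Copy of BASE with `events` set to `value`, or scaled by `factor`."""
    p = dict(BASE)
    for e in events:
        p[e] = value if value is not None else min(1.0, p[e] * factor)
    return p


def fussell_vesely(events):
    """Fraction of CDF from cut sets containing any of `events`."""
    return 1.0 - cdf(modified(events, value=0.0)) / cdf(BASE)


def delta_cdf(events, factor):
    """CDF increase when all listed probabilities are scaled together."""
    return cdf(modified(events, factor=factor)) - cdf(BASE)


def summary(threshold=0.005, factor=10.0):
    # Screen one event at a time against the component-level FV value.
    low = [e for e in BASE if e != "IE" and fussell_vesely([e]) < threshold]
    return {
        "low": low,
        "max_single_fv": max(fussell_vesely([e]) for e in low),
        "group_fv": fussell_vesely(low),
        "largest_single_delta": max(delta_cdf([e], factor) for e in low),
        "simultaneous_delta": delta_cdf(low, factor),
        # Redundant pair in one cut set: the joint change is not additive.
        "dg_sum_of_singles": sum(delta_cdf([e], 2.0) for e in ("DG_A", "DG_B")),
        "dg_together": delta_cdf(["DG_A", "DG_B"], 2.0),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(name, value)
```

In this constructed model each valve has a Fussell-Vesely importance of about 0.0039, yet the eight valves together account for about 3.1 percent of CDF, and degrading them together raises CDF by eight times the largest single-valve increase. The diesel generator pair shows the second effect: doubling both failure probabilities raises CDF by more than the sum of the two one-at-a-time increases.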

SSCs Not Included in the Final Quantified Cut Set Solution: Importance measures based on the quantified cut sets should not factor in those SSCs that have either been truncated or were not included in the fault tree models because they were screened out on the basis of high reliability. SSCs that have been screened out because their credible failure modes would not fail the system function can be argued to be unimportant. The licensee should ensure that these SSCs are considered.