Download:
pdf |
pdfJAPAN LESSONS-LEARNED PROJECT DIRECTORATE
JLD-ISG-2012-05
Guidance for Performing the Integrated
Assessment for External Flooding
Interim Staff Guidance
Revision 0
November 30, 2012
ML12311A214
JAPAN LESSONS-LEARNED PROJECT DIRECTORATE
JLD-ISG-2012-05
Guidance for Performing the Integrated
Assessment for External Flooding
Interim Staff Guidance
Revision 0
ADAMS Accession No.: ML12311A214
*Concurrence via e-mail
OFFICE
NRR/JLD/PMB
NRO/DSEA/RHMB
NRR/JLD*
NRR/JLD/PMB
NAME
GEMiller
MBensi
ABaxter
MMitchell
DATE
11/30/2012
11/30/2012
11/30/12
11/30/2012
OFFICE
NRO/DSEA/RGS2*
QTE*
NRO/DSEA
NRR/DE*
NAME
CCook
JDougherty
NChokshi
PHiland
DATE
11/29/12
11/19/12
11/30/2012
11/26/12
OFFICE
NRR/DRA*
NRR/DPR*
NRO/DSRA*
OGC*
NAME
JGiitter
TMcGinty
CAder
GMizuno (NLO)
DATE
11/20/12
11/16/12
11/26/12
11/30/12
OFFICE
NRR/JLD
NAME
DSkeen
(RTaylor for)
DATE
11/30/2012
OFFICIAL RECORD COPY
November 30, 2012
ML12311A214
INTERIM STAFF GUIDANCE
JAPAN LESSONS-LEARNED PROJECT DIRECTORATE
GUIDANCE FOR PERFORMING THE INTEGRATED ASSESSMENT
FOR EXTERNAL FLOODING
JLD-ISG-2012-05
PURPOSE
This interim staff guidance is being issued to describe to stakeholders methods acceptable
to the staff of the U.S. Nuclear Regulatory Commission (NRC) for performing the integrated
assessment for external flooding as described in NRC’s March 12, 2012, request for
information (Ref. 1) issued pursuant to Title 10 of the Code of Federal Regulations
(10 CFR), Section 50.54, “Conditions of licenses,” regarding Recommendation 2.1 of the
enclosure to SECY-11-0093, “Recommendations for Enhancing Reactor Safety in the 21st
Century, the Near-Term Task Force Review of Insights from the Fukushima Dai-ichi
Accident” (Ref. 2). Among other actions, the March 12, 2012 letter requests that
respondents reevaluate flood hazards at each site and compare the reevaluated hazard to
the current design basis at the site for each flood mechanism. Addressees are requested to
perform an integrated assessment if the current design basis flood hazard does not bound
the reevaluated flood hazard for all mechanisms. This ISG will assist operating power
reactor respondents and holders of construction permits under 10 CFR Part 50 with
performance of the integrated assessment. The guidance provided in this ISG describes
methods for use in performing the integrated assessment requested in Enclosure 2 of the
March 12, 2012, letter. This guidance is not intended for use in design basis applications or
in regulatory activities beyond the scope of performing the integrated assessment.
BACKGROUND
Following the events at the Fukushima Dai-ichi nuclear power plant, the NRC established a
senior-level agency task force referred to as the Near-Term Task Force (NTTF). The NTTF
conducted a systematic and methodical review of the NRC regulations and processes and
determined if the agency should make additional improvements to these programs in light of
the events at Fukushima Dai-ichi. As a result of this review, the NTTF developed a
comprehensive set of recommendations, documented in the enclosure to SECY-11-0093
(Ref. 2). These recommendations were enhanced by the NRC staff following interactions
with stakeholders. Documentation of the NRC staff’s efforts is contained in SECY-11-0124,
“Recommended Actions to be Taken without Delay from the Near-Term Task Force Report,”
dated September 9, 2011 (Ref. 3), and SECY-11-0137, “Prioritization of Recommended
Actions to be Taken in Response to Fukushima Lessons Learned,” dated October 3, 2011
(Ref. 4).
As directed by the staff requirements memorandum for the enclosure to SECY-11-0093
(Ref. 5), the NRC staff reviewed the NTTF recommendations within the context of the
NRC’s existing regulatory framework and considered the various regulatory vehicles
available to the NRC to implement the recommendations. SECY-11-0124 and
SECY-11-0137 established the staff’s prioritization of the recommendations based upon the
potential safety enhancements.
As part of the staff requirements memorandum for SECY-11-0124, dated October 18, 2011
(Ref. 6), the Commission approved the staff's proposed actions, including the development
2
of three information requests under 10 CFR 50.54(f). The information collected would be
used to support the NRC staff's evaluation of whether further regulatory action should be
pursued in the areas of seismic and flooding design, and emergency preparedness.
In addition to Commission direction, the Consolidated Appropriations Act, Public Law
112-074, was signed into law on December 23, 2011, which contains the Energy and Water
Development Appropriations Act, 2012. Section 402 of the law requires a reevaluation of
licensees' design basis for external hazards.
In response to the aforementioned Commission and Congressional direction, the NRC
issued a request for information to all power reactor licensees and holders of construction
permits under 10 CFR Part 50 on March 12, 2012 (Ref. 1). The March 12, 2012, 50.54(f)
letter includes a request that respondents reevaluate flooding hazards at nuclear power
plant sites using updated flooding hazard information and present-day regulatory guidance
and methodologies. The letter also requests the comparison of the reevaluated hazard to
the current design basis at the site for each potential flood mechanism. If the reevaluated
flood hazard at a site is not bounded by the current design basis, respondents are
requested to perform an integrated assessment. The integrated assessment will evaluate
the total plant response to the flood hazard, considering multiple and diverse capabilities
such as physical barriers, temporary protective measures, and operational procedures. The
NRC staff will review the responses to this request for information and determine whether
regulatory actions are necessary to provide additional protection against flooding.
On September 28, 2012, the NRC staff issued a draft version of this ISG and published a
notice of its availability for public comment in the Federal Register (77 FR 65417). The
30-day comment period ran September 28, 2012, through October 29, 2012, during which
the staff received 61 public comments. Comments were received related to the following
topical areas: (1) evaluation of mitigation capability, particularly the perceived limitations
associated with use of the scenario-based evaluation method; (2) expectations and
attributes of the peer review; (3) the availability of illustrative examples; (4) equipment
redundancy and quantification of reliability; (5) the evaluation of manual actions associated
with protective and mitgative actions; (6) the evaluation of flood protection and
demonstration of reliability and margin using available performance criteria; and (7) general
and miscellaneous other topics. In public meetings on October 24-25, 2012, and November
7, 2012, the NRC staff interacted extensively with external stakeholders to discuss and
resolve public comments (including discussion of proposed modifications to the text of the
ISG) related to the evaluation of mitigation capability, the expectations and attributes of peer
review, and other topics. Significant modifications were made to text of the ISG in response
to the public comments and the outcomes of the public meetings. In addition, to provide
more detailed guidance, staff has augmented the ISG by providing additional references
related to the evaluation of flood protection and significantly enhancing portions of the ISG
related to the evaluation of manual actions. The comments, staff responses, and the staff’s
bases for changes to the ISG are contained in “NRC Response to Public Comments” to
JLD-ISG-2012-05 (Docket ID NRC-2012-0222) (Ref. 7).
RATIONALE
On March 12, 2012, the NRC issued a request for information to all power reactor licensees
and holders of construction permits under 10 CFR Part 50. The request was issued in
accordance with the provisions of Sections 161.c, 103.b, and 182.a of the Atomic Energy
Act of 1954, as amended (the Act), and NRC regulation in Title 10 of the Code of Federal
3
Regulations, Part 50, Paragraph 50.54(f). Pursuant to these provisions of the Act or this
regulation, respondents were required to provide information to enable the staff to determine
whether a nuclear plant license should be modified, suspended, or revoked.
The information request directed respondents to submit an approach for developing an
integrated assessment report including criteria for identifying vulnerabilities. This ISG
describes an approach for developing the integrated assessment report that is acceptable to
the staff.
APPLICABILITY
This ISG shall be implemented on the day following its approval. It shall remain in effect
until it has been superseded or withdrawn.
PROPOSED GUIDANCE
This ISG is applicable to holders of operating power reactor licenses and construction
permits under 10 CFR Part 50 from whom an integrated assessment is requested (i.e., sites
for which the current design basis flood hazard does not bound the reevaluated hazard for
all potential flood mechanisms). For combined license holders under 10 CFR Part 52, the
issues in NTTF Recommendation 2.1 and 2.3 regarding seismic and flooding reevaluations
and walkdowns are resolved and thus this ISG is not applicable.
IMPLEMENTATION
Except in those cases in which a licensee or construction permit holder under 10 CFR Part
50 proposes an acceptable alternative method for performing the integrated assessment,
the NRC staff will use the methods described in this ISG to evaluate the results of the
integrated assessment.
BACKFITTING DISCUSSION
This ISG does not constitute backfitting as defined in 10 CFR 50.109 (the Backfit Rule) and
is not otherwise inconsistent with the issue finality provision in Part 52, “Licenses,
Certifications, and Approvals for Nuclear Power Plants,” of 10 CFR. This ISG provides
guidance on an acceptable method for responding to a portion of an information request
issued pursuant to 10 CFR 50.54(f). Neither the information request nor the ISG require the
modification or addition to systems, structures, or components, or design of a facility.
Applicants and licensees may voluntarily use the guidance in JLD-ISG-2012-06 to comply
with the request for information. The information received by this request may, at a later
date, be used in the basis for a backfit at a later date. In this case, the appropriate backfit
review process would be followed at that time.
FINAL RESOLUTION
The contents of this ISG, or a portion thereof, may subsequently be incorporated into other
guidance documents, as appropriate.
4
ENCLOSURE
1. Guidance for Performance of Integrated Assessment
REFERENCES
1. U.S. Nuclear Regulatory Commission, Request for Information Pursuant to Title 10 of the
Code of Federal Regulations 50.54(f) Regarding Recommendations 2.1, 2.3, and 9.3, of
the Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident,
March 12, 2012, Agencywide Documents Access & Management System (ADAMS)
Accession No. ML12053A340.
2. U.S. Nuclear Regulatory Commission, "Recommendations for Enhancing Reactor Safety
in the 21st Century, The Near-Term Task Force Review of Insights from the Fukushima
Dai-ichi Accident," Enclosure to SECY-11-0093, July 12, 2011, ADAMS Accession No.
ML111861807.
3. U.S. Nuclear Regulatory Commission. "Recommended Actions to be Taken Without
Delay From the Near Term Task Force Report," SECY-11-0124, September 9, 2011,
ADAMS Accession No. ML11245A158.
4. U.S. Nuclear Regulatory Commission. "Prioritization of Recommended Actions to be
Taken in Response to Fukushima Lessons Learned," SECY-11-0137, October 3, 2011,
ADAMS Accession No. ML11272A111.
5. U.S. Nuclear Regulatory Commission. Staff Requirements - SECY-11-0093 - Near-Term
Report and Recommendations for Agency Actions Following the Events in Japan. ,
August 19, 2011, ADAMS Accession No. ML112310021.
6. U.S. Nuclear Regulatory Commission. Staff Requirements - SECY-11-0124 Recommended Actions to be Taken Without Delay From the Near-Term Task Force
Report, October 18, 2011, ADAMS Accession No. ML112911571.
7. U.S. Nuclear Regulatory Commission, NRC Responses to Public Comments, Japan
Lessons-Learned Project Directorate Interim Staff Guidance (JLD-ISG-2012-05):
Guidance for Performing the Integrated Assessment for Flooding in Response to the
March 2012 Request for Information Letter, November 30, 2012, ADAMS Accession No.
ML12311A216.
5
GUIDANCE FOR PERFORMANCE OF AN INTEGRATED ASSESSMENT
1.
Introduction.................................................................................................................... 3
1.1
Actions and Information Requested ......................................................................... 3
1.2
Integrated Assessment Concept .............................................................................. 4
1.3
Scope of the Integrated Assessment ........................................................................ 4
2. Background.................................................................................................................... 7
2.1
NTTF Recommendation 2.3 Flood Walkdowns ........................................................ 7
2.2
NTTF Recommendation 2.1 Flood Hazard Reevaluations ....................................... 7
3. Framework of the Integrated Assessment .................................................................. 9
3.1
Integrated Assessment Process ............................................................................... 9
3.2
Key Assumptions .................................................................................................... 10
3.2.1
Use of Available Resources for Protection and Mitigation .............................. 10
3.2.2
Flood Frequencies........................................................................................... 10
3.2.3
Human Performance ....................................................................................... 11
4. Peer Review ................................................................................................................. 13
5. Hazard Definition ......................................................................................................... 14
5.1
Identification of Applicable Flood Mechanisms and Plant Conditions .................... 14
5.2
Identification of Controlling Flood Parameters ........................................................ 14
5.3
Collection of Critical Plant Elevations and Protection of Equipment ....................... 15
6. Evaluation of Effectiveness of Flood Protection ...................................................... 16
6.1
Process Overview................................................................................................... 16
6.2
Performance Criteria .............................................................................................. 17
6.3
Justification of Flood Protection Performance ........................................................ 17
7. Evaluation of Mitigation Capability ............................................................................ 20
7.1
Process Overview................................................................................................... 20
7.2
Scenario-Based Evaluation of Mitigation Capability ............................................... 21
7.3
Margins-Type Evaluation of Mitigation Capability ................................................... 23
7.4
Use of PRA to Evaluate Total Plant Response, Including Mitigation Capability ..... 25
8. Documentation ............................................................................................................ 28
8.1
Integrated Assessment Procedure ......................................................................... 28
8.2
Plant Evaluation Results......................................................................................... 28
8.2.1
Controlling Flood Mechanism(s) ...................................................................... 28
8.2.2
Evaluation of Flood Protection ........................................................................ 29
8.2.3
Evaluation of Mitigation Capability .................................................................. 30
8.2.4
Peer Review .................................................................................................... 32
8.3
Additional Protection and Mitigation Features ........................................................ 32
8.4
Other Actions Involving Plant-Specific Vulnerabilities ............................................ 33
9. Terms and Definitions ................................................................................................. 34
10. References ................................................................................................................... 40
APPENDIX A: Evaluation of Flood Protection .................................................................. 42
A.1 Individual Flood Protection Features ........................................................................ 42
A.1.1 Exterior and Incorporated Flood Protection Features ............................................. 42
A.1.1.1 Earthen Embankments (Earth Dams, Levees and Dikes) ............................... 43
A.1.1.2 Floodwalls ....................................................................................................... 44
A.1.1.3 Seawalls .......................................................................................................... 45
A.1.1.4 Concrete Barriers ............................................................................................ 45
A.1.1.5 Plugs and Penetration Seals ........................................................................... 46
A.1.1.6 Storm Drainage Systems ................................................................................ 46
A.1.2 Active Features....................................................................................................... 47
November 30, 2012
1
Enclosure to JLD-ISG-2012-05
A.1.2.1 Active Components ......................................................................................... 47
A.1.2.2 Flood Doors and Hatches................................................................................ 47
A.1.3 Temporary Features ............................................................................................... 48
A.1.4 Equipment Necessary to Perform Human Actions ................................................. 48
A.2 Flood Protection Systems .......................................................................................... 49
A.3 References ................................................................................................................... 50
APPENDIX B: Peer Review................................................................................................. 53
B.1 Peer Reviewer Attributes ............................................................................................ 53
B.2 Peer Review Attributes ............................................................................................... 53
B.3 Peer Review Documentation ...................................................................................... 54
APPENDIX C: Evaluation of Manual Actions .................................................................... 56
C.1 Overview....................................................................................................................... 56
C.1.1 Purpose and Scope ................................................................................................ 56
C.1.2 Organization of the Appendix ................................................................................. 56
C.2 Identify and Define the Human Actions ..................................................................... 57
C.3 Determine Whether the Action is Feasible ................................................................ 58
C.3.1 Performance Shaping Factors ................................................................................ 58
C.3.1.1 Cues and Indications ....................................................................................... 59
C.3.1.2 Complexity of the Required Action .................................................................. 60
C.3.1.3 Special Equipment .......................................................................................... 62
C.3.1.4 Human-System Interfaces ............................................................................... 62
C.3.1.5 Procedures ...................................................................................................... 63
C.3.1.6 Training and Experience ................................................................................. 64
C.3.1.7 Perceived Workload, Pressure and Stress ...................................................... 65
C.3.1.8 Environmental Factors .................................................................................... 66
C.3.1.9 Special Fitness Issues..................................................................................... 67
C.3.1.10 Staffing ............................................................................................................ 68
C.3.1.11 Communications.............................................................................................. 68
C.3.1.12 Accessibility ..................................................................................................... 69
C.3.1.13 Scenario-Specific PSFs................................................................................... 70
C.3.2 Timing Analysis ...................................................................................................... 70
C.3.2.1 Timing Elements.............................................................................................. 70
C.3.2.2 Developing Timing Element Values ................................................................ 70
C.3.2.3 Account for Uncertainty and Human Performance Variability ......................... 71
C.3.2.4 Calculate Time Margin .................................................................................... 73
C.3.2.5 Determine Whether the Time Margin Supports a Conclusion that the Manual
Action is Feasible ............................................................................................ 73
C.4 Determine Whether the Action is Reliable ................................................................ 73
C.5 Adjustments ................................................................................................................. 74
C.6 Documentation ............................................................................................................ 74
C.7 References ................................................................................................................... 75
APPENDIX D: Existing References and Resources ......................................................... 79
D.1 Evaluations Performed under Task Action Plan A-45 .............................................. 79
D.2 NUREG/CR-5042, Evaluation of External Hazards to Nuclear Power Plant in the
United States................................................................................................................ 80
D.3 Individual Plant Examination of External Events Program ..................................... 81
D.4 References ................................................................................................................... 81
2
1. Introduction
This document provides guidance for the performance of the integrated assessment. Based
on the results of the site-specific flood hazard assessments, the integrated assessment
evaluates the total plant response to external flood hazards, considering both the protection
and mitigation capabilities of the plant. The purpose of the integrated assessment is to:
(1) evaluate the effectiveness of the current licensing basis under the reevaluated flood
hazard, (2) identify plant-specific vulnerabilities due to external flood hazards, and
(3) assess the effectiveness of existing or planned plant systems and procedures in
protecting against flood conditions and mitigating consequences for the entire duration of a
flooding event.
In general, the types and attributes of flood protection features used at nuclear power plants
are diverse because of differences in factors such as: hazard characteristics (e.g., flood
mechanisms, flood durations, and debris quantity), site topography and surrounding
environment, and other site-specific considerations (e.g., available warning time). As a
result, this guidance must be capable of accommodating the unique environments and
characteristics of nuclear power plant sites while ensuring that the information gathered, as
part of the Nuclear Regulatory Commission’s (NRC’s) March 12, 2012, information request,
provides a sufficient technical basis to determine if any additional regulatory actions are
necessary to protect against external flood hazards. The Information request was issued
pursuant to Title 10 of the Code of Federal Regulations (10 CFR), Section 50.54(f).
1.1 Actions and Information Requested
For the sites at which the reevaluated flood is not bounded by the current design basis for
all flood-causing mechanisms, the March 12, 2012, 10 CFR 50.54(f) letter requests that
licensees and construction permit holders1 perform an integrated assessment of the plant to
identify vulnerabilities and actions to address them.
Consistent with Enclosure 2 (p. 8-9) of the March 12, 2012, 10 CFR 50.54(f) letter,
licensees and construction permit holders are requested to provide the following as part of
the integrated assessment report:
a) Description of the integrated procedure used to evaluate integrity of the plant
for the entire duration of flood conditions at the site.
b) Results of the plant evaluations describing the controlling flood mechanisms
and its effects, and how the available or planned measures will provide
effective protection and mitigation. Discuss whether there is margin beyond
the postulated scenarios.
c) Description of any additional protection and/or mitigation features that were
installed or are planned, including those installed during the course of
reevaluating the hazard. The description should include the specific features
and their functions.
1
This ISG is applicable to holders of operating power reactor licenses and construction permits under
10 CFR Part 50 from whom an integrated assessment is requested. For brevity, the term “licensees”
will often be used in this ISG. It should be understood that, within this ISG, the term applies both to
holders of operating power reactor licenses and construction permits.
3
d) Identify other actions that have been taken or are planned to address plantspecific vulnerabilities.
This Interim Staff Guidance (ISG) provides guidance on methods that NRC staff considers
acceptable for performing the integrated assessment as requested by the March 12, 2012,
10 CFR 50.54(f) letter.
1.2 Integrated Assessment Concept
Figure 1 provides a conceptual illustration of the integrated assessment process. The
outcomes of the hazard reviews performed under the Near-Term Task Force (NTTF)
Recommendation 2.1 flood hazard reevaluations2 provide input into the integrated
assessment process. Upon entering the integrated assessment process, licensees should
evaluate the capability of flood protection systems to meet their intended safety functions
under the reevaluated hazard.
If the licensee can demonstrate the site’s flood protection is reliable and has margin, the
licensee should proceed to documentation and justification of results. If the licensee cannot
demonstrate that the site’s flood protection is reliable and has margin, the licensee should
evaluate the plant’s ability to maintain key safety functions during a flood in the event that
one or more flood protection systems are compromised and unable to perform their
intended functions. In this ISG, this step of the integrated assessment process is referred to
as an evaluation of mitigation capability. After evaluating the mitigation capability of the
plant, the process proceeds to documentation and justification of results.
In lieu of flood protection, some sites may allow water to enter buildings (or other areas that
house structures, systems, or components (SSCs) that are important to safety) by
procedure or design. If the presence of water in these locations may adversely affect SSCs
that are important to safety, then the integrated assessment process should proceed directly
into the evaluation of the mitigation capability of the plant. This is represented by the large
arrow on the rightmost side of Figure 1.
Subsequent sections of this document provide additional details on the integrated
assessment process.
1.3 Scope of the Integrated Assessment
In accordance with the March 12, 2012, 10 CFR 50.54(f) letter, the scope of the integrated
assessment includes full-power operations and other plant configurations that could be
susceptible to damage due to impairment of flood protection features. The integrated
assessment should evaluate the effectiveness of flood protection and mitigation capability of
the plant for the mode(s) of operation that the plant will be in for the entire flood event
duration. The integrated assessment should describe the expected total plant response
under other modes of operation, including a discussion of controls (e.g., programmatic
controls) that are in place in the event that a flood occurs during any of these modes (e.g.,
during refueling). The integrated assessment should also consider whether specific
vulnerabilities may arise during normal and full-power configurations and other modes of
2
See Section 2.2 for additional details on the NTTF Recommendation 2.1 hazard reevaluations and
the relationship to the integrated assessment.
4
operation or configurations (e.g., conditions where flood protection features may be
bypassed or defeated for maintenance or refueling activities).
The integrated assessment should consider plant conditions, including adverse weather that
could reasonably be expected to occur simultaneously with an external flood event
(Reference 1 provides guidance on combined events3) and should consider equipment that
may be directly affected by the flood event (e.g., loss of the switchyard from inundation).
The scope of the integrated assessment also includes flood-induced loss of an ultimate heat
sink (UHS) water source (e.g., due to failure of a downstream dam) that could be caused by
the flood conditions. (The scope does not include the loss of the UHS from causes other
than flooding, such as seismic failure.)
As previously stated, the March 12, 2012, 10 CFR 50.54(f) letter also requests that the
integrated assessment address the entire duration of the flood conditions.
3
As part of the Recommendation 2.1 hazard reevaluations (see Section 2.2), Reference 1 should
have been used in establishing the combined events applicable to a site.
5
Hazard
Evaluation
Integrated Assessment Process
Evaluate Flood
Protection
Protection
systems
reliably
withstand the
flood event
with margin.
- or -
- or -
Some protection
failures and any
SSCs important
to safety are
compromised.
By procedure,
flood waters
allowed to
enter buildings
and any SSCs
important to
safety are
compromised.
Evaluate Mitigation Capability
Results
Figure 1: Conceptual illustration of integrated assessment process
6
2. Background
2.1 NTTF Recommendation 2.3 Flood Walkdowns
The March 12, 2012, 10 CFR 50.54(f) letter requires that licensees perform flood protection
walkdowns to verify that plant features that are credited in the current licensing basis for
protection and mitigation from external flood events are available, functional, and properly
maintained. These walkdowns are interim actions to be performed while the longer-term
hazard reevaluations and integrated assessments are performed. NRC and the Nuclear
Energy Institute (NEI) worked collaboratively to develop guidelines for performing the
walkdowns; this collaboration resulted in NEI 12-07, “Guidelines for Performing Verification
Walkdowns of Plant Flood Protection Features,” issued May 2012 (Ref. 2), which the NRC
endorsed on May 31, 2012 (Ref. 3).
As part of the walkdowns, licensees and construction permit holders will verify that
permanent SSCs, as well as temporary or portable flood protection and mitigation
equipment, will perform their intended safety functions as credited in the current licensing
basis. Verification activities will ensure that changes to the plant (e.g., security barrier
installations and topography changes) do not adversely affect flood protection and mitigation
equipment. In addition, the walkdown will verify that licensees can perform the procedures
needed to install and operate equipment needed for flood protection or mitigation as
credited in the current licensing basis. The walkdown will also verify that adverse weather
conditions that could reasonably be expected to occur simultaneously with a flood event will
not impede the licensee’s ability to carry out the procedures. As part of the walkdowns, the
licensee will enter observations of potential deficiencies, as well as observations of flood
protection features with small margin and potentially significant safety consequences if lost,
into its corrective action program.
It is anticipated that the walkdowns will be a valuable source of information that will be
useful during the performance of the integrated assessment. In particular, the walkdowns
will provide information on available physical margin (APM) under the current design basis
hazard, the condition of flood protection features, the feasibility of manual actions, SSCs
that are subjected to flooding, and the potential availability of systems necessary to mitigate
flood events. However, it is emphasized that the walkdowns are performed to the current
licensing basis. The reevaluated flood hazards performed under Recommendation 2.1 (see
Section 2.2) may result in higher calculated water surface elevations and different
associated effects when compared to the current licensing basis. Therefore, some of the
information from the walkdowns may not be directly applicable to the integrated
assessment. It is expected that any additional information related to the impact of the
flooding hazard reassessment will be considered as part of the integrated assessment, and
that this information would be used to evaluate the flood protection capabilities in light of
potential additional flooding impacts to the site (e.g., higher elevations, accessibility issues)
that may not have been fully considered during the implementation of the Recommendation
2.3 walkdown.
2.2 NTTF Recommendation 2.1 Flood Hazard Reevaluations
The NRC is implementing Recommendation 2.1 of the NTTF in two phases. In Phase 1,
licensees and construction permit holders will reevaluate the flooding hazard(s) at each site
using present-day regulatory guidance and methodologies. If the reevaluated hazard is not
bounded by the design basis flood at the site, licensees and construction permit holders
7
should also perform an integrated assessment for external flooding. During Phase 2, NRC
staff will use the Phase 1 results to determine whether additional regulatory actions are
necessary (e.g., update the licensing basis and SSCs important to safety).
The NRC’s March 12, 2012, 10 CFR 50.54(f) letter requires that licensees and construction
permit holders reevaluate all appropriate external flooding sources, including the effects
from local intense precipitation on the site, probable maximum flood on streams and rivers,
storm surges, seiche, tsunami, and dam failures. The reevaluation should apply presentday regulatory guidance and methodologies used for early site permit and combined license
reviews, including the current techniques, software, and methods used in present-day
standard engineering practice.
For the sites where the reevaluated flood is not bounded by the current design basis hazard
for all flood mechanisms applicable to the site, licensees and construction permit holders
are requested to submit an interim action plan with the hazard reevaluation report that
documents actions planned or taken to address the reevaluated hazard. Subsequent to
submission of the hazard reevaluation report, licensees and construction permit holders are
also asked to perform an integrated assessment. In light of the reevaluated hazard, the
integrated assessment will (1) evaluate the effectiveness of the current licensing basis (i.e.,
flood protection and mitigation systems), (2) identify plant-specific vulnerabilities, and
(3) assess the effectiveness of existing or planned systems and procedures for protecting
against and mitigating consequences for the entire duration of the flood event.
8
3. Framework of the Integrated Assessment
3.1 Integrated Assessment Process
The intent of the integrated assessment is to identify site-specific vulnerabilities and to
provide other important insights.4 As described above, the integrated assessment is based
on a graded approach to ensure the assessment performed is appropriate for the unique
characteristics of a given site. Depending on site characteristics, the graded approach
supports assessments that range from engineering evaluations of individual flood protection
features to evaluations based on probabilistic risk assessment (PRA) techniques5 (e.g.,
system logic models and risk-insights). The integrated assessment process consists of up
to five possible steps, depending on site characteristics:
1.
2.
3.
4.
5.
the definition of peer review scope and the assembly of a peer review team
a determination of the controlling flood parameters
an evaluation of flood protection systems (if applicable6)
an evaluation of mitigation capability (if appropriate)
the documentation of the results
The flowchart in Figure 2 illustrates that integrated assessment process described below.
The first step of the integrated assessment process involves the assembly of an initial peer
review team. Section 4 and Appendix B to this guidance provide additional details on the
peer review and the composition of the peer review team.
The second step in the integrated assessment process involves the determination of the
flood scenario parameters that the assessment should consider based on the results
produced as part of the NTTF Recommendation 2.1 flood hazard reevaluations
(represented by Box 2 in Figure 2). Section 5 provides additional guidance on determining
the flood scenario parameters that the integrated assessment should consider.
Box 3 in Figure 2 represents a decision point. If a site has flood protection to prevent the
entry of water into buildings or other areas containing SSCs that are important to safety, the
process proceeds to Step 3, which involves an evaluation of the effectiveness of the flood
protection system(s) at the site. Section 6 provides additional guidance on the evaluation of
flood protection. Conversely, if a site allows water to enter buildings or other areas with
SSCs that are important to safety (by procedure or design) with potential effects on those
SSCs, the integrated assessment process skips Step 3 and proceeds directly to Step 4.
Step 4 involves the evaluation of the capability of the plant to maintain key safety functions7
during a flood event.
Another decision point occurs after the conduct of the flood protection evaluation (Step 3),
as shown by Box 5 in Figure 2. If the evaluation demonstrates that on-site flood protection
4
It is expected that the integrated assessment will yield insights related to available physical margin,
defense-in-depth, and cliff-edge effects.
5
This ISG describes the use of PRA techniques, however the approaches described in this document
are not intended to be compliant with guidance provided in Reference 9.
6
Some sites may have no flood protection. In these cases, a flood protection evaluation would not
be applicable.
7
See Section 9 for a definition of key safety functions.
9
is reliable and has margin, the integrated assessment process proceeds directly to Step 5
(documentation of the results). However, if the evaluation does not demonstrate that on-site
flood protection is reliable and has margin, the process proceeds to Step 4 to evaluate the
plant’s capability to mitigate a loss of one or more flood protection systems by maintaining
key safety functions (represented by Box 6 in Figure 2). Section 7 provides additional
information on evaluation of the capability of a plant to mitigate the loss of one or more flood
protection systems. Section 8 provides guidance on documentation of results.
3.2 Key Assumptions
The following subsections below provide information on key assumptions applicable to the
integrated assessment.
3.2.1
Use of Available Resources for Protection and Mitigation
The integrated assessment evaluates the current licensing basis protection and mitigation
capability of plants in response to the reevaluated flood hazards, as well as additional inplace or planned resources. In assessing the protection and mitigation capability of a plant,
credit can be taken for all available (onsite and offsite) resources as well as the use of
systems, equipment, and personnel in nontraditional ways. Temporary protection and
mitigation measures, as well as nonsafety-related SSCs can be credited, provided there is
sufficient technical bases to justify the effectiveness of these resources. In crediting use of
systems, equipment, and personnel in nontraditional ways, nonsafety-related SSCs,
temporary mitigation and protection features, or similar resources, the integrated
assessment should account for the potentially reduced reliability of such resources in
relation to permanent, safety-related equipment (Ref. 4). Moreover, if credit is taken for
these resources, the licensee or construction permit holder should justify that the resources
will be available and functional when they are required for the flood event duration.8 The
assessment should consider the time required to acquire these resources and place them in
service, as well as the functionality of the equipment when needed during the flood event
duration. Sections 6 and 7 provide guidance on evaluation of flood protection and mitigation
capability.
The NRC staff recognizes that other parallel activities related to Fukushima lessons learned
are ongoing, the result of which will augment available onsite resources. It is the intent of
this ISG to allow licensees to credit equipment that has been or will be installed by these
efforts. It is important to recognize, though, that the goals associated with the other
activities may differ from those of this ISG due to the difference in the intended uses (i.e.,
determining the acceptability for use in a beyond-design-basis event versus determining the
acceptability of the current design basis). Therefore, much of the analyses and evaluations
done for these other activities can likely be utilized. If crediting these resources, it is
necessary to demonstrate that these resources also meet the intent of this ISG. This
includes demonstration and justification that following NRC or industry guidance related to
these other efforts meets the intent of this ISG.
3.2.2
Flood Frequencies
For most flood mechanisms, widely accepted and well-established methodologies are not
available for assigning initiating event frequencies to severe floods for the performance of
8
See Section 9 for a definition of the flood event duration.
10
probabilistic flood hazard assessment (Ref. 5). For this reason, the integrated assessment
does not require the computation of initiating flood-hazard frequencies. Using initiating
event frequencies to screen out flood events in lieu of evaluation of flood protection features
at the site is not acceptable. However, if desired and if given appropriate justification, the
use of the flood event frequency is acceptable as part of a PRA to evaluate total plant
response.
3.2.3
Human Performance
Human performance may take on added importance during flooding events compared to
normal operations. The establishment of flood protection features may rely heavily on
manual actions such as constructing sandbag barriers, deploying and operating portable
pumps, or relocating equipment. Significant manual actions may also be associated with
mitigation actions, including actions that may leverage equipment, personnel, or other
resources in nontraditional ways. In addition, failed or degraded instrumentation and
controls in the main control room (MCR), as well as the unavailability of equipment and
systems, may challenge the operating crew’s ability to monitor and control the plant to
ensure that key safety functions are maintained. Access to and the functionality of local or
remote control stations may also be compromised. The addition of responsibilities to
oversee and manage flood response activities will increase operators’ workload.
11
1
Results of NTTF Recommendation
2.1 hazard reevaluations
2
yes
Step 1: Define peer review scope and
assemble peer review team
Step 2: Identification of flood scenario
parameters
Water enters
buildings by procedure
or design and affects
any SSCs important to
safety?
3
no
4
Step 3: Evaluation of flood protection
systems
All flood protection is
reliable and has
margin?
5
no
Step 4: Evaluation of mitigation
capability of plant
6
7
Step 5: Documentation of flood
parameters, evaluations, results, and
peer review
Figure 2: Integrated assessment process flowchart
12
yes
4. Peer Review
An independent peer review is an important element for ensuring technical adequacy. The
technical adequacy of the integrated assessment is measured in terms of the
appropriateness of the scope, level of detail, methodologies employed, and plant
representation, which should be consistent with this guidance and commensurate with the
site-specific hazard and inherent flood protection reliability. Specifically, technical adequacy
is determined by ensuring:
the scope of effort is sufficient
state of the art methodologies are correctly employed
input parameters, including plant configurations, are justified
the integrated assessment is performed consistent with this guidance
The licensee’s integrated assessment submittal should discuss measures that it used to
ensure technical adequacy, including the documentation of peer review. Appendix B to this
guidance provides additional details on peer review for the integrated assessment.
13
5. Hazard Definition
5.1 Identification of Applicable Flood Mechanisms and Plant Conditions
The hazard reevaluations performed under Recommendation 2.1 (see Section 2.2 for
background information) identify the external flood mechanisms applicable to a site. Before
the licensee performs the integrated assessment, it should collect or review the flood height
and associated effects9 for all applicable flood mechanisms from the hazard review for use
in the integrated assessment. In addition, for each flood mechanism, the licensee should
collect the following information for use in the integrated assessment:10
the expected plant mode(s) during the flood event duration
available instrumentation and communication mechanisms associated with each
flood mechanism, if applicable (e.g. river forecasts, dam condition reports, river
gauges)
the availability of and access to onsite and offsite resources (including personnel)
and consumables (e.g., fuel)
accessibility considerations to and from the site and around the site that may affect
protective and mitigating actions
the effect of flood conditions on the availability of the UHS and offsite power
other relevant plant-specific conditions
5.2 Identification of Controlling Flood Parameters
As described above, the flood parameters considered as part of the integrated assessment
for a plant are based on the Recommendation 2.1 hazard reevaluations (see Section 2.2 for
background information). Flood hazards do not need to be considered individually as part of
the integrated assessment. Instead, the integrated assessment should be performed for a
set(s) of flood scenario parameters defined based on the results of the Recommendation
2.1 hazard reevaluations.
The licensee should define the following flood scenario parameters and should consider
them as part of the integrated assessment:
flood height and associated effects
flood event duration, including warning time and intermediate water surface
elevations that trigger actions by plant personnel
plant mode(s) of operation during the flood event duration
other relevant plant-specific factors
In some cases, only one controlling flood hazard may exist for a site. In this case, licensees
should define the flood scenario parameters based on this controlling flood hazard.
However, sites that have a diversity of flood hazards to which the site may be exposed
should define multiple sets of flood scenario parameters to capture the different plant effects
from the diverse flood parameters associated with applicable hazards. In addition, sites
may use different flood protection systems to protect against or mitigate different flood
9
See Section 9 for the definition of flood height and associated effects.
This information may be available, in part, from the Recommendation 2.3 walkdown report or
licensee walkdown records (see Section 2)
10
14
hazards. In such instances, the integrated assessment should define multiple sets of flood
scenario parameters.
If appropriate, it is acceptable to develop an enveloping scenario (e.g., the maximum water
surface elevation and inundation duration with the minimum warning time generated from
different hazard scenarios) instead of considering multiple sets of flood scenario parameters
as part of the integrated assessment. For simplicity, the licensee may combine these flood
parameters to generate a single bounding set of flood scenario parameters for use in the
integrated assessment.
5.3 Collection of Critical Plant Elevations and Protection of Equipment
To facilitate the performance of the integrated assessment, the licensee should collect or
otherwise understand following information:
11
the critical elevations11 of plant equipment that is important to safety and the safety
functions affected when the critical elevation of the equipment is reached
the flood protection features or systems used to protect each piece or group of
critical plant equipment (e.g., a site levee, a Category 1 wall and flood doors, or a
sandbag barrier) and any procedures required to install, construct, or otherwise
implement the flood protection
the manner by which the equipment could be subjected to flooding (e.g., site
inundation or building leakage)
potential pathways for ingress of water (e.g., through conduits or ducts)
See Section 9 for the definition of critical elevations.
15
6. Evaluation of Effectiveness of Flood Protection
As part of the integrated assessment, the licensee should perform an evaluation of the
capability of the site flood protection to protect SSCs important to safety for each set of flood
scenario parameters.
Site flood protection may include incorporated, exterior, and temporary features12 with
passive and active functions that are credited to protect against the effects of external
floods. In addition to physical barriers, flood protection at nuclear power plants may involve
a variety of manual actions performed by personnel. These manual actions may be
associated with installation of features (e.g., floodgates, portable panels, and the placement
of portable pumps in service), the construction of barriers (e.g., sandbag barriers), and other
actions.
6.1 Process Overview
The flowchart in Figure 3 illustrates an acceptable process to evaluate flood protection. The
evaluation begins by selecting a set of flood scenario parameters for evaluation. Next, a
flood protection system13 is selected for evaluation. An evaluation is then performed of the
selected flood protection system under the flood scenario parameters. The type of
methodology considered appropriate for evaluating a flood protection system is based on
the types of flood protection features employed in the flood protection system. The flood
protection evaluation should assess the performance of the flood protection at both the
feature- and system-levels. Sections 6.2 and 6.3, as well as Appendix A to this guidance,
provide additional information on the evaluation of flood protection.
If the evaluation demonstrates that the flood protection can reliably accommodate the flood
scenario parameters with margin (Figure 3, Box 4) based on available performance criteria
(see Section 6.2) or on the quantification of flood protection reliability, then the licensee
should document and justify the integrity of the system (Box 5) and should repeat the
evaluation for the next flood protection system. Conversely, if the flood protection system is
not able to reliably accommodate the flood scenario parameters with margin, and
modifications will not be made (Box 6), the licensee should document the credible failure
modes and vulnerabilities along with the direct consequences (e.g., inundation of a room) of
each failure mode and vulnerability. The analysis is then repeated for the next flood
protection system. If modifications to the flood protection system are in-place or planned
(Box 6), the modified flood protection system should be defined (Box 7) and the evaluation
repeated for the modified flood protection system.
12
Section 9 provides definitions of incorporated, exterior, and temporary flood protection features.
Section 9 defines the term flood protection system. A site may have multiple and diverse flood
protection systems. For example, a site may be protected by a levee around the entire site as well as
incorporated barriers at the structure/environment interface for each individual building. The site levee
would constitute one flood protection system while a set of barriers that protects an individual
building, which can be isolated from other buildings (either through separation by location or flood
protection features), would comprise a separate flood protection system.
13
16
6.2 Performance Criteria
To provide confidence in the reliability and margin of flood protection, considering both
qualitative and quantitative performance criteria, the flood protection evaluation should do
the following:
Provide an understanding of potential failure modes of the flood protection system,
including consideration of potential ingress pathways for floodwaters (e.g., through
conduits or ducts).
Demonstrate the soundness of the individual flood protection features under the
loads (i.e., flood height and associated effects) due to the flood scenario parameters
and confirm that the features are:
- in satisfactory condition;
- higher than the reevaluated flood height; and
- structurally adequate based on quantitative engineering evaluations.
Demonstrate that the performance, characteristics, and configuration of the flood
protection feature(s) conforms to accepted practices and is sufficiently robust (e.g.,
demonstrates an appropriate factor of safety) by:
- comparison against appropriate, present-day design codes and standards
- comparison against NUREG-0800, Sections 3.4.1 and 3.4.2 (Refs. 6 and 7)
- assessment of exterior and incorporated flood protection features as
described in Section A.1.1 to Appendix A of this guidance
- justification and quantification (if applicable) of the reliability of active
features as described in Section A.1.2 of Appendix A to this guidance
- assessment of temporary features as described in Section A.1.3
Perform a qualitative assessment of operational requirements such as surveillance,
inspection, design control, maintenance, procurement, and testing.
Develop a timeline showing all manual actions, including cues, indications, and
notifications.
Ensure that the capacity of pumping or drainage systems is sufficient to handle any
inflow through flood protection features for the entire flood event duration.
Evaluate whether manual actions (including construction, installation, or other
actions) are feasible and reliable as described in Appendix C to this guidance,
including justification and documentation as described in Section C.6 of Appendix C.
Also evaluate the continued ability of the operating crew to monitor and control the
plant to maintain key safety functions.
Demonstrate that necessary consumables are available and will remain accessible
for the entire flood event duration.
Evaluate the flood protection system as a whole as described in Section A.2 of
Appendix A to this guidance.
Include sensitivity studies, if uncertainty about the construction or characteristics of
a flood protection feature or system exists (e.g., uncertainty about the parameters of
concrete used in the construction of a concrete wall).
Probabilistic evaluation of the fragility of exterior and incorporated features under the flood
scenario parameters is also acceptable, given adequate justification.
6.3 Justification of Flood Protection Performance
If, based on the flood protection evaluation, a flood protection system is deemed capable of
withstanding the flood height and associated effects for a set of flood scenario parameters,
17
the integrated assessment should justify this conclusion. In addition, the limiting margin
associated with the flood protection system as well as the margin associated with individual
flood protection features should be identified.
Margin should be characterized with respect to physical barrier dimensions,14 structural or
other performance capacity, and time and staffing associated with the performance of
manual actions to establish flood protection systems. Demonstration of the aforementioned
items requires an understanding of the capability of flood protection systems for a range of
flood heights and associated effects (including reasonable variation in warning time and
flood event duration). Physical margin and structural capacity can be demonstrated by
increasing the flood elevation (while accounting for associated effects) and showing the
elevation beyond which the system is no longer capable of reliably performing its intended
function.
The integrated assessment should identify any flood protection features or systems that are
unable to reliably accommodate the flood height and associated effects for a set of flood
scenario parameters with margin. Any flood protection feature or system determined to be
incapable of performing its intended safety function under the reevaluated hazard should be
documented as a vulnerability (see Section 8) for all susceptible plant configurations. In
addition, if a flood protection feature or system cannot accommodate the flood scenario
parameters, the flood protection evaluation should determine at what flood height and under
what associated effects, the flood protection feature or system is able to reliably
accommodate a flood. If the licensee proposes modifications to address vulnerabilities,
improve margin, or otherwise improve the effectiveness of site flood protection, the
integrated assessment should justify that the modified flood protection is reliable and has
margin through comparison to established performance criteria or quantification of reliability
(as appropriate).
14
Margin with respect to physical barrier dimensions is analogous to the concept of APM defined
under the NTTF Recommendation 2.3 flood walkdowns (see Reference 2). However, APM was
computed as part of the NTTF Recommendation 2.3 flood walkdowns with respect to the current
licensing basis flood protection height. In the context of the integrated assessment, margin with
respect to physical barriers is defined with respect to the reevaluated hazard (including flood height
and associated effects).
18
Select a set of f lood scenario
parameters.
1
Select a f lood protection system
relied upon under f lood
2
scenario.
3
Evaluate f lood protection
system.
Flood protection
system is reliable
and has margin?
4
Def ine modif ied flood protection
system.
7
no
yes
Modif ication of f lood
protection system?
6
5
Document and justif y f lood
protection integrity.
no
8
no
10
yes
All f lood protection
systems evaluated
under the f lood
scenario
parameters?
Document credible f ailure
modes and vulnerabilities.
Document consequences of
credible f ailure modes and
9
vulnerabilities.
yes
no
11
All sets of flood
scenario parameters
evaluated?
yes
12
Flood protection evaluation
complete.
Figure 3: Flood protection evaluation process flowchart
19
7. Evaluation of Mitigation Capability
Mitigation capability refers to the capability of the plant to maintain key safety functions15 in
the event that a flood protection system(s) fails or that a site does not have flood protection
under the flood scenario parameters.
An evaluation of mitigation capability is required for sites that have not demonstrated that
the flood protection systems are reliable and have margin. Mitigation capability should be
evaluated for credible flood protection failure modes, including concurrent failures, identified
based on the evaluation described in Section 6. For each scenario involving the
compromise of flood protection under the flood scenario parameters, the mitigation
capability of the plant should be evaluated for the entire flood event duration considering all
available resources.
In addition, as described in Section 3.1, sites that allow water to enter buildings or other
areas with SSCs important to safety by procedure or design (and resulting in the potential
compromise of those SSCs) should evaluate mitigation capability.
7.1 Process Overview
The licensee may demonstrate the mitigation capability of a plant using one of three
potential methods, depending on site characteristics and information needed for decisions:
scenario-based evaluation
margins-type evaluation
full PRA
The scenario-based approach is intended to be a systematic, rigorous, and conservative,
(although primarily qualitative) evaluation used to demonstrate that there is high confidence
that key safety functions can be maintained for the specific purposes to which this ISG is
intended. A margins-type evaluation is quantitative and uses conditional core damage
probability (CCDP) and conditional large early release probability (CLERP) as figures of
merit. The margins-type assessment will be more realistic than a scenario-based
evaluation, but more conservative than a PRA. Moreover, a margins-type evaluation will
typically use logic models that are more complex than a scenario-based evaluation but
simpler than models used as part of a full PRA. The full PRA evaluation uses a
conventional PRA-based approach to evaluate the mitigation capability of the plant. Each of
these methods is described further below.
A margins-type evaluation and a full PRA are acceptable for evaluating mitigation capability
at all sites. However, licensees may opt to perform a scenario-based evaluation, or to use a
scenario-based evaluation as a starting point before proceeding to a margins-type
evaluation or full PRA. When using a scenario-based evaluation to assess mitigation
capability, the licensee is responsible for justifying that the scenario-based evaluation
provides sufficient detail and supporting information (e.g., captures dependencies,
interactions, and total flood effect) to demonstrate that there is high confidence that key
safety functions can be maintained. For example, if the logic structure developed under a
scenario-based evaluation becomes too complex, it would become apparent that a
15
See Section 9 for the definition of key safety functions.
20
scenario-based evaluation is not capable of reaching a justifiable conclusion and a marginstype evaluation or full PRA would be necessary. As another example, if the use of
conservative, deterministic engineering evaluations, logic structures, and conservative
performance criteria using a scenario-based approach do not demonstrate that there is high
confidence that key safety functions can be maintained, the licensee may choose to make
modifications (e.g., to the plant or procedures) or proceed to an evaluation of mitigation
capability using a margins-type evaluation. The margins-type evaluation can account for
more complicated interactions and dependencies. In addition, the margins-type evaluation
quantitatively evaluates the reliability of manual actions and active components. If a more
refined evaluation is needed than is possible in a margins-type evaluation, an external flood
PRA is appropriate.
7.2 Scenario-Based Evaluation of Mitigation Capability
The scenario-based evaluation is used to demonstrate that there is high confidence that key
safety functions can be maintained using qualitative and quantitative information and
insights. Although the scenario-based evaluation does not require the computation of riskbased metrics (e.g., CCDP and CLERP), it should use a systematic, rigorous, and
conservative approach to demonstrate that key safety functions can be maintained with high
confidence under the flood scenario parameters. A scenario-based evaluation must include
the following key elements:
a detailed description of the scenario and its key components
a description of the approach(es) used for mitigation
a timeline showing necessary manual actions, including cues, indications, and
notifications
an evaluation of the reliability of active components
an evaluation of manual actions
the development of logic structures (i.e., event and fault trees) that include each
SSC that must change state and each manual action, to capture dependencies
between SSCs as well as manual actions. The logic structures should show
necessary support systems for each SSC that changes state (e.g., AC or DC power,
cooling water, fuel, equipment required for activation)
a conclusion of the overall reliability of the approach(es) used for mitigation
Additional details on these key elements are provided below.
Figure 4 provides a flowchart that depicts the process for a scenario-based evaluation of
mitigation capability. The evaluation begins by defining the scenario to be evaluated (boxes
1-4 of Figure 4), which consists of specifying:
the flood scenario parameters
the credible flood protection failure mode(s)16
all direct consequences of flood protection failure (e.g., particular rooms inundated)
16
Under a scenario-based evaluation flood protection is assumed to fail in credible ways (i.e., the
probability of flood protection failure is 1.0). Credible failure modes of flood protection systems for a
given set of flood scenario parameters are identified as part of the evaluation of flood protection
systems (see Section 6 and Appendix A to this guidance). Concurrent failures of multiple flood
protection systems (along with associated consequences) should be considered if the flood scenario
parameters could adversely affect multiple flood protection systems.
21
the plant conditions (e.g., identification of whether onsite power and offsite power
are available) and all equipment affected by the consequences of flood protection
failure
Typically, inundation of equipment will cause failure. However, associated flood effects
(e.g., debris, dynamic loads) may also adversely affect equipment; therefore, the evaluation
should consider these effects as well. The scenario-based evaluation should concurrently
consider all failures of flood protection features and equipment that could result from the
flood scenario parameters.
Once the scenario has been defined, the licensee should perform the following:
Define the key safety functions that must be maintained (Box 5 in Figure 4).
Specify equipment available for use in maintaining key safety functions (Box 6 in
Figure 4) and describe in detail the approach(es) used for mitigation.
Perform an evaluation of mitigation capability using available resources (Box 7 in
Figure 4) to demonstrate whether there is high confidence that key safety functions
can be maintained, as described below.
In demonstrating that there is high confidence that key safety functions can be maintained,
the evaluation should:
Demonstrate that any credited equipment will be functional, available, and
accessible when needed (e.g., that it is located above the flood elevation or is
protected by flood protection that is reliable and has margin), throughout the entire
flood event duration, and that it can be deployed when necessary.
Justify the availability and reliability of each active component as described in
Section A.1.2.1 of Appendix A to this guidance.
Evaluate whether manual actions are feasible and reliable as described in Appendix
C to this guidance, including justification and documentation as described in Section
C.6 of Appendix C to this guidance.
Qualitatively assess operational requirements such as surveillance, inspection,
design control, maintenance, procurement, and testing (e.g., whether or not
equipment is included in established plant equipment reliability programs).
Demonstrate that all credited equipment and features (e.g., engineered structures,
pumps, and other components) are capable of performing their design function and
that they have the appropriate factors of safety.
Demonstrate sufficient consumables (e.g., fuel) on site and their continued
accessibility.
Demonstrate redundancy and diversity in approach(es) used for mitigation.
Evaluate the differences between modes of operation relative to the identification
and maintenance of key safety functions.
Consider other quantitative and qualitative attributes that provide confidence in the
reliability of equipment, availability of resources, and feasibility and reliability of any
credited actions.
To capture interactions, dependencies, and overall flooding effect, the licensee should use
logic tools (i.e., event trees and fault trees) and timelines to structure and document the
scenario-based evaluation. The following provides guidance on the development of logic
models and timelines:
22
Logic structures should be developed in sufficient detail to demonstrate that there is
high confidence that key safety functions can be maintained.
The scenario-based evaluation should be conservative and simplifications made in
logic models should result in bounding analyses.
Diversity, redundancy, and other considerations that support the robustness of
approaches used to mitigate the event (e.g., robustness against single failures)
provide increased confidence that key safety functions can be maintained.
Failure branches of event trees should be shown, but need not be fully developed if
not required to justify the conclusions of the assessment.
Timelines should illustrate all required actions and should capture dependencies
such as actions that must be performed in series or in parallel and actions that
depend on the availability of resources or site access.
If the scenario-based evaluation can demonstrate that there is high confidence that key
safety functions can be maintained, the results must be documented and justified. If the
evaluation cannot demonstrate with high confidence that key safety functions can be
maintained, then either: (1) a scenario-based evaluation is not sufficient and a margins-type
evaluation or PRA is necessary, or (2) modifications should be made to the plant to improve
flood protection or mitigation capability such that there is high confidence that key safety
functions can be maintained.
The evaluation should be repeated until all flood protection failure modes and sets of flood
scenario parameters have been evaluated (as directed by Boxes 11 and 12 in Figure 4).
7.3 Margins-Type Evaluation of Mitigation Capability
The margins-type assessment evaluates mitigation capability given set(s) of flood scenario
parameters and credible flood protection failures(s).17 A margins-type evaluation is
quantitative and uses CCDP and CLERP as figures of merit.
Figure 5 illustrates the margins-type method used for evaluating mitigation capability. Like
the scenario-based mitigation evaluation, the margins-type mitigation evaluation begins by
specifying the following:
the flood scenario parameters
the credible flood protection failure mode(s)18
all direct consequences of flood protection failure (e.g., particular rooms inundated)
the plant conditions (e.g., identification of whether onsite and offsite power are
available) and all equipment affected by the consequences of flood protection failure
Typically, inundation of equipment will cause failure. However, associated flood effects
(e.g., debris, dynamic loads) may also adversely affect equipment and should be
considered.
17
The licensee should perform a margins-type assessment for flood protection features or flood
protection feature combinations that are not judged to be reliable or have margin.
18
Credible failure modes of flood protection systems for a given set of flood scenario parameters are
identified as part of the evaluation of flood protection systems (see Section 6). Concurrent failures of
multiple flood protection systems (along with associated consequences) should be considered if the
flood scenario parameters could adversely affect multiple flood protection systems.
23
If crediting the probability of flood protection failure(s) as part of a margins-type assessment,
all credible flood protection failure modes must be considered along with their probability of
occurrence. In logic models, both failures and non-failures associated with flood protection
must be tracked. Moreover, it is not acceptable to utilize the probability of flood protection
failure to justify that an evaluation of mitigation capability is not necessary (i.e., regardless of
the probability of flood protection failure, it is necessary to perform an evaluation of
mitigation capability).19
In some cases, licensees may consider a bounding flood protection failure mode (i.e., a
failure mode that bounds lesser failure modes) to reduce the number of failure modes
considered under the margins-type evaluation. In this case, the failure of flood protection
should be assumed to occur (i.e., the probability of flood protection failure is 1.0).20
Licensees should consider bounding failure modes only if the associated approaches for
mitigation are the same and the effects of timing or other factors of the mitigation approach
are similar.
Once the evaluation has specified the plant conditions along with equipment affected by the
flood protection failure, plant system models should be updated, enhanced, or developed to
reflect the current plant state and available equipment. The internal events PRA model, with
appropriate modifications, can be used to model plant systems. Basic failure events are
added to the internal events PRA model for evaluating the mitigation capability of the plant
during a flood event. Alternatively, it is acceptable to develop a system model(s) specifically
intended to compute CCDP and CLERP under the flood scenario parameters and flood
protection failure mode(s) being analyzed rather than adapting the existing internal events
PRA model. If such a model is developed, it should be consistent with the internal events
systems model with respect to plant response. In updating or developing system models,
the evaluation should do the following:
Consider equipment failures caused directly by the flood event and consider all
random failures of remaining plant equipment (e.g., failure to start and failure to
run).
Quantitatively evaluate the reliability of active components based on operating
experience, testing, and other available information by using traditional PRA or
statistical techniques.
Quantify the reliability of credited human actions by using human factors
engineering and human reliability concepts and approaches. The process
described in Appendix C to this guidance should be used to develop the bases for
HRA quantification. The evaluation should include the considerations described in
Appendix C, including:
- identification and definition of human actions as well as development of a
human failure event narrative (see Section C.2 of Appendix C);
19
The mitigation evaluation should be used if (1) flood protection cannot be shown to be reliable and
have margin by comparison against appropriate performance criteria (as described in Section 6), or
(2) flood protection does not exist for the flood scenario under consideration. Therefore, it is not
acceptable to use the probability of failure to justify the evaluation of mitigation capability is not
necessary. It is also noted that, as described in Section 3.2.2, flood frequencies should not be used
to justify that the evaluation of mitigation capability is not necessary.
20
As an alternative to assuming a failure probability of 1.0 when considering a bounding flood
protection failure mode, it is acceptable to assign a probability to the bounding failure mode that is
equal to the sum of the probabilities of all credible flood protection failure modes.
24
-
evaluation of applicable performance shaping factors (Section C.3.1) ;
a detailed timing analysis including computation of time margin and
consideration of uncertainties (Section C.3.2); and
evaluation of sufficiency of available time margin (Section C.4).
In addition, the evaluation should do the following for all resources and actions credited in
the margins-type evaluation:
Demonstrate that any credited equipment will be functional, available, and
accessible (e.g., that it is located above the flood elevation or is protected by flood
protection that is reliable and has margin) when needed, throughout the entire flood
event duration, and can be deployed when necessary.
Provide a timeline showing necessary manual actions, including cues, indications,
and notifications.
Qualitatively assess operational requirements such as surveillance, inspection,
design control, maintenance (e.g., document whether a component is covered by
established plant equipment reliability programs), procurement, and testing.
Demonstrate that sufficient consumables (e.g., fuel) are on site and are accessible.
Consider other quantitative and qualitative attributes that provide confidence in the
reliability of equipment, availability of resources, and feasibility and reliability of any
credited actions.
Using plant system models, the licensee should calculate CCDP and CLERP. The
evaluation of mitigation capability should be repeated until all flood protection failure modes
and sets of flood scenario parameters have been evaluated.
If the licensee proposes modifications to the plant, it should evaluate the effectiveness of the
modification on mitigation capability as described above.
7.4 Use of PRA to Evaluate Total Plant Response, Including Mitigation Capability
If a PRA is used to assess total plant response, including the mitigation capability of a plant,
the evaluation should be consistent with guidance contained in Section 8 of Reference 8, as
well as Reference 9. However, it is noted that Section 8 of Reference 8 establishes
technical requirements when a reactor is at power. As part of the integrated assessment, it
is necessary to consider mitigation capability during other modes of operation. References
used by staff in the review of lowpower and shutdown PRAs for advanced reactor designs
may provide useful insight for addressing these other modes of operation. For example,
Chapter 19 of the Standard Review Plan (Ref. 10) has been used for the evaluation of
shutdown PRAs for advanced reactor designs and Regulatory Guide 1.200 (Ref. 9) provides
information on the scope and technical attributes for low-power and shutdown PRAs for
internal events.
If modifications to the plant are proposed, the effectiveness of the modification on mitigation
capability should be evaluated as described above.
25
Select a set of f lood scenario
parameters.
1
2
Select a credible f lood
protection f ailure mode(s).
Specif y direct consequences of
f lood protection f ailure mode(s).
3
Specif y plant conditions and
equipment af f ected by direct
4
consequences.
Def ine key saf ety f unctions that
must be maintained.
5
Identif y available equipment.
6
Evaluate capability to maintain
key saf ety f unctions using
7
available equipment.
High conf idence that
key saf ety f unctions
maintained?
8
no
yes
Modif ication of plant
to improve mitigation
capability?
13
Justif y high conf idence that key
saf ety f unctions maintained.
9
no
no
10
All f lood credible
protection f ailure
modes evaluated f or
the f lood scenario
parameters?
14
Perf orm margins-type
evaluation or f ull PRA.
yes
no
11
All sets of f lood
scenario parameters
evaluated?
yes
Evaluation complete.
12
Figure 4: Scenario-based mitigation evaluation flowchart
26
yes
Select a set of f lood scenario
parameters.
1
2
Select a credible f lood
protection f ailure mode(s).
Specif y direct consequences of
f lood protection f ailure mode(s).
3
Specif y equipment af fected by
direct consequences.
4
Def ine plant conditions.
5
Incorporate f lood impacts and
plant conditions in plant system
6
models.
Compute CCDP.
7
Compute CLERP.
8
Modif ications
proposed?
9
yes
no
no
All f lood credible
protection f ailure
modes evaluated f or
the f lood scenario
parameters?
10
yes
no
All sets of f lood
scenario parameters
evaluated?
11
yes
Mitigation capability evaluation
complete.
12
Figure 5: Margins-based mitigation evaluation flowchart
27
8. Documentation
As described in the March 12, 2012, 10 CFR 50.54(f) letter, the integrated assessment
submittal should provide the following (Ref. 11, Encl. 2, p. 8-9):
a) Description of the integrated procedure used to evaluate integrity of the plant for
the entire duration of flood conditions at the site.
b) Results of the plant evaluations describing the controlling flood mechanisms and
its effects, and how the available or planned measures will provide effective
protection and mitigation. Discuss whether there is margin beyond the
postulated scenarios.
c) Description of any additional protection and/or mitigation features that were
installed or are planned, including those installed during course of reevaluating
the hazard. The description should include the specific features and their
functions.
d) Identify other actions that have been taken or are planned to address plantspecific vulnerabilities.
Additional details on documentation of items (a) through (d) are provided in Sections 8.1
through 8.4.
8.1 Integrated Assessment Procedure
Consistent with item (a) above, the integrated assessment submittal should do the following
to describe the integrated assessment procedure used to evaluate the integrity of the plant
for the entire duration of flood conditions at the site:
Describe the methodologies used to demonstrate the effectiveness of:
- flood protection features and systems; and
- approach(es) used for mitigation.
Describe any plant system models, including modifications made to existing internal
event model(s), for the evaluation of the plant’s flood protection and mitigation
capability.
8.2 Plant Evaluation Results
Consistent with item (b) above, the integrated assessment submittal should include the plant
evaluation results describing the controlling flood mechanisms and their effects and
explaining how the available or planned measures will provide effective protection and
mitigation and should discuss whether margin exists beyond the postulated scenarios.
8.2.1
Controlling Flood Mechanism(s)
The submittal should discuss the applicable flood mechanism(s) and the flood scenario
parameters, including flood height and the associated effects, that the integrated
assessment evaluated. In addition, the submittal should discuss the site conditions during
the entire duration of the flood event for each set of flood scenario parameters, including the
following:
the plant mode(s), including the duration of time the plant is expected to remain in
each mode;
28
the availability and quality of cues, indications and notifications, including water
gauges, meteorological gauges, weather and tsunami forecasting tools, or similar
instrumentation and communication mechanisms, as well as any durable
agreements in place to ensure notification from offsite entities;
the basis for action by plant operators in response to onsite cues and indications or
notification from offsite entities (e.g., plant response to notification of an upstream
dam failure);
the availability of and access to onsite and offsite resources and consumables;
accessibility considerations to and from the site and around the site that may impact
protective and mitigating actions;
the condition and access to the ultimate heat sink;
availability of offsite power;
structures and systems important to safety affected by the flood scenario
parameters; and
availability of staff and accessibility to and from the site for staff augmentation.
To aid understanding the flood scenario parameters, the submittal may describe the
conservatisms associated with the flooding analysis that led to the scenario flood
parameters; however, this step is optional.
8.2.2
Evaluation of Flood Protection
The submittal should do the following to provide information on the evaluation of flood
protection:
Describe all site flood protection systems, including all manual actions necessary for
the implementation of flood protection; the number of staff necessary to implement
flood protection procedures, any necessary qualifications and training; and the
ability of offsite staff to return to the site under the anticipated conditions.
Describe performance criteria used to evaluate flood protection, including any codes
or standards used in the evaluation.
Provide technical justification for all assumptions (including the failure modes
considered) used to demonstrate the effectiveness of flood protection features.
For each set of flood scenario parameters and flood protection system, document
and submit the following information:
- credible flood protection modes identified and the justification for any flood
protection modes that were deemed not credible;
- the condition of flood protection features;
- results of quantitative engineering evaluations, including:
justification of the structurally adequacy of features;
expected leakage through barriers; and
implications of identified deficiencies.
- results of evaluations of whether the performance, characteristics, and
configuration of the flood protection feature(s) conforms to accepted
practices and is sufficiently robust, including a detailed description of the
results of the following:
comparison to appropriate, present-day design codes and standards;
comparison against Standard Review Plan Sections 3.4.1 and 3.4.2,
Refs. 6 and 7);
assessment of exterior and incorporated flood protection features as
described in Section A.1.1 of Appendix A to this guidance;
29
justification and quantification (if applicable) of the reliability of active
features as described in Section A.1.2 of Appendix A; and
assessment of temporary features as described in Section A.1.3 of
Appendix A to this guidance.
- description of operational requirements applicable to flood protection
features (e.g., surveillance, inspection, design control, maintenance,
procurement, and testing);
- justification of whether the capacity of pumping or drainage systems is
sufficient to handle any inflow through flood protection features for the entire
flood event duration;
- results of evaluations of manual actions against the criteria contained in
Appendix C to this guidance, including all documentation requirements
described in Section C.6 of Appendix C to this guidance;
- timeline showing all necessary manual actions, including cues, indications,
and notifications;
- the availability and accessibility of necessary consumables for the entire
flood event duration; and
- results of system-level evaluations performed on flood protection systems,
including justification.
- results of sensitivity studies, if appropriate
Provide a discussion of any defense-in-depth considerations that are maintained
under each set of flood scenario parameters.
Discuss any additional margin beyond the postulated scenarios for the flood
protection system(s). Characterize margin with respect to:
- physical barrier dimensions;
- structural and other performance capacity; and
- time and staffing associated with the performance of manual actions.
If flood protection features are not shown to be reliable and have margin, document
and describe at what flood height and under what associated effects, the flood
protection feature or system is able to reliably accommodate a flood.
Provide a summary list of any flood protection features or systems determined not to
be capable of performing its intended safety function under the reevaluated hazard.
If modifications are proposed, provide justification that the modified flood protection
is reliable and has margin through comparison against established performance
criteria or quantification of reliability.
8.2.3
Evaluation of Mitigation Capability
The submittal should do the following to provide information on the evaluation of mitigation
capability:
Summarize the approach used for mitigation
Describe the equipment and manual actions, if applicable, associated with the
mitigation capability of the plant
Describe the performance criteria used to evaluate the mitigation capability of the
plant
Document conclusions (including sensitivity studies, if appropriate) on the
effectiveness of the total mitigation capability
Discuss any defense-in-depth considerations that are maintained under each set of
flood scenario parameters
30
Discuss any additional margin beyond the postulated scenarios for the mitigation
capability of the plant. Characterize margin with respect to physical barrier
dimensions, structural and other performance capacity, and time and staffing
associated with the performance of manual actions
Document and submit the following information for each scenario if a scenario-based
evaluation of mitigation capability is used:
A detailed description of the scenario and its key components, including the
following:
- the flood scenario parameters;
- the flood protection failure modes considered;
- all direct consequences of flood protection failure;
- plant conditions and all equipment affected by the consequences of flood
protection failure; and
- key safety functions that must be maintained.
Justification that the scenario-based evaluation provides sufficient detail and
supporting information to demonstrate that there is high confidence that key safety
functions can be maintained.
Description (including figures) of logic structures and timelines developed to support
the scenario-based evaluation, including the following:
- a timeline showing all necessary manual actions, including cues, indications,
and notifications; and
- the logic structures (i.e. event and fault trees) that include each SSC that
must change state and each manual action to capture dependencies
between SSCs and manual actions. The logic structures should show
necessary support systems for each SSC that changes state.
Demonstration that key safety functions can be maintained with high confidence
under each scenario, including the following:
- demonstration that any credited equipment will be functional, available, and
accessible when needed, throughout the entire flood event duration, and can
that it be deployed when necessary;
- justification of the availability and reliability of each active component as
described in Section A.1.2.1 of Appendix A to this guidance;
- results of evaluations of manual actions against the criteria contained in
Appendix C of this guidance, including all documentation requirements
described in Section C.6 of Appendix C of this guidance;
- a description of operational requirements applicable to mitigation equipment
(e.g., surveillance, inspection, design control, maintenance, procurement,
and testing);
- a demonstration that sufficient consumables are on site and that that these
consumables are accessible;
- description of redundancy and diversity in approach(es) used for mitigation;
and
- other quantitative and qualitative attributes that provide confidence in the
reliability of equipment, availability of resources, and feasibility and reliability
of any credited manual actions.
Document and submit the following for each scenario, if a margins-based evaluation of
mitigation capability is used:
31
A detailed description of the scenario and its key components, including the
following:
- the flood scenario parameters;
- the flood protection failure modes considered;
- all direct consequences of flood protection failure; and
- plant conditions and all equipment affected by the consequences of flood
protection failure.
A summary of system models developed specifically for evaluation of mitigation
capability or modifications made to existing PRA models.
A timeline showing all necessary manual actions, including cues, indications, and
notifications.
Justification for equipment, actions, and resources credited for mitigation, including
the following:
- justification of the reliability of active components as described in Section
A.1.2.1 of Appendix A to this guidance and justification for and results of the
quantification of the reliability of active components;
- results of evaluation of the reliability of manual actions, including a detailed
description of the method used to assess the reliability of manual actions:
identification and definition of human actions;
the human failure event narrative;
evaluation of applicable performance shaping factors;
a detailed timing analysis including computation of time margin and
consideration of uncertainties; and
evaluation of the sufficiency of available time margin.
- a demonstration that any credited equipment will be functional, available,
and accessible when needed, throughout the entire flood event duration and
can that is can be deployed when necessary;
- a description of operational requirements applicable to mitigation equipment
(surveillance, inspection, design control, maintenance, procurement, and
testing);
- demonstration that sufficient consumables are on site and that these
consumables are accessible; and
- other quantitative and qualitative attributes that provide confidence in the
reliability of equipment, availability of resources, and feasibility and reliability
of any credited manual actions.
The CCDP and CLERP calculated for each scenario.
Dominant sequences and CCDP and CLERP contributors identified.
If a PRA is performed, describe and document the analysis and results as outlined in
Reference 8 and include appropriate additional considerations to account for all modes of
operation considered as part of the integrated assessment.
8.2.4
Peer Review
The submittal should include the peer review documentation as described in Section B.3 of
Appendix B to this guidance.
8.3 Additional Protection and Mitigation Features
Consistent with item (c) above, the submittal should describe any additional protection or
mitigation features or both that the licensee has installed or is planning to install, including
32
those that it installed during the course of reevaluating the hazard. The submittal should do
the following in its inclusion of the specific features and their functions:
Describe any flood protection or mitigation capabilities discussed Section 8.2 that
are credited in the plant’s current licensing basis but that were modified during the
course of the hazard reevaluation or integrated assessment. Include specific
features and their functions in the description.
Describe any flood protection or mitigation capabilities discussed in Section 8.2 that
are not credited in the plant’s current licensing basis. Include specific features and
their functions in the description.
Describe any flood protection or mitigation capabilities discussed in Section 8.2 that
are planned and have not yet been installed. Include specific features and their
functions in the description.
Provide a timeline for the completion of all planned actions that were credited as
part of the integrated assessment.
Describe any interim actions that are in place until planned actions are completed.
8.4 Other Actions Involving Plant-Specific Vulnerabilities
Consistent with item (d) above, the submittal should do the following to identify other actions
that the licensee has taken or is planning to take in an effort to address plant-specific
vulnerabilities:
Describe any vulnerabilities (see the definition in Section 9) that the review
identified, including the key safety functions that may be affected.
Describe any actions that the licensee has taken to address these plant-specific
vulnerabilities.
Separately, describe any planned actions to address these plant-specific
vulnerabilities.
33
9. Terms and Definitions
Active (flood protection) feature: An incorporated, exterior, or temporary flood protection
feature that requires the change of a component’s state in order for it to perform as
intended. Examples include sump pumps, portable pumps, isolation and check valves,
flood detection devices (e.g., level switches), and flood doors (e.g., watertight doors).
Available Physical Margin (APM): A margin that describes the flood margin available for
applicable flood protection features at a site (not all flood protection features have APMs).
The APM for each applicable flood protection feature is the difference between the licensing
basis flood protection height and the flood height at which water could affect an SSC
important to safety. A determination of APM for local intense precipitation may not be
possible. Section 3.13 of the flooding design basis walkdown guidance, NEI 12-07 (Ref. 2)
provides additional details.
Cliff-edge: An elevation at which safety consequences of a flood event may increase
sharply with a small increase in the flood height and the associated effects.
Critical elevation: The elevation at which a piece or group of equipment will fail to function,
or a transient will be induced, due to flood height and associated effects.
Current Licensing Basis: The current licensing basis is the set of NRC requirements
applicable to a specific plant, plus a licensee’s docketed and currently effective written
commitments for ensuring compliance with, and operation within, applicable NRC
requirements and the plant-specific design basis, including all modifications and additions to
such commitments over the life of the facility operating license. The current licensing basis
also includes the plant-specific design basis information, defined by 10 CFR 50.2, as
documented in the most recent updated final safety analysis report in accordance with 10
CFR 50.71. The set of NRC requirements applicable to a specified plant’s current licensing
basis includes the following:
the requirements in, and the appendices to, the following NRC regulations:
– 10 CFR Part 2, “Agency Rules of Practice and Procedure”
– 10 CFR Part 19, “Notices, Instructions, and Reports to Workers: Inspection
and Investigations”
– 10 CFR Part 20, “Standards for Protection against Radiation”
– 10 CFR Part 21, “Reporting of Defects and Noncompliance”
– 10 CFR Part 26, “Fitness for Duty Programs”
– 10 CFR Part 30, “Rules of General Applicability to Domestic Licensing of
Byproduct Material”
– 10 CFR Part 40, “Domestic Licensing of Source Material”
– 10 CFR Part 50, “Domestic Licensing of Production and Utilization Facilities”
– 10 CFR Part 51, “Environmental Protection Regulations for Domestic
Licensing and Related Regulatory Functions”
– 10 CFR Part 54, “Requirements for Renewal of Operating Licenses for
Nuclear Power Plants”
– 10 CFR Part 55, “Operator’s Licenses”
– 10 CFR Part 70, “Domestic Licensing of Special Nuclear Material”
34
– 10 CFR Part 72, “Licensing Requirements for the Independent Storage of
Spent Nuclear Fuel and High-Level Radioactive Waste, and Reactor-Related
Greater Than Class C Waste”
– 10 CFR Part 73, “Physical Protection of Plants and Materials”
– 10 CFR Part 100, “Reactor Site Criteria”
Commission orders
license conditions
exemptions
technical specifications
plant-specific design basis information defined in 10 CFR 50.2 and documented in
the most recent updated final safety analysis report (as required by 10 CFR 50.71)
licensee commitments remaining in effect that were made in docketed licensing
correspondence (such as licensee responses to NRC bulletins, license event
reports, generic letters and enforcement actions)
licensee commitments documented in NRC safety evaluations (Ref. 2)
Design bases: As defined by 10 CFR 50.2, the information that identifies the specific
functions that an SSC of a facility must perform, and the specific values or ranges of values
chosen for controlling parameters as reference bounds for design. These values may be:
(1) restraints derived from generally accepted "state of the art" practices for achieving
functional goals, or (2) requirements derived from an analysis (based on calculation or
experiments or both) of the effects of a postulated accident for which an SSC must meet its
functional goals (Ref. 2).
Event tree: A logic diagram that begins with an initiating event or condition and progresses
through a series of branches that represent expected system or human performance that
either succeeds or fails and arrives at either a successful or failed end state (Ref. 8).
Exterior (flood protection) feature: An engineered passive or active flood protection feature
that is external to the immediate plant area and credited to protect safety-related SSCs from
inundation and static/dynamic effects of external floods. Examples of such features include
levees, dikes, floodwalls, flap gates, sluice gates, duckbill valves and pump stations (Ref. 2).
Failure modes and effects analysis: A process for identifying failure modes of specific
components and for evaluating their effects on other components, subsystems, and systems
(Ref. 8).
Fault tree: A deductive logic diagram that depicts how a particular undesired event can
occur as a logical combination of other undesired events (Ref. 8).
Feasible manual action: A manual action that is analyzed and that is demonstrated as
being able to be performed within an available time to avoid a defined undesirable outcome.
As compared to a reliable manual action (see definition), an action is considered feasible if it
is shown that it can be performed within the available time (considering relevant
uncertainties in estimating the time available); but it does not necessarily demonstrate that
the action is reliable. For instance, performing an action successfully one time out of three
attempts within the available time shows that the action is feasible, but not necessarily
reliable (Ref. 12).
Flood event duration: The length of time in which the flood event affects the site, beginning
with conditions being met for entry into a flood procedure or notification of an impending
35
flood (e.g., a flood forecast or notification of dam failure), including preparation for the flood
and the period of inundation, and ending when water has receded from the site and the
plant has reached a safe and stable state that can be maintained indefinitely. Figure 6
illustrates flood event duration.
flood event duration
site preparation
for flood event
Conditions are met
for entry into flood
procedures or
notification of
impending flood
period of
inundation
Arrival of flood
waters on site
recession of
water from site
Water begins to
recede from site
Water completely
receded from site
and plant in safe
and stable state
that can be
maintained
indefinitely
Figure 6: Illustration of flood event duration
Flood height and associated effects: The maximum stillwater surface elevation plus the
following factors:
wind waves and run-up effects;
hydrodynamic loading, including debris;
effects caused by sediment deposition and erosion;
concurrent site conditions, including adverse weather conditions;
groundwater ingress; and
other pertinent factors.
Flood scenario parameters: A set(s) of flood parameters that the integrated assessment
should consider. (see Section 5.2 for additional details).
Flood protection feature: An incorporated, exterior or temporary structure SSC (e.g.,
barrier), or an associated procedure that protects safety-related SSCs against the effects of
external floods, including flood height and associated effects.
Flood protection system: In the context of the integrated assessment, a flood protection
system is a set of flood protection features that are intended to protect a specific SSC or
group of SSCs (e.g., features used to protect the intake structure) or the entire plant (e.g., a
levee around an entire site) and that are primarily separate and independent from the flood
protection features that are used to protect other SSCs.
Human reliability analysis (HRA): A structured approach used to identify potential human
failure events and to systematically estimate the probability of those events using data,
models, or expert judgment (Ref. 8). In the context of the integrated assessment, HRA
approaches and concepts are used to evaluate whether manual actions are feasible and
reliable (see Appendix C to this guidance).
36
Incorporated (flood protection) feature: An engineered passive or active flood protection
feature that is permanently installed in the plant to protect safety-related SSCs from
inundation and static/dynamic effects of external flooding. Examples include pumps, seals,
valves, and gates that are permanently incorporated into a plant structure (Ref. 2).
Important to safety: A phrase that encompasses the broad scope of equipment covered by
Appendix A to 10 CFR Part 50, the General Design Criteria (Ref. 14). In accordance with
Appendix A, “General Design Criteria for Nuclear Power Plants,” to 10 CFR Part 50, the
phrase, “structures, systems, and components (SSCs) important to safety,” refers to SSCs
that provide reasonable assurance that the facility can be operated without undue risk to the
health and safety of the public. The phrase encompasses the broad class of plant features,
covered (not necessarily explicitly) in the General Design Criteria, that contribute in
important way to safe operation and protection of the public in all phases and aspects of
facility operation (i.e., normal operation and transient control as well as accident mitigation).
The phrase “important to safety” includes safety-grade (or safety-related) as a subset
(Ref. 15).
Key safety functions: The minimum set of safety functions that a plant must maintain to
prevent core damage and large early release. These functions include reactivity control,
reactor pressure control, reactor coolant inventory control, decay heat removal, and
containment integrity in appropriate combinations to prevent core damage and large early
release. (Ref. 8).
Manual action (for flooding): Proceduralized activity that plant personnel carry out to
prepare for or respond to an external flood event.
Mitigation capability: In the context of the integrated assessment, mitigation capability refers
to the capability of the plant to maintain key safety functions in the event that a flood
protection system(s) fails (or is otherwise not available).
Passive (flood protection) feature: An incorporated, exterior, or temporary flood protection
feature that does not require the change of state of a component in order for it to perform as
intended. Examples include dikes, berms, sumps, drains, basins, yard drainage systems,
walls, removable wall and roof panels, floors, structures, penetration seals, temporary
watertight barriers, barriers exterior to the immediate plant area that is under licensee
control, and cork seals.
Performance criteria (for flood protection): In the context of the integrated assessment,
performance criteria refer to criteria or standards that are used, in part, to demonstrate that
a flood protection feature is reliable and has margin.
Performance shaping factor (PSF): A factor that influences human performance and human
error probabilities (definition adapted from Reference 13). The integrated assessment
considers the following performance shaping factors:
indications or cues;
complexity;
special equipment;
human-system interface;
procedures;
training;
workload, pressure, and stress;
37
environmental factors;
special fitness issues;
staffing;
communications;
accessibility; and
other scenario-specific performance shaping factors.
Plant-specific vulnerability: Reference 11 defines plant-specific vulnerabilities as “those
features important to safety that when subject to an increased demand due to the newly
calculated hazard evaluation have not been shown to be capable of performing their
intended safety functions.”
Reasonable simulation: A walkthrough of a procedure or activity to verify the procedure or
activity can be executed as specified/written. This simulation requires verification that:
1) All resources needed to complete the actions will be available. (Note that staffing
assumptions must be consistent with site access assumptions in emergency
planning procedures.);
2) Any credited time dependent activities can be completed in the time required
considering the time required for detection, recognition and communication to initiate
action for the applicable flood hazard;
3) Specified equipment/tools are properly staged and in good working condition.
4) Connection/installation points are accessible;
5) The execution of the activity will not be impeded by the event it is intended to
mitigate or prevent (for example, access to the site and movement around it can be
accomplished during the flood); and
6) The execution of the activity will not be impeded by other adverse conditions that
could reasonably be expected to simultaneously occur (for example, winds, lightning,
and extreme air temperatures) (Ref. 2).
Reliable manual action: A feasible manual action that is analyzed and demonstrated as
being dependably repeatable within an available time to avoid a defined adverse
consequence, while considering varying conditions that could affect the available time or the
time to perform the action or both. As compared to an action that is only feasible (see
definition), an action is considered to be reliable as well if it is shown that it can be
dependably and repeatedly performed within the available time, by different crews, under
somewhat varying conditions that typify uncertainties in the available time and the time to
perform the action, with a high success rate. All reliable actions need to be feasible, but not
all feasible actions will be reliable (Ref. 12).
Temporary (flood protection) feature: A passive or active flood protection feature within the
immediate plant area that protects safety-related SSCs from inundation and static/dynamic
effects of external flooding and that is temporary in nature (i.e., their installation must be
done prior to the advent of the external flood). Examples include portable pumps,
sandbags, plastic sheeting, and portable panels (Ref. 2).
Total plant response: The capability of the plant: (1) to protect against flood events
(considering diverse flood protection features); and (2) to mitigate consequences, if the flood
protection system is compromised (or otherwise not available), by maintaining key safety
functions using all credited resources.
38
Unavailability: The probability that a system or component is not capable of supporting its
function including, but not limited to, the time it is disabled for test or maintenance (Ref. 8).
Variety of site conditions: The site conditions considered by the integrated assessment
should be all modes of operation (e.g., full power operations, startup, shutdown, and
refueling) and adverse weather conditions that could reasonably be expected to occur
concurrently with a flood event.
Vulnerability: See definition for plant-specific vulnerability.
39
10. References
1. American Nuclear Society, "Determining Design Basis Flooding at Power Reactor Sites,"
ANS/ANSI 2.8-1992, 1992.
2. Nuclear Energy Institute (NEI), "Guidelines for Performing Verification Walkdowns of
Plant Flood Protection Features," NEI 12-07, Revision 0-A, May 2012, Agencywide
Documents Access and Management System (ADAMS) Accession No. ML12173A215.
3. U.S. Nuclear Regulatory Commission, Endorsement of NEI 12-07, "Guidelines for
Performing Verification Walkdowns of Plant Flood Protection Features," June 14, 2012,
ADAMS Accession No. ML12159A290.
4. U.S. Nuclear Regulatory Commission, "Proposed Orders and Requests for Information
In Response To Lessons Learned from Japan's March 11, 2011, Great Tohoku
Earthquake and Tsunami," SECY-12-0025, February 17, 2012, ADAMS Accession No.
ML12039A103.
5. Rajiv Prasad, et al., "Design-Basis Flood Estimation for Site Characterization at Nuclear
Power Plants in the United States of America," NUREG/CR-7046, November 2011,
ADAMS Accession No. ML11321A195.
6. U.S. Nuclear Regulatory Commission, "Standard Review Plan for the Review of Safety
Analysis Reports for Nuclear Power Plants: LWR [light-water reactor] Edition," NUREG0800, Chapter 3, Section 3.4.1, "Internal Flood Protection for Onsite Equipment
Failures," Revision 3. March 2007, ADAMS Accession No. ML070550043.
7. U.S. Nuclear Regulatory Commission, "Standard Review Plan for the Review of Safety
Analysis Reports for Nuclear Power Plants: LWR Edition," NUREG-0800, Chapter 3,
Section 3.4.2, "Analysis Procedures," Revision 3. March 2007, ADAMS Accession No.
ML070570003.
8. The American Society of Mechanical Engineers, Addenda to ASME/ANS RA-S–2008,
“Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for
Nuclear Power Plant Applications,” ASME/ANS RA-Sa-2009.
9. U.S. Nuclear Regulatory Commission, "An Approach for Determining the Technical
Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities,"
Regulatory Guide 1.200, Revision 2, March 2009, ADAMS Accession No.
ML090410014.
10. U.S. Nuclear Regulatory Commission, "Standard Review Plan for the Review of Safety
Analysis Reports for Nuclear Power Plants: LWR Edition - Severe Accidents," NUREG0800, Section 19.0, “Probabilistic Risk Assessment and Severe Accident Evaluation for
New Reactors,” Revision 2, June 2007, ADAMS Accession No. ML071700652.
11. U.S. Nuclear Regulatory Commission, Request for Information Pursuant to Title 10 of
the Code of Federal Regulations 50.54(f) regarding Recommendations 2.1, 2.3, and 9.3,
of the Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident,
March 12, 2012, ADAMS Accession No. ML12053A340.
40
12. U.S. Nuclear Regulatory Commission, "Demonstrating the Feasibility and Reliability of
Operator Manual Actions in Response to Fire," NUREG-1852, October 2007, ADAMS
Accession No. ML073020676.
13. D. Gertman et al., "The SPAR-H Human Reliability Analysis Method," NUREG/CR-6883,
August 2005.
14. U.S. Nuclear Regulatory Commission, Generic Letter 84-01, Subject: NRC Use of the
Terms, "Important to Safety" and "Safety Related,” January 5, 1984, ADAMS Accession
No. ML031150515.
15. U.S. Nuclear Regulatory Commission, Memorandum to Staff, Subject: Standard
Definitions for Commonly-used Safety Classification Terms, November 20, 1981.
41
APPENDIX A: Evaluation of Flood Protection
The goal of this appendix is to provide guidance on the evaluation of flood protection.
Section A.1 provides guidance on evaluating individual features of a flood protection
system. Section A.2 provides guidance on evaluating a complete flood protection system.
A.1 Individual Flood Protection Features
This section provides guidance on evaluating individual features comprising flood protection
systems. Section A.1.1 of this appendix provides guidance on the evaluation of exterior and
incorporated flood protection features that are passive and permanent. Section A.1.2
provides guidance on the evaluation of active flood protection features. Section A.1.3
provides guidance on the evaluation of temporary protective measures. Section A.1.4
provides guidance on evaluation of equipment required for manual actions.
A.1.1 Exterior and Incorporated Flood Protection Features
The following steps should be considered in the assessment of exterior and incorporated
flood protection features that are permanent and passive:
analysis of potential failure modes
evaluation of capacities
comparison against present-day codes and standards
evaluation of operational requirements
sensitivity studies, as appropriate, to capture uncertainties
Section 6.2 of this interim staff guidance (ISG) describes high-level performance criteria
applicable to all types of flood protection, including exterior and incorporated flood protection
features that are permanent and passive. The following sections provide points to consider
in evaluating individual exterior and incorporated flood protection features that are
permanent and passive, such as:
earthen embankments (e.g., earth dams, levees and dikes) (Section A.1.1.1)
floodwalls (Section A.1.1.2)
seawalls (Section A.1.1.3)
concrete barriers (Section A.1.1.4)
plugs and penetration seals (Section A.1.1.5)
storm drainage systems (Section A.1.1.6)
In evaluating these types of features, licensees should refer to the guidance in this
appendix, as well as appropriate codes and standards, to assess whether in place or
planned features conform to accepted engineering practices. If an assessment and
evaluation of plant features reveals deficiencies and shortcomings in their capability to
perform adequately as a flood barrier because they do not conform to accepted engineering
practice, the implications of the deficiencies should be summarized. Planned actions to
mitigate and improve the features to function as a flood barrier should be discussed.
Moreover, licensees should identify flood protection features not meeting the implied
expectations associated with the points of consideration provided in this appendix and
provide a technical judgment of the capability and robustness of the feature.
42
A.1.1.1
Earthen Embankments (Earth Dams, Levees and Dikes)
Earthen dikes and embankments come in a variety of configurations. There are differences
in design and construction details between earthen dams, levees, and dikes. However,
since earthen dams, levees, and dikes are subsets of an “earthen embankment,” this
appendix will use that term. This section provides points of considerations for evaluating
earthen embankments, including the following:
•
•
•
•
potential failure modes of earthen embankments
considerations that should be evaluated to determine whether appropriate factors
are considered in the embankment design
material characterization
maintenance and inspection
Potential failure modes of earthen embankments that should be considered for applicability
include the following:
•
•
•
•
•
•
•
seepage, internal erosion, and piping
erosion-induced breaching
shear failure
surface sloughing
excessive deformation
seismically-induced liquefaction
other types of slope movement
The foundation and subsurface design of an embankment, levee, or berm should be
evaluated to determine whether the following factors are appropriately considered in its
design:
foundation stability
positive control of seepage
minimum adverse deformation via good contact between flood protection structure
and foundation
use of cut off walls and drainage systems to control seepage paths through
foundation
The stability of embankments should be evaluated utilizing pertinent geologic information
and in situ engineering properties of soil and rock materials. The geologic information and
site characteristics that should be considered include the following:
groundwater and seepage conditions
lithology, stratigraphy, and geologic details disclosed by borings and geologic
interpretations
maximum past overburden at the site as deduced from geological evidence
structure, including bedding, folding, and faulting
alteration of materials by faulting
joints and joint systems
weathering
cementation
slickensides
43
field evidence relating to slides, earthquake activity, movement along existing faults,
and tension jointing
The materials used in construction of the embankment should be evaluated to determine
whether the following factors are appropriately considered in its design:
use of filter materials to preclude migration of soil materials through the
embankment and foundation
erosion control against surface runoff, wave action, hydrodynamic forces, and debris
In evaluating engineering properties of soil and rock materials used in construction of the
embankment, the licensee should consider the following:
possible variation in natural deposits or borrow materials
natural water contents of the materials
climatic conditions
possible variations in rate and methods of fill placement
variations in placement water contents and compacted densities that must be
expected with normal control of fill construction
The maintenance and inspection regime of the embankment should be evaluated to assess
whether the following is true:
A.1.1.2
The embankment is inspected at regular intervals.
Written procedures are in place for proper maintenance.
Personnel responsible for inspecting the structure have been trained in inspection
techniques, implementing preventative and compensatory measures, and correcting
or repairing deterioration.
Suitable instrumentation is used to obtain information on the performance and
condition of the structure.
Floodwalls
A retaining wall is any wall that retains material to maintain a change in elevation, whereas
the principal function of a floodwall is to prevent flooding (inundation) of adjacent land. A
floodwall is subject to water force on one side, which is usually greater than any resisting
earth force on the opposite side. A wall may be a retaining wall for one loading condition
and a floodwall for another loading condition. The flood loading (e.g., surge tide, river flood)
may be from the same or the opposite direction as the higher earth elevation.
For inverted T-type floodwalls, the crossbar of the T serves as a base and the stem serves
as the water barrier. In evaluating T-type floodwalls, potential failure modes for T-walls that
should be considered include the following:
seepage
wall stability
Planning and design procedure considerations for floodwall projects are described in
References A1 and A2.
44
An I-wall is a slender cantilever wall, embedded in the ground or in an embankment that
rotates when loaded and is thereby stabilized by reactive lateral earth pressures. The
licensee should consider the following potential failure modes of I-walls:
depth of piling
deep seated (global failure)
rotational failure caused by inadequate pile penetration
seepage
Reference A3 provides information on I-Walls, as they relate to hydrostatic loads, static and
dynamic water (wave) loads, seepage and piping, I-wall deflections, and determination of
safety factors.
A.1.1.3
Seawalls
Seawalls are onshore structures with the principal function of preventing or alleviating
overtopping and flooding of the land and the structures behind them caused by storm
surges and waves. The licensee should consider potential failure modes of seawalls,
including instability due to erosion of the seabed at the toe of the structure and increase in
wave impact, runup, and overtopping. References (A4-A6) provide additional information on
seawalls.
A.1.1.4
Concrete Barriers
In assessing whether other concrete barriers can support flood loads, the licensee should
evaluate the foundation and subsurface design of the barrier to determine whether the
following factors were appropriately considered in design of the structure:
static loads from stillwater elevation
hydrodynamic loading from wave effects and debris
foundation design and treatment, including good contact between the flood
protection structure and foundation
removal of problem soils
increasing seepage paths through the foundation by use of deep cut off walls, if
necessary
The licensee should evaluate the material properties of the concrete barrier (using available
documentation and current condition) to assess whether the following is true:
There was a competent investigation of material sources.
Adequate testing was performed of materials in accordance with accepted
standards.
Proper proportioning of concrete was performed to improve strength and durability.
The licensee should evaluate the design of the concrete barrier to ensure it is safe against
overturning and sliding without exceeding the allowable stress of the foundation and
concrete for the loading conditions imposed by the flood and all associated flood effects
The licensee should evaluate the maintenance and inspection regime of the concrete barrier
to assess whether the following is true:
The barrier is inspected at regular intervals.
45
A.1.1.5
Written procedures are in place for proper maintenance.
Personnel responsible for inspecting flood control structures have been trained in
inspection techniques, implementing preventative and compensatory measures, and
correcting or repairing deterioration.
Suitable instrumentation is being used to obtain information on the performance and
condition of the structure (e.g., assessing settlement and tilting of foundations,
condition of the concrete including degradation mechanisms, seepage).
Plugs and Penetration Seals
In assessing whether plugs and penetration seals are watertight and support applied loads
the evaluation should demonstrate the following:
A.1.1.6
the ability to withstand the flood height and associated effects (including static and
dynamic loads) associated with the flood scenario parameters, including the
following considerations:
- all sizes tested to withstand hydrostatic seal pressures for the anticipated
water pressures
- adequate design for the effects of hydrodynamic and debris loading from
floods
leakage restricted to amount within the capacity of drainage or pumping systems
the ability to withstand anticipated temperatures
suitability for applications in water - above ground and direct burial and ability to
provide the electrical insulation where cathodic protection is required
adequate resistance to fires, corrosive fluids, ultraviolet and radiation, as applicable
appropriate qualitative evaluation of operational requirements such as surveillance,
inspection, design control, procurement, maintenance, and testing to provide
confidence in the reliability of plugs and penetration seals
Storm Drainage Systems
If credited, the licensee should evaluate the storm drainage systems to demonstrate they
are capable of passing sufficient flow to accommodate the reevaluated flood flow rate while
maintaining the flood height not greater than the allowable value.1 The evaluation should
consider all effects associated with the flood (e.g., scour). Performance should be
compared against appropriate present-day codes and standards, including Section 2.4.2,
Revision 4, “Floods,” of NUREG-0800, “Standard Review Plan for the Review of Safety
Analysis Reports for Nuclear Power Plants: LWR [light-water reactor] Edition” (Ref. A7).
Storm drainage systems should also be evaluated to demonstrate that they are in
satisfactory condition. Qualitative evaluation of operational requirements, such as
surveillance, inspection, design control, procurement, maintenance, and testing is
appropriate (e.g., a walkdown procedure should be provided for verifying that the system is
clear of debris and objects that could impede flow). If drainage systems are associated with
active components, active components should be evaluated using considerations described
in Section A.1.2.
1
If storm drainage is not capable of handling the reevaluated flood, flood protection should be
provided and evaluated.
46
A.1.2 Active Features
A.1.2.1
Active Components
The availability and reliability of active components (e.g., pumps, valves) should be justified
using:
•
•
•
operational data
performance criteria (e.g., see Table A1)
consideration of operational requirements:
-
surveillance
inspection
design control
maintenance
procurement
testing and test control
If applicable, licensees should further use the following to justify the availability and reliability
of active components and features:
incorporation of equipment in plant programs (e.g., whether the component is
included in established plant equipment reliability programs or subject to
10 CFR Part 50, Appendix B)
conformance to consensus standard developed for similar uses, including
emergency uses (e.g., standards developed by the National Fire Protection
Association for fire protection equipment)
In addition, when information is available, the reliability of active components (e.g., failure to
start on demand and failure to run once started) should be quantitatively evaluated and
documented based on operating experience, testing, and other available information using
traditional probabilistic risk assessment or statistical techniques. In some cases, this
information may not be available. In this case, tests or analyses may be appropriate to
support quantification of reliability. If information is not available and testing is not feasible,
the integrated assessment submittal should: (1) describe why quantification of equipment
reliability is not possible or necessary; and (2) justify why the equipment can be reasonably
credited despite these limitations.
A.1.2.2
Flood Doors and Hatches
In assessing whether watertight doors (flood doors and hatches) perform their intended
functions, the following factors should be considered:
Hydrostatic force resistance – flood barriers should conform to the criteria for
resisting lateral forces due to hydrostatic pressure from freestanding water.
Hydrodynamic force resistance – flood barriers should conform to the criteria for
resisting lateral forces due to moving flood waters.
Debris impact force resistance – flood barriers should conform to the criteria for
resisting debris objects at stated velocities.
47
A.1.3 Temporary Features
Standards, codes, and guidance documents (e.g., References A8 and A9) should be
consulted to determine whether the configuration of the temporary barrier (e.g.,
configuration of a sandbag wall) conforms to accepted engineering practices. Justification
of feature reliability may require laboratory- or field-testing (e.g., Reference A10), analytical
modeling, or demonstrations. If an assessment and evaluation of temporary features
reveals deficiencies and shortcomings in their capability to perform adequately as a flood
barrier because they do not conform to accepted engineering practice, the implications of
the deficiencies should be summarized.
Moreover, it should be demonstrated that temporary features can be moved to the location
where needed and installed. The licensee should use Appendix C to this guidance to
evaluate manual actions associated with construction or installation of temporary protective
measures.
A.1.4 Equipment Necessary to Perform Human Actions
The licensee should use Appendix C to this guidance to evaluate human actions associated
with flood protection features.
Equipment necessary to facilitate performance of manual actions should be functional,
available, and accessible when required. The availability of special equipment required for
the performance of protective or mitigating actions should be considered. In crediting the
availability of equipment for use by personnel, the licensee should consider the following
criteria:
Equipment should not be damaged or otherwise adversely effected by the flood
event (e.g., direct inundation, excessive humidity, hydrodynamic forces, or debris) or
adverse environmental conditions.
Equipment should not be located in an area exposed to the flood (including any
associated effects), unless a strong justification exists for the continued functionality
of the equipment.
All “needs” of the equipment should be met, including, for example, supporting
electrical power, cooling, and ventilation.
Equipment should be easily located and all aids should be readily available.
Physical access and manipulation constraints should be considered in evaluating
whether equipment is available for use.
Plant personnel should be able to find and reach the equipment and should be able to
perform the required actions using the equipment. Credit should only be given if the
equipment is functional, available, and accessible to personnel. Therefore, if any of the
above criteria are not met, the operation of the equipment should be considered infeasible.
The licensee should consider special and portable equipment that may be required to
facilitate performance of required actions. Special equipment may include keys to open
locked doors (doors may “fail closed” in the event of a loss of power), ladders, and special
purpose tools (e.g., equipment required to fill sandbags, portable generators, tools to
manipulate equipment manually) and equipment necessary to cope with environmental
conditions (e.g., flashlights and personal protective equipment such as personal floatation
devices). Equipment should be easily located and readily available so as not to impede or
delay the performance of required actions. Equipment should be controlled and routinely
48
verified. Personnel should be trained to locate and use the required equipment. The
licensee should consider any delays associated with acquisition and use of portable
equipment.
A.2 Flood Protection Systems
Section A.1 provides guidance of the evaluation of individual flood protection features (i.e.,
evaluation at the component level). Some flood protection systems involve multiple features
or components. This section describes the evaluation of flood protection systems as a
whole (i.e., at the system-level) as directed by Section 6 of this ISG. System evaluation
should begin with defining the flood scenario parameter to which the system is subjected.
Next, criteria defining failure of the flood protection system should be identified. In the
context of the integrated assessment, failure may be defined as loss of barrier integrity, a
leakage rate into a room exceeding a specified threshold, or other effects. Failure modes
and effects analysis (FMEA) is a common tool for systematically identifying possible failure
modes of a structure, system, and component (SSC) and evaluating the effects of the failure
on other SSCs and is applicable to the integrated assessment. Once failure criteria have
been defined, individual flood protection barriers within the flood protection system should
be evaluated at the component level under the loads resulting from the flood scenario
parameters as described in Section A.1. Finally, the flood protection system should be
evaluated, accounting for interactions and dependencies between components.
Following the above steps, the system evaluation should progress though the sequence of
subsequent events that can ultimately lead to end states corresponding to failure (or
damage) of the flood protection system and subsequent adverse consequences (e.g.,
leakage of water past a barrier or inundation of a room). Logic structures, such as event
trees, provide a way to represent the various outcomes that can occur as a result of the
flood scenario parameters. An event tree starts with the specification of the flood scenario
parameters and develops sequences based on whether a feature (including a human
action) succeeds or fails in performing the intended functions. The system level evaluation
should account for factors such as the following:
the duration of the flood event2
the reliability of active components (e.g., pumps that are required to remove water
that bypasses flood barriers)
the effect of flood height and associated flood effects on the performance of barriers
the robustness of barriers, particularly temporary barriers
the feasibility and reliability of human actions that must be performed to install or
construct barriers (e.g., flood gates, sandbag walls), including factors that can
influence personnel performance, as described in Appendix C to this guidance
2
For some hazards, flood conditions could persist for a significant amount of time. Extended
inundation on or near the site could present concerns such as site and building access, travel around
the site, equipment operating times, and supplies of consumables. The licensee should evaluate
flood protection feature limitations based on flood duration. For example, if the duration of the design
basis flood is 72 hours and a diesel driven pump is credited with removing water from an area, the
total amount of fuel available for the pump and the operating time it represents should be determined
and included in the assessment.
49
A.3 References
A1. U.S. Army Corps of Engineers, "Engineering and Design - Retaining and Flood Walls,"
EM 1110-2-2502, 1989.
A2. U.S. Army Corps of Engineers, "Engineering and Design – Waterstops and Other
Preformed Joint Materials for Civil Works Structures," EM 1110-2-2102, 1995.
A3. U.S. Army Corps of Engineers, "Design of Sheet Pile Walls," EM 1110-2-2504, 1994.
A4. U.S. Army Corps of Engineers, "Engineering and Design-Design of Coastal
Revetments, Seawalls and Bulkheads,” EM 1110-2-1614, 1995.
A5. U.S. Army Corps of Engineers, "Coastal Engineering Manual-Part VI, Introduction to
Coastal Project Element Design,” EM 1110-2-1100, 2002.
A6. U.S. Army Corps of Engineers, "Coastal Engineering Manual- Part V, Planning and
Design Process,” EM-2-1100, 2002.
A7. U.S. Nuclear Regulatory Commission, "Standard Review Plan for the Review of Safety
Analysis Reports for Nuclear Power Plants: LWR Edition," NUREG-0800, Section 2.4.2:
“Floods,” Revision 4, March 2007, ADAMS Accession No. ML070100647.
A8. U.S. Army Corps of Engineers, Flood-Fight Handbook - Preparing for a Flood. 2009.
Available at: http://www.mvp.usace.army.mil/docs/disaster_response/CEMVP_FloodFight_Handbook_2009.pdf.
A9. U.S. Army Corps of Engineers, Sandbag Construction. [Online] [Cited: November 26,
2012.] Available at:
http://www.mvp.usace.army.mil/docs/flood_fight2009/5Sandbag_Construction_2009_JR
L.pdf.
A10. U.S. Army Corps of Engineers, Laboratory Testing of Flood Fighting Products. Coastal
and Hydraulics Laboratory. [Online] [Cited: August 23, 2012.] Available at:
http://chl.erdc.usace.army.mil/chl.aspx?p=s&a=Projects;182.
50
Table A1: Criteria for Evaluating Active Components
Functional
1. Equipment is capable of performing its required function (e.g.,
characteristics:
functional requirements such as pump flow rate, pump discharge
pressure are met).
2. Equipment is in satisfactory condition.
3. Functionality of the equipment may be outside the manufacturer’s
specifications if a documented engineering evaluation justifies that
the equipment will be functional when needed during the flood event
duration.
4. There is an engineering basis for the functional requirements for the
equipment which:
a. is auditable and inspectable;
b. is consistent with generally accepted engineering principles;
c. defines incorporated functional margin; and
d. is controlled within the configuration document control
system.
Operational
characteristics
1. Equipment is covered by one of the following:
a. existing quality assurance (QA) requirements in Appendix B
of 10 CFR Part 50;
b. existing fire protection QA programs; or
c. a separate program that provides assurance that equipment
is tested, maintained, and operated so that it will function as
intended and that equipment reliability is achieved.
2. Testing (including surveillances)
a. Equipment is initially tested or other reasonable means
should be used to verify that its performance conforms to the
limiting performance requirements.
b. Periodic tests and test frequency are determined based upon
equipment type and expected use. Testing is done to verify
design requirements and basis are met. The basis is
documented and deviations from vendor recommendations
and applicable standards should be justified.
c. Periodic inspections address storage and standby conditions
as well as in-service conditions (if applicable).
d. Equipment issues identified through testing are incorporated
into the corrective action program and failures are included in
the operating history of the component.
3. Preventive maintenance (including inspections)
a. Preventive maintenance (including tasks and task intervals)
is determined based upon equipment type and expected use.
The basis is documented and deviations from vendor
recommendations and applicable standards should be
51
Unavailability
characteristics
1.
2.
3.
Equipment
storage
characteristics
1.
2.
3.
justified.
b. Periodic testing addresses storage and standby conditions as
well as in-service conditions (if applicable).
c. Equipment issues identified through inspections are
incorporated into the corrective action program and failures
are included in the operating history of the component.
The unavailability of equipment should be managed such that loss of
capability is minimized. Appropriate and justifiable unavailability time
limits are defined as well as remedial actions. A replacement would
be for equipment that is expected to be unavailable in excess of this
time limit or when a flood event is forecasted.
A spare parts strategy supports availability considerations.
The unavailability of installed plant equipment is controlled under
existing plant processes such as technical specifications.
Portable equipment is stored and maintained to ensure that it does
not degrade while being stored and that it is accessible for
maintenance and testing.
Credited active equipment is protected from flooding. It is accessible
during a flooding event. Alternatively, credited active equipment may
be stored in locations that are neither protected from flooding nor
accessible during a flood if adequate warning of an impending flood
is available and equipment can be relocated prior to inundation.
a. Consideration should be given to the transport from the
storage area recognizing that flooding can result in obstacles
restricting normal pathways for movement.
b. Manual actions associated with relocation of equipment
should be evaluated as feasible and reliable (see Appendix C
to this guidance).
A technical basis is developed for equipment storage that provides
the inputs, assumptions, and documented basis that the equipment
will be protected from flood scenario parameters such that the
equipment could be operated in place, if applicable, or moved to its
deployment locations. This basis is auditable, consistent with
generally accepted engineering principles, and controlled within the
configuration document control system.
52
APPENDIX B: Peer Review
A peer review is an important element of the integrated assessment. The peer review
increases confidence in the results of the integrated assessment and provides assurance
that these results form a sound basis for regulatory decisions. Where feasible, the peer
review can incorporate established licensee review procedures if compatible with the sitespecific conditions and nonroutine nature of the integrated assessment. The following
sections describe the peer reviewer attributes, attributes of an acceptable peer review, and
required documentation of the peer review.
B.1 Peer Reviewer Attributes
The reviewers should have the following attributes:
Peer reviewers should be independent of those who are performing the integrated
assessment (i.e., the peer review team members should have neither performed nor
directly supervised any work on the portions of the assessment they are reviewing).
The number of peer reviewers is dictated by the scope of the integrated
assessment. This number should include as many people as necessary for review
by individuals with appropriate expertise. Collectively, peer reviewers should have
expertise in all areas of importance to the integrated assessment. For example,
reviewers should have combined experience in the following areas (as applicable):
systems engineering, flood hazard assessment, flood protection engineering (e.g.,
structural and geotechnical engineering), human reliability analysis and evaluation
of manual actions, and application of probabilistic risk assessment (PRA)
methodologies.
One of the peer reviewers should be designated as the peer review team leader.
The team leader is responsible for the entire peer review process, including
completion of the final peer review documentation. The team leader is expected to
provide oversight related to the process, scope, and technical aspects of the peer
review. The team leader will establish the initial scope of the peer review and
assemble an appropriate review team. The team leader should have sufficient
knowledge and experience to determine the scope of the review based on the
above considerations. The peer review team leader should expand the scope of the
review and add members to the team, if necessary, to ensure that all areas of
review are appropriately covered.
Peer reviewers may be selected from within the licensee’s organization if the
attributes described above are met. If reviewers with the above attributes cannot be
assembled from within the licensee’s organization (in whole or in part), then the
licensee should assemble additional reviewers from outside the licensee’s
organization (i.e., external peer reviewers).
B.2 Peer Review Attributes
The peer review should have the following attributes:
To facilitate an efficient and informative review, an in-process peer review is
recommended, though a one-time peer review at the end of the integrated
assessment is also acceptable. In other words, it is recommended that the peer
review be performed contemporaneously with the integrated assessment and
53
observations made by the reviewers should be transmitted to the integrated
assessment team as soon as possible.
The peer review should be conducted as an assembled team. This is particularly
important for critical items such as the following (if credited): (1) manual actions; (2)
temporary protective measures; and (3) nonsafety-related equipment used for event
mitigation. Reviewers should have the opportunity to interact with one another
when performing the reviews, irrespective of the specific areas of review to which a
team member is assigned.
The reviewers should evaluate each of the following if they are a part of the
integrated assessment and assess the rationale, if they are not:
- methodologies used to evaluate capabilities for flood protection and
mitigation
- assumptions made and methods used to formulate and validate the
methodologies
- performance criteria applied
- evaluations of the reliability of flood protection features and systems for
which generally accepted codes and standards are either unavailable or
inapplicable
- evaluations of the feasibility and reliability of nonroutine or new human
actions (i.e., actions that are not routinely performed or have not been
previously evaluated under other processes)
- judgments made regarding the mitigation capability and reliability of credited
systems (applies to both margins-type and full PRA methods)
- judgments made that there is high confidence that key safety functions will
be maintained, including logic models and timelines (applies to scenariobased evaluation methods)
Peer reviewers should pay particular attention to the following:
- assumptions, particularly those that are not thoroughly developed and
documented
- justification for the use of novel models or methods, especially if those
models or methods are inconsistent with current practices
- technical judgments, especially those that are not supported by technical
analyses, such as explicit calculation or appropriate data
- judgments made regarding the reliability of protection or mitigation actions
involving the use of equipment, personnel, or other resources in
nontraditional ways
Peer reviewers should evaluate the completeness, accuracy, and technical bases of
the final integrated assessment report
B.3 Peer Review Documentation
The peer review process should be clearly documented in the integrated assessment
submittal. Documentation of the peer review should be contained in a separate enclosure
report as part of the licensee’s integrated assessment submittal and should include the
following:
a description of the peer review process
the names and credentials (e.g., training, experience, capabilities, and background)
of the peer review team members and leader, as well as the areas on which each
reviewer concentrated
54
a description of how the assembled peer review team met the reviewer attributes
(Section B.1)
a discussion of the key findings and a discussion as to how the findings were
addressed
an assessment of the disposition of comments made by peer reviewers
a review of the final integrated assessment report
the conclusions of the peer review team as to the completeness, accuracy, and
technical bases of the integrated assessment
55
APPENDIX C: Evaluation of Manual Actions
C.1
Overview
C.1.1 Purpose and Scope
This appendix provides guidance for evaluating manual actions associated with flooding
based on concepts and approaches used in human factors engineering and human
reliability analyses (HRA).1 The purpose of the evaluation is to ensure, with high
confidence, that manual actions required for flooding events are both feasible and reliable.
An action is considered feasible if it has been analyzed and the licensee has shown that it
can be performed correctly within an available time to avoid a defined undesirable outcome.
A feasible action is reliable when it is shown to be dependably repeatable within an
available time (while considering varying conditions that could affect the available time or
the time required for performing the action or both). All reliable actions must be feasible, but
not all feasible actions will be reliable (Ref. C1). Results of the evaluation process
described in this appendix may show that an important human action is infeasible or cannot
be performed reliably. In these instances, it may be possible to modify aspects of the task
or the circumstances in which the action is performed to identify acceptable alternatives.
Therefore, the evaluation process described in this appendix may be iterative.
Much of this appendix focuses on manual actions performed outside the main control room
(MCR), including actions taken throughout the plant and around the site associated with
both flood protection and mitigation. Nonetheless, some flooding scenarios may challenge
the operating crew’s ability to maintain situation awareness and command and control.
Therefore, in addition to ex-MCR actions, the scope of this evaluation also comprises
manual actions that are performed in the MCR during a flood scenario with the specific
intent to affect plant operating conditions.2
C.1.2 Organization of the Appendix
This appendix is organized according to the process for evaluating the feasibility and
reliability of flood-related manual actions for the integrated assessment, as described below:
Section C.2 describes a process for identifying and defining important human
actions
Section C.3 discusses evaluating whether manual actions are feasible, including the
following:
- evaluating the impact of performance shaping factors (PSFs) on the action
(Section C.3.1), and
- conducting a timing analysis (Section C.3.2)
1
Due to the nature of and variety of potential flooding events and responses, it is recognized that
additional approaches may be used or developed to augment the guidance provided in this appendix.
2
These include actions to reconfigure flow paths, to recover equipment important to safety, to change
power level, and to switch sources of coolant inventory, among others. Because Emergency
Operating Procedures (EOPs) have been validated during their development and subsequent change
processes, it is expected that actions included in the existing EOPs are acceptable with little further
evaluation, but only if they are applicable to the plant mode and effective under the conditions of the
scenario (e.g., instrumentation and controls for the equipment is not degraded, power is available, no
spurious alarms).
56
C.2
Section C.4 provides a process for evaluating whether manual actions are reliable
Section C.5 discusses adjustments of actions and associated context to improve
feasibility or reliability
Section C.6 describes documentation
Identify and Define the Human Actions
The first step in the evaluation is to identify the manual actions associated with flood
protection or mitigation. This step also entails defining the actions at the appropriate level of
detail to support qualitative analysis and quantification, if necessary. For each human
action upon which flood protection or mitigation depends, the licensee should develop a
timeline that “locates” the human action within the sequence of activities in the flooding
scenario and provide a high-level description of it (i.e., an “operational story” or “human
failure event (HFE) narrative,” as described in NUREG-1921, “EPRI/NRC-RES Fire Human
Reliability Analysis Guidelines,” issued July 2012; see Reference C2). The narrative should
include the following:
the initiating event for the scenario, including flood scenario parameters and credible
flood protection failure modes (if applicable)
the sequence of events (preceding system and functional failures and successes)
leading up to the human action
description of the objective of the action (i.e., what the action is intended to achieve)
description of the credentials and experience of personnel performing the action
(e.g., licensed operators versus maintenance personnel)
description of the cognitive (detection, diagnosis, and decisionmaking) and
execution (actions, behaviors) aspects of the manual action
timing information (as specified in Section C.3.2 of this appendix)
scenario-specific procedural guidance
availability of cues and other associated indications that may be needed to initiate
necessary actions, as well as cues that might subsequently enable personnel to
detect the need to correct an action that has been omitted or performed incorrectly
any preceding human errors or successes in sequence (e.g., previous human errors
modeled in the scenario)
human action success criteria
undesired human responses
physical environment in which the action is performed
a summary of the operating history of human errors (including both plant-level and
industry experiences) associated with (1) establishing and maintaining the flood
protection features and (2) structures, systems, and components (SSCs) involved in
flood mitigation
Guidance for determining the level of detail at which to define the human actions to be
evaluated is available from numerous sources (e.g., References C3, C4, and C5). Section
9.4 of NUREG-1624, “Technical Basis and Implementation Guidelines for A Technique for
Human Event Analysis (ATHEANA),” issued May 2000 (Ref. C6), provides a framework and
detailed guidance for defining HFEs and unsafe acts. As a rule of thumb, the action should
be defined at a level of detail that supports evaluating the impact of the performance
shaping factors (PSFs) listed in Section C.3.1 of this appendix. For example, describing
some actions at the functional level, such as an action to “establish operating routines to
service gasoline and diesel driven equipment,” will not support evaluating PSF impacts
because there will be different locations at which servicing must occur and the locations
57
may vary in terms of accessibility and the environmental conditions to which personnel will
be exposed, among other considerations. Conversely, decomposing an action into highly
detailed steps (e.g., “hammer in the first of four nails”) would be unnecessary for the
evaluation if the same PSFs would impact the performance of each step in the same way.
C.3
Determine Whether the Action is Feasible
A manual action is feasible if it can be accomplished in the context within which it will be
performed and there is adequate time available to perform the action, considering any
adverse contextual or personnel factors that may delay or degrade performance. This
appendix presents a two-step process for determining feasibility.
The first step is to evaluate any performance shaping factors (PSFs) that may adversely
affect the performance of the manual action in a flooding scenario. PSFs that may affect the
performance of actions during flooding events are described in Section C.3.1. Each
subsection (Sections C.3.1.1 to C.3.1.13) includes a general discussion of the PSF, as well
as criteria for determining whether the PSF is expected to be either nominal or degraded.
The second step in determining whether an action is feasible is to conduct a timing analysis.
This analysis (described in Section C.3.2) determines whether the time available to
complete the action is greater than the time required when accounting for uncertainties in
timing estimates (i.e., margin). If the time required to perform the action is greater than the
time available, but there is insufficient margin to account for uncertainties, the action should
be considered infeasible.
Detailed justification should be provided to support the determination that an action is
feasible. The following should be considered when evaluating the feasibility of an action:
•
•
•
whether the PSF associated with stress is categorized as nominal or moderate
whether all other PSFs are categorized as nominal
whether the timing analysis determines that the time available to perform the action
is greater than the time required, when accounting for uncertainties.
If there are strong reasons to believe that an action can be performed despite the presence
of degraded PSFs, the basis for determining that the action is feasible should be justified
and documented in detail. In addition, a timing analysis should be conducted to: (1)
account for the impact of the degraded PSF on the time required to perform the action; and
(2) show that there is margin available to complete the action.
C.3.1 Performance Shaping Factors
The following PSFs are relevant to manual actions associated with flooding:
Cues and indications—the availability and quality of information needed to initiate
and perform the action
Complexity—the ambiguity and mental effort associated with detection, diagnosis
and decisionmaking and any complicated aspects associated with action execution,
such as special sequencing, coordination between multiple individuals at different
locations, or the need for sensitive and careful manipulations
Special equipment—the availability and usability of any special equipment needed
to perform the human action, including portable equipment as well as personal
protective equipment (PPE)
58
Human-system interface—the availability and usability of that part of a piece of
equipment or system with which personnel interact to perform the action
Procedures—the availability, accuracy, applicability, and usability of instructions for
performing a human action
Training—the availability and quality of training provided for performing the human
action
Perceived workload, pressure and stress—the extent to which a crew or individual
experiences time pressure and stress from the need to perform the action in the
available time along with their overall sense of being pressured and/or threatened in
some way with respect to what they are trying to accomplish
Environmental factors—the presence and severity of those factors that could
negatively impact the ability to perform the human action, such as the presence of
water, radiation, poor lighting, temperature extremes, humidity, noise, vibration, and
electrical hazards
Special fitness issues—the extent to which performance of the human action
requires unusual levels of fitness or conditions create fitness concerns
Staffing—the availability of sufficient numbers of qualified personnel to perform the
action, considering concurrent activities and collateral duties
Communications—the availability, accessibility, and functionality of communications
equipment needed to perform the action and coordinate activities among personnel
Accessibility—the ability of personnel and resources to move around the site as well
as the ability of offsite personnel and resources to arrive onsite
Scenario-specific PSFs—other task or contextual factors that have the potential to
adversely affect performance of the action
As described previously, manual actions that are associated with PSFs that are not
categorized as “nominal” should be considered infeasible, with the exception of the
“perceived workload, pressure, and stress” PSF, for which a moderate categorization is
acceptable. This PSF is excepted because, at a minimum, moderate levels of stress can be
expected during flooding events.
The following subsections describe PSFs to be considered in evaluating whether manual
actions are feasible.
C.3.1.1 Cues and Indications
Cues and indications serve the following three functions:
1) Enable personnel to determine that flood protection and mitigation actions are
required or appropriate
2) Direct or guide personnel performing actions
3) Provide feedback on the success or failure of actions
In the context of flood protection, indications should be available to provide notification that
a flood event is imminent if manual actions are required to provide protection against
flooding. Examples of indications include river forecasts, dam condition reports, and river
gauges. If durable agreements are not in place to ensure communication from offsite
entities and the plant does not have an independent capability to obtain the same
information onsite, any manual action initiated by the indication should be considered
infeasible. Consideration should be given to the quality of the agreements in place between
offsite entities and personnel at the nuclear power plant site, as well as the potential for the
communication mechanisms to fail.
59
Cues and indications are also necessary (1) for determining whether and which flood
protection manual actions are required, (2) to direct the performance of those actions, and
(3) to evaluate whether the actions have achieved their objective. Particularly with respect
to active flood protection features, cues and indications should be available to verify that the
needed equipment is functioning as intended. The impact of other postulated conditions on
the availability of cues and indications should also be considered (e.g., communication
difficulties resulting from noise, difficulties in manipulating equipment, or verifying equipment
status in the dark).
In the context of mitigation actions, indications should be available to alert personnel to the
failure of flood protection features and the presence of water in locations that are intended
to be kept dry or otherwise protected from flood effects. For cases in which indications are
not available, the evaluation can consider compensatory measures (e.g., local
observations). Evaluations of the adequacy of time should account for the frequency of
manual checks in the absence of continuous monitoring. If cues or indications are not
available, the mitigation actions should be considered infeasible.
For control room based actions, the presence and the salience of indicators and cues
should be considered. Annunciators, alarms, computer logs, and position indicators may be
more or less effective based on the context (e.g., it may not be feasible to expect an
operator to attend to a single annunciator when 50 or 60 are in alarm coincidentally).
Additionally, consideration should be given to whether spurious alarms resulting from flood
effects are likely to cause unwanted operator responses that could make plant conditions
worse instead of better. In addition to potential effects on cues and indications, some
flooding scenarios may degrade or fail systems normally available to crews in the MCR for
taking actions to control key safety functions. If local control actions are required, the
evaluation should consider the communications burden on the operating crew for directing
the action and verifying that the action has been successful. The evaluation should also pay
attention to the accessibility of data or information in digital or computerized systems (e.g., if
the computer is not functional because of the flood, many alarms and other information will
be inaccessible to operators).
Based on the considerations described above, the PSF for cues and indications should be
evaluated using the following categorization scheme:
•
•
Nominal—Cues and indications are available and can be accessed in time to
support diagnosis and decisionmaking before action execution is required, and the
cues and indications are accurate.
Degraded—Cues and indications are missing, difficult to obtain, or unreliable.
C.3.1.2 Complexity of the Required Action
Complexity refers to the nature of the situation that must be diagnosed, the decision to be
made, or the action to be performed. High levels of complexity, particularly in the absence
of training and practice, reduce the feasibility of manual actions. Sources of complexity that
may affect the timeliness and effectiveness of cognition (i.e., detection, diagnosis, and
decision-making) may include:
diagnostic ambiguity from conflicting or difficult-to-interpret cues and indications
unfamiliar circumstances that require mental effort and, perhaps consultation, to
interpret
ambiguity in the appropriate prioritization of competing goals
60
the need to consider multiple variables simultaneously while implementing a
proceduralized action
Sources of complexity that may affect the timeliness and effectiveness of action execution
may include:
the need for personnel to perform many unfamiliar steps in rapid succession;
the need to perform multiple actions concurrently; and
whether special sequencing or coordination is required for the action to be
successful (especially if it involves multiple persons in different locations)
Actions that require concurrent diagnosis and execution or sensitive and careful
manipulations are also likely to be complex.
Input from personnel should be obtained regarding their perceptions of whether the scenario
is complex or simple. If rarely-used configurations will be necessary, the licensee should
consider the possibilities of new single failures, interfacing loss-of-coolant accidents,
inadvertent system interactions, and unrecognized drainage pathways for the reactor vessel
or important storage tanks. In addition, to evaluate complexity, the following questions
should be considered:
Are there many alarms or indications to which the crew or operator must identify,
evaluate, and respond?
Will communication between several individuals at different locations be necessary?
Will plant symptoms be difficult to ascertain because of instrumentation failures and
spurious indications?
Will component failures have multiple or propagated effects on systems, equipment,
or other components?
Will the action sequence include concurrent tasks that require specific timing to be
successful?
Will the situation include many distractions, crowds of people, or other factors that
could divert attention from the required tasks?
Based on the considerations described above, the PSF for complexity should be evaluated
for cognition and execution using the following categorization schemes:
Cognition
•
•
Nominal—Detection, diagnosis, and decisionmaking associated with the action are
simple, straightforward, and unambiguous or the crew or individual is highly familiar
with and skilled in addressing the situation.
Degraded—The available information is conflicting or difficult to interpret. Resolution
of any ambiguity or response planning requires obtaining validating or convergent
information, consideration of competing goals, multiple variables or consultation.
Sources of distraction are present. Conditions require counter-intuitive responses or
responses that conflict with highly trained responses to similar circumstances.
Execution
Nominal—Execution of the action is simple and straightforward. Coordination
requirements are minimal or highly practiced. Steps in the action sequence are
performed at a single location, involve the concurrent management of one or very
61
few variables, and feedback on the effectiveness of the action is easily available
and accurate.
Degraded—Execution of the action is difficult. Execution requires rapid
performance of multiple, complicated steps, the performance of steps by the same
individual at multiple locations, coordination of steps between two or more
individuals at multiple locations, or very sensitive and careful manipulations. Several
variables may be involved in the action or there is ambiguity in how to perform the
action.
C.3.1.3 Special Equipment
Manual actions associated with flooding may require special or portable equipment and
PPE. Portable equipment may include keys (doors may “fail closed” in the event of a loss of
power), ladders, hoses, torque devices, electrical breaker rackout tools, flashlights, portable
pumps and meters, and rafts or boats, among other items. PPE may include protective
clothing to enter high radiation areas or flood-specific protective clothing, such as life
jackets, hip waders, or other special purpose gear. Section A.1.4 of Appendix A to this
guidance discusses criteria for crediting the functionality, accessibility and availability of
special equipment when needed to perform an action.
The use of special equipment itself may adversely affect action execution. Examples
include increased opportunities for errors and delays from having to hold a flashlight or aim
a headlamp when manipulations are required or from the time required to don PPE;
movement restriction and careful performance to ensure that a raft or boat does not capsize;
reduced vision from wearing face protection; reduced manual dexterity from wearing gloves;
or reduced communications ability from wearing special purpose gear. In addition,
personnel may not be familiar with and highly practiced in using some of the special
equipment that may be required in flooding events, also resulting in discomfort, delay and
an increased likelihood of errors.
Based on the considerations described above, the PSF for special equipment should be
categorized using the following scheme:
Nominal—The number and type of special equipment required is minimal and
personnel are familiar with and practiced at using it.
Degraded—Personnel are not familiar with and practiced using special equipment.
The design of the equipment interferes with action performance, or the action
requires use of multiple types of special equipment.
C.3.1.4 Human-System Interfaces
The availability, functionality, and usability of human-system interfaces (HSIs) will impact the
performance of some manual actions. HSIs involved in flooding events include the controls
and displays provided by portable and temporary equipment, control room HSIs, HSIs for
local control stations, and any other hardware or software with which personnel must
interact to obtain information or change the state of SSCs. NUREG-0700, Revision 2,
“Human-System Interface Design Review Guidelines,” issued in 2002 (Reference C8
provides guidance for the evaluation of HSIs, including evaluation of conventional (noncomputerized) HSIs).
HSI design may affect both the cognition and execution aspects of a manual action and will
likely have a greater impact on local actions than actions in the MCR. For example, if the
62
decision to perform an action depends on readings from meters or gauges that are normally
backlit but there is no backup power to maintain the lighting during a flooding event, the
cognitive portion of an action will be delayed. Action execution may be delayed if time is
required to travel from the location of a display to the equipment to be manipulated.
Labeling of components may become particularly important for local actions that must be
performed in the dark or extreme weather conditions.
Based on the considerations described above, the PSF for HSIs should be categorized
using the following scheme:
Nominal—HSIs required to perform the action are functional, accessible and their
design supports human performance under anticipated flooding conditions.
Degraded—HSIs are poorly designed (e.g., poor labeling, needed instrumentation
cannot be seen from the location where control inputs are made, or there are poor
computer interfaces), have been damaged, or are difficult to use under the expected
conditions. The HSI fails to support diagnosis or post-diagnosis behavior, or the
instrumentation is inaccurate (i.e., misleading). Required information is not
available from any source (e.g., instrumentation is so unreliable that individuals
ignore the instrument, even if it is registering correctly at the time).
C.3.1.5 Procedures
Procedures, or instructions for performing actions, improve human performance by doing
the following:
assisting personnel to diagnose the type of event that may be occurring and
deciding on the required actions to respond to the event
providing guidance for how to perform the required actions and verifying that they
have been effective
minimizing confusion that may result from conflicting signals, including spurious
actuations, or other factors.
Written and maintained plant procedures must be available to cover all credited manual
actions. Written procedures should describe what needs to be done (including interpretation
of cues), how and where the actions should be performed, and what tools or equipment
should be used.
If procedures are not available to guide a manual action, the action should be considered
infeasible, except when a strong case can be made that performing the steps required to
complete the manual action are “skill-of-the-craft.”3
In addition to being available, procedures should be technically accurate, comprehensive,
explicit, easy to use, and validated. Personnel should be trained to implement the
procedures. If the expected conditions in which the procedures will be used make it difficult
or impossible to read the procedure, personnel should either be trained to perform the steps
3
“Skill of the craft” is a term describing those tasks in which it is assumed that the workers know
certain aspects of the job and need no written instructions (e.g., a plumber replacing a washer in a
faucet) (Ref. C11).
63
from memory or provisions should be made to communicate the procedure steps to the
individuals performing them.
The PSF for procedures may affect both the cognition and execution portions of a manual
action. Based on the considerations described above, the PSF for procedures should be
categorized using the following scheme:
Nominal – Procedures support performance of the action, in that they:
– identify parameters to monitor and criteria that trigger action
– are sufficiently comprehensive to apply to the range of circumstances
associated with flooding events
– are technically accurate and up to date
– are written at a sufficient level of detail for the expected users
– are accessible, easy to understand and easy to use in the circumstances of
expected use, and
– they have been validated
Degraded – The procedures PSF should be considered degraded if:
–
–
–
–
–
–
–
–
–
procedures do not exist
procedures have been damaged or destroyed
procedures are not easily available
procedures are incomplete (e.g., precautions, warnings and notes are
missing)
procedures have not been validated
procedures do not apply to the circumstances at hand
special equipment is needed to read or communicate the instructions
the level of detail assumes training that all potential users may not possess,
or
aspects of formatting, terminology or sentence structure in the procedure
make it difficult to comprehend
C.3.1.6 Training and Experience
Personnel performing required manual actions should have been trained in their individual
responsibilities for performing the actions and had opportunities to practice. In evaluating
the effectiveness of training, the following factors should be considered:
Training should establish familiarity with procedures and required actions including
operation of any special equipment.
Training should engender familiarity with potential adverse conditions arising from a
flood event (e.g., dangerous weather).
Training should prepare personnel to handle departures from the expected
sequence of events.
Training should provide the opportunity to practice the skills required to accomplish
the manual action (e.g., construction of barriers using special equipment).
Training and experience may take on added importance for flood protection actions because
it may be necessary to call additional personnel to the site to establish flood protection
features. These additional personnel may be unfamiliar with the layout of the site, as well
as the rigor and procedural adherence expected of personnel in the nuclear industry.
64
Based on the considerations described above, the PSF for training and experience should
be evaluated as follows for ex-control room actions:
Nominal—Specific training has been provided on the affected SSCs and relevant
indicators, procedures, tools and special equipment to be used in flooding events.
Opportunities to practice the actions have been provided to ensure that individuals
are proficient with the actions to be performed in a flooding event and have been
exposed to abnormal conditions.
Degraded (or low) —No specific training was provided before the flooding event on
the affected SSCs and relevant indicators, procedures, tools, special equipment or
action sequence. This level of training and experience does not ensure that
individuals have the knowledge and skills required to adequately perform the
required tasks; does not provide adequate practice in those tasks; or does not
expose individuals to various abnormal conditions.
Based on the considerations described above, the PSF for training and experience should
be evaluated as follows for in-control room actions:
Nominal —Training is provided in accordance with licensed operator requalification
program requirements as required by 10 CFR 55.59(c) and includes training for
flooding scenarios.
Degraded (or low) —Training should be considered degraded (low) if any of the
following apply:
– Training on the action or a specific topic of importance to the action is not
provided.
– Training content is incomplete, incorrect, out-of-date, or otherwise less than
adequate.
– The systems approach to training (e.g., job or task analysis, definition of
knowledge, skills, and abilities, task qualification process) was not used to
ensure that the worker could successfully perform the task in actual job
conditions.
– Assumptions about “skill-of-the-craft” appear to be incorrect (e.g., all
operators do not have the experience assumed regarding the action being
reviewed).
– Simulator training is:
incomplete (e.g., it does not simulate the failure of a particular device,
or include a particular scenario),
inaccurate (e.g., it does not match the actual plant or system
response), or
the simulator is not used for training even though it is capable of being
used.
– Personnel are not familiar with the tools required to perform the action.
C.3.1.7 Perceived Workload, Pressure and Stress
Perceived workload, pressure and stress refer to the extent to which a crew or individual
experiences time pressure from the need to perform the action in the available time along
with their overall sense of being threatened in some way with respect to what they are trying
to accomplish. Stress may also arise from existing or potential conditions that may affect an
individual’s physical well-being (e.g., exposure to an unfamiliar hazard) or that of others
65
(e.g., family members possibly being in danger, the potential for radioactive release). High
workload, time pressure, and stress are generally thought to have a negative impact on the
performance of crews or individuals (particularly if the task being performed is considered to
be complex).
The impact of these factors should be carefully considered in the context of the scenario
and that of the other PSFs thought to be relevant. For example, if the scenario is familiar,
procedures and training are very good, and the crews or individuals typically implement their
procedures well within the available time, relatively high expected levels of workload, time
pressure and stress may not have a significant impact on performance. Alternatively, if the
scenario is unfamiliar, the procedures and training for the scenario are considered only
adequate, and the time available to complete the action has been significantly shortened
because of flooding, then workload, time pressure and stress may have a significant
adverse impact on performance.
Several individuals or crews, as applicable, should be interviewed independently to estimate
the extent to which workload, pressure and stress could affect performance of the action.
Based on the considerations described above, the PSF for workload, pressure and stress
should be categorized using the following scheme:
Nominal—A level which is conducive to good performance, or at least, is not
disruptive.
Moderate —Personnel experience unusual levels of workload, time pressure and
stress that may cause them to narrow their focus or have difficulty focusing.
Moderate levels of stress are more likely to occur when the onset of the event is
sudden and unfamiliar or the situation persists for long periods. Stress will also
increase if the individual or crew has previously made an error or believes that they
made an error.
Degraded—A level at which the performance of most people will deteriorate. This
level may be associated with sudden onset and rapidly degrading conditions, as
well as a feeling of threat to one’s own life or to others’ safety and well-being.
C.3.1.8 Environmental Factors
The environmental conditions at the location where an action is performed may affect an
individual’s physical or mental performance. As a result, an individual’s capability to perform
the required actions may be degraded or precluded. The expected environmental
conditions should be considered at both the locations where the manual actions will be
performed and along the access and egress routes. Personnel performance can be
degraded, if not precluded, by adverse environmental conditions in reaching the location. In
addition, personnel may be unable to perform the action in the conditions existing at the
location. The environment along the egress route after completion of the action should also
be considered to ensure personnel health and safety.
Environmental conditions associated with flooding events that could impair performance
include the following:
adverse weather (e.g., lightning, hail, wind, precipitation)
temperatures (e.g., humidity, air and water temperatures, particularly if personnel
must enter water)
66
conditions hazardous to the health and safety of personnel (e.g., electrical hazards,
hazards beneath the water surface, drowning, structural debris)
lack of lighting
radiation
noise
vibration
NUREG/CR-5680, “The Impact of Environmental Conditions of Human Performance,”
issued in 1994 (Ref. C9) describes the impacts of temperature, lighting, noise and vibration
on cognitive and physical performance and the levels at which these environmental factors
cause performance degradations.
The licensee should consider the presence and severity of each of these environmental
factors in evaluating the cognitive and execution elements of the manual action. For each
environmental factor, the evaluation should categorize the factor using the following
scheme:
Nominal —The environmental factor is at a level unlikely to affect performance or
personnel are highly familiar with and experienced in performing actions under the
expected conditions.
Degraded —The environmental factor is present and at a level likely to challenge
successful performance; multiple adverse environmental factors co-exist at the
location for performance; or, the conditions prevent performance of the action
altogether. Environmental conditions that could prevent performance of an action
include those that present a threat to life-safety or a significant risk to the health and
safety of personnel performing the action.
Determine the appropriate overall category for environmental factors by using the worst
case category among the individual factors.
C.3.1.9 Special Fitness Issues
Manual actions for flood protection or mitigation may require special types of fitness or
involve fitness-for-duty issues related to fatigue. Special physical fitness requirements could
include, for example, having the strength and agility to climb up or over equipment to reach
a device because the flood has caused the ideal travel path to be blocked; needing the
strength to move equipment and connect cables, especially if using a heavy or awkward
tool; or having the stamina to use special purpose gear, which is physically demanding and
hinders communication.
Fitness-for-duty issues related to fatigue include any personal factors that impair an
individual’s ability to safely and competently perform the required manual actions. For
example, fatigue may become problematic if workload prevents the management of acute
fatigue or individuals accrue cumulative fatigue over extended periods of high work hours
and limited sleep. Long and continuous work hours cause mental, as well as physical
impairment. It is appropriate to determine how long a specific individual (worst-case and
nominal schedules) could be on shift for the duration of the flood scenario under both the
restrictions of the current fatigue management plan and under an exemption, if the licensee
plans to request one.
67
For each special fitness issue identified, the licensee should determine whether it adversely
affects cognition, execution, or both. Based on the considerations described above, the
PSF for special fitness needs should be categorized using the following scheme:
Nominal—Special fitness needs are not a barrier to performance of the action and
sufficient personnel are available who are physically capable of performing the task.
Degraded—Special fitness needs make the task difficult to perform, few or no
personnel are physically capable of performing the task, or sources of impairment
(e.g., acute or cumulative fatigue, illness) may adversely affect performance.
C.3.1.10 Staffing
In assessing the feasibility of a manual action, the persons performing the action should be
qualified. In particular, the evaluation should consider whether the action requires a
licensed operator or whether other special qualifications are required. The feasibility
assessment should consider the availability of a sufficient number of trained personnel
without collateral duties during a flood event such that the required manual action can be
completed as needed. Required staff may be normally on site or available from offsite, if
sufficient warning time is available and the flood event does not inhibit access to the site.
Consideration should to given to whether task assignments (or task loads) subject one or
more workers to excessive physical or mental stress or if concurrent tasks challenge the
ability of the person to perform as required. Additional considerations include both normal
staffing and minimum staff requirements associated with technical specifications. If there
are insufficient qualified personnel to complete the action (considering actions that must be
performed concurrently), the licensee should consider the action to be infeasible.
Based on the considerations described above, the PSF for staffing should be evaluated
using the following categorization scheme:
Nominal staffing —Sufficient qualified personnel to perform the required activities
are either: 1) on site; or 2) available offsite with sufficient warning time to arrive on
site and the event does not inhibit site access. The availability of qualified
personnel to perform all concurrent (simultaneously) required activities is also taken
into account.
Degraded (insufficient) staffing —Insufficient qualified personnel are available to
perform the required action.
C.3.1.11 Communications
Equipment (e.g., two-way radios) may be required to support communications between
personnel to ensure the proper performance of manual actions (e.g., to support the
performance of sequential actions, to verify procedural steps). In addition, because of the
long durations of many flooding scenarios and because of the possible need of offsite
support, communications with corporate and governmental organizations is important.
Therefore, the evaluation should consider the flood’s impact on offsite communications.
Because there may be substantial warning time preceding some flood mechanisms, efficient
communications may be less important when evaluating the feasibility of manual actions
associated with preemptive protective measures. However, mitigation may require actions
for which the time available to diagnose, perform, and confirm actions is short.
Communication methods should be checked to ensure prevailing conditions do not
challenge their effectiveness. The availability of alternate means of communications, if the
planned communications system fails, should also be evaluated. Consideration should be
68
given to whether personnel are trained to operate the equipment that is planned to be used
as well as alternatives and whether there is feedback in the control room to indicate that
portions of communication systems may not be functional because of flooding or wind
damage. Training should ensure effective communications and coordination during a flood
event.
Based on the considerations described above, the PSF for communications should be
evaluated using the following categorization scheme:
Nominal—The flooding event does not adversely affect communications (both on
site and off site).
Degraded—The lack of, the poor quality of, or likely failures of the communications
process or equipment negatively affect performance (e.g., too much static,
insufficient number of radios or radiofrequencies to support the amount of work, no
diversity and redundancy designed into the system).
C.3.1.12 Accessibility
Accessibility of the site and the locations in which manual actions must be performed are
uniquely important for flood-related manual actions. Site accessibility for staff augmentation
and replenishment of consumables should not be assumed in the evaluation of manual
actions. For example, a rapid-onset flooding event on the backshift could require the
establishment of temporary flood protection features or performance of manual actions
associated with mitigation with only minimal staff available. Roads may become impassible.
Severe weather conditions may impact the communications infrastructure causing
significant delays in calling out any additional laborers needed. Site inaccessibility issues
could also require sequestering personnel, which may create fitness-for-duty issues related
to fatigue if conditions for sleeping and eating are uncomfortable or additional stress results
from worry about personal property and family members.
The accessibility of locations at which actions must be performed is particularly important
when evaluating manual actions that must be performed after the onset of flood conditions
and throughout the duration of the flood event. The evaluation of accessibility requires the
consideration of the travel path required for manual actions given the location of the flood
waters and associated effects and how the flood might compromise such accessibility.
Other accessibility issues include obstructions (e.g., charged fire hoses) and locked doors.
In particular, the flood may cause electric security systems to fail locked. In this case,
personnel will need to obtain keys for access. Doors that are normally locked should also
be considered.
Inundation of an area and the equipment located there will create unique PSFs. Actions
that must be performed in inundated areas or requiring personnel or equipment or both to
travel through inundated areas, should be considered infeasible unless it can be shown that
elevated pathways or other means are available to enable movement through the inundated
areas and significant hazards to personnel (e.g., electrical hazards due to presence of
water, low temperatures) are not present.
Based on the considerations described above, the PSF for accessibility should be evaluated
using the following categorization scheme:
Nominal—The location(s) can be reached easily and conditions are such that the
action can be performed.
69
Degraded (inaccessible) —Conditions reduce the accessibility of the site or the
location at which the action is performed or one or more of the required actions is in
a location that the personnel will not be able to reach because of the flood.
C.3.1.13 Scenario-Specific PSFs
In addition to the PSFs listed above, performance of a manual action may be affected by
unique PSFs that are specific to the flood scenario in which the action is required. For
example, safety culture issues may have a larger influence in some scenarios.
Decisionmaking may be delayed if actions have high occupational safety, public health and
safety, or economic consequences. This is particularly important if roles and responsibilities
for these decisions have not been clearly defined in advance. On the other hand,
weaknesses in the licensee’s safety conscious work environment within some work groups
could prevent individuals from raising concerns or offering information about a planned
course of action that is necessary to ensure its success. Accessibility of locations,
equipment, resources, and personnel will vary among scenarios, and is an important
consideration. Scenario-specific PSFs should be added to the list of PSFs above and
evaluated, as appropriate.
C.3.2 Timing Analysis
Figure C1 provides a framework for conducting a timing analysis of a manual action to
evaluate whether the time available to perform the action is greater than the time required to
complete it. The figure comprises several elements to capture the various aspects of timing
during the period of time between when conditions exist that will require an action until the
time at which the action is no longer beneficial.
C.3.2.1 Timing Elements
The following terms are associated with each timing element:
T0 = start time, or the point in time in a flooding scenario or HFE narrative at which the
conditions exist that will require the human action (e.g., a weather forecast predicts
excessive precipitation, a dam failure occurs, a levee onsite is overtopped, leakage
develops)
Tdelay = time delay, or the duration of time it takes for the cue to become available that
the action will be necessary (assumes that action will not be taken in the absence of
a cue)
Tsw = the time window within which the action must be performed to achieve its
objective
Tavail = the time available for action = (Tsw - Tdelay)
Tcog = cognition time, consisting of detection, diagnosis, and decisionmaking
Texe = execution time including travel, collection of tools, donning of PPE, and
manipulation of relevant equipment
Treqd = time required, or the time required for an individual or crew to accomplish the
action = (Tcog + Texe)
C.3.2.2 Developing Timing Element Values
It is likely that some flooding scenarios that involve manual actions will not have been
analyzed previously. As a result, it will be necessary to develop values for these timing
elements based on the best available information.
70
The values used for Tsw, Tdelay and Tavail should be established based on evaluations
performed for other parts of the integrated assessment. Uncertainties in these values
should be documented and the basis for the values used to perform the timing analysis
should be justified.
Values for Treqd (Tcog + Texe) can be developed using several methods. Simulations of the
action in the field will provide the most reliable baseline timing estimates. Individuals who
would have to perform the action should perform the simulations and timing data should be
collected from repeated simulations involving different individuals or crews to assess
variability. Reasonable simulations performed under the flood walkdowns (See Section 9
for the definition of reasonable simulation) may also provide a useful source of information.
Prior experience with tasks or subtasks similar to the actions being evaluated may provide
valuable insights for developing estimates of the time required to perform an action. For
certain actions (e.g., actions performed in the MCR), information about manual actions may
be available from the plant-specific Individual Plant Examination (IPE) and Individual Plant
Examination of External Events (IPEEE), existing procedures, controlled system
descriptions, and training documents. Plants that have a Time-critical Action Program (a
configuration control program that validates and protects time-critical actions from
inadvertent changes) may use timing information from that program when it is relevant to
the scenario being evaluated. Timing data used from other analyses should be
supplemented with information about the similarities and differences between those actions
and the flooding manual action being evaluated.
Interviews with personnel who will perform the action can also be used to provide timing
estimates. Maintenance personnel, operators, trainers, and other knowledgeable plant staff
should be involved. Ideally, the licensee should interview those who would have to perform
the action (or set of actions). More than one expert should be involved to obtain more than
one opinion about the timing for the actions being examined in obtaining the estimate.
It may not be possible to collect actual baseline values for some actions because, for
example, it is not safe or reasonable to place equipment in the expected condition (e.g.,
partially inundated) or expose personnel to anticipated hazards. In these cases, it may be
possible to simulate the actions using mockups. Expert elicitation techniques may also be
used to estimate timing values, as described in Appendix B to NUREG-1852,
“Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to
Fire,” issued October 2007 (Ref.C1), or other available guidance for performing HRA (e.g.,
NUREG-1880, “ATHEANA User's Guide,” issued in 2007 (Ref. C10)).
Values for Treqd should be increased above performance times required under nominal
conditions to account for the impact of the perceived workload, time pressure and stress
PSF, if it is categorized as having a moderate adverse effect on performance but does not
meet the “degraded” criterion. The basis for the amount of time by which Treqd is increased
above performance time required under nominal conditions should be documented.
C.3.2.3 Account for Uncertainty and Human Performance Variability
Estimates of time available and time required should account for sources of uncertainty and
human performance variability. The estimates should be bounding values such that:
The estimated time available is the least amount of time available to perform the
action, considering uncertainties and human performance variability.
71
The time required is the greatest amount of time required to perform the action,
considering uncertainties and human performance variability.
The following sources of uncertainty are inherent in estimating the time available for an
action and the time required to complete it:
Variations may occur in the nature of the flooding scenario and related plant
conditions that were not specified in the scenario, but could affect the time estimates
(e.g., fast energetic flooding that fails equipment quickly versus slowly developing
flooding with few or no equipment failures for some time, or flooding in unanticipated
locations).
Factors that cannot be recreated in a simulation, or are not anticipated for an actual
flooding situation could cause further delay in performing the actions (i.e., where the
reasonable simulation may likely fall short of actual flooding situations), as in the
following examples:
–
–
–
–
Personnel may need to recover from or respond to unexpected difficulties,
such as problems with instruments or other equipment (e.g., locked doors, a
stiff hand wheel, or difficulty with communication devices).
Environmental and other effects might exist that are not included as part of
the simulation, such as:
radiation (e.g., the flood could reasonably damage equipment in a
way such that radiation exposure could be an issue at the location in
which the action needs to be taken, requiring personnel to don PPE,
which takes extra time, but which may not be included in the
demonstration)
effects of equipment inundation which are not likely to be actually
simulated
increased noise levels from the flooding itself, the operation of pumps,
and personnel shouting instructions
water in areas that may delay personnel movements
obstruction from charged hoses
too many people in one location provide obstacles to performance
Though all of the above may not actually be simulated, they should be
considered as possible (and perhaps even likely), when determining the time
it may take to perform a human action in a real situation.
The simulation might be limited in its ability to account for (or envelop) all
possible flooding locations where the actions are needed and for all the
different travel paths and distances to where the actions are to be
performed. A similar limitation is that the current location and activities of
needed plant personnel when the flooding occurs could delay their
participation in executing the human action. The intent of the evaluation is
not to address temporary or infrequent situations but to account for those
that are typical and may impact the timing of the action.
It may not be possible to execute relevant actions during the demonstration
because of normal plant status and safety considerations while at power
(e.g., personnel cannot actually operate the valve using the hand wheel, but
can only simulate doing so).
72
Typical and expected variability between individuals and crews may lead to
variations in personnel performance (i.e., human-centered factors), as in the
following examples:4
–
–
–
–
–
–
physical size and strength differences that may be important for the desired
action
cognitive differences (e.g., memory ability, cognitive style differences)
different emotional responses to flooding (e.g., fear of water, concern for
family and personal property)
different responses to wearing any PPE required
differences in individual sensitivities to “real-time” pressure
differences in team characteristics and dynamics
A tradeoff exists between the extent to which the feasibility assessment is realistic and the
amount of uncertainty to be accounted for in the estimate of time required to perform an
action. For instance, more realistic demonstrations of feasibility (e.g., systematic
walkthroughs while simulating flood conditions) translate to less uncertainty with regard to
justifying the time required to complete an action. Similarly, gathering information from a
larger number of simulations with additional personnel can increase the confidence that
estimated completion times bound expected variability in human performance.
C.3.2.4 Calculate Time Margin
The licensee should calculate the time margin available for the action using the values for
time available and time required that have been developed for the analysis. Time margin is
defined as the ratio of the difference between time available and time required (Tcog+Texe) to
the time required to perform the action and is calculated as follows:
Time Margin =
T
T
100%
T
OR, as expanded:
Time Margin =
T
T
T
T
T
T
100%
C.3.2.5 Determine Whether the Time Margin Supports a Conclusion that the Manual
Action is Feasible
For an action to be feasible, the time available must be greater than the time required when
using bounding values that account for estimation uncertainty and human performance
variability. This means that using the calculation under C.3.2.4, the margin must be a
positive percent value for an action to be deemed feasible.
C.4 Determine Whether the Action is Reliable
For an action to be deemed reliable, sufficient margin should exist between the time
available for the action and the time required to complete it. This margin should account for:
4
Given the likely experience and training of plant personnel performing the actions, it need not be
assumed that these characteristics would lead to major delays in completing the actions, but their
potential effects should be considered in the specific flood-related context of the actions being
performed, to confirm this assumption.
73
(1) limitations of the analysis (e.g., failure to identify factors that may delay or complicate
performance of the manual action); and (2) the potential for workload, time pressure and
stress conditions to create a non-negligible likelihood for errors in task completion. One
acceptable method for assessing the adequacy of the time margin is to establish that the
time margin is equal to or greater than the maximum recovery time for any single credible
human error. Event trees may be used to identify potential errors, error detection methods,
and error recovery paths for the purpose of determining the adequacy of the margin. A
simplified alternative criterion for determining if the margin is adequate to deem an action as
reliable is to establish that the margin is not less than 100%. Such a margin may be justified
when recovery from an error in performing the action could be accomplished by restarting
the task from the beginning. The basis for the specific time margin used in the analysis
should be justified and documented.
C.5 Adjustments
If the results of the feasibility and reliability evaluations indicate that a manual action cannot
be performed or cannot be performed reliably, it may be possible to modify the nature of the
task or aspects of the context in which it must be performed. Examples of adjustments
could include changing the anticipated pathway by which personnel will move to the location
at which the action must be performed, relocating equipment, adding resources stationed on
site, developing procedures and providing training on them, or predetermining decision
criteria and command and control authorities for actions with significant potential worker or
economic consequences. The integrated assessment should document planned
adjustments to ensure the feasibility and reliability of manual actions, as well as the basis
and justification for a conclusion that the adjustments will lead to acceptable human
performance.
C.6 Documentation
Documentation of the evaluation of human actions should include the following for each
action:
the HFE narrative (described in Section C.2 of this appendix).
a description of the sources of information used for the evaluation and justification of
their applicability to the action
a detailed description justifying the categorization of all PSFs as well as a summary
of the PSF evaluations, to be documented as shown in Table C1.
a detailed description of the timing analysis including the following:
– the calculated time margin for completing the action
– the values used for each timing element in Figure C1 and justification for the
values used
– a description of how uncertainties in the values used for the timing analysis
were addressed
– a description of the methods (e.g., simulation, talkthroughs, walkthroughs,
mockups, expert elicitation) used to develop and adjust the values for the
timing elements in Figure C1 for each action, including the qualifications and
experience levels of the subject matter experts involved in collecting or
estimating the timing information, and the number of times each action was
simulated to develop the timing estimates or the number of experts who
provided independent estimates
74
a detailed description of and justification for a conclusion that an action is feasible
despite the presence of any degraded PSF and the timing analysis that
demonstrates feasibility, if applicable.
a detailed justification for the determination of whether an action is reliable,
including:
– a description of how available time margin accounts for: (1) limitations of the
analysis; and (2) the potential for workload, time pressure and stress
conditions to create a non-negligible likelihood for errors in task completion
– the basis for the acceptability of the calculated margin
a detailed description and analysis of planned adjustments to assure the feasibility
and reliability of manual actions and the basis/justification for concluding the
adjustment(s) will be effective.
C.7 References
C1. U.S. Nuclear Regulatory Commission, "Demonstrating the Feasibility and Reliability of
Operator Manual Actions in Response to Fire," NUREG-1852, October 2007, ADAMS
Accession No. ML073020676.
C2. U.S. Nuclear Regulatory Commission, "EPRI/NRC-RES Fire Human Reliability Analysis
Guidelines," NUREG-1921, July 2012, ADAMS Accession No. ML12216A104.
C3. Electric Power Research Institute, "An Approach to the Analysis of Operator Actions in
Probabilistic Risk Assessment," TR-100259, Palo Alto, CA, 1992.
C4. Electric Power Research Institute, "Systematic Human Action Reliability Procedure
(SHARP) Enhancement Project: SHARP 1 Methodology Report," TR-101711, Palo Alto,
CA, 1992.
C5. U.S. Nuclear Regulatory Commission, "Human Factors Engineering Program Review
Model," NUREG-0711, Revision 2, February 2004.
C6. U.S. Nuclear Regulatory Commission, "Technical Basis and Implementation Guidelines
for A Technique for Human Event Analysis (ATHEANA)," NUREG-1624, Revision 1,
May 2000, ADAMS Accession No. ML003719212.
C7. U.S. Nuclear Regulatory Commission, "Standard Review Plan for the Review of Safety
Analysis Reports for Nuclear Power Plants: LWR Edition - Severe Accidents," NUREG0800, Section 19.0: Probabilistic Risk Assessment and Severe Accident Evaluation for
New Reactors, Revision 2, June 2007.
C8. U.S. Nuclear Regulatory Commission, "Human-System Interface Design Review
Guidelines," NUREG-0700, Revision 2, May 2002, ADAMS Accession No.
ML021700373.
C9. D. Echeverria, et al., "The Impact of Environmental Conditions of Human Performance,"
NUREG/CR-5680, September 1994, ADAMS Accession No. ML071210164.
C10. U.S. Nuclear Regulatory Commission, "ATHEANA User's Guide," NUREG-1880, June
2007, ADAMS Accession No. ML071770660.
75
C11. Swain, A.D., H.E. Guttmann, "Handbook of Human Reliability Analysis with Emphasis
on Nuclear Power Plant Applications," NUREG/CR-1278, August 1983, ADAMS
Accession No. ML071210299.
76
Table C1: Documentation of Performance Shaping Factors
PSFs
Cues and indications
Complexity
Special equipment
Human-system interfaces
Procedures
Training and experience
Workload, pressure, and stress
Environmental factors
(may require multiple entries)
Special fitness issues
Staffing
Communications
Accessibility
PSF categories
Applicable
category
Summary of
justification
Nominal
Degraded
Nominal
Degraded
Nominal
Degraded
Nominal
Degraded
Nominal
Degraded
Nominal
Degraded (low)
Nominal
Moderate
Degraded
Nominal
Degraded
Nominal
Degraded
Nominal
Degraded
Nominal
Degraded
Nominal
Degraded
Scenario-specific PSFs
added as appropriate
77
Figure C1: Framework for Conducting a Human Action Timing Analysis
78
APPENDIX D: Existing References and Resources
The goal of this appendix is to provide brief descriptions and discussions of existing
assessments of external flood risk at nuclear power plants. These references may provide
useful resources and insights for performance of certain aspects of the integrated
assessment. However, the references provided here are for information only and this
appendix does not necessarily endorse the specific approaches used in the external flood
risk studies referenced here and these references do not supersede the guidance contained
in this interim staff guidance.
D.1
Evaluations Performed under Task Action Plan A-45
The objectives of Task Action Plan (TAP) A-45 was initiated to evaluate the safety adequacy
of decay heat removal systems in existing light water reactor nuclear power plants and to
assess the value and impact of alternative measures for improving the overall reliability of
the decay heat removal function. Probabilistic risk assessment (PRA) and deterministic
evaluations were used to evaluate decay heat removal systems and support systems
required to achieve hot standby and cold shutdown. The program analyzed the following six
plants:
Arkansas Nuclear One-1 (Ref. D1)
Point Beach (Ref. D2)
Quad Cities (Ref. D3)
St. Lucie (Ref. D4)
Turkey Point (Ref. C5)
Cooper (Ref. D6)
It was beyond the scope of TAP A-45 to perform an in-depth PRA. The objective was to
conduct an analysis that quantified the significant threats to the plant. The authors indicate
that the analysis performed “embodies the basic philosophy of a full scope probabilistic risk
assessment.” As such, in many cases, the scope of the TAP A-45 evaluations may be more
limited than the evaluations required by the integrated assessment and TAP A-45 did not
consider all facets pertaining to the integrated assessment.
To evaluate the frequency of plant damage due to external flooding, the following five tasks
were performed:
plant familiarization
hazard analysis
fragility analysis
systems analysis
risk quantification
There are necessary differences in the specific methodologies and techniques used to
evaluate external flood risk at each site. The summary provided in this appendix is intended
to provide a general overview of what was done at the sites and not all parts may be
explicitly used at a given site.
The purpose of plant familiarization (Step 1) was to gather information on the occurrence of
external hazards and the vulnerability of plant structures and equipment to flooding (e.g.,
plant location and flood hazard, plant design basis, and vulnerable structures and
equipment). The hazard analysis (Step 2) was performed in two steps: (1) screening; and
79
(2) evaluation the frequency of occurrence. Because of the differences in flood hazard at
each site, TAP A-45 used site-specific approaches to assessing flood hazard. Fragility
analysis (Step 3) was performed for structures and equipment vulnerable to the effects of
external flooding. A conservative approach was used in developing capacities of structures
and equipment to resist external flood loads. An approach was used that is similar to that
used in seismic applications. Fragility functions were typically computed with respect to
hydrostatic loads and did not consider both flood height and associated effects, as required
under the integrated assessment. Systems analysis (Step 4) involved evaluation of
response of the plant to safety system failures. The systems analysis describes the
component and system failures resulting from external flooding and associated effect on
plant functions. Simple functional event trees were used to model the plant response to
external flooding. Risk was quantified (Step 5) by determining core melt probability using
system failure information and the functional event tree developed under step 4. The core
melt frequency is determined by consideration of flood frequency and conditional core melt
probability given an external flood event.
D.2
NUREG/CR-5042, Evaluation of External Hazards to Nuclear Power Plant in
the United States
NUREG/CR-5042, "Evaluation of External Hazards to Nuclear Power Plants in the United
States," December 1987 (Ref. D7) investigates the effect of external hazards on nuclear
power plants in the United States. The objective of the work was to understand whether
external initiators (internal fires, high winds and tornados, external flood and transportation
accidents) are among the major potential accident initiators. NUREG/CR-5042 documents
a review and evaluation of what was known (at the time) about the risk of core-damage
accidents and potential for large radiological release as a result of external floods. The
report uses two figures of merit as evaluation criteria: (1) mean core damage frequency less
than 1 10-5, and (2) frequency of large early release less than 1 10-6. NUREG/CR-5042
provides a review of U.S. Nuclear Regulatory Commission’s regulatory approach, the
general design criteria found in Appendix A, “General Design Criteria for Nuclear Power
Plants,” to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, “Domestic
Licensing of Production and Utilization Facilities”; Appendix A, “Evaluation Factors for
Stationary Power Reactor Site Applications Before January 10, 1997 and for Testing
Reactors,” to 10 CFR Part 100, “Reactor Site Criteria”; NUREG-0800, “Standard Review
Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR [light-water
reactor] Edition,, regulatory guides, papers and reports, selected plant specific documents,
and PRA literature on flooding a nuclear power plants. Reviewed literature includes the
following sources:
Indian Point probabilistic safety study, 1983
probabilistic risk assessment, Limerick Generating Station, 1981
severe accident risk assessment, Limerick Generating Station, 1983
Millstone Unit 2 probabilistic safety study, 1983
Probabilistic risk assessment of Oconee Unit 3, 1984
Zion probabilistic safety study, 1982
studies performed under TAP A-45, 1987 (see Section D.1)
NUREG/CR-5042 summarizes the above references and offers conclusions based on
available literature. The report also describes a proposed approach for plant evaluation of
external flood risk. The approach involves evaluation of the frequency of large flood events
and contingent likelihood of an accident scenario given a large flood. Bounding analysis is
80
suggested as a mean to easily demonstrate that the figures of merit are met. If a
probabilistic bounding assessment cannot demonstrate that risk is acceptably low (i.e.,
figures of merit are met) then a more extensive plant response analysis is required (e.g.,
through a full-scope PRA).
D.3
Individual Plant Examination of External Events Program
External flooding was evaluated under the Individual Plant Examination of External Events
(IPEEE) Program. NUREG-1742, “Perspectives Gained from the Individual Plant
Examination of External Events (IPEEE) Program,” April 2002 (Ref. D8) documents the
perspectives gained as a result of the review of the IPEEE submittals. The report observes
that under the IPEEE program, 12 submittals reported the contribution of core damage
frequency from external flooding. Typically, submittals treated external flooding as leading to
a loss of offsite power (typically assumed unrecoverable) with additional random failures
that could lead to core damage. Some submittals considered additional flood-induced
damage (e.g., loss of intake structure, failures of diesel fuel oil transfer pumps, as well as
failures of safety-related equipment in the diesel generator, auxiliary, and turbine buildings).
The majority of sites used a qualitative screening rather than a PRA to evaluate external
flooding under the IPEEE program (Ref. D8).
D.4
References
D1. W.R. Cramond, et al., "Shutdown Decay Heat Removal Analysis of a Babcock and
Wilcox Pressurized Water Reactor," NUREG/CR-4713, March 1987.
D2. W. R. Cramond, et al., "Shutdown Decay Heat Removal Analysis of a Westinghouse 2Loop Pressurized Water Reactor," NUREG/CR-4458, March 1987.
D3. S.W. Hatch, et al., "Shutdown Decay Heat Removal Analysis of a General Electric
BWR3/Mark I," NUREG/CR-4448, March 1987.
D4. W.R. Cramond, et al., "Shutdown Decay Heat Removal Analysis of a Combustion
Engineering 2-Loop Pressurized Water Reactor," NUREG/CR-4710, August 1987.
D5. G.A. Sanders, et al., "Shutdown Decay Heat Removal Analysis of a Westinghouse 3Loop Pressurized Water Reactor," NUREG/CR-4762, March 1987.
D6. S.W. Hatch, et al., "Shutdown Decay Heat Removal Analysis of a General Electric
BWR4/Mark I," NUREG/CR-4767, July 1987.
D7. Kimura, C.Y., R.J. Budnitz, "Evaluation of External Hazards to Nuclear Power Plants in
the United States," NUREG/CR-5042, December 1987.
D8. U.S. Nuclear Regulatory Commission. "Perspectives Gained From the Individual Plant
Examination of External Events (IPEEE) Program," NUREG-1742, April 2002, ADAMS
Accession No. ML021270132.
81
File Type | application/pdf |
File Modified | 0000-00-00 |
File Created | 0000-00-00 |