NUREG-1093

AG, 15

Reliability and Risk Analysis

Methods Research Plan

Manuscript Completed: September 1984

Date Published: October 1984

Division of Risk Analysis and Operations

Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
 Foreword

This document presents a plan for reliability and risk analysis methods research
to be performed mainly by the Reactor Risk Branch (RRB), Division of Risk Anal-
ysis and Operations (DRAO), Office of Nuclear Regulatory Research. It includes
those activities of other DRAO branches which are very closely related to those
of the RRB. However, related or interfacing programs of other divisions,
offices and organizations are merely indicated; the reader is referred to
planning documents for those programs for further information.

This document was written to serve three purposes. Its primary use was envi-
sioned as an internal NRC working document, covering about a 3-year period,
to foster better coordination in reliability and risk analysis methods develop-
ment between the offices of Nuclear Regulatory Research and Nuclear Reactor
Regulation. As it took shape, its potential value as an information source
and planning base for contractors began to manifest itself as a second purpose.
It is therefore hoped that NRC staff and contractors alike will benefit from
these more clearly delineated objectives, needs, programmatic activities, and
interfaces together with the overall logical structure within which these exist.
The plan is intended for periodic update and issuance. Following each issue
by approximately six months will be a report describing activities and evalu-
ating progress toward fulfilling needs and attaining objectives.

Publication of this plan will fulfill a third purpose in making visible to

industry and interested individuals what our objectives are and how we are
proceeding in this important area. Comments on this document are welcomed
from all quarters. Comments should not be restricted to activities planned
for the 3-year period covered; welcome also are comments concerning omissions
or what might be considered for the longer term. Please address comments
directly to me.

wAz4A41 gMArkek'.4
Dr. Gary R., Burdick, Chief
Reactor Risk Branch
Division of Risk Analysis and
Operations
Office of Nuclear Regulatory Research

Approved: QS:Xiglag
Frank P. Gillespie, Director
Division of Risk Analysis
and Operations
Office of Nuclear Regulatory
Research
 TABLE OF CONTENTS

Page

1.0 Introduction 1
2.0 Overview of Reliability and Risk Methods Research 3
3.0 Risk Analysis Research Needs (Issue 2) 6

3.1 Plant Systems Analysis 6

3.2 External Event Analysis 11
3.3 Human Reliability Analysis 14
3.4 Data Collection and Analysis 15
3.5 Containment Analysis 16
3.6 Consequence Analysis 18
3.7 Integration of Analysis 20
3.8 Risk Analysis Research Needs Summary 22

4.0 Research Needs for Risk Reduction (Issue 3) 23

4.1 Option Identification and Preliminary Screening 23

4.2 Detailed Option Evaluation 26
4.3 Cost-Benefit Assessment 27

5.0 Research Needs for Maintaining an Acceptable Risk Level

(Issue 4) 29

5.1 Reliability Program Research 31

5.2 Technical Specifications Program 32
5.3 Inspection Effectiveness 34
5.4 Risk Limitation Effectiveness of Regulations Program 34

6.0 Research Plan 36

6.1 Introduction 36
6.2 Research Plan for Risk Assessment Methods 36
6.3 Research Plan for Risk Reduction 69
6.4 Research Plan for Maintaining an Acceptable Risk Level 77
6.5 Implementation Schedule 82
6.6 Future Research 89
6.7 Program Prioritization 90
 TABLE OF CONTENTS (Continued)

LIST OF TABLES

Page

3-1 External Event Research Priorities 13

6-1 Research Programs and Needs 39

6-2 RMIEP Task Deliverables 42
6-3 Deliverables in chronological order 83
6-4 Criteria Definitions 91
6-5 Attributes Determining Program Efficacy 92

iv
 TABLE OF CONTENTS (Continued)

LIST OF FIGURES

Page

2-1 Basic Structure of Risk Analysis Research 5

3-1 Breakdown of Elements of PRA Covered in Research Plan 7

3-2 Plant Systems Analysis 8
3-3 Breakdown of Major External Events 12
3-4 Major Elements of Containment Analysis 17
3-5 Elements of Consequence Analysis 19

4-1 Elements of Risk Reduction Research 24

5-1 Elements of Risk Maintenance Research 30

6-1 Research Program Plan 37

 Division of Risk Analysis and Operations

Reliability and Risk Analysis Methods Research Plan

1.0 Introduction

In recent years, applications of probabilistic risk analysis (PRA) to

nuclear power plants have experienced increasing but cautious acceptance and
use, particularly in addressing regulatory issues. This usage has spanned a
broad range of applications including regulatory priorities, resolving generic
issues, evaluating proposed regulation changes, judging plant safety, and
identifying outlier plant characteristics. Current trends such as the safety
goal evaluation, preparation of guidance for industry use in PRA, and the
staff recommendation for a safety assurance program at the Indian Point plant
foreshadow the potential for and even greater usage of PRA and its methods and
insights within the regulatory process.

Significant strides have been made in PRA methods since the Reactor
Safety Study (RSS) laid the foundation for the PRA activity that followed.
These include a more detailed breakdown of initiating events and better data
on their probability of occurrence. Event tree analysis has become more
proceduralized as well as more detailed. Fault tree methods have been better
delineated. Human reliability methods have been better developed and a hand-
book promulgated. Improved computer programs allow quantification of accident
sequences more efficiently and accurately. Much more experimental evidence
and improved codes now exist for core melt phenomenology and containment
response. Improved codes also exist for offsite consequence analysis.

Under the auspices of the Institute of Electrical and Electronic Engineers

(IEEE) and American Nuclear Society (ANS), wide peer review has been given to
the methods now being used in risk analysis, and widely accepted methods were
selected and published in the PRA Procedures Guide (NUREG/CR-2300). Prescrip-
tive procedures have been developed and tested for the PRA analysis of plant
systems and are delineated in the IREP Procedures Guide (NUREG/CR-2728).

Recently the NRC published a document that describes the current status
of PRA as practiced in the nuclear regulatory process. The document is titled
Probabilistic Risk Assessment (PRA) Reference Document (NUREG-1050, August 1984).
The document reviews the PRA studies that have been completed or are underway,
discusses the levels of maturity of the methodologies used in a PRA and the
associated uncertainties, lists the insights derived from PRAs, discusses the
potential uses of PRA results for regulatory purposes, and highlights areas
where research could improve the utility of PRA information in regulation.

Although progress in the area of PRA development has been notable, the
increasingly broader use of PRA within the regulatory arena has highlighted
the fact that there exists the need for continued improvement in PRA and the
data base. This plan delineates those needs, describes efforts underway
within the Division of Risk Analysis and Operations (DRAO) to fulfill them,

1
and discusses the relationship of these programs with programs elsewhere within
the NRC, other government agencies, and the nuclear industry. The plan is
restricted to the DRAO programs that are directed toward: (1) risk and reli-
ability methodology development and data base; (2) the application of these
techniques to the assessment of reliability and risk of nuclear power plants
and the need for risk reduction; (3) the application of this methodology to
assure that reliability and risk are maintained at acceptably low levels for
nuclear power plants; and (4) regulatory support for the resolution of and
decisionmaking process for current reactor safety issues.

Thus, this plan is intended to meet the following objectives:

1. Identify fundamental agency regulatory needs associated with the

assessment of the reliability and risk from nuclear power plants.

2. Develop a top down logic structure from regulatory needs to subordi-

nate problem areas and needs.

3. Identify ongoing and planned research programs designed to fulfill

identified needs.

4. Provide a framework within which PRA research can be prioritized.

This is the first issuance of this document. Substantial effort has been
expended to identify areas of regulatory need for research and to describe on-
going and planned DRAO research programs to resolve those needs. However, the
timeframe basically is only through 1987. In the first revision to this docu-
ment, Section 6.6 (Future Research) will be expanded to provide a more explicit
discussion of research programs beyond 1987.

Toward this end, it is anticipated that formal and informal comments

received on this document will not only help to improve this document and
better focus research in the near term, but they will also help formulate a
responsible program for the longer term.

Section 2.0 provides an overview of the PRA research underway and planned
within the Division of Risk Analysis and Operations. The "needs" being
addressed by the research are delineated in Section 3.0 (PRA needs), Sec-
tion 4.0 (risk reduction needs), and Section 5.0 (needs for maintaining an
acceptable level of safety). The research plan addressing these needs is
described in Section 6.0.

2
2.0 Overview of Reliability and Risk Methods Research

There are four fundamental questions facing the NRC:

(1) What constitutes acceptable risk from nuclear power plants?

(2) What is the risk from nuclear power plants?

(3) How could that risk be reduced, if necessary?

(4) How can an acceptable level of risk be maintained over the lifetime
of the plant?

The first question is addressed in the Commission's safety goal initiative

(NUREG- 0880, Revision 1). The set of quantitative safety goal criteria are
currently being evaluated for potential use in the regulatory process. How
"acceptable" risk is defined and how that definition is used in the regulatory
process is dependent, in part, on the capabilities of PRA in different appli-
cations.

The Division of Risk Analysis and Operations is supporting the Commission

in the evaluation of the safety goal. The activities of DRA include conducting
sensitivity studies, preparation of a PRA reference document (NUREG-1050),
performing trial regulatory analyses using ATWS and the hydrogen rule, and
evaluating the use of the safety goal and PRA methods in research prioriti-
zation. Alternate formulations of the safety goal are also being evaluated.
These efforts are being done mainly by the staff with some short term help
from contractors. The majority of the work will be finished by early 1985.
Therefore, this plan describes research related to questions (2), (3), and
(4).

PRA is a necessary tool in answering the second question, whether that

question is answered via plant specific PRAs or on a generic basis via programs
such as the Severe Accident Research Program (SARP) (NUREG-0900).

When reduction in risk is found appropriate (question 3), PRA becomes a

vital tool in the risk reduction evaluation to measure the level of reduction
achieved and as part of the value/impact considerations.

In maintaining an acceptable level of risk (question 4), PRA is an impor-

tant tool facilitating the appropriate allocation of resources to risk impor-
tant systems and activities, and measuring the effect of the risk maintenance
program. Resources being allocated could be those of a licensee as well as
those of the NRC.

Thus, PRA is a vital tool in addressing quantitatively all of these four

fundamental questions. The ability of the NRC to address these questions is
directly dependent upon the ability of the NRC to use PRA techniques and, of
course, the acceptability and practicality of the PRA techniques themselves.
This Research Plan has the overall objective of improving the NRC capability
to utilize PRA in a credible manner. This capability of NRC to use PRA in the
regulatory process depends upon several factors. Among these are:

3
 (1) the acceptability and practicality of PRA methods in addressing
plant specific and generic issues

(2) the acceptability and practicality of methods for using PRA in

evaluation of the appropriateness of risk reduction optionc

(3) the acceptability and practicality of Methods for assuring that an

acceptable level of risk is maintained throughout the life of the
plant.

As illustrated in Figure 2-1, the DRAO PRA program plan is structured

around this framework.

Both acceptability and practicality are necessary attributes. Encompassed

in the term acceptability implies methods that allow analysis to be done that
is sufficiently broad in scope to treat issues relevant to a regulatory decision
and that the treatment of the issues will be judged appropriate by the relevant
technical and policy-making community. The attribute of practicality implies
that the resources required to perform the analysis, and the time required,
are compatible with the regulatory process in which the analysis is being
done.

There are additional research needs required to address questions 3 and 4.

In fact, the Severe Accident Research Program (SARP) is underway in response
to question 3. Research programs in response to question 4 are also underway.
Some of the research needs and activities discussed herein are the responsibil-
ity of organizations other than DRAO. They are identified herein for purposes
of discussing the appropriate interfaces.

4
 Risk
Analysis
Research

Develop Methods I Develop Methods I Develop Methods

for Plant for for Maintaining
Risk Analysis I Risk Reduction I Plant Safety Level

Figure 2-1 Basic Structure of Risk Analysis Research

3.0 Risk Analysis Research Needs

This section delineates the research needs for PRA. It is structured using
the analysis breakdown reflected in Figure 3-1. This breakdown reflects the
major parts of a PRA. Each is explained briefly below.

Plant Systems Analysis - This encompasses that part of the PRA that
addresses the engineered systems from both the viewpoint of initiating accident
sequences and their reliability in responding to initiating events. This
includes both so-called independent failure and common-cause failures stemming
from commonalities between components or systems.

External Event Analysis - This encompasses that part of the PRA which
assesses the likelihood of occurrence of so-called external events (e.g., fire,
seismic disturbance, flood), and the phenomenology necessary to determine the
hazard presented to the components identified in the systems analysis.

Human Reliability Analysis - This encompasses that part of the PRA analysis
which assesses the reliability of the human in light of their potential impact
on the systems analysis. This includes human errors causing initiating events,
human errors which occur during test and maintenance, and those made in respond-
ing to the accident initiators.

Data Collection and Analysis - This encompasses the collection and treat-
ment of both generic and plant specific component, system, and common-cause
data.

Containment Analysis - This encompasses the analysis of the core melt

phenomenology leading to potential containment failure and the performance of
the containment and containment systems under accident conditions, and the
release of radioactive material to the atmosphere.

Offsite Consequence Analysis - This analysis encompasses the atmospheric

and ground water dispersion of radioactive material, the evacuation of the
nearby population, and the estimated cost and health effects of the accident.

Analysis Integration - This encompasses the interfacing and integration

of the above tasks, uncertainty and sensitivity analysis, display of final
results, and the placing in perspective of the PRA results. Within the PRA
research plan, this task also encompasses trial uses and demonstration in an
integrated PRA of the methods developed in the other parts of the research
plan.

This section covers the research needs for the PRA per se and is divided
into the elements identified in Figure 3-1; plant systems, external events,
human reliability, data collection and analysis, containment analysis, offsite
consequences and integration.

3.1 Plant Systems Analysis

Plant systems analysis as used herein encompasses those tasks which center
on evaluation of the plant engineered safety systems and necessary support
systems. Figure 3-2 provides a breakdown of this part of the PRA. It is

6
 2.)
Ts.= "w iZ
c >.
V us ctc
convenient to consider the analysis as having four basic parts; plant familiar-
ization, accident sequence delineation, plant systems modeling, and accident
sequence analysis. Each is discussed below.

3.1.1 Plant Familiarization - This task encompasses the steps required

to develop a familiarity with the plant and available information. This
includes preliminary identification of initiating events, functions to be
performed to mitigate each initiating event, plant systems required to perform
these functions (front line systems), identification of systems supporting the
front line systems, developing success/failure criteria for each front line
system, grouping the initiating events into classes according to common respond-
ing system, and success/failure criteria.

These steps are commonly used in PRA. Methods for applying them are
delineated in published procedures guides. There are, however, areas where
research needs exist to make our current PRA capability more acceptable and
practical to use; this is in the area of system success/failure definition
and common-cause initiating events.

Success/Failure Criteria: Past PRAs have drawn from FSAR and other
readily available sources to provide thermal-hydraulic response to accident
conditions which are necessary to define the success/failure criteria for the
systems intended to mitigate an initiating event. The FSARs and other non-PRA
thermal-hydraulic modeling are often done by different organizations using
different assumptions, which gives rise to inconsistencies in PRA analysis.
Thermal-hydraulic modeling is going on within NRC and the nuclear industry on
many fronts. There is not a current effort, however, which will lead directly
to the delineation of the scope and characteristics of the thermal-hydraulic
modeling which should accompany PRA systems analysis. Thus, one PRA need can
be defined as:

(1) A delineation and demonstration of the scope and characteristics of

the thermal-hydraulic modeling for defining success/failure criteria
of mitigating systems in PRAs to be used in the regulatory process.

Special Initiating Events: (Common Cause Initiating Events) The Interim

Reliability Evaluation Program (IREP) identified the importance of initiating
events which both cause reactor trip and simultaneously degrade the reliabil-
ity of mitigating systems. However, the method used was limited to the treat-
ment of single failures which could cause such initiating events. Multiple
failure initiating events of this type may be important to risk and have not
been fully modeled in past PRAs. This PRA need is:

(2) An integrated, evaluated, and demonstrated method for finding multiple

failure initiating events which both cause reactor scram and degrade
the reliability of mitigating systems.

3.1.2 Accident Sequence Delineation - Accident sequences to be analyzed

in a PRA are delineated in the form of event trees constructed for each initiating
event group. Typically, both functional and system event trees are constructed.
The event tree structure reflects functional and system interrelationships and
aspects of accident phenomenology which would affect core conditions, system
operation, and/or accident consequences. Methods for constructing event trees

9
are published in existing procedures guides. The thermal hydraulic modeling
needs described in Section 3.1.1 (Plant Familiarization) are directly applicable
to accident sequence delineation. No additional research needs have been
identified to support accident delineation (i.e., event tree construction).

3.1.3 Plant System Modeling: To perform a PRA, those systems identified

in the accident sequence delineation tasks as front line systems and support
systems must be analyzed to estimate their unavailability and the principal
contributors to this unavailability must be identified. Although this is a
form of reliability analysis and has been practiced using different techniques
for years, fault tree analysis has been found to be the method of choice in
LWR PRAs. Although conceptually simple, difficulties arise in fault tree
analysis in assuring consistency among analysts and in assuring the size of
the trees do not overwhelm the qualitative and quantitative analysis codes
developed for use in PRAs. Modular logic models and similar techniques have
been used to enhance consistency in fault tree modeling. The IREP Procedures
Guide delineated modeling guidelines to limit modeling detail at the appropriate
level. The modular logic models used in IREP are not developed to handle
external event analysis and all common-cause potentials. Past PRAs have used
separate models for external events and internal event initiators; as a result,
questions have been raised about the level of consistency between the two.
Thus, a PRA need is:

(3) Development of proceduralized, integrated plant system modeling

techniques which are applicable to internal event, external event,
and common cause analyses.

This modeling technique should be computer-aided to achieve efficiency,

include a consistent naming scheme for components, systems, etc., should
include criteria for limiting the resolution of modeling, resolving modeling
feedback loops, and should include standardized component failure definitions.

Control system failures which may lead to a continuum of failure states

have not been modeled in a consistent manner in past PRAs. Fault tree anal-
ysis is a binary modeling technique, and this limitation could be important
in control system modeling. Control system failures can be important to risk.
For this reason, another PRA research need:

(4) To develop and integrate into a PRA a method for evaluating control
system failures.

Accident Sequence Analysis: Accident Sequence Analysis encompasses that

part of the analysis in which the event trees, data base, and fault trees are
integrated to calculate sequence frequencies and to identify those combinations
of events which contribute most to the accident sequence probabilities. For
purpose of this discussion, the accident sequence analysis has been broken down
into three steps (see Figure 3-2); cut set development, common-cause delinea-
tion, and sequence quantification. Cut set development encompasses the steps
(usually computerized) for combining the fault trees and event trees to deter-
mine sequence cut sets. The common-cause analysis identifies commonalities
between elements of the cut sets, and the sequence quantification step uses
component failure estimates and common-cause frequency estimates to determine
accident sequence frequencies.

10
 Because of the complexities of the above steps and the large size of the
models involved, this represents a stumbling block in most PRAs. Furthermore,
a complete common-cause analysis has never been done in a PRA. Thus, several
research needs exist in this area. In general, they can be grouped into one
generic need:

(5) To develop an integrated software package which will perform the

accident sequence analysis for the range of initiators (external and
internal) and be capable of handling the range of potential common-
cause events.

This research need would be fulfilled by interfacing existing codes on

cut set development, common-cause analysis and external event hazard develop -
ment. It would include guidelines for preparation of the logic models for
computer input, investigation and development of better pruning techniques,
and inclusion of models for time-dependent failures.

3.2 External Event Analysis

Accident initiators such as seismic events and in-plant and ex-plant

fires and floods are among a special set of initiators referred to as "exter-
nal events." Figure 3-3 displays the types of initiators within the scope of
external events. Generally, these initiators have been excluded from inten-
sive study in past PRAs because the modeling data required for their analyses
were insufficiently developed, their hazard (frequency of exceeding certain
levels) were very uncertain, or it was judged that the contribution to risk of
the events was low. At present, however, methods for treating earthquake, and
fire, have been developed or are being developed to a point that will allow
significantly improved risk assessments for these external events. Table 3-1
shows the external events in their priority research classes. Class 1 events
will be included in DRAO PRA research activities. Class 2 events are provi-
sional depending on work by other RES divisions, while Class 3 events will not
be studied as part of the current PRA research activities due to low priority
and funding limitations. The research needs are summarized below.

3.2.1 Earthquakes: The Seismic Safety Margin Research Program (SSMRP)

has developed methods, codes, and data for probabilistic assessment of earth-
quake risk of a PWR. Additional work in FY 1984 will provide similar capa-
bilities for assessing a BWR. The activities are reflected in the seismic
research plan. These methods have not been folded into a PRA, which includes
internal events and other common-cause and external events. Further seismic
risk methodological development is needed to better assess dependent failures,
including structural collapse and instrumentation and control faults. Thus, a
research need is:

(6) Development, integration, testing and demonstration of the seismic

PRA methodology in a PRA which includes internal events, other
external events, and other common-causes.

11
 Table 3-1 External event research priorities

Priority Class

1. External Events Requiring PRA Treatment

Earthquake
Fire (Internal)
Flood

2. External Events Requiring Further Mechanistic Research

Lightning
Hazardous Materials (Corrosion)

3. External Events Having Low Risk by Virtue of Licensing Process

Wind*
Fire (External)
Hazardous Materials (except Corrosion)
Miscellaneous Hazards (Turbine Missiles, Aircraft)

Further investigation into the risk contribution of metal frame buildings

that are subject to failure under extreme wind may be warranted.

3.2.2 Fire: The development of improved methods for fire risk analysis
and upgrading of the supporting data bases will be performed as part of the
DRAO Fire Risk Analysis (FIRA) Program. Improved methods will be developed
for (a) selecting critical plant areas to be analyzed, (b) describing the fire
hazard in the environment of selected components, and (c) analyzing fire detec-
tion and suppression effects on the fire environment and selected components.
Data base enhancements include (a) updating existing fire frequency data,
(b) developing a data base for transient fuel sources, and (c) improving the
data base for fire detection and suppression. In a related fire protection
research program, fire environment component failure data is being obtained.
The improved methods and data have not been applied as part of a PRA. Thus a
research need is:

(7) Integration, test, and demonstration of improved fire PRA techniques

in a PRA which includes internal events, other external events, and
other common-causes.

3.2.3 Wind: Risk from wind, in general, falls under two broad categories;
hurricane and tornadoes. Tornadoes are judged to represent low risk by virtue
of the licensing process and thus falls in Priority Class 3. Hurricanes are
important to plants sited within 100 miles of the Gulf or east coast and where

13
safety systems are not protected by seismic category buildings. Some research
at some future date may be desirable for addressing plants with metal buildings
protecting systems important to safety. The contribution to risk from wind
will be evaluated for the LaSalle Nuclear Power Station in RMIEP (see 6.2.1).
However, no substantial research activities are planned for wind risk.

3.2.4 Flood: Flood risk stems from two sources; external flooding
(e.g., rivers), or internal flooding (e.g., failed piping, overflowing accumu-
lators). Internal flooding has been found important in the Oconee PRA. The
appropriate methods for assessing floods and folding them into a PRA have not
been fully investigated. Thus, one research need is:

(8) To develop improved methods for assessing risk from internal floods.

External flood differs in principle from internal floods in the nature of

what causes them. External flood frequency estimation is not a systems analysis
task, but must be done statistically from historical data and hydrological
modeling. Such statistical methods, suitable for use in PRA have not been
developed. Thus a second flooding need is:

(9) To assess available methods and, if necessary, develop statistical

techniques suitable for use in PRA for estimating extreme floods.

3.2.5. Lightning: No research is currently planned. Future efforts are

possible if new information changes priorities.

3.2.6 Hazardous Materials: The need for further research in this area
is being evaluated as this document goes to print.

3.2.7 Miscellaneous Hazards: No PRA research is currently planned. The

areas of turbine missiles and aircraft impact appear to be sufficiently covered
by current licensing practice.

3.3 Human Reliability Analysis

Human Reliability Analysis (HRA) encompasses identification of potential

human errors associated with failure to restore equipment to operability
following test and maintenance activities and in response to accident situa-
tions. Human reliability analysis continues to be an area of minimal data,
large uncertainties and major controversy. Several areas of research needs
have been identified. A human factors program plan (NUREG-0985) has been
developed which includes human reliability research needs and programs.
Specific research needs are described below.

Current PRAs do not treat explicitly human errors stemming from misdiag-
nosis of the accident. Such misdiagnosis played an important role in the TMI
accident. These errors may stem from several factors such as instrumentation
failures or plant accident conditions exceeding instrumentation limits or
operator training limits. Diagnostic errors of this type have the potential
for being important to risk, but have not yet been treated explicitly in a
PRA. Thus, a research need is:

14
 (10) An integrated, evaluated, and demonstrated PRA methodology for
evaluating diagnostic errors stemming from plant accident conditions
exceeding instrumentation limits or operator training limits or
stemming from instrumentation failures.

Current human reliability analysis needs improvement in several other

areas to improve both acceptability and practicality. Several specific research
needs have been identified. Programs are already underway to: develop computer-
ized simulation models for maintenance tasks, acquire and apply an improved
human error data base, and improve methods for integrating the HRA techniques
into PRAs. These programs reflect current research needs in HRA. Additional
HRA research needs thus are:

(11) Computerized simulation modeling of selected operations and mainte-

nance tasks in nuclear power plants.

(12) Methods for acquiring and storing human error probability data com-
puter simulation sources; and HRA techniques focusing on cognitive,
performance shaping and interdependent aspects of human behavior for
use in PRAs.

(13) Improved methods for integrating HRA techniques into PRA and methods
for systematically applying HRA/PRA results to resolve human factors
related issues of immediate and potential concern to the NRC and
industry.

(14) Investigation of the practicality, acceptability, and usefulness of

a voluntary, anonymous, non-punitive, third party managed human
error Nuclear Power Safety Reporting System to acquire human error
information.

Recovery actions by plant personnel are discussed in Section 3.6.2.

3.4 Data Collection and Analysis

Data collection and analysis encompasses development of a data base for

quantifying faults appearing in the fault trees of a PRA. This may take the
form of generic data reflecting industry-wide data spreads or it may take the
form of plant specific data developed from plant logs or other plant data
sources. The data may reflect single component failure rates, common-cause
coupling frequencies, or precursor information. These data may also reflect
normal operating environments (design bases) or harsh environments. The
current data base used in IREP is the RSS data base with only modest changes.
This data base is now outdated. Thus, one need is:

(15) To establish a complete and detailed updated data base for faults
important to PRA and for root causes contributing to those faults.

Current PRAs have not adequately included all multiple failures which are
reported in the LERs. This stems from the lack of a compilation of these
multiple failures (called precursors). Thus, another research need is:

15
 (16) To survey and analyze LWR LERs for identifying multiple failures
(precursors) and, based on the results, to estimate the frequency of
different types of precursor for use in PRA.

The generic data base being used on most current PRAs reflects failure
rates of components under design bases conditions. Some components may be
called upon during core melt accidents to operate under environmental condi-
tions beyond their design bases under which case failure rates might be larger.
This implies our current PRAs may be underestimating some component failure
probabilities. No failure data base exists covering LWR components subjected
to these harsh environments. Also, past PRAs have been difficult to interpret
and use by owners and regulators alike. One reason for this difficulty seems
to be that the studies were not carried beyond the component failure modes to
an analysis of root causes for those failure modes. With root cause information
included, owners could use PRAs effectively in their reliability programs.
Inspectors might also find PRAs useful in allocation of limited inspection
resources. Thus, one research need is:

(17) To develop a failure data base for components subjected to harsh

environments (beyond design bases) and other root causes for component
failure modes.

3.5 Containment Analysis

Containment analysis as used herein encompasses that part of the PRA

which predicts the progression of core melt accidents and associated physical
processes and the radionuclide releases to the environment. This section has
been divided into thermal-hydraulic effects, containment structural response
and fission product transport as shown in Figure 3-4. Containment analysis
has progressed significantly since the RSS. However, major uncertainties
continue to exist which have a significant affect on risk predictions. Improved
tools, models, and data are needed (partially to reduce uncertainties) to
develop an integrated capability to perform sensitivity and uncertainty analysis,
and to exercise those tools and capabilities to identify dominant contributor
to both risk and uncertainty and to assist setting research priorities for
further research in phenomenological areas.

3.5.1 Thermal-Hydraulic Effects - The principal research needs of

in-containment thermal-hydraulic analysis relate to identifying and reducing
important uncertainties. The present computer codes used for containment
analysis in risk studies (MARCH 1.1/MARCH 2, CORRAL/MATADOR) have two asso-
ciated types of uncertainties. One type results from lack of physical data
on particular subjects; the second results from oversimplistic or nonexistent
models within the codes and the sometimes opaque or questionable linkage among
models. The research effort also has two parts--one for identifying areas where
improved data are needed and a second for the improvement of modeling methods.

Using results from PRA analyses, priorities for experimental information

and/or verified analytical models to reduce important uncertainties will be
identified. Priority in-containment thermal-hydraulic issues include molten
core interactions in the reactor cavity, time-dependent hydrogen and steam
release rates to containment.

16
 Containment
Analysis

Thermal Hydraulic I I Fission Product

Effects Transport

Containment
Structural
Response

Figure 3-4 Major Elements of Containment Analysis

17
 Deficiencies have been identified in the current risk assessment codes
(MARCH, MATADOR, CRAC), such as inadequate representations of important
phenomena and plant features and undesirable coding characteristics. Thus, a
new integrated package of risk codes to replace the existing codes is needed
to achieve consistent treatments of those phenomena that are essential to the
characterization of severe LWR accidents, will permit the quantitative analysis
of severe accident consequences and associated uncertainties, and will have a
structure that is readily amenable to the incorporation of new models based on
ongoing research programs.

3.5.2 Containment Structural Response - Current RES programs on contain-

ment structural response are basically in two areas: (1) study of modes of
failure (leak, rupture, etc.) and the ultimate capacity of the containments,
and (2) study of the magnitude of internal pressures inside containments under
severe accident conditions. The Accident Source Term Program Office (ASTPO)
is currently conducting a study to collect state-of-the-art information on the
above two elements, primarily through independent calculations by experts, and
to combine these to estimate containment failure probabilities under severe
accidents. Results of the ASTPO study will be updated as more research results
are available.

3.5.3 Fission Product Transport - Research needs for PRA purposes may be
divided in the same way as was done in Section 3.2.1. The prioritization of
data needs would be performed in the same way. Examples of important data
needs include radionuclide release rates from fuel and extent of radionuclide
retention in the reactor coolant system.

As discussed in Section 3.5.1, the need for improved PRA models is also an
important aspect of the overall PRA research program. Modeling areas include:
release from degraded core materials, production of aerosols, transport and
deposition in RCS, transport and deposition in containment, deposition in
leakage paths from containment, and source terms to environment. Thus, two
research needs in this area are:

(18) To identify data needs which can be used as an aid in setting

priorities for the phenomenological experimental programs.

(19) To develop an integrated package of risk codes (MELCOR) to replace

the existing codes to achieve consistent treatments of those phe-
nomena that are essential to the characterization of severe LWR
accidents and will permit the quantitative analysis of severe acci-
dent consequences and associated uncertainties, and will have a
structure that is readily amenable to the incorporation of new
models based on ongoing research programs.

3.6 Consequence Analysis

Consequence analysis as defined here includes the mechanisms for transport,

dispersal, and deposition of radioactive material released from the plant
during an accident, and the resultant health effects, property damage and
costs. Research needs in this area are categorized by the different aspects
of this analysis: transport modeling needs, health effects modeling needs,
and economic effects modeling needs as shown in Figure 3-5. Among and within

18

Ob.
 Consequence
Analysis

Meteorological I Health Economic

Effects Effects Impact

Figure 3-5 Elements of Consequence Analysis

19
these categories, important data needs continue to be identified and include
more accurate wet and dry deposition models for particles, effectiveness and
extent of use of mitigative actions by the exposed public (e.g., sheltering),
improved dose effectiveness models, and improved economic models and data
bases. Additionally improved models and capability for quantitative uncertainty
analysis, better documentation and testing, are needed. Many of these needs
are being addressed in the development of MELCOR.

Improved capabilities to model ex-plant consequences will also provide

NRR with more defensible calculational methods for evaluating the consequences
of Class 9 accidents in environmental impact analyses. These capabilities are
also useful for evaluating siting and emergency requirements, and Commission
Safety Goals. Specific research needs in this area are:

(20) Evaluation of the implications of revised source terms on emergency

planning regulations and the NRC safety goals.

(21) Investigation of the dosimetry and health effects of the deposition

of beta emitters on exposed skin during a severe accident.

(22) Investigation of the potential for near-field (onsite) deposition of

radioactive material discharged to the atmosphere with large amounts
of water vapor.

(23) Development of better models for atmospheric scrubbing by rainfall,

which is associated with high consequence estimates.

3.7 Integration of Analysis

Integration of analysis encompasses not only interfacing tasks between

the preceding analysis, but issues of scope and recovery. It is also within
this area that needs for trial use and demonstration of the preceding analyses
described are addressed. For convenience, the discussion is divided into four
sections: (1) scope, (2) recovery, (3) uncertainty and sensitivity, and
(4) trial use, demonstration and integration.

3.7.1 Scope - Adequacy of completeness has been raised in two additional

(not previously discussed) areas; namely, pressurized thermal shock (PTS) and
cold shutdown. Pressurized thermal shock is being resolved through a proposed
rule (10 CFR 50.61) and a complementary significant research effort. Plant
specific probabilistic analyses of PTS and proposed corrective measures will
be required in the proposed rule for plants projected to exceed a screening
criterion on nil-ductility transition temperature. Guidance and acceptance
criteria are needed for the proposed corrective measures. Thus, a research
need is:

(24) To confirm the technical bases for the screening criterion; to devel-
op methods for estimating the likelihood of a vessel through-wall
crack; to identify important sequences, operator and control actions,
and uncertainties; and to compare the effectiveness of corrective
measures for PTS.

20
 Except for the relatively narrow scope analyses that address PTS, current
PRAs have concentrated on risk under full power operations on the argument
that it is this operating mode that represents the greatest risk to the public.
This assumption has not been fully investigated, and questions continue to be
raised, particularly by the ACRS, about risk from other operating modes,
particularly cold shutdown. Some investigations are underway to investigate
cold shutdown. These investigations have not been integrated into a PRA to
allow comparison between non-full power and full power risk. One PRA research
need is:

(25) An analysis of non-full power risk from LWRs which is integrated

with the full power internal and external analysis allowing direct
risk comparisons and also providing recommendations on scope and
methods of non-full power analysis which could be incorporated in
perspective PRA procedures for regulatory use.

3.7.2 Recovery - Recovery actions performed by plant personnel in response

to accident conditions have played an important role in preventing core melt
accidents. Some of these, such as occurred in the Browns Ferry fire, repre -
sented actions outside written procedures. Modeling of such actions in a PRA
is complicated by the fact that recovery actions are accident-sequence - dependent,
sometimes cut set dependent, and several recovery alternatives often exist.
Nevertheless, some recovery models have been used in PRAs or are under development.
A research need which has been identified is:

(26) An integrated, evaluated and demonstrated PRA methodology for more

thorough analysis of recovery actions under accident conditions.

3.7.3 Uncertainty and Sensitivity Analysis - The importance of understand-

ing the uncertainties in PRA analysis, particularly parameter-estimate and
modeling uncertainties, has been recognized since early reviews of the RSS.
Programs within the NRC and industry address this issue. Recent industry
studies have attempted to integrate the uncertainties in a PRA by folding
together modeling unknowns, analyst judgments, and data-based statistical
uncertainties using Bayesian techniques, but with little use of sensitivity
analysis. There continues to be needed a widely-accepted method to assess and
distinguish between modeling unknowns and parameter uncertainties both data-
based and non-data-based. This research need can be described as:

(27) An integrated, evaluated and demonstrated method for using both

uncertainty and sensitivity analysis to assess and display uncertainties
arising from both modeling and data which appropriately distinguishes
between the two.

3.7.4 Trial Use, Demonstration and Integration - The IREP experience has
demonstrated that to fully test new PRA methodologies for their strengths and
weaknesses requires their trial application in actual reliability and risk
analyses of specific plants. It is only in this environment that the various
elements can be integrated and tested for accuracy and practicality. The
methods and data development efforts discussed in the foregoing section of
this plan must be integrated and tested. Such an effort would have many objec-
tives, the major ones being:

21
 (1) Test and demonstration of new and improved methods and data;

(2) Integration of external event analysis with the system reliability

analysis;

(3) Identification, estimation of the magnitude and propagation of

uncertainties;

(4) Development of improved procedures for conducting an analysis in a

timely manner, and

(5) Recommendations and prioritization of regulatory and research activ-

ities related to PRA based on firsthand experience in conducting
detailed and complete risk analysis.

This leads to a research need which can be summarized as follows:

(28) To integrate and evaluate new individual PRA methods, expanding the
scope of PRA to achieve a higher degree of completeness in evaluat-
ing risk, and to expand the PRA information base.

3.8 Risk Analysis Research Needs Summary

Twenty-eight research needs have been identified in the preceding section.

They are listed below by subject matter for ready reference.

(1) Thermal-Hydraulic Modeling

(2) Special Initiating Events
(3) Integrated Plant System Modeling Techniques
(4) Control System Failure Analysis
(5) Integrated Software Package
(6) Integration of Seismic PRA Methodology
(7) Integration of Fire PRA Methodology
(8) Improve Method for Internal Floods
(9) Statistical Techniques for Estimating Extreme Floods
(10) Diagnostic Error Estimation
(11) Simulation Modeling for Maintenance Tasks
(12) Improved Methods for Application of Human Error Probabilities
(13) Integration of HRA Techniques into PRA
(14) Human Error Reporting
(15) Updated Component Data Base
(16) Precursor Studies
(17) Harsh Environment and Root Cause Data
(18) Phenomenological Data Needs
(19) Integrated Risk Code
(20) Evaluation of Revised Source Terms
(21) Beta Emitter Investigation
(22) Deposition of Wet Plumes
(23) Atmospheric Scrubbing Models
(24) Pressurized Thermal Shock Probabilistic Analysis
(25) Evaluation of Non-Full Power Risk
(26) Improved Recovery Modeling
(27) Integration of Uncertainty and Sensitivity Analysis
(28) Integration and Demonstration of New PRA Methods

22
4.0 Research Needs for Risk Reduction (Issue 3)

The purpose of this section is to discuss the research needs and activ-
ities of Issue 3, "How should plant risk be reduced if needed?" A breakdown of
this area is shown in Figure 4-1. Each of the principal activities shown in
this figure will be described briefly in this section; the following sections
will provide additional detail.

Option Identification and Preliminary Screening - For any nuclear plant,

countless changes to the plant's design or operating characteristics can be
postulated which could serve to reduce the risk of that plant. The activity
of option identification has two basic parts: (1) provide a survey of such
possible changes; and (2) provide a first qualitative or semi-quantitative
screen, separating the more promising options from the large numbers of less
attractive options. Since this is a relatively straightforward process, no
research needs have been identified in this activity.

Detailed Option Evaluation - Once the possible plant changes have been
subjected to a first screening, a more detailed evaluation of the remaining
options can begin. This activity has several parts: (1) compiling a detailed
data base of PRA information for the plants or plant types of interest;
(2) identifying and quantifying how a possible change would update the data
base; (3) evaluating the associated benefits in areas not treated probabilisti-
cally (e.g., improved sabotage protection, enhanced "defense-in-depth"); and
(4) evaluating the cost (and its components) of the change. Research needs
identified for this activity include the development of improved methods for
consistently extrapolating from the available PRA data to other accident
sequences and plant types, for combination of uncertainties, and for consistent
and appropriate consideration of the non-quantifiable aspects of possible
changes.

Cost-Benefit Assessment - The terms value/impact assessment and cost/

benefit assessment are often used interchangeably. Value impact is less
restrictive since it includes unquantifiable factors in the assessment,
removing the misconception that all factors have to be reduced to terms in
dollars. Value/impact assessment is a methodology to ensure that NRC regula-
tory decisions are based on adequate information concerning the need for and
consequences of a proposed regulatory action. This activity consists of two
steps: (1) separating the values and impacts into component terms, assessing
the effect of proposed NRC actions on each term, quantify the effects in mone-
tary terms and sum the net benefit, and (2) display the values (benefits) and
impacts (costs) in a useful format for regulatory decisionmaking.

4.1 Option Identification and Preliminary Screening

The literature of the nuclear industry contains many reports on means to

reduce the risk from LWRs. These documents discuss means for preventing severe
core damage accidents, by reducing the frequency of initiating events or by
improving the emergency systems for protecting the core. Many also discuss
additional means for mitigating core damage accidents, such as filtered-vents,
improving the reliability of existing systems such as containment sprays, etc.
Since TMI, an additional concept--accident management -- has been discussed.
This concept relates to the optimization of the use of existing plant equipment
during an accident by improved operator training, etc.

23
 Risk
Reduction

Option Detailed
Identification and Cost-Benefit
Option
Preliminary Assessment
Evaluation
Screening

Change in Change
Accident Sequence in Cost
Likelihood Consequences

Figure 4-1 Elements of Risk Reduction Research

24
 The first task of the work in this section is a broad survey of the
nuclear literature to characterize the range of suggested plant options to
reduce risk. Such surveys have been performed a number of times. Perhaps the
most notable published survey was performed in 1978; this was NRC's report to
Congress on improved reactor safety, NUREG-0438.

Following such surveys, the second principal step of this section is a

preliminary screening of suggested changes to provide a manageable set for
further evaluation. This can be done either qualitatively (as was the case in
NUREG - 0438) or semi-quantitatively. The latter can be accomplished by perform-
ing calculations which maximize the risk reduction benefit (i.e., assuming that
the proposed change reduces to a probability of zero its associated failure
mode, consequence, etc.). It should be noted that, in order to perform this
first quantitative screening, the assembly of an initial PRA data base is
required. For the plant(s) of interest, the data required at this level con-
sist of the list of important sequences and the functional failures and
successes, likelihood, and consequences of each. With this data and a
preliminary evaluation of possible nonquantitative benefits (e.g., inherent
sabotage protection), the list of changes to be assessed in detail can be
narrowed to a more tractable size.

The proposed NRC Severe Accident Policy Statement states that the existing
plants pose no undue risk to public health, safety and property given what we
know about them and provided that certain activities go on. In support of
this statement, ongoing nuclear safety programs such as the Accident Sequence
Evaluation Program (ASEP) and the Severe Accident Risk Reduction Program
(SARRP) are being conducted to provide additional assurance that this is so.
ASEP is identif(ing and describing the dominant accident sequences and their
likelihoods and ^ SARRP determines the consequence and risk and performs
value/impact assessment for risk reduction, if necessary. The ASEP research
consists of compiling and analyzing current PRA findings, special safety
studies, post TMI fixes and operating experience to develop updated insights
on sequence likelihood. ASEP will use these insights as an inference base for
performing generic reliability analyses to determine the safety characteristics
and generic accident sequence information of all the operating and near-term
operating plants. ASEP is providing the NRC policymaking process and research
and licensing applications with results including: (1) generic groups of
LWRs; (2) generic accident sequences; (3) insights on sequence likelihoods,
their uncertainties, and dominant factors that drive the sequence likelihoods;
(4) LWR event tree and fault tree models; (5) identification of inconsistencies
in PRA estimates of accident likelihoods and system unavailabilities with
precursor experience; (6) safety prioritization of LWRs based on their relative
core melt frequency to support the ISAP program; (7) establishment of a computer-
ized data base on generic accident sequence delineation and; (8) codification
of the event tree and fault tree models for licensing applications. In summary,
these activities satisfy the basic need to:

(29) Identify and describe dominant accident sequences.

The tasks described in this section use established, relatively straight-

forward methods. No additional methods development is anticipated in this
area.

25
4.2 Detailed Option Evaluation

The detailed evaluation of possible plant changes can be performed in a

number of steps. These include: (1) detailed data base development;
(2) identification and quantification of how the change would update the data
base; (3) identification of non-quantifiable attributes and (4) evaluation of
the cost of the change. The following sections provide additional detail on
each of these items.

4.2.1 Assembly of Detailed Data Base - Section 4.1 described what type
of PRA data is required to perform the preliminary screening of suggested
changes. As one moves from such a screening into a more detailed evaluation,
a more detailed data base is required. This data base should include all
accident sequences found in the particular PRA to be important (e.g., those
sequences required to produce the top 99% of the core melt frequency and
risk). Characteristics of each sequence to be compiled include its frequency
(with uncertainty measure), and its physical process/consequence analysis
(again, with uncertainties). The last item should be in sufficient detail to
permit the analysis of "competing risks" resulting from physical processes.

Since the nature of this task is data compilation and is relatively

straightforward, no research need has been identified.

4.2.2. Identification and Quantification of Impact of Suggested Change -

With the data base of Section 4.2.1 now available, it is possible to overlay a
suggested change and identify how this change updates the data base. Effects
can be direct, e.g., a system change can reduce the likelihood of a particular
failure mode included in one or more Boolean statements. Indirect effects can
also result--a change can lead to different physical characteristics of an
accident progression and thus may affect the performance of other systems. In
either instance, the impact of a change can be quantified probabilistically.
This probabilistic change may result from the improved reliability of a core
protection feature or, for accident mitigation devices, the likelihood of a
particular radioactive release (e.g., a release category) can be altered.

At this time, several areas exist related to this task which require
additional consideration. First, since the types of information contained in
the data base each have associated with them a measure of uncertainty, an
appropriate method of uncertainty combination is required. Work on this area
is currently underway.

A second area requiring further work relates to the availability of

state-of-the-art assessments of severe accident physical processes. At the
present time, work by NRC and its contractors on the "source term" issue has
yielded advanced data on radioactive releases for a limited number of accident
sequences in five reference plants. In order to provide risk statements (as
the foundation for risk reduction calculations), the source term data must be
extended to other sequences in each reference plant. Further, since it is
valuable to provide risk statements on more generic plant classes, a systematic
method for extending reference plant risk statements to generic classes is
also needed.

In summary, research needs associated with the work described in this

section are:

26
 (30) A method for combining uncertainties resulting from the various
contributors to risk reduction calculations;

(31) A systematic method for extending advanced source term results for a
few sequences to the remaining sequences in the reference plants;
and

(32) A systematic method for extending source term calculations for

reference plants to generic plant categories.

4.2.3 Identification and Assessment of Unquantifiable Attributes - In

addition to the quantitative sense of Section 4.2.2, a complete analysis of
such a change requires the identification and assessment of its non-quantitative
attributes. These attributes can be of two types--one associated with issues
poorly treated probabilistically, the second with regulatory compatibility. An
example of the first type is sabotage events. For the second type, the issue
is the extent to which a suggested change conforms or deviates from current
regulatory practices.

The identification of the various non-quantitative attributes is presently

in a relatively acceptable state. However, a systematic method for assessing
and displaying the related benefits has not yet been developed. As such, a
research need can be identified as:

(33) A systematic method for assessing and displaying the benefits of

non-quantifiable attributes of possible plant changes.

4.2.4 Assessment of Plant Modification Costs - In order to complete the

impact evaluation of a suggested plant change, a measure of the cost of the
change is required. This cost has a number of components, including not only
the hardware cost, but other items such as plant downtime costs, costs of
occupational exposure, etc. Because of the considerable experience in the
nuclear industry with requirements for plant modifications, both the itemization
of important cost components and the capability for performing cost calculations
is in a relatively acceptable state. As such, a research need has not been
identified.

4.3 Cost-Benefit Assessment

Regulatory decisionmakers must balance conflicting values of different

groups, in an environment sometimes characterized by uncertainty, inadequate
information, and time and political pressures.

In January 1983, the NRC published guidelines for performing the regulatory
analyses required for a broad range of NRC regulatory actions. The principal
purpose of the guidelines is:

"to ensure that the NRC regulatory decisions are based on adequate infor-
mation concerning the need for and consequences of a proposed regulatory
action and to ensure that cost-effective regulatory actions, consistent
with providing the necessary protection of the public health and safety
and common defense and security, are identified."

27
 The guidelines establish a structured framework for NRC regulatory analyses
and describe in general terms the information that must be included. According
to the guidelines, a central element in all regulatory analyses is an evaluation
of the costs and benefits of the proposed regulatory action and any reasonable
alternatives. In the NRC, such cost-benefit assessments have traditionally
been called value-impact assessments.

In December 1983, A Handbook for Value Impact Assessment (NUREG/CR - 3568)

was published. This Handbook provides a set of systematic, but flexible,
procedures for providing information that can be used for performing value/
impact assessments. The principal components of value/impact assessment are
the attributes that are used to characterize the consequences of a proposed
action. These methods can be used by NRC, the Cost Analysis Group of the
Office of Resource Management and other NRC organizations.

At present, no research needs exist in this area. However, it is antici-

pated that as the methods of the Handbook are applied to a wide spectrum of
major regulatory issues, the feedback will be vital in updating these proce-
dures and methods, and in the identification of additional research needs.

Five research needs have been identified in this section. They are listed
below for ready reference.

(29) Identify dominant accident sequences.

(30) Risk Contributor Uncertainty Integration.

(31) Extend source terms to all accident sequences for a given plant.

(32) Extend source terms from reference plant to generic plant classes.

(33) Assessment of non-quantifiable plant attributes.

28
5.0 Research Needs for Maintaining an Acceptable Risk Level (Issue 4)

This section discusses the research needs and activities which are neces-
sary to maintain an acceptable level of safety over the plant's lifetime. These
activities involve the setting of minimum safety related operational require-
ments, licensee programs directed at assuring compliance with safety require-
ments, and inspection and operational safety assessments by the NRC to assure
compliance with regulations and that operational safety levels are being main-
tained.

The interplay and roles of regulators, inspectors and licensee (and by

extension vendors) must be clarified before effective research programs can be
specified. The regulator with input from the licensee sets the minimum accept-
able safety related operational requirements. These are generally in the form
of technical specifications and quality assurance program requirements. Reli-
ability programs which complement quality assurance are implemented by the
licensee to assure that design and operations are adequate to maintain minimum
operational reliability performance objectives relevant to plant safety. The
specification of minimum operational reliability performance objectives and
reliability program content is again the responsibility of the regulators work-
ing in concert with the licensee. Some or all of the reliability performance
objectives and programmatic activities may be part of technical specifications
or other conditions of the operating license. The technical specifications
and other conditions of the operating license. The technical specifications
and other special conditions of the license represent compliance auditables by
which inspectors and operational assessments can gauge operating experiences
to determine if an acceptable level of safety is being maintained. Various
plant operational limitations, activities and reliability requirements are
generally the subject of quality control/assurance activities, inspection
audits, and detailed safety trend analyses.

As a results of the proceeding discussion four distinct yet correlated

research areas relevant to maintaining an acceptable level of safety over the
plant lifetime have been identified:

(1) licensees safety assurance programs (QA/RA)

(2) Technical Specifications
(3) NRC's licensee inspection (and enforcement) and operational safety
assessment activities.
(4) NRC's assessment of the risk limitation effectiveness of its regu-
lations.

These elements are shown in Figure 5-1.

The regulatory need for research in these areas is discussed below. The
first research area involves the development of effective reliability and
quality assurance program requirements which licensees must implement. The
research conducted by DRAO will address reliability programs and interfaces
with quality assurance programs--for which I&E is conducting developmental
research. The second research topic, technical specification requirements, is
primarily focused on the development of practical risk effective technical
specifications. The third research area involves the development of a basis
for setting NRC inspection priorities and focusing inspections on risk sensitive

29
 Maintenance
of Risk
Level

I
Reliability I Inspection Regulatory
Effectiveness Effectiveness Effectiveness

I
Limiting
1 I
1

Surveillance Other Reliability

Conditions
Requirements Elements
of Operation

Figure 5-1 Elements of Risk Maintenance Research

30
(34) Delineation of Reliability Program Elements
(35) Reliability Program Research
(36) TS Evaluation Tools
(37) Surveillance Requirement Methods
(38) Extension Request Evaluation Method
(39) Analytical Models and Data Base for TS
(40) Guidelines for Safety Limit Settings
(41) Risk-based Information for Inspectors
(42) Inspection Module Prioritization
(43) Methods for Risk Evaluation of Regulations

35
6.0 Research Plan

6.1 Introduction

Within the Division of Risk Analysis and Operations, a research program

has been structured around the research needs identified in Sections 3, 4, and
5 of this plan. This plan can best be thought of as having the elements shown
in Figure 6-1; Needs Identification, Program Definition, Program Prioritization,
Program Implementation, and Program Integration. Each of these is discussed
briefly below and covered in more detail in later sections.

Research Needs Identification: Sections 3, 4, and 5 describe the research

needs as we now understand them, and it is these needs around which the current
Research Plan is structured. These needs are summarized in Table 6.1. It is
recognized, however, that the active use of PRA in the regulatory process
results in changing research needs. Thus, this plan must also change as needs
change in the future. To this end the plan will be updated and reissued
periodically.

Program Definition: Currently, several programs have been defined to

meet the needs identified in Sections 3, 4, and 5. These are described in
Sections 6.2, 6.3, and 6.4. Each program is tied to specific needs. The
research programs are summarized in Table 6.1 along with the specific research
needs they address.

Current research programs do not fully meet all of the identified research
needs. Where gaps exist programs will be considered and developed in future
years if prioritization indicates funding is warranted.

Program Prioritization: For purposes of allocating resources and setting

milestones, prioritization of the needs and programs must be done. To achieve
this, an in-house prioritization effort is done each year to establish the
appropriate priorities. This effort is described in Section 6.7.

Program Implementation: An implementation schedule has been set up and

is described in Section 6.5. This may change, however, due to budget
fluctuations and periodic updating of the prioritization.

Program Integration: Most of the program elements reflect new methods

which need to be integrated with other existing PRA methods. A program
has been defined as the principal vehicle for this. It is summarized in
Section 6.2.1 and described in detail in the Risk Methods Integration and
Evaluation Program Plan.

6.2 Research Plan for Risk Assessment Methods

This section describes programs underway which address the previously

identified specific PRA needs. For each program the objective, the research
need it addresses, specific deliverables, and actual or potential interfaces
are indicated.

36
LE
 -6e--"' 3E3

suollep6a8 40 ssaua/4430443 Is1.8 17•7•9

uoll3adsu1 38N 01 uolle3liddv luewssassv Is1H Elc9
8 6uqapow Xrnt3elLa8 luepuadao emu z1c9
4.ea0 0.1 d X1q1clekeH I17 . 9

s88d 1441m a3uaaadx3 uBlaaod cE'9

uopez!l1J 0 iad loaeasa8 9'E'9
soAteuv loedwI anLeA S•E•9
saanseaw a3uelaodwl se'E'9
6upiewuoopao a04 laoddns Oaeasa8 E'E'9
V weaboad u0n3nP08 1s1.8 luapmv wanes vE*9
V weaboad uollemena apuonbas Vial:433V T9

3 VHd 31. 111sos 40 sisAieuy swalsAs u sepulelaa300 bZ - Z*9

3 sokeuly POOH Leuaalui pue Leuaalx3 Evvg
3 wea60ad ipaeasas soALeuy Is!.8 eald

6qopow apuanbasuo3 I9
sawnid laM 40 uolloodaa peztle301 O9
weaBoad u0penLeA3 Xlul.elaaoun )018 pue MoLouawouou 6I9
80313W 43I'Z'9
vogs Lewaeyi pazianssaad a9

saosan3aad apuanbas luarq 33 V 91'Z*9

sanboval uopeowls aalndwo3 bus n apuenuolaed uewnH ST'Z'9

s100n3 Pelel 0 8 X1 0 4eS dd8 .104 5.10.1.13 uewnH 40 sIsALeu8 eI'Z'9
wals4s 6u13aoda8 4°S dN Bulsn uonIsInb38 eleo Almcleips uewnH EUZ*9
suopeaed0 ddN J04 *leg flea XlmcielLoN uewnH ZI9
saanljeJ Peuodwoo 10 sesne3 1008 iT9
uollenLeA3 pue quawdowoo eleo 0I9
slueld aamod aeapnw 00a4 Elea LLqVU lo siskeu8 69
s!.s,(Leuli IsIs ao4 sanbluipai Le314spels 99

V8d J24 spowlaw pue suopelndwoo Almqeqoa uep1443 L'Z'9 • •

luawdowao aaem440S 88d Pequa6a4u1 9'Z'9 •

ddN 0! J2.1.43 uewnH 6upsess8 aol steP0W 3PAteuV woadwi 9•Z'9

01'4 88H O uolleatialul s03adVH VZ*9
Aboopoglaw aanueA 10opuadaa palea6alui • •
luawanoa don sP0 141eW VHd • • •
weaBoad uollenLena pue u01le46alut spoglaw L'Z'9 • • •

a. 0
0
-0
C
0
<
12
01 01
a 0 C -0 0 r 0.
0 00 4,
.0 w o m , 0. 0
W W w r 00 w 4-,
, MP u_ r
10 > 10 0 4.0 ,
r 4- = C0
0 W 0 >, X .0 M r r C
X X •-. W ...., m • 0 01 I- r
01 Mr- ulla., WC 0 < , L
U CeCM •=1-r r 4- ce L w ..
- -4. < ; e W 0 S.. X 0 1.11 I.
,. r 4-, 4, 14er1W OW -0 M M.,
0M0er -^,C 1-0 0 .... W CO ....
MI ..- >, W 0 W -, '0 L 0 .c o cc
s- 4, V) r an V, W 0 U.1 X 4, M C
'0 r 0 '-0 W W a 1- r 4
>,0 12 >1'0 '0'0 0. - uCur00 M
Cr Wv1W 4)4)4-w r 0C r1- pc
4, 4, r r r ..- 00 4, 1- c
70 70 S.!
' `;" 2! E 2! 4:1 2 'St c7, t 2! '-' 1.1
e., on,01 0707 0 W
4)4)01-
C r 4, 0 0.1
a 4-, :
mc
s-ucure 01001.4)10
4)4),C4, ,,...,, r -0 C
Me ,- 0, r E
.00.000 CCWX ...- . , m4.00 0.1
F- ,/, r C-1 t•-• r r 2 w 0VI2E.-..-.= 07.
0
0 C, r C,J ■ni 4.• ..- un 4)
•,- r, 1, en c• Li" '0 i, . CO 01 0 ir r--1 1-1 r, .--1 0 r, ,
O r >
> 0
7:I 0 C
c > <
< r tl'
m < 11
O C C
P a >, m
O r
r 0 r c
0 , r 0
0 >, a r .,
W .0 r
0 > M U
>, r l..I ., W
C
MM TU
■
C 70 CC CT,
<0.
E C
U

.,. X 0 M
m w 2 0
 •

'36(

•
• •
• • • • •
• •
•
• •
• • • • • •
• •
• • •
•

• • • •
• •
• •
•• •
•
•

• •
• ••
0
0
07 4- 4-
C >4 ., 0
.0 f- 4.7 .0 C C 03
.0 .- >4 C ti la U 0 47 N C
'CI 0 41 t 4.1 4.1 4- •-- •n fa 4.- L 7,- 0
W . 0 '0 -NC 0 4- C 03 .- 4.7 I. 4- 4i
> 4‘ 0. 4-7 47 E 0 47
4- •.0 0 ti O. > .0 417 4-, 03 0 E 01 7, ,- 01 44 fa 777 74- 4- 4-- 4-7
4.7 07
47 W Z 0 • •--7 4- '0 '0 L. fa 0 C 41 r - V 0 7 CI -I L fa
C 2
fa E .0 .- 417 44 0 01 0 .- L W C 4- 01 417 •-• C 0 7
t 03 ul Of 7 0 G41 •-- '0 4- .0 t.) 4_1 4.7 11, 4- 0 03 .0 2 E fa V >4
4.7 7717 7 0 10 4.7 1.7 C 7 fa 07 > C 4, 4- L fa
n3 -0 0 47 0- 74- •-- . Z 5 07 42 = .0 C 4) 0 0' ..-• •,J, s..
444 fa 47 47 0. >
0 0 L lof .0 n3 1 r- M •-• 4- 4- fa 444
47 • L'' I ._ 0 01 0)4' .73 E C >0.71 Z
G. In 4-
4.7
C
. E"I'2' L 07 L 0
2 ,00)00 ln
3 44 40 fa
Jr
E
S..
417
•-• 2
4040 1- >W 3 f- 0 • 07 ..-- 07 40 0 Ln ^-
2 47 -0 '0 0 03 • •-• 1- 0 1- .4., 2 41 41 0 1- W 07 47 0 0 vf
(0 >1 13 I. 4- MI •r-
> C 0 4.7 a 4-7 CC 7
RI 0 4- tn 1- 4- 0 fa .0 0 7 07 I. 07 fa 4-- 7 O W 0. C o- o o c o ce
1.0 0 U 44 0 00 P--4 Z
•
IL
fel C 0404
0 7 Gn 07 U '0 07 >4 07 4- g
.0 Li 0 ti .-
7.- C L 4- L O. e 1 >,•2 ei Ig ' tee 1-40

.
4.1 44C VI

e .,.
1. 0 7
413 07 .-- 01

C 47
01
0 0 4-7 C 4-
In 0 4.7 0 S..
4- • n 4- 44
07 C CC 47 Z 44
NO
4-- 7 ,-
C
-0 7 ,- VI ,
07
Of 0
C
4- >4 W
L0
I. 0 7
44 74- 0400W
7

C 44 tn 47 In 44
4.1 L
C4.7
'0+4
0 r- 47 4-7 0
..- 7.7.7 444 fa 011
47 •--7 7 4-
C
0
•-• 1- ve
40 41
Li I. C Gn
13 Gn 0
07 L 0
40O ..--
CC
4-C
...-
IJ 0404007 0) '0 047E4'.0 1-47 417404-47 C4-U 044 L„, c '0< Rj E .4- .-- ,- .0 4- ..- 0 ..- 01 fa .4.7 4-7 Ln 4.7
• 4171-01- EL 47 71:174.7 , -0. 740 >44 400 417 7,-0 US- - o c lc 0) o IA 01 03 .0 413 7 ,- '0 vl 13 47 4- r- C .0 u 1.7
1 WU
Vet
0'-
+40 7 004 471 3 In 40 VI 3 0 L >4 C (11 4, 437 Of C 417 C L 4.7 40 4.1 O 1-41:1>0)000>7 W. , .
0 07 ..- r4- fa 0 0 .0 4- 2 L 47 ,-- 0 I. C 3 2 W 47 7 07 07 C 47 C -- Of ,- 444 0) .0 W .0 •--7 W '0 4 1 2 0. O. .0 7
n11 U 4-7 •-•
1 '0 al 0 444 0)4-4 > 4134-7 o. • a, • u-,cl. u • U 417 0 44'4'044-'04'0
40444-7 -74 •-• 0 •-• S.. 4.1 4-7 4-7 fa vf • r.- 4-7 Gn tn vf +40)
47 417
.00 417>W44444 L> 4- ECC g 4/713 47 4- 0 X417243.-40.- VI ill 4... al 7.41 3 07 X 07 C 413 3 137 4- C C
0.1-040
Ca
0.0-' 2 14..7 433 0 41C 0 - 4 J. .I CC ■-• = 42 GI 1•■• .../ Ce .0 ta.1 , 1.1 Ce a. 44( a. 4000-21-In2:LU2: .CO30, 2 ' I■P ZCC
7 C, 2 L.L..
• Ln .0 ..a cr, 07
Cl r-I n4.1 en
• .- U., )ON. OD Of 7,- 0 r-1 0.4 en 44. vn 70 7-4 CO 0 4-1 n4.1 0-1 0 Re fil JON-
en
CO
en
0
RP 017
.4 Or) r-4 .4 1-1 t-41 v., IN IN 044 1.4 IN IN IN IN IN C n4.1 C740 en en en CV en en e .1 e .1 017 017
' >1 >74 0 0
Gn 40
fa 47 4-7 44- 4.1 01 Gn
M
C fa 01 47 1.7 07 47
C
er U 0 40 >0) C C
, 40 C •r- 4- 07 137
.,- 417 0 4- .0 -1 9- > >
01 fa
4_, 4.7 4, 4,
fa >4 '0' to
r- fel C fa V, >4 L4
47
7 I. 47 C C 7 .- .4-7 YJ 417
C fa 4-
O 0 oc ca CV o 44C CC 4-
••- ¢ CV 07 0 P
•-
• ,
14) 44 44
on
U 47 C 0 47 C 0.
4- . >0
01 C
CV
0
0
L., U0
7 4-7
0
0) 07 7,- 5
• e-
•-• e 40 V+4 -0 C
CV
U'-
C 4.1 4-7 .4?
..7
• c, c • •,- a, 0. • fa
0), - 03 473 CC U
....> •,, L CU
. L. . L.
fa >4
4-7 0 ,-. 2 fa Of
, 011 Ln tn LI'l
C 4- fa 40 47
4-7
o 4- c .,_ a, 0 ■0 C
1•■• CT
, nf 0 er 2 0 4_, er
Li
I °
1
6.2.1 TITLE:

Risk Methods Integration and Evaluation Program (RMIEP)

OBJECTIVES:

• To integrate internal, external, and common cause risk methods to

achieve greater efficiency, consistency, and completeness in the
conduct of risk analyses;

• To evaluate PRA technology developments and lay the basis for

improved PRA procedures;

• To identify, evaluate, and effectively display the uncertainties in

PRA risk predictions which stem from limitations in plant modeling,
PRA methods, or data; and

• To conduct a PRA on a BWR 5, Mark II nuclear plant (La Salle Unit 2),
ascertain the plant's dominant accident sequences, the offsite
consequences, and formulate the results in such manner as to make it
possible to easily update the PRA and to allow testing of future
improvements in methodology, data, and the treatment of phenomena.

NEEDS BEING ADDRESSED:

#1 -
#2 -
#5 -
#6 -
#7 -
#10 -
#19 -
#26 -
#27 -
#28 - Integration and Demonstration of New PRA Methods

DELIVERABLES:

A number of products will result from this particular program.

Table 6-2 summarizes the documents to be generated under this program and
closely associated methods development programs. The documents fulfill the
following deliverables:

1. An integrated, evaluated and demonstrated PRA methodology for exter-

nal events which will allow meaningful risk comparisons between
eternal events and internal events and will lay the basis for pre-
paration of improved procedures.

2. An integrated, evaluated and demonstrated PRA methodology for common-

cause failures which will be suitable for routine use in NRC and will
lay the basis for preparation of improved procedures.

41
 ▪

1-4 v--I r--.1 ,--4 ,--4 f-I C0

4t
I I I >1
i W I W W W I r--•
W W =
W W W W W W
V) V) V) v) c.r)

.4. .4' LO tt tt .4' CO

CO CO CO CO CO CO CO CO
I
CD CD XI > -I-) -1.•) W 1
a = a = a) o 0 0 a)
< < << u_ Z0 o crt

.4- .4- .4- .4- .4- .4- .4- .4-

co co co co co co co co 1
t
C c 1 c cr) c Jo c 5- 1
rct rct rct = rct a) co co
r, r, r") 1.1 - r, X
.." <

E E
Co Co
C C C C C S- 5-
W CU W W W +-) Cp CD
E E E E E E C 0 0
a a a a a Co5- WE 5-
-0 Co 0_
S-
0..
O 0 0 0 0
r- 1-• ■-• r- r- DI C 5-
W W W W (1) 0 WO) W 01
> > > > > 5- a o 5- s-
0 a.) a.) a.) 4.) a.) a. W-
S-
O- W • r- • r-
IA IA IA IA IA 5- e2$ 0) Co Co
• r- 5- LI. Li-
O 0 0 0 0 Li- 0-
_C -C -C -C -C LI-I I-• • • LI-I
4-) 4-) -I-) 4-) +-) < /-1 • r- a 0.
W W W W W CC X al W W X
X X X X X p CC L.L. C) CI CC

.CI U
Lc) Lc)
r--- c..1 C'..1
r--I RI RI
.4- .,:1- ci- r•-- .. .. C'..1 C'..1 i
r--I r--I r--I r-4 .. .CI U r--I r--I i c\I
.4- ci- ci-
,-4 c\I C•1

C 4-)
W 0 CU)
CD) E EL
C W E W
• ,- -C W 0 3 C 5- a.
4-) - 0 0 L)0 o o
C a) cr) c 4:r r- 0- •
CO 7:1 W 4- CC al CI) +-) E 0
,-. 0 CD = 0 CI- C 1.1) C C- RI ■-.1 tt
a. 4-) x c cs 5- a) -a 0 • r- Co .-- U 0- >.)
C • ,- w v) C a) W U)0 E LI) CU RI • ,- CD +-)
4- a) W E cr) -0 0 S- 4-) c .0 E 11) ,- C 4- C C C
O E W RI 0 • ,- • I- C tt -I-I 0 W U 5- • r-
O. 5- Z 4-) _C 4-) L.1... ■--1 L.) W L.) ul = a) 4-) >) al
G) 0 I-- C 4-) al X u) Z 4-) C 4- u) 4-)
s-
o CL •-•
0 a) 4-)
4-) a) a) =
C -0 X •-•
0 0
4-) 4-)
C
0 cf)
4--
0
<
C
X al
L.L.I =
• r- 0)s- cc
4-) u- a) ce
0> •-• a) • , - al E • ,-- S- • ,- CD' C 4-) U 0-
cr) W = > U C > _C _c E1.1) C CS < WC C
CI al L.L.I 0 0 L.L.I U U 0 >-) 0 W 4- W CC CD "C$ • ,- = Co
"C$ Li- < • r- tt al L). • r- 5- 5- a. c t-.1 tt
C ,- 0 4-) . 4 ) 0) 0 0 al 4-) = >, = • ,- -I-) S- C
CTl a.) -0 •,- -0 al C -0 S- 5- -0 C al .- C:r) ,-- S- CL S- S- 0 -,-
-0 a1 in G)0 a) 0 CL CL < W< 0r 0- 00 OW 4-
_c 0 4-) Co 4-) •,-- -0 c..) CL CL ce -I-) • r.- CO 1- CO 4- u 4- u in
U X al ul C0 al 4- C < < a. r(I a) 4-- u... 0 u.. v) C u) -r-
ct S- "CI 5- • r- W X S- 5- • I-- "CI 1.1) -0 >.- -0 = -0 Lr)
O U CD 0 0- 01 4-) CL 1--1 a. a. -a 0)= 4-) W 0 W 4-) 0 -4-I I-- 0 0 >.)
5_ .,- CL) et C
_c ujw 0 1.1j L.L.1 0 0). c u) _c ul c _c C Z _c al
■--1 4..) ru -c ■--1 ■--1 ■--1 0 4-) • r- ttl = 4 -I = rCI + -I W ■-.1 4-) +-I 4-I fa
CL 0 C W X C = C U..1 X X r- CC = tt 0) al •-• 0)> < W ca WC
< _I ■--1 X ce ■--1 czy ■--1 v) ce ce u_ 1--1 L.L. cy c_) X c_) 0_ x LIJ 1- x cm x <
CC
U..I
. . . • • • . L..) •
r--I C\J c-r) el- L.0 (.0 r■ CO cr) co r-4 z cv cr;

42
 ‘1:0 S-
LLJ 03 CV u-) 03 03 (.0 (.0
CC 03 4-) CO 4-) CO
>, >, I 4— 4—
w to S.- r0 4-) c cr) u
cl) 5-0. S-u OW
r) r) r)
Cr) Lr)

U-)
03
4-) 1.1-) U-) U-)
03 _c 03 CO
4-) 0
S.. I I S.. _0 I
CU CU CU
_1 CC U_

03
CO 03 03 03
>, I I
c _0 >.)
CL ro n:S
r) r) r)

0. 0.
0 0
ft,
S.. CC
- o CI) C.)
s- 0 O-
cL. w
t.r) (I) J-4
4-) - 0 X
0 0 CC CL CL CL CL
_C LLJ LLJ LU c LU LU LU LLJ
4-) 4-) -0 1-4
X X CU C X X
CC CC CC X n3 CC CC CC CC

(.0

CU
e•-• -0
_0 tr) r-i
r0 i-r)
CY) i-r) I
t.r) r--I ••• •• ,., C\J CY) I
ft, co) 1----
cv r--I CY) CY)
r--I CV

I /1
CO
S.- C\J
0 1---
t.r) -4-) (V
•r- RI i
0 L. Cr) -I-) tf) CC
>1 cr G.) C S. CU c...)
CC 0. • ,- 0 5- --..
(ti CL 0 ,-. CL = 0
C CU tr) 4-) CU -0 LLJ
< RI 4-- 0
- I < S.- CC CV CC
0-) 0 .- CC 0 U 0
>, c C X RI 0_ Cl. CU 0 Z
4-) •/- V) CU E CU U S-
• ■-• •,- -0 >, (...1 S- C
> V) V V) •1•-• S.- Z CU • ■-• C CU Lf)
•,-. •/-. C V) >, U CV 1--1 _C 0) V
-i•-) V) It CU ,- U > ..-I I- 0 •r- 0 Cr CC 00
s- •,-• >1 •,••• r0 < 0 0 LLJ C tr) 0 CU CL N
o tr) .- CU -0 C 4-) U 0 U • ■-• (1) -C ti) I
C MI U = < 4- C CD 0 •r- ,--- 0 • ■-• C 0) CC
CD C C -i-) 0 CD Ce X -i-) CI.) < r-- 0 C C...)
Cr) < CC) (r) U >
(..)
•f)
• r•• a
0
- CC c cu c...)
........
•1-•
• ti) L.L.i -eJ CI- a ...e 4J (..)
S... >, S- >, .e..) • r- C I-I r- X -J V/ LLJ
0 4-) 0 4-) v) tr) 0) CU _J (13 ('4 4-) ---1 C •,- cc
4-- c c. •,-• 0 •r- 0 C -0 = CU U CCS CU X 0
< •r- E > Z /-• C •r- •r- < CC • r- )-- +I cp E i..L.i Z
cs) cc co i•-■ • r- 1.-1 • 1- Cr) 4-) U CC r- I- 1 C U C
-0 ca. 4-) 4-) -I _CI r0 n3 U 0 4-- = Z CU C • ,- CU ^
0 S- n_ • ,- 11.1 If •,^
•r < ›- OM =ECU RI C./) 4-) •
_c tv cu u..1 ,./) ca _o -ov)-0-) -
= s... = = 4-) LU r0 0)
-P U 1--1 C c) 0 .1-- c:r I CU -0 LLJ U Cf C CC -0 •
CDC C X CD X S-' ,- C CC -1 tf) >, ..-1 a CD 0 = CL G.)
X • r- = CC Cr) GI- X I-I Cl.. < = = --I C1 V) C.)
Z X < i.1.1
< CC Cr) C...)
• • • X • • 1.1J • • . C) •
" 1.1-) l0 = No, CO = Crl < C)
r-I t--I r-I = r-I r-I I-- r--I J C•\ I CV CV CI_ CV

43
 3. An integrated, evaluated and demonstrated PRA methodology for evaluat-
ing diagnostic errors stemming from plant accident conditions exceed-
ing instrumentation limits or operator training limits or stemming
from instrumentation failures. •

4. An evaluated and demonstrated PRA method for more thorough analysis

of recovery actions under accident conditions that will lay the
basis for preparation of improved procedures.

5. A delineation and demonstration of the scope and characteristics of

the thermal-hydraulic modeling that should accompany PRA analysis.

6. An integrated, evaluated and demonstrated method for using both uncer-

tainty and sensitivity analysis to assess and display uncertainties
arising from both modeling and data uncertainties and appropriately
distinguishes between the two.

Currently, the most complete and consistent NRC models for internal event
analysis are the models provided in the IREP, Arkansas Nuclear One PRA. These
are receiving wide use. However, they do not cover external event analysis,
and there exists today no consistent set of models which span the accident
sequences of both external and internal event analysis. Yet, such models are
needed to perform value/impact analysis and to address regulatory issues. To
meet this need, an important product of RMIEP will be:

7. A consistent set of accident sequence (event tree) and system reli-

ability (fault tree) models and accompanying data and quantification
which spans both the internal and external event initiators and which
are suitable for use in integrated PRAs.

The methods integration that will be achieved in the RMIEP will provide
the same types of information as previous PRAs and PRA-type studies with the
important difference of providing, in one integrated and consistent analysis,
a wider scope of analysis than has been done consistently in the past. It is
expected that this will change our present perspectives on what plant features
dominate risk and what uncertainties surround these conclusions. Thus, one
important product will be:

8. A new perspective on plant risk, core melt probability, dominant acci-

dent sequences, important plant features and uncertainty, stemming
from the increased scope of consistent analysis covering internal
events, external events, common cause analysis, expanded diagnostic
analysis, expanded recovery analysis, and improved uncertainty
analysis.

The expanded and improved modeling integrated into PRA via the RMIEP will
serve to further reduce uncertainties which previously had stemmed from the
modeling and data limitation addressed in RMIEP. Thus, one product of RMIEP
will be:

9. A better understanding of PRA uncertainties which stem from the

modeling limitations.

44
 Finally, the importance measure studies performed in the RMIEP will provide
guidance as to where data uncertainties impact risk. This will provide guidance
to where improved data will have their greatest affect in reducing risk. Thus,
the final product will be:

10. A ranking of data uncertainties based on importance to risk and

identification where improved data will have the greatest affect on
reducing LWR risk uncertainties. (Fall 1983)

INTERFACES:

Accident Sequence Evaluation Program (ASEP)

(determination of event sequences contributing to core melt)
Severe Accident Sequence Analysis (SASA)
(methods for system modeling and analysis)
Flood Risk Analysis Methodology Development Project
Seismic Safety Margin Research Program (SSMRP)
Seismic Hazard Characterization Project
Severe Accident Uncertainty Analysis (SAUNA)
Human factors research programs
Dependent Failures Program
MELCOR Program
Root Causes of Component Failure Program
Data Development and Evaluation
IPRDS Program
Statistical Techniques for Risk Analysis

45
6.2.2 TITLE:

PRA Methods Improvement

OBJECTIVE:

To develop and improve PRA methods. Emphasis in short term is to develop

methods for use in RMIEP which include recovery analysis, uncertainty analysis,
quantification, and integration of internal and external event analyses.
Long-term objectives are to assess methods and develop new methods as needed.

NEEDS BEING ADDRESSED:

#2 - Special Initiating Events

#3 - Integrated System Modeling
#5 - Integrated Software
#6 - Integrated Seismic Methods
#26 - Improved Recovery Model
#27 - Integration of Uncertainty and Sensitivity Analysis

DELIVERABLES:

Numerous reports will be developed from this program with RMIEP during
1984, 1985, 1986 (see Table 6-2)
Treatment of micro-processor reliability in PRAs (Sept. 1987)
PRA modeling considerations for reliability monitoring and reliability
assurance (Sept. 1986)
Survey of treatment of design, installation, and construction errors
(1986)

INTERFACES:

Integrated PRA Software Development

Flood
Integrated Dependent Failure Methodology
Time Dependent Reliability Modeling
Risk Methods Integration and Evaluation Program
Efficient Probability Computations and Methods for PRA
Study of Uncertainties in the Systems Analysis in Seismic PRA

46
6.2.3 TITLE:

Integrated Dependent Failure Methodology

OBJECTIVE:

To provide an integrated methodology for the identification, quantifica-

tion, and impact of dependent failures upon system failure and accident sequence
failure. External events as well as adverse environments will be addressed.

NEEDS BEING ADDRESSED:

#3 - Integrated System Modeling

#5 - Integrated Software
#6 - Integrated Seismic Methods
#7 - Integrated Fire Methods
#8 - Methods for Internal Flood.

DELIVERABLES:

Numerous reports will be developed from this program with RMIEP during
1984, 1985, 1986 (see Table 6-2)
Procedure for Treatment of Wind Risk in PRA (October 1986)
Evaluation of PRA Seismic Methods (July 1986)
Treatment of Seismically Induced Fires and Floods (July 1987)
Updated Dependent Failure Analysis Procedure (December 1987)
Harsh Environment Hazard Assessment Guidelines (December 1987)

INTERFACES:

Integrated PRA Software Development

RMIEP
Root Causes of Component Failure Program
External and Internal Flood Risk Analysis
Five Risk Analysis Research Program
Study of Uncertainties in the Systems Analysis of Seismic PRA
Human Factors Programs

47
6.2.4 TITLE:

Integration of Human Reliability Measures into the Probabilistic

Risk Assessment Process

OBJECTIVE:

Develop and test improved methods and techniques for conducting human
risk analysis (HRA) as an integrated part of the PRA processes, to identify,
quantify and report risk likelihood on potential core melt and/or radiation
release sequences involving operator or maintainer actions.

NEEDS BEING ADDRESSED:

#13 - Integration of Human Reliability Analysis Probabilistic Risk

Assessment

DELIVERABLES:

Data on the feasibility of integrating HRA requirements into the PRA

process (Sept. 1984).

Testable method for integrating HRA requirements more fully into the
PRA process (Sept. 1985).

Validated method for integrated HRA requirements fully into the PRA
process Sept. 1986)

INTERFACES:

Statistical Techniques for Risk Analysis

Integrated Dependent Failure Methodology
Human Performance Modeling for Nuclear Power Plant Operations
Risk Methods Integration and Evaluation Program

48
6.2.5 TITLE:

Improved Analytic Models for Assessing Human Error Contribution to NPP

Risk.

OBJECTIVE:

Develop and test analytic models accounting for cognitive, performance

shaping and interdependence aspects of human behavior involved in core melt/
radiation release precursor sequences, to support HRA segments of PRAs.

NEEDS BEING ADDRESSED:

#10 - Diagnosis Error Estimation

#13 - Integration of HRA into PRA

DELIVERABLES:

Data on the feasibility of utilizing human error and related performance

shaping data, to determine the impact of human error on overall NPP risk
(Sept. 1984).

Testable models for utilizing human error and related performance shaping
data, to determine the impact of human error on overall plant risk (Sept. 1985).

Validated models for utilizing human error and related performance shaping
data, to determine the impact of human error on overall plant risk. (Sept. 1986).

INTERFACES:

Statistical Techniques for Risk Analysis

Integrated Dependent Failure Methodology
Human Reliability Model for NPP Maintenance Personnel
Analysis of Human Errors for NPP Safety Related Events
Integration of Human Reliability Measures into the Probabilistic Risk
Assessment Process
Human Performance Modeling for Nuclear Power Plant Operations
Risk Methods Integration and Evaluation Program

49
6.2.6 TITLE:

Integrated PRA Software Development

OBJECTIVE:

To develop an integrated state-of-the-art computer system for PRA. The

system will include capabilities for independent and dependent failure analysis,
including external events.

NEEDS BEING ADDRESSED:

#5 - Integrated Software
#6 - Integrated Seismic Methods
#7 - Integrated Fire Methods
#8 - Methods for Internal Floods
#27 - Integration of Uncertainty and Sensitivity Analysis

DELIVERABLES:

PRA Software Review (Sept. 1984)

PRA Software Plan (Sept. 1984)
FTAP-COMCAN III Documentation and Code (Sept. 1985)
PLMOD Documentation and Code (Sept. 1985)
Design Documentation (Sept. 1985)
Code Development and Documentation (Sept. 1986, Sept. 1987)

INTERFACES:

Severe Accident Research Program

Seismic Safety Margin Research Program
Efficient Probability Computations and Methods for PRA

50
6.2.7 TITLE:

Efficient Probability Computations and Methods for PRA

OBJECTIVES:

To assess and develop a quantification technique that can be used to

calculate system reliability characteristics when the rare event approximation
does not hold and to investigate extensions of the Fault Graph method.

NEEDS BEING ADDRESSED:

#3 Integrated System Modeling

#5 Integrated Software

DELIVERABLES:

SIGPI Comparison - October 1985

SIGPI Portable Code User's Manual and Time-dependent Fault Graphs
- October 1985

INTERFACES:

Intergrated PRA Software Program.

Integrated Dependent Failure Methods.
PRA Methods Improvement.
Risk Methods Integration and Evaluation Program.
Study of Uncertainties in Systems Analysis of Seismic PRA.

51
6.2.8 TITLE:

Statistical Techniques for Risk Analysis

OBJECTIVE:

Develop failure rate data, statistical models, methodologies, and proce-

dures for applying quantitative techniques in risk analysis.

NEEDS BEING ADDRESSED:

#15 - User Data Base

#27 - Integration of Uncertainty and Sensitivity Analysis

DELIVERABLES:

Identification of significant component use conditions (1-85, 12-86)

Methodology for the collection and analysis of subjective data (1-85)
Methodology for common cause Quantification (3-85)
Component Failure Rate Data Report (1-87)
A Methodology for Conservatively Assessing Safety Goal Compatibility.
(1-86)

INTERFACES:

Risk Methods Integration and Evaluation Program

Analysis of Reliability Data from Nuclear Power Plants (IPRDS)
Accident Sequence Evaluation Program
Time Dependent Reliability Modeling
PRA Methods Improvement

52
6.2.9 TITLE:

Analysis of Reliability Data from Nuclear Power Plants (IPRDS)

OBJECTIVE:

To provide improved nuclear component reliability data for use in probabil-

istic risk assessments and to provide better bases for regulatory decisions in
areas such as the setting of component allowed downtimes and test intervals.

NEEDS BEING ADDRESSED:

#15 - Updated Data Base

DELIVERABLES:

Preliminary Report of root causes for component failure modes (11-84)

Circuit Breaker Failure Data Report (10-85)
Instrumentation Failure Data Report (10-85)
Methodology utilizing incipient and catastrophic failure histories to
estimate component reliability and assess maintenance effectiveness
(10-86)
Updated Data Base on Original Plants (10-87)
Expand Data Base to Include 4 additional units. (10-87)

INTERFACES:

Risk Methods Integration and Evaluation Program

Human Factors Program
Aging Program
Data Development and Evaluation
Root Causes of Component Failure Program
Accident Sequence Evaluation Program
Time Dependent Reliability Modeling
Statistical Techniques for Risk Analysis

53
6.2.10 TITLE:

Data Development and Evaluation

OBJECTIVE:

Evaluate existing data bases and develop a comprehensive numerical data

base for use in PRAs and other quantitative studies; perform specific statis-
tical and data inquiry studies; summarize and evaluate nuclear power plant com-
ponent failure data and estimate component failure rates; and develop a compre-
hensive user-friendly NPP data base for use in PRAs.

NEEDS BEING ADDRESSED:

#15 - Updated Data Base

DELIVERABLES:

LER data summaries (covering 1976-1982) of inverters (NUREG, Oct. 1984)

LER data summaries (covering years 1976-1983) of protective relays,
circuit breakers and time delay relays (draft, September 1984)
Pipe break frequency estimates for systems found important in past PRAs
(draft, September 1984).
A thorough statistical analysis (based on all LER data summaries) of
component failure rates formatted for use in PRA data inputs (draft,
September 1985)
A statistical evaluation of the existing NPRDS data base for meeting the
requirements of PRA data inputs (draft, September 1986)
A user-friendly NPP data base for use in PRAs (September 1987)

INTERFACES:

Analysis of Reliability Data from Nuclear Power Plants

Severe Accident Precursor
Risk Methods Integration and Evaluation Methods
Root Causes of Component Failure Program
Statistical Techniques for Risk Analysis

54
6.2.11 TITLE:

Root Causes of Component Failures

OBJECTIVES:

To identify the root causes of failures for components that comprise

safety and safety-support systems of nuclear power plants. All root causes of
component failures from the component design, through manufacture, installation,
maintenance, repair, and use are to be included. The components to be addressed
include all components involved in dominant accident sequences. A categorization
scheme is to be developed that uses existing data bases on component failures
to identify the root causes of failures.

An understanding of the underlying root causes of component failures

should support the plant's reliability assurance program. In addition, regu-
latory inspection activities might focus on how the reliability assurance
program is addressing these root causes. Ultimately the contribution to core
melt frequency from each root cause might be determined and integrated into
risk importance measures.

NEEDS BEING ADDRESSED:

#15 - Updated Component Data Base

#17 - Root Causes of Component Failure

DELIVERABLES:

Identification of Candidate Root Cause

Categories Oct. 84
Definition of Components, Evaluation of
Existing Data on Component Failures and
Trial Application Jan 85
Assessment of Data Bases Feb 85
Selection of Additional Components Mar 85
Modification of Categorization Scheme May 85
Categorization of Component Failure Data Jun 85
Amendments to Data Collection Scheme Sep 85

INTERFACES:

Inspection Effectiveness
Reliability Program
Harsh Environment Data
In-Plant Data Program (IPRDS)
Data Development and Evaluation
RMIEP
Statistical Techniques for Risk Analysis
Accident Sequence Evaluation Program

55
6.2.12 TITLE:

Human Reliability Data Bank for Nuclear Power Plant Operations

OBJECTIVE:

Test the practicality, acceptability and usefulness of a data bank concept

for collating storing and retrieving failure/error data from field training
simulator, expert judgement and computer modeling sources, for use on PRAs.

Determine the feasibility and advisability of integrating human reliabil-

ity, hardware and structural data bank concepts to more efficiently and cost
effectively support PRAs and related human factors and safety systems enhance-
ment activities.

NEEDS BEING ADDRESSED:

#15 - Updated Component Data Base

DELIVERABLES:

Tested human reliability data bank concept to support PRAs (Sept. 1984).

Data on the feasibility of extending human reliability data bank concept

to other human factors activities, and to NPP hardware and structural data
management (Sept. 1985).

Tested method for extending human reliability concepts and techniques

to HPP hardware and structural data management (Sept. 1986).

INTERFACES:

Data Development and Evaluation

Human Reliability Model for NPP Maintenance Personnel
Analysis of Human Errors for NPP Safety Related Events
Human Reliability Data Acquisition Using Nuclear Power
Safety Reporting System

56
6.2.13 TITLE:

Human Reliability Data Acquisition Using a Nuclear Power Safety Reporting

System

OBJECTIVE:

Test the practicality, acceptability and usefulness of an anonymous, non-

punitive, third party managed human error information, for use in HRA segments
of PRAs, and other human factors related activities.

NEEDS BEING ADDRESSED:

#14 - Human Error Reporting

#15 - Updated Data Base

DELIVERABLES:

Tested method for acquiring human error data from a third party managed
Nuclear power Safety Reporting System (NPSRS) (Sept. 1984).

INTERFACES:

Statistical Techniques for Risk Analysis

Integrated PRA Software Development
Accident Sequence Precursors
Analysis of Human Errors for NPP Safety Related Events
Human Performance Modeling for Nuclear Power Plant Operations
Precursor Program
Reliability Program
Inspection Effectiveness Program

57
6.2.14 TITLE:

Analysis of Human Errors for NPP Safety Related Events

OBJECTIVE:

Develop and test improved methods and techniques for acquiring human
error data from field, training simulator and expert judgement sources.

NEEDS BEING ADDRESSED:

#12 - Improved Methods for Determining Human Error Probability (human

error data acquisition)
#15 - Updated Data Base

DELIVERABLES:

Validated methods for acquiring human error data from field, training
simulator and expert judgement sources (Sept. 1984).

Data on the feasibility of systematically applying HEA/PRA results as

baseline measures to evaluate man-machine safety systems, and support develop-
ment of man-machine safety system design guidelines (Sept. 1985).

Testable methods for systematically applying HEA/PRA results as baseline

measures to evaluate man-machine safety systems, and support development of
man-machine safety system guidelines (Sept. 1986).

INTERFACES:

Statistical Techniques for Risk Analysis

Integrated PRA Software Development
Flood
Integrated Dependent Failure Methodology
Data Development and Evaluation
Human Reliability Model for NPP Maintenance Personnel
Integration of Human Reliability Measures into the Probabilistic Risk
Assessment Process
Human Performance Modeling for Nuclear Power Plant Operation
Risk Methods Integration and Evaluation Program (RMIEP)
Reliability Program
Inspection Effectiveness Program

58
6.2.15 TITLE:

Human Performance Assessment Using Computer Simulation Techniques

OBJECTIVE:

Develop and test methodologies, utilizing computer simulation techniques,

to provide a capability for analyzing and predicting human reliability in per-
forming selected NPP operations, maintenance and safeguards functions and
roles.

NEEDS BEING ADDRESSED:

#11 - Simulation Modeling for Maintenance Acts

#15 - Updated Data Base

DELIVERABLES:

Validated method for acquiring human error data from computer modeling of
selected NPP maintenance roles and functions (September 1984).

Data on the feasibility of extending computer modeling concepts and tech-

niques to NPP operations roles and functions (September 1985).

Requirements and logic for computer modeling of selected NPP operations

safeguards and maintenances roles and function (September 1986).

INTERFACES:

Analysis of Reliability Data from Nuclear Power Plants

Time Dependent Reliability Modeling
Human Performance Modeling for Nuclear Power Plant Operations
Risk Methods Improvement for RMIEP
Reliability Program
Inspection Effectiveness Program

59
6.2.16 TITLE:

Accident Sequence Precursors

(Includes Precursor Methodology)

OBJECTIVE:

The objectives of the precursor program are to identify significant or

important sequences that, more likely than others, could have led to severe
core damage; search operational events for the elements or precursors of
severe core damage accident sequences which are not predicted or poorly pre-
dicted in current probabilistic risk analyses (PRA); and analyze operational
events to estimate the frequencies and trends of system failures, function
failures, and overall frequency of severe core damage. This program is comple-
mentary to the nuclear plant probabilistic risk assessments (PRAs) currently
being performed by industry and the NRC. It provides a check on mathematically
modeled nuclear plant safety analyses through the application and use of opera-
tional experience data.

NEEDS BEING ADDRESSED:

#16 - Precursor Study

DELIVERABLES:

Improved methodology (mainly plant specified event

trees and better grouping of failure data) Dec. 1984
Draft 82-84 precursor report Dec. 1985
Draft 1969-1981 precursor re-evaluation Dec. 1986

INTERFACES:

Risk Methods Integration and Evaluation Program

Accident Sequence Evaluation Program
Severe Accident Research Program

60
6.2.17 TITLE:

Pressurized Thermal Shock Analysis

OBJECTIVES:

(1) Estimate the likelihood of vessel through wall crack penetration

due to PTS at three plants (one each B&W, CE, and W).

(2) Identify what is important:

sequences
operator and control actions
uncertainties

(3) Estimate the risk-reduction effectiveness of alternative corrective

measures.

(4) Identify important differences between the B&W, CE, and W plants
studied.

NEEDS BEING ADDRESSED:

#24 - Pressurized Thermal Shock Risk

DELIVERABLES:

ORNL DRAFT REPORT

Plant Frequency of R.V. Failure

Oconee April 1984

Calvert Cliffs Sept. 1984
Robinson Nov. 1984

INTERFACES:

This project is part of TAP A-49. The project uses input from DAE research
on TRAC/RELAP applications and coolant mixing and from DET research on
metallurgy and fracture mechanics (HSST). It uses plant design and operat-
ing information from Duke Power Company, BG&E, and CPRC. The project is
coordinated with PTS research by EPRI and A-47 research by NRC.

61
6.2.18 TITLE:

Development of Improved Physical Process Computer Codes for Risk Assessment

(MELCOR)

OBJECTIVES:

(1) To provide short-term upgrading of the MARCH and MATADOR (CORRAL)

risk assessment codes to account for specific and important defi-
ciencies.

(2) To provide the longer-term replacement risk code (MELCOR) for the
MARCH, MATADOR, and CRAC codes which: has a structure readily
amenable to incorporation of new models based on the ongoing experi-
mental research program; and permits the quantitative analysis of
both "best estimate" severe accident consequences and the associated
uncertainties.

NEEDS BEING ADDRESSED:

#18 - Phenomenological Data Needs

#19 - Integrated Risk Codes
#27 - Integration of Uncertainty and Sensitivity Analysis

DELIVERABLES:

Reports

Uncertainty Analysis Technique Comparisons Sept. 1984

Initial MELCOR version for internal use and
verification Nov. 1984
RIL on content of initial version,
applications, and future plans 1st Quarter, FY 85
Public release of code package 1st Quarter, FY 86
RIL on publicly available code package 1st Quarter, FY 86

INTERFACES:

Severe Accident Uncertainty Analysis

Risk Methods Integration and Evaluation Program
Phenomenology and Risk Uncertainty Evaluation Program

62
6.2.19 TITLE:

Phenomenology and Risk Uncertainty Evaluation Program

RESEARCH NEEDS BEING ADDRESSED:

#19 -
#27 -

OBJECTIVES:

To perform phenomenological uncertainty analyses for RMIEP program

To integrate systemic and phenomenological uncertainties into overall

risk uncertainty measure

To provide testing and quality assurance of MELCOR code.

DELIVERABLES:

Report on results of phenomenological uncertainty analyses

and risk uncertainty analyses for LaSalle (draft, Oct. 1986)
Report on conclusions of MELCOR testing and quality
assurance tasks (Oct. 1987)

INTERFACES:

RMIEP program
PRA Methods Improvement Program
MELCO project and related tasks

63
6.2.20 TITLE:

Localized Deposition from Wet Plumes

OBJECTIVE:

Develop and apply models to account for water content of atmospheric

discharges during severe accidents.

Scope nature and extent of experiments needed to generate required data.

NEEDS BEING ADDRESSED:

#22-

DELIVERABLES:

Model(s) and Revised (Preliminary) Consequence Estimates for LWR Severe

Accidents (December 1984)
Conceptual Designs for Experiments (March 1984)
Choose candidate sites for piggyback experiments (July 1985)

INTERFACES:

MELCOR

64
6.2.21 TITLE:

Consequence Modeling

OBJECTIVE:

Maintain/Utilize/Revise CRAC Consequence Code.

NEEDS BEING ADDRESSED:

#19 - Integrated Risk Codes

#20 -
#21 -
#23 -

DELIVERABLES:

Revisions of Health Effects Models (Sept. 1984)

Protection Factors for Respiratory Protection (Sept. 1984)

INTERFACES:

Severe Accident Uncertainty Analysis

Risk Methods Integration and Evaluation Program

65
6.2.22 TITLE:

Fire Risk Analysis Research Program

OBJECTIVE:

The objectives of this program are to describe state of the art fire risk
analysis methods, develop improvements to these methods, test and evaluate the
improved methods by analyzing fire risk as part of a full scope PRA, and
identify and develop needed improvements to the methods.

NEEDS BEING ADDRESSED:

#7 - Integration of Fire PRA Methodology

DELIVERABLES:

Due Date

Report on Improved COMPBRN & Expt Comparisons (UCLA) March 84

Redraft of "General Approach" Report (NRC) April 84

LR on Approaches to Improved Fire Growth Models (UCLA) April 84

LR on RMIEP Plant Fire Barriers (SNL) May 84

LR on Model Improvements (NBS) June 84

LR on Detection and Suppression Models (UCLA) September 84

LR on Evaluation of Fire Risk Analysis Methods (SNL) September 84

LR on Models for Fire Growth, Spread, Detection, and

Suppression (SNL) September 84

LR on Fire Barrier Effectiveness (SNL) November 84

LR on Probabilistic Fire Growth Model (UCLA) January 85

LR on Improved Models (NBS) March 85

LR on Suppression Effectiveness_ (SNL) April 85

LR on Fire Scenario Quantification (SNL) April 85

Report on RMIEP Plant Fire Risk Analysis (SNL) October 85

INTERFACES:

RMIEP
Fire Protection Research Program
Integrated Dependent Failure Methodology

66
6.2.23 TITLE:

External and Internal Flood Risk Analysis

OBJECTIVE:

To develop a methodology to estimate the overall risk of flooding of

nuclear power plants in terms of the likelihood and consequences of failure of
design flood protection.

NEEDS BEING ADDRESSED:

#8 - Methods for Internal Floods

#9 - Extreme Flood Estimation

DELIVERABLES:

Evaluation of nuclear power plant flood risk methodologies (for external

or internal flooding sources) (June 1984).
Probability of nuclear plant flooding from upstream dam failures, seiche
and tsunami (Sept. 1986).
Methods to estimate the probability of nuclear plant flooding by extreme
floods at and beyond the design flood elevation (Sept. 1986).
Flood methodologies and data tested for a specific site (Sept. 1988)
Evaluation of nuclear power plant flood design criteria. (Sept. 1989)

INTERFACES:

Risk Methodologies Integration and Evaluation Program

Root Causes of Component Failure Program
Integrated Dependent Failure Methods
Integrated PRA Software Program

67
6.2.24 TITLE:

The Study of Uncertainties in the Systems Analysis Part of Seismic PRA

OBJECTIVE:

To understand the qualitative and quantitative effect of more detailed

and realistic modeling of electrical, signal, control and instrumentation
failures and of operator response following seismic activity on the insights
gained from seismic PRAs.

NEEDS BEING ADDRESSED:

#3 - Integrated System Modeling

#4 - Control System Analysis
#6 - Integrated Seismic Methods

DELIVERABLES:

Final Report - Feb. 1986

INTERFACES:

NRR Review of Zion and Limerick PRAs

RMIEP
SSMRP
PRA Methods Improvement
Integrated Dependent Failure Methodology

68
6.3 Research Plan for Risk Reduction (Issue 3)

This section contains a description of the research plan for Issue 3.

69
6.3.1 TITLE:

Accident Sequence Evaluation Program

OBJECTIVE:

ASEP will provide research results to be used by the Source Term work,
proposed Severe Accident Policy Statement and other safety and regulatory
issues. In particular, ASEP will: (1) provide updated LWR accident sequence
information for all operating and near-term operating plants; (2) organize
the LWRs into a plant classification hierachy; (3) identify the dominant
sequences for each plant class; (4) describe the accident sequence likelihood
characteristics; (5) identify the generic accident sequence insights; (6) com-
pare the accident sequence likelihood characteristics with accident sequence
precursor results; and (7) identify NRC research and licensing application
needs.

NEEDS BEING ADDRESSED:

#29 - Identify and describe dominant accident sequences.

DELIVERABLES:

Catalog of PRA Dominant Accident Sequence Information

(Draft NUREG/CR - September 1984; Final NUREG/CR - September 1985)
Event Tree and Plant Grouping (Information Letter (IL) - December 1984)
Sensitivity Analysis Methodology (IL - October 1984)
Interim Accident Sequence Evaluation (IL - March 1984; Draft NUREG/CR -
September 1985; Final NUREG/CR - February 1986; RIL - June, 1986)
Final Accident Sequence Evaluation (IL - October 1986; Draft NUREG/CR -
March, 1987; Final NUREG/CR - September 1987; RIL - February 1988)
Computerized Data Base Management Systems and Information Retrieval
System on Generic Accident Sequence Information - Methodology/User
Manual (NUREG/CR - April 1988, RIL - September 1988)

INTERFACES:

Severe Accident Risk Reduction Program

Accident Source Term Program Office
Severe Accident Sequence Analysis
Accident Management
Human Factors
Accident Sequence Precursors
Inspection Guidance
LCO and Surveillance
IPRDS Program
Statistical Techniques for Risk Analysis

70
6.3.2 TITLE:

Severe Accident Risk Reduction Program

OBJECTIVES:

The objectives of SARRP are: (1) to assemble data on accident sequence

frequencies and characteristics, accident physical processes, and other rele-
vant data; (2) to use this information to generate estimates of the risk of
specific plants and generic classes of plants; (3) to evaluate the risk reduc-
tion potential and costs of alternative means for reducing risk; and (4) con-
tribute to the development and generation of the characterization of this data
in manners which best support decisionmaking. In performing work to meet this
objective, the SARRP program supports the NRC's assessment of the need to
provide additional severe accident protection in existing LWRs, as described
in the Commission's Severe Accident Policy Statement (Draft - 2/21/84).

NEEDS BEING ADDRESSED:

#30 -
#31 -
#32 -

DELIVERABLES:

- Report on the risk of the ASTPO reference plants Jan. 1985

- Report on the cost-effectiveness of changes to the

ASTPO reference plants Jan. 1985

- Report on the risk and cost-effectiveness of risk

reduction for generic plant classes June 1985

- Report on the evaluation of risk and/or cost-

effectiveness of risk reduction for specific issues
requiring attention in NRC licensing/regulatory
process As needed*

- Report on the re-evaluation of the risk and cost-

effectiveness of risk reduction of reference plants
and generic plant classes (using advanced likeli-
hood and consequence data) June 1987

INTERFACES:

Accident Sequence Evaluation Program

Accident Source Term Project Officer (ASTPO)

71
6.3.3 TITLE:

Support for Decisionmaking

OBJECTIVE:

• Develop and Demonstrate Method for Effective Display of Information

for Decisionmakers

• Provide means for Reaching Consensus on Scope and Format of Regula-

tory Analysis

• Provide Feedback to NRC Research Programs

• Prepare Regulatory Analysis to Support Severe Accident Decision

NEEDS BEING ADDRESSED:

#30 -
#33 -

DELIVERABLES:

• Information Display Methodology and Format 11/84

• Regulatory Analysis Reports 6/85

INTERFACES:

Severe Accident Risk Reduction Program

Value/Impact Analysis

72
6.3.4 TITLE:

Risk Importance Measures

OBJECTIVE:

• Develop a Systematic, Risk-based Approach for Structuring and

Prioritizing Safety Assurance Program and Activities

• Develop an Information Data Base for Implementation of the Approach

• Recommend, Develop and Apply Techniques for Assessing and Displaying

the Risk Importance of Reactor Systems and Components

NEEDS BEING ADDRESSED:

#34 -
#35 -
#36 -
#37 -
#38 -
#41 -

DELIVERABLES:

Report Specifying Improved Methodology for 10/85

Importance Measures

Report on "Utilization of Risk Importance Measures 10/85

by I&E"

INTERFACES:

Reliability Program
Inspection Effectiveness
Time Dependent Reliability Modeling

73
6.3.5 TITLE:

Value/Impact Analysis

OBJECTIVE:

• Develop, Document and Demonstrate Uniform Acceptable Value/Impact

Analysis Procedures

• Perform value/impact analysis on Major Regulatory issues.

NEED BEING ADDRESSED:

#30 -
#33 -

DELIVERABLES:

Complete ongoing V/I Analyses on major

regulatory issues 10/85

INTERFACES:

Severe Accident Risk Reduction Program (SARRP)

All proposed generic requirements
Regulatory Analyses for Proposed Rulemaking

74
6.3.6 TITLE:

Research Prioritization

OBJECTIVE:

• Develop a systematic, risk-based approach for research prioritization

• Identify and prioritize research needs from a risk perspective

NEEDS BEING ADDRESSED:

All

DELIVERABLES:

Report on Research prioritization process (February 1985)

Risk-based information for research needs (June 1985)

INTERFACES:

All Programs

75
6.3.7 TITLE:

Foreign Experience

OBJECTIVE:

• Analyze Regulatory Practices Related to Severe Accidents in Nuclear

Power Plants Including:

- Requirements Imposed on New and Existing Plants and the Rationale

for these Requirements

- Process for Making Decisions concerning Severe Accident Protection

- Role of PRA and reliability

• Analyze Other Uses of PRA in the Regulatory Process

• Determine What Lessons learned can be Applied to NRC Regulatory

Practices

NEEDS BEING ADDRESSED:

#33 -

DELIVERABLES:

• Report on Foreign use of PRA and reliability 11/84

in the Regulatory Process in selected foreign
countries. This includes:

- Foreign plant specific requirements

- Foreign generic regulatory applications
- Foreign legal applications
- Applications of Foreign Experience to
potential U.S. practices.

• Continue Data Base development and documentation

of foreign experience using PRA and reliability
analysis. 10/85

• Provide continued support to CSNI to carry out its 10/85

role and objectives.

INTERFACES:

Severe Accident Research Program (SARP)

76
6.4 Research Plan for Maintaining an Acceptable Risk Level (Issue 4)

This section contains a description of the research plan for Issue 4.

77
6.4.1 TITLE:

Reliability Program

OBJECTIVE:

Develop, evaluate, and recommend to NRR and IE reliability program

elements for use by operating LWR licensee.

NEEDS BEING ADDRESSED:

#34 - Designing reliability into systems important to safety

#35 - Prevention of reliability degradation during operation

DELIVERABLES:

• Recommended reliability program elements for reactor operations

- preliminary recommendation prior to trial use - January 1985

- final recommendation after trial use - December 1986

• Recommended Reliability program elements for design of new plants

and replacement equipment

- preliminary recommendation prior to trial use - July 1985

- final recommendation after trial use - December 1987

INTERFACES:

This research is coordinated with:

• NRCs ongoing regulatory programs, which have in place or are develop-

ing various elements of a reliability assurance program and will
implement the results of this research project (e.g., QA, human fac-
tors, ATWS rule, reliability data reporting and feedback systems)

• NRC research on related areas (e.g., reliability analysis methods

and data, risk importance measures, methods for optimizing LOCs and
surveillance intervals, methods to help prioritize NRC inspection,
accident sequence evaluation, and aging, and maintenance)

• Related nuclear industry initiatives at EPRI, NSAC, INPO, and

utilities

• Related reliability practices in aerospace and defense industries

78
6.4.2 TITLE:

Time Dependent Reliability Modeling

OBJECTIVE:

Develop and apply a methodology to evaluate operating procedures for safety

systems in standby, operating, and phased-mission stages; permit setting LCD's
and surveillance requirements; investigate usefulness of design modification in
terms of varying redundancies; and to perform sensitivity analyses to various
testing, operating, and maintenance strategies.

NEEDS BEING ADDRESSED:

#5 - Integrated Software Package

#36 -
#37 -
#38 -
#39 -
#40 - from Technical Specification Program

DELIVERABLES:

A FRANTIC III methods manual and a user manual (March 1985)

Draft report describing a modification to FRANTIC III and an application

to analyze components whose failures are controlled by a leading cause, rather
than being comprised of equally reliable elements. (Sept. 1985)

An application of FRANTIC II and other models to specific NPPs to develop

a methodology to provide a quantitative basis for revising LCOs and surveil-
lance frequencies in the technical specifications (draft April 1985)

Reports evaluating operating procedures for safety systems in standby,

operating, and phased-mission stages; and describing sensitivity analyses to
various testing operating, and maintenance strategies. (September 1986-1987)

INTERFACES:

Risk Methods Integration and Evaluation Program

Reliability Program
Inspection Effectiveness
Risk Importance Measures Program
Accident Sequence Evaluation Program
Statistical Techniques for Risk Analysis
Integrated PRA Software Development

79
6.4.3 TITLE:

Risk Assessment Application to NRC Inspection

OBJECTIVE:

To determine reliability and risk assessment methods and information that

can be used to prioritize and modify NRC inspection activities so that IE can
concentrate their activities in areas having greatest impact on plant safety.

NEEDS BEING ADDRESSED:

#41 -
#42 -

DELIVERABLES:

Risk based information that enables inspection activities to be prioritized

such as importance measures and their combinations. Test case for Arkansas
Nuclear Unit will be developed for testing purposes by the resident inspector
by 9/1/84.

INTERFACES:

Accident Sequence Evaluation Program (Sandia)

Precursor Program (ORNL)
Risk Importance Measures (BCL)
Risk Limitation Effectiveness of Regulations
Reliability Program

80
6.4.4 TITLE:

Effectiveness of LWR Regulatory Requirements in Limiting Risk

OBJECTIVE:

To identify LWR regulatory requirements that have marginal

importance to risk.

NEEDS BEING ADDRESSED:

#43 -

DELIVERABLES:

Program is currently being finalized.

INTERFACES:

Inspection Effectiveness.
Importance Measures.
Time-Dependent Reliability Modeling.
Reliability Program.

81
6.5 Implementation Schedule

This section contains a summary of the deliverables from the research

programs. They are organized chronologically.

82
 Table 6-3 Deliverables in chronological order

SEPTEMBER 1984

PRA software review

PRA software program plan
Revision of health effects models
Protection factors for respiratory protection
Validated method of acquiring human error data from computer modeling of
maintenance roles and functions
Validated methods for acquiring human error data from field, training
simulator and expert judgment sources
Data on the feasibility of integrating HRA requirements into the HRA
process
Tested method for acquiring human error data from a third party manage
NPSRS
Tested human reliability data bank concept
Data on the feasibility of utilizing human error and related performance
shaping data, to determine the impact of human error on overall NPP risk
LER data summaries for protective relays, circuit breakers, and time delay
relays
Pipe break frequency estimates for systems found important in past PRAs
Uncertainty analysis technique comparison
Draft PTS report on Calver Cliffs
Catalog of PRA dominant accident sequence information (draft)

OCTOBER 1984

RMIEP approach to fire PRA

Integrated common cause failure analysis methods for RMIEP
[ER data summarizes for inverters
Identification of candidate root cause categories

NOVEMBER 1984

RMIEP approach to internal flood PRA

Draft PTS Report on Robinson
Information display methodology and format
Report on foreign use of PRA in regulatory process
MELCOR-Initial version for NRC use and verification

DECEMBER 1984

Improved methodology for accident sequence -precursors

RIL on MELCOR-1
Localized deposition models and revised consequence estimates
Methods for uncertainty analysis in PRA for RMIEP

83
 Table 6-3 (Continued)

JANUARY 1985

Reliability program elements for operation recommended for

trial use
Methodology for the collection and analysis of subjective data
Identification of significant component use conditions
Probabilistic analysis of operator misdiagnosis of accident initiating
events
Definition of components, evaluation of existing data on component
failures, and trial application
Report on the risk of the ASTPO reference plants
Report on the cost - effectiveness of changes to ASTPO reference plants

FEBRUARY 1985

Independent evaluation of SEISIM

Document design for a PRA
Report on Research prioritization process.

MARCH 1985

Methodology for common cause quantification

Methods for sensitivity analysis in RMIEP
PRA accident recovery modeling
Conceptual Designs for Experiments for Wet Plume Deposition
FRANTIC III methods manual and user manual

APRIL 1985

Program plan for harsh data collection

FRANTIC II application to NPPs for LOCs

MAY 1985

Use of realistic thermal-hydraulic modeling in PRAs

JUNE 1985

Evaluation of nuclear power plant flood risk methodologies

Report on the risk and cost-effectiveness of risk reduction
for generic plant risk.
Risk-based information for research needs
Regulatory analysis reports

84
 Table 6-3 (Continued)

JULY 1985

Reliability assurance program elements for design recommended for trial use
Candidate sites for piggyback experiments for deposition of wet plume
experiments

SEPTEMBER 1985

FTAP-COMCAN III documentation and code

PLMOD documentation and code
PRA software design report
Improved version of Frantic III
Data on the feasibility of extending computer modeling concepts and tech-
niques of operations roles and functions
Data on the feasibility of extending human reliability data bank concepts
and techniques to NPP hardware and structural data management
Data on the feasibility of systematically applying NRA/PRA results as
baseline measures to evaluate man-machine safety systems, and support
development of man-machine safety system design concepts
Testable method for integrating HRA requirements more fully into the PRA
process
Testable models for utilizing human error and related performance shaping
data, to determine the impact of human error on overall risk
A thorough statistical analysis of LER summaries in format for use in PRAs
Methods of estimate probability of NNP flooding from external sources
Catalog of PRA dominant accident sequence information (final)

OCTOBER 1985

Circuit breaker reliability data report

Instrumentation reliability data report
Report on RMIEP plant fire analysis
SIGPI comparison
SIGPI Portable Code and User's Manual
Time-dependent Fault Graphs
Report of selected V/I analyses
Report on specifying improved methodology for importance measures
Report on utilization of risk importance measures by I&E

DECEMBER 1985

1982-1984 precursor report

MELCOR - public release and RIL

85
 Table 6-3 (Continued)

JANUARY 1986

Recommendations for trial use of alert levels to distinguish when

component failure rates are high enough to become safety concerns
A methodology for conservatively assessing safety goal compatibility
Identification of significant component use conditions
Methods to estimate the probability of nuclear power plant flooding by
extreme floods at or beyond the design flood level

FEBRUARY 1986

Uncertainties in the Systems Analysis Part of Seismic PRA

MARCH 1986

Final accident sequence evaluation report

APRIL 1986

LaSalle accident sequence likelihood report (draft)

JUNE 1986

Probability of NPP flooding from upstream dam failures, seiche, and tsunami

JULY 1986

Evaluation of PRA seismic methods

RMIEP methods reports

SEPTEMBER 1986

PRA software and draft documentation

Tested methods for systematically applying HRA/PRA results as baseline
measures to evaluate man-machine systems, and support development of
man-machine safety system guidelines
Validated method for integrating HRA requirements fully into the PRA process
Tested method for extending human reliability concepts and techniques to
NPP hardware and structural data management
Validated models for utilizing human error and related performance shaping
data, to determine the impact of human error on overall NPP risk
Requirements and logic for Computer Modeling of selected NPP operations,
safeguards and manpower functions and roles
Statistical evaluation of NPRDS for PRA data needs
PRA modeling considerations for reliability monitoring and reliability
assurance
Survey of treatment of design and construction errors
Flood methodologies and data tested for specific site using integrated
dependent failure approach
Probability of NNP flooding from external sources

86
 Table 6-3 (Continued)

OCTOBER 1986

Methodology utilizing incipient and catastrophic failure histories to

estimate component reliability and assess maintenance effectiveness
Transnational reliability data base
Reliability data analysis methodology
Harsh environment data source
Procedure for treatment of wind risk in PRA
LaSalle containment/consequence report (draft)

DECEMBER 1986

Reliability assurance program elements for reactor operations

1969-1981 precursor re-evaluation

DECEMBER 1987

Reliability assurance program elements for design

Criteria for alert levels to distinguish when component failure rates
become high enough to become safety concerns
Updated dependent failure analysis procedure
Harsh environment hazard assessment guidelines

JANUARY 1987

Component failure rate data report

JUNE 1987

Evaluation of nuclear power plant flood risk methodologies (for

internal and external floods)
Report on the re-evaluation of the risk and cost-effectiveness of
risk reduction of reference plants and generic plant classes.

JULY 1987

Treatment of seismically induced fires and floods

SEPTEMBER 1987

PRA software and final documentation

A user-friendly NPP data base for use in PRAs
Treatment of micro-processor reliability in PRAs
User oriented computerized ASEP event tree/fault tree models
Computerized data base management system on generic accident sequence
information

87
 Table 6-3 (Continued)

OCTOBER 1987

Updated data base of original IPRDS plants

Expanded IPRDS data base to include 4 additional units
Report on conclusions of MELCOR testing and quality
assurance tasks

88
6.6 Future Research

This document describes the current plan. It addresses PRA needs as they
are now understood. It is expected that in the future, new needs will arise
as a result of NRC user requests, issues identified in RMIEP, and new regulatory
issues. No new plant PRAs beyond RMIEP are envisioned. The detailed RMIEP
models will lastingly serve as a test bed for new methodologies as they become
sufficiently mature to be integrated with existing PRA methods. The results
of work on the root cause of failures and errors will clearly improve the
usefulness of PRA results in the resolution and prevention of safety problems,
and this work should identify other areas of needed future research.

Comment on this document undoubtedly will focus attention on future needs

more explicitly. Therefore, a more detailed discussion of future needs will be
deferred until the first revision.

89
6.7 Program Prioritization

Each year the research needs will be evaluated, assessed, and prioritized.
The prioritization will follow the steps outlined in the report Research
Prioritization currently being finalized.

The criteria to be used in the research prioritization are defined in

Table 6-4. The last criterion, program efficacy is defined in Table 6-5.

90
 Table 6-4 Criteria definitions
REGULATORY SIGNIFICANCE:
RISK RELEVANCE:
RESEARCH IMPACT:
PROGRAM EFFICACY:
Important with regard to regulatory needs and
regulatory issues
Importance with regard to risk and risk uncertainty
contribution
The impact research can have on addressing the issue
or reducing the uncertainty
The effectiveness and efficiency of the program in
addressing the research need
91
 Table 6-5 Attributes determining program efficacy

Program Scope: Regulatory or research need addressed including

relationship to the larger problem (the research
sub - element)

Program Importance Importance of the need which is addressed in the

program

Timeliness: Degree to which the program schedule meets the

schedule of regulatory needs

Specificity of Tasks: Specificness of tasks and milestones, which enables

program progress to be effectively monitored

Staff and Facilities: Quality of staff and facilities involved in the

program

Costs: Actual projected costs of the program

92
 NRCFoRm335 1. REPORT NUMF.ER (Assigned by DDC)
811
U.S. NUCLEAR REGULATORY COMMISSION

BIBLIOGRAPHIC DATA SHEET NUREG 1093 -

4 TITLE AND SUBTITLE (Add Volume No., if appropriate) 2. (Leave blank)

Reliability and Risk Analysis Methods Research Plan

3. RECIPIENT'S ACCESSION NO.

7. AUTHORS)
5. DATE REPORT COMPLETED
MONTH I YEAR
September 1984
9. PERFORMING ORGANIZATION NAME AND MAILING ADDRESS (Thciude ZIP Code) DATE REPORT ISSUED
MONTH I YEAR
Division of Risk Analysis and Operations October 1984
Office of Nuclear Regulatory Research 6. (Leave blank)
U.S. Nuclear Regulatory Commission
Washington, DC 20555 8. (Leave blank)

12. SPONSORING ORGANIZATION NAME AND MAILING ADDRESS (Include ZIp Code)
10. PROJECT/TASK/WORK UNIT NO.

Same as 9 above. 11. FIN NO.

13. TYPE OF REPORT PERIOD COVE RED (lncluswe dates)

Final

15. SUPPLEMENTARY NOTES 14. (Leave olank)

16. ABSTRACT (200 words or less)

This document presents a plan for reliability and risk analysis methods research to be
performed mainly by the Reactor Risk Branch (RRB), Division of Risk Analysis and Operations
(DRAO), Office of Nuclear Regulatory Research. It includes those activities of other
DRAO branches which are very closely related to those of the RRB. Related or interfacing
programs of - other divisions, offices and organizations are merely indicated.

The primary use of this document is envisioned as an NRC working document, covering about
a 3-year period, to foster better coordination in reliability and risk analysis methods
development between the offices of Nuclear Regulatory Research and Nuclear Reactor
Regulation. It will also serve as an information source for contractors and others to
more clearly understand the objectives, needs, programmatic activities and interfaces
together with the overall logical structure of the program.

17 KEY WORDS AND DOCUMENT ANALYSIS 17a. DESCRIPTORS

Reliability Analysis
Risk Analysis
PRA
Research Plan
Probabilistic Risk Analysis

17b. IDENTIFIERS OPEN-ENDED TERMS

18, AVAILABILITY STATEMENT 1 9. SECURITy C.LASS (Th,s report) 21 NO. OF PAGES

nclassified
U

Unlimited 2briEiLaRsir.T.f.1_,,eds (Th,s pagei 22 :RICE

NRC FORM 335 ?nen