Risk management thinking … outside of regulations. Physician, heal thyself. Risk Bukai Seminar 03/25/18. Woody Epstein. The Risk Alliance www.riskalliance.org info@riskalliance.org. Part #1 A view from the USA: Using Quantitative Risk Assessment in a Risk Informed Framework. Woody Epstein.
Why do we say quantitative risk assessment? QRA = PRA and DRA
What does it mean to imagine credible accidents? How does understanding uncertainty help? Cliff Edge Deterministic Probabilistic Safety Curves
What are the real questions? • Why expand PRA to a Risk Informed Defense in Depth and Safety Margin Framework (DRA)? • How are PRA and DRA balanced? • What is the outcome if we do not expand this approach?
Insights from Risk Informed Analyses • Internal Events at Power calculated Core Damage Frequencies (CDFs) are ~ E-5/year for operating plants • Non-safety systems and operator actions are important • Fire calculated risk may be higher than previously determined: Spatial • External Flooding (Hazard, Capability, Reliability): Spatial Event • Deterministic Analyses may challenge current design basis • Risk Informed approaches are being refined • Probabilistic Hazard Assessment is a major challenge • Failures of Flood Prevention and Mitigation Features can be important • Insights can be “blurred” by effort required to assess actual capability • $1 good result; $2 poorer result; $5 good and justifiable result • Especially the case for spatial events on Gen I-II Plants • Need to blend quantitative insights with Defense in Depth Insights
What do PRA Results/Insights Suggest? • PRAs DO NOT replace the “Deterministic” Approach • Need a Design Basis (Sizing, capacity, protect investment, etc.) • Traditional Defense in Depth (DID) and Safety Margin practices address uncertainties in Traditional Practices and somewhat in PRA analyses and PRA scope, and can offset the potential for optimistic estimates for low frequency events • Deterministic approaches can provide unintended margin, such as designing containment for LBLOCA and Large Main Steam Line Break • PRA provides a perspective on DID not easily achievable deterministically, as redundancy-diversity and availability-reliability are explicitly addressed, and their influence on a scenario-functional basis can be assessed • Scenarios can be reviewed for frequency versus mitigation capability • Scenarios with lower/higher than anticipated frequencies can be identified • E.g. is a “smart” fire with a calculated frequency of 1E-6/yr and a Conditional Core Damage Probability (CCDP) of 0.1 equivalent to a “dumb” fire with a calculated frequency of 1E-3/yr and a CCDP of 1E-4? • DID is quite different; what is the uncertainty in 1E-7/yr?
Example Insights – Fire Protection • Many US Plants are transitioning to a National Fire Protection Association (NFPA-805) Licensing Basis • NFPA-805 is a voluntary alternative to deterministic rules and guidance • The transition requires a high quality, detailed Fire PRA • Others are conducting Fire PRAs for Insights and Applications • For NFPA-805, FPRAs are used to assess the risk significance of Variances from Deterministic Requirements (VFDRs) so as to support their disposition and to identify improvement opportunities • Disposition Alternatives for VFDRs include • Design/operational change to eliminate/reduce the VFDR risk • Risk acceptable with Recovery Action (RA) (Can Retain RA for DID) • Risk acceptable without an RA as the risk increase without the RA is insignificant and DID is robust (RG 1.174 basis) • Cost beneficial enhancements are being identified • Many VFDRs are Risk Insignificant • “Smart” Modifications, i.e., changes which are more effective in reducing risk, can be much better than verbatim compliance • E.g. making 2 versus 1 power source available, where only 1 is required for compliance
Fire Protection Defense in Depth Insights • The Traditional, Deterministic DID approach for Fire Protection has 3 parts • Prevent fires from occurring • Detect and suppress fires thereby limiting fire damage, and • Have a safe shutdown (SSD) path free of fire damage (although this may use RAs to address damaged equipment). • Mitigation portion of the fire protection (FP) design basis provides for a single safe shutdown (SSD) path, which may require RAs • Typically Design basis events, e.g. LOCAs, also have these 3 levels of defense in depth • E.g. ISI to prevent, leakage detection to detect and conduct orderly shutdown • However, most design basis events also require at least 2 safe shutdown paths. • Fires which most impact DID typically drive results • Example: Train 1 DC cable 2 feet above Train 2 AC bus duct with no protection
Risk Informed Evaluation • Risk Informed Evaluations consider • Each level of DID and the actual degree of DID achieved • Fire frequency and Ability to detect and suppress a fire before significant damage occurs • The actual impacts of a fire scenario, including equipment damaged, time available for operator action, instrumentation, and the availability and reliability of potential SSD paths • Uncertainty and sensitivity of results to key assumptions and modeling • Results are reviewed using an Integrated Decision Making Panel with the objective to act on “Imbalances” (E.g. where the conditional probability of core damage is high) • Deterministic approach to Fire Protection basically treats all fires as equal, as long as a single SSD path is available • Robustness of DID is addressed based on judgment • Fire frequency is not addressed • Availability and reliability are not addressed • Operator actions are deemed feasible if time available exceeds the time needed to perform the action • A Go-No Go Approach
Fire PRA Insights • Calculated results do not suggest that Fire Risk is “insignificant” • Firm belief of conservatism in the methods and data • Removing expected conservatism does not change the conclusion on risk significance • May change relative significance • DID approach to Fire Protection constrains achieving Results which are risk insignificant • Single Safe Shutdown (SSD) Path • In some cases large fires require Recovery Actions to maintain-regain a SSD path • Loss of Offsite Power (LOOP) can be caused by fires; resulting in reliance on an Emergency Diesel Generator (EDG) • FPRAs have identified scenarios where no SSD Path is available
Defense in Depth Insights Typical Results • Redundant trains are affected by a Fire Damage State (FDS) and the SSD strategy includes RAs where the time available is comparable to the time required to complete the actions • The frequency associated with the FDS is in the range of 1E-4/year to 1E-5/year and a single SSD path is available with or without the need for a RA • The SSD strategy uses Alternate Shutdown (ASD) • Most of the FDSs in ASD fire areas can be managed from the Main Control Room (MCR) • Fires which fail electrical equipment are most risk significant
Insights • The traditional approach to risk management and DID is invaluable as it addresses: • Preventing fires, • Having quality detection and suppression systems and • Providing high assurance of a SSD path with associated procedures and training. • PRA insights used in a RI framework provide improved assurance in balance and can support identification of reasonable modifications to reduce risk and improve DID, as well as relax requirements for low risk areas. • This should not be interpreted to mean that existing traditional practices are inadequate. • Operating experience in the US demonstrates that there have been no fires since Browns Ferry in the mid-1970s which have placed a plant in a high conditional risk situation. • But given the insights achievable from PRA, PRA insights should be applied to provide even higher confidence that a high conditional risk situation for credible fires does not occur in the future.
Scenario 1 Example • “Smart” transient fire occurs (calculated frequency of 1E-6/year) and spreads before detection and suppression (manually actuated) can prevent damage to risk significant equipment. • Results in an initial station blackout (SBO), where both onsite and offsite ac sources are unavailable. • With local, time sensitive field operator actions the Conditional Core Damage Probability (CCDP) is 0.1; without the actions the CCDP is 1.0 • Equipment that could be damaged could be protected by an engineered shield. The CCDP with the shield is calculated to be 1E-3 (without any time sensitive local field actions), and the plant would not be placed in a SBO situation • Given the uncertainty and potential damage a decision was made to install an engineered shield. • This decision significantly improves defense in depth and addresses the high uncertainty in transient fire frequency and operator response.
Scenario 2 Example • An electrical panel fire (frequency of 1E-4/year) occurs with successful detection and mitigation, and has a calculated CCDP of 2E-2. • Key contributor to CCDP is failure of the available emergency diesel generator (EDG) to operate. • Analyses indicate that adding a local, field recovery action (RA) will make available a second train of electrical power with supply from offsite power. • The calculated CCDP with the action is 1E-3. • Having two trains available considerably reduces risk and improves DID; in addition offsite power is a diverse power source. • The action is straightforward and does not adversely impact other operator actions. • A decision was made to add the action to procedures and train accordingly.
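The frequency-versus-CCDP comparison raised by the “smart”/“dumb” fire question and by Scenarios 1 and 2, worked through as an added example that is not part of the original slides. The frequencies and CCDPs are the slide values; treating them as lognormal medians, the error factors, and the 0.1 "high CCDP" screening threshold are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

Z95 = 1.645  # 95th percentile of the standard normal distribution


@dataclass(frozen=True)
class FireScenario:
    name: str
    freq_per_yr: float  # fire frequency from the slides, used as a lognormal median (assumption)
    ccdp: float         # conditional core damage probability, used as a median (assumption)
    ef_freq: float      # error factor = 95th percentile / median (constructed value)
    ef_ccdp: float      # error factor for the CCDP (constructed value)

    def cdf_point(self) -> float:
        """Point-estimate core damage frequency contribution, per year."""
        return self.freq_per_yr * self.ccdp

    def cdf_95th(self) -> float:
        """95th percentile of frequency x CCDP for independent lognormals.

        The product of two independent lognormals is lognormal with the
        log-variances summed. Treating a probability as lognormal is an
        approximation that ignores its upper bound of 1.0.
        """
        sigma_f = math.log(self.ef_freq) / Z95
        sigma_c = math.log(self.ef_ccdp) / Z95
        return self.cdf_point() * math.exp(Z95 * math.hypot(sigma_f, sigma_c))


def review(scenarios, high_ccdp=0.1):
    """Rank scenarios by point-estimate CDF and flag DID imbalances.

    high_ccdp is a hypothetical screening threshold: a scenario at or above
    it has little mitigation left once the fire has occurred, whatever its
    frequency.
    """
    rows = [
        {
            "name": s.name,
            "cdf": s.cdf_point(),
            "cdf_95": s.cdf_95th(),
            "did_imbalance": s.ccdp >= high_ccdp,
        }
        for s in scenarios
    ]
    return sorted(rows, key=lambda r: r["cdf"], reverse=True)


def reduction_factor(before, after):
    """Factor by which a modification lowers the point-estimate CDF."""
    return before.cdf_point() / after.cdf_point()


# Slide values for frequency and CCDP; error factors are constructed.
# The transient ("smart") fire gets a wider frequency band because the
# slides call its frequency and the operator response highly uncertain.
SMART_FIRE = FireScenario("smart fire, local actions", 1e-6, 0.1, 10, 3)
DUMB_FIRE = FireScenario("dumb fire", 1e-3, 1e-4, 3, 3)
S1_SHIELD = FireScenario("scenario 1, engineered shield", 1e-6, 1e-3, 10, 3)
S2_BEFORE = FireScenario("scenario 2, EDG only", 1e-4, 2e-2, 3, 3)
S2_AFTER = FireScenario("scenario 2, with RA", 1e-4, 1e-3, 3, 3)

if __name__ == "__main__":
    everything = [SMART_FIRE, DUMB_FIRE, S1_SHIELD, S2_BEFORE, S2_AFTER]
    for row in review(everything):
        flag = "DID imbalance" if row["did_imbalance"] else ""
        print(f'{row["name"]:32s} CDF={row["cdf"]:.1e}/yr '
              f'95th={row["cdf_95"]:.1e}/yr {flag}')
    print("scenario 1 shield reduction:", round(reduction_factor(SMART_FIRE, S1_SHIELD)))
    print("scenario 2 RA reduction:", round(reduction_factor(S2_BEFORE, S2_AFTER)))
```

Both fires contribute 1E-7/yr as point estimates, but under these assumed error factors the smart fire carries the higher 95th percentile and is the only one flagged on CCDP, which is the difference in DID the slide asks about.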
Challenges and Opportunities • Effectiveness of existing practices and their ability to evolve; • belief in numbers vs. search for risk insights guided by numbers and uncertainty; • belief in lagging indicators; • cost; • communications.
Current Processes • Current US processes have proven effective and are adaptable based on experience and new knowledge; so why make significant changes? • These processes have been periodically changed based on experience and new information • Use of PRA to inform decisions has been a key to improved operational decision-making in terms of the conduct of plant operations, risk reductions and safety/risk management. • In addition, NRC and the nuclear industry have reacted, and can react, quickly to issues. • Note the extensive actions taken to address the events at Fukushima Daiichi (NTTF). • So, if current processes are effective and adaptive, why make a major change?
Nuclear Industry Experience • The experience of most members of the industry involves meeting requirements using prescriptive metrics • (i.e., meet the design basis and existing regulations aimed at managing beyond design basis risk). • This is obviously important and fundamental to Industry stability. • PRA results are “fuzzy” to many of these members of industry. • So if changes are made should they be prescriptive? • Or is a risk informed process which embraces both DRA and PRA informed practices better? • How do we get this mindset changed given the evolving role of PRA and risk informed decision making in current operations and regulatory oversight? • Do we really think we cannot do better? • Opportunity: In the US NRC and Industry are moving towards a more Risk Informed Approach
DRA and PRA Informed Balance • Some PRA members do not have an appreciation of the importance of design bases and traditional means to support safety decisions. • They think PRA can improve everything. • Some fail to recognize that without a design basis supporting a PRA, the PRA would have even more uncertainty, and perhaps not be useful at all. • So how do we get these members to understand the critical role of traditional practices? • Opportunity: Senior PRA and safety Industry people have developed in their appreciation of the importance of blending DRA and PRA informed approaches • Regulatory guides have been developed • Industry guidance has been developed • Defense in Depth and mining PRA results for insights has increased significantly as a result of NFPA-805
Programs and Processes • Some industry members believe that the programs and processes in place will provide sufficient leading indicators so that action will be taken to avert a major event. • Considerable DID and safety margin, perhaps more than currently exists, is needed to support this belief. • For some hazards DID has less balance than for typical non-spatial events. • Spatial events can challenge the perceived level of DID, and because their frequencies are generally very low, even experts can be challenged in appreciating their potential significance. • So how do we achieve a more complete perspective? • The only leading indicator for some potential events accepted globally by the Industry is new information, if it is acted on effectively in advance of the event. • Analyses, walk-downs, modifications, rule making, etc. to improve on capability and DID • Opportunity: Industry is reacting to the tragic events at Fukushima Dai-ichi and Fire Lessons Learned
PRA Cost and Burden • Development and maintenance of PRA requires funding and can be burdensome. • Perhaps a phased approach or more complete integration of PRA functions within existing engineering organizations could provide more robust development and maintenance of PRAs. • In comparison, PRA organizations at operating utilities are typically provided with a small fraction of the resources provided to design basis engineering organizational functions. • Opportunity: This is occurring gradually and more and more senior executives understand the importance of a successful risk assessment and management program
Communication • Communications is a challenge as the language used by technical experts with expertise in different technical fields varies considerably. • For example, how many traditional engineers use terms such as epistemic vs. aleatory, Fussell-Vesely, risk reduction worth, risk achievement worth, Birnbaum, complementary cumulative distribution function, conditional core damage probability, correlated events? • And are such terms needed in communicating with industry experts outside of the “PRA community”? • The response is straightforward: “No”. The actual definition for each of these terms, and others, is straightforward and does not require PRA expertise. • Communications may be the number 1 challenge faced in transitioning to an improved, more risk informed decision making framework. So who will take on this challenge? • Opportunity: Industry recognizes this challenge and is involving experienced members with broad backgrounds to improve on communications
Response to Q1: Why Expand Use of PRA • First, existing practices have resulted in safe plants and operating experience and evaluations provide strong evidence that risk has been reduced considerably. • Existing practices have changed, and will change, based on events and new information. • We need look no further than past history and actions taken and underway to address lessons learned from the events at Fukushima Daiichi. • However, if we do not expand the use of PRA then we will be basing our understanding of limiting features on current practices (directed evaluations (such as those for external flooding and earthquakes), insights from generic studies, operating experience, new knowledge), which is invaluable and is very effective in supporting decision making. • Mining of PRA insights provides a perspective on highly unlikely events (i.e., beyond design basis events) which has proven elusive using traditional mostly qualitative practices.
Response to Q1: Why Expand Use of PRA • Second, an integrated RI DID and safety margin framework is most effective at addressing three key questions: • Have we identified the most likely types of scenarios and have we acted to maintain the frequency and/or consequences sufficiently low? • Have we identified credible scenarios where the level of DID should be revisited? • How do we more effectively address new knowledge and experience so we do not need to react on a short-term basis because we already have the answers or a framework available? • Third, recent experience with analyses of spatial hazards, such as internal fires, provides strong bases for using the unique capability of PRA within a RI DID and safety margin framework to increase the confidence in decisions. • Finally, wiser, more effective decisions can be made on a plant-specific basis using a PRA or risk informed framework. Plant characteristics vary. This is an extremely important point as all risk is local and plant-specific.
Response to Q2: Blending Deterministic and PRA • PRA does not replace “Deterministic” Practices • Design Basis is needed for: • Component, System, Structure capacity/capability determination • Programs and Practices development • Operating Margins, Basic Defense in Depth and Safety Margin • Addressing events and sequences less severe than core damage • Note: Part of the design basis can explicitly depend on probabilities, such as for tornados, seismic hazard, and other external hazards • As discussed, however, proper PRA use provides insights not easily achievable using traditional approaches
Response to Q3: Outcome without Expanded Use? • Only speculation is possible, as the existing processes have been effective for design basis events if not as efficient as ideally possible. • First, we may miss an opportunity to more fully develop potentially important lessons from the events at Fukushima Dai-ichi. • Second, absent an improved risk informed DID and safety margin framework we may, as in the past, misallocate resources on the basis of generic changes to plants which are not generic. • The “all risk is local” belief implies that the risk must be evaluated on a location and plant specific basis. • Finally, continually challenging our understanding of safety and risk and reacting accordingly is prudent • Would the Industry and NRC have preferred to be able to respond to the events at Fukushima Dai-ichi with a statement such as the following: “We have completed an initial review of the causes and determined, based on routine updates to potential hazards such as external flooding and tsunamis, that credible hazards have been fully addressed. We will continue to seek lessons and act accordingly.”
Conclusions • A changed framework will require investment and should be deliberate. • Reduce the conservatism in some of the existing PRA methods, • Understand uncertainties in calculated results, • Enhance some methods to improve their bases. • In addition, an improved and agreed upon risk informed, performance based, DID and safety margin framework will further improve how Industry balances DRA and PRA informed methods and results. • I cannot provide a roadmap for addressing the noted challenges. However, each must be addressed if a transition to a more risk informed decision making process is to be achieved, and many organizations as noted are considering such a roadmap. • I am confident we started this transition several decades ago and will continue to evolve
Conclusions – Ongoing Activity • Measured, periodic changes have been the norm, and such changes are indicative of a healthy, learning Industry. • Measured, tested change is good! • Traditional practices are critical to supporting development of a quality PRA and its subsequent application. • Meeting the design basis does not guarantee that the business risk (i.e., protecting the asset), as measured throughout the world, is sufficiently low • Defense in depth for all potential challenges varies (e.g. there is more defense in depth for large break LOCAs than for certain credible fires) • Even the most effective programs and processes cannot be guaranteed to provide the leading indicators needed to avoid a severe event • Effective communications among Industry experts with differing backgrounds is absolutely a key to optimizing further improvement in decision making.
Conclusions • US Industry Response to Fukushima is Risk Informed • Considers External Hazards and Internal Hazards as appropriate • Deterministic Assessments and Decisions Benefit from a RI Approach: • Risk Impact and Defense in Depth (e.g. Frequency of challenge versus prevention and mitigation capability) • Identify unintended consequences of design based assessments • A Regulatory Structure which further “blends” PRA and DRA (i.e., a Risk Management Structure) could improve on the Current Structure • There is uncertainty in the numbers: There is more uncertainty when you have not characterized the numbers • PRA can provide a DID perspective simply not achievable deterministically • Potential, unexpected Outliers can be identified
Traditional Practices • Barriers and Basic Design (Fuel, Clad, RCS, Containment, SSCs for Operations and Protecting Barriers): These are established • Operating Regimes (Full Power to Refueling): These are established • Stable Operation: Design accordingly with sufficient margin and flexibility • Initiating Events (IEs) and Relative Frequency: These are identified and established by group (generally frontline functional level challenges) • Support system challenge approach has changed considerably with experience • Includes external hazards and internal to plant spatial events, which has also changed considerably • Acceptance Criteria (e.g., Fuel, Barrier Integrity, Dose): Establish by Relative Sequence and/or Initiating Event Frequency • SSCs and Human Actions to Mitigate IEs (“Strength”, Capacity, Availability and Reliability): Establish based on Requirements • Includes External Hazards and Spatial Events
Traditional Practices • Event Sequence Analyses: Identify and Analyze “Conservatively” and Demonstrate Acceptance Criteria are Met (Range of Operating Conditions, Single Failure, Loss of Offsite Power (LOOP), etc.) • Capacity/Capability, Availability and Reliability of SSCs and Human Actions • Increase beyond minimum required? • Based on Operating Experience • Based on Designer Judgment • Based on Regulator Input • Aimed at Reducing the Potential for a Severe Accident • Siting Criteria (Part 100, etc.) • Operating Procedures and Limits • Monitoring and Feedback
Traditional Practices • Practice has Evolved • Operating Experience • Analyses • Testing • Examples • Fuel Design • Single Active Failure Criterion • SBO, ATWS, Post TMI, Fire Protection, Spatial Events, Support System Challenges • Emergency Operating Procedures (EOPs), Severe Accident Mitigation Guidance (SAMGs), Extensive Damage Mitigation Guidance (EDMGs) • Configuration Risk Management and Indicators such as Mitigating System Performance Indicators (MSPI)
Risk Informed Role • The Formal Engineering Method for Addressing • Completeness in Initiating Events (IEs) • Integrated Impact of IEs and Frequency combined with • Plant Response • SSC Reliability, Availability, Capability and Capacity • Human Interaction • To Understand and Demonstrate Accident Prevention and Mitigation Performance • Are there cliffs and is the risk appropriate? • Is DID sufficiently understood and appropriate? • To Provide an Integrating Framework • To Support Establishing Operational Performance Expectations and Assessing the Significance of Operating Experience • There is no alternative “Checklist” Approach to gain this insight
Part #2 ROP Dress Rehearsal Assessments (NRC Special Inspection for Fire Protection) To be forewarned is to be forearmed Arakajime go ryōshōsuruniwa “forearmed” shimasu Paul Boulden Barry Collyer
Why do an ROP dress rehearsal? Simple: To identify possible problems and bring the findings to the regulator’s attention before the regulator brings them to you. This is one kind of active risk management … you do NOT want an SDP red finding and risk closure/fines. We have done these dress rehearsals in both the USA and Japan … here is an example of one of them.
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection. Preparation & Self Assessment: 280 to 700 hours (assuming no major issues identified during self assessment) • Phase I consists of document review and interview. • Phase II consists of plant walk-down with verification and follow-up of some Phase I items. • Phase I and Phase II when combined match the typical NRC fire protection inspection. This is expected to be similar to the NRA fire protection inspection. • The basis for the assessment is: • US NRC Fire Protection (Triennial) inspection guidance (NRC Inspection Procedure 71111.05T) • Our experience (as utility employees subject to NRC inspections and as consultants supporting clients during NRC inspections)
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • The NRC typically picks three to five areas for review. For this example, the following representative areas were selected: • EP Room (I/B1-4) • AFW Hallway (I/B1-8) • Switchgear Room A (I/B3-2) • Wiring Room (C/B4-1) • Reactor CCW (I/B2-1) • Generic items impacting most plant areas were also reviewed • Key program elements for this example: • Fire Prevention • Fire Detection, Suppression and Control • Post-Fire Safe Shutdown • Fire Protection Quality Program • Each program element has several topical areas
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Symbols Used in This Example: The graphic is used to illustrate the potential risk significance that would be identified as part of the NRC Significance Determination Process (SDP). Where appropriate, a range of significance is illustrated. It should be noted that a detailed evaluation of risk for items that are more than minor can be an extensive effort and is beyond the scope of this assessment.
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Fire Prevention • Topical Area – Administration • Observations for this Program Element • Pre-fire plans should be prepared to be consistent with nuclear industry best practices. Pre-fire plans will directly impact the effectiveness of the fire brigade. • A TRM or equivalent type document should be prepared to be consistent with nuclear industry best practices. • Operability requirements for FP equipment. • Action statements when FP equipment is out of service.
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Fire Prevention • Topical Area – Evaluation of Potential Fire Hazards • Observations for this Program Element • The Fire Characteristics Tables (FCT) are used as equivalent to a Fire Hazards Analysis document and are controlled as part of the fire protection program. • The FCT will be reviewed for the selected areas during Phase II.
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Fire Prevention • Topical Area – Control of Combustibles • Observations for this Program Element • Plant programs related to combustible controls appear adequate. Further verification should be performed under Phase II (Plant Visit).
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Fire Detection, Suppression, and Control • Topical Area – Fire Detection Systems • Observations for this Program Element • Additional review (physical verification) should be performed during Phase II (Site Visit)
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Fire Detection, Suppression, and Control • Topical Area – Water Suppression Systems • Observations for this Program Element • A suppression effects analysis should be performed and documented. • Inadvertent operation of water suppression systems should not damage safety related equipment. • Redundant trains of safe shutdown systems located in the same area should not be subject to damage due to rupture of the suppression system piping. • Additional field review should be performed during Phase II.
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Fire Detection, Suppression, and Control • Topical Area – Gaseous Suppression Systems • Observations for this Program Element • A review should be performed to document that a fire in one area (and resulting smoke, heat and hot gases) will not result in the actuation of a Halon system in an adjacent area. This could impact identification of the location of the actual fire as well as availability of Halon gas supply. This review should also document that inadvertent operation will not result in damage to safety related equipment. An example would be an unwanted automatic closure of a damper impacting the cooling of an area.
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Fire Detection, Suppression, and Control • Topical Area – Portable Fire Extinguishers and Hose Stations • Observations for this Program Element • Additional review should be performed during Phase II (site visit) regarding the hydraulic matching of the available pressure, hose pressure drop and pressure requirement of the nozzle.
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Fire Detection, Suppression, and Control • Topical Area – Fire Brigade • Observations for this Program Element • The offsite (public) fire department should participate in drills in various areas of the plant so that they have the experience to efficiently and effectively fight a fire in a nuclear plant. This includes dress out, the use of SCBAs, coordination with the plant fire brigade and operations, as well as using the plant's pre-fire plans to make informed decisions.
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Fire Detection, Suppression, and Control • Topical Area – Fire Brigade • Observations for this Program Element • The fire brigade should receive additional review during Phase II. This review should include witnessing a fire drill in a plant area considering items such as fire fighting tactics, command and control, use of pre-fire plans and mitigation of damage to safe shutdown equipment. • Much information can be gained by US experience. All US NRC FP Triennial inspections include the NRC witness of an unannounced fire drill. • Phase II should include an announced drill for review.
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Fire Detection, Suppression, and Control • Topical Area – Fire Barriers • Observations for this Program Element • This program element is typically reviewed during field inspection (Phase II).
ROP Dress Rehearsal - Phase I: Special Inspection for Fire Protection • Program Element – Post-Fire Safe Shutdown • Topical Area – Fire Safe Shutdown Analysis • Observations for this Program Element • Safe shutdown systems and components selected to perform each of the reactor shutdown functions as documented in the NRC restart safety assessment were generally well thought out and adequate to meet the performance requirements. • Several examples were identified in which components important to post-fire safe shutdown were not identified. All of the components not identified were electrical components, including electrical circuit breakers and DC power components necessary for proper breaker operation to support electrical coordination. See Circuit Analysis below.