Prioritizing inspections
18 September 2014
With thousands of inspections, tests, analyses, and acceptance criteria to verify for each new nuclear power plant licensing application, the US nuclear regulator prioritizes inspections based on safety significance.
By Mark Caruso, Tony Nakanishi and Christopher Welch
The purpose of the inspections, tests, analyses, and acceptance criteria (ITAAC) process in the Nuclear Regulatory Commission's 10 CFR Part 52 is to verify that an as-built nuclear power plant has been constructed and can be operated in accordance with the approved plant design and all applicable regulations.
The ITAAC process uses a three-part format consisting of a design commitment, the method of verification (that is, inspection, test, and/or analysis), and the acceptance criteria for each ITAAC. By establishing ITAAC prior to the start of construction, both the licensee and the NRC will have a common understanding of what will be verified, the method of verification, and the acceptance criteria, thereby providing more predictability to the nuclear plant licensing process.
Eight combined license (COL) applicants and six design certification (DC) applicants are currently engaged in the Part 52 licensing and certification processes and more applicants are expected.
A necessary condition for authorizing a licensee to load fuel in the reactor and operate the plant is that the licensee demonstrates that all ITAAC are met and the NRC agrees that they are met. NRC inspection results, together with NRC's review of the ITAAC closure information required for each ITAAC under 10 CFR §52.99, are the foundation on which the NRC will make its finding on whether the ITAAC acceptance criteria have been met.
The number of ITAAC established for a certified design can be greater than 1000. A site-specific COL application of an approved design will further increase this number. Therefore, a structured ITAAC inspection prioritization process was developed to ensure regulatory effectiveness while applying the agency's finite inspection resources in the most efficient manner to verify ITAAC completion. The result is a targeted subset of the entire ITAAC that, if found acceptable, will provide reasonable assurance that a significant construction flaw will not go undetected. Figure 1, taken from NRC Commission Paper SECY-07-0047, shows graphically the share of ITAAC that may receive direct inspection. Direct inspection will include observation of ITAAC-related work at the construction site and vendor facilities, and review of calculations and analyses by the headquarters technical staff. These inspection targets will define the minimum sample set NRC will inspect for each construction project.
A structured prioritization process was developed to create a 'smart' sampling approach to ITAAC verification and closure, as opposed to a strictly statistical sampling approach that relies on success and failure findings to determine the extent of inspections needed to achieve a specified confidence level.
The overall ITAAC inspection prioritization process is described in SECY-07-0047. It has two primary objectives.
The first objective is to prioritize the ITAAC so those resulting in the most efficient and effective use of inspection resources are selected for inspection. The second objective is to ensure adequate inspection coverage over the various ITAAC groupings or 'families,' which assures that an acceptably diverse set of ITAAC has been targeted for inspection such that the results of the process are representative of the entire ITAAC population for a specific design.
The prioritization methodology first requires that the ITAAC involving the same or similar activities or common characteristics are grouped together using the ITAAC Matrix.
The ITAAC Matrix identifies the 25 core inspection procedures that comprise a comprehensive set of construction programmes and processes that the NRC believes encompass those COL licensee activities involved in the quality construction of a nuclear power plant, including for example valves, fire protection, piping and structural concrete. They are measured by different aspects: as-built inspections, welding, construction testing, operational testing, qualification criteria and design/fabrication requirements.
Combining ITAAC of similar activities into groups supports the efficient use of NRC resources. Verification that an ITAAC was performed correctly provides confidence that other ITAAC in the same family were also performed correctly.
Appropriate inspection coverage is achieved by requiring that at least one ITAAC from each populated ITAAC family be inspected, irrespective of its value of inspection. However, not all ITAAC families are populated.
Value of inspection
The second step of the methodology is the determination of the value of inspection for each ITAAC. This is accomplished based in part on a quantitative process called the Analytic Hierarchy Process (AHP), which establishes the relative importance (that is, weights) of the ITAAC attributes. The following ITAAC attributes are considered in determining the value of inspection:
- Safety significance: risk significance, defence-in-depth, uncertainty, and so on
- Propensity of making errors: complexity of fabrication/installation, and so on
- Construction and testing experience: involvement of new technology/technique, quality/performance history
- Opportunity to verify by other means: timing/access to inspect, availability of additional methods, and so on.
AHP is a method of pair-wise comparison that helps reduce subjectivity in assigning weights to multiple attributes simultaneously. Once determined, these weights w_i are multiplied against the corresponding ITAAC attribute utility values u_ij for each ITAAC and combined to obtain the overall rank Rank_j for each ITAAC. A utility value u_ij represents the numerical value of the ITAAC given by the panel for a given attribute indicating a high, medium or low impact. In these terms, the ITAAC utility function is expressed in Figure 2. This prioritization process is managed such that the final rank given for each ITAAC will correlate to the amount of assurance one can obtain from inspecting that ITAAC. In this way, it is not the ITAAC that are prioritized, but rather the value of inspecting that ITAAC to maximize the NRC's resources to detect any significant construction flaw.
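The weighting, ranking and family-coverage steps described above can be traced in a short added example (not code from the NRC or the authors). It assumes the weighted attributes are combined by summation, that high/medium/low utilities map to 3/2/1, and that targeting uses a rank threshold; the pairwise matrix, ITAAC identifiers, family names and threshold are all constructed.

```python
# Added illustration. Every number here is constructed, not an NRC value.
H, M, L = 3, 2, 1  # assumed numeric utilities for high / medium / low impact

# Constructed pairwise comparison matrix over the four attributes, in order:
# safety significance, error propensity, experience, verify by other means.
# P[a][b] > 1 means the panel judges attribute a more important than b.
P = [
    [1,   3,   5, 5],
    [1/3, 1,   2, 2],
    [1/5, 1/2, 1, 1],
    [1/5, 1/2, 1, 1],
]

# Constructed ITAAC: id -> (family in the ITAAC Matrix, utilities u_ij).
ITAAC = {
    "A-1": ("piping/welding",    (H, H, M, L)),
    "A-2": ("piping/welding",    (M, M, L, L)),
    "B-1": ("concrete/as-built", (L, L, L, M)),
    "B-2": ("concrete/as-built", (L, M, L, L)),
    "C-1": ("valves/testing",    (H, M, M, M)),
}

def ahp_weights(matrix, iterations=100):
    """AHP weights: principal eigenvector by power iteration, scaled to sum to 1."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(row[k] * w[k] for k in range(n)) for row in matrix]
        total = sum(v)
        w = [x / total for x in v]
    return w

def rank(weights, utilities):
    """Rank_j as the weighted sum of w_i * u_ij (assumed combination rule)."""
    return sum(w * u for w, u in zip(weights, utilities))

def select_sample(itaac, weights, threshold):
    """Target every ITAAC at or above threshold, then cover each populated family."""
    scores = {name: rank(weights, u) for name, (_, u) in itaac.items()}
    chosen = {name for name, s in scores.items() if s >= threshold}
    families = {}
    for name, (family, _) in itaac.items():
        families.setdefault(family, []).append(name)
    for members in families.values():
        if not chosen.intersection(members):
            chosen.add(max(members, key=scores.get))  # best of an uncovered family
    return sorted(chosen), scores

SAMPLE, SCORES = select_sample(ITAAC, ahp_weights(P), threshold=2.0)
```

In this constructed data, B-2 enters the sample only through the family-coverage rule: its rank is below the threshold, but no other ITAAC in its family was selected.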
The use of design-specific risk insights is relevant in assessing the safety significance attribute. This is based on the premise that an item's inspection priority should be determined in part by the increase in risk that would be caused by degraded performance of the item. Using risk-importance measures such as the Fussell-Vesely (FV) and risk achievement worth (RAW) to evaluate ITAAC allows for more accurate prioritization and lessens subjectivity.
The NRC staff recently completed a risk-informed activity to rank the DC ITAAC for a new reactor design by the safety significance attribute. The safety significance attribute is one of four ITAAC attributes mentioned previously, and is heavily weighted.
The attribute itself is comprised of two factors:
- Safety significance of the system, structure, or activity (hereafter system) associated with the ITAAC in question
- Importance of the ITAAC in ensuring the proper functioning of the system.
The ranking activity employed expert judgment, informed by several sources of risk information specific to the reactor design, and several safety principles rooted in the NRC's philosophy of defence-in-depth for power reactors. A panel of NRC staff with intimate knowledge of the particular design, safety analysis and risk analysis, including the NRC's review of those analyses, used this information and its collective experience to assign a system safety significance numerical ranking between one (lowest) and five (highest) and a functional importance numerical ranking between one (lowest) and three (highest). The process was risk-informed in that the approach considered risk insights in conjunction with traditional defence-in-depth thinking.
The sources of risk information used in the ranking process included the results of the assessment process in the reactor vendor's Design Reliability Assurance Program (D-RAP) and risk insights from the design Probabilistic Risk Assessment (PRA) documented in the DC application, as well as information taken directly from the description of the reactor design and PRA provided to the NRC for review and approval.
Guidelines for risk-ranking new reactor safety significance
This two-part ITAAC attribute relates to the increase in risk caused by degraded performance.
System ranking guidelines:
- Primary barriers to radioactive release receive a high importance
- The system itself is more important than the structure housing the system (for example, the diesel generator is more important than the diesel building)
- RTNSS systems ranked relatively highly.
ITAAC importance ranking guidelines:
- Testing is more important than analysis
- Testing to confirm passive functionality receives a high importance
- ITAAC related to ASME code requirements receive a high importance.
Nuclear power reactor defence-in-depth can be described at a high level as a series of four layers of defence against nuclear reactor accidents. These layers include: (1) precluding events that challenge safety, (2) preventing events from proceeding to core damage, (3) containing or confining radioactive material, and (4) protecting the public from the effects of radioactive releases. In the panel's evaluation of the ITAAC, the NRC staff considered the importance associated with the ITAAC relative to these layers of defence-in-depth. For example, the panel gave a larger weight to systems, structures and components (SSCs) that functioned as a primary barrier to the release of radioactivity. For SSCs that initiated events when they failed, the panel examined the risk importance of the sequences initiated by the SSC failure.
The panel of NRC staff considered the Regulatory Treatment of Non-Safety Systems (RTNSS) designation in the ranking process. The RTNSS process addresses in part the residual uncertainties associated with passive safety system performance by specifying standards for active defence-in-depth functions to back up the passive systems. RTNSS also addresses the need to ensure reliability and availability of equipment relied upon beyond 72 hours after shutdown, and other deterministic performance requirements. Due to the importance of the RTNSS SSCs in providing defence-in-depth, these SSCs were treated by assigning a value no less than three for safety significance in the ranking process.
For new reactor licensing, the reactor vendors provide information in the D-RAP which includes a list of SSCs that are significant contributors to risk, as determined with the PRA in conjunction with expert assessment. The NRC reviews this information as part of its safety review of applications for design certification and combined construction and operating licence. The panel of NRC staff assured that the safety significance ranking of the systems associated with the ITAAC was consistent with the D-RAP rank.
Passive design considerations
Many systems in operating 'active' plants provide coolant makeup using pumped flow at driving heads that have margin relative to flow resistances. On the other hand, some simplified passive designs make use of the natural driving forces that are much less dominant compared to resistance forces. Hence, the safety of the advanced passive plants relies extensively on features whose high reliability depends on layout and physics. Certain causes of excessive resistance or inadequate flow may be difficult to identify and correct following construction. They should therefore be carefully monitored and controlled during construction.
A high degree of confidence is warranted that the desired flow characteristics are obtained and that the mandated verification activities are appropriately conducted. This rationale was reflected in the ranking process by assigning a high importance to ITAAC involving inspection, testing and/or analysis of passive system performance (for example, passive core cooling, natural circulation heat removal, and so on).
Safety significance ranking results
The NRC staff recently completed a preliminary prioritization of ITAAC for the safety significance attribute, which considered 1254 ITAAC applicable to this process. In most cases an ITAAC corresponded to a plant system such as the reactor protection system or the condensate and feedwater system. In some cases, an ITAAC related to a design activity such as software development, or a programmatic activity such as environmental and seismic qualification of mechanical and electrical equipment. These programmatic activities, in turn, tie back to a particular system and associated safety significance. Results developed to date are summarized above in Table 1.
During the expert panel process to develop the ranking, expert judgment relied heavily on engineering and plant knowledge and experience of the panel members while being informed by the PRA insights. Once the safety significance ranking was complete, the PRA insights were used again to assess the reasonableness of the ranking. Table 2 lists the top ten safety significant ITAACs grouped by system along with the risk importance measures from the design PRA. Table 2 shows that in most cases the FV and RAW system level importance measures are greater than the threshold values generally used by the nuclear industry and NRC to identify risk-significant SSCs. Thus, the safety significance ranking determined by the expert panel process appears to be in line with the risk significance as measured by FV or RAW. However, there may be cases where this correlation does not hold because the second factor of the safety significance attribute, which has to do with the importance of ITAAC in ensuring the function of the system, has little correlation with risk.
It is important to note that at the current stage of the prioritization process, the ranking results only reflect the safety significance attribute of the ITAAC. Subsequent activities need to establish the ranking by the other three ITAAC attributes. Ultimately, the weighting scheme determined by the AHP will be combined with the other attribute ranking results to establish the final ITAAC ranking. The final ITAAC ranking information is then mapped to the ITAAC Matrix to determine the inspection sample to support ITAAC closure.
Risk-informed activities (for example NRC Reactor Oversight Process, Maintenance Rule implementation at power plant sites, and so on) have demonstrated the usefulness of risk information in focussing resources on activities with greater safety significance. This proved to be the case also for prioritizing ITAAC. The NRC staff found the design PRA, D-RAP and other risk-related information obtained through the NRC staff review of the design certification application and the knowledge of the NRC staff involved in the review process to be valuable to the process of prioritizing ITAAC.
Additional activities remain to finalize the ITAAC ranking for the current new reactor DC application. The process will likely be repeated for the other new reactor DC and COL applications currently under NRC staff review and for future submittals. Any lessons learned captured during these activities will be fed back to ensure an effective and efficient ITAAC verification process.
1. SECY-07-0047, "Staff Approach to Verifying the Closure of Inspections, Tests, Analyses, and Acceptance Criteria Through a Sample-Based Inspection Program," (ADAMS Accession Number ML070430501).
2. C. Atwood et al., "Technical Report on the Prioritization of Inspection Resources for Inspections, Tests, Analyses and Acceptance Criteria (ITAAC)," Information Systems Laboratories, Inc. (2005) (ADAMS Accession Number ML060740006).
Mark Caruso, Tony Nakanishi and Christopher Welch, USNRC, Washington DC 20555-0001 USA. Based on 'Use of Risk Information for Prioritizing Inspections, Tests, Analyses and Acceptance Criteria for Nuclear Power Plants Licensed Under 10 CFR Part 52' presented at the ANS Winter Meeting and Nuclear Technology Expo 2013.