IA-85-199, Forwards Draft Rev of Policy Statement on Severe Reactor Accidents Re Future Designs & Existing Plants & Draft NUREG-1070,incorporating Policy Statement Rev,As Followup to Response to Commission Questions Per SECY-84-370

From kanterella
Jump to navigation Jump to search
Forwards Draft Rev of Policy Statement on Severe Reactor Accidents Re Future Designs & Existing Plants & Draft NUREG-1070,incorporating Policy Statement Rev,As Followup to Response to Commission Questions Per SECY-84-370
ML20133K564
Person / Time
Issue date: 11/23/1984
From: Dircks W
NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO)
To: Asselstine, Palladino, Roberts
NRC COMMISSION (OCM)
Shared Package
ML20132C556 List:
References
FOIA-85-199, FOIA-85-A-15, RTR-NUREG-1070 NUDOCS 8508120281
Download: ML20133K564 (185)
v  d  e


Text

(

g:2 u f 4 thd b I .

  1. 'o, UNITED STATES

. E W SH NGT N. D. C 205 5 " ' $tCRETARIAT RD COPY s'j., #

s I_

  • NOV 2 3 mo4 MEMORANDUM FOR: Chairman Palladino Commissioner Roberts Commissioner Asselstine Commissioner Bernthal Commissioner Zech FROM: William J. Dircks Executive Director for Operations

SUBJECT:

FOLLOW-UP TO STAFF RESPONSE TO COMMISSIONERS' QUESTIONS ON SEVERE ACCIDENT POLICY STATEMENT (SECY-84-370, DATED SEPTEMBER 19,1984)

As indicated tc you in my recent memorandum on this subject, the Severe Accident Policy Statement nas been revised to incorporate certain responses to Commissioner questions. Several additional revisions were made as a result of suggestions by the OGC and by the ACRS in its letter to Commissioner Asselstine dated November 6, 1984.

Enclosure 1 provides a line-in, line-out revision of the Policy Statement

, and Enclosure 2 provides the revised NUREG-1070 that incorporates the revised Policy Statement. Commensurate changes were made throughout NUREG-1070 to reflect the more flexible approach to forward referenceable standard designs achieved either by a Final Design Approval through staff review or a Design Certification by Commission issuance through rulemaking.

Egass WilUm J.L2ct William J. Dircks .

Enclosures:

- lN ~

As s CC:

E OGC ACRS

Contact:

R. M. Bernero, NRR 49-27373 T V

u, k

0500120201 850627 PDR FOIA '

BELAIR85-A-15 PDR c7 (J.

  • 1 &

l{

( % w s>

FEDERAL REGISTER NOTICE FOR COMMISSION POLICY STATEMENT ON ISjUES F0d- ,

NEW STANDARD REACTOR DESIGNS AND SEVERE ACCIDENTS J_,p, Q NUCLEAR REGULATORY COMMISSION b 10 CFR Part 50 Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants AGENCY: Nuclear Regulatory Commission ACTION: Policy Statement.

SUMMARY

This statement describes the policy the Commission intends to use to resolve safety issues related to reactor accidents more severe than design basis accidents. It's main focus is on the criteria and procedures the Commisshn intends to use to certify new standard designs for nuclear power plants. ihis policy statement is a revision of the " Proposed Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation" that was published for comment on April 13, 1983 (48 FR 16014). It also serves as notice of withdrawal of the advanced notice of proposed rulemaking, " Severe Accident Design Criteria," published on October 2, 1980 (45 FR 65474).

FOR FURTHER INFORMATION CONTACT:

Miller B. Spangler, Special Assistant for Policy Development, Division of Systems Integration Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555 Telephone: (301) 492-7305.

SUPPLEMENTARY INFORMATION:

This policy statement sets forth the Commission's intentions for rulemakings and other regulatory actions for resolving safety issues related to reactor accidents more severe than design basis accidents. The main focus of this statement is on decision procedures involving staff enelyses and approval or, optionally, Commission certification of new standard designs for nuclear power plants. It also provides guidance on decision and analytical procedures for the resolution of severe accident issues for other classes of future plants and for existing plants (operating reactors and plants under construction for which an operating license has been applied). Severe nuclear accidents are those in which sub-stantial damage is done to the reactor core whether or not there are serious offsite consequences. On October 2,1980, the Commission issued an advance notice of proposed rulemaking, " Severe Accident Design Criteria " that invited public comment on leng-term proposals for treating severe accident issues (45 FR 65474). By this action the Consission hereby serves notice of the withdrawal of that advance notice of proposed rulemaking.

This policy statement is a revision of the " Proposed Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation" published for public comment on April 13, 1983 (48 FR 16014). Twenty six letters of consnent on the proposed policy statement were received. The nuclear industry 1

generally supported the proposed policy statement and suggested several modifi-cations. Much of the criticism of the proposed policy statement by environmental groups and other interested persons focused on a perception of over-reliance on probabilistic risk assessment, especially when coupled with the Commission's

" Safety Goal Development Program" (48 FR 10772 March 14, 1983). The Policy Statement was revised as a result of these suggestions and criticisms as well as comments by the Advisory Committee on Reactor Safeguards.

Many changes have already been implemented in existing plants as a result of the TMI Action Plan (NUREG-0660 and NUREG-0737), information resulting from NRC and industry-sponsored research, and data arising from construction and operating experience. On the basis of currently available information, the Commission concludes that existing plants pose no undue risk to public health, safety and property and sees no present basis for immediate action on generic rulemaking or other regulatory changes for these plants because of severe accident risk. Here-everv _The Commission has ongoing nuclear safety programs that include: the resolution of new and several other Unresolved Safety Issues and Generic Safety Issues; Severe Accident Source Term Program; the Severe Accident Research Pro-gram; operating experience and data evaluation regarding failure of certain Engineered Safety Features and safety-related equipment, human errors, and other sources of abnormal events; and scrutiny by the Office of Inspection and Enforcement to monitor the quality of plant construction, operation, and main-tenance. Should significant new safety information become available, from whatever source, to question the conclusion of "no undue risk," then the tech-nical issues thus identified would be resolved by the NRC under its backfit policy and other existing procedures, including the possibility of generic rulemaking where this is j.atifiable.

Howeveev One important source of new information is the experience of NRC and the nuclear industry with plan Especific probabil Etic risk assessment. 4e thee Each of these analyses, which provide a mere detailed assessment of possible accident scenarios, has exposed relatively unique vulnerabilities to severe accidents. Generally, the undesirable risk from these unique features has been reduced to an acceptable level by low-cost changes in procedures or minor design modifications. Accordingly, when NRC and industry interactions on severe accident issues have progressed sufficiently to define the methods of analysis, the Commission plans to formulate an integrated systematic approach to an examina-tion of each nuclear power plant now operating or under construction for possibly significant risk contributors that might be plant specific and might be missed absent a systematic search. Following the development of such an approach, an

' analysis will be made of any plant that has not yet undergone an appropriate examination and cost-effective changes will be made, if needed, to ensure that there is no undue risk to public health, safety and property. 3, implementing such a, systematic approach, plants under construction that have not yet received an, Operating License will M treated essantially the same a_s,the manner by, which operating reactors are dealt with. That is to say, a plant-specific review of, severe accident vulnerabilities g this approach M not considered g be necessary g determine adequate safety og compliance with NRC safet; regulations under the Atomic Energy Act, or to be a necessary or routine part of an Operating License review for this class of plants.

Regarding the decision process for certifying a new standard plant' design -- an approach the Connission strongly encourages for future plants -- the Policy Statement affirms the Commission's belief that's new design for a nuclear power plant can be shown to be acceptable for severe accident concerns if it meets the following criteria and procedural requirements:

2

e Demonstration of compliance with the procedural requirements and criteria of the current Commission regulations, including the Three Mile Island requirements for new plants as reflected in the CP Rule

[10 CFR 50,34(f)];

4 e

2a

e Demonstration of technical resolution of all applicable Unresolved Safety Issues and the medium- and high-priority Generic Safety Issues, including a special focus on assuring the reliability of decay heat removal systems and the reliability of both AC and DC electrical supply systems; e Completion of a Probabilistic Risk Assessment (FRA) and consideration of the severe accident vulnerabilities the PRA exposes along with the insights that it may add to the assurance of no undue risk to public health, safety, and property;* and, e Completion of a staff review of the design with a conclusion of safety acceptability using an approach that stresses deterministic engineering analysis and judgment complemented by PRA.

Custom designs in future construction permit applications will be reviewed under the guidelines identified for approval jyt certification of standard plant designs.

Because this policy statement is just one part of a larger program, including the Severe Accident Research Program, for resolving severe accident issues, the NRC staff is publishing concurrently with this Policy Statement a report on "NRC Policy on Future Reactor Designs: Decisions on Severe Accident Issues in Nuclear Power Plant Regulation" (NUREG-1070). In this report the Policy Statement is reprinted along with other information and appendices that provide perspective on the development and implementation of this policy and how it relates to other features of the Severe Accident Program. A copy of NUREG-1070 will be available for inspection at the Commission's Public Document Room,1717 H Street NW. ,

Washington, D.C. 64tgle Free single copies of NUREG-1070 eise will be available open westeen requese and at no eest, Requeses eheeld be made te the NRG-6PO Se&ee Peegeeny Ateene4ent Sales Menegee, may M requested M writing to,the Publication Services Section, Division of Technical Information and Document Control. U.S. Nuclear Regulatory Commission Washington, D.C. 20555. (Phene-304) 493-9639)v Geptes eine may be perehesed from the NRG-GPO Gales Program and the' Nee 4enal Technfeel Enfeemetten Seevicey Springfieldy Vieg4nde 42464, The authority for this document is (Sec. 161, Pub. L.83-703, 68 Stat. 948, as amended (42 U.S.C. 2201).

Dated at Washington, D.C. this day of 1984.

For the Nuclear Regulatory Commission.

Samuel J. Chilk, Secretary of the Commission.

  • This criterion has an antecedent in Chapter 10 Sec. 103b of the Atomic Energy Act of 1954, which states, as a regulatory objective. "to protect health and to minimize danger to life or property."

3

i I

l POLICY STATEMENT ON SEVERE REACTOR ACCIDENTS REGARDING FUTURE DESIGNS AND EXISTING PLANTS A. Introduction The focus on severe accident issues in this Policy Statement is prompted by the staf f's judgment know4 edge that accidents of this class, which are beyond the substantial coverage of design basis events, eeund constitute the major risk to the public associated with radioactive releases from nuclear power plants, accidents. A fundamental objective of the Commission's severe accident policy is that the Commission intends to take all reasonable steps to reduce the chances of occurrence of a severe accident involving substantial damage tjt the i reactor core and to mitigate the consequences of such an accident should one occur. The occurrence of a severe accident is more likely at some plants ,

than others. In some cases, this mav be attributable to deficiencies in systems designs or in operating and maintenance procedures. In all cases, the commitment of utility management to the pursuit of excellence in risk management is of critical importance. The term risk management includes accident prevention, accident management to curtail or retard its progression, and consequence mitigation to further limit its effects on public health and safety.

On April 13, 1983, the U.S. Nuclear Regulatory Commission issued for public comment a " Proposed Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation" (48 FR 16014). The public :omments have been reviewed and, on the basis of further study and consultation, the. Commission is issuing the present Policy Statement as a guide to regulatory decision making on the treat-ment of severe accident issues for existing and future nuclear reactors

  • with special focus on pra :dures for the staff approval or, optionally, Commission certification of new standard plant designs.**

In line with its legislative mandate to ensure that nuclear power plants should pose no undue risk tc public health, safety, and property, the Co==ission has examined an extensive range of technical issues relating to severe accident risk that have been identified since the accident at Three Mile Island. Following implementation of numerous modifications of plant design and regulatory procedures as developed through the TMI Action Plan (NUREG-0660 and NUREG-0737) and other Commission deliberations, the Commission concludes (based on current information and analyses) that existing plants do not pose an undue level of risk to the public.

On this basis, the Commission feels there is no need for immediate action on generic rule =aking or other regulatory changes for these plants because of severe i accident risk. However, the Commission plans to formulate an approach for a systematic safety examination of axisting plants to determine whether particular ,

! accident vulnerabilities are present and what cost-effective changes are desirable l to ensure that there is no undue risk to public health, saf ety, and property.

l

  • The term " nuclear reactor" is commonly used as a synonym for a nuclear power plant which, in addition to the Nuclear Steam Supply System, included facilities and equipneat denoted as Balance-of-Plant.

l **For forward referenceabilitv of a new standard design. the appliesnt is being l afforded in this Poliev Statement the flexibility of choosing between a

Prelt=inary Design Approval (PDA), a Final Design Approval (FDA), or a Design t Certification (DC). The design approvals (i.e. , a PDA or FDA) would be issued f ollowing the completion of the staf f 's review and would be subj ect to challenge in individual licensing hearings. The Design Certification would be issued by the Commission following a rulemaking proceeding and could not be challenged in individual hearings.  !

4

The main purposes of this Policy Statement follow:

e To clarify the procedures and requirments for licensing a new nuclear plant; e To consider the need for the generic rulemaking proceeding contemplated in the TMI Action Plan commitment (NUREG-0660. Task II.B.8) on degraded core accidents, currently referred to as severe nuclear reactor accidents; e To avoid unnecessary delays of plants now under construction; e To close out for now severe accident issues for existing plants (those in operation and under construction) without imposing further backfits unless this can be justified by new safety information; and, 1

I l

l 4a t

o To achieve improved stability and predictability of reactor regula-tion in a manner that would merit improved public confidence in our regulatory decision making.

The policies presented in this statement will lead to amendment of NRC regula-tions, standard review plans for licensing actions, or other decision procedures and criteria as part of NRC's ongoing Severe Accident Program. This Policy Statement makes allowance for such changes as the result of the development of new safety information of significance for design and operating procedures.

In accordance with the activities, views, and policy developments discussed in this Policy Statement, the Commission believes that it is possible to complete its ongoing reviews of new plant designs with an expectation of fully resolving the severe accident questions in the course of the review. This belief is predicated on the availability of results from the ongoing NRC, Industry Degraded Core Rulemaking Program (IDCOR), and vendor research and insights from the Zion, Indian Point Limerick, and.other risk analyses. The review of standard designs for future cps provides incentive to industry to address severe accident phenomena. Indeed, since July 1983, the staff has completed the reviews and has issued Final Design Approvals (FDAs) for two standard designs (General Electric Company's BWR/6 Nuclear Island Design, GESSAR II; and Combustion Engineering Incorporated's System 80 Design, CESSAR). A severe accident review by the NRC staff of the GESSAR II design for forward referenceability is nearly complete. in prepeestien fee a eulemaking te eeettfy that design fee future refeeeneer The review included assessment of alternative design changes for severe accident risk reduction. In addition, the staff has been involved with pretendering review of an application for Westinghouse Electric Corporation's advanced pressurized water reactor design RESAR-SP/90. In January 1984, the NRC found the RESAR-SP/90 application for a Preliminary Design Approval acceptable for docketing and in May 1984 the application was docketed. Also, work has been continuing between NRC and the Electric Power Research Institute (EPRI) on their " LWR Standardized Future Plant Design Evaluation Program."

It is assumed in this Policy Statement that, over the next 10 to 15 years, utility and commercial interest in the United States will focus on advanced light water reactors that involve improvements but are essentially based on the technology that was demonstrated in the design, construction, and operation of more than 100 of these plants in the United States. This policy should not be viewed as prejudicial to more extensive changes in reactor designs that might be demonstrated during or beyond that time period. Indeed, the Commission encourages the development and commercialization of any standard designs that realize safety and economic benefits, such as those achieved through greater simplicity; redweed stee end geneesting espeeleyt slower dynamic response to upset conditions involving accident precurser events; passive heat removal for loss-of-coolant accidents; and other characteristics that promote more efficient construction, operation, and maintenance procedures to enhance safety, reliabil-ity, and economy.

B. Policy for New Plant Applications

1. Introduction No new commercial nuclear reactors have been ordered in the United States since December 1978. However, the Commission has received several applications for 5

i i

reference design approvals that are currently under review. A reference design is one of the options in the Commission's standardization policy. When approved by the NRC staff, a reference design could be incorporated by reference in a new CP application and, ultimately, in an Operating License (OL) application.

During the corresponding CP and OL reviews, the NRC staff would not duplicate that portion cf its review encompassed by its reference design approval.

Therefore, even in the absence of new CP applications, in order to provide guidelines for the current reference design reviews, the Commission has recog-nized the need to promptly establish the criteria by which new designs can be shown to be acceptable in meeting severe accident concerns. The Commission now believes that there exists an adequate basis from which to establish an appro-priate set of criteria. This belief is supported by current operating reactor experience, ongoing severe accident research, and insights from a variety of risk analyses. The resultant criteria and procedural requirements are listed below.

2. Criteria and Procedural Requirements The Commission believes that a new design for a nuclear power plant (as well as a proposed custom plant) can be shown to be acceptable for severe accident concerns if it meets the following criteria and procedural requirements:
a. Demonstration of compliance with the procedural requirements and criteria of.the current Commission regulations, including the Three Mile Island requirements for new plants as reflected in the CP Rule

[10 CFR 50.34(f)];

b. Demonstration of technical resolution of all applicable Unresolved Safety Issues and the medium- and high-priority Generic Safety Issues, I including a special focus on assuring the reliability of decay heat l removal systems and the reliability of both AC and DC electrical supply systems;
c. Completion of a Probabilistic Risk Assessment (FRA) and consideration of the severe accident vulnerabilities the PRA exposes along with the insights that it may add to the assurance of no undue risk to public health, safety, and property; and,
d. Completion of a staff review of the design with a conclusion of safety acceptability using an approach that stresses deterministic engineer-ing analysis and judgment complemented by PRA.

The fundamental criteria listed above apply to the staff's review of any new design. In addressing criteria (b) and (c), the applicant for approval oj; certification of a reference design shall consider a range of alternatives and combination of alternatives to address the unresolved and generic safety issues and to search for cost-effective reductions in the risk frem severe accidents.

No cost-benefit standard has currently been certified by the commission, although one has been proposed for trial use (NUREG-0880, Rev. 1). Such a standard, if certified, could serve as a surrogate, not only for dollar costs and benefits of a decision option, but also for other adverse and beneficial effects (soft attributes) of social significance that cannot readily be quantified in commensurate units.

6

The following sections explain in more detail how these criteria are to be applied to the various types of reviews that the staff may encounter. It is intended that a new design would satisfy each of the fundamental criteria listed above before final seeff and Gemadessen approval g certification. It is recognized, however, that a new design can go through different stages or levels of approval before receiving this final staff and Gemmteefen approval cy; certification. For example, a reference design can obtain a Preliminary Design Approval (PDA) and then a Final Design Approval (FDA). The unique circumstances of each design review will, therefore, require flexibility in the application of the criteria listed above. In particular, the timing of the PRA requirement may differ considerably from one review to another. In addition, the licensee is encouraged to ensure that the intent of the safety requirements are accomplished during procurement, construction and operation.

It is recognized that there are a diversity of PRA methods. These will continue to undergo evolutionary development as the results of r2 search programs and reliability data from operating reactors become available and as innovative uses of PRA in safety decision contexts suggest better ways to achieve the benefits of these methods while guarding against their limitations or improper uses. While learning curves of these kinds will likely continue for a decade or more, it would nevertheless be constructive to consolidate this experience at various stages of PRA development and utilization. At the present stage of development, a number of positive uses of PRAs have been demonstrated, especially in identifying: (1) those contributors to severe accident risk that are clearly dominant and hence need to be examined for cost-effective risk reduction measures and (2) those accident sequences that are clearly insignificant risk contributors and can therefore be prudently dismissed. In-between cases are more problematic.

Accordingly, within 18 months of the publication of this severe accident state-ment, the staf f will issue guidance on the form, purpose and role that PRAs are to play in severe accident analysis and decision making for both existing and future plant designs and what minimum criteria of adequacy PRAs should meet.

From experience to date, it is evident that PRAs could serve as a highly useful tool in assessing the risk-reduction potential and cost-effecciveness of a number of imaginative design options for new plants in comparison with design features of existing plants. The PRA guidance will describe the appropriate -

combination of deterministic and probabilistic considerations as a basis for severe accident decisions.

The proposed Commission Policy Statement on Severe Accidents issued on April 13, 1983 recognizes the need for striking a balance between accident prevention and consequence mitigation. In exploring the need for additional design or operational features in the next generation of plants to mitigate the conse-quences of core-melt accidents, the Commission will strike a balance between accident prevention and consequence mitigation encompassing actions that improve understanding of containment building failure characteristics and design features or emergency actions that decrease the likelihood of containment building failures *. Although not specifically dc -igned to accommodate all of the hostile environments resulting from the complete spectrum of severe accidents, they can contain a large fraction of the radiological inventory from a portion of the spectrum of such severe. accidents. For example, large, dry containments may be sufficiently capable of mitigating the consequences of a wide 7

spectrum of core-melt accidents; hence, further requirements may be unnecessary or, at most, upgrading current requirements to gain limited improvements of their existing capability may be necessary. The Commission expects that these matters will continue to be subjects for study (e.g. , in the NRC research program and in further plant-specific studies such as the Zion and Indian Point probabilistic risk assessments).

Integrated systems analysis will be used to explore whether other containment i

types exhibit a functional containment capability equivalent to that of large, dry containments. Although containment strength is an important feature to be considered in such an analysis, credits should also be given to the inherent energy and radionuclide absorption capabilities of the various designs as well as other design features that limit or control combustible gases.

It is clear that core-melt accident evaluations and containment failure evalu-ations should continue to be performed for a representative sample of operating plants and plants under construction and for all future plant designs. These studies should improve our understanding of the containment loading and failure characteristics for the various classes of facilities. The analyses should be as realistic as possible and should include, where appropriate, dynamic and static loadings from combustion of hydrogen and other combustibles, static pres-sure and temperature loadings from steam and non-condensibles, basemat penetra-tion by core-melt materials, and effects of aerosols on engineered safety fea-tures. Following the outcome of severe accident research, a clarification of containment performance expectations will be made including a decision on whether to establish new performance criteria for containment systems and, if so, what these should be.

The Commission also recognizes the importance of such potential contributors to severe accident risk as human performance and sabotage. The issues of both insider and outsider sabotage threats will be carefully analyzed and, to the extent practicable, will be emphasized as special considerations in the design and in the operating procedures developed for new plants. Likewise, the effec-tiveness of human performance will be emphasized in design and operating proce-dure development. A balanced focus will be paid to the negative impact of human performance on severe accident risk as well as its potentially. positive '

contribution to halting or limiting the consequences of severe accident progres-sion. Design features should be emphasized that reduce the risk of early con-tainment failure, thus providing more time for the positive contributions of operator performance in curtailing severe accident consequences. Also, design features should be given special attention that serve to decrease the role of human error in the sequence of events leading to the initiation or aggravation of core degradation. In particular, methods of analysis and associatec data bases are under development by the Commission's ongoing severe accident programs that will aid the analyses and corrective actions of both negative and positive human performance contributions to severe accident risk or its alleviation.

It is noted that some of the severe accident scenarios result in insignificant probability of offsite consequences, because of containment effectiveness. In this situation, there may be no clear basis for regulatory action because there is no substantial effect on public health or offsite property. However, the implementation of requirements to control occupational exposure should be con-siderdd along with the relatively small effects on public health and offsite 8

l l

i l

i l l

l property for these types of severe accidents. The resolution of cost-benefit issues in severe accident decision making is part of the NRC's Safety Goal Evaluation Program.

Although in the licensing of existing plants the Commission has determined that these plants pose no undue risk to public health and safety, this should not be viewed as implying a Commission policy that safety improvements in new plant designs should not be actively sought. The Commission fully expects that vendors engaged in designing new standard (or custom) plants will achieve a higher standard of severe accident safety performance than their prior designs.

, This expectation is based on:

e The growing volume of information from industry and government-sponsored research and operating reactor experience has improved our knowledge of specific severe accident vulnerabilities and of low-cost ,

methods for their mitigation. Further learning on safety vulnerabili-ties and innovative methods is to be expected.

o The inherent flexibility of this Policy Statement (that permits risk-risk tradeoffs in systems and sub-systems design) encourages thereby innovative uays of achieving an improved overall systems reliability at a reasonable cost.

e Public acceptance, and hence investor acceptance, of nuclear tech-nology is dependent on demonstrable progress in safety performance, including the reduction in frequency of accident precursor events as

' well as a diminished controversy among experts as to the adequacy of nuclear safety technology.

e Further progress in severe accident risk reduction is a hedge against j the possibility that current risk estimates with their broad ranges of uncertainty might unwittingly have been optimistically biased.

e Although the severe accident risk of an individual plant may be acceptable in terms of its direct offsite regional consequences for public health, safety and property damage, the aggregate probability (say, over a 30-year period) that one severe accident will occur in a large population of reactors holds a separate and additive signifi-cance. Such an event would yield adverse spillover consequences for innocent parties in other regions (i.e., nuclear-oriented utilities and their customers), not to mention a changed political environment.

for nuclear regulation itself affecting resource costs and program-matic activities.

3. Application of Criteria for Different Types of OL and CP Applications
a. Approval 53; Certification of Reference Designs with No Previous FDA In accordance with the Commission's standardization regulations and policy, a new reference design can be submitted for approval, first as a preliminary design and then as a final design. Correspondingly, the staff will issue a Preliminary Design Approval and a Final Design Approval. A PDA is not, how-ever, a prerequisite for an FDA. An applicant has the option to submit FDA-level information initially and proceed directly with an FDA review. These options remain unchanged by this Policy Statement.

9 l

Af ter a PDA application is docketed, the preliminary design can be referenced in a new CP application. The corresponding OL application would then reference the approved final design (FDA). Of course, an approved final design could also be referenced in a new CP application.

The ese of an approved standard design in new CP/0L applications has received considerable attention under the Commission's legislative initiatives on single-step licensing, it should be noted that a two-step review process for a standard design approval is not, in itself, inconsistent with single-step licensing. To be most effective, single-step licensing presumes the existence of a previously approved design -- es sentially an FDA. This design could still be approved in a two-step process as long as both steps were completed in advance of the single-step licensing application.

The use of PRA in a two-step review process also raises a number of questions.

Of pat ticular concern is the timing of the PRA requirement bebause the completion of a comprehensive and detailed PRA may not be achievable in the absence of essentially complete and final detailed design information. Therefore, to require a complete PRA at the PDA stage would not be realistic. The Commission's recent experience, however, indicates that a substantial amount of design detail that would permit meaningful, limited, quantitative risk analysis does exist at the PDA stage. Because the Commission believes that risk analysis of this type would be a useful design tool, the Commission expects that it would be completed as part of the PDA application process. A complete risk analysis would not be a prerequisite for issuance of a PDA. However, if this risk analysis is not performed in the PDA process, it will have to be provided as part of any CP application referencing the design.

If the scope of the FDA reference design application is limited to an extent that would preclude the completion of a meaningful, comprehensive PRA, the requirement for a complete PRA may be waived. However, the applicant should still perform and submit supplementary risk analysis, to the extent practical, to demonstrate the adequacy of the proposed design. If a comprehensive PRA is not submitted for an FDA, a CP/0L applicant referencing the approved design would be required to submit a plant-specific PRA. For standard design approvals of restricted scope, additional limitations beyond the PRA aspects may exist.

Use of such a standard design by the license applicant may be limited by its very nature to a two-step licensing process, namely, a Construction Permit and an Operating License issued separately. This would negate some of the benefits envisioned for e art approved oj; certified design wherein a previously approved site could be matched with it in a one-step, combined CP/0L process.

The reference design must satisfy each of the criteria stated in Section B.2 before an FDA can be issued. Once appeeved by the staffy each reference final design wf44 be subdeet te Gemmission approval by rulemaking, gps er Obst based en a reference design ehet has not been appesved through rulemakingy shall be subject te any design ehenges arising from the rulemaking preceeding in seeerd-enee with the Gemmissienis beekfit policy and reguiettens, For forward referenceability of a new standard design, the applicant is being afforded in this Policy Statement the flexibility of choosing between a Preliminary Design Approval (PDA), a Final Design Approval (FDA), or a Design Certification (DC).

The design approvals (i.e., a PDA or FDA) would be issued following the completion 10

of the staff's review and would be subject to challenge in individual licensing hearings. The Design Certification would be issued by the Commission following a rulemaking proceeding and could not be challenged in individual hearings. cps or OLs, based on a reference design that has not been approved through rulemaking, shall be subject to any design changes arising from the rulemaking proceeding in accordance with the Commission's backfit policy and regulations. The design certification would be issued for a longer duration than a design approval. The specific requirr.ents and procedures for obtaining design certifications or approvals will be established in a forthcoming revision to the Commission's Standardization Policy Statement.

b. Approval cg- Certification of Reference Designs Previously Granted an FDA In 1983, the NRC staff issued two Final Design Approvals for reference designs.

These design approvals were permitted to be incorporated by reference in OL applications where the corresponding CP application had referenced the PDA.

10a

However, the designs were not approved for incorporation in new CP applications.

The Commission now believes that these designs are suitable for use in new CP and OL applications under the conditions specified below.

(1) Each reference design applicant with an existing FDA must per-form an evaluation of its design against the current revision of the Standard Review Plan in accordance with 10 CFR 50.34(g). Upon submittal of this evalua-tion, the staff will amend the existing FDA to permit the design to be referenced in new CP and OL applications.

(2) The reference design must satisfy each of the criteria stated in III.B.2 before approval g certification of the design. Each-deefsn-appeeved-by-the seef f-fee-eneeeperee sen-by-ref erence-in-new-G P-e nd-Gh-s pplice t t ens-she it-be-s u bje c e ee-Gemmissien-eppeeve4-by-eulemakingv If a comprehensive PRA cannot be completed owing to the limited scope of the design, the applicant shall perform supplementary risk analyses', to the extent practical, in support of the rulemaking process.

Fefluee-ee-suppeet-the-eulemaking-in-a-esse 4y-mannee-een-be-eense-fee-the-staff ee-eevehe-ehe-app 44eenele-FBAv Aleet A_s noted above, the limited scope of plant design and PRA analysis would lead to a partial loss of benefits relative to a certified design in that a two-step CP/0L licensing process would be required in lieu of a one-step process.

(3) With regard to completion of a comprehensive PRA for a reference design, the Commission recognizes that a PRA wculd be more meaningful if it were based on a substantial portion of the complete facility design. Therefore, if justified to the NRC staff, completion of the FRA by the FDA applicant may be waived. If a comprehensive PRA is nor submitted by the FDA applicant for the FDA, a CP/0L applicant referencing the design would be required to submit a plant-specific PRA.

A reference design previously granted an FDA can be converted to forward referenceability for new CP or OL applications by pursuing one of the same options of design approval or design certification as described in the preceding section for reference designs with no previous FDA. The FDA with forward referenceability would be issued following the completion of the staff's review and would be subject to challenge in individual licensing hearings. The Design Certification would be issued by the Commission following a rulemaking proceeding and could not be challenged in individual hearings. cps or OLs, based on a reference design that has not been approved through rulemaking, shall be subject to any design changes arising from the rulemaking proceeding in accordance with the Commission's backfit policy and regulations. The design certification would be issued for a longer duration than a design approval.

The specific requirements and procedures for obtaining design certifications or approvals will be established in a forthcoming revision to the Commission's Standardization Policy Statement.

c. A Reactivated Construction Permit Application Because of the many complex factors involved, the criteria and procedures for l regulatory treatment of reactivated Construction Permits will be a matter of

( separate consideration apart from this Severe Accident Policy Statement.

1 11

d. A New Custom Plant Construction Permit Application It is the Commission's policy to encourage the use of reference designs in future CP applications. This does not, however, preclude the use of a custom design. Custom designs shall also be reviewed against the criteria identified in Section III.B.2. As a result of the circumstances and timing involved in the ongoing standard design review processes, the Commission expects that most, if not all, new CP applications incorporatina a reference design would be based on essentially final design information. This will result in improved safety and regulatory practices, as well as reduced time to license and construct a nuclear power plant. To obtain as much of this benefit as practicable for a custom design application, the Commission will require a CP application for a custos design to include design information that is sufficiently final and complete to permit completion of an adequate plant-specific PRA. It is possible, however, that an applicant referencing e agt approved ej; certified design in lieu of a custom plant would have in prospect a significantly reduced licensing fee since staff effort would not be required -- or much less would be required -- for a 11a

rereview of the approved jyt certified design at the CP/0L stage save for those detailed changes to accommodate unique site features or other special circum-stances (e.g. , innovative equipment designs to meet new ASME or IEEE codes, etc.) .

C. Policy for Existing Plants

1. Some General Principles of Policy Development The Commission has licensed about 80 nuclear plants and expects to process applications to license another 40 or 50 plants. The Commission has considered at length the question of whether generic rulemaking should be undertaken or additional regulations should be issued at this time to require more capability in operating plants or plants under construction to Laprove severe accident prevention, consequence mitigation, or accident management that would halt or delay further core degradation.

Since the accident at TMI, many changes have been implemented in existing plants resulting from recommendations of special inquiry groups, the TMI Action Plan (NUREG-0660 and NUREG-0737), and other information arising from NRC- and industry-sponsored research along with failure data from construction and operating experience. In addition, the NRC/AEC has sponsored eleven plant-specific PRAs and the industry has sponsored about as many more. The evaluation of severe accident risk by the interrelated deterministic and probabilistic methods has identified many refinements of current design and operating prac-l tice that are worthwhile, but has identified no need for fundamental (or major) changes in design.

On the basis of currently available information, the Commission concludes that existing plants pose no undue risk to public health, safety, and property and sees no present basis for immediate diem 4 sees theredere the need dee peampe action on generic rulemaking or other regulatory changes for these plants because of severe accident risk. Moreover, the Commission has ongoing programs (described in NUREG-1070 and issued concurrently with this Policy Statement) that include: the resolution of Unresolved Safety Issues and other Generic Safety Issues, including a special focus on assuring the reliability of decay heat removal systems and the reliability of both AC and DC electrical supply systems; the Severe Accident Source Term Program; the Severe Accident Research Program; operating experience and data evaluation regarding equipment failure, human errors, and other sources of abnormal events; and scrutiny by the Office of Inspection and Enforcement to monitor the quality of plant construction, operation, and maintenance. The Commission will maintain its vigilance in these programs to offset the uncertainty of whether significant safety issues remain to be disclosed. Industry research and foreign reactor experience are also meaningful sources of information.

One important source of new information is the experience of NRC and the nuclear industry with plant-specific probabilistic risk assessments, is ehet Each of these analyses, which provide a more detailed assessment of possible accident scenarios, has exposed relatively unique vulnerabilities to severe l

accidents. Generally, the undesirable risk from these unique features has l been reduced to an acceptable level by low-cost changes in procedures or minor design modifications. Accordingly, when NRC and industry interactions on severe accident issues have progressed sufficiently to define the methods of analysis, the Commission plans to formulate an integrated systematic approach to an examina-tion of each nuclear power plant now oper,ating or under construction for possible 12

significant risk contributors (sometimes called " outliers" that might be plant specific and might be missed absent a systematic search. Following the development of such an approach, an analysis vill be made of any plant that has not yet undergone an appropriate examination. The examination will include specific attention to containment performance in striking a balance between accident prevention and consequence mitigation. In implementing such a systematic approach, plants under construction that have not yet received an Operating License will be treated essentially the same as the manner by which operating reactors are dealt with. That is to say, a plant-specific review of severe accident vulnerabilities using this approach is not considered to be necessary to determine adequate safety or compliance with NRC safety regulations under the Atomic Energy Act, or to be a necessary or routine part of an Operating License review for this class of plants.

";;;n ;;, th; C _ i;;ien he; engelo, p;eg - (deo;;ited la NWREG-1970-end seemed ;;;;; ; 17 rith-thse-Policy C;e: r ;O the io;isde. th; ;;;;1stien-of Uneeeelved-Gefety-leeves-end-eth;; C;;;;i; Gefety-Essuesy-including-a-spectal feewe-en-eeeweing th; ;; liability ;f decay h;;; ;s sel systems-end-the-relse bilfey-ef-both-AG-end-BG-eleeteteel-supply-systemet-the-6;;;;; Accident-6eucee Teen-Peegeant-the-Gevece-Acendent-Res;;;;h Pieg; , *peesting-empecience-and S

12a

a d ete-eve 4 uet ten-v ege eding-equipment-f e44 meer-humen-eeeeess-and-et hee-s eu cc e s-e s s'enermel-eventet-and-secutiny-by-the-Of fiee-ed-inspection-and-Enf ere enent-t e menteee-tha p isty-ef plent-eensteuettent-eyeesttent-and-maintenancev--The Gemmise4en-ws41-eefstein-fes-vigfiene; in these peegress-te-effset-the-uneer-toiney-of-whethee-sign 444eent-safety-feeves-eemain-te-be-diselesedr--Endustry reseeech-end-fecessn-eeeeter-enpeetenee-eve-ense-meaningful-seueces-ef-insee-satsen, Should significant new safety information develop, from whatever source, which brings into question the Comunission's conclusion that existing plants pose no undue risk, then at that time the specific technical issues suggesting undue vulnerability will undergo close arm =4 nation and be handled by the NRC under existing procedures for issue resolutio'n including the possibility of generic rula= miring where this is justifiable. However, NRC's experience suggests that safety issues discovered through operating experience programs, quality assur-ance programa or safety analyses of ten pertain to unique characteristics of a specific plant design and, therefore, are dealt with through plant-specific modifications of relatively modest cost rather than major generic design changes.

The Severe Accident Research Program as well as NRC's extensive severe accident studies of certain individual plants will aid in determining the extent to which carefully analyzed reference plants can appropriately serve as surrogates for a class of sinflar plants as the basis for any generic conclusions. These studies will also aid in identifying the desirable scope and approach for follow-up safety studies of individual plants. Any geneM c design changes that are identified as necessary for public health and rety and for adequate protec-tion of property will be required through ruler .ing and will be consistent with the Cosmaission's backfit policy.

2. Policy for Operating Reactors -

In light of the above principles and conclusions, the Commission's policy for operating reactors includes the following guidance:

e Operating nuclear power plants require no further regulatory action to deal with severe accident issues unless significant new safety information arises to question whether there is adequate assurance of no undue risk to public safety and property.

  • In the latter event, a careful assessment shall be made of the severe accident vulnerability posed by the issue and whether this vulner-ability is plant or site specific or of generic importance.

e The most cost-effective options for reducing this vulnerability shall be identified and a decision shall be reached consistent with the cost-effectiveness criteria of the Commission's backfit policy as to which option or set of options (if any) are justifiable and required to be implemented, e In those instances where the technical issue goes beyond cufrent regulatory requirements, generic rulemaking vill be the preferred solution. In other cases, the issue should be disposed of through 13

the conventional practice of issuing Bulletins and Orders or Generic Letters where modifications are justified through backfit policy, or through plant-specific decision making along the lines of the Inte-grated Safety Assessment Program (ISAP) conception.*

e Recognizing that plant-specific PRAs have yielded valuable insights to unique plant vulnerabilities to severe accidents leading to low-cost modifications, licensees of each operating reactor will be expected to perform a limited-scope, accident safety analysis designed to discover instances (i.e. , outliers) of particular vulnerability to core melt or to unusually poor containment performance, given core-melt accidents. These plant-specific studies will serve to verify that conclusions developed from intensive severe accident safety analyses of reference or surrogate plants can be applied to each of the indidivual operating plants. During the next two years, the Commission will fotuulate a systematic approach, including the develop-ment of guidelines and procedural criteria, with an expectation that such an approach will be Laplemented by licensees of the remaining operating reactors not yet systematically analyzed in an equivalent or superior manner.

3. Policy for Operating License Applications for Plants Currently Under Construction The same severe accident policy guidance applies to applications for operating licenses (OLs) as stated above for operating nuclear power plants along with the following additional item. (This item also applies to any hearing proceed-ings that might arise for an operating reactor.)

e The Geum 4eeten intende ee reserve fee its own delibeestiene the resolutten ei severe eeefdent 4semes effecting plante under eenstrue-elen, Therefevey individualv Individual licensing proceedings are not appropriate forums for a broad examination of the Commission's

. regulatory requirements policies relating to evaluation, control and mitigation of accidents more severe than the design basis (Class 9).

Simileelyy netwithstanding the Glass 9 eeefdents review eequirements for envivenmental hearings of the Gemmisstenis The Commission has announced a policy regarding Class 9 accident environmental reviews and hearings in its Statement of Interta Policy on " Nuclear Power l Plant Accident Considerations Under the National Environmental Policy Act of 1969" (45 FR 40101, June 13, 1980), and expects tct continue

~

this policy. the espebility of eureent deetgas er precedures fee eateenettves therete) The environmental issues deal essentially with the estimation and description of the risk oj[ severe accidents.

The Commission believes that considerations which go beyond that tot the possible need for safety measures to control or mitigate severe accidents in addition to those required for conformance with the Commission's safety regulations, should not be addressed in case-related safety I hearings.

  • See " Integrated Safety Assessment Program (ISAP) " (SECY-84-133, March 23, 1984.

e l

14

SECRETARIAT RECORD Enclosure 2 i

NUREG-1070 NRC POLICY ON FUTURE REACTOR DESIGNS:

DECISIONS ON SEVERE ACCIDENT ISSUES IN NUCLEAR POWER PLANT REGULATIONS November 16, 1984 e

NUREG-1070 NRC Policy on Future Reactor Designs l Decisions on Severe Accident issues in Nuclear Power Plant Regulation i

i U.S. Nuclear Regulatory l Commission Office of Nuclear Reactor Regulation

,ef" "*%, _

(Y}

.,; e,//

k

, NUREG-1070 1

=e ,

NRC Policy on Future Reactor Designs Decisions on Severe Accident issues in Nuclear Power Plant Regulation Manuscript Completed: August 1984 Date Published: October 1984 Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, D.C. 20555

,p s, s /

--.-,,y .-,,-- ----__,- --- ._. - ,_ _ _ _,- _ _ . - _ _ _ m.., - -- ,_ _ ---- ___ r--_ .-- -- - , - - . - , _.

ABSTRACT On April 13, 1983, the U.S. Nuclear Regulatory Commission issued for public comment a " Proposed Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation" (48 FR 16014). This report presents and discusses the Commission's final version of that policy statement now entitled,

" Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants." It provides an overview of comments received from the public and the Advisory Committee on Reactor Safeguards and the staff response to these.

In addition to the Policy Statement, the report discusses how the policies of this statement relate to other NRC programs, including the Severe Accident Re-search Program; the implementation of safety measures resulting from lessons

  • learned in the accident at Three Mile Island; safety goal development; the reso-lution of Unresolved Safety Issues and other Generic Safety Issues; and possible revisions of rules or regulatory requirements resulting from the Severe Accident Source Term Progras. Also discussed are the main features of a generic decision strategy for resolving Regulatory Questions and Technical Issues relating to severe accidents; the development and regulatory use of new safety information; the treatment of uncertainty in severe accident decision making; and the devel-opeent and implementation of a Systems Reliability Program for both existing and future plants to ensure that the realized level of safety is commensurate with the safety analyses used in regulatory decisions.

Since this report does not contain any requests for information, an Office of Management and Budget approval is not required.

0 4

m iii

CONTENTS ESSE A85 TRACT.............................................................. iii I. INTRODUCTION..................................................... 1 II. FEDERAL REGISTER NOTICE PREAMBLE AND SIGNATURE BLOCK FOR COP 91ISSION POLICY STATEMENT ON ISSUES FOR NEW STANDARD REACTOR DESIGNS AND SEVERE ACCIDENTS ............................ 3

' III. POLICY STATEMENT ON SEVERE REACTOR ACCIDENTS REGARDING FUTURE DESIGNS AND EXISTING PLANTS...................................... 7 A. Introduction................................................ 7

, B. Pol icy for New Plant App 11 cations. . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1. Introduction..................................:........ 9
2. Criteria and Procedural Requirements................... 9
3. Application of Criteria for Different Types of OL and CP Applications.................................... 13
a. Approval or Certification of Reference Designs with No Previous FDA.............................. 13
b. Approval or Certification of Reference Designs P re v i o u s ly G ra n ted a n FDA . . . . . . . . . . . . . . . . . . . . . . . . . 14
c. A Reactivated Construction Permit Application.....

~

15

d. A New Custom Plant Construction Permit App 11 cation........................................ 15 C. Policy for Existing P1 ants./................................ 15
1. Some General Principles of Policy Development.......... 15
2. Policy for Operating Reactors.......................... 17
3. Policy for Operating License Applications for Plants Currently Under Construction........................... 18 IV. SEVERE ACCIDENT PR0 GRAM.......................................... 19 A. The Need for Forward-Looking Policy Development in the Context of an Ongoing Severe Accident Program............... 19

, B. Lessons Learned from Three Mile Island...................... 20 l

C. Generic Decision Strategy................................... 21 i

1. Severe Accident Source Term Program.................... 21
2. Deterministic and Risk Analysis Approaches to Address Regulatory Questions and Technical Issues.............. 22

, 3. Treatment of Uncertainty in Decision Making............ 28 l

l D. Exclusion of Policies and Issues Being Addressed Separately. 29

1. Revision of Standardization Regulations and Policy..... 29 i
2. Systems Reliability Program............................ 29 ,
3. Safety Goals and the PRA Reference Document............ 30 1,

v I

{

CONTENTS (Continued)

Pa21

4. Unresolved Safety Issues, Generic Scfety Issues, and Other Developments............. ....................... 31 E. Development and Use of New Safety Information................ 32
1. Research Results and Operating Reactor Information...... 32
2. Industry Degraded Core Rulemaking Results............... 33
3. Foreign Reactor and Regulatory Experience............... 33
4. Integration of Insights from Review of New Designs...... 34 i

V.

COMMENTS ON POLICY DEVELOPMENT AND STAFF RESPONSE................. 35 A. Advi sory Committee on Reactor Safeguards. . . . . . . . . . . . . . . . . . . . . 35 B. Public Comments: An 0verview................................ 43 1

1.

2.

Introduction............................................. 43 Representative Comments on Proposed Policy Statement..... 44

3. Abstracts of Comments and Staff Response................. 47

{ VI. REFERENCES........................................................ 75 t

VII. GLOSSARY.......................................................... 79 APPENDICES ..

, A. CURRENT INFORMATION BEARING ON THE NEED FOR GENERIC DESIGN CHANGES OR FURTHER REGULATORY CHANGES AFFECTING NUCLEAR POWE R P LANT S . . . . . . . . . . . . . . . . . . . . . . . . . .'. . . . . . . . . . . . . . . . . . . . . . . . . . . 85 I.

Introduction:

The Need for Forward-Looking Polic Development......................................y ......... 87 II. Technological Maturation and the Outlook for Surprising Developments............................................... 93 .

III. Modifications of Nuclear Plants Because of Significant Operating Events........................................... 97 IV. Perspectives on the Need to Reduce Severe Accident Risk Drawn from Probabilistic Risk Assessment. . . . . . . . . . . . . . 101 V. Experience with PRA as a Safety Analysis Technique......... 109 VI. Modifications Due to Construction and Operating Reactor Expe r i e n c e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 VII. Generic Insights from Projects of the Severe Accident Research P1an.............................................. 121 VIII., Conclusions................................................ 131 B. TREATMENT OF UNCERTAINTY IN SEVERE ACCIDENT PROGRAM............... 133 I. Analysis Uncertainty....................................... 135 II. Generic Applicability of Reference Plants.................. 137 III. Decision Makers' Preferences............................... 139 C. ACRS REPORTS ON SEVERE ACCIDENT POLICY DEVELOPMENT................ 141 i

vi

TABLES -

Table fage 1 COMMENTERS AND THEIR AFFILI ATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 A.1 REACTOR ACCIDENT CONSEQUENCES, IN ORDER OF DIMINISHING IMPORTANCE................................................... 103 A.2 INSIGHTS FROM PREVIOUS PROBABILISTIC RISK ASSESSMENTS........ 111 f

' A.3 PLANT MODIFICATIONS BASED ON PROBA8ILISTIC RISK ASSESSMENTS.. 112 A.4 DOCUMENTARY SOURCES OF INFORMATION TO UNDERSTAND THE NATURE AND IMPORTANCE OF SAFETY MODIFICATIONS....................... 116 A.5 AE00 SOURCES OF REACTOR OPERATIONAL DATA..................... 119 A.6 ESTIMATED FREQUENCIES OF CORE MELT AND MOST IMPORTANT SEVERE ACCIDENT SEQUENCES FROM PUBLISHED PRAs....................... 124 A.7 ACCIDENT SEQUENCES IDENTIFIED BY ASEP THAT DOMINATE PROBABILITY OF CORE MELT FOR PWRs AND BWRs................... 126 I

vii

I. INTRODUCTION On April 13, 1983, the Comission published for public comment a " Proposed Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation" (48 FR 16014). The present Policy Statement (see Chapter III) takes into account the comments received from the public and the Advisory Com-mittee on Reactor Safeguards as wel1 as data and analyses arising from exper-ience and research developed since that time. It deals with two classes of plants: those that now exist (operating or under construction) and those that may be constructed in the future. The Comission's policy on severe accidents began to change soon after the accident at Three Mile Island (TMI) Unit 2 in

. March 1979. A large number of changes in plant design and operating procedures of nuclear power plants were mandated by the Commission following various investigations of the causes of the TMI accident and a general' probing of vul-nerabilities of severe accident risk in other types of plants. Following the initial priority for changes given to operating plants and plants under con-struction, a separate set of requirements was developed for applicants whose Construction Permit (CP) review had been interrupted. This last set of require-ments, embodied in the Construction Permit / Manufacturing License Rule (herein-after, the CP Rule) was published on January 15, 1982 (47 FR 2286), and became effective on February 16, 1982.

As part of the Commission'.s response to the -TMI accident, an Action Plan (NUREG-0660, May 1980) was issued.Section II.B of that plan deals with the siting of plants and the requirements for coping with severe accidents.

Consistent with the plan, the Commission has developed two rules concerning hydrogen control in degraded core cooling accidents. The first rule was codified in 10 CFR 50.44 (c). The second was proposed on December 23, 1981 and is now pending before the Commission for final action. The concept of a generic rulemaking to reach final decisions on severe accidents also took form in the TMI Action Plan, Task II.B.8, "Rulemaking Proceeding on Degraded Core Accidents." In this plan the NRC envisioned a long-term rulemaking extending beyond 1982 to establish policy, goals, and requirements related to accidents involving core damage greater than the present design basis for all classes of

' reactors: those operating, under construction, proposed for construction, or proposed as new standard plant designs. The task also included the interim step of an Advance Notice of Proposed Rulemaking, issued on October 2, 1980 (45 FR 65474). The present Policy Statement withdraws this Advance Notice of Proposed Rulemaking.

In addition t'o the Policy Statement on Severe Reactor Accidents, this report describes other related NRC programs, including the Severe Accident Research Program; the implementation of safety measures resulting from lessons learned from the accident at Three Mile Island; safety goal development; the resolution of Unresolved Safety Issues and other Generic Safety Issues; possible revisions of rules or regulatory requirements resulting from the Severe Accident Source Term Program; and deferral of siting policy. Also discussed are the main features of a generic decision strategy for resolving Regulatory Questions and Technical Issues relating to severe accidents; the development and regulatory use of new safety information; the treatment of uncertainty in severe accident decisionmaking; and the development and implementation of an appropriate 1

Systems Reliability Program for existing and future plants to ensure that the realized level of safety is commensurate with estimates based on safety analyses used in regulatory decisions. The Program will also ensure that a systematic analysis has been made for possible significant risk contributors that otherwise might have escaped attention. The Systems Reliability Program, when developed, will achieve a balanced attention to containment performance and accident (or core melt) prevention.

5 9

2 l

II.

FEDERAL REGISTER NOTICE FOR COMISSION POLICY STATEMENT ON ISSUES FOR NEW STANDARD REACTOR DESIGNS AND SEVERE ACCIDENTS NUCLEAR REGULATORY COMISSION 10 CFR Part 50 Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants AGENCY: Nuclear Regulatory Commission i

ACTION: Policy Statement.

SUMARY: This statement describes the policy the Commission intends to use to

' resolve safety issues related to reactor accidents more severe than design basis accidents. It's main focus is on the criteria and procedures the Commis-sion intends to use to certify new standard designs for nuclear power plants.

This policy statement is a revision of the " Proposed Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation" that was published for comment on April 13, 1983 (48 FR 16014). It also serves as notice of withdrawal of the advancod notice of proposed rulemaking, " Severe Accident

Design Criteria," published on October 2, 1980 (45 FR 65474).

{ FOR FURTHER INFORMATION CONTACT:

1 Miller B.' Spangler, Special Assistant for Policy Development, Division of Systems Integration, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington D.C. 20555, Telephone: -(301) 492-7305.

SUPPLEMENTARY INFORMATION:

This policy statement sets forth the Commission's intentions for rulemakings and other regulatory actions for resolving safety issues related to reactor accidents more severe than design basis accidents. The main focus of this statement is on decision procedures involving staff approval or, optionally, Commission certifi-l cation of new standard designs for nuclear power plants. It also provides guid-ance on decision and analytical procedures for the resolution of severe accident

, issues for other classes of future plants and for existing plants (operating reactors and plants under construction for which an operating license has been applied). Severe nuclear accidents are those in which substantial damage is done to the reactor core whether or not there are serious offsite consequences.

On October 2, 1980, the Commission issued an advance notice of proposed rule-making, " Severe Accident Design Criteria," that invited public comment on long-term proposals for treating severe accident issues (45 FR 65474). By this action the Commission hereby serves notice of the withdrawal of that advance notice of proposed rulemaking.

This policy statement is a revision of the " Proposed Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation" published for public comment on April 13, 1983 (48 FR 16014). Twenty six letters of comment on the proposed policy statement wer.e received. The nuclear industry 3

generally supported the proposed policy statement and suggested several modifi-cations. Much of the criticism of the proposed policy statement by environmental groups and other interested persons focused on a perception of over-reliance on probabilistic risk assessment, especially when coupled with the Commission's

" Safety Goal Development Program" (48 FR 10772, March 14, 1983). The Policy i Statement was revised as a result of these suggestions and criticisms as well as comments by the Advisory Committee on Reactor Safeguards.

Many changes have already been implemented in existing plants as a result of the THI' Action Plan (NUREG-0660 and NUREG-0737), information resulting from NRC and industry-sponsored research, and data arising from construction and operating experience. On the basis of currently available information, the Commission concludes that existing plants pose no undue risk to public health, safety and property and sees no present basis for immediate action on generic rulemaking or other regulatory changes for these plants because of severe accident risk.

The Commission has ongoing nuclear safety programs that include: the resolution of new and several other Unresolved Safety Issues and Generic, Safety Issues; Severe Accident Source Term Program; the Severe Accident Research Program; operating experience and data evaluation regarding failure of certain Engineered Safety Features 'and safety-related equipment, human errors, and other sources of abnormal events; and scrutiny by the Office of Inspection and Enforcement to

! monitor the quality of plant construction, operation, and maintenance. Should significant new safety information become available, from whatever source, to 4

question the conclusion of "no undue risk," then the technical issues thus identified would be resolved by the NRC under its backfit policy and other existing procedures, including the possibility of generic rulemaking where this is justifiable. --

One important source of new information is the experience of NRC and the nuclear industry with plant-specific probabilistic risk assessments. Each of these analyses, which provide a detailed assessment of possible accident scenarios, has exposed relatively unique vulnerabilities to severe accidents. Generally, the undesirable risk from these unique features has been reduced to an accept-able level by low-cost changes in procedures or minor design modifications.

Accordingly, when NRC and industry interactions on :s are accident issues have progressed sufficiently to define the methods of analysis, the Commission plans to formulate an integrated systematic approach to an examination of each nuclear power plant now operating or under construction for possibly significant risk contributors that might be plant specific and might M missed absent a systematic j, search. Following the development of such an approach, an analysis will be 4 made of any plant that has not yet undergone an appropriate examination and cost-cffective changes will be made, if neecea, to ensure that there is no undue risk to public health, safety anc property. In implementing such a systematic approach, plants under corstruction that .iave not yet received an Operating License will be treated assentivly t"e same as the manner by which '

operating reactors are dealt with. Tht :v to .ay, a plant-specific review of )

severe accident vulnerabilities using this epproach is not considered to be '

necessary to deterr:ae adequate safety or comol *ance with NRC safety regula- i tions under the Atomic Energy Act, or to be a necessary or routine part of an 1 Operating License review for this class of plants, l

Regarding the decision process for certifying a new standard plant design --an l approach the Commission strongly encourages'for future plants -- the Policy ,

Statement affirms the Commission's belief that a new design for a nuclear 4

1

power plant can be shown to be acceptable for severe accident concerns if it meets the following criteria and procedural requirements:

e Demonstration of compliance with the procedural requirements and criteria of the current Commission regulations,. including the Three Mile Island requirements for new plants as reflected in the CP Rule

[10 CFR 50.34(f)];

e Demonstration of technical resolution of all applicable Unresolved Safety Issues and the medium- and high priority Generic Safety Issues, including a special focus on assuring the reliability of decay heat removal systems and the reliability of both AC and DC electrical supply systems; e Completion of a Probabilistic Risk Assessment (PRA) and consideration of the severe accident vulnerabilities the PRA exposes along with the insights that it may add to the assurance of no undue risk to public health, safety, and property;* and, -

e Completion of a staff review of the design with a conclusion of safety acceptability using an approach that stresses deterministic engineering analysis and judgment complemented by PRA.

1 Custos designs in future construction permit applications will be reviewed under j

the guidelines identified for approval or certification of standard plant designs.

Because this policy statement' is just one part of a larger program, including the Severe Accident Research Program, for resolving severe accident issues, the NRC staff is publishing concurrently with this Policy Statement a report on "NRC Policy on Future Reactor Designs: Decisions on Severe Accident Issues in Nuclear Power Plant Regulation" (NUREG-1070). In this report the Policy Statement is reprinted along with other information and appendices that provide perspective on the development and implementation of this policy and how it relates to other features of the Severe Accident Program. A copy of NUREG-1070 will be available for inspection at the Commission's Public Document koom, 1717 H Street NW.,

Washington, D.C. Free single copies of NUREG-1070 may be requested by writing to the Publication Services Section, Division of Technical Information and Document Control, U.S Nuclear Regulatory Commission, Washington, D.C. 20555.

The authority for this document is (Sec.161, Pub. L.83-703, 68 Stat. 948, as amended (42 U.S.C. 2201).

, Dated at Washington, D.C. this day of 1984.

For the Nuclear Regulatory Commission.

Samuel J. Chilk, Secretary of the Commission.

  • This criterion has an antecedent in Chapter 10, Sec.103b of the Atomic Energy Act of 1954, which states, as a regulatory objective, "to protect health and to minimize danger to life or property."

5 i

O e

9 e

6 4

III. POLICY STATEMENT ON SEVERE REACTOR ACCIDENTS REGARDING FUTURE DESIGNS AND EXISTING PLANTS A. Introduction The focus on severe accident issues in this Policy Statement is prompted by the staff's judgment that accidents of this class, which are beyond the substantial coverage of design basis events, constitute the major risk to the public asso-ciated with radioactive releases from nuclear power plant accidents. A funda-mental objective of the Commission's severe accident policy is that the Commis-sion intends to take all reasonable steps to reduce the chances of occurrence of a severe accidcat involving substantial damage to the reactor core and to mitigate the consequences of such an accident should one occur. The occurrence of a severe accident is more likely at some plants than others. In some cases, this may be attributable to deficiencies in systems designs or in operating and maintenance procedures. In all cases, the commitment of utility management to the pursuit of excellence in risk management is of critical importance. The term risk management includes accident prevention, accident management to cur-tail or retard its progression, and consequence mitigation to further limit its effects on public health and safety.

On April 13, 1983, the U.S. Nuclear Regulatory Commission issued for pubite comment a " Proposed Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation" (48 FR 16014). The public comments have been reviewed, and, on the basis of further study and consultation, the Commis-sion is issuing the present Policy Statement as a guide to regulatory decision making on the treatment of severe accident issues for existing and future nuclear reactors

  • with special focus on procedures for staff approval or, optionally, Commission certification of new standard plant designs.**

In line with its legislative mandate to ensure that nuclear power plants should pose no undue risk to public health, safety, and property, the Commission has examined an extensive range of technical issues relating to severe accident risk that have been identified since the accident at Three Mile Island. Follow-ing implementation of numerous modifications of plant design and regulatory procedures as developed t.hrough the TMI Action Plan (NUREG-0660 and NUREG-0737) and other Commission deliberations, the Commission concludes (based on current

, information and analyses) that existing plants do not pose an undue level of risk to the public. On this basis, the Commission feels there is no need for immediate action on generic rulemaking or other regulatory changes for these plants because of severe accident risk. However, the Commission plans to

. formulate an approach for a systematic safety examination of existing plants

, to determine whether particular accident vulnerabilities are present and what

  • The ters," nuclear reactor" is commonly used as a synonym for a nuclear power -

plant which, in addition to the Nuclear Steam Supply System, includes facilities and equipment denoted as Balance-of-Plant.

    • For forward referenceability of a new standard design, the applicant is being affdrded in this Policy Statement the flexibility of choosing between a Preliminary Cesign Approval (PDA), a Final Design Approval (FDA), or a Design Certification (DC). The design approvals (i.e., a PDA or FDA) would be issued following the completion of the staff's review and would be subject to challenge in individual licensing hearings. The Design Certification would be issued by the Commission following a rulemaking proceeding and cotid not be challenged in individual. hearings.

7

l cost-effective changes are desirable to ensure that there is no undue risk to public health, safety, and property.

The main purposes of this Policy St&tement follow:

e To clarify the procedures and requirements for licensing a new nuclear plant; e To consider the need for the generic rulemaking proceeding contem-plated in the TMI Action Plan commitment (NUREG-0660, Task II.B.8) on degraded core accidents, currently referred to as severe nuclear reactor accidents; e To avoid unnecessary delays of plants now under construction; e To close out for now severe accident issues for existing plants (those in operation and under construction) without. imposing further backfits unless this can be justified by new safety information; and, e To achieve improved stability and predictability of reactor regula-tion in a manner that would merit improved public confidence in our

, regulatory decision making.

The policies presented in this statement will lead to amendment of NRC regula-tions, standard review plans for licensing actions, or other decision procedures and criteria as part of NRC's ongoing Severe Accident Program. This Policy Statement makes allowance for such changes'is the result of the development of new safety information of significance for design and operating procedures.

In accordance with the activities, views, and policy developments discussed in this Policy Statement, the Commission believes that it is possible to complete its ongoing reviews of new plant designs with an expectation of fully resolving the severe accident questions in the course of the review. This belief is predicated on the availability of results from the ongoing NRC, Industry Degraded Core Rulemaking Program (IDCOR), and vendor research and insights from the Zion, Indian Point, Limerick, and other risk analyses. The review of standard designs for future cps provides incentive to industry to address ,

severe accident phenomena. Indeed, since July 1983, the staff has completed '

the reviews and has issued Final Design Approvals (FDAs) for two standard designs (General Electric Company's BWR/6 Nuclear Island Design, GESSAR II; and Combustion Engineering Incorporated's System 80 Design, CESSAR). A severe l accident review by the NRC staff of the GESSAR II design for forward reference- )

i ability is nearly complete. The review included assessment of alternative ,

l design changes for severe accident risk reduction. In addition, the staff has '

been involved with pretendering review of an application for Westinghouse l Electric Corporation's advanced pressurized water reactor design RESAR-SP/90.

In January 1984, the NRC found the RESAR-SP/90 application for a Preliminary .

Design Approval acceptable for docketing and in May 1984 the application was l docketed. Also, work has' been continuing between NRC and the Electric Power l Research Institute (EPRI) on their " LWR Standardized Future Plant Design ,

Evaluation Program." I It is assumed in this Policy Statement that, over the next 10 to 15 years, utility and commercial interest in the United States will focus on advanced 8

a

light water reactors that involve improvements but are essentially based on the technology that was demonstrated in the design, construction, and operation of more than 100 of these plants in the United States. This policy should not be viewed as prejudicial to more extensive changes in reactor designs that might be demonstrated during or beyond that time' period. Indeed, the Commission encourages the development and commercializaticn of any standard designs that realize safety and economic benefits, such as those achieved through greater simplicity; slower dynamic response to upset conditions involving accident precursor events; passive heat removal for loss-of-coolant accidents; and other characteristics that promote more efficient construction, operation, and main-tenance procedures to enhance safety, reliability, and economy.

B. Policy for New Plant Applications

1. Introduction No ember Dr. new commercial 1978. However,nuclear reactors have been ordered in the United States since the Commission has received several applications for 4

sence design approvals that are currently under review. A reference design one of the options in the Commission's standardization policy. When approved by the NRC staff, a reference design could be incorporated by reference in a new CP application and, ultimately, in an Operating License (OL) application.

During the corresponding CP and OL reviews, the NRC staff would not duplicate that portion of its review encompassed by its reference design approval.

Therefore, even in the absence of new CP applications, in order to provide guidelines for the current reference design reviews, the Commission has recog-nized the need to promptly establish the criteria by which new designs can be shown to be acceptable in. meeting severe a'ccident concerns. The Commission now believes that there exists an adequate basis from which to establish an appro-priate set of criteria.

This belief is supported by current operating reactor experience, ongoing severe accident research, and insights from a variety of risk analyses. The resultant criteria cnd procedural requirements are listed below.

2. Criteria and Procedural Requirements The Commission believes that a new design for a nuclear power plant (as well as a proposed custom plant) can be shown to be acceptable for severe accident 5

concerns if it meets the following criteria and procedural requirements:

l a. Demonstration of compliance with the procedural requireme;$ and criteria of the current Commission regulations, including De Three Mile Island requirements for new plants as reflected in the CP Rule

[10 CFR 50.34(f)];

b. Dem'o nstration of technical resolution of all applicable Unresolved Safety Issues and the medium- and high priority Generic Safety Issues, including a special focus on assuring the reliability of decay heat l removal systems and the reliability of both AC and DC electrical sup-ply systems; *
c. Completion of a Probabilistic Risk Assessment (PRA) and consideration of the severe accident vulnerabilities the PRA exposes along with the 9

l insights that it may add to the assurance of no undue risk t'o public health, safety, and property; and

d. Completion of a staff review of the design with a conclusion of safety acceptability using an approach that stresses deterministic engineer-ing analysis and judgment complemented by PRA. l l

The fundamental criteria listed above apply to the staff's review of any new design. In addressing criteria (b) and (c), the applicant for approval or i

certification of a reference design shall consider a range of alternatives and combination of alternatives to address the unresolved and generic safety issues j and to search for cost-effective reductions in the risk from severe accidents.

No cost-benefit standard has currently been certified by the Commission, although one has been proposed for trial use (NUREG-0880, Rev. 1). Such a standard, if certified, could serve as a surrogate, not only for dollar costs  ;

and benefits of a decision option, but also for other adverse and beneficial effects (soft attributes) of social significance that cannot readily be quanti-fied in commensurate units.

The following sections explain in more detail how these criteria are to be applied to the various types of reviews that the staff may encounter. It is intended that a new design would satisfy each of the fundamental criteria listed above before final approval or certification. It is recognized, however, that a new design can go through different stages or levels of approval before receiving this final approval or certification. For example, a reference design can obtain a Preliminary Design Approval (PDA) and then a Final Design Approval (FDA). The unique' circumstances 'of each design review will, therefore, require flexibility in the application of the criteria listed above. In par-ticular, the timing of the PRA requirement may differ considerably from one review to another. In addition, the licensee is encouraged to ensure that the intent of the safety requirements are accomplished during procurement, construc-tion and operation.

It is recognized that there are a diversity of PRA methods. These will continue to undergo evolutionary development as the results of research programs and '

reliability data from operating reactors become available and as innovative uses of PRA in safety decision contexts suggest better ways to achieve the benefits of these methods while guarding against their limitations or improper uses. While learning curves of these kinds will likely continue for a decade or more, it would nevertheless be constructive to consolidate this experience.

at various stages of PRA development and utilization. At the present stage of development, a number of positive uses of PRAs have been demonstrated, espe-cially in identifying: (1) those contributors to severe accident risk that are clearly dominant and hence need to be examined for cost-effective risk reduction l measures and (2) those accident sequences that are clearly insignificant risk contributors and can therefore be prudently dismissed. In-between cases are more problematic.

Accordingly, within 18 months of the publication of this severe accident state-

, ment, the staff will issue guidance on the form, purpose and role that PRAs are to play in severe accident analysis and decision making for both existing and future plant designs and what minimum criterla of adequacy PRAs should meet.

From experience to date, if. is evident that PRAs could serve as a highly useful tool in assessing the risk-reduction potential and cost-effectiveness of a 10 l

number of imaginative design options for new plants in comparison with design features of existing plants. The PRA guidance will describe the appropriate combination of deterministic and probabilistic considerations as a basis for severe accident decisions.

The proposed Commission Policy Statement on Severe Accidents issued on April 13, 1983 recognizes the need for striking a balance between accident prevention and consequence mitigation. In exploring the need for additional design or operational features in the next generation of plants to mitigate the conse-4 quences of core-melt accidents, the Commission will strike a balance between accident prevention and consequence mitigation encompassing actions that improve understanding of containment building failure characteristics and design features or emergency actions that decrease the likelihood of contain-ment building failures. Although not specifically designed to accommodate all of the hostile environments resulting from the complete spectrum of severe ac-cidents, they can contain a large fraction of the radiological inventory from a portion of the spectrum of such severe accidents. For example, large, dry con-tainments may be sufficiently capable of mitigating the consequences of a wide spectrum of core melt accidents; hence, further requirements may be unnecessary

' or, at most, upgrading current requirements to gain limited improvements of their existing capability may be necessary. The Commission expects that these matters will continue to be subjects for study (e.g., in the NRC research program and in further plant-specific studies such as the Zion and Indian Point probabilistic risk assessments).

Integrated systems analysis will be used to explore whether other containment types exhibit a functional' containment capability equivalent to that of large, dry containments. Although containment strength is an important feature to be considered in such an analysis, credits should also be given to the inherent energy and radionuclide absorption capabilities of the various designs as well as other design features that limit or control combustible gases.

It is clear that core-melt accident evaluations and containment failure evalu-ations should continue to be performed for a representative sample of operating r

plants and plants under construction and for all future plant designs. These studies should improve our understanding of the containment loading and failure characteristics for the various classes of facilities. The analyses should be as realistic as possible and should include, where appropriate, dynamic and e

static loadings from combustion of hydrogen and other combustibles, static pres-sure and temperature loadings from steam and non-condensibles, basemat penetra-tion by core-melt materials, and effects of aerosols on engineered safety fea-tures. Following the outcome of severe accident research, a clarification of containment performance expectations will be made including a decision on whether to establish new performance criteria for containment systems and, if so, what these should be.

The Commission also recognizes the importance of such potential contributors to severe accident risk as human performance and sabotage. The issues of both insider and outsider sabotage threats will be carefully analyzed and, to the extent practicable, will be emphasized as special considerations in the design and in the operating procedures developed for new plants. Likewise, the effec-tiveness of human performance will be emphasized in design and operating proce-dure development. A balanced focus will be paid to the negative impact of

+

human performance on severe accident risk as well as its potentially positive 11 .

contribution to halting or limiting the consequences of severe accident progres-sion. Design features should be emphasized that reduce the risk of early con-tainment failure, thus providing more time for the positive contributions of operator performance in curtailing severe accident consequences. Also, design features should be given special attention that serve to decrease the role of human error in the sequence of events leading to the initiation or aggravation of core degradation. In particular, methods of analysis and associated data bases are under development by the Commission's ongoing severe accident programs that will aid the analyses and corrective actions of both negative and positive human performance contributions to severe accident risk or its alleviation.

It is noted that some of the severe accident scenarios result in insignificant probability of offsite consequences, because of containment effectiveness. In this situation, there may be no clear basis for regulatory action because there is no substantial effect on public health or offsite property. However, the implementation of requirements to control occupational exposure should be con-sidered along with the relatively small effects on public health and offsite

, property for these types of severe accidents. The resolution'of cost-benefit issues in severe accident decision making is part of the NRC's Safety Goal Evaluation Program.

Although in the licensing of existing plants the Commission has determined that these plants pose no undue risk to public health and safety, this should not be viewed as implying a Commission policy that safety improvements in new plant designs should not be actively sought. The Commission fully expects that vendors engaged in designing new standard (or custom) plants will achieve a higher standard of severe. accident safety performance than their prior designs.

This expectation is based on:

e The growing volume of information from industry and government-sponsored research and operating reactor experience has improved our knowledge of specific severe accident vulnerabilities and of low-cost methods for their mitigation. Further learning on safety vulnerabili-ties and innovative methods is to be expected.

e The inherent flexibility of this Policy Statement (that permits risk-j risk tradeoffs in systems and sub-systems design). encourages thereby l

innovative ways of achieving an improved overall systems reliability l

at a reasonable cost.

I e Public acceptance, and hence investor acceptance, of nuclear tech-l nology is dependent on demonstrable progress in safety performance, t including the reduction in frequency of accident precursor events as I

well as a diminished controversy among experts as to the adequacy of nuclear safety technology.

e Further progress in severe accident risk reduction is a hedge against

the possibility that current risk estimates with their broad ranges of uncertainty might unwittingly have been optimistically biased.

e Although the severe accident risk of an individual plant may be acceptable in terms of its direct offsite regional-consequences for public health, safety and property damage, the aggregate probability (say, over a 30 year period) that one severe accident will occur in a 12

large population of reactors holds a separate and additive signifi-cance. Such an event would yield adverse spillover consequences for innocent parties in other regions (i.e. , nuclear-oriented utilities and their customers), not to mention a changed political environment for nuclear regulation itself affecting resource costs and program-matic activities.

3. Application of Criteria for Different Types of OL and CP Applications
a. Approval or Certification of Reference Designs with No Previous FDA In accordance with the Commission's standardization regulations and policy, a new reference design can be submitted for approval, first as a preliminary design and then as a final design. Correspondingly, the staff will issue a Preliminary Design Approval and a Final. Design Approval. A PDA is not, how-ever, a prerequisite for an FDA. An applicant has the option to submit FDA-level information initially and proceed directly with an FDA review. These options remain unchanged by this Policy Statement.

After a PDA application is docketed, the preliminary design can be referenced in a new CP application. The corresponding OL application would then reference the approved final design (FDA). Of course, an approved final design could also be referenced in a new CP application.

The use of an approved standard design in new CP/0L applications has received considerable attention under the Commission's legislative initiatives on single-step licensing. It should'be noted that a two-step review process for a standard design approval is not, in itself, inconsistent with single,-step licensing. To be most effective, single-step licensing presumes the existence of a previously approved design --essentially an FDA. This design could still be approved in a two-step process as long as both steps were completed in advance of the single-step licensing application.

The use of PRA in a two-step review process also raises a number of questions.

Of particular concern is the timing of the PRA requirement because the comple-tion of a comprehensive and detailed PRA may not be achievable in the absence

'of essentially complete and final detailed design information. Therefore, to require a complete PRA at the PDA stage would not be realistic. The Commis-sion's recent expa.-fence, however, indicates that a substantial amount of design detail that would permit meaningful, limited, quantitative risk 1

analysis does exist at the PDA stage. Because the Commission believes that risk analysis of this type would be a useful design tool, the Commission expects ,

that it would be completed as part of the PDA application process. A complete risk analysis would not be a prerequisite for issuance of a PDA. However, if this risk analysis is not performed in the PDA process, it will have to be provided as part of any CP application referencing the design.

If the scope of the FDA reference design application is limited to an extent that would preclude the completion of a meaningful, comprehensive PRA, the t requirement ~for a complete PRA may be waived. However, the applicant should still perform and submit supplementary risk analysis, to the extent practical, to demonstrate the adequacy of the proposed design. If a comprehensive PRA is not submitted for an FDA, a CP/0L applicant referencing the approved design would be required to submit a plant-specific PRA. For standard design approvals .,

13

.-. - . - . - . - _ . . - __ - -- - _ _ . . - - - . - =

i of restricted scope, additional limitations beyond the PRA aspects may exist.

Use of such a standard design by the license applicant may be limited by its very nature to a two-step licensing process, namely, a Construction Permit and an Operating License issued separately. This would negate some of the benefits envisioned for an approved or certified design wherein a previously approved site could be matched with it in a one-step, combined CP/0L process.

The reference design must satisfy each of the criteria stated in Section III.B.2 before an FDA can be issued. For forward referenceability of a new standard design, the applicant is being afforded in this Policy Statement the flexibility of choosing between a Preliminary Design Approval (PDA), a Final Design Approval (FDA), or a Design Certification (DC). The design approvals (i.e., a PDA or FDA) would be issued following the completion of the staff's review and would be subject to challenge'in individual licensing hearings. The Design Certifi -

cation would be issued by the Commission following a rulemaking proceeding and could not be challenged in individual hearings. cps or OLs, based on a refer-ence design that has not been approved through rulemaking, shall be subject to any design changes arising from the rulemaking proceeding in accordance with the Commission's backfit policy and regulations. The design certification would be issued for a longer duration than a design approval. The specific require-ments and procedures for obtaining design certifications or approvals will be established in a forthcoming revision to the Commission's Standardization Policy Statement.

b. Approval or Certification of Reference Designs Previously Granted

, an FDA --

In 1983, the NRC staff issued two Final Design Approvals for reference designs.

These design approvals were permitted to be incorporated by reference in OL applications where the corresponding CP application had referenced the PDA.

However, the designs were not approved for incorporation in new CP applica-tions. The Commission now believes that these designs are suitable for use in new CP and OL applications under the conditions specified below.

(1) Each reference design applicant with an existing FDA must per-form an evaluation of its design against the current revision of the Standard Review Plan in accordance with 10 CFR 50.34(g). Upon submittal of this evalua-tion, the staff will amend the existing FDA to permit the design to be referenced in new CP and OL applications.

(2) The reference design must satisfy each of the criteria stated in III.B.2 before approval or certification of the design. If a comprehensive PRA cannot be completed owing to the limited scope of the design, the applicant i shall perform supplementary risk analyses, to the extent practical, in support of the rulemaking process. As noted above, the limited scope of plant design and PRA analysis would lead to a partial loss of benefits relative to a certi-fied design in that a two-step CP/0L licensing process would be required in-j lieu of a one-step process.

(3) With regard to completion of a comprehensive PRA for a reference design, the Commission recognizes that a PRA would be more meaningful if it were based on a substantial portion of the complete facility design. Therefore, if justified to the NRC staff, completion of the PRA by the FDA applicant may 5

14

i i

d be waived. If a comprehensive PRA is not submitted by the FDA applicant for' the FDA, a CP/0L applicant referencing the design would be required to submit a plant-specific PRA.

A reference design previously granted an FDA can be converted to forward referenceability for new CP or OL applications by pursuing one of the same options of design approval or design certification as described in the preceding section for reference designs with no previous FDA. The FDA with forward referenceability would be issued following the completion of the staff's review and would be subject to challenge in individual licensing hearings. The Design Certification would be issued by the Commission following a rulemaking proceed-ing and could not be challenged in individual hearings. cps or OLs, based on a 1 reference design that has not been approved through rulemaking, shall be subject 1 to any design changes arising from the rulemaking proceeding in accorcance with the Commission's backfit policy and regulations. The design certification would be issued for a longer duration than a design approval. The specific require-ments and piocedures for obtaining design certifications or approvals will be established in a forthcoming revision to the Commission's Standardization Policy Statement,

c. A Reactivated Construction Permit Application Because of the many complex factors involved, the criteria and procedures for regulatory treatment of reactivated Construction Permits will be a matter of separate consideration apart from this Severe Accident Policy Statement.
d. A New Custom Plant Construction Permit Application It is the Commission's policy to encourage the use of reference designs in future CP applications. This does not, however, preclude the use of a custom design. Custom designs shall also be reviewed against the criteria identified in Section III.B.2. As a result of the circumstances and timing involved in the ongoing standard design review processes, the Commission expects that most, if not all, new CP applications incorporating a reference design would be based on essentially final design information. This will result in improved safety and regulatory practices, as well as reduced time to license and construct a nuclear power plant. To obtain as much of this benefit as practicable for a custom design application, the Commission will require a CP application for a custom design to include design information that is sufficiently final and complete to permit completion of an adequate plant-specific PRA. It is pos-sible, however, that an applicant referencing an approved or certified design in lieu of a custom plant would have in prospect a significantly reduced licensing fee since staff effort would not be required -- or much less would be required - for a rereview of the approved or certified design at the CP/0L stage save for those detailed changes to accommodate unique site features or other special circumstances (e.g., innovative equipment designs to meet new ASME or IEEE codes, etc.). .

C. Policy for Existing Plants i

i 1. Some General Principles of Policy Development i

The Commission has licensed about 80 nuclear plants and expects to process applications to license another 40 or 50 plants. The Commission has considered 15 s

1 1

4 j at length the question of whether generic rulemaking should be undertoken or 4

additional regulations should be issued at this time to require more capability

] in operating plants or plants under construction to improve severe accident prevention, consequence mitigation, or accident management that would halt or

delay further core degradation.

Since the accident at TMI, many changes have been implemented in existing plants

resulting from recommendations of special inquiry groups, the TMI Action Plan (NUREG-0660 and NUREG-0737), and other information arising from NRC and industry sponsored research along with failure data from construction and l operating experience. In addition, the NRC/AEC has sponsored eleven plant-specific PRAs and the industry has sponsored about as many more. The evalua-tion of severe accident risk by the interrelated deterministic and probabilistic methods has identified many refinements of current design and operating prac-l tice that are worthwhile, but has identified no need for fundamental (or major)
changes in design. .

! On the basis of currently available information, the Commission concludes that i

existing plants pose no undue risk to public health, safety, and property and sees no present basis for immediate action on generic rulemaking or other i

regulatory changes for these plants because of severe accident risk. Moreover, the Commission has ongoing programs (described in NUREG-1070 and issued con-l currently with this Policy Statement) that include: the resolution of Unresolved Safety Issues and other Generic Safety Issues, including a special focus on l assuring the reliability of decay heat removal systems and the reliability of both AC and DC electrical supply systems; the Severe Accident Source Ters

Program; the Severe Accident Research Program; operating experience and data i

evaluation regarding equipment failure, human errors, and other sources of

' abnormal events; and scrutiny by the Office of Inspection and Enforcement to monitor the quality of plant construction, operation, and maintenance. The l

Commission will maintain its vigilance in these programs to offset the uncer-tainty of whether significant safety issues remain to be disclosed. Industry

' research and foreign reactor experience are also meaningful sources of information.

One important source of new information is the experience of NRC and the nuclear industry with plant-specific probabilistic risk assessments is that each of these analyses, which provide a more detailed assessment of possible accident scenarios, has exposed relatively unique vulnerabilities to severe accidents.

Generally, the undesirable risk from these unique features has been reduced to an acceptable level by low-cost changes in procedures or minor design modifica-tions. Accordingly, when NRC and industry interactions on severe accident issues have progressed sufficiently ta dgfine the methods of analysis, the Commission plans to formulate an ih ,tegrated systematic approach to an examina-tion of each nuclear power plant now operating or under construction for possi-

ble significant risk contributors (sometimes called " outliers") that might be plant specific and might be missed absent a systematic search. Following the
development of such an approach, an analysis will be made of any plant that has not yet undergone an appropriate examination. The examination will include specific attention to containment performance in striking a balance between accident prevention and consequance mitigation. In implementing such a system-atic approach, plants under construction that have not yet received an Operating License will be treated essentially the same as the manner by which operating j reactors are dealt with. That is to say, a plant-specific review of severe 4

16 i

accident vulnerabilities using this approach is not considered to be necessary to determine adequate safety or compliance with NRC safety regulations under the Atomic Energy Act, or to be a necessary or routine part of an Operating License review for this class of plants.

Should significant new safety information develop, from whatever source, which brings into question the Commission's conclusion that existing plants pose no undue risk, then at that time the specific technical issues suggesting undue vulnerability will undergo close examination and be handled by the NRC under existing procedures for issue resolution including the possibility of generic rulemaking where this is justifiable. However, NRC's experience suggests that safety issues discovered through operat'ng experience programs, quality assur-ance programs or safety analyses ofte' pertain to unique characteristics of a specific plant design and, therefore are dealt with through plant-specific modifications of relatively modest ost rather than major generic design changes.

The Severe Accident Research P , gram as well as NRC's extensive severe accident studies of certain individual plants will aid in determining the extent to which carefully analy ed reference ,,lants can appropriately serve as surrogates for a class of similar plants as t'ie basis for any generic conclusions. These studies will also aid in identifying the desirable scope and approach for follow-up safety studies of individual plants. Any generic design changes that are identified as necessary for public health and safety and for adequate protec-tion of property will be required through rulemaking and will 'be consistent with the Commission's backfit policy. .-

2. Policy for Operating Reactors -

In light of the above principles and conclusions, the Commission's policy for operating reactors includes the following guidance:

e Operating nuclear power plants require no further regulatory action to deal with severe accident issues unless significant new safety information arises to question whether there is adequate assurance of no undue risk to public safety and property, e In the latter event, a careful assessment shall be made of the severe accident vulnerability posed by the issue and whether this vulner-ability is plant or site specific or of generic importance.

e The most cost-effective options for reducing this vulnerability shall be identified and a decision shall be reached consistent with the cost-effectiveness criteria of the Commission's backfit policy as to which option or set of options (if any) are justifiabi'e and required to be implemented.

e In those instances where the technical issue goes beyond current regulatory requirements, generic rulemaking will be the preferred solution. In other cases, the issue should be disposed of through the conventional practice of issuing Bulletins and Orders or Generic Letters where modifications are justified through backfit policy, or 17

. l through plant-specific decision making along the lines of the Inte-grated Safety Assessment Program (ISAP) conception."

e Recognizing that plant-specific PRAs have yielded valuable insights to unique plant vulnerabilities to severe accidents leading to low-cost modifications, licensees of each operating reactor will be 4

expected to perform a limited-scope, accident safety analysis designed to discover instances (i.e., outliers) of particular vulnerability to l

core melt or to unusually poor containment performance, given core-l melt accidents. These plant-specific studies will serve to verify

, that conclusions developed from intensive severe accident safety I analyses of reference or surrogate plants can be applied to each of l

the individual operating plants. During the next two years, the Commission will formulate a systematic approach, including the develops:..t of guidelines and procedural criteria, with an expecta-tion that such an approach will be implemented by licensees of the remaining operating reactors not yet systematically analyzed in an i equivalent or superior manner.

3. Policy for Operating License Applications for Plants Currently Under Construction l The same severe accident policy guidance applies to applications for operating licenses (OLs) as stated above for operating nuclear power plants along with the following additional item. (This item also applies to any hearing proceed-
ings that might arise for an operating reactor.)

e Individual licensing proceedings are not appropriate forums for a broad examination of the Commission's regulatory policies relating to evaluation, control and mitigation of accidents more severe than the design basis (Class 9). The Commission has announced a policy regard-ing Class 9 environmental reviews and hearings in its Statement of Interim Policy on " Nuclear Power Plant Accident Considerations Under the National Environmental Policy Act of 1969" (45 FR 40101, June 13,

1980), and expects to continue this policy. The environmental issues deal essentially with the estimation and description of the risk of severe accidents. The Commission believes that considerations which go beyond that to the possible need for safety measures to control or mitigate severe accidents in addition to those required for conformance with the Commission's safety regulations, should not be addressed in case-related safety hearings.
  • See " Integrated Safety Assessment Program (ISAP)," SECY 84-133, March 23, 1984.

18

IV. SEVERE ACCIDENT PROGRAM A. The Need for Forward-Looking Policy Development in the Context of an Ongoing Severe Accident Program.

The differential needs of existing and future plants for early generic policy development in treating severe accident issues is addressed in Appendix A. One of the key concerns is the predictability of what Nd safety infomation from the Severe Accident Research Program, experience du a from operating reactors and other sources might require in the way of generic changes in design having maior impact on cost considerations. The identification of design changes with

' potential for substantial risk reduction at relatively minor cost is desirable and worth consideration under the Commission's backfit policy. However, uncer-tainty over changes of these kinds does not alter significantly the stability of severe accident policy development. Moreover, it is believed that many of the likely candidates for generic changes have already been addressed for exist-ing plants in the actions associated with the lessons learned from TMI. Also, in the case of existing plants, there is no ostensible advantage in seeking to anticipate what new safety information might arise from future operating expe-rience or severe accident research because no safety or cost differentials are apparent from anticipating a change before there is sufficient information to specify it. Thus, through issuing the Policy Statement (Chapter III), the Commission establishes its intention to deal with severe accident issues of existing plants through its ongoing programs for severe accident research and through its monitoring of the safety experience of operating reactors rather than through the . instrument of generic rulemaking (unless justified by new safety information) or deliberations of ifcensing boards.

The same situation does not apply, however, for future plasts. In this case there is a demonstrable need to establish, at this time, a generic policy for severe accident decisionmaking (see Appendix A). The staff does not believe such a policy development for future plants should be delayed because of un-certainties over what new safety information might signify for possible require-ments for generic design changes having major cost impact. The analyses of currently available information in Appendix A do not suggest a high probability of changes of these kinds being required through new safety information deve-loped over the next several years--or at least not to a degree that would merit '

delay. Rather, our severe accident policy development for future plants was sensitive to such uncertainties by the following forward-looking principles of j policy conception:

l (1) Policy for future plants will serve to guide regulatory decisions for a substantial period of years beyond its introduction. To the extent that the future courses of events are assessed reasonably accurately, the policy will not quickly become obsolete or reduce the cost effectiveness l

of these decisions.

l l (2) Fonvard-looking policy will have sufficient flexibility to accommodate i

those events not wholly or accurately predicted as to their specific l nature, timing, or magnitude of importance. ,

( (3) Forward-looking policy needs to be developed in a manner that would en-t l

courage innovative ways of achieving superior safety levels at reasonable costs. A highly prescriptive set of technical performance criteria for l 19 l

. _ _ - . _ - _ _ _ _ _ _ _ _ _ _ _ _ __.______ _ _ --- __~ -

l, l

functions important to severe accident safety would have the effect of preventing the sort of risk-risk tradeoff decisions in plant design that might achieve such optimal results.

Ongoing NRC programs relating directly or indirectly to the treatment of severe accident issues lend strategic support to the above forward-looking

! aspects of the Policy for Severe Reactor Accidents. These programs will aid

[ severe accident decision making for both existing and future plants by identi-

, fying the greatest vulnerabilities of plant design and operating procedures to  ;

. severs accident re k. Also, these programs will supply information useful to

! detemine the most cost-effective means of risk reduction for existing plants and desirable risk-risk tradeoffs in new plant design that would optimize over-i all safety and economy in reactor design and operation, among other regulatory considerations.

l Thus, the overall strategy of the Policy for Severe Reactor Accidents cannot be well understood except in the largar perspective of the Severe Accident Program

described below and in the Appendices. Included in the ongoing severe accident i programs are elements that have a life of their own: the completion of regu-latory actions in the TMI Action Plan; the Severe Accident Research Program; the Severe Accident Source Term Program; the resolution of Unresolved Safety Issues l' ,and other generic issues already prioritized; the completion of Safety Goal Policy formulation, including safety goal evaluation and the development of an i

implementation plan; the development of the PRA Reference Document (NUREG-1050,

February 1984) and related risk assessment programs; the planned revision of our standardization regulations; the continuing program for Analysis and Evaluation of Operational ' Data (AE00); and reliability engineering initiatives to evaluate, with utilities and vendors, the benefits from. reliability programs

, for both existing and future plants to ensure that the realized level of safety

. is commensurate with the safety assessments in regulatory decisions. Other on-I going efforts supportive of the activities and objectives of the Severe Accident i

Program include: NRC cooperation with industry in identifying and treating technical issues important to severe accident risk reduction (e.g. , the Industry Degraded Core Rulemaking Program); determination of the proper blend of the i mutually supportive deterministic and risk analysis approaches to address

Regulatory Questions and Technical Issues important to severe accident decision making; methods of treating uncertainty in decision making including a proper scoping of decision criteria; and integration into severe accident decision
making of insight from review of new designs and foreign reactor and regulatory i experience. A brief summary follows of the various features of the NRC Severe i Accident Program.

B. Lessons Learned from Three Mile Island l The lessons learned from TMI have been applied to operating plants and plants i in operating license review. The lessons are summarized as licensing require-

, ments for operating plants and plants under construction in " Clarification of i TMI Action Plan Requirements" (NUREG-0737, November 1980). The TMI Action Plan

1ed to the requirement of over 6,400 separate action items for operating reactors i and Near-Term Operating Licenses (5 NTOLs) (NUREG-0737). Of these, about 5,700
(or 88%) are now complete. All Action Plan items approved in NUREG-0737 for
operating reactors are expected to be completed by the end of Fiscal Year 1985.

l 20

There were 132 different types of action items approved in the Action Plan (an average of 90 actions per plant). Of this total, 39 involved equipment backfit items, 31 involved procedural changes, and 62 required analyses and reports.

Few of the individual equipment backfit changes involved were estimated to cost over a million dollars. It is impractical to quantify all of the safety improvements obtained by these many changes. Nevertheless, the cumulative l effect is undoubtedly a significant improvement in safety.

Because effective implementation of the actions summarized in NUREG-0737 have significantly upgraded nuclear power plant sa.fety, a more deliberate rather than expedient approach to decision making on severe accidents is warranted.

. Other features of the NRC Severe Accident Program discussed below constitute such a deliberate approach to severe accident decision making.

C. Generic Decision Strategy There are several areas of regulatory activity besides the immediate issues of reactor licensing that relate to severe accidents and that require attention to severe accident analysis and decision making. These include: severe accident source term review; what is an appropriate blend of deterministic and risk analysis approaches in addressing Regulatory Questions and Technical Issues related to severe accidents; and what are appropriate procedures for the treat-ment of uncertainty over risk assessments in decision making. This section addresses these three aspects of generic decision strategy related to severe accident issues not directly dealt with in the Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants (Chapter III).

1. Severe Accident Source Term Program .

By " source term" is meant the description of fission products released by a reactor accident. However, several different source term usages are found in the regulatory process ranging.from the releases calculated using TID-14844 (10 CFR 100.11b) to the source terms calculated in the Reactor Safety Study * (See also 10 CFR 50.47). The NRC and others are now engaged in an extensive study of severe accident source terms that is expected to provide more realistic estimates of the fission product releases that can be expected in reactor accidents. This study consists of a systematic analysis of the releases associ-

~

ated with the most important accident sequences for a set of reference plants, using the best available methods. The plants were chosen to be representative of each principal reactor and containment combination found in existing plants.

, Shortly after peer review by a Committee of the American Physical Society, which is targeted for completion by the end of 1984, the results of the NRC source term studies will be available to be used in considering what, if any ,regula-tory requirements, rules, or guidance documents involving source term applica-tions in the regulatory process need revision.

Because of the variable design characteristics of numerous plants and the wide diversity in the timing and release levels of fission products for the many accident scenarios involving such releases, source term revision is a highly

  • Formerly, WASH-1400; now available as NUREG/75-014.

21

complex subject. Accordingly, an important feature of the Severe Accident Source Term Program is the establishment of an appropriate set of procedures and guidelines for individual applications of an appropriate state-of-the-art methodolcgy for calculating various source terms used in severe accident risk analysis of existing or future plants.

2. Deterministic and Risk Analysis Approaches to Address Regulatory Questions and Technical Issues The primary question addressed by NRC's Severe Accident Research Program is as follows:

What changes, if any, should be made in nuclear reactor regulation to account for accidents involving core damage greater than the present design basis, including core meltdown accidents?

The question applies to existing reactors (in operation or under construction) and to future reactors. There will be feedback from the existing plant deci-sion process to the standard plant certification process, and vice versa. The primary question has been broken down into its component questions, called Regulatory Questions, as follows:

e How safe are the existing plants with respect lo severe accidents?

! e How can the level of protection for severe accidents be increased?

e What additional research or information is needed?

e Is additional pro.tection for sev.ere accidents needed or desirable?

A number of Technical Issues will be addressed and positions taken on them in order to help provide reasoned answers to these Regulatory Questions. The NRC staff and IDCOR representatives have developed a joint list of more than 50 l Technical Issues that was reviewed by the ACRS. In the NRC and IDCOR technical exchange meetings, discussions are being held to identify issues for which

.there is general agreement, issues where there is disagreement, and issues where the state of information is inadequate to support decisions. Agreement will also be sought on descriptions of the magnitude of the uncertainties associated with the issues. If the uncertainties are too large, that alone may form the basis for a decision or some decision basis may exist other than an accurate understanding of the issue. If further research can substantially narrow the uncertainty at reasonable cost, it may be better to defer the decision.

The major Technical Issues with respect to severe accidents are the following:

(1) Severe Accident Phenomenology e Progression of core melt in the reactor coolant system o Loading of the containment e Response of the containment and other essential equipment e Fission product release and transport e Ex-containment fission product transport and consequences 22 i

(2) Safety Assessment

e. Characterization of plants and severe accident sequences e Assessment of existing plants e Assessment of plants with modifications Preliminary evaluation suggests that other issues. are either subordinate to these major issues or are signficantly less important for answering the Re-gulatory Questions. However, it is the staff's intent to refine its judgment of the relative priorities to be accorded to the approximately 50 Technical Issues so that the Severe Accident Program can focus on those issues that matter the most regarding severe accident risk reduction or the need to reduc's uncer-tainty surrounding their assessment as risk contributors.

Approach to Answering Regulatory Questions.

The Proposed Commission Policy Statement on Severe Accidents, published on April 13,1983, suggested a three-step process for arriving at severe accident decisions for existing plants. First, quantitative risk assessment techniques were to be used to estimate the relative importance of potential nuclear power plant accident sequences where sufficient data exist to make comparisons.

Second, a range of possible design and operational changes to improve accident prevention and consequence mitigation capabilities were to be studied to deter-mine the costs and safety benefits of backfitting them to plants in operation or under construction. Finally, using engineering and policy judgment, comple-mented by probabilistic risk assessment (PRA) where appropriate, the NRC was to make decisions on whether reductions in stvere accident risk are necessary. If risk reductions should prove necessary, research should tell how best to achieve them, whether by accident prevention or consequence mitigation, or by a balance of the two. The approach was criticized for placing too much reliance on PRA.

The Commission has decided on an approach for severe accidents that jointly

. relies on deterministic engineering analysis and on PRA, consistent with the known strengths and weaknesses of the two methods and the technical state of the art. The approach will be primarily deterministic in character, relying importantly on engineering analysis of (a) LWR safety performance; (b) the estimated response of existing plants to postulated core-melt accidents; and (c) potential performance objectives, hardware changes, and operational con-trols or procedures that could qualify as backfit options to improve safety or decrease uncertainty for severe accidents. This approach will include a cataloging and assessment of the relevant considerations for understanding the hazard that severe accidents pose, including some sense of their probability of occurrence. The process does not place primary reliance on PRA but will use quantitative engineering analysis where supported by data and justified by a full consideration of uncertainties. PRA will be of value in cataloging and arranging in order of significance the accident sequences representing important challenges to containment and associated containment response for the " internal events" and in providing a useful perspective on risk judgments. PRA has the advantages of most direct comparability with the Commission's Proposed Safety Goals and of direct utility in NRC's required system of Regulatory Analysis for all new generic requirements. It is difficult to prescribe a_ prioef the weight to be given PRA in severe accident decision making. The weight wifT vary among the Technical Issues and the extent to which ongoing or past research has reduced uncertainty about them.

23

In summary, NRC's Severe Accident Program uses an approach that stressits det'er-

' ministic engineering analysis and judgment, complemented by PRA. It is not appropriate to draw a hard curtain between the methods of deterministic engi-neerin analysis and more quantitative assessment using fault tree / event tree logic c." the causes and sequences of multiple failures that potentially could lead to a severe reactor accident. It is more useful and accurate to consider the PRA approach to be an extension and refinement of the deterministic method.

This is based on the fact that the PRA approach actually demands more from

" deterministic" analysis than does the deterministic approach as traditionally used. More extensive and realistic deterministic analyses are required in PRA to define success criteria and estimate the progression of the various accident sequences in order to project consequences. Furthermore, some qualitative judgmental use must be made of probabilistic risk considerations even in a j

purely deterministic approach in the selection of design-basis accidents and i conclusions regarding undue risk to the public. Thus, attempting to separate and consider the approaches on an "either/or" basis masks the fact that each contains essential elements of the other, and that the PRA approach tends to

extend, refine, and quantify the deterministic approach and its uncertainties.

The discussion to follow makes a somewhat artificial distinction between these 4 methods to illuminate their salient procedural elements and the kinds of skills and desired information to execute them effectively as an aid to severe accident i decisionmaking for existing and future plants.

Methods of Evaluation.

In its approach, the staff will provide analysis and data from the design, operations, and performance points of view. The staff will initially assemble deterministic engineering analyses of typical plants for a. range of severe accidents. Next, the staff will review and update the available probabilistic risk analyses of plants. Finally, the staff will develop a set of policy papers on important aspects of severe accident risk. The information available from these three sources will be consolidated into an assessment of the level of safety presently achieved by existing plants for severe accidents. The three complementary and interrelated methods are elaborated below.

Evaluation Method 1 (Deterministic) uses a safety evaluation that is determi-nistic in nature (i.e., the effort will place strong emphasis on NRC's tradi-i tional, deterministic engineering analysis methods). The safety of existing plants will be realistically estimated by evaluating some typical plants for a selected set of severe accidents in a manner like that currently used for postu-i lated accidents within the design basis. In important areas of the evaluation 1

(such as the definition of the severe accidents to be considered), more than one approach will be used.

Severe accidents with a wide range of consequences will be considered. To study the severe accident performance capability of typical plants, the staff (using insights from PRA) will select the most important severe accidents from a public health and safety perspective. To ensure completeness in the selec-tion process, three different ways will be used to identify representative acci-dent sequences. The final selection will be based on the combined results of the three methods. First, severe accident sequences will be selected based on i

available PRA studies. Events with an estimated probability of occurrence suf-I ficient to cause a concern will be considered together with severe accidents 1

24

that lead to a level of risk causing a concern. Second, severe accident se-quences, which start with the same initiating events required for design basis accidents (originally selected by engineering judgment), will be added and then combined with multiple equipment failures and' operator errors to better match operating experience.

Finally, important severe accident sequences will be added by grouping severe accidents into categories based on core-melt progression and containment per-formance. The staff will consider degraded core accidents like TMI, core melting within the vessel, vessel melt-through, and basemat melt-through. The containment performance categories will include small containment leakage, large containment leakage, containment bypass, and early and late containment failures. Severe accident sequences that could yield the various categories will be identified based on current knowledge and engineering judgment. The emphasis will be on identifying a complete set of qualitatively distinct se-quences. Special attention will be paid through PRA insights to the identi-fication of sequences leading to very large releases or source terms and hence offsite consequences of serious concern.

Results of accident precursor studies will be factored into the event selection processes. In selecting models of operator actions, the emphasis will be on discerning essential operator actions rather than assessing all operator actions.

Some combination of elements of the three methods, including discussion and integrative judgment, will go into a final selection and documentation of the important severe accidents.

Although all known accident initiators will be addressed, some possible acci-dent sequences will be excluded from further corsideration where data and analysis are available to support their exclusion. Where this is done, there will be documentation of the basis. Other events or accident sequences will be considered and addressed in the best way possible, again documenting the basis (e.g., large earthquakes and sabotage). Where feasible, uncertainties related to the deterministic method will be addressed below under Evaluation Method 2.

Evaluation Method 2 (Quantitative Risk Assessments) is used to extend and complement the deterministic engineering analysis. In this method the staff l will derive generic safety insights for classes of plants by evaluating the results of the many existing probabilistic risk analyses. NRC experience with the use of PRA in specific licensing actions will be factored into the overall assessment of severe accident safety for existing plants and future

, plant designs. Examples include PRAs developed for Indian Point, Zion, l Limerick, Shoreham, Seabrook, Millstone 3, and GESSAR II. The IOCOR review i

of existing PRAs and engineering analysis of four reference design plants (Zion, Sequoyah, Peach Bottom, and Grand Gulf) also will be factored in.

From the PRAs, the safety of existing and future plants from severe accidents will be measured in terms of:

e Identification of accident sequences likely to dominate severe accident risk e Likelihood and potential consequences of these sequences 25

e Overall plant risk (i.e., offsite risks resulting from release of radioactive material from the plant)

The uncertainties associated with these estimates will be discussed and de-scribed quantitatively wherever possible. Principal uncertainties to be de-scribed for PRA and deterministic *sk analyses include:

(1) Problems with identifying outi 1 associated with individual plant siting, design or operation idiosyncrac .;

(2) Limitations of the data base; (3) Limitations of the state-of-the-art of risk analysis (quantitative or qualitative);

(4) Limitations of existing PRAs (e.g., selection of initiating events, treatment of common-cause failures and consequential failures, equip-ment performance in the accident environment, and treatment of human performance):

e Modeling capability (accident phenomenology, human performance, consequence analysis) e Variability (capability of the analyst, analytic procedures, quality assurance) e Completeness in identifying important accident sequences (5) Potential initiating events less amenable to PRA (e.g., large earth-quakes, hurricanes and sabotage).

Evaluation Method 3 (Policy Papers) involves the development of a set of policy

, papers to provide guidance on the desired treatment of issues on severe accident i

risk of existing and future plants. In 1984 and 1985, the NRC will begin to communicate its understanding of the importance of the following considerations regarding severe accident safety of existing and future plants:

l l

(1) Design experience:

e Intention and value of defense-in-depth design philosophy e Inherent margins fo" events beyond the design basis e Design errors e Complexity of design e Identification through PRA of risk outliers in design (2) Construction experience:

e Realization of design margin e Construction errors (3) Operating experience:

e Arrival rates of serious threats to fuel, reactor coolant system, or containment (the three fission product barriers) 26

e Characteristics of the threats (e.g., operator errors, maintenance error, multiple failures) e Trends of core melt precursors e Reliance that can be placed on operators to avoid and :eanage severe accidents e Restoration of safety margin through backfit requirements The policy papers will form part of the basis for a Commission judgment on the level of safety presently achieved by existing plants for severe accidents. The .

relative weights to be accorded these various factors in decision making and possible tradeoffs among the factors will be considered.

The integration of insights from the three complementary evaluation methods described above will comprise the basis for NRC views on severe accident safety.

These overall views will be summarized in the following ways:

(1) NRC's expectations regarding severe accideLis in the future.

(2) NRC's best assessment of the present capability and uncertainty of nuclear power plants to cope with severe accidents in terms of the following:

l e Accident prevention e Accident management e Consequence mitigation I

To address the question of how severe accident protection might be increased, the NRC will study potential improvements from design, performance, and cost perspectives. A list of potential alternative improvements for severe accident safety has been developed in the Severe Accident Research Program (SARP). These improvements are divided into the categories of prevention, management and miti-gation. The NRC will initiate an effort to ensure that the set of alternatives and categories is complete. To test for completeness the NRC will consult with i

' the Advisory Committee on Reactor Safeguards (ACRS), industry, national labora-tory experts and other interested members of the public. It is clear at this point that more alternatives are identifiable than will merit detailed evalua-tion or implementation. It is also clear that, following evaluation, some alternatives will be more desirable than others. It is NRC's intention to select a course of action from among the potential improvements in a demon-strable, visible manner with confidence and to be able to share the reasons for i its conclusions with others. To aid this selection process, the staff will l

continue to use selected decision analysis methods to choose among the alter-natives. To assess the overall value of each alternative, the staff will ,

develop a set of decision considerations or attributes. These attributes, although applicable to all alternatives, will not be of equal importance.

I Thus, a set of weighting factors will be used to reflect the relative import-ance of each attribute in assessing their overall value in support of the objectives of onging NRC programs. As the more promising alternatives are thus 27 I

i

_ _ ~- ___ ___,,.,~._ _ _ _ ____.o_,,_-,,,_ -. __- . - . - _.- .-.. _.--, _,

identified, the NRC staff will augment or eliminate work in SARP to promote effective achievement of the Program objectives.

Cost-benefit analysis will be developed to aid decision making on whether addi-tional protection for severe accidents is needed. It will take the form of a regulatory analysis consistent with present internal hRC procedures for consid-ering whether to impose new generic requirements. This analysis will display in a consistent standardized format the costs, benefits, and uncertainties asso-ciated with modifications including:

(1) Estimated benefits e Reduction of offsite public safety and health effects and property damage e Reduction of accidental occupational exposure (2) Estimated costs e Industry implementation and operating costs that ultimately affect ratepayer costs e NRC costs e Possible adverse safety effects e Possible increase of routine occupational exposure The Commission will then select which of these costs and benefits should be considered in evaluating and comparing modifications and whether and how the costs or benefits not possessing common units of value should be weighted or indexed for purposes of integration.

3. Treatment of Uncertainty in Decision Making Uncertainties in knowledge affect severe accident policy at two levels. First, much of the incentive for severe accident policy development originates in the uncertainties in the level of risk posed by severe reactor accidents and in the burden placed on industry by the uncertainties in future regulatory requirements.

Thus, uncertainty reduction needs to be considered in the policy objectives.

Second, there are uncertainties surrounding reactor safety criteria development questions. The research program can narrow but cannot eliminate these uncer-tainties. Within the research program and within rulemakings, should they be warranted, decisions must be made without precise quantitative information. The unavailability of such information is due principally to the rarity of certain kinds of multiple failures leading to severe reactor accidents and the difficul-ty of simulating severe accident conditions in tests. Accordingly, there will always be substantial uncertainties in the calculation of risks, costs, and benefits, so that both prudence and sophistication of judgment will be required.

The guidelines for major.rulemakings in " Regulatory Analysis Guidelines of the-U.S. Nuclear Regulatory Commission" (NUREG/8R-0058, Rev. 1, May 1984) will be 28

i t

employed in the development of regulatory options, as well as in the documenta-tion of their pros and cons. Appendix 8 contains a discussion of the treatment of uncertainty in severe accident decision making.

D. Exclusion of Policies and Issues Being Addressed Separately This section describes the relationship between the Severe Accident Policy of Chapter III and a number of other related policy issues that are ongoing or under revision in separate NRC programs. These programs include Standardization Regulations; Systems Reliability Program; Safety Goals; and Unresolved Safety Issues. The Policy Statement does not supersede or limit the Commission's

options in any of the related programs described in this section. ,
1. Revision of Standardization Regulations and Policy The Commission's regulations governing standardization are contained in 10 CFR -

50, Appendix M (manufacturing license), Appendix N (duplicate design), and Appendix 0 (standard reference design). The related Commission policy state-4 ment, " Statement on Standardization of Nuclear Power Plants" (43 FR 38954) was i

issued on August 31, 1978, to provide specific guidelines for implementation of the Commission's standardization program, encompassing four standardization concepts: (a) the reference design concept; (b) the duplicate plant concept; i (c) the manufacturing license concept; and (d) the replicate plant concept.

Because the Commission is not aware of any plans for new CP applications in the near future, only one of these four standardization concepts remains as an active and viable option, namely, the reference design concept. For this rea-son, the Commission has decided to focus on reference design applications in its program for the resolution of severe accident considerations in future

! plants. Therefore, although the requirements in the policy statement in Chap- ,

ter III are presented in terms of reference designs, these requirements can be reviewed in a more general context as representing the minimum requirements for j all new plant designs, both custom and standard.

Chapter III of this document sets forth the conditions for approval or certi-l fication of reference designs. It is recognized that these conditions repre-t sent changes to the Commission's 1978 Standardization Policy Statement and to

'10 CFR 50, Appendix 0. Therefore, in parallel with the policy statement in '

Chapter III, the Commission is preparing corresponding changes to its standardi-zation policy and regulations.

2. Systems Reliability Program '

Among the criteria stated in Chapter III for demonstrating that a new plant design can be shown to be acceptable for severe accident concerns is the com-pletion of a PRA and consideration of the insights that it adds to assurance of no undue risk to public health, safety, and property. The staff expe' cts applicants for a design certification to optimize the design for the cost-effective Ifmitation of severe accident risk, and to develop plant-specific resolutions of Unresolved Safety Issues such as systems interactions, decay heat removal reliability, and station blackout. Systems reliability engineer-ing techniques are particularly wel suited to these tasks. Also, problems arise in the licensing of a standard plant before component procurement, con-struction, preoperational testing, or startup testing has been done. Each of f

29

I these steps surfaces problems and decisions that could, if left unattended, l alter the safety profile of the plant and invalidate the safety analysis per-formed in the mutually supportive PRA and deterministic engineering analysis methods.

It is contrary to the concept of an approved or certified design to call for an extensive new licensing safety analysis of the design as it is readied for com-mercial service. However, the licensee or applicant for a license is expected to develop a Systems Reliability Program following guidelines and procedural criteria as formulated by the NRC that develops a systematic severe accident i

' analysis approach, performance specifications, and specific monitoring proce-dures to ensure that the reliability of components and systems important to i safety are at, or remain at, a sufficient level so as to pose no undue risk i to public health, safety and property. If this program is developed and con-l scientiously implemented, then the PRA performed at the stage of new standard plant design certification becomes a "living document" with accountable trade-offs between safety and cost in the detailed design decisions arising in pro-curement, construction, preoperational testing, startup testing and the formula-tion of procedures for operations and maintenance. A Systems Reliability Pro-

gram developed in the above manner would provide safety assurance against severe j accident risk for operating plants and plants under construction as well as for future plants. NRC has research under way that will screen reliability program elements from other industries and compare these with nuclear industry practices and its regulatory approach to ensure that reliability objectives are met for systems important to safety and to prevent degradation of the reliability during operation and maintenance.

j 3. Safety Goals and the PRA Reference Document The NRC has published a proposed policy statement and regulatory guidance on safety goals in NUREG-0880, Revision 1, For Comment, May 1983.* The Commission has made it clear that its proposed safety goals are not a source of authority

! for regulatory decisions during the two year evaluation period of the safety goals. The safety goals will not be used by the staff to make severe accident decisions in this interval.

l The Commission, in its admonition not to employ the proposed safety goals in regulatory decisions, has not proscribed the use of PRA or cost-benefit con-siderations in licensing case work or reactor safety standards development.

The Commission has approved the use of PRA-based insights in generic safety issue prioritization, in the study of special requirements for plants at high population density sites, and in regulatory analysis. Applicable guidance on generic reactor safety standards development is found in NUREG/BR-0058, Rev. 1, May 1984. The regulatory analysis for major rules called for in NUREG/8R-0058

is a thorough inquiry into costs and benefits. Neither this document nor i NUREG-0880, Revision 1, spells out how the benefits of risk reduction should be compared with costs.

The staff, in making severe accident decisi w a vill draw from the research performed under the aegis of the safety goal c,.t ation program to explore safety-cost tradeoffs within the framework +. parmissible risk-risk tradeoffs. ,

  • See also " Safety Goal Development Program," 48 FR 10772, March 14, 1983.

30 1

t I

4 Several sources of perspective on the incentives for risk reduction will be drawn from the inquiry into safety-cost tradeoffs and further developed to illuminate severe accident decisions. No one formula relating risk reduction to a monetary value (e.g., $1000 per person rem averted) will be taken as definitive, pending possible establishment of guidance under the Safety Goal Development Program or independent of this Program. Rather, the range and variety of such figures of merit will be treated on the same footing as other sources of uncertainty entering into the judgmental and legal procedure of reactor safety standards development.

One of the products of the safety goal evaluation program is the PRA Reference Document, "Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application," NUREG-1050. This draft report was published for com-

~

ment in February 1984, and was published in final form in August 1984. This document contains an extensive discussion of the results of past PRAs and the strengths, weaknesses, and uncertainties of PRA methods. The supportive role of PRA in severe accident decision making, in Regulatory Analysis, and in the implementation of severe accident requirements will be tailored to the strengths and weaknesses of PRA methodology identified in the PRA Reference Document.

' The Commission intends for severe accident decisions to be fully congruent with emerging safety goal implementation policy.

4. Unresolved Safety Issues, Generic Safety Issues, and Other Developments The Commission has been pursuing resolutions to the Unresolved Safety Issues and Generic Safety Issues in separate programs. Section 210 of the Energy i

Reorganization Act of 1974, as amended, requires continued effort on those items previously identified as Unresolved Safety Issues. A total of 27 Unre-solved Safety Issues has been identified, and a final technical resolution has been achieved for 14 of these. Resolution of the remaining 13 involves (a) preparation of a regulatory analysis and its review by the NRC Committee i

to Review Generic Requirements; (b) provision of a public comment period, followed by discussion and disposition of the comments received in a final i,

report; (c) provision for the incorporation of the technical resolution into NRC Regulations, Standard Review Plans, Regulatory Guides, or other official i guidance; and (d) provision for application of the final technical resolution to all affected plants in operation or under construction.

For operating reactors and plants under construction, the Unresolved Safety Issue program will be carried out separately from the Severe Accident Program.

However, it is anticipated that the resolution of some Unresolved Safety Issues might influence actions that could be proposed for existing or future plants as a result of severe accident considerations. In particular, the resolution of station blackout, shutdown decay heat removal, and pressurized thermal shock issues might contribute to prevention and mitigation of severe accidents if design changes are required for future plants or to be backfit to l existing plants to treat these issues.

t A corresponding Commission program for the resolution of important Generic Safety Issues is also in progress (NUREG-0933). High and medium priority j issues in this category are receiving attention and the process and procedures for resolution are similar to those for Unresolved Safety Issues. This program will also be continued separately from the work on severe accidents. The re-I 31

._ - - - _ . _ _ ~

I solution of some of these Generic Safety Issues might also contribute to the prevention and mitigation of severe accidents and therefore may influence actions that might be proposed for existing or future plants as a result of further consideration of severe accidents. As stated in Chapter III, the Commission requires that applicable Unresolved Safety Issues be satisfactorily resolved on any new design before it is approved or certified. The Commission also expects that the applicable high- and medium priority Generic Safety Issues will be resolved for such plants so that there are no loose ends left that might later contribute to instability in the licensing process.

In the case of existing plants, as was noted in Section III.8.2 for new designs.

the licensee in performing cost-effectiveness analyses relating to Unresolved

.l Safety Issues and Generic Safety Issues might develop an overall cost-effectiveness of alternative design measures in reducing severe accident vulnerabilities that is greater if the various benefits of change are inte-grated. For example, the integrated benefits from improved fire and sabotage protection, shutdown decay heat removal and station blackout might be greater i than the cost-effectiveness that would be attained for modifications focusing on only one such benefit at a time.

E. Development and Use of New Safety Information

1. Research Results and Operating Reactor Information The Severe Accident Research Program (SARP) is developing a large body of information to improve understanding of the severe accident characteristics and risks of the current generation of light water reactors. The largest part of the SARP effort is dedicated to the better understanding of the physical phenomena of severe accidents and the staff's ability to model these phenomena in estimating severe accident behavior. This improved modeling capability is used in a number of ways, most notably in revised estimates of what radioactive materials are actually released to the environment in any identified severe accident sequence. The SARP also contains a substantial effort to examine all available data sources, especially the many detailed PRAs now available, to

! identify the important accident sequences for each class of reactor. This part of the SARP is called the Accident Sequence Evaluation Program (ASEP).

} Once the improved deterministic methods for estimating fission product transport and release are available, these will be used in the SARP to rebaseline or

reestimate the risk characteristics for each class of plant and systematically '

evaluate costs and benefits for candidate improvements to those reactors.

This part of the SARP is called the Severe Accident Risk Reduction Program (SARRP). These risk and risk reduction estimates will use the best available methods for estimating fission product transport and containment performance in order to obtain the most realistic results.

The results of existing PRAs, the IDCOR/NRC technical interactions, the Zion,

. Indian Point, and Limerick studies, the NRC Accident Source Term Program, and the GESSAR severe accident review will provide a base of technical information

that is generally reflective of severe accident behavior in the entire popula-
tion of existing nuclear power plants and should lead to a decrease in the

] risk of severe accidents. It is recognized, however, that the extraction from this base of technical information of conclusions that are applicable to all

~

32

l 1

l plants may be limited by those particular design features of individual plants that may significantly influence severe accident behavior. In recognition of this, the staff's review will include consideration of those elements of the technical information base that are sensitive to individual plant variations, and, if warranted, will define the appropriate specific analysis and criteria necessary to qualify individual plants to the conclusions drawn for the plants included in the technical information base.

l Any generic design changes that are identified as essential to protect public '

health and safety or as sufficiently cost-beneficial to warrant consideration for adoption will be required through rulemaking and be consistent with the Commission's then-current backfitting policy and procedures. Simple procedural changes, such as guidelines for emergency procedures, would be adopted through the authority delegated to the NRC staff. The appropriate course of action cannot be identified until the substance of the proposed change is known.

2. Industry Decraded Core Rulemaking Program Results The Industry Degraded Core Rulemaking (IDCOR) Program, under the sponsorship of the Atomic Industrial Forum, was formed to evaluate severe accident risk for existing reactors. The IDCOR group is not generating new test data but is developing new analytical models for assessing the risk of severe accident Technical Issues based on the latest available data. The Commission believes it is prerequisite to the objectives and schedules set forth in the Policy Statement on Severe Reactor Accidents in Chapter III that the IDCOR Program

. continue on its present course and schedule. The IDCOR studies are based on four reference plants that are the same as four of the six Source Term Refer-ence Plants in the NRC's Severe Accident Researen Program. As IDCOR results have come available, the NRC staff and its contractors have begun a structured technical interchange process to compare these independent models and assess-ments of severe accident behavior with work sponsored by the NRC. This inter-change is being documented and, through a system of Technical Issue papers, the staff is identifying areas of technical consensus and controversy. Thus, orderly consideration of the IDCOR work is contained in the severe accident research on existing plants.

3. Foreign Reactor and Regulatory I!xperience Especially since the TMI-2 accident, there is a common interest in the interna- ,

tional sharing of safety information obtained from research and operating l reactor experience with a view to reducing severe accident risk. To this end the Committee on the Safety of Nuclear Installations (CSNI) of the Nuclear Energy Agency (NEA) has undertaken a program to promote the sharing of tech-nical information in this field. The new program has participation by France, the Federal Republic of Germany, Italy, Japan, Sweden, the United Kingdom, and the United States. Areas of special concern include the thermal nydraulic behavior (both in-vessel and ex-vessel) of severe accident sequences, source term and fission product behavior, hydrogen and other gases, steam explosions, containment response, emergency instrumentation and equipment, and various aspects of short-term and long-term accident management. The NRC will monitor foreign reactor experience and severe accident policy developments as potential sources of new safety information that could provide insights relevant to its own policy development or revision.

33 L _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

i

4. Intearation of Insichts from Review of New Desians It is important that any resolutions of safety problems disclosed in the staff reviews of new designs or in the approval or certification process for such designs be considered for their application to existing plants (and vice versa).

The review of new designs will follow the generic decision strategy summarized in Section IV.C. New safety information will arise in this process because alternative design features will be analyzed for their comparative contributions to the probability and consequences of potential severe accident sequences as a principal means of justifying the proposed design features. However, the cost-effectiveness analysis of these design options may differ appreciably between new designs and existing plants because of the generally higher costs of back-fitting versus frontfitting (i.e., before CP approval) of safety modifications.

Accordingly, the Policy Statement in Chapter III does not assume that any new or imaginative design features proposed for new designs will necessarily, or even likely, merit backfitting to existing plants.

l

{

34

V. ComENTS ON POLICY DEVELOPMENT AND STAFF RESPONSE On April 13, 1983, the Commission published for public comment a " Proposed Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation" (48 FR 16014). The present Policy Statement takes into account the comments received from the public and other experience and informa-tion developed since that time. This section provides an overview of the public comments received and the staff response to these comments. The Com-mission also made a request to the Advisory Committee on Reactor Safeguards for its comments on the proposed Policy Statement. The ACRS response is provided below, beginning with a September 2, 1983 letter regarding ACRS' views on staff work in progress leading to the development of the present Policy Statement.

A. Advisory Committee on Reactor Safeguards On September 2, 1983, the ACRS sent a letter to the Chairman on the subject "ACRS Report on the Severe Accident Policy" (see Appendix C). In this letter the ACRS provided its views on a draft paper presented by the staff on August 5, 1983, on " Severe Accident Decisions for Existing Nuclear Power Plants." The following ACRS comments to which the staff now responds are derived from this letter.

1. The ACRS reiterated the staff's statement of the primary question to be addressed by SARP and the Commission's severe accident decision, namely:

"What changes, if any, should be made in nuclear reactor regulation to account for accidents involving core damage greater than the present design basis, including core meltdown accidents?"

The ACRS noted that, although this is probably not the only way to define the issue, it is a reasonable approach.

Staff Response: There is general agreement by NRC staff that the primary question accurately characterizes the severe accident issue.

2. The ACRS commented that the success of the staff's approach depends on further, more detailed elaboration of the primary regulatory question, on iden-tification of the information needed for such elaboration, and of the ways in which information needed for its answer is to be developed and used in reaching a conclusion.

Staff Response: The staff agrees and is at work on these us.afis. Further meetings will be held with the ACRS and its Class 9 Subcommittee to provide the elaboration of detafis and to seek agreement on the Technical Issues and the Severe Accident Research Program.

3. The ACRS urged that priority be given first to the method for answering the Regulatory Questions, and second to information that may be needed to provide the answers.

35

4 4

4 Staff Response: The staff agrees and its ongoing programs to deal with severe accidents (see Chapter IV) will develop a refinement of the Regulatory Questions.

At future ACRS meetings, the staff will describe the ongoing work to correlate the information needs with the Regulatory Questions.

i

4. In an additional comment on the decision process, the ACRS stated that, i

although Systems Assurance Analysis (SAA) may be useful for some purposes, the i

Committee did not consider it an alternative to the combined deterministic-probabilistic approach and did not recommend application of SAA to the severe

accident decision problem.

~

Staff Response: The staff agrees with this comment. No initiatives are being recommended for direct use of SAA in severe accident decision making. Since

1982 the NRC has had a program under way evaluating the potential uses of SAA l

as sources of insight for improving the combined deterministic and probabilistic approach and not as a replacement method of nuclear reactor regulation. This philosophy contrasts with that of the NASA and 000 which makes direct use of the SAA methodology for systems reliability assurance decisions. In NRC's i

approach information made available from the SAA program will be coordinated with information from the SARP. In this manner the results of systems inter-

, action analysis, failure modes and effects analyses, and systems reliability

! assurance analyses performed under the SAA program will be utilized , to the i

extent available, in the severe accident decision making process.

! 5. The ACRS observed that eventually a policy must be developed for dealing

, with decisions involving areas of considerable uncertainty and recommended that

immediate attention be given to this approach.

Staff Response: The staff agrees with this comment. As a result, several sec-

tions on the treatment of uncertainty in severe accident decision making have i been added to the present report to deal with this subject (see Section IV.C.3 I and Appendix B). By its very nature, the ongoing severe accident programs will i

entail decisions in the face of considerable uncertainty. The current process of gathering and analyzing severe accident information is attempting to fill the gaps in knowledge of severe accident occurrence and behavior. No matter how exhaustive that program might be over any reasonable period of time, there will remain substantial uncertainties in the staff's understanding of failure

frequencies and risk magnitudes in both deterministic and probabilistic analyses.

1 The use of deterministic engineering judgment does not remove or resolve un-i certainty-- it only attempts to cope with it. After a systematic search for

! improved understanding, the remaining uncertainties will be displayed and con-I sidered, and tentative judgments will be drawn. These judgments might require

certain changes in plant design or safety assurance procedures to account for

! uncertainty. The ultimate test of this process is the administrative procedure ,

! by which the program is subject to the full range of ACRS review and Commission i review and vote, coupled with a public review and coment process. The staff

l. is developing and analyzing both the technical information and the policy in-formation that needs to be considered.

1

6. The ACRS noted reference to a source term and cautioned that there are l many severe accident source terms, and that indeed the source term or terms l

i 36 t

i_..-.___ _ _ _- _ . ~ _ , . _ _ _ _ _ _ _ _ , _ __ _- _ ._

i l

used will depend markedly on the accident sequence or sequences finally chosen for analysis and decision making.

Staff Response: The staff agrees that there is no single source term that aptly

, represents the severe accident characteristics of the many possible accident sequences in the various types of plants. The staff will rely on thorough 1

analyses of various types of plants through research and licensing case reviews and IDCOR and SARP results to form the technical basis for estimating an en-semble of source terms for various types of plants.

7. The ACRS observed that the draft refers to important accident sequences, but does not make clear what measure of importance is to be used.

Staff Response: Three complementary methods are being recommended for the identification and selection of severe accident sequences (see Section IV.C.2).

When they are finalized, a summary of the ongoing work on this subject will be presented to the ACRS to facilitate further discussion and comments.

i

8. The ACRS has also suggested that the staff take into account the experience which has seen new safety issues discovered in the course of risk analyses and

, other studies.

, Staff Response: The staff agrees with this comment. Consideration of the learn-ing curve is an integral part of the selection process of accident sequences through predictive and retrospective methods. Expectations about the arrival rate of further learning experiences are also addressed as a policy issue.

9. Finally, the ACRS suggested that it is desirable that the approach proposed

, for new plants include what is learned in the development of a policy for exist-1 ing plants.

Staff Response: The staff agrees and notes that the feedback between existing nuclear power plants and future plants is now described in the Policy Statement (see Chapter III). The time needed for rulemaking for the reference design approvals will afford the staff opportunity to factor into reviews of future standard designs the lessons learned from severe accident decisions for existing nuclear power plants. Moreover, the advanced technical work now under way in

reviewing the new designs will permit early input of that information to the ongoing severe accident considerations to existing plants.

i On October 18, 1983, the ACRS sent a letter to the Executive Director for Operations on the subject " Severe Accident Decisions for Existing Nuclear Power Plants." This letter commented as follows on a revised paper on this subject prepared by the staff and discussed with the ACRS Class 9 Subcommittee on October 12, 1983, and with the full committee on October 14, 1983:

"We consider the current draft to represent an improvement over the one on l which we commented in our September 2, 1983 letter to Chairman Palladino.

We endorse the current proposal to blend deterministic and probabilistic gproaches in order to construct an appropriate regulatory framework. The i Committee also recommends that a similar approach be used for future plants.

i I

i i

I 37 l

The general approach seems reasonable. We expect to study and comment further on the relationships being established among regulatory questions, policy issues, technical questions, and the research needed to provide information not currently available.

We observe that the Severe Accident Research Program was planned before this proposed approach was developed. We recommend that those managing and performing the research be asked to ensure that such research will contribute importantly to answering the regulatory questions."

Staff Response: The staff agrees with these comments and will continue to work with the ACRS on further developments of the Severe Accident Program.

On July 18, 1984, the ACRS sent a letter to the Chairman on the subject: "ACRS Report on NUREG-1070, 'NRC Policy on Future Reactor Designs: Decisions on Severe Accident Issues in Nuclear Power Plant Regulation'" (see Appendix C).

This letter provides ACRS comments and recommendations plus additional comments by three ACRS members on the draft NUREG-1070 dated April 18, 1984. The fol-lowing ACRS comments to which the staff now responds are derived from this letter.

1. The ACRS summarized its understanding of the main features of the draft severe accident policy for existing plants as follows:

"The Risk from accidents more serious than the analyzed design basis accidents for nuclear power plants now in operation or nearing completion is acceptable subject to the resolution of Unresolved Safety Issues, to a decision on whether and how Safety Goals will be applied, and to the results of a source term rulemaking. Although some changes in equipment or procedures may be required after these programs are concluded, it is anticipated that these will not be major changes."

Staff Response: The above appears to be a reasonably succinct summary of the key features of the draft policy statement regarding existing plants. The

, staff would prefer to include in such a summary that:

1 e Ongoing severe accident programs include the resolution of other Generic Safety Issues (see pp. 5, 9 and 15) along with Unresolved Safety Issues; and e Should significant new safety information develop from whatever source, to question the Commission's conclusion that existing plants pose no undue risk, then at that time the specific technical issues suggesting undue vulnerability will undergo close examinatinn and be handled by the NRC under existing procedures for issue resolution including the possibility of generic rulenaking where this is justifiable (see p. 16).

2. Regarding the desirability of a systematic analysis using PRAs or other methods to discover possible significant risk contributors for existing plants, the ACRS made the following comment:

"In our various meetings with the NRC staff we have discussed the desir-ability of formulating some systematic approach to an examination of each c

38

t 1

i (

i nuclear power plant now operating or under construction for possible sig- I nificant risk contributors (sometimes called ' outliers') that might be I plant specific and might be missed absent a systematic search. Because previous experience indicates that systematic analysis using PRA or other methods may uncover such outliers, we believe that the policy statement should state explicitly that an appropriate approach will be developed and that an analysis will be made of any plant that has not yet undergone an

, appropriate examination. The examination should include specific attention to containment performance."

Staff Response: The staff understands the reasons for and agrees with the desirability of some approach of this general kind. In the draft NUREG-1070, the Section IV.O.2 on Systems Reliability Program stated that "the licensee or applicant for a Ifcense is encouraged to develop a systems reliability program that develops performance specifications,and monitoring procedures to assure that the reliability of components and systems important to safety remain at a sufficient level so as to pose no undue risk to public health, safety and property." Further, the staff envisions that such a program for individual operating reactors would develop some combination of deterministic engineering analysis and PRA method that would serve as a "living document" to improve 1 detection of outliers or severe accident vulnerabilities that may be unique to i

the plant design or operating procedures. Accordingly, when NRC and industry interactions on severe accident issues have progressed sufficiently to define the methods of analysis, the Commission plans to formulate an integrated systematic approach to an examination of each nuclear power plant now operat-

. ing or under construction for possible significant risk contributors that

{ might be plant specific ard might be missed absent a systematic search. Fol-lowing the development of such an approach, an analysis will be made of any plant that has not yet uu rgone an appropriate examination. In the present

Policy Statement, change < ave been made as a result of the above ACRS comments on pages 2, 4,15,17, am 30.

The staff also agrees with the ACRS concern that such a severe accident risk

, analysis should include specific attention to containment performance. Atten-l tion to the severe accident issues of containment performance was principally

addressed in the draft NUREG-1070 in Section IV.C.2 as follows:

g "The staff will consider degraded core accidents like THI, core melting 4

within the vessel, vessel melt-through, and basemat melt-through. The containment performance categories will include small containment leakage, l large containment leakage, containment bypass, and early and late contain-ment failures."

In response to the ACRS comments on the need for specific attention to contain-

, ment performance in severe accident vulnerability analysis, inserts have been

made'on pages 10-11 of the present Policy Statement. The Commission recognizes i the need for striking a balance between accident prevention and consequence i mitigation and will deal with these policy issues in its further development of i safety goals.
3. In commenting on the resolution of Unresolved Safety Issues, the ACRS gave l special recognition to the following severe accident risk issues
l 1

1 1

39 1

r "a) an appropriate approach for assuring the reliability of decay heat removal systems, and b) the appropriate reliability of electrical supplies for the power plant, both AC and DC systems."

Staff Response: The staff agrees with the special importance accorded these issues for both existing and new plants and in the present Policy Statement has provided inserts on page 5, 9 and 16 to reflect an intended emphasis on treating these issues of particular importante to our policy of defense-in-depth.

4. The ACRS letter makes note of the large research program in progress and its relationship to expectations of subsequent rulemaking, presumably involving source term revision affecting regulation of existing plants:

"There is under way a large-scale research program that concentrates on producing better information and increased understanding of the release of radioactive fission products from the reactor fuel during a severe accident, their subsequent transport outside the reactor primary pressure boundary, their behavior in the containment, and their subsequent release from the containment. We expect the results of this research to be incor-porated in a rulemaking that is likely to influence the calculated risk from accidents involving severe core damage. If these new calculations have a significant influence on our present perceptions of severe accident risk, we expect them to be followed by whatever changes in regulations, plant equipment, or operational and emergency procedures are indicated."

i Staff Response: The staff basically agrees with these views except to note that the decision as to whether a source term rulemaking will prove necessary and what ultimate form it should take is not regarded as within the scope of the present Policy Statement. However, in order to reflect more accurately cur-rent thinking on this subject, changes of nuance have been made on pages 21-22 of the present draft of NUREG-1070. These changes draw attention to a form of source term rulemaking under consideration that would involve the establishment of an appropriate set of procedures and guidelines for individual applications of the (best) state-of-the-art methodology in severe accident risk analysis of existing or future plant designs.

5. Regarding existing plants, the ACRS observes that:

"There are a number of significant efforts on the part of the nuclear industry. Activities such as the IOCOR Program, and the organization of INPO and NSAC are industry initiatives which should lead to a decrease in the risk of severe accidents."

Staff Response: The staff agrees with the expectation that the industry initia-tives noted in this comment will likely lead to a decrease in the risk of severe accidents for existing plants, although not necessarily at the same level of significance for each plant. A modification has been made to page 32 of the present draf t of NUREG-1070 in agreement with this view.

6. The ACRS comments as follows on the use of risk-cost-benefit analysis in risk management decisions for existing plants:

40

"We support the consideration of cost-effectiveness as one of the important determinants in formulating an approach to risk management in existing plants. There will, however, always be substantial uncertainties in the calculation of risks, costs, and benefits, so that both prudence and sophistication will be required."

Staff Response: The staff agrees with these views and modifications have been made on page 28 of NUREG-1070 acknowledging substantial uncertainties in the calculation of risks, costs, and benefits and the need for prudence and sophis-tication of judgment to be exercised in the treatment of uncertainty in severe accident decision making.

7. The ACRS draws the following conclusion regarding the proposed policy and ongoing severe accident programs involving existing plants:

"We believe that, taking into account the results of programs now in progress, and assuming a systematic examination of each plant, the pro-posed policy provides an acceptable basis for dealing with the severe accident issue for plants now in operation or under construction."

Staff Response: The staff is gratified with this conclusion and agrees with the underlying assumption on which the conclusion of acceptability was reached.

(See the staff response to item 2).

8. The ACRS summarized its understanding of the key features of the draft severe accident policy statement for new plants as follows:

"New plants must meet existing regulations. They will be required to deal with the resolution of all the Unresolved Safety Issues. They will be subject to any new regulations that result from the source term rulemaking.

The severe accident risk from new plants is expected to be dealt with in the foreseeable future through rulemaking for standard plants. One of the requirements of the rulemaking process will be a full scope PRA for the proposed plant. Severe accident risk will be dealt with primarily through consideration of the results and insights gained from the PRA."

Staff Response: The staff accepts this interpretation of the proposed severe accident policy with several modifications:

e All applicable medium and high priority Generic Safety Issues (in addition to Unresolved Safety Issues) will need to have a demonstra-tion of technical resolution, o While it is the Commission's policy to encourage the use of reference (or standard plant) designs in future CP applications, the proposed (and present) Policy Statement does have provisions for reviewing the acceptability of custom plant designs from the standpoint of severe accident risk. (See Section III.B.3.d., page 14),

e It is not correct to say that it is Commission policy that severe accident risk will be dealt with primarily through consideration of the results and insights gained from the PRA. It is true that a PRA is stated as one of the acceptance criteria for new plant designs, 41

whether a reference plant or custos plant design. However, the dis-cussion in Section IV.C.2 of NUREG-1070 states that the Commission has decided on an approach for severe accidents which jointly relies on deterministic engineering analysis and on PRA, consistent with the known strengths and weaknesses of the two methods and the technical state of the art (see p. 23). The approach will be primarily (empha-sis added) deterministic in character, relying importantly upon engineering analysis of (a) LWR safety performance; (b) the estimated response of existing plants to postulated core-melt accidents; and (c) potential performance objectives, hardware changes, and opera-tional controls or procedures that could qualify as backfit options to improve safety or decrease uncertainty for severe accidents.

9. The ACRS made five recommendations concerning the proposed policy for dealing with severe accident risk of new plants. The first of these states:

"There should be a statement that the policy is expected to lead to new plants producing less risk than the older ones."

Staff Response: The staff basically agrees with this view and has inserted a statement addressing this matter on page 12 of the present Policy Statement.

10. The second recommendation states:

"The policy statement indicates that heavy reliance is to be placed on the results of the required PRA in deciding whether or not the severe accident risk associated with a proposed design is acceptable. Guidance on the required scope of the PRA and the way it is to be used are probably not appropriate to a policy statement. However, the policy statement should say that such guidance will be developed. We approve of the general approach of using a combination of deterministic and probabilistic con-siderations to provide the information on which a decision is to be based."

Staff Response: Whether the weight (or reliance) to be placed on the PRA results is to be heavy or light is discussed in Section IV.C.2 of NUREG-1070 (page 23) with the notation that the weight will vary among the Technical Issues and the extent to which ongoing or past research has reduced uncertainty about them. The staff accepts the ACRS recommendation of the need for guidance on the general approach of using a combination of deterministic and probabilis-tic considerations to provide the key information on which severe accident decisions for new plants is to be based. This is addressed by a statement inserted on page 10 of the present Policy Statement.

11. The third recommendation is stated as follows:

"The policy statement should speak to some balance between prevention and mitigation of risk. As a minimum, some clarification of containment per-formance expectations should be given. If the NRC Staff has concluded that performance criteria cannot be formulated at this time, the statement should say that such criteria or some appropriate description of expected performance will be formulated."

Staff Response: In the proposed Policy Staterrent on Severe Accidents issued on April 13, 1983, the Commission recognized the need for striking a balance 42

between accident prevention and consequence mitigation. The determination of what that balance should be is appropriately the work of several elements of the Commission's ongoing severe accident program, namely, the Severe Accident Research Program, the Source Term Program, the resolution of several key Unresolved Safety Issues, and the Safety Goal Program. Nevertheless, the staff agrees with the recommendation that the present Severe Accident Policy State-ment should state that clarification of containment performance expectations will be developed. This statement along with a discussion of containment per-formance issues is found on pages 10-11 of the present Policy Statement.

12. The fourth and fifth ACRS recommendations for treating certain severe accident issues of new plants are:

"The effectiveness of human performance, including that of management, has a substantial influence on risk. For this reason, we recommend that attention be given to these matters for both new and existing plants to assure that inadequate human performance at individual plants will not result in unacceptable risk. In particular, methods of analysis and associated data bases need to be developed which can properly account for both positive and negative human performance contributions.

Although we recognize the uncertainty in dealing with sabotage, we believe the policy statement should indicate that the issue of both insider and outside threats wi*1 be carefully examined, and to the extent feasible, taken into account in the design and in the operational procedures that are developed for new plants."

Staff Response: The staff agrees with the importance attached to the issuns of sabotage and human performance by the ACRS. Accordingly, the staff has pro-vided an accommodating statement in concert with these recommendations on page 11 of the present Policy Statement.

13. The ACRS provides the following conclusion regarding the adequacy of the policy statement dealing with new plants:

"We conclude that in its present form that part of the policy statement that deals with new plants needs strengthening in the areas that we have indicated."

Staff Response: The staff is appreciative of the views of the ACRS regarding areas where strengthening is needed to clarify our present policy and ongoing severe accident programs in reaching severe accident decisions for new plants.

The above responses to the ACRS comments (items 8-12) constitute the degree of accommodation the staff feels it is desirable to make at this time based on presently available information, the disparate schedules for completion of the interrelated ongoing severe accident programs, and in keeping with the needs of the several vendors for early guidance on review criteria and procedures for NRC approval or certification of proposed new standard plant designs.

B. Public Comments: An Overview

1. Introduction Twenty-six letters of comment have been received on the proposed severe accident policy statement. Fourteen letters are from the nuclear industry, one from 43

DOE, one from the New York State Department of Law, and the balance from environmental groups and two individuals. Table 1 lists the commenters and their affiliations.

The themes of the comments range from general support for adoption of a policy statement that resolves severe accident issues based on strong technical argu-ment to strong opposition on the basis that it is useless to try to develop an effective safety goal.

Most of the comments that took issue with the proposed severe accident policy statement were concerned with the use of Probabilistic Risk Assessment in severe accident decisionmaking--PRA is unreliable, subject to uncertainty and bias, and can lead to contradictions with existing NRC regulations and the draft Policy Statement on Safety Goals for the Operation of Nuclear Power Plants (March 14, 1983, 48 FR 10772).

2. Representative Comments on Proposed Policy Statement
a. Environmental Groups and Private Citizens e " FUSE urges the Commission to reject the concept that public safety must defer to the NRC's new proposal of cost effectiveness." (Letter No. 4) e "The NRC's proposed policy statements on ... severe accident criteria are unacceptable in their undue reliance on probabilistic risk assessment and safety-cost tradeoffs." (Letter No. 8) e "The severe accident policy statement simply ignores the uncertainties outlined in the safety goal policy, and structures the NRC severe accident review on assumptions explicitly identified as unproven in the safety goals policy." (Letter No. 11) e

... the severe accident program allows no opportunity for public partici-pation or oversight, and provides no accountability by the Commission to the public." (Letter No. 11) e "A further weakness in this policy statement stems from the presumed application in standardized plants in the future, as this neglects and might exempt existing plants and those presently under construction from such controls." (Letter No.12) e " Curiously, the Commission reaches this anomalous conclusion: that con-servative design criteria and analysis methods like those applied to ESFs will not be required for core melt accidents, because of their " low proba-bility....Where then is the basis for the low probability conclusion?

It is unsupported by fact." (Letter No. 14)

b. Nuclear Industry and Rehted Jrganizations e "Given that severe accide at 4echnical issues have been formally raised by the NRC, there is need for permanent closure on these technical issues."

(Letter No. 2) 44

1 i

l Table 1. Commenters and their affiliation Letter No. Name Affiliation Type a 1 Diane Curran Harmon & Weiss (UCS) E 2 Cordell Reed AIF (IOCOR) NI 3 W. White Burns and Roe, Inc. NI 4 Mark P. Oncavage Floridians United for Safe Energy, Inc. E 5 D. Farrar Commonwealth Edison Company NI 6 Ezra I. Bialik State of NY, Dept. of Law G 7 Jerry D. Griffith DOE, Office of Nuclear Energy G 8 Mrs. David G. Frey The Indiana Sassafras Audubon Society E 9 Russel Jim Yakima Indian Nation G 10 Judith Dorsey Counsel for Limerick Ecology Action E 11 Diane Curran, Union of Concerned Scientists E Steven S. Sholly 12 Samuel Seely New England Coalition on Nuclear E Pollution, Inc.

13 Marvin I. Lewis Not applicable I 14 Susan L. Hiatt Not applicable I 15 T. W. Elward Consumers Power Company NI 16 David E. Leaver Wood-Leaver and Associates, Inc. NI 17 R. B. Bradbury Stone & Webster Engineering Corporation NI 18 Glenn G. Sherwood General Electric Company NI 19 R. P. Schmitz Bechtel Power Corporation NI 20 R. E. Helfrich Yankee Atomic Electric Company NI 21 L. M. Mills Tennessee Valley Authority NI 22 E. P. Rahe, Jr. Westinghouse Electric Corporation NI 23 A. E. Scherer Combustion Engineering, Inc. NI 24 Murray Edelman AIF, Committee on Reactor Licensing NI and Safety 25 David Salvesen Wisconsin Environmental Decade E 26 E. P. Rahe, Jr. Westinghouse Electric Corporation NI

  • Legend:

E - Environmental Group NI - Nuclear Industry G - Governmental Agency I - Individual e "The focus of Standardization Policy must shift from ' STANDARD DESIGNS' to

' STANDARD DESIGN PROCESSES'. (Letter No. 3) e "The proposed policy statement seems to overemphasize several mitigative design features which are presently not technically justifiable, such as filtered vented containment systems." (Letter No. 15) e ... as presently written, the decision process is vague and does not pro-vide any guidance on how these decisions will be made. For example, the phrase ' engineering and policy judgment, supplemented by PRA where appro-priate' appears to make the decision very arbitrary." (Letter No. 16) e

... it is suggested that uncertainty analysis should be done to support decision making with the PRA and that this be the starting point of any 45-

work done to determine what characteristics are necessary." (Letter No. 16) e "We do not believe ... that the Commission needs ' final design information' for its determinations on the acceptability of standardized designs."

(Letter No. 17) e "We believe that the requirement to meet the CP Rule is not consistent with the overall philosophy of the policy statement. *** it is suggested that Sections I, VI, IX and X be modified to indicate that the applicant must adhere to the requirements set forth in the CP Rule unless it can be demonstrated that specific requirements of the CP Rule are not cost-effective." (Letter No. 18) e "It is recommended that the NRC hold meetings to discuss these issues more widely than only with the few organizations with active standard plant applications before resolution of these issues." (Letter No. 19) e "We believe that there is insufficient recognition of the 10COR program and its role in identification of issues, design features related to those issues, or interaction with the IDCOR group." (Letter No. 19) e "... we wish to emphasize that any future consideration of whether to impose specific-mitigating features for operating plants and plants under construction must correctly be viewed as a (predecessor) to backfitting.

In this regard, we recommend that the Commission postpone its publication of a final policy statement on severe accidents, pending a final rulemaking to resolve the more immediate and pressing issue of backfitting."

(Letter No. 20) e "We believe the plan ... to utilize the 13 available PRAs to ' provide better understanding of the design features and site characteristics' would be difficult to accomplish generically because of the varying pedigrees of the studies." (Letter No. 21) e ... there is too much enyhasis on NRC regulation and research currently being placed on hardware-oriented plant improvements. We believe that more emphasis should be directed toward improving the human factor aspects of plant operation and emergency response." (Letter No. 21) e "The three-step process identified for presently operating and pipeline plants though only briefly described appears consistent with industry's l 10COR program objectives." (Letter No. 22) e "The NRC should recognize and reaffirm a continuing role for Preliminary Design Approvals as an appropriate incentive for ... major design develop-ment initiatives." (Letter No. 26)

c. Government Agencies e

... to reach any important decision based on a PRA is little more than speculation... Therefore, the Commission's duty to protect public health and safety cannot be satisfied by reliance on what is inherently unreli-able." (Letter No. 6)

! 46

l l

e ... we do not concur that NRC development of plant designs is an appro-priate activity for the NRC as a regulator." (Letter No. 7) e "While we agree with the basic approach NRC is taking ... we have some concerns about the apparent open-endedness to the process." (Letter No. 7) e "... DOE believes that acceptable criteria for severe accident related backfitting of plants, which are operating or under construction, are an essential part of the proposed policy statement and recommends their incorporation into the NRC severe accident policy." (Letter No. 7)

3. Abstracts of Comments and Staff Responses

, This section consists of abstracts of the public comments, received on the proposed severe accident policy statement published in the Federal Register on April 13,1983 (48 FR 16014) and the staff responses to the comments.

The 26 letters of comment are listed in the order of docketing by the NRC's Docketing and Services Branch, Office of the Secretary of the Commission.

Each of 81 comments abstracted from the letters is followed by a staff response to the comment.

The abstracts are direct quotes of the letters of comment, but do not include all details of the commenters' discussions or the reasons for their views. A reader who finds any of the quoted coments insufficient or unclear and wishes to know more of what the commenter wrote should consult the original letters of coment. They are available for inspection and copying for a fee at the Commission's Public Document Room, 1717 H Street NW, Washington, D.C. under the file, PR-50, 48 FR 16014.

Letter No. 1. Diane Curran, Harmon & Weiss, Attorney for UCS e ... UCS plans to consolidate its comments ... and file them in early July."

Staff Response: No comment. '

Letter No. 2. Cordell Reed, Atomic Industrial Forum, Inc. (IOCOR) e "Given that severe accident technical issues have been formally raised by the NRC, there is need for permanent closure on these technical issues.

, Further, the decisionmaking process must be effectively managed and per-manent closure reached in a timely fashion."

Staff Response: The staff cannot foresee at this time an absolutely permanent closure of the severe accident technical issues. Any significant new safety problems disclosed in the Severe Accident Research Program or staff reviews of new standard designs or in the certification process for such designs will be considered for possible modifications of existing plants (and vice versa).

Letter No. 3. W. White, Burns and Roe, Inc.

e "The focus of Standardization Policy must shift from ' STANDARD DESIGNS' to ' STANDARD DESIGN PROCESSES': *** The Replicate Plant Concept should 47

I l

i l

l

I 1

be eliminated. The Reference Plant Concept should be fully defined or i

eliminated." l Staff Response: This comment applies to standardization policy which is not the subject of this particular policy statement. This comment will be con-j sidered in an upcoming revision to the Commission's standardization policy statement.

Letter No. 4. Mark P. Oncavage, Floridians United for Safe Energy, Inc.

~

e " FUSE urges the Commission to reject the concept that public safety must j defer to the NRC's new proposal of cost effectiveness."

l Staff Response: The staff rejects the notion that cost-effectiveness analysis is not a socially desirable approach to severe accident decision making (see

! Appendix A, Chapter I). The President's Commission on the Accident at Three Mile Island recommended that NRC establish safety-cost tradeoff criteria, and l Title III, Sec. 307(c) of the Energy Reorganization Act of 1974 requires NRC to make a clear statement annually of the short range and long-range goals, priorities, and plans of the Commission as they related to the benefits,

! costs, and risks of commercial nuclear power. Moreover, the consideration of i

costs in conjunction with risk is imperative because of the recognition that

society has finite resources to devote to life-saving or risk reduction invest-I ments. Hence, an imposing ethical issue is whether an excessive expenditure for risk reduction in one area of human activity would inequitably deprive the 4

! use of these same resources for risk reduction in other areas with expecta-tions for saving possibly an even greater number of lives. Although cost-

! benefit evaluations will be used to identify sufficiently attractive changes i in the design of nuclear power plants, if new safety information should indicate l that the only viable method of providing adequate protection of public health i and safety is through more fundamental and costly changes, the Commission will j not hesitate to require them.

e ... if the NRC replaces sound engineering judgement, operating experience, lessons learned, theoretical research, experimental research, and public input with unreliable PRA methods, a disservice has been done to public l safety. *** Exclusive use of the PRA methodology would throw away all the hard work the NRC has accomplished to extend its learning curve on safe opera-

! tion and put actual reactor safety back 25 years."

i

! Staff Response: In Section IV.C.2 of the Severe Accident Program, the Commission has decided on an approach for severe accidents that relies on deterministic l engineering analysis and on PRA, consistent with the known strengths and i

weaknesses of the two methods and the technical state of the art. It is l difficult to prescribe a priori the weight to be given PRA in severe accident decisionmaking. The weigit will vary among the Technical Issues and the extent to which ongoing or past research has reduced uncertainty about them.

Letter No. 5. D. Farrar, Commonwealth Edison l e "We concur with the need for such a statement and urge the Com m ission to adopt it."
i l'

} 48 l

}

---,.--r - _-n,n,- _ , - - ,-n - - - - - = . ~ . , - -- - _ _ . - - . . -

Staff Response: No comment.

Letter No. 6. Ezra I. Bialik, State of New York, Department of Law e ... to reach any important decision based on a PRA is little more than speculation... Therefore, the Commission's duty to protect public health and safety cannot be satisfied by reliance on what is inherently unreli-able."

Staff Response: In the Severe Accident Program, the staff will not place primary reliance on PRA, but will use quantitative engineering analysis where supported by data and justified by a full consideration of uncertainties.

Letter No. 7. Jerry D. Griffith, Department of Energy o "Specifically we question the proposed role for NRC in the design of commercial plants as part of the NRC severe accident research, as raising a potential confilet of interest given NRC regulatory responsibility. In our view, the design and operation of commercial nuclear reactors in the United States is the responsbility not of government, but of industry."

Staff Response: The staff is in basic agreement with this position. The Severe Accident Program and generic decision strategy (see Sections IV.A and IV.C.2) support a severe accident policy for new standard plant designs that would encourage innovative ways for industry to achieve superior safety levels at reasonable costs while avoiding a highly prescriptive set of technical per-formance criteria for functions important to severe accident safety, which serve to deny the sort of risk-risk tradeoff decisions in plaat design that might achieve such optimal results. However, to address the question of how

' severe accident protection might cost-effectively be increased, the NRC will study potential improvements from design, performance, and cost perspectives.

A list of potential alternative improvements for severe accident safety has been developed in the Severe Accident Risk Reduction Program (SARRP). The studied improvements are conceptual designs only, which have been taken far enough to develop cost data, and cannot be used by specific plants without significant further development by industry. The NRC staff is cooperating with IOCOR to identify and assess technical issues important to severe accident risk.

This will be helpful to industry in assessing and identifying the best design options, e " Industry, not NRC or indeed the Federal Government, has the responsi-bility for plant design, and we do not concur that NRC development of plant designs is an appropriate activity for the NRC as a regulator.

Fortunately, this design activity is also being done as part of the IOCOR i industry project, which NRC can receive data from as appropriate. It is l therefore not necessary for NRC to dupitcate this work."

Staff Response: See the preceding response.

4 e "1. While we agree with the basic approach NRC is taking to focus the NRC

severe accident rulemaking on standard plant designs with an objective of i fully resolving all the severe accident related regulatory issues within i

the standard plant licensing reviews, we have some concern about the apparent open-endedness to the process. We recommend that the specific 49 l

-.---_.,,,__-m.~. , __,,,_.-.--,-_7,_,._7c_. . . _ , _ _ . , - - _ _ _ , _ _ _ _ - . . . ._s

t questions that need to be answered, and the information needed by NRC to answer these questions be specifically identified and tied to the NRC and other research program elements from which essential input is required for NRC to resolve the specific regulatory issues impacted by severe accident considerations, on a published schedule."

Staff Response: The apparent open-endedness of the NRC program is an unavoid-able consequence of two factors. First, the staff is seeking to narrow the uncertainties surrounding the level of risk posed by severe reactor accidents at operating nuclear power plants. Because this is an inquiry into unknown elements of accident phenomenology or susceptibility, the research results are not fully predictable. Often research results pose new questions or require the exploration of newly discovered issues. Second, the staff wishes to avoid pre-scribing the ways severe accident risk is to be controlled by applicants for

certified Final Design Approval through rulemaking lest, in so doing, it should discourge innovation, cost / benefit optimization, or the sense of responsibilty for safety design in the applicant organization. We have and will continue to minimize the programmatic uncertainties arising from this open-endedness by (a) publishing research plans, results, and policy analyses expeditiously; and (b) clarifying the groundrules for standard design approval or certification in the policy statement herein (see Chapter III).

e "2. The reference to the final decisions on the severe accident related to regulatory decisions for plants in operation and under construction causes DOE some concern, since it appears to re-couple these plants with the standard plants, as in the previous NRC severe accident policy, prior to the current proposed policy change. Our concern is that while recogniz-ing the need to factor insights developed in safety related research pro-grams into regulatory decisions, NRC policy needs to recognize that plant backfits cannot continue throughout the 30 year plant lifetime without economic and safety criteria against which need for further safety improve-ment in specific plants can be evaluated."

Staff Response: The Commission has completed an initial review of NRC require-i ments and staff practices for backfitting. As a result, the Commission published on September 28, 1983, a policy statement on revision of backfitting process for power reactors and initiated a rulemaking proceeding for the purpose of estab-lishing requirements for the long-term management of the backfitting process, an action that will provide for the replacement of the current 10 CFR 50.109, "Backfitting" (48 FR 44173, 44217). The Commission recognizes that the develop-ment of measures for the management of the backfitting process involves a number of complex issues on which there exist several differing points of view.

e "No backfits should be made in plants in operation or under construction unless they provide substantial safety improvement and consider cost benefit, including economic consequences to the competitive nature of nuclear power and the preservation of nuclear power as an energy option

in the United States. For this reason, 00E believes that acceptable criteria for severe accident related backfitting of plants, which are i operating or under construction, are an essential part of the proposed policy statement and recommends their incorporation into the NRC severe accident policy."

4 50

l l

1 Staff Response: The staff has conducted a feasibility study of applying back-fit controls to CP holders and OL applicants. The control process for CP/0Ls would be similar to the control process and guidelines for operating reactors approved by the Commission on June 22, 1983. These measures provide adequate management of the Commission's process for documenting, considering, and deciding on proposed new generic and plant specific requirements for power reactors, e "3. The ' lessons learned from THI' should include data that can be derived by NRC from examination of the TMI-2 core and data related to source term."

Staff Response: The Severe Accident Research Plan (NUREG-0900) includes TMI core examination as a task in the program element on the behavior of damaged fuel. The program element plan assumes that initial information will be available in FY 1984 from the THI-2 core examination, but recognizes that because of uncertainties in the schedule for recovery of.the TMI-2 core, data on the fuel behavior in a severe accident may not be available until very late in the period covered by the Plan, i.e., the end of FY 1986.

e "4. We agree with the NRC approach to use the research to reduce any sig-nificant uncertainty in the risk calculations used in implementing safety policy. However, NRC needs to identify the criteria for acceptable uncer-tainty beyond which further reduction is not necessary, based for example, on cost-beneficial use of research dollars, or requirements for NRC to make the necessary severe accident related regulatory decisions. Further, re-ductions in the dominant contributors to uncertainty in risk may adequately resolve any alleged need for reductions in risk for standard design plants over the current generation of LWR commercial powerplants."

Staff Response: The staff fully agrees that reductions in the uncertainty surrounding the level of risk posed by severe reactor accidents is the objective of the Severe Accident Research Program, and that real reductions in reactor risk may not prove to be necessary if the risk is not found to be substantial.

As noted in the policy statement, a thorough inquiry into costs and benefits is the centerpiece of NRC standards development. The staff will take the sugges-tion of criteria for acceptable uncertainty as a proposal to be explored in the safety goal evaluation program, e "5. We agree with NRC that a technical basis does not now exist to sup-port further regulatory changes, or to show a clear need to add further safety related features. In this context, an essential need for further safety features must be established prior to any regulatory requirement for them, and if such need is established, agreed criteria rather than designs, design concepts, prescriptions, etc., should be set forth."

Staff Response: The staff agrees with this comment. Any design changes that are identified as essential to public health and safety or as sufficiently cost-beneficial to warrant consideration as generic requirements will be adopted through rulemaking and will be consistent with the Commission's then-effective backfitting policy.

51

l Letter No. 8. Mrs. David G. Frey, The Indiana Sassafras Audubon Society

! e "The NRC's proposed policy statements on ... severe accident criteria are unacceptable in their undue reliance on probabilistic risk assessment and safety-cost tradeoffs."

, Staff Reponse: See the staff's position in response to the first comment of Letter No. 4 (Mark P. Oncavage).

Letter No. 9. Russell Jim, Yakima Indian Nation e "4. The proposed rules, particularly in the PRA methodology and radio-active source term information for severe accidents, fail to take into consideration the fact that the Yakima Indian Nation cannot be evacuated from its Sacred Lands." .

i Staff Response: The closest part of the Yakima Indian Nation Reservation is l about 35 miles from the " exclusion area" of the nuclear plants, WNP Units 1 and 2, located on the Hanford Reservation of the U.S. Government, and it is 25 miles outside of the " ten-mile emergency planning zone." Accordingly, there is no need for evacuation from the Yakima Indian Reservation in the event of a severe nuclear accident at any of the nuclear plants at Hanford. Indeed, at any dis-

, tance beyond a five-mile radius of a nuclear plant, the staff estimates that

, sheltering provides as good or better protection than emergency evacuation from radiation effects of a severe nuclear accident.

Letter No. 10. Judith A. Oorsey, Counsel for Limerick Ecology Action

! e "Due to the importance of PRA in the Limerick proceeding, it would be beneficial to all parties if the Commission clarified section VIII of its Proposed Policy Statement as it applies to special circumstances such as i those at Limerick. LEA strongly supports the NRC staff's decision to 4 require the applicant to perform a PRA, and to use the results of the PRA in its licensing review. The Commission has the duty to protect the public health and safety, and should support the NRC staff on this matter."

Staff Response: NRC experience with the PRAs in environmental analyses of specific licensing actions such as Limerick will be factored into the overall assessment of severe accidents. Individual licensing proceedings are, however, not appropriate forums for a broad examination of the Commission's regulatory requirements relating to control and mitigation of accidents more severe than the design basis.

Letter No. 11. Diane Curran and Steven S. Sholly, Union of Concerned Scientists l e "The severe accident policy statement simply ignores the uncertainties outlined in the safety goal policy, and structures the NRC severe accident review on assumptions explicitly identified as unproven in the safety goals policy."

Staff Response: The Commission, in its admonition not to employ the proposed safety goals in regulatory decisions, has not proscribed the use of PRA or cost-benefit considerations in licensing casework reviews or reactor safety standards development. The Commission has approved the use of PRA-based 52

-- ,e,,--,,--,-..,.-,.m.m .-, .,.-~-..- , - - w w , - ,, _ w w- g , mm.. ,,,,--m - , - - - - - - , , - - - -

l l

insights in generic issue prioritization, in the study of special requirements at plants at high population density sites, and in regulatory analysis. The Commission intends that severe accident decisions will be fully congruent with emerging safety goal implementation policy. For a discussion of the treatment of uncertainty in severe accident decision making, see Appendix 8. Note also that much of NRC's Severe Accident Research Program is oriented toward the reduction of uncertainty in estimating risk.

e "PRAs should not be used to evaluate whether a plant or regulation meets a safety goal or is ' cost effective.' They are simply not accurate enough j to provide a basis for confidence in reactor regulation."

Staff Response: See response to the first comment of Letter No. 4 (Mark P.

Oncavage).

e "Because they are so sensitive and capable of misinterpretation, PRAs are also subject to manipulation to reach a predetermined conclusion."

Staff Response: The staff has addressed this point in a separate program to develop acceptable guidelines for PRAs and to connect the results of the PRA Reference Document with the Safety Goal Implementation Plan when developed.

In addition, the Commission expects applicants for a standard design approval or certification to optimize the design for the cost-effective limitation of severe accicent risk. Then, in the rule that certifies the final design approval, the Commission will encourage certain checks and balances by license applicants through the use of reliability engineering techniques to ensure that the original PRA assumptions remain valid during construction and eventual operation and maintenance of the licensed facility.

e "Nowhere in the policy statement is it acknowledged that the risk posed by severe accidents is at best poorly known in a probabilistic sense, or that a two year evaluation program and a substantial research program have been established to obtain much of the very information on which a severe accident assessment must rest. This fundamental contradiction between the safety goals Evaluation Plan and the severe accident policy statement must be resolved. At the very least, the Commission should observe the same two year evaluation period as proposed in the Evaluation Plan before it makes substantive decisions on reactor regulation."

Staff Response: Section IV.D.3 of the ongoing severe accident programs ,

addressing the safety goal development program notes that the Commission has '

made it clear that its proposed safety goals are not a source of authority for regulatory decisions during the two year evaluation period of the safety goals and the safety goals will not be used by the staff to make severe accident decisions. In its admonition, however, the Commission did not proscribe the use of PRA or cost-benefit considerations in Ifcensing casework reviews or  :

reactor safety standards development.

e "For nuclear power plants already operating or scheduled for construc-tion, the severe accident criteria in the policy statement serves as a rationalization for inaction. The Commission clearly reveals its foregone conclusions that its safety goals and severe accident evaluations will not result in any significant discoveries...."

53

Staff Response: Although large programs on severe accident research have not yet shown a need to make major design changes, any such change identified as essential to public health and safety or sufficiently attractive or cost-l beneficial to warrant consideration for adoption will be required through traditional regulatory procedures including the possibility of rulemaking and be consistent with the Commission's then-current backfitting policy.

e

"... NRC proposes to use the ' normalized' PRAs for a variety of decisions, including evaluation of generic safety issues and backfit decisions. No I

evaluation of the reliability of using plant-specific PRAs for making regulatory decisions which affect other or all nuclear plants is proposed 3 and none presently exists."

i Staff Response: One of the products of the safety goal evaluation program is

! the "PRA Reference Document" (NUREG-1050) published in August 1984. The sup-portive role of PRA in severe accident decision making, regulatory analysis, l and the implementation of severe accident requirements will be tailored to the strengths and weaknesses of PRA methodology identified in the PRA Reference Document.

i e

"The policy statement should contain some structure, with specific tasks and deadlines, for the completion of severe accident review with respect to existing plants. The program should account for the two year period outlined in the Evaluation Plan, in which PRA methodology is to be studied i and evaluated."

' Staff Response: The review of standard designs for future cps provides incen-tive to industry to address severe accident phenomena. These reviews and ongoing research will also provide information needed for final decisions on severe accident considerations for operating plants and plants under construc-tion. The staff expects to reach many of those final decisions within the next several years.

e " .. the severe accident program allows no opportunity for public partici-

! pation or oversight, and provides for no accountability by the Commission to the public. The program should provide for all generic safety decisions to be made by rulemaking, with full opportunity for comment. Backfitting i

decisions for individual plants should be noticed and an opportunity for

' a public hearing offered pursuant to 5189a of the Atomic Energy Act, 42 U.S.C. $ 2239(a)."

i Staff Response: It is the NRC's intention to select a course of action from i

among potential severe accident improvements in a measurable, visible manner with confidence and the ability to share the reasons for its conclusions with others. Adoptions of major design changes as generic requirements by rulemak-ing proceedings will provide opportunity for public participation.

Letter No. 12. Samuel Seely, New England Coalition on Nuclear Pollution, Inc.

{

e "In so far as the severe accident criteria policy statement is concerned, a significant weakness is the failure to acknowledge that the risk of

] severe accidents is presently not known. Further, there is no evident

] plan to establish a program to obtain such data. Thus at the very least, 4 ,

1 54 i

i

the safety goals Evaluation Plan study should be completed before sub-stantive decisions on reactor regulation are made."

Staff Response: In Section IV.C.2 of the Severe Accident Program, the staff describes three complementary methods of evaluation of existing plants. The NRC will perform engineering analyses of typical plants for a range of severe accidents. Additionally, the NRC will review and update the available PRAs of plants. Finally, the NRC will develop a set of policy papers on important aspects of plant safety. The information available from these three sources will be consolidated into an assessment of the level of safety presently achieved by existing plants for severe accidents.

e "A further weakness in this policy statement stems from the presumed application in standardized plants in the future, as this neglects and might exempt existing plants and those presently under construction from such controls. Ignoring the need for controls en the strength of warped interpretation of past problems with existing ruclear plants is violating the trust of the public."

Staff Response: It is important that any safety problems disclosed in the reviews of new designs be considered for their application to existing plants '

(and vice versa). The cost-effectiveness analysis of these design options may differ appreciably between new standard designs and existing plants because of the generally higher costs of backfitting design improvements to existing plants.

Accordingly, the present Policy Statement assumes that no imaginative design feature proposed for a new standard design will necessarily, or even likely, merit backfitting to existing plants, e "We feel that there exists a contradiction between the safety gcals Evalua-tion Plan and the severe accident policy statement. To employ PRAs as a i

key methodology in both generic and plant specific safety decisions with a cost-benefit criterion, downplays the importance of engineering judgment.

This is an inadequate assurance of public health and safety."

Staff Response: The staff does not agree with this comment because the sup-i portive role of PRA in the deterministic approach for severe accidents will be tailored by the staff to the strengths and weaknesses of PRA methodology iden-tified in one of the products of the safety goal program -- the PRA Reference

' Document. The Commission intends that the severe accident program will be fully congruent with emerging safety goal implementation policy.

l Letter No. 13. Marvin I. Lewis, Philadelphia, Pennsylvania e "The safety goal is admitted to be only an estimate within several orders

of magnitude of reality. Still when you look at history

1 TMI-2 accident had a probability of 1 in several hundreds of millions to happen.

TMI-2 accident happened within 1000 years of reactor operation. <

Even within the large spread of probabilities in the WASH-1400 the proba-j bility of the THI-2 accident was missed by several orders of magnitude."

4 55.

4

i

Staff Response
The staff disagrees with the statement that the WASH 1400

. estimated probability of the kind of small-break loss-of-coolant accident (58LOCA) that happened at TMI-2 was one in several hundred million reactor c years of reactor operation. The size of the power-operated relief valve (PORV) i leakage at TMI-2 was quite small (i.e., in the 52 category of to 2 inches) and WASH-1400 (see p. 79 of the Main Report) gave an estimate for this class of I events as 2 x 10.s, or one such accident in 50,000 reactor years, and not one in several hundred million. One needs to be cautious in the inference of pro-

, babilities for rare events by the occurrence of a single event. For example, I as illustrated in games of chance, if there were a true probability of one such l event happening in, say, 1,000 trials, the event might show up in the first or l last of 1,000 trials, several times during such trials, or not at all. If such an event happened in the first ten trials (and hence a probability of one-tenth

, were assumad) then one would be in error by a factor of 100 in comparison with l the true probability. The NRC staff reports have repeatedly cautioned that

, bottom-line probabilistic risk assessments for severe reactor accidents are not

! based on the sort of frequency data that would permit narrow confidence bands, which could be several orders of magnitude. It is the very rarity of core-melt events that prevents the sort of frequency data that would drastically reduce

these uncertainty bands. Moreover, after each serious accident precursor I event, the NRC examines the causes of these events and, where appropriate,

! takes action to reduce the probability of recurrence of such events (see Chapter VI of Appendix A). Thus, the probability of the kind of accident that happened at TMI-2 is not the same today as it was before the accident.

Letter No. 14. Susan L. Hiatt, Mentor, Ohio

! e "By this proposal the Comission launches a regrettable approach: that of replacing logic and judgement (and sound regulatory policy with opportunity for public input) with voodoo engineering, which is the only appropriate description of PRA. This policy statement should not be adopted."

Staff Response: The staff does not agree. In the present Policy Statement, the Comission establishes the policy that the NRC will use a deterministic j approach that most highly values engineering analysis and judgment, comple-mented as appropriate by PRA, for its severe accident program, J

o "What is to prevent utilities and vendors, knowing that the results of the PRAs they perform will be used as the basis for regulatory decisions, from choosing the data, assumptions, and methodologies so as to make their plants appear safer than they really are, in the interest of avoiding expensive design modifications and safety sytems?"

Staff Response: In Section III.B.2, the Comission sets forth four criteria .

for final staff approval of reference designs and expects industry to devel.op specifications for a reliability engineering program. This means that risk-risk

, or risk-cost tradeoffs to be made as decisions arise in readying a design for l comercial service must not worsen severe accident risk levels for key defense-in-depth features as confirmed in the site / plant-specific PRA performed at the CP stage. See also the staff's response to a similar coment in Letter No.11 i

from Diane Curran and Steven S. Sholly.

I e "An especially reprehensible feature of the severe accident policy is Sec-tion VIII, concerning treatment of severe accidents in on going licensing 56 l

l 1

-n. --- - - , -- ,-n,.,_,n _,-----..--n __, , . - - - - - _ , . , . , - - - - , - - ,,- --n _e - - - - - . , n+. --

proceedings. The Commission has arbitrarily assumed that its rules on hydrogen control are sufficient to cover all aspects of severe accidents, and that the capability of current designs or procedures to prevent or mitigate severe accidents should not be addressed in case-specific licens-ing hearings. This measure is unwise, unfair and unlawful. It is also ambiguous; does this prohibition extend also to the degree of compliance of facilities with the hydrogen rules? 10 CFR 2.758 prohibits attacks on the regulations of the NRC; however, compliance with regulations is liti-gable; nothing is said therein abo.ut challenges to policy statements. Such nebulous provisions will undoubtedly increase, rather than decrease, liti-gation on this point alone, as citizens will not relinquish their right to legally protect themselves from nuclear dangers."

Staff Response: The staff disagrees with this comment because the Commission has not assumed that its rules on hydrogen control are sufficient to cover all aspects of severe accidents. Rather, these rules are intended to provide rea-sonable assurance that the risk of degraded-core accidents for plants designed in accordance with current regulatory requirements is acceptable. Accidents more severe than the design basis have no current regulatory requirements specifying system or equipment designs that can be litigated in individual licensing proceedings.

e " Curiously, the Commission reaches this anomalous conclusion: that conservative design criteria and analysis methods like those applied to ESFs will not be required for core melt accidents, because of their ' low probability.' 48 FR 1.6020. This is further contradicted by the Commis-sion's safety goal that the probability of core melt accidents should be kept below 1 in 10,000/ year. 48 FR 10775. As Commissioner Gilinsky notes, 1/3 of the PRAs performed to date show risks greater than the goal.

48 FR 10776. Where then is the basis for the low probability conclusions?

It is unsupported by fact."

Staff Response: The graded approach for the design features and procedures for core-melt mitigation was based on the potential once-in-a-lifetime need to use equipment or procedures dedicated to severe accident sequencts. The concept, however, does not appear in the present Severe Accident Policy Statement.

Rather, the NRC will study potential alternative improvements for severe acci-dent safety from design, performance, and cost perspectives. In that study, the probabilities (low or otherwise) of core-melt accidents are factors for estimating risk reductions in preparing regulatory analyses of any potential generic improvements considered for possible adoption through rulemaking (see

Chapter VI of Appendix A).

e "It is also disturbing that future plants will have to meet stronger criteria than plants now operating or under construction, especially since there will probably be no future plants. Risk to health and safety is

' posed by existing plants; it is these that should be made safer, without catering to the financial complaints of utilities."

Staff Response: Although the results of research and licensing reviews to date do not indicate that large changes need be made for severe accident con-siderations, it is possible (although not necessarily likely for any or all classes of nuclear power plants) that new information will demonstrate the desirability of certain lesser changes. Of course, if new safety information 57

should indicate that the only viable method of providing adequate protection of public health and safety is through more fundamental and costly changes, the Commission will not hesitate to require them.

1 Letter No. 15. T. W. Elward, Consumers Power Company '

e "2. The proposed policy statement seems to overemphasize several sitiga-tive design features which are presently not technically justifiable, such  ;

as filtered-vented containment systems. The implementation guidelines

, indicate that these design features will be evaluated for cost-effective-ness to determine if they should be required during rulemaking for stand-ard design approval. Based on the technical data available and the associ-ated uncertainties, we believe that such judgements cannot presently be made in rulemaking. Prior to such judgement, additional data is necessary to adequately define the need for and benefits of such mitigative design features. Without firm technical bases.for judging the viability and i necessity of such mitigative design features, the evaluation whether to i require these features during the rulemaking process can result in a

lengthy and unresolvable debate. Such debate tends to lengthen and de-
stabilize the licensing process."

Staff Response: Section IV.E.1 of the Severe Accident Program places design changes in perspective by noting that although the results of research and licensing reviews to date do not indicate that large changes need be made for

severe accident considerations, it is possible (although not necessarily likely l for any or all classes of nuclear power plants) that new information will demon-strate the desirability of certain lesser changes such as improved reliability of some Engineered Safety Features and addition of filtered vents to some types of containment and design features that would reduce the risk from sabotage and
earthquakes. Potential design changes must first be identified and evaluated before it can be determined whether these are essential to public health and safety or sufficiently attractive under the Commission's backfitting and rule-making procedures to adopt.

i e "3. In line with the objective of strengthening the data base, the policy l statement should give specific consideration to factoring in data and results from the IDCOR program. This program has provided a substantial i data base which can be used in determining logical design choices. The i

policy statement should provide greater recognition of this important research effort in the final statement."

l Staff Response: The staff believes it is prerequisite to the objectives and schedules of the final policy statement that the IDCOR program continue on its present course and schedule. As 10COR results have come available, the staff i and its contractors have begun a structured technical interchange process.

This interchange is being documented and, through a system of Technical Issue papers, the staff is identifying areas of technical consensus and controversy.

l Thus, orderly consideration of the 10COR work is contained in the severe accident research on existing plants. ,

I e "4.. The proposed policy indicates that NRC approval of standardized

! designs for referencing in future CP applications will be valid for

! 10 years. This should be contrasted with the average time for nuclear power plant construction. Since the TMI-2 incident, the average time for l

l i 58 l

l

'.---_, _ _ - . , _ , , - _ _ , _ _ . - _ . ~ . - - - - - - - - - - - - - - -

nuclear power plant licensing and construction is approaching ten years.

Unless the proposed period of referenceability were lengthened, the pur-pose of stabilizing requirements during the construction could easily be negated. We would propose that the initial review be valid for a period of 10 years or 3 years after commercial operation, whichever is longer."

Staff Response: The ten year limit refers to the time span during which new CP applications could be filed referencing an approved standard design. It is not a limit on a CP or OL application once it is under review. However, since the question of time limit applies to standardization policy which is not the sub-ject of this particular policy statement, the reference to a time limit has been deleted. This comment will be considered in an upcoming revision to the Commission's standardization policy. statement.

Letter No. 16. David E. Leaver, Wood-Leaver and Associates, Inc.

e "(a) Severe accident decisions will have a very significant economic impact on the industry and the ratepaying public. Therefore the decision process must be well understood by the NRC staff and the industry. How-ever, as presently written, the decision process is vague and does not provide any guidance on how these decisions will be made. For example, the phrase ' engineering and policy judgment, supplemented by PRA where appropriate' appears to make the decision very arbitrary. If the Com-mission's intent is that the decision process be defined through R&D,

, trial implementation or some other means, this should be stated. Other-wise, a clearer definition of the process should be included in the Policy Statement."

Staff Response: To address the question of how severe accident protection might be increased, the NRC will study potential improvements from design, performance, and cost perspectives. The NRC will initiate an effort to assure that the set of alternatives and categories of improvements is reasonably com-plate. It is the NRC's intention to select a course of action from among the potential improvements in a measurable, visible manner with confidence and the ability to share the reasons for its conclusions with others (see Sec. IV.C.2 l in the text and Chapts. I and IV in Appendix A).

l l e "The cost of limited plant specific PRA work is believed to be small com-I pared with the benefits gained in terms of the increased understanding of plant specific design and operation features which contribute the most to risk. Thus it is suggested that the Consission reconsider the use of the

" existing ensemble of available PRAs" for estimating relative importance of accident sequences."

Staff Response: Following the present Policy Statement, the Commission's approach for severe accidents will not place primary reliance on PRA but will use quantitative engineering analysis where supported by data and justified by l

I a full consideration of uncertainties. PRA will be of value in cataloging and arranging in order of significance severe accident sequences representing impor-tant challenges to containment and associated containment response to " internal" I

events. Ways will be used to identify other severe accident sequences leading to very large source terms. Final selection will be made from the complete set I

of qualitatively distinct severe accident sequences.

59 l

l L____ _ _ _ . . _ . - - - - _ - - - - - - - . - --

_ -_- - -. . = - . _.

)

i e "(c) It is unclear if the use of PRA is intended in step (2), i.e. to determine the safety benefit of backfits. This should be clarified and if the intent is to use PRA, some guidance should be developed on how this is to be done."

Staff Response: Section IV.C.2 of the present Policy Statement replaces the three-step process for arriving at severe accident decisions for existing plants with a deterministic approach that most highly values engineering analysis and judgment, supplemented as appropriate by PRA, for the Severe Accident Program.

Cost-benefit analyses will be developed to aid decisionmaking on whether addi-tional protection for severe accidents is needed. The analysis will take the form of a Regulatory Analysis consistent with present internal NRC procedures i for any new generic requirements. Regarding NRC plans to develoo guidance on

, PRA use, see staff response to items 2 and 10 of the ACRS letter of July 18, 1984 (pp. 39 and 42).

I e "Section III states that the Commission will require the performance of a PRA that is as complete as practical for standardized design in CP appli-l cations. This, in effect, requires that the PRA and associated reliability engineering programs be performed earlier in the design and regulatory 4

process than is now the case. Performing a PRA and an associated reli-t ability engineering program early in the design process in such a manner as to truly influence the design is a difficult process not only because i of the lack of detail design information but also because acceptance may be slow since PRA has not traditionally been used in this way. The Com-mission should consider the need for development work which would produce j demonstrated guidelines on how such a PRA should be performed and how it can be integrated into the design process."

Staff Response: The commenter is correct that the NRC has not published detailed guidance on what is expected of licensees employing PRA as a design tool. The

, staff is aware of certain advantages in reducing regulatory uncertainty through

greater specificity of guidance in this regard. However, it is the staff's
philosophy in regulatory practices to place on nuclear power plant vendors and licensees the primary burden of developing ways to consider variations in severe accident vulnerability in design options in the context of risk-risk tradeoff and safety-cost tradeoff analyses last, in so doing, the NRC would establish a chilling environment for innovative creativity or the usurpation of responsi-bility for safety from the licensee. Also, most practitioners of PRA have consistently urged the use of PRA as a design tool and have a basic understand-ing of how to proceed. There is, of course, the more fundamental question of how techniques of using PRA as a design tool would procedurally differ, if at all, from the use of PRA to make backfit decisions on existing plant designs and/or changes in operating and maintenance procedures. To this end, the fol-lowing NRC reports may be helpful

(a) "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300, Vols. 1 and 2, January 1983. -

(b) "Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application," NUREG-1050, August 1984.

60

4 e "Section IX states that filtered vented containment should be provided in future CP application if it yields ' cost effective reduction in risk. '

This is a strong statement which will require significant analysis to evaluate. It is suggested that the Commission develop an approach for determining the reduction in risk and for answering the question of what is cost effective."

Staff Response: Several sources of perspective on the incentives for risk reduction will be drawn from the staff's inquiry into safety-cost tradeoffs and further developed to illuminate severe accident decisions. No single formula relating risk reduction to a monetary value (e.g. , $1,000 per person-

, rem averted) will be taken as definitive. Rather, the range and variety of such conversion factors will be treated on the same footing as other sources of uncertainty entering into the judgmental and legal procedure of reactor safety standards development.

e "The Commission research program discussed in Section VII should include some work to define the characteristics of the uncertainty analysis neces-sary in a PRA. In particular, it is suggs ted that uncertainty analysis should be done to support decision making with the PRA and that this be "

the starting point of any work done to determine wnat characteristics are necessary."

Staff Response: As noted in Section IV.C.3 and Appendix B, consideration of uncertainty in risk estimates is a central issue in severe accident research and policy development. Defining the characteristics of the uncertainty analysis in PRA is made difficult by the fact that the potentially most sig-nificant sources of uncertainty,- namely, modeling approximations and complete-ness issues,-- are not amenable to probabilistic treatment"in the way statistical uncertainties are. A large part of the phenomenological and PRA research within ,

the Severe Accident Research Program can be regarded as tackling this problem.

e "The Policy Statement refers to the weaknesses of PRA in many different places in many different ways. The statement should define clearly and precisely these weaknesses. In this way areas can be defined where NRC responsiveness to the insights of PRA is appropriate. Further, the industry might choose to spend R&D efforts accordingly."

Staff Response: In Section IV.C.2, the staff lists the limitations of existing i PRAs--selection of initiating events, treatment of common-cause failures, and i

consequential failures; equipment performance in the accident environment; and treatment of human performance.

etter No. 17. R. B. Bradbury, Stone and Webster Engineering Corporation

< ... the proposed policy statement, in Section VI, appears to restrict the severe accident rulemaking to standardized nuclear steam supply system

,' (NSSS) designs. The review of standardized balance of plant (BOP) des ~igns coupled with a standard NSSS design should be specifically included in the policy statement because the response of a given design to severe accidents cannot be determined by considering only the NSSS portion."

~

snse: The staff disagrees with this comment. While the staff en-s current trend in standardization toward a more comprehensive b .oes not believe that the review of a standardized NSSS design must 61

l be coupled,with a corresponding standardized 80P. Therefore, this policy state-ment continues to allow for the approval or certification of a standard design i

encompassing, as a minimum, an NSSS. This is consistent with the Commission's current standardization policy and regulations (see 10 CFR 50, Appendix 0).

l e "We also agree that a standardization policy can and should be coupled with single-stage licensing to provide the most effective use of stand-ardization.Section VI, however, appears to restrict this concept to

' standardized whole plant designs.' A standardized whole plant can be a standardized BOP joined, through well-defined interfaces, to a stand-ardized NSSS. We endorse the use of a standardized BOP matched with a standard NSSS because it is consistent with the well-tested and long-standing practices in the nuclear industry and can be implemented with minimal perturbation on the industry and the regulators." l i

Staff Response: This comment applies to single-stage licensing and standardi-zation which are not the subjects of the present Policy Statement. The state- l ments in the proposed policy that were the source of this comment have been deleted. Standardized designs, as discussed within the context of the present Policy Statement, are not limited to whole plant designs.

e "The Commission is on firm ground in giving priority of resources to stand-ard plant applications for which a substantial portion of the NSSS and BOP design has been completed, and we support the 10 yr term of an approved design. We do not believe, however, that the Commission needs ' final design information' for its determinations on the acceptability of stand-ardized designs. The . extent of design- information required should be that which is ' sufficient' to enable NRC to determine if a plant can be con-structed and operated in conformity with the provisions of the Atomic Energy Act and the NRC's rules and regulations. It is our view that this level of detail is greater than that in a Preliminary Safety Analysis Report (PSAR), but less than that in a Final Safety Analysis Report (FSAR)."

Staff Response: The staff partially agrees with this comment. The design information required for the review and approval of a standard design is speci-fied in Appendix 0 to 10 CFR 50. Under these regulations, the staff has issued two Final Design Approvals (FDA) for standard designs based on final design information. This final design information is not, however, equivalent to an l FSAR as the commenter would suggest. The staff recognizes that some informa-tion supplied in an FSAR, which accompanies an OL application, is not available until late in the procurement and construction phases of a faciilty. The staff's procedures for the review of a standard design take this limitation into consideration.

e "The Commission is placing justified emphasis in paragraph IX.G on ensur-ing that potentially highly radioactive systems be engineered to facili-tate human access in buildings outside containment. However, the wording of the statement could be interpreted as advocating that potentially highly radioactive systems be located outside containment to facilitate access, long-term post accident control, and maintenance. We suggest the wording be revised to remove the ambiguity by deleting the characterization 'out-side containment' in the sentence, 'One item deserving consideration, however, is the location outside containment of systems that could become highly radioactive following a severe accident.'"

62 y--m----,,-.w. - --,,- ~ _ . - - - _ , _ _ _ _ _ . , _ _ , . , _ _ _ _ _ , _ _ _ _ _ . _ . . . , , _ _ _ _ . , _ _ _ , _ _ _ _ _ _ _ _ . _ _ _ _ _ . , _ _ , . _ _ . , _ _ , , , , _ , .

y _ , , _ , , _ . - , , , . , , _ . , . . , _ _ _ _ _ _

Staff Response: Although the present Policy Statement does not discuss this particular consequence mitigation measure, the staff will review the location of such systems from the risk-based, cost-benefit viewpoint (e.g. , reduction of accident occupational exposure versus possible increase in routine occupa-tional exposure).

e "We agree with Section X of the proposed statement that regulatory decisions should take into account the new research information on severe accidents and the costs of backfitting for operating plants and plants under con-struction. We also agree that applicants for a construction permit (CP) should be required to install casign features for prevention, management, or mitigation of severe accidents that are shown to be cost effective. We also believe, however, that should the probabilistic risk assessment show any of the requirements of the CP rule not to be cost effective, they should not need to be incorporated.in the design."

Staff Response: The staff agrees with this comment. The Commission realizes that the CP Rule is moot because all pending CP applications have been cancelled.

However, the rule is a useful compendium of the specific requirements flowing from TMI. Some of these requirements might be shown to be unnecessary (e.g.,

saving space for a filtered vent) in light of the conclusions that could be justified with a PRA and severe accident judgments in a rulemaking to certify a new reference design.

Letter No. 18. Glenn G. Sherwood, General Electric Company s "We believe that the . requirement to medt the CP Rule is not consistent with the overall philosophy of the policy statement. For example, Sec-tion X requires completion of a PRA before standard design approval through rulemaking, with the applicant to install those design features that are to be considered under Section IX and shown to be cost-effective.

Three of the Section IX design features (i.e., containment strength, filtered-vented containment systems, and hydrogen control systems) are part of the CP Rule. If an applicant complies with the CP Rule, then there is no benefit in performing a PRA and cost-benefit analysis for such features. Since the time that the CP Rule was promulgated, a significant amount of information regarding severe accident issues has become avail-able. This information provides a more technically defensible basis to consider the prescriptive changes required by the CP Rule. In order to be consistent and conform with the overall philosophy of the policy statement, it is suggested that Sections I, VI, IX and X be modified to indicate that the applicant must adhere to the requirements set forth in the CP Rule unless it can be demonstrated that specific requirements of the CP Rule are not cost-effective."

Staff Response: The staff does not believe that the suggested clarification is required. A requirement to meet the CP Rule would not be different from the requirement to meet the other Commission regulations. Specific exemptions can be granted, if justified. (See also the preceding response regarding mootness of the CP Rule.)

e "We fully agree that the Section VI Standardization Policy will be more effective in achieving its objectives when coupled with regulatory reform. _

However, we believe that the policy for one-step licensing should not be 63

restricted to whole-plant designs but should apply to substantial portions of a nuclear power plant. As long as the scope of the design is a sub-stantial portion of a whole plant and each safety interface identified, there is no need to limit one-step licensing to standardized whole plant designs. Thus, we suggest that Section VI be revised to acknowledge that one-step licensing can be provided for 'a less than whole plant stand-ardized design.'"

Staff Response: This comment applies to one-step licensing, which is not the subject of this particular policy statement. The reference to one-step licans-ing that generated this comment has been deleted.

Letter No. 19. R. P. Schmitz, Bechtel Power Corporation a "We agree with the central recommendation in the statement that severe accident issues should be considered on future standard plant license applications and there is no need for a separate rulemaking on these issues. It is recommended that the NRC hold meetings to discuss these issues more widely than only with the few organizations with active stand-ard plant applications before resolution of these issues."

Staff Response: The staff and its contractors have begun a structured tech-nical interchange process (in the form of meetings) with representatives of the Industry Degraded Core Rulemaking (IOCOR) Program, under the sponsorship of the Atomic Industrial Forum, to compare independent models and assessments of severe accident behavior. In addition, to test for completeness of potential improve-

' ments in severe accident protection, the NRC will consult with the ACRS,. industry, national laboratory experts, and 'other interested members of the public. The NRC does not plan at this time, however, to hold public mee' tings devoted to _

severe accident issues.

e "1. We believe that there is insufficient recognition of the IDCOR pro-gram and its role in identification of issues, design features related to s

those issues, or interaction with the IDCOR group. IDCOR is one of the most important industry efforts to date, and the NRC should give a high priority to the program conclusions."

Staff Response: Section IV.E.2 of the Severe Accident Program notes that the Commission believes it is prerequisite to the objectives and schedules set out in the policy statement that the IOCOR program continue on its present course and schedule. Orderly consideration of the 10COR work is contained in the severe accident research on existing plants and in the discussions of Technical Issues described in Section IV.C.2. .-

e "2. Probabilistic Risk Assessments (PRA) are discussed in a number of sections of the Statement. Although we agree that the PRA approach should be used to set overall safety criteria, we firmly believe that PRAs should not be required on specific plants and designs. The significant range'of uncertainty associated with PRAs would argue against their direct use in a regulatory or adversarial environment. We strongly recommend that the PRA approach be limited to the evaluation of the NRC's deterministic criteria and not be required for standard plants or specific plants."

I Staff Response: The staff only partially agrees with this recommendation because it is believed that PRAs will provide useful supplemental insights into 64~

1 1

I severe accident concerns on a plant / site specific basis. In the discussions in i Section IV.C.3, the staff notes that PRA is an extension and refinement of 4

deterministic approaches involving engineering analysis and judgment.

e "3. The first paragraph under Section V reinforces the NRC requirement that applicants show compliance with the September 1981 Standard Review Plan. Compliance with regulatory criteria is frequently a matter of inter-pretation; the interpretation is basically the regulator's responsibility not the applicant's. We believe that this is a significant burden on applicants which should not be required."

, Staff Resaonse: The staff disagrees with this comment. Current regulations '

require t)at applications for Operating Licenses include an evaluation against the Standard Review Plan (SRP). This is not a requirement to demonstrate com-pliance with the SRP. The SRP is not a substitute for the regulations, and compliance is not a requirement. The commenter may argue that even an evalua-tion is a significant burden on applicants, but this is not a matter to be considered within the context of this Policy Statement. The question of burden was addressed when the applicable regulations were established.

l e "4. There are a number of references to a 10 year period of validity for standard plant designs. We strongly endorse this concept. However, con-sidering the inevitable evolution of ideas for improvements, it is recom-mended that more detailed criteria for evaluating improvements in standard plants be included."

Staff Response: Staff references to a 10 ye~ar period of validity for standard 1

plant designs reflect "one-step" licensing legislation prop,osed in 1982 -

(47 FR 24044) that contemplates such a period of validity. With regard to detailed criteria for evaluating improvements in standard plants, the staff is developing amendments to its standardization regulations to incorporate the guidelines for final staff approval of reference designs as set out in the present Policy Statement (see Section III.B.2).

e "S. A number of important new criteria relating to sabotage, multiple i human errors, design errors, filtered-vented containments, containment

ultimate strength, hydrogen control systems, core retention systems, and i

containment heat removal systems are either proposed or implied in Sec-tion IX. It is strongly recommended that new criteria such as these be individually reviewed in accordance with NRC procedures for new generic requirements and not be specifically discussed in this policy statement."

Staff Response: The staff agrees with this recommendation. Any major design changes in operating plants and plants under construction that are identified as necessary for public health and safety will be required through rulemaking and will be consistent with the Commission's backfitting policy.

e "6. The discussion of applicability of the rule in Section X needs con-l siderable clarification distinguishing between (a) reactivated previously docketed construction permit applications referencing total, partial or no standard designs, (b) proposals for replication of plants which have used total, partial or no standard plant designs or (c) new custom plant applications."

  • 65

Staff Response: The present Policy Statement has been rewritten to clarify the applicability of the requirements to various types of applications. Further clarifications will be provided in an upcoming revision to the standarization policy. An application for replication would be treated as a new custom CP application.

Letter No. 20. R. E. Helfrich, Yankee Atomic Electric Company e "We believe that the NRC staff's current base of knowledge regarding severe accident issues is insufficient to support rulemakings at this time. The Commission has yet to be briefed on the results of its own comprehensive and complex research program which has been underway since 1980 (funded at about $50 million per year). Valuable results regarding the Industry's severe accident research will soon become available from the IDCOR program which the Commission should carefully consider in con-

junction with its proposed policy. We encourage the Commission to exercise restraint and avoid imposing any new regulatory requirements regarding the issue of severe accidents, until information is available from both of ,

these ambitious programs.

Thus, in view of the current status of these programs, we must disagree i with Commissioner Asselstine's view that the proposed policy statement is

' seriously flawed' for not adequately defining the process for deciding what changes are needed, if any, in the current generation of nuclear power plants (79 holding operating licenses and 59 under construction),

to take into account severe accidents. We perceive that.the intent of the proposed policy statement correctly reflects the reality that the NRC

~

staff is not technically prepared to define such a process."

l Staff Response: The staff partially agrees with these comments.Section IV.C l of the ongoing Severe Accident Program is devoted to the staff's generic i decision strategy. One task is an extensive study of severe accident source

terms. After peer review, targeted for November 1984, the results of the NRC l source term studies will be available for use in considering what, if any, i regulatory requirements or rules involving source term applications in regula-tory decisions warrant revision (see pp. 21-22).

I j For the staff's views on IDCOR, see Section IV.E.2 and the staff's response to I the first comment in Letter No.19 from R. P. Schmitz.

i e " Finally, we wish to emphasize that any future consideration of whether to impose specific consequence-mitigating features for operating plants and plants under construction must correctly be viewed as a [ predecessor] ,

to backfitting. In this regard, we recommend that the Commission postpone its publication of a final policy statement on severe accidents, pending a final rulemaking to resolve the more immediate and pressing issue of back-fitting. Once promulgated, we believe that a rigorous cost-benefit thres-i hold for backfitting will render the Commission's future policymaking or

! rulemaking for severe accidents to be more acceptable by Industry."

l l

Staff Response: The staff does not agree with the recommendation to postpone publication of the present Policy Statement on severe accidents pending a final l rule on backfitting. The Commission has taken actions (see 48 FR 44173, Septem-I ber 28,1983) that provide effective interim management of the imposition of new requirements for power reactors. Any design changes that are identified for I

66 l

severe accident considerations will be consistent with the Commission's then-current backfitting policy. I l

Letter No. 21. L. M. Mills, Tennessee Valley Authority e "1. In Section I, it is stated that 'a three-step process will be used for severe accident decisions for plants in operation, under construction, or other classes of plants.' We believe that the sequence should be revised as follows. We agree that the utility should use risk assessment tech-niques to establish the relative risk represented by the plant. If the relative risk from the plant is acceptable using the primary design objec-tives from the nuclear power plant safety goals, then the utility will be

' initially responsible for studying possible design and operational changes in order to determine cost-effective means of reducing the radiation risk to the public which shall be subject to NRC approval. We believe that the utility will be the best organization to determine what cost-effective measures will be taken to reduce the risk from the plant subject to NRC revision and approval." -

Staff Response: The staff agrees with this comment. The "three-step" process for arriving at severe accident decisions for existing plants was criticized for placing too much reliance on PRA. Consequently, the Commission has now decided to use a deterministic approach that most highly values engineering analysis and judgment, complemented as appropriate by PRA, for its severe accident program. The several potential alternative improvements for severe accident safety originated from many sources including nuclear utilities. One '

task of the NRC's severe accident program.is to test for completeness of the set of alternatives, e "2. We believe the plan in section I to utilize the 13 available ras to

' provide better understanding of the design features and site chara,c-teristics' would be difficult to accomplish generically because of - the varying pedigrees of the studies. We believe that most of the effc'rt should be devoted to examining the studies for Surry, Peach Bottom, Zion, and Indian Point."

l -

i Staff Response: The staff basically agrees with this comment. -Under the present plan, the staff will derive generic insights for classes of plants by evaluating the results of existing PRAs. NRC experience with the use of PRA in

! specific licensing actions (Indian Point, Zion, Limerick, Shoreham, Seabrook, l Millstone 3, and GESSAR II) will be factored into the overall assessment of severe accident safety for existing plants.

e "3. In section III, a reference is made to 'a standard methodology ... on PRA procedures.' In performing a PRA, we recommend the approach described in the PRA Procedures Guide (NUREG/CR-2300). *** PRAs should not be treated as primary licensing criteria."

l Staff Response: The staff does not agree with the suggestion be.cause the staff believes that a CP application should include denonstration of a consider- I i

ation of the insights afforded by risk, analyses,. incle, ding severe accident concerns. The CP Rule,10 CFR 50.34(f), will b:e amended to clarify the purpose and use of PRA.

67

e "4. We call attention to the continuing references throughout the, policy statement to ' additional regulatory requirements' (Section III), 'deci-sions to add or modify principal design features and operating guides and procedures' (Section VII), ' desirability of certain lesser changes' (Sec-tion VII), and ' additional rules' (Section VIII). We believe as new

, information is developed as a result of severe accident research and refined risk assessments, an open perspective should be maintained by the NRC toward the possibility of modifying or even deleting some present l safety requirements that may be modified on the basis of new facts."

i Staff Response: Although the NRC's severe accident programs will be further developed to aid decisionmaking on whether additional protection for severe accidents is needed, the staff recognizes that one cost of a severe accident modification of an existing plant might include possible adverse safety effects on existing features or systems. Under these circumstances, the staff might have to include the modification or deletion of a present safety requirement in the risk-cost-benefit analysis of the severe accident modification.

e "5. In Section VI, the statement is made that ' Design changes ... would be reviewed to ensure that risk reduction is cost-effective.' We support

, the principle of reviewing changes for cost effectiveness providing that one recognizes the inherent limitations of such calculations and the over-riding need to reduce risks to the lowest practicable level. We question l whether such changes as the CP Rule that have already been issued in final form were ever subjected to such a review. In particular, such CP Rule requirements'as designing a hydrogen mitigation system for 100 percent

cladding reaction, constructing the containment structure for a minimum of i

45 lb/in g, and providing a dedicated' three-foot penetration for a contain-l ment vent show no evidence of a cost-effectiveness scrutiny."

Staff Response: The CP Rule embodies a set of requirements mandated by the Commission for applicants whose CP review had been interrupted by the degraded core accident at Three Mile Island. With respect to cost / benefit evaluations,

.the preamble to the CP Rule (see 47 FR 2286 at 2291) states, "... in its extensive deliberations concerning TMI-related requirements, the Commission has decided that the requirements in the new rule are necessary for the protec-

tion of the public and that their costs are not exorbitant."

e "6.Section VII mentions 'certain lesser changes such as ... addition of filtered vents to some types of containment.' We believe vented contain-ment would be a major physical, operational, and philosophical change to.a nuclear power plant."

Staff Response: The addition of filtered vents to some types of containment is characterized as a " lesser change" when compared with fundamental and costly

changes in the principal design criteria of a facility that potentially could be required for severe accident considerations. The results of research and licensing reviews to date do not indicate that large changes need be made for severe accident considerations.

e " 7. In Section VIII, reference is made to 'the ongoing programs of severe accident study and research' and that 'the Commission will ensure that j these programs are closely coordinated and will concentrate on specific

! analyses and experiment.s needed.' We support this intention and cannot 68

overemphasize the importance of carefully focusing these programs to obtain specific information to make specific decisions."

'l Staff Response: The staff agrees with this comment. As the more promising alternatives for severe accident protection become clear, the staff will e

strengthen or eliminate work in the Severe Accident Research Program so as to achieve the objectives of the NRC Severe Accident Program in the most effective manner.

e "8. In Section IX, tiiere is too much emphasis on NRC regulation and research currently being placed on hardware-oriented plant improvements.

We believe that more emphasis should be directed toward improving the human factor aspects of plant operation and emergency response. This difficult ' lesson-learned' is being ignored when so much attention is paid to adding new systems, upgrading present hardware, designing for more extreme scenarios, etc."

Staff Response: In Section IV.C.2, the Severe Accident Program addresses human factor aspects in a set of policy papers that the NRC will develop on important aspects of plant safety. The factors include the following terms: design -

errors, construction errors, operator errors, maintenance errors, reliance that can be placed on operators to avoid and manage severe accidents, and effective-ness of emergency preparedness.

, Letter No. 22. E. K Raha, Westinghouse Electric Corporation a "The three-step process identified for presently operating and pipeline plants, though only briefly described, appears consistent with industry's

)

IDCOR program objectives. Finally the conditions outl'ined for future CP applications appear reasonable and are generally in line with Westinghouse practice and plans already under way in our future plant design develop-4 ment programs."

Staff Response
No comment.

4 Letter No. 23. A. E. Scherer, Combustion Engineering, Inc.

i e "1. INTRODUCTION: HISTORY AND PURPOSE OF THE POLICY STATEMENT

! 'The reference to designs' ... now under consideration by U.S. vendors for future sales" should be clarified to recognize that there are standard designs now at the Final Design Approval stage which are being considered for future l

  • sales. We suggest, therefore, that the parenthetical phrase be written as I follows:

i

... (such as those proposed in CP applications docketed after the

promulgation of the Standard Review Plan, now at the Final Design l

Approval stage, or now under consideration by U.S. vendors for future sales)..."

l l Staff Response: This comment is no longer applicable because it applies to a i portion of the Policy Statement that has been substantially rewritten.

69

- . - _ _ . ~ - - _ ~ _ _ _ - - _ . - ._ _ _ _ _ - _ - - - - _ - - _ .

e "VI. STANDARDIZATION POLICY

'The requirement that '... an application must be filed for a severe {

accident review ...' could be misleading. The NSSS vendors that are about l to receive Final Design Approvals for their current designs have already l filed ' applications' under the August 1978 Policy Statement on Standardiza- 3

tion. The information required under this new policy adds a new set of  !

issues to be resolved before the same goal (i.e. , forward referenceability)

is achieved. To avoid any misinterpretation, therefore, the interim policy should be rewritten as follows:

1

'In the interin until a severe accident review is' completed and a l new design approval is granted, a standard design with an approval granted pursuant to present Commission regulations must be updated in order to be referenced in new or re-activated CP applications by

{ showing that it meets the new CP rule. Since this Policy statement

' imposes new issues upon the original application, the Applicant must .

identify its intent to proceed with a severe accident review pursuant

, to the requirements of Section X, below. At that point, the standard design will be made referenceable in new or re-activated CP applica-tions, subject only to the resolution of the severe accident review."

) Staff Response: This comment is not directly applica' ale because the portion of the Policy Statement in question has been completely rewritten. The staff

, disagrees, however, with the central premise of this comment; namely, that the j existing FDAs should be extended to allow referencing in new CP applications without any further review by the staff. The staff bellieves that the existing design approvals should be updated by being evaluated again,st the Standard Review Plan in accordance with 10 CFR 50.34 (g).

e "The proposed policy states:

' ..the Commission expects that the approval of the standardized designs for referencing in future CP applications would be binding on both the staff and applicants... '

First, the word ' expects' implies some hesitation by the Commission in making a commitment to stabilize the requirements for standardized designs. Secondly, a rulemaking by the Commission should be binding on the ACRS, the ASL8's and the ASLA8's, as well as the Staff and applicants.

Therefore, the above phrase should be written as follows:

... the Commission will require that the approval of the standard-ized designs for referencing in future CP applications would be binding on the Staff, ACRS, ASLB's, ASLAB's, and applicants..."

l Staff Response: The portion of the proposed Policy Statement in question has i been deleted and therefore this comment is no longer applicable. Chapter III of the present Policy Statement presents guidance on severe accident issues l to be followed by the NRC staff, hearing boards, licensees, and applicants.

l 70 i

i

e "C. The proposed policy states:

'To conserve resources in the conduct of licensing reviews, the Commission will give priority, at the time of docketing, to stand-ard plant applications for which a substantial portion of the NSSS and BOP design has been completed.'

'This statement implies that less resources are required to review an NSSS and 80P combined than to review the NSSS and 80P separately. We believe that the Staff's recent experience with the CESSAR-P review demonstrated that, when reviewing the NSSS, the only additional effort expended by the Staff was the review of interface requirements and that the additional effort was insignificant when compared to th overall review of the NSSS.

The above sentence, therefore, should be modified to say:

... for which a substantial portion of the NSSS or 80P design has been completed.'" ~

Staff Response: The staff does not agree with this suggestion because, for a standardized whole plant design, the staff will need essentially an FDA-level of design detail for the NSSS and for a substantial portion of the 80P before successfully completing a quantitative PRA for the standardized whole plant design, e " IMPLEMENTATION GUIDELINES FOR SEVERE ACCIDENT POLICY "A. Under item (3), the proposed pol, icy states:

" Completion of a staff review of the standard desjgn with a con-clusion of safety acceptability; the review will be based upon the updated version of the Standard Review Plan (NUREG-0800) and 10 CFR 50.34(g) that requires applicants to evaluate differences from the Standard Review Plan..."

"When 10 CFR 50.34(g) was implemented by the Commission, it was clearly stated as the Commission's intent that evaluating differences from the SRP was purely for the purpose of facilitating the staff's review. The regulation was not to be applied to applications already reviewed by the staff. Evaluation of differences from the SRP should, therefore, not be applied to standard designs that have already been reviewed against cur-rent NRC guidance. Further, since the regulation is clear that future applicants must comply, it is redundant to include this in the policy and

, it should be deleted.

" Item (3) should, therefore, be shortened to read:

" Completion of a Staff review of the standard design with a conclu-sion of safety acceptability with respect to current Commission regula-tions."

Staff Response: The staff does not agree with this comment. An evaluation against the current Standard Review Plan will, in a sense, " update" the previous FDA applications. This will then facilitate the staff's review and allow the 71

staff to make a determination that the design is adequate for referencing in new CP applications.

e "B. The policy identifies the conditions for approving future CP applica-tions and re-activated CP's that reference standard designs. By omission, the policy does not state the conditions for approving CP applications that use custos designs. This seems to be an indirect requirement that all future plants must use standard designs. While C-E whole-heartedly supports standardization, we do not believe that future applicants should be precluded from using custos designs.

'The policy should, therefore, include a statement to clarify that all of the conditions that apply to standard designs will also apply to custos plant designs.'"

Staff Response: Section III.B.3.d of the present Policy Statement indicates that the Commission's policy to encourage the use of reference designs in future cps does not preclude the use of a custos design. The staff will review custos designs under the same guidelines identified for reference design approvals set out in Section III.8.3.

Letter No. 24. Murray Edleman, Atomic Industrial Forum, Inc.

e "The policy discusses 'the importance of having final design information' in the context of standardization. Approval of a standard design can only be successful when all the information necessary for the staff to make the necessary safety determinations is made available. This need not, how-ever, include all the ' final' information found in a current final Safety Analysis Report. Equipment vendor names, material and stress report re-sults, environmental qualification data and equipment test results are a product of design implementation and not necessary for a determination of acceptability of a standard design. The policy statement should make it clear that the level of detail needed is that necessary for the safety determination. The word ' final' should be eliminated to avoid any con-fusion with the implementation data found in a ' final' Safety Analysis Report."

Staff Response: The staff agrees in principle with the comment but does not agree that further clarification is required. The staff does not equate " final design information" with a complete FSAR. It is recognized that certain infor-mation in an FSAR is not available during the standard design review process.

This limitation is recognized and was considered in the staff's review and approval of two FDA applications that were filed in accordance with Appendix 0 to 10 CFR 50.

e "The statement recognizes the potential effectiveness of standardization when coupled with regulatory reform. The statement continues by mention-ing 'one-step licensing in cases using standardized whole plant designs.'

Single stage, or 'one-step' licensing should not be restricted to stand-ardized whole plants. Any application which contains the necessary deter-minations concerning public health and safety should be acceptable for a single stage license application. This application could be for a custom plant; a combination of a standard bala'nce of plant, standard nucear steam 72

i supply system and pre-approved site; or a combination of major stand-ardized and custom portions."

i" Staff Response: The staff agrees with this comment. However, one-step licensing is not the subject of this particular policy statement and has been deleted.

Letter No. 25. David Salvesen, Wisconsin Environmental Decade e "... While the NRC is studying the PRA methodology to determine its reli-1 ability, they are conducting a review of their entire regulatory program using the questionable PRA methodology. Wisconsin Environmental Decade

'1 feels that the NRC's use of such an admittedly unproven and uncertain methodology will eliminate important safety issues from consideration. Too much remains unknown about risk of serious accidents to make predictions

of plant safety or to evaluate the need for regulations based on the untested PRA methodology. In addition, as it is presented now, the severe accident program allows no opportunity for public oversight and provides

! for no accountability by the Commission to the public."

f Staff Response: Although it is true that, in some instances, the complementary use of insights from PRA and deterministic engineering analysis has eliminated j some safety issues from further consideration because of their demonstrated unimportance, insights from PRAs have also led to the identification of the j relative importance of other safety issues leading to subsequent design modi-

fications and procedure changes (see Chapter V of Appendix A). See also the j responses to second comment of Letter No.-4 and eighth comment of Letter No.11.
26. E. P. Rahe, Westinghouse Electric Corporation -

e "The application is also intended to conform to the guidance provided by

the proposed severe accident policy statement previously referred to. In l that regard, each of the implementation guidelines enumerated in Section X of that policy statement will be satisfied with one single exception pro-vided by that policy....The single exception is that regarding the need for completed rulemaking prior to PDA issue. As we have previously indi ,

cated, Westinghouse intends to also make application for Final Design i Approval (FDA) through rulemaking. This application is scheduled for 1985

submittal with final approval through rulemaking projected for 1987. Upon issue of the FDA we would intend to modify the approved preliminary design as appropriate in consideration of any design changes identified through the severe accident rulemaking on the final design. Should the preliminary design be incorporated by reference in new domestic CP applications during
the intervening period (i.e., between PDA issue and FDA issue through rule-making), then those changes would be adopted on those CP applications as

! appropriate by consideration of the cost effectiveness of the risk reduc-

! tion indicated.

l

(

l "...The NRC should recognize and reaffirm a continuing role for Preliminary i Design Approvals as an appropriate incentive for such major design develop- '

ment initiatives."

Staff Response: The staff. agrees with this comment. A PDA is still an acknow-f ledged step in the standard design approval process. Although this comment is l 73

primarily applicable to standardization policy, some clarification is provided in Section III.B. to address the matter of PDAs.

I

\

l f

5 i

l l

74

VI. REFERENCES CSNI, " Decay Heat Removal . Systems," Proceedings of the CSNI Specialist Meeting, April 25-29,1983, WUrlingen, Switzerland. (Swiss Federal Institute for Reactor Research: Wurlingen, Switzerland).

Matteson, T. D., et al, "A Study to Identify the Potential Value of Commercial Aviation Experience to the Nuclear Industry," Los Alamos Technical Associates, Inc., TPS 82-67, June 1983.

NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident,"

Vols. 1 and 2, Rev. 1, August 1980.

NUREG-0737, " Clarification of TMI Action Plan Requirements," November 1980.

i NUREG-0739, "An Approach to Quantitative Safety Goals for Nucleai Power Plants,"

Advisory Committee on Reactor SafegiJards, October 1980.

NUREG-0800, " Standard Review Plan for the Review of Safety Analysis Reports' for Nuclear ~ Power Plants, LWR Edition," July 1981.

Il l NUREG-0880, Revision 1 for Comment, " Safety Goals for Nuclear Power Plant Operations," May 1983.

l~

NUREG-0885, Issue 3, "U.S. Nuclear Regulatory Commission Policy and Planning Guidance 1984," January 1984.

I NUREG-0900, " Nuclear Power Plant Severe Acticent Research Plan," January 1983.

NUREG-1050, "Probabilistic Risk Assessment (PRA) - Status Report and Guidance for Regulatory Application," August 1984.

NUREG/BR-0032, "10 CFR Part 50 - Environmental Qualification of Electrical Equipment," March 13, 1984.

NUREG/8R-0058, Rev.1, " Regulatory Analysis Guidelines of the U.S. Nuclear i Regulatory Commission," May 1984.

NUREG/CP-0036, " Proceedings of the Workshop on Nuclear Power Plant Aging,"

Sandia National Laboratories, November 1982.

, NUREG/CP-0048, " Proceedings of the Eleventh Water Reactor Safety Research Information Meeting," January 1984.

I NUREG/CR-2040, "A Study of the Implications of Applying Quantitative Risk Criteria in the Licensing of Nuclear Power Plants in the United States, Brookhaven National Laboratory, May 1981.

j NUREG/CR-2239, " Technical Guidance for Siting Criteria Development," Sandia

National Laboratories, December 1982.

4 NUREG/CR-2497, " Precursors to Potential Severe Core Damage Accidents: 1969-79, J

A Status Report," Cak Ridge National Laboratories, June 1982.

i 75 i

i r-,- --- . -a--. - ,, --,-----.. _ - _ ,- - -.- -_- . , , , _ _ , . _

~ . .

J i

NUREG/CR-2591, " Estimating the Potential Impacts of a Nuclear Reactor Accident:

Methodology and Case Studies," U.S. Dept. of Commerce, April 1982.

NUREG/CR-2723, " Estimates of Financial Consequences of Nuclear Power Reactor

Accidents," Sandia National Laboratories, September 1982..

I NUREG/CR-2800, " Guidelines for Nuclear Power Plant Safety Issue Prioritization,"

Supplement 2, Pacific Northwest Laboratory,-December 1983.

NUREG/CR-2883, " Study of the Value and Impact of Alternative Decay Heat Removal Concepts for Light Water Reactors," June 1983.

4 NUREG/CR-2899, " Analysis of a Proposed One Thousand Dollar Per Man-Rem Cost Effectiveness Criterion," Sandia National Laboratories, October 1982.

i

~

NUREG/CR-3568, "A Handbook for Value-Impact Assessment," Pacific Northwest

Laboratory, December 1983. -

NUREG/CR-3673, " Economic Risks of Nuclear Power Reactor Accidents," Sandia National Laboratories," April 1984.

NUREG/CR-3787, " Effectiveness of Engineered Safety Feature (ESF) Systems in Retaining Fission Products: Background Information," Pacific Northwest Laboratory, August 1984.

' Regulatory Guide 1.97, Rev. 3, " Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Envi.rons Conditions During and Following an Accident," May 1983.  :

Regulatory Guide 4.7, Revision 1, " General Site Suitability Criteria for
Nuclear Power Stations," November 1975.

l TID-14844, " Calculation of Distance Factors for Power and Test Reactor Sites,"

l March 1962.

WASH-1400 (NUREG-75/014), " Reactor Safety Study: An Assessment of Risks in U.S.

Commercial Nuclear Power Reactors," October 1975.

43 FR 38954, " Statement on Standardization of Nuclear Power Plants," U.S.

Nuclear Regulatory Commission, August 31, 1978.

45 FR 40101, " Nuclear Power Plant Accident Considerations Under the National '

Environmental Policy Act of 1969," U, S. Nuclear Regulatory Commission, June 13, 1980.

45 FR 65474, " Domestic Licensing of Production and Utilization Facilities; Consideration of Degraded or Malted Cores in Safety Regulation," U.S.

Nuclear Regulatory Commission, October 2,1980.

46 FR 62281, " Interim Requirements Related to Hydrogen Control," U.S. Nuclear Regulatory Commission, December 23, 1981.

48 FR 10772, " Safety Goal Development Program," U.S. Nuclear Regulatory

~

Commission, March 14, 1983.

j 76 L_-_--.-__._.---- __- - _ .__ _ _ - _ . - _ . - . - . . _ _ _

i 48 FR 16014, " Proposed Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation," U.S. Nuclear Regulatory Commission, April 13, 1983.

" Indian Point Probabilistic Safety Study," Docket Nos. 50-247 and 50-286, 1982.

Limerick, " Severe Accident Risk Assassment, Limerick Generating Station,"

Docket Nos. 50-352 and 50-383, 1983.

Limerick, "Probabilistic Risk Assessment, Limerick Generating Station," Docket Nos. 50-352 and 50-353, 1981.

Millstone 3, Controlled document (Draft Level-3 PRA), Docket No. 50-423.

"Seacrook Station Probabilistic Safety Assessment," Docket Nos. 50-443 and 50-444, January 1984.

Shoreham, "Probabilistic Risk Assessment - Shoreham Nuclear Power Station -

Unit 1 - Long Island Lighting Company," Docket No. 50-322, 1983.

Zion Probabilistic Safety Study," Docket Nos. 50-295 and 50-304, September 1981.

G t

77

VII. GLOSSARY ACRS: Advisory Committee on Reactor Safeguards.

Accident Initiator: A causal mechanism that can precipitate an initiating event leading to a severe accident provided there are subsequent failures of defense-in-depth Engineered Safety Features.

Accident Management: Integrated strategies that combine elements of plant design and operating configuration with operator guidelines and procedures to optimize the capabilities to prevent, arrest the progress of, or mitigate the consequences of potentially severe accidents, thus adding an important margin of assurance that a severe accident does not become a " worst case" accident or even one involving serious offsite consequences.

Accident Sequence: An event tree giving the complete event sequence delineation of different pathways and different consequences of severe accidents. .

AE00: The NRC Office of Analysis and Evaluation of Operational Data.

AFWS: Auxiliary feedwater system.

AIF: Atomic Industrial Forum.

ASEP: Accident Sequence Evaluatten Program. An element of SARP to review the accident sequence (event tree) evaluations in plant-specific PRAs and make them more appropriate for value/ impact analyses' of nuclear power plant modifications.

ASP: Accident Sequence Precursor Program. An element of SARP.

ATVS: Anticipated transient without scram.

Backfit: The addition, elimination, or modification of a production or utili-zation facility after the construction permit has been issued.

BOP: Balance of plant. The portion of a whole nuclear power plant other than the nuclear steam supply system.

BWR Mark I: Boiling water-cooled reactor with a Mark I containment design.

CFR: Code of Federal Regulations. A codification of the general and permanent rules published in the Federal Register by the Executive departments and agencies of the Federal Government. NRC's rules are codified in Title 10, Code of Federal Regulations, Chapter I.

Common-cause Failures: Failures in which several systems or functions experience failure or degradation together in a correlated way deriving from a single causal factor (e.g., an earthquake, fire, flood, or sabotage).

Consequence Mitigation: Systems, actions, or procedures intended to make the consequences of an accident less severe.

Containment: An enclosure around a reactor to confine radioactive materials that otherwise might be released to the atmosphere or groundwater in the event of an accident.

79

I l

Core Melt: The term applied to the overheating of a reactor core as a result l

of the failure of reactor shutdown or cooling systems that leads to substantial melting of the radioactive fuel and the structures which hold the fuel in place.

Cost-Benefit Analysis:

l A decision method in which the adverse and beneficial

' consequences of realistic decision options are evaluated and compared, not always in quantified or commensurable units.

Cost-effectiveness: Usually, a more restricted form of cost-benefit analysis in which the objective is to determine the decision option having the least i

' (dollar) cost of achieving a common benefit or a given set of desirable con-sequences (e.g., an identical level of acceptable risk).

CP: Construction permit. A permit for the construction of a production or Eilization facility issued prior to'the issuance of a license if the applica-tion for a license is otherwise acceptable.

CP Rule: 10 CFR 50.34(f), " Additional TMI-related requirements," imposed on l

each applicant for a light-water reactor construction permit or manufacturing license whose application was pending on February 12, 1982 (47 FR 2286, l January 15, 1982).

l CRGR: The NRC Committee for Review of Generic Requirements.

CSNI: Committee on the Safety of Nuclear Installations of the Organization for Economic Cooperation and Development's (DECD) 24-country Nuclear Energy Agency (NEA). --

08A: Design-basis accident. A postulated accident that a 7acility must be designed and built to withstand without exceeding the offsite exposure limits provided in the NRC's siting regulation (10 CFR Part 100).

dc: Direct current.

DC: Design Certification as granted by the Commission for a forward reference-l able final standard plant design through rulemaking.

Defense-in-depth: An approach that assures safety by (1) designing fundamental systems important to safety to withstand even severe challenges without fail-ure, (2) building and operating such systems to high quality standards, and (3) postulating the failure of such systems and providing reliable additional systems to mitigate the consequences of such failure.

Degraded Core: Extensive core damage that is less than core melt.

Deterministic Approach: The method of determining acceptable design or per-formance by quantitative engineering analysis and comparison of the results to predetermined quantitative limits. '

ECCS: Emergency core cooling system; an important defense-in-depth Engineered Safety Feature that functions on demand to prevent a severe reactor accident following a loss-of-coolant accident.

80

Engineered Safety Features: Design features of safety equipment that will acti-vate automatically on demand to protect the core / reactor coolant pressure boun-dary and avoid exceeding the reactor safety limits such as power level, pressure and average water temperature.

1 EPRI: Electric Power Research Institute.

ESF: Engineered Safety Feature.

Event Tree Analysis: As applied to nuclear reactor safety, an event tree defines an initial failure within a plant and examines the sequence of events

, which follow, depending upon the subsequent operation or failure of various systems that are designed to mitigate the adverse consequences of the initial failure.

External Event: A hazard such as an earthquake or flooding external to a nuclear power plant. In plant fires are also regarded as external events since they are exogenous factors affecting systems performance.

Fault Tree Analysis: A fault tree examines an event such as a system or sub-system failure and traces the various possible event paths to that failure.

FDA: Final Desig'n Approval. Approval by the staff granted to the designer of a final standard design for most of a nuclear plant or a major fraction of a nuclear plant outside of the immediate context of an application for a construc-tion permit or operating license. An FDA does.not constitute Commission approval. ~~

FR: Federal Register. A daily publication that provides a' uniform system Tor publishing Presidential and Federal Agency documents of general policy or programmatic applicability or legal effect.

FUSE: Floridians United for Safety Energy, Inc.

GDC: General Design Criteria establish minimum requirements for the principal design criteria for water-cooled nuclear power plants similar in design and location to plants for which Construction Permits have been issued by the Commission.

GSI: Generic Safety Issue.

IDCOR: The Industry Degraded Core Rulemaking Program. A program under the sponsorship of the Atomic Industrial Forum to evaluate severe accident risk for existing nuclear reactors.

IE: The NRC Office of Inspection and Enforcement.

INP0: Institute of Nuclear Power Operations.

j IREP: Interim Reliability Evaluation Program.

ISAP: Integrated Safety Assessment Program.

ll LER: Licensee Event Report as issued by the AEOD.

t 81

l LOCA: Loss-of-coolant accident.

LWR: Light water-cooled reactor; the most common nuclear power technology currently employed in the United States and a number of other countries.

Multi-attribute Analysis: Analysis of decision options using a full scope of decision considerations or criteria of both indirect as well as direct impor-tance often exceeding those employed in more conventional cost-benefit analysis.

NRC: Nuclear Regulatory Commission, the agency established by Title II of the Energy Reorganization Act of 1974, as amended; its regulatory functions supersede l similar ones within the organization of the now defunct U.S. Atomic Energy l Commission.

NSAC: Nuclear Safety Analysis Center.

NSIC: Nuclear Safety Information Center, Oak Ridge National Laboratory. ,

i NSSS: Nuclear Steam Supply System, the central features of which are the converter reactor and steam generators.

OL: Operating License issued by the Commission upon completion of the construc-Hon of a nuclear power plant after satisfactory staff. review of compliance to the technical specifications and safety requirements established at, or subsequent to, the issuance of the Construction Permit.

OR: Operating Reactor; a nuclear power plant that is licensed to operate.

4 PDA: Preliminary Design Approval. A determination published in the Federal j Register as to whether the preliminary standard design is acceptable, subject to such conditions as may be appropriate.

PRA: Probabilistic Risk Assessment that mathematically quantifies an expected (or average) risk based on observed and calculated component and human failure rates and the anticipated consequences associated with these failures, which may occur either singly or in combination.

PRA Reference Document: A report on the " state-of-the-art" of PRA methodology.

NUREG-1050, "Probabilistic Risk Analysis (PRA) - Status Report and Guidance for Regulatory Application, For Comment," February 1984.

Precursor Event: An event in an operating LWR that has the potential, when combined with other events, to lead to a severe accident. ,

PWR: Pressurized water-cooled reactor.

Quality Assurance: Comprises all those planned and systematic actions neces-sary to provide adequate confidence that a man-machine system, sub-system, or component will perform satisfactorily in service.

! Radiation: (Ionizing radiation). The term includes alpha particles, beta particles, gamma-rays, X-rays, neutrons, high-speed electrons, high-speed protons, and other particles capable of producing ions.

82 i

- .. ._ __ _ _ _ - - . _. =. . - _ - _ _ -_ . - - - _

i l

Regulatory Question: A component question concerning severe accidents that when answered can contribute to the answer to the primary question on the need i

for changes, if any, in nuclear reactor regulation to account for acceptable risk of severe accidents.

Rem: A unit of dose equivalent for any type of ionizing radiation absorbed by body tissue in terms of its estimated biological effect relative to exposure to j X-rays or gamma-rays.

RCS: Reactor cooling system.

, Risk: The product of the probability of occurrence of a given type of accident and the magnitude of the consequences given that occurrence.

Risk Characteristics: (With special reference to nuclear power plants) the set of characteristic failure mechanisms that constitute all but the most insignifi-cant sources of risk posed by the plant.

Risk-risk Tradeoff: In systems engineering design analysis, the identification of possibilities for overall system risk reduction wherein one or more areas of improved reliability more than offset other areas of diminished reliability with the consequent attainment of the twin objectives of reduced risks and costs of the system in question.

RSS: Reactor Safety Study (WASH-1400).

RSSMAP: Reactor Safety Study Methodology -Applications Program.

Rulemaking: The agency process for issuing, amending, or repealing a regulation.

I

Safety-cost Tradeoff Criterion
A figure of merit regarding an approprit.te

, level of expenditure fer a given decrement of risk reduction based on the equity principle that society has alternative opportunities yielding a greater risk reduction for the same expenditure of resources.

1 Safety Goal: Any of the preliminary qualitative safety goals and quantitative i design objectives as proposed by the Commission with emphasis on individual I

and societal risks which might arise from reactor accidents in order to have

, a general approach to answering the question, "How safe is safe enough?"

SARP: Severe Accident Research Plan established by the Office of Nuclear Regulatory Research to provide an experimental and analytical basis for more accurate assessments of the risks of severe accidents in nuclear power plants.

SARRP: Severe Accident Risk Reduction Program. A SARP program element that

analyzes the risk reduction potential and costs associated with a spectrum of possible nuclear power plant modifications.

I Severe Accident: A reactor accident more severe than design-basis accidents I in which, as a minimum, substantial damage is done to the reactor core.

Single Failure: A single occurrence which results in the loss of capability of a component to perform its intended safety functions.

83 l -

Single Failure Criterion: Consideration of the need to design against single failures such as, for example, passive components 'in fluid systems important to safety.

Source Term: The description and qualification of fission products released by a specific type of reactor accident.

Technical Issue: One of a joint list of areas of safety concern such as severe accident phenomenology and safety or reliability assessment of nuclear power plant systems performance jointly developed by NRC staff and IDCOR representa-tives and reviewed by the ACRS.

Technical Specification: Derived from the analyses and evaluation of the safety analyses report and includes safety limits, limiting conditions for operation, and other specifications listed in 10 CFR 50.36.

TMI: An acronym for the nuclear accident during March 1979 at Three Mile Tsfand Nuclear Plant, Unit 2, 10 miles southeast of Harrisburg, Pa.

UCS: Union of Concerned Scientists.

USI: Unresolved Safety Issue. A generic safety issue which has not yet been technically resolved and which NRC is devoting priority attention to resolving.

t 84

4- A ,- A A + w Lr3----m -- - ,I bl -,- - a s -- - + - -

9 APPENDIX A CURRENT INFORMATION BEARING ON THE NEED FOR GENERIC DESIGN CHANGES OR FURTHER REGULATORY CHANGE!i AFFECTING NUCLEAR POWER PLANTS i

4 i

r e

85 L

m.

.e.,A._ mJ d e.im. *ALA __m-

,, D.4.a-_ 4 - w + __ J_ __ .s..m_4 __A -- Jsr _ .a m* .__ __ h_ _A . _ _ __e.a#

gh 4

I t

I 1

6 h,

O 4

{

a k

i O O I

e i

i 1

i e

2 k

l

,f i

t l

4 1

1 1

i 1

1 86' 4

-wrrw r~w,_

APPENDIX A CURRENT INFORMATION BEARING ON THE NEED FOR GENERIC DESIGN CHANGES OR FURTHER REGULATORY CHANGES AFFECTING NUCLEAR POWER PLANTS I. INTRODUCTION: THE NEED FOR FORWARD-LOOKING POLICY DEVELOPMENT

, Certain basic principles of regulatory practice consistent with the mandates of the Atomic Energy Act are inherent in the safety approach that has been followed since the early 1950's. Absolute safety or "zero risk" is not legally required.

The Atomic Energy Act refers to " adequate" rather than " absolute" protection of the public health and safety. There is risk in nuclear power, just as there is risk in all technologies, as well as in every personal activity in which people engage. Congress' intent expressed in that legislation is that nuclear power be developed under a licensing system for safe commercial use to generate elec-tricity. The Commission's continuing practice of conservatism and use of the defense-in-depth concept is intended to provide an extra margin of protection.

Nuclear power plants have been designed, constructed, and operated so as to pro-vide an extra margin of safety for unforeseen events. Because of the complexity of nuclear power plants and the wide variety of designs, it is assumed that not all potential failure and accident scenarios, including ones that could present significant radiological hazards, have been identified. Potential failures and accident scenarios continue to be studied"in order to improve knowledge of reac-tor safety.

Before the TMI accident, the major thrust of regulatory attention was directed to the prevention of severe nuclear accidents. Principles of defense-in-depth incorporated into nuclear reactor designs were intended to make the probability of an accident more severe than the design basis vanishingly small--an incred-ible event. Accident prevention is still an important aspect of our regulatory policy because design-basis accidents can be precursors to more severe acci-dents. However, since the TMI accident, considerable attention has been paid to (a) changes in power plant design and regulatory requirements that have a benefit for accident management to limit the severity or retard the course of degraded core accidents, and (b) consequence mitigation including planning for emergency actions offsite.

Since THI, and based on currently available information relating to severe accident risk, the Commission has taken numerous regulatory actions to enhance safety and has licensed a number of plants to begin operation. The Clarifica-tion of TMI Action Plan Requirements (NUREG-0737) led to the requirement of over 6,400 separate action items on about 80 plants. Of these, about 5,700 (about 88%) are now complete. Moreover, both NRC and the nuclear industry have greatly expanded the information sources and analyses that are available to probe for weaknesses in plant design, construction, operation and maintenance having a bearing on the risk of severe nuclear accidents and the need for change. These programs are vital and effective.

All of the operating nuclear plants are determined by the Commission to pose no undue risk to life or property. In this and other policy judgments about 87 t

technology there is substantial uncertainty. That is why the Commission has established and will continue to maintain a viable program to examine operating experience and is committed to the completion of a large research program on i severe accident technical issues. This research program has elements that examine accident likelihood and severe accident phenomenology as well as an exploration for cost-effective measures to further reduce risk. This research is expected to reduce uncertainties regarding the belief that operating plants present no undue risk. The only basis for altering the judgment of no undue risk in existing plants and taking action to impose changes in design or regu- i lations governing their operation and maintenance would be the emergence of new safety information that would suggest undue risk.

1 In the case of existing plants, there is only one need for a generic policy on the treatment of severe accident issues in advance of any new significant. safety information that might conceivably require changes in design or further regu-j latory changes. That is the need to keep various parties to NRC decisions informed of Commission policy and current understanding in this area. For the existing plants, the central message to be delivered is that the most jus-tifiable candidates for generic changes have already been addressed in the actions associated with the lessons from TMI or in actions associated with PRAs already conducted and reviewed. Moreover, in the case of existing plants, there is no ostensible advantage in seeking to anticipate what new safety infor-nation might arise from future operating experience or severe accident research because no safety or cost differentials are apparent from anticipating a change before there is sufficient information to specify it. Thus, through issuing the Policy Statement of Chapter III, the Commission establishes its intention

to deal with severe accident issues for existing plants through its ongoing programs involving severe accident research and monitoring.,the safety experi-

. ence of operating reactors rather than through the instrument of generic rule-making or deliberations of licensing boards.

A somewhat different situation applies to future plants. In this case there is

.a need to establish, at this time, a generic policy for final severe accident l decision making. This need does not derive because the Commission has reason to expect a substantial number of new plant orders in the United States during

! the next several years. None may be ordered. Yet, should any such orders

! arise during this period (including reactivation of a construction permit application of a cancelled plant), a severe accident policy is needed to deal with such regulatory actions and this has been provided in the Policy Statement (Chapter III). Rather, the need for a generic policy statement to deal with j severe accident issues of future plants derives mainly from the expressed j interest of several vendors to submit proposed standard plant designs for i

certification with forward referenceability covering a substantial number of years. The efficient allocation of vendor resources involved in the develop-ment and marketing of new standard plant designs obviously hinges on the stability and predictability of reactor regulation during the period it takes to achieve design certification by the NRC. During the period of forward .

referenceability of a standard design, although not strongly anticipated, there i can be no iron-clad guarantee that surprising new information regarding severe accident risk considerations might not arise that would lead to NRC considering

and possibly requiring design changes.

l The question arises (a) whether NRC should cooperate with the expressed interest of vendors for the early issuance of a policy statement on severe accident

! 88 i

decision making that would provide a reasonably stable regulatory outlook, which reinforces incentives for new standard plant design; or (b) whether it would be more prudent to await the outcome of the substantial severe accident.

research program that is in progress in the NRC and the industry before issuing such a policy statement. Whichever course is followed, the licensing of plants that pose undue risk to life or property is not at issue. What is at I

issue is the possible differential cost penalties of the two courses of action (i.e. , early n delayed policy development). It is clear that any changes in operating procedures for future plants resulting from new safety information would provide no significant cost difference between the two options. Similarly, the differential cost of backfitting minor design changes to the few plants that might be ordered in the next several years versus plants of the same basic design that might be ordered after the results of severe accident research programs are known would probably not be very significant.

Moreover, a delay in developing a severe accident policy statement governing new plants would increase the likelihood of utilities ordering custos plants during this period that would entail higher overall costs than new standard plant designs. The judgment here is that new standard plant designs would more likely incorporate cost-effective design features (i.e., more safety at less cost) than custom plants relying more heavily on older design principles.

4 Also, it is felt that new standard designs could be constructed over a shorter period with superior control of schedules and costs than custom plants. This has been amply demonstrated by the experience of other countries where standard j nuclear plants have been consistently constructed within 5 or 6 years at low

! overall costs, some substantially below many custom plants built in the United

! States.

A more itg.ortant t asideration in the earlier versus later options of policy develc, lent governing future plants is whether or not it is deemed likely that new saf m information developed over the next several years will lead to requirements for fundamental changes in design of major cost. This invites attenticn as to what the cost differential might be for implementing these major changes when backfitted to a standard plant ordered in the next several years versus a standard plant ordered only after a delayed policy has been put in place following the development of the new information. (In the case of a custom plant ordered in the next several years in lieu of a standard plant based on an early policy development, it is difficult to foresee any appreci-able difference in the cost of backfitting a fundamental design change). I '.

is not whcIly clear what would constitute a major cost differential in the backfitting of a fundamental design change; but, in view of the above rationale, l a differential cost of, say, $30-50 million for a design change would probably not be a persuasive consideration for delaying a severe accident policy that would encourage an early introduction of new standard designs in lieu of custom designs.

l Despite the uncertainties of what new safety information might signify for.the I cost differentials discussed above, it is important that a severe accident

} policy be forward-looking in conception at the point in time it is introduced.

This results from the following rationale:

l (1) Such a policy will serve to guide investment and regulatory decisions for a substantial period 'of years beyond its introduction; to the extent the 89

^

$ future course of events are assessed reasonably accurately, the policy.

will not quickly become obsolete or reduce the cost-effectiveness of these decisions; (2) Forward-looking policy will have sufficient flexibility to accommodate those events not wholly or accurately predicted as to their specific '

nature, timing, magnitude or importance; and (3) Forward-looking policy needs to be developed in a manner that would en-courage innovative ways of achieving superior safety levels at reasonable  !

costs; a highly prescriptive set of technical performance criteria for functions important to severe accident safety would have the effect of preventing the sort of risk-risk tradeoff decisions in plant design that j might achieve such optimal results.

In developing a forward-looking policy for severe accident decision making regarding future plants, it is important, therefore, to anticipate as best one can what new safety information might yield, especially regarding possible requirements for major (i.e. , costly) design changes of generic importance.

One of the best sources of insight for anticipating the most relevant events impacting such policy decisions accrues from the large volume of information engendered since the TMI accident that bears upon severe accident risk assess-

! ment and the nature of regulatory actions imposed as a result of this informa-tion and the lessons learned from operating experience. The major function of this Appendix will be to systematically examine currently available information of these kinds to (a) discern their implications for the likelihood of major design changes or further regulatory chang'es of a potentially costly nature

, affecting future nuclear plants whether of custom or standa,rd design, and (b) determine whether, on balance, this information supports the conclusion that existing plants pose no undue risk to public health and safety.

The kinds of information to be examined to serve this purpose include the l following:

(1) Modifications to nuclear plants to reduce severe accident risk resulting from backfitting by NRC requirements imposed as the result of signifi-cant precursor events, including the TMI Action Plan (NUREG-0660 and NUREG-0737).

(2) Modifications resulting from a dozen or so plant-specific Probabilistic Risk Assessments performed for operating reactors, especially plants in regions of high population (e.g. , Indian Point, Zion, and Limerick).

(3) Modifications directly resulting from construction and operating experience i

as revealed through Inspection and Enforcement (I&E)~Information Notices and Bulletins, Accident Evaluation Operating Data (AE00) Reports, Generic Letters, and utility quality assurance programs and staff reviews.

(4) Generic insights from the Severe Accident Research Program (SARP) that are completed or where sufficient progress has been made from which useful insights can be drawn regarding potential requirements, if any, for generic and costly design change.

90

The examination of information and distillation of relevant insights in this Appendix is of a preliminary nature. More work of this type would be performed by the initiation or continuation of programs discussed elsewhere in this report. Nevertheless, it is believed that there is adequate support for today's judgments that existing plants pose no undue risk to public health and safety and major generic design changes are not likely to be required by new safety information that is prospective of development in the next several years.

Although it is important to offer these judgments in connection with the Policy i Statement, it must be made clear that, should future information indicate a need to impose further requirements to protect public health and safety, such requirements will indead be imposed.

i I

I i

l 91

A. . .e e a . - , _s -w. s a .- u__ _ __ _ _ a_. m --, -. 2. _-w_..a.4_-__ .-m. _ _ . _,. _ _ _. ._.

a 4

I i

4 i

i 1

e i

1 1

1 I

e l

E a

I i

G i

(

i 1

e i

'I e

2 i 6 e

l 1

I 1

I J

d i

4 i,

92 sp 4

a- - - - ---w-,,,.,.e-- --,,.w.. . - , , , . , , - , , - - . . -, -, w-,,-en._ _w-,, _.m,--e ,..n,- -im-esn,_n-,.. . ..-- , - -. , ,,,m,

I II. TECHNOLOGICAL MATURATION AND THE OUTLOOK FOR SURPRISING DEVELOPMENTS Before beginning an examination of the aforementioned sources of currently available information, it may be useful to consider what the lessons of history

~ might suggest for the potentiality of surprising developments with safety implications. The experience of other complex technologies might offer some insights. Lacking special case studies, some conclusions still can be drawn from general knowledge of the literature depicting problems and success of the maturation cycle for such technologies as transportation; architectural design of structures such as bridges, skyscrapers, and dams; and aerospace technology. The availability of these conclusions for peer review may serve to aid the decision process through counter-evidence, or the absence thereof.

It is a supportable view that light water reactor technology for the commercial production of nuclear energy has achieved at least a middle state of maturity.

It has been on the world scene for over 26 years since a prototype nuclear power i reactor achieved criticality at Shippingport, Pennsylvania, in December 1957.

Since then, over 700 reactor years of operating experience has accumulated for commercial nuclear power plants in the United States alone. Foreign reactor experience and the use of nuclear reactors to power ocean vessels adds to the relevant experience contributing to the maturation of this technology. So does the commonality of experience with the reliability or failure rates of equipment such as pumps, motors, diesel engines, valves, pipes, weldsents, circuit breakers, and a host of electrical and mechanical devices used in a variety of industries, l

t including the nuclear industry. There are, of course, some features of nuclear power plants that produce unique effects on materials and their durability or failure potential. These include the effe~ cts of radiation and the harsh envi-i ronmental effects of accidents. .

It has been the general experience of other technologies having achieved an advanced state of maturation that most surprising developments regarding equip-

, ment failure occurred within the first several years after their introduction.

The work of a test pilot who flies the newest prototype model of an aircraft is regarded as especially hazardous. Examples of surprising failures coming in later years often result from the aging process affecting metals and equipment,

'; including the offacts of corrosion and fatigue.* Sometimes the failure of equipment may occur in later rather than early years because long-term environ-l mental conditions were not adequately addressed in the design of equipment or j in its maintenance or replacement programs. Thus, at least part of the matura-tion of a technology from a safety standpoint is not realized until experience accumulates or certain experiments are conducted to test equipment reliability under a more varied and extreme range of environmental conditions. Insofar as aging is concerned, we judge that nuclear technology would be in at least a middle state of maturity. This is based on several observations; namely, that (a) nuclear equipment in some plants has been in service about 20 years; j (b) safety-related equipment has for some time been required to be qualified

for its service life; and (c) critical equipment is undergoing research experi-ments to demonstrate survivability under the extreme environmental conditions
of severe accidents concerning, for example, the time required before contain-i 4

ment might lose its function following a severe accident.

} *See, for example, " Proceedings of the Workshop on Nuclear Power Plant Aging,"

NUREG/CP-0036, Sandia National Laboratories, November 1982.

93 i

Research in progress that could lead to surprising developments is that related to accident progression phenomenology. This includes such things as behavior of damaged fuel, fission product release and transport, hydrogen generation and control, fuel-water interactions, fuel-structure interaction, containment failure modes, etc. Although surprising developments are often bad news inso-far as the safety of a technology is concerned, this is not necessarily a foregone conclusion regarding research on severe accident progression phenome-nology. There are some conservatisms in the risk assessment modeling of severe accidents and their consequences; also, margins of conservatism have been built into hardware design. Consequently it is possible that surprising developments from this kind of research could be a mixture of both good and bad news.

In the " Proposed, Commission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation" (48 FR 16014, April 13, 1983) it was stated that:

"We do not expect our present views on severe accident considerations .

to change substantially as a result of ongoing NRC-sponsored or in-dustry research with respect to the fundamentals of the present de-signs and their general adherence to our safety policy. However, it is possible -- though not necessarily likely for any or all classes of nuclear power plants -- that new information will demonstrate the desirability of some engineered safety features and addition of fil-tered vents to some types of containment ar.d design features that would reduce the risk from sabotage and earuquakes. Also, we expect research results to permit further ri.sk reduction by identifying worthwhile refinements in the design of operating nuclear plants or their operating practices rather than indicating major. redesign needs.

The research will also help to develop more accurate probabilistic risk assessment methods for use in regulatory decisionmaking and to provide greater assurance of adequate protection of public health and safety."

It is our judgment that no new information has emerged since the above state-ment was published to overturn these anticipations about the outlook for sur-prising developments and their importance for costly changes in design or regulations. The staff's views on these matters have been conditioned by the reading of numerous reports and memoranda and by oral exchanges of information in which the more important, or potentially more important, changes receive priority attention. The large program of severe accident research that the NRC launched several years ago has not been justified on the basis of expectations that major changes would be required in plant designs to make them acceptably safe. Rather, the prime objective of this program is to reduce the uncertain-

. ties surrounding the level of risk posed by the possibility of severe reactor accidents. We are not seeking risk reduction except in those cases in which the new information would suggest undue risk. Said in another way, it is our judgment that existing plants are safe enough, but we seek to narrow the window of uncertainty.

l The remaining chapters of this Appendix are designed to explore more systemati-cally the currently available information regarding the outlook for emerging severe accident knowledge and operating experience. This outlook controls our judgments about generic design changes or further regulatory changes of major 94

i cost importance to existing or future plants in line with the philosophy expressed in Chapter I of this Appendix.

It needs to be emphasized, however, that the regulatory programs described in Chapter IV are designed to address the full range of severe accident questions.

If new safety information emerges from whatever source that leads to new tech-

' nical issues or elevates concern that there is undue risk, then such safety questions will be handled by the NRC under existing procedures for issue reso-l lution including the Commission's backfit policy and the possibility of generic

! rulemaking where this is justifiable.

t I

I F

95

6 0

0 6

.O e

Et O

96' l

l l

r,--~r,-,r,,,,.m- --wwr,--- , , - - - - , - - - - - - - - - , , - - -

III. MODIFICATIONS OF NUCLEAR PLANTS BECAUSE OF SIGNIFICANT OPERATING EVENTS Operating events that are significant precursors of core-melt accidents have been studied in NUREG/CR-2497. The precursor study found the following contri-butions to the severe core damage frequency for the period 1969-1979:

Date Event Frecuency (oer reactor-yr. )*

3/29/79 TMI accident 2.3x10 8 3/22/75 Browns Ferry fire 9x10 4 3/20/78 Rancho Seco loss of non-nuclear 6x10

  • instrumentation .

All PWR loss of main feedwater initiators 3x10

  • 5/02/79 Loss of feedwater flow at Oyster Creek 6x10.s 3/24/71 Loss of offsite power at Lacrosse 4x10.s 1/19/74 Loss of offsite power at Haddam Neck 3x10.s -

8/31/77 Loss of feedwater at Cooper 3x10 5 There were methodological difficulties in the study, such as the use of a biased statistical estimator, possible overestimation of the contribution of some accident sequences, such as the Browns Ferry fire, and other errors in details of the study. The authors of the precursor study recognized that there was some overestimation present because of the methodology they used and gave a range of 1.7x10 3/ry to 4.5x10 8/ry as the point estimate of severe core damage frequency. The NRC staff point estimate of the severe core damage frequency during this period (1969 to 1979) is toward the lower end of the range. Note also that the precursor study estimates the. frequency of severe core damage, not core melt. Presently, it is difficult to estimate the fraction of severe core damage events that might be terminated short of core melt.

Actions have already been taken to reduce the contribution to the severe core damage frequency from the three major contributors identified in the precursor study. Implementation of the TMI Action Plan should reduce considerably the probability of accidents of the Three Mile Island type, Appendix R requirements should reduce the probability of severe core damage due to fires, and actions have been taken to reduce the probability of severe core damage emanating from the loss of non-nuclear instrumentation.

In the precursor study, significant contributions to the estimated severe core damage frequency were also made by accident sequences initiated by loss of main feedwater, and by loss of offsite power. Improvements in the reliability of auxiliary feedwater systems (post-TMI fixes), and work on bleed-and-feed cool-ing should reduce the contribution of the loss of main feedwater initiator.

The work on station blackout (USI A-44) addresses the accident sequences initi-ated or furthered by loss of offsite power. Initial review of the precursor

-study and subsequent considerations do not reveal the need for any NRC actions not already taken or under way to suppress the perceived core-melt frequency in operating plants or plants under construction. .

Although we have not explicitly evaluated the effects of the many changes (procedural and hardware) implemented at operating plants, we would anticipate

  • The point estimates of severe core damage frequency were derived in the precursor study from very crude assumptions and have several orders of magnitude uncertainty.

97

that the frequencies of the top four scenarios leading to severe core d'amage' have likely been reduced by about an order of magnitude. It is misleading, however, to infer from this that the present severe core damage probability is an order of magnitude lower than that during the 1969 to 1979 time period. The reason is that there may be other accident sequences of importance that have had no precursor yet or that we have failed to identify in a precursor study.

One such example is the partial failure to scram at Browns Ferry.

Nevertheless, one would expect a large number of potential severe core damage

. events to have been previously revealed by precursors. In addition, many of the human factors changes after TMI will serve to reduce the probability of a broad spectrum of accident sequences, not just the TMI type of event. To assure that the potential for severe core damage is minimized, NRC will continue to stress the need to pay attention to precursors and to the dominant accident sequences identified by such studies. The precursor approach of the Oak Ridge National Laboratory, with licensee participation in evaluating significant events, is a viable and useful tool for improving the safety of nuclear reactors. .

Since most of the changes in the design and operation of nuclear power plants that have occurred as a result of operating experience were associated with the 1979 accident at Three Mile Island, those changes are described in more detail in the following paragraphs.

The TMI accident led to a number of investigations of the adequacy of design features, operating procedures, and personnel of nuclear power plants to provide assurance of no undue risk regarding sever.e, reactor accidents. The report "NRC Action Plan Developed as a Result of the TMI-2 Accident" (NUREG-0660, May 1980) describes a comprehensive and integrated plan involving many actions that serve to increase safety when implemented by operating plants and plants under con-struction. The Commission approved items for implementation and these are iden-tified in a report, " Clarification of TMI Action Plan Requirements" (NUREG-0737, November 1980). The staff issued further criteria on emergency operational facilities (NUREG-0737, Rev. 1), auxiliary feedwater system improvements (derived from NUREG-0667), and instrumentation (Regulatory Guide 1.97, Revision 2).

~

! A summary of the status of the Commission-approved TMI action items found in NUREG-0737 and its Supplement follows:

l (a) Breakout of action items, by type i

e 39 equipment backfit items; 18 implemented e 31 procedural changes; 28 implemented e 62 required analyses or reports e 137 total action items approved (b) Total action items required for all affected plants e 6471 separate action items for operating reactors and five NTOLs (about 90 per operating reactor) e 5700 action items implemented (88%)

e All but a few items in place by the end of FY 1985 for the NUREG-0737 items and by the end of FY 1988 for the additional items of the Supplement 98

It is of note that only 39 of the 132 different types of actions (about 30%)

involved equipment backfits and, of these, the most custly (at least in the aggregate) involved control room design changes. It has been estimated that the TMI-related backfits at operating plants cost in excess of $25 million in most plants and much more in others.

In addition to these backfit items, there were a number of action items set aside in NUREG-0660 for further study by the staff regarding their desir-ability for generic attention. Some of these will require resolution of severe accident policy and source terms before they can be completed.

s S

.e 99

ww 9

O 9

M e

6 9

100

!V. PERSPECTIVES ON THE NEED TO REDUCE SEVERE ACCIDENT RISK ORAWN FROM PA08A81LISTIC RISK ASSESSMENT To aid this discussion of risk perspectives, it is important to first define some terms. The consequences of severe reactor accidents are of two kinds:

those due to offsite radiological releases, known as "offsite losses" and those due to the damage to the plant, known as "onsite losses." Offsite losses are made up of property damage and health effects. Property damage can originate in the contamination of offsite property by fission products released in an accident. Contributors to pro m ty damage include loss of benefits from contaminated land, buildings, water, ad agricultural products; the costs of decontamination; the costs of relocating or evacuating people, etc. Health effects of radiation exposure are made up of latent effects and early effects.

Latent effects include fatal and non-fatal cancers and genetic effects. These effects are latent in that they take many years, or tens of years, to show up, if at all, in the exposed population. Early effects are those that might occur within a year of exposure to high levels of radiation, and include injury or death.

Onsite losses are made up of the extra costs of replacement power for the damaged plant, the costs of cleaning up and/or repairing the plant, the pos-sible loss of capital investment in the plant, and the so-called business costs, such as higher interest rates on borrowed funds or capital the utility may have to pay following an accident. The major consequences of the accident at Three Mile Island Unit 2 are almost exclusively onsite losses, estimated to be about several billion dollars. ,,

With these definitions in mind, what do the existing PRAs t911 us? Reactor risk assessments have shown a consistent pattern in tae relative importance of severe accident consequences.* Onsite losses tend to be larger than offsite property damage for all but the most extreme releases in combination with the most adverse weather conditions possible. In these extreme cases, offsite property damage may be a little larger than onsite losses, though only when the effects on the business costs or availability of other nuclear plants are left out of the computation of "onsite losses." Since the spectrum of severe accidents to which a plant may be subject includes a range of release severities, it is almost certainly true that, for all but the most extreme accidents, the expected onsite losses would be substantially larger than expected offsite property damage.

The expected number of latent casualties is estimated to be higher, often very t much higher, than the number of early casualties. Most severe accident scenarios I

would cause no early fatalities at all. Only the coincidence of a very severe release with particularly unfavorable weather can be expected to give rise to

lethal doses offsite. There are paradoxes associated with the importance of 1 latent versus early casualities. Because the estimated latent casualties, on the average, are vastly more numerous than early casualties, the latent casual-l ties are responsible for almost all of the human suffering and life-shortening i

l l *For a fuller discussion of PRA methods and insights, see "Probabilistic Risk l Assessment (PRA): Status. Report and Guidance for Regulatory Application,"

i NUREG-1050, August 1984.

l l

101

attached to health damage from reactor accidents. On the other hand, the latent casualties are so dilute in their place of origin (radii to beyond 10 miles from the plant) and so dilute in their time of arrival (tens of years after the accident) that they are masked by the far more numerou; naturally occurring cancers and genetic effects in populations of that size. Therefore, the dis-persed latent casualties pose almost no threat to the fabric or resiliency of society compared to the readily attributable early casualties. However, certain groups within our society pursuing different rationale may perceive dispersed latent fatalities from a catastrophic event to be much greater than that asso-ciated with the logic presented here. Indeed, aggravated societal reactions of these kinds could conceivably force the closure of some or all nuclear power plants should there occur another degraded core accident of similar or*much greater consequence (especially offsite) than the TMI accident.

The available PRAs also indicate that offsite property damage from severe acci-dents tends to be larger than latent casualties in overall importance. This results, in part, from government policy. For example, the thresholds for in-tardicting contaminated ground water or foodstuffs, set by the Environmental Protection Agency (EPA), are deliberately selected to be conservative, that is, to err on the side of caution. The result is that the costs of cleaning up or avoiding contaminated territory exceed the health effects of exposure to low level radiation to be expected if the interdiction policies were not followed.

The patterns discussed so far were first seen in the results of reactor risk assessments and can be shown to depend only on the models of reactor accident consequences. They would remain true even.i.f there were serious errors in PRA estimates of accident likelihood or release fractions. The patterns of conse-quence importance are summarized in Table A.1. .

There have been eleven PRAs sponsored by the NRC and an almost equal number sponsored by the nuclear industry. They cover a wide variety of plant designs. The central estimate of the core-melt frequency for these plants has ranged from roughly one in a thousand years of operation to one in one hundred thousand years. The highest risk estimates have been found in PRAs of three plants. All three have been modified to eliminate the vulnerabilities responsible for the large accident frequency estimate, so none of these three original risk estimates remain valid." Nonetheless, they are indicative of what PRA methods have found in the more vulnerable plants.

It is interesting to compare these figures with the actuarial experience. We have accumulated roughly 700 reactor years of operation in the United States with commercial nuclear power plants. Plants of similar design operating abroad have accumulated roughly the same service time. Thus we have over a thousand reactor years of commercial reactor experience with one severe core-damage accident (Three Mile Island) and no core-melt accidents. The PRAs do not distinguish severe core damage from core melt, calling both " core melt,"

so the actuarial experience, weak as it is, is not inconsistent with the PRA predictions that some of the more vulnerable plants may run roughly one chance in a thousand per year of severe core damage or core melt.

  • Furthermore, when changes are shown to'be n'ecessary for one plant, the change is examined for its generic implications and required of other plants, ifjustified.

102

Table A.1 Reacter accident consequences, in order of diminishing importance Consequence Comments

1. Possible shutdown of all Possible losses in the hundreds of nuclear power reactors billions of dollars
2. Damages (onsite losses) Losses in the several billions of to the affected plant dollars is a certain consequence of severe core damage or melt
3. Offsite property damage Losses in the range of zero to tens of billions of dollars possible from loss of benefits of land, gater, and goods contaminated offsite
4. Latent aualties,(i.e., fatal Casualties in the range of zero to tens and non iatal cancers and of thousands of delayed fatalities pos-genetic effects) sible; very dilyte'in place of origin and time of arrival
5. Early casualties (i.e., injuries None are expected 'of the great majority and fatalities) of severe reactor recident possibil-ities. They can range thousands of casualties { rom zero to

" Theoretically, the combination of extraordinarily large releases and extraor-dinarily unfavorable site and weather conditions can yield higher consequences than these indicated here, but higher values are extremely unlikely.

One can get a perspective on the upper limits of the incentives to better the prevention er mitigation of severe reactor accidents by c0nstructing a bound-ing estimate of risk. A useful estimate can be made by addressing risk assess-ment in three segments: (a) the probability or frequency estimate of core melt, (b) the source term (or accident fission product release c.ffsite) which, among other factors, depends on containment performance, and (c) the societal con-sequences of the source term and other factors such as weather conditions. For example, let us assume a point estimate of core-melt frequency of one accident in a thousand reactor years and such an accident occurs in cunjunction with an unmitigated release. Such a frequency estimate is close to an upper limit in-ferred from actuarial experience, and the severity assumption is bounding.

Tables of the expected consequences of an unmitigated release (as well as miti-gated releases) for each reactor site in the country can be found in " Estimates of the Financial Consequences of Nuclear Power Reactor Accidents", NUREG/CR-2723.

In that document, a release in which the containment systems are wholly un-successful is designated "SST1". The Indian Point site is the most populous in the country. More people are at risk there than at any other site. By choosing the Indian Point site, the SST1 release, and the t ;h accident fre- .

quency, we can surely bound the risk for the great majority of plants. The expected risk results using this pessimistic bounding assumption are as follows:

103

r Early fatalities 0.7 per reactor year Cancer fatalities 6 per reactor year Offsite property damage $9.2 million per reactor year Onsite losses $4 million per reactor year If we were to choose a more typical site, say that of the Palisades plant, but keep the pessimistic bounding assumptions on accident frequency and severity, we would get the following expected risks:

Early fatalities 0.02 per reactor year Cancer fatalities 1 per reactor year Offsite property damage $1 million per reactor year Onsite losses -

$4 million per reactor year These are the expected (or weighted average) consequences based on the full range of possible consequences if an SST1 release occurred with a frequency of one per-thousand years (i.e. , 0.001 times per year). If such a release actually occurred, the range of early fatalities (as, for example, at Indian Point) runs from none at all for most weather conditions to the tens of thousands for un-usually bad conditions, with a weighted average of about one thousand." The same range for the more typical Palisades site is from no early fatalities at all to perhaps a thousand in an extreme case, with a mean of about 40 early deaths.

Next, let us relax the pessimistic assumption that the containment is worthless.

We can replace the SST1 release with the SST2 release, designed to model the case in which the core melts in a leaky containment, but the containment sprays and coolers function to reduce the contamination that leaks out of the plant.

At the Indian Point site, an SST2 release at a frequency of one-in-a-thousand reactor years yields the following expected risks:

Early fatalities 0.0001 per reactor year Cancer fatalities 0.5 per reactor year Offsite property damage $100 thousand per reactor year Onsite losses $4 million per reactor year The consequence estimates published in NUREG/CR-2723 assume an accident release, or souru term, essentially as modeled for WASH-1400 (also known as the Reactor Safety Stdy, NUREG/75-014). A great deal of work is in progress to develop a revised assentment of severe accident source terms. It is premature to make a prognosis of it; outcome. Nevertheless, it is reasonable to expect that the WASH-1400 source terms for the most severe accidents are likely to be shown as pessimistic, at least for early fatalities.

Since radiciodine dose contributes about half of the estimated early fatalities, and most of it is already assumed in WASH-1400 to be released with early contain-ment failure (an unmitigated release), revised estimates of early fatalities based on new source terms are expected to be somewhat Iower for most accident scenarios.

  • NUREG/CR-2239, " Technical Guidance for Siting Criteria Development," Sandia National Laboratories, December 1982.

104

I i

4 4 .

Once the source terms are set, the balance of a reactor accident risk calcula-tion involves uncertainties that are much better known. The principal one is the availability of statistical data on specific weather conditions that prob-

! abilistically might prevail at the time any accident release occurs. Relevant i weather conditions that affect the dispersion of the release and, thus, the l consequences include the presence or absence of precipitation; the strength,

! temperature, and direction of the wind; and other meteorological factors. The i atmospheric dispersion is so significant that, for most sites under most wea-ther conditions, there would be eo early fatalities even if a large accident release did occur. These estimates generally include a relatively pessimistic, or at best, realistic estimate of offsite emergency response. A more timely i  !

and effective offsite response than these assumptions could virtually eliminate j early fatalities in a severe accic'ent release.

4 i Several perspectives on the incentives for better risk reduction at nuclear j

plants emerge from these sample calculations, that have been born out by and '

i originally discovered in reactor risk assessments. First, health effects are not large, in any event. They are small enough that there apparently is little or no incentive to make plants safer in order to lower the expected risk of i

fatalities, prompt or latent. Offsite property damage could be large, and so

! pose a large incentive for improvements, but only when very severe releases are t

postulated with very high frequency, i.e., near the actuarial limit. If the '

l containment can be credited with modest mitigative success (it need not perform j

' as well as expected based on its design) in the majority of core-melt accidents, then onsite losses can be expected to be the largest contributor to the risk.

Accident prevention serves to reduce all accident risks, both onsite and off-site. However, accident mitigation reduces only offsite releases (and thus, r I

offsite losses) but does nothing to reduce onsite losses. Because onsite losses '

are thought to be dominant relative to offsite losses in almost every accident [

scenario, a strong preference for prevention over mitigation appears when risk  :

i reduction strategies are compared. Only for accident scenarios in which the  !

! containment is bypassed or wholly fails to limit releases does one find the incentive for better containment to rival the incentive for better accident '

i prevention.

1 i The incentives for better accident prevention may be quite significant. Under

! the assumption that core-damage accidents occur once in a thousand reactor

years, we found expected onsite losses in the range of four to thirteen million

} dollars per reactor year. A one-time expenditure ten times the size of the annual expected loss might well be cost effective if it substantially reduced l' the expected losses over the rest of the life of the plant. As a first approxi-mation of what would be a good prevention investment in a particular plant i

' on the basis of averted onsite losses alone, consider the following. A plant ,

with a core-melt frequency around one-in-a-thousand years might well warrant '

j investments in the many tens of millions of dollars (if no less costly options i a can be found) to lower that frequency. By the same token, a plant with a core- '

melt frequency of one-in-ten-thousand years might well warrant investments in I the many millions of dollars to reduce its vulnerability. Finally, a plant l whose core-melt frequency is one accident in one hundred thousand years would j warrant a one-time investment of less than one million dollars to lower that frequency substantially. Significant changes in plant design and operation j can be had with a budget of many tens of millions of dollars. Substantial

] changes in the risk profile of a plant can be had for that amount. It is very l

1 j 105 i

j

likely that cost effective means can be found to lower the vulnerability of a plant if its core-melt frequency is in the neighborhood of one-in-a-thousand years. Cost-effective improvements are still possible, though not assured, in a plant with an accident frequency around one-in-ten-thousand per year. Only very modest changes in plant design can be achieved with a budget less than ten million dollars. Refinements in procedures are all one can expect to achieve in a cost-effective attempt to better a plant with a core-melt frequency as low as one-in-one-hundred-thousand years.

There are now roughly eighty plants licensed to operate by the NRC. There will soon be one hundred in service. Both the experience with PRAs and the actuarial experience suggest that some few of these plants may be running one chance in a thousand or more per year of core damage or meltdown, although the PRAs suggest that most plants are less vulnerable than that. In light of this evidence, we can infer that the frequency of occurrence of core-melt accidents in the whole domestic power reactor industry probably lies somewhere between one in ten years and one in one hundred years. There is a distinct possibility of one or more additional severe reactor accidents, beyond the one at Three Mile Island, in the remaining service life of the plants now in operation or under construction, unless the estimated accident frequency declines sharply with modifications, or has been significantly overestimated in current PRAs and actuarial inferences.

If there is another severe reactor accident, the insights afforded by the exist-ing PRAs allow us to make some projections of what to expect. Although no reac-tor risk assessment has explicitly distinguished core melt from severe core damage, several estimates have been prepared of the fraction of severe accident scenarios that can be expected to stop with core damage rather than progress into core melt. They suggest that something in the range of 10% to more than 90% of the severe core damage accidents would go on to core melt. Early fa-talities are very unlikely; the better contained scenarios cause none and the poorly contained scenarios do so only under unusual weather conditions. Latent casualties would number in the range of zero to thousands (more are possible, but very unlikely). In any event, the latent casualties would be undistin-guishable, because they would be very dilute among the background occurrences.

Offsite property damage might range from negligible (a likely result) to mas-sive (tens of billions of dollars, a very unlikely result). The onsite losses would amount to several billions of dollars. Last, but not least, the political climate for the continued operation of the other 130 or so plants in the country might very plausibly sour. The hundreds of billions of dollars invested in the nuclear power industry could plausibly be lost to a popular reaction, even if the objective consequences of the reactor accident did not warrant the changed perspective on risk.

In summary, the picture emerging from reactor risk assessments is one in which public health and safety have been well-served. The threat of radiation-induced early fatalities is quite remote. The threat of latent casualties, while not negligible, does not appear large in casualties per reactor year and is very small against the non-nuclear rate of occurrence in the affected population even after a severe release event. Offsite property damage could be a signifi-cant threat, but does not appear large compared with the risk to the reactor owners' investment in their facility. There may, in fact, be an undue risk to the economic investment a utility has made in nuclear power if its plant is at the upper level of the risk estimates and the actuarial experience. That is, 106

l 1

the probability of another severe reactor accident may not be small for some plants, and the economic losses associated with such an event for a nuclear utility and its customers could be very large.

1

(

4 i

107 l

m A __pJ . a.m.- e,a ~ --A_ .- - mw, . 4- m.mwa,_ , _ _ .m A m s,. .. -asEhA 4 m+-a. *_ _A.- -, h- 2 m5-. .la.Ah,a-- --_-a - m.-um_mi__.- _-4 a- .-,--e -aa 1

i I

4 1

1 i

I-1

(

s i

I I

O 108

l 4

i

}

V. EXPERIENCE WITH PRA AS A SAFETY ANALYSIS TECHNIQUE A probabilistic risk assessment (PRA) attempts to give a comprehensive and realistic model for predicting risks by performing a systematic review of the design and operation of a nuclear power plant. The technique provides an inte-grated assessment of primary safety systems, support systems, and plant opera-tion with respect to core melt, containment failure, and radiological conse-quences. It differs from the traditional deterministic approach because it is not constrained to highly prescribed design basis events.

I Although PRAs are constructed on a logical framework, they involve many simpli-'

i fled approximations. There are also gaps in our knowledge and hence in our

ability to quantify certain classes of risk contributors. For example, (a) we do not know how to quantify reliably the likelihood of sabotage attempts or success; (b) we have not yet mastered the art of quantifying the contributions to reactor accident susceptibility made by those design errors that are not revealed by either design documents, quality control measures, surveillance tests, or reactor operations and that are not included in failure data bases; and (c) we are not very good at quantifying the likelihood that operators might l misdiagnose an incident, and thus employ the wrong procedures.

i Such limitations make PRAs unreliable at predicting the precise magnitude of risk. However, they are successful at identifying many, if not all, of the ways a reactor may be vulnerable to severe accidents and warrant remedial

' action. They are also valuable as a method with which to estimate the import-ance of safety issues. A number of inferences can be drawn from PRAs on ways to improve reactor safety. PRAs provide an objective framework for putting reactor safety issues in context. Most importantly, PRAs provide the best i available numerical estimates of the existing uncertainties in any reactor i safety assessment, i

An assessment of the adequacy of plant design and operation is obtained by identifying those' sequences of potential events that dominate risk and deter-mining the features of the plant that contribute most to the frequency of such r sequences. These plant features may be potential hardware failures, including common-cause failures, test and maintenance activities, or procedural defi-i ciencies resulting in particular vulnerability to human errors. On the other hand, some features may serve to prevent or mitigate events that would otherwise 1 lead to accidents or more severe accidents. Thus, a probabilistic analysis '

reveals plant features that may merit close attention, or conversely, identify present or proposed regulatory actions that do not provide a significant safety i

benefit. Also, plant-specific PRAs can generate useful predictive models of

( plant susceptibility to severe accidents that can be used, improved, and reused l by both licensees and the staff for safety management, for revising technical specifications and procedures, and in design reviews. Indeed, it is easy to

' discern that PRAs, with their more rigorous structuring of cause-effect rela-tionships and their aid in helping hard science drive out soft science, provide

! learning curve mechanisms superior to those associated with the traditional i methods of deterministic engineering analysis. PRA methods, of course, are an

extension rather than a replacement of deterministic engineering methods (see j Section IV.C.3).

1 i

i 1 l \

\

109 t

i

l Many of the probabilistic safety analyses performed to date (as PRAs) have I provided important insights into potential plant vulnerabilities that were not  !

being considered or not thoroughly evaluated in the traditional deterministic j evaluations of the plants. A list of some of the significant insights is  :

presented in Table A.2 addressed generically; e.g., confirming the integrity of intersystem isolation capability and the elimination of ac dependency in turbine-driven auxiliary feedwater trains. Other issues are the subjects of generic programs; e.g., station blackout and de power supplies. Based on this past experience, we would expect to continue to identify insights into features important to risk with new plant-specific PRAs.

The features warranting corrective action are frequently unique to the subject plant. The details of balance-of plant design or of the provisions for test, maintenance, and operations which often differ substantially from plant to plant have been found to harbor the vulnerabilities'that lead to dominant con-tributors to risk. It is not surprising that the aspects of safety design and operation that are not closely scrutinized in licensing show the greatest variability among plants and also the largest proportion of the vulnerabilities that warrant attention.

Many of the PRAs have stimulated the licensees to take corrective actions, either during the study or after the results were evaluated. A partial list of these modifications resulting from PRAs is presented in Table A.3. To a large extent these modifications were implemented voluntarily by the utilities in an effort to correct weaknesses in their plants.

Potential accident sequences that involve connected systems and closely coupled procedures are the most amenable to probabilistic risk assessment because de-pendencies are readily identified and component failure probabilities are generally available. The more elusive sequences, which may not be identified, are those involving dependencies between components and systems other than direct connections (other forms of common-cause failures and systems interac-tion) and physical phenomena that are not readily apparent to the analyst.

Examples of these dependencies are (a) the Crystal River event of February 1980, which resulted in an open Pressure Operated Relief Valve (PORV) and loss of vital control room instrumentation, was not identified by an ongoing risk study, and (b) the man-machine interaction that occurred during the TMI-2 event.

Attempts are being made to develop procedures that will minimize the likelihood of missing such sequences. However, completeness within a specified scope of study can never be fully assured for PRAs or for any other review processes; learning curves with PRAs will improve this assurance.

The concerns associated with the completeness issue are alleviated to some extent by a peer review like that performed by NRC on the studies submitted for the Big Rock Point, Zion, Indian Point, and Limerick nuclear power plants.

The findings of these reviews have not identified any important deficiencies in the statistical methods. Rather, they provided alternate views on the frequency of offsite events (loss of power and hurricanes); revised the assumptions re-garding human errors; and identified additional accident sequences based on systems analysis considerations. The independent review is valuable in identi-fying marginal assumptions that may have an impact on the overall results.

110

i TABLE A.2 ,

IN$!GHTS F110M PREV!0W5 PROSAO!LISTIC RISK A55t$3E NTS A. Reactor $afety Study e Ofscovery of vulnerebflity to uncontained. interfectng syntes LOCA

, Two valve failures at reactor coolant systm . LP! interftce could result in 1) LOCA. 2) loss of ECCS. and 3) bypass of contalment for fission product release (Intersystem LOCA) e Complete loss of ac power and aust11ery feedwater resulting in core melt and loss of containment (no cooling) e Failwe of ECCS coolant pumps post.LOCA due to cavitatten following contalment failure (no long term contaiment cooling) e Importance of operator to realf gn ECCS cooling post LOCA e Containment configuration could lead to inadewate filling of the sume and subsement failure of spray recirculation pumps when actuated post LOCA e Importance of ATWS in SWRs

8. Reactor Safety Study mothe61oey Aeolications eroeram e !sportance of loss.of.feedmeter events for plants with two train aux 111ery feedwater systems e Faflure of ice condenser contatment for most core melt accidents e Importance of ice condenser contalment drafn plugs for filling sump post LOCA e Importance of hydrogen burning as a potential contalment failure mode C. Interia s elf abt19'y Evaluation beoocam o Vulnerabf ttty to de power system coupitag independent tratas of vital cooling e Loss of turbine defven ausf1tary feedwater train in station

, blackout occause of at dependency e Vulnerability to single faults burfed in a control system electroates e Value of $P05 and fmproved operators D. Owaer's Studies e Provtston for alternate makeup to mergency condenser in SWas e Importance of reetter coolant pop seal vulnerab111ty to cooling support system e Internal flooding in aust1tary butiding e Vulnerett11ty to failure of service water system (staff review) e vulnerablif ty to seisele effects e

Vulnerabflity)of (staff review sunf1f ary butidings to high wind conditions I

e Vulnerability)of (staff review cable tray to hot gas layee from fires e Importance of timely dooressariastfon of the primary system in f.8s 111

TABLE A.3 PLANT N00!FICATIOM$ BASED f.N PROSA8!LISTIC R!$K AS$t$$MENTS Crystal Rivee

- 4 Removed ac dependency in the tuttine driven auxillery feeeuster train e Modification to steemitne rupture metria circuitry e Reevaluated procedures related te less of effstte power Calvert C11 Ms e Added meter def ven avalltary feedster train and auto start for AN Millstone. Unit I e Provided procedures for makeup to fsalation condenser following loss of offsite power e .!sproved manual depressuritation procedures (under consideration) e Improved gas turbine maintenance (under consideration) e Corrected single failure vulnerability in centrol system Ita ecct potet e Remote makeup to the emergency condenser from the fire systen e Added post. accident valve position indfcation e Added early contatnnent sprey following a LOCA e Added additional isolation valves on the primary coolant system

$!.ll" e Decreased allouette cutage time for auntilary feeduster trains Shoreham o Replacesent of stelock sightglass e Modiffcation to RCIC turbine enhaust setootnt e Lower MS!V flotation setpoint e Black start caeabilities for gas turbine emerpacy oceer ladf aa Potat e Modiff ed control buildf ng roof and ceiling to accommodate nigner seismic accelerations e testemented anticipetory shutdown technical specifications for hurricane e Provide alternate electrical paths to cope with fire in switchgear/

electrical tunnell e Modifled befck walls of de battery room to accesinodate higher seisafc accelerations 112

The staff believes that it is desirable to eventually develop plant-specific PRAs for all nuclear power reactors. Although a few surrogate PRAs can iden-tify a number of generic issues and illuminate many aspects of reactor risk in general, the differences of individual plant design and operation often harbor vulnerabilities that warrant fixing and whose presence could not be inferred from PRAs of other plants. For example, the vulnerability of the Indian Point Unit 2 control building to damage during earthquakes because of ir.teractions with the adjacent Unit 1 superheater building is peculiar to Indian Point Unit 2. In our Judgment, the value of discovering and correcting this singular vulnerability pstified the cost of the PRA as well as the hardware changes, and many other values of the peer-reviewed PRA are still available for harvest-ing in the continued operation of that plant.

A second reason to believe that plant-specific PRAs may be warranted lies in the familiarity they offer primarily to the owner-operators of the plants and secondarily to the NRC staff regarding the importance of safety issues, acci-dont sequences, and equipment reliability for the plant. A PRA can be used as a safety management tool for training operators, reviewing procedures, main-taining and replacing equipment, evaluating the lessons of experience, and evaluating the applicability of generic safety issues. Such uses of PRA enable licensees and the NRC staff to be more discriminating, and to focus more sharply on issues of significance.

Most of the design modifications resulting from industry-developed PRAs for operatine eactors were of plant unique significance rather than generic sig-nificanct =nd were estimated to cost less than a million dollars. A few ex-coeded this value. No such modication involved me.for cost as defined in Chap-ter I of this Appendix (i.e., $30-50 million).

113

6 i

1 114

. _ _ _ _ _ - - _ __ _ . _ _._.___.____________.m i i i  !

i l

I I

o I VI. M00!FICATIONS DUE TO CONSTRUCTION AND OPERATING REACTOR EXPERIENCE j A. Accident Precursor and Consequence Mitigation Information The major information sources providing insight on safety modifications due to  !

j construction and operating reactor experience are shown in Table A.4. This in-1 formation relates to human errors and equipment failures. It more often deals j with accident precursor events rather than the systems designed to mitigate 4 the consequences of an accident greater than design basis (e.g. , containment). i Very little experiential data is available for the simple reason that multiple j failures of considerable rarity are required concurrently or in sequence. i l Thus, the consequence mitigation systems are seldom challenged to respond.

Even then, there may be plant-specific or unique circumstances that would make j it inappropriate to draw generic conclusions about their performance, except perhaps for a limited number of plants of similar design. Most U.S. plants differ in the character and magnitude of their vulnerabilities to severe  ;

I reactor accidents. The more prominent vulnerabilities tend to lie in the l l details of balance-of plant design or operation, usually in areas unconstrained or unstandardized by existing reactor regulations.

! This chapter provides a brief summary of the voluminous data made available 1 through the Office of Analysis and Evaluation of Operation Data (AE00) sources j and the IE Oulletins and Information Notices cf the Office of Inspection and t j Enforcement. This information pertains to the nature of design modifications ,

resulting from events or failures recorded for operating reactors. Many staff t t members in various offices and divisions of NRC come into contact with, or have j purview of, the various kinds of information sources described in Table A.4.  !

The need for design m dtfications to enhance protection against severe accidents

! derived from this in; reation has a greater likelihood of coming to the wide-  !

spread attention of the middle to higher levels of management to the extent it i involves major cost to implement or requires anneric changes. Modifications to t

design and operating procedures entailing sign <ficant risk reduction but at i little cost, or requiring no changes in our regulations or technical positions, i
invite attention to only a limited number of persons. This desirable bias of ,

l upward management attention to the more costly or generic modifications serves l

! to reinforce the overa11 validity of these kinds of observations that is the primary objective of this Appendix.

l 8. IE Oulletins and Information Notices [

l t l There are several groups within the NRC that review power reactor operating l experience to identify issues that are potentially significant from both a ,

generic and safety point of view. Within the Office of Inspection and Enforce- }

i ment, the Event Analysis 8 ranch (EA8) screens the events that the Itcensees l j report by telephone to the NRC Operations Center in accordance with the require-  !'

monts of 10 CFR 50.72. These events are discussed with the Operating Reactors Assessment Branch (0RA8) during a daily conference call. These two branches  ;

collectively decide which events warrant further followup. This followup may l be accomplished by the EA8, ORA 8, or by the regional office. In addition, some

events are referred to 'the Engineering and Generic Communications Branch (EGC8)
for followup.

l i r

t I i 115 l 1

f

__ _ _ _ _ _ _ _ _ _ _ _2

r Table A.4 Documentary sources of information to understand the nature and importance of safety modifications

  • e Operating Reactors Licensing Actions Summary (NUREG-0748) e IE Bulletins (8 in 1983) e IE Information Notices (84 in 1983) e NRR Generic Letters (41 in 1983) e AE00 - review licensee event reports (about 4500 per year) e AE00 published case studies (several per year) e AEOD published engineering evaluations (30 in 1983) e AE00 published techical review reports (41 in 1983) e AE00 published Power Reactor Events Reports (6 per year, NUREG/BR-0051) e Report to Congress on Abnormal Occurrences, NUREG-0090 (12 per year) e NRC monthly status report to Congress (Bevill report) e Miscellaneous NUREGs; case-related hearing testimonies, transcripts, etc.

e Plara-Specific PRAs e Foreign event information e INPC SEE-IN Program (56 0&M reminders, 87 SERs, and 9 SOERs in 1983) e INPO NPRO system (40,000 component reports in 1983)

  • Resulting from experience of failures in equipment and procedures during nuclear power plant construction, operation and maintenance.

In addition to events reported to the NRC Operations Center, there are other sources of operating experience that are reviewed. The EAB screens construc-tion deficiencies reports provided in accordance with 10 CFR 50.55(e) and component deficiency reports submitted in compliance to 10 CFR 21. Items that appear generic and significant are followed up by the EA8 or referred to the EGCB. The AE00 reviews all Licensee Event Reports submitted in accordance with 10 CFR 50.73 and performs in-depth evaluations of some events. Further, daily report items by the regional offices are revieweJ by all the aforementioned groups. Finally, the regional offices submit to the EGCB for further evaluation the items they consider to be potentially generic and safety significant. Those events that the NRC staff screening and evaluation efforts find to be poten-tially generic and safety significant are disseminated to industry by issuance of IE Bulletins, IE Information Notices, NRR Generic Letters, or by AE00 Power Reactor Events Reports.

116

h i .

i i

i

IE Bulletins provide information about one or more similar events and require I that licensees take specific actions. The Ifcensees report actions taken or i to be taken and provide information the NRC may need to assess the need for i further action. Bulletins are reviewed by the Committee for Review of Generic l

Requirements (CRGR) before issuance. Sulletins seldom, if ever, impose a new I regulatory requirement upon the licensee and as such are not normally a back-

! fit. They usually require the addressee to take action to assure that the j intent of an existing rule or requirement is being satisfied. Prompt response by licensees is reqW red and failure to respond will normally result in NRC enforcement action. NRC Bulletins generally require one-time action i

and are not intendec as substitutes for fomally issued regulations or for j imposed license amendments, e

! IE Information Notices provide information but do not require specific actions.

They are rapid transmittals of information that may not yet have been completely  !

!t analyzed by the NRC, but that licensees should be aware of. Licensees receiv-ing an Information Notice are expected to review the information for applica-bility to their current and future licensed operations. If the information is applicable to their facility, licensees are expected to take action necessary to avoid repetition of the problem described in the Information Notice. -

, , NRR Generic Letters generally impose new, or partially new, requirements on licensees and CP holders. These usually involve issues relating to design 2

basis accidents rather than severe accidents. Before a Generic Letter is i issued, it is reviewed and approved by the CRGR. Frequently, an NRR Generic t

! Letter endorses the recommendations contained in a NUREG document and requires i

that licensees and/or CP holders submit a program for staff approval that will

{ implement these recommendations on a continuing basis, j In summary, all power reactor operating events, construction deficiencies, and I vendor deficiency reports are screened, and those appearing to have both generic .

i and safety significance are evaluated further. If the evaluation indicates [

l that the event or deficiency has a generic safety significance, industry is  !

i notified. Therefore, the severe accident study and severe accident policy 1 makers can assume, with reasonable confidence, that safety significant deft- .

{ ciencies that have been identified at one nuclear site will not remain uncor- [

i rected at other facilities. It should be noted that IE sometimes uses the i' results of the Accident Sequence Precursor (ASP) Program to " calibrate" opera- -

tional events or sequences to help determine which are important enough to L require action. More plant-specific PRAs or event trees would be of value to l l IE in the quantification of AE00 findings or recommendations before use or  ;

i implementation. Thus, the results of the Severe Accident Research Program will -

. be of considerable benefit in aiding the evaluation of the potential importance i

of experiential data to severe accident risk reduction obtained through the interactive reporting and data analyses of the IE, AE00, and industry systsis such as the Institute of Nuclear Power Operations (INPO) and the Nuclear Safety i Analysis Center (NSAC) regarding failures in the construction, operation and r j maintenance of nuclear power plants.

C. Analysis and Evaluation of Operational Data by the AE00 c

i NRC's Office for Analysis and Evaluation of Operational Data (AE00) was estab-l lished several months after the accident at TMI-2 to identify and feed back

! significant safety lessons of operational experience to NRC, its licensees, the J

1

]l 117 i

  • --m~,--~~~~--,------_-~~ , wm u- - + - - - _ - - - ~ ~ .
  • nuclear industry as a whole, and the public. These responsibilities include managing the NRC Licensee Event Report (LER) system and analyzing operational experience in engineering evaluations and case studies. In addition, AE00

, publishes the NRC's " Licensee Event Report (LER) Compilation" (NUREG/CR-2000),

which contains abstracts of LERs processed during a one-month period; " Power Reactor Events" (NUREG/BR-0051), a bi-monthly publication which contains abstracts of events of significance and interest to plant operators; and the quarterly " Report to Congress on Abnormal Occurrences" (NUREG-0090).

To assure uniform, systematic procedures for the coordination needed for the collection, organization, and dissemination of operating data to meet the needs of the agency, the AE00 has developed an Operational Data Assessment Program. The feedback of operating data or experience is an inherent and important aspect of all NRC activities to some degree and thus involves all NRC organizational ele;nents:at one time or another. Operational safety data and activities, as covered by this program, are those related to incident or failure reports associated with operations licensed by the NRC and similar reports from foreign facilities. Thus, the focus and scope of this program is on operating events, their implications, and their corrective actions. Unless otherwise indicated, other types of operating information and input data, al-though relevant and often important in support of operational data assessment, are considered outside the scope of this program.

The principal objective of the NRC's Operational Data Assessment Program is to identify, through the review of operating experience, where the margin of safety established through licensing has been degraded, and, through a systematic analysis of an operating event or a combination of events, to identify and implement corrective action that will restore the originally intended margin of safety. Thus, in implementing the. Program, a clear distinction is main-tained between restoration of the original safety margin, which is the primary objective, and improvements in the safety margin. The latter must be separately identified and justified as new licensing actions.

The scope and reporting frequency of the programmatic activities of the AE00 are shown in Table A.5. The most important reporting effort of the AE00 Program is the Licensee Event Report (LER). About 4,500 LERs were received in fiscal year 1983, covering a wide variety of events reported by U.S. nuclear plant owners. In May 1982, the NRC published in the Federal Register a proposed LER Rule designed to revise the scope, content, and method of reporting. The reporting criteria focus on events most likely to have potential safety signi-

! ficance and require a more detailed narrative report for each such event. The NRC staff received more than 40 letters commenting on the proposal. In July 1983, the Commission issued its final LER Rule (10 CFR 50.73), which became effective on January 1,1984.

The Sequence Coding and Search System (SCSS) (an improved computerized data storage and retrieval system) is now in use. It facilitates trend and pattern analyses, allows for statistical assessment of data, and brings a greater range j of past experience to bear on cases under consideration. The NRC has also con- ,

solidated its computerized LER data files at the Nuclear Safety Information i Center (NSIC) in Oak Ridge, Tennessee. Here the expanded LER file uses the SCSS as well as the RECON on-line data search and retrieval system.

118

Table A.5 AE00 source of reactor operational data (1) Prompt notification (approximately 2000/ year) e 10 CFR 50.72 e Plant Technical Specifications (2) Licensee Events Reports (approximately 4500/ year) e Plant Technical Specifications (3) Construction Deficiency Reports.(approximately 200/ year)

(4) , Defects and noncompliance (approximately 200/ year) e 10 CFR 21 (5) Other Sources (approximately 200/ year) e Inspection findings e DOE reactor experience e Licensee reports and requests e Informal communications e Foreign event information The NRC has established a program to monitor the component failure information reported to the Nuclear Plant Reliability Data System (NPRDS) of the Institute of Nuclear Power Operations. This is a reporting system for failure data on safety components. The NRC has also implemented a system'to gather and store nonreactor operational data on nuclear materials and fuel cycle operational ,

events and on personnel radiation exposure events. It also may be useful in identifying trends in events that signal a need for remedial action.

Efforts have been made to increase the number of foreign experience reports that are assessed by NRC offices and contractors. The NRC also participated in the development of International Atomic Energy Agency (IAEA) guidelines to be used to improve incident reporting systems. Simultaneously, an NRC program at the NSIC was expanded to systematically screen and assess selected foreign informa-tion, and to abstract it for computerized data filing.

The AE00 conducts engineering evaluations and case studies of events and potential generic problems, and performs selected trend and pattern analyses.

Significant individual events and small groups of events that demonstrate a potential generic problem may be assessed in a detailed study. Events of less safety significance that appear as a group to exhibit a prevailing tendency of significance are usually assessed by trend and pattern techniques.

Examples of AE00 engineering evaluations and case studies include a preopera-tional test precursor of the TMI-2 accident, an Indian Point Unit 2 flooding

! event, the inadvertent loss-of-coolant events at the Sequoyah Nuclear Power Plant, a loss of residual heat removal service water at the Brunswick Steam Electric Plant, an overpressurization event at McGuire, valve flooding at Surry, l

119 1

loss of all charging pumps at St. Lucie Unit 1, loss of shutdown cooling at San Onofre Unit 2, failures of the reactor trip system in the Salem Unit 1 ATWS events, the plant systems interaction transient at Hatch Unit 2, low temperature overpressurization events at Turkey Point Unit 4, and human factors contribu-tions to accident sequence precursor events. Other events evaluated involved water hammer, diesel generators, power distribution systems, instrumentation and control systems, support service systems, safety-related pumps and valves, and fuel assembly degradations.

D. Conclusions The above description of the IE and AEOD efforts to develop a systematic pro-gram for receiving and analyzing data to discern what regulatory actions should be taken as a result of reported failures in nuclear power plant construction and operation is impressive in its scope and evolving sophistication. The Severe Accident Research Program can reasonably be expected to improve the quality of insights to be obtained from this data in discerning the importance to severe accident risk reduction of various options for reducing the frequency of failures that challenge reactor safety systems. The actions and modifica-tions resulting from the IE and AEOD programs to deal with the safety issues exposed by operating reactor data are generic. Some of the design modifica-tions are high-cost items (e.g. , masonry walls, "as built" seismic supports).

The changes set in motion by IE and AE00 studies are in the general nature of restoring the margin that was originally intended or recognized in the design.

Even when new generic requirements are issued, they are often met by plant-specific design changes. Few, if any, of these changes pass into the " major cost" area we have defined here. Thus we conclude that the more costly and generic modifications receive widespread and upward attention of staff manage-l ment and their infrequency supports the conclusion that future design modifica-l tions as a result of operating experience and research are more likely to be plant-specific and of modest cost than generic and of major cost.

l i

1 l

120 l

4 VII. GENERIC INSIGHTS FROM PROJECTS OF THE SEVERE ACCIDENT RESEARCH PLAN (SARP)

A. Introduction

' The NRC is currently conducting a considerable amount of research in support of regulatory decisions on severe accident issues. This research, described in detail in NUREG-0900, " Nuclear Power Plant Severe Accident Research Plan,"

involves many levels of work, ranging from detailed experimental programs on specific accident phenomena to integrating efforts that provide perspectives to regulatory decisionmakers on the risk of severe accidents, the componen'ts and uncertainties of this risk, and the cost effectiveness of possible methods for

! reducing this risk. In this section, preliminary results from the latter part i of the SARP program will te described to provide one indication of the level of safety of present LWRs and the merit of " major" design changes (e.g., those entailing a cost of $30-50 million). These SARP results will be supplemented by additional insights from the report "Probabilistic Risk Assessment (PRA):

Status Report and Guidance for Regulatory Application," NUREG-1050, August 1984.

In general, these studies suggest that, if one were to rely on the "best-estimate" levels in available PRAs, then severe accidents in LWRs do not pose

large risks to the public. However, the magnitude of the estimated risk is
frequently plant- and site-specific with broad ranges of uncertainty for these I estimated levels. Large uncertainties are present in both the estimation of core-melt frequencies and in the estimation of the resultant public consequences.

There are a number of reasons for the broad range of uncertainty in core-melt

frequency estimations, arising both from the uncertainties in the assessment of risk for a specific plant and the uncertainities in extending a risk assessment of one plant to other plants similar in design. The reasons for uncertainty in-clude inherent difficulties in generically predicting the probability of a severe reactor accident
the considerable variability in the design features of exist-ing LWRs; quantification of human error frequencies; common-cause failure mech-anisms of multiple safety features; incompleteness in describing accident ini-tiators (e.g., difficulty in including sabotage); assumptions made for success /

failure criteria and for recovery actions; and the estimation of the recurrence frequency of external events such as very high intensity earthquake, fires, hurricanes, and floods.

Counterbalancing, to some degree, these difficulties in estimating the probabil-ity of severe accidents is the current perception of conservatism in estimating the consequences of such accidents. Much of the SARP program is oriented toward the improved analysis (i.e., narrowing the uncertainties) of these consequences.

For the most part, the conclusions of this research remain, as yet, indeterminate.

With this backdrop, the SARP integrating elements--the Accioent Sequence Evalua-tion Program (ASEP) and the Severe Accident Risk Reduction Program (SARRP)--have been using and extending available PRA data to assess present LWR risk from severe accidents, the impact of uncertainties, and the cost-effectiveness of plant changes to reduce risk (or to reduce uncertainty in risk estimations).

ASEP work to date indicates that a relatively small set of important accident sequences is probably common to many LWRs. However, it is very difficult to quantify their frequencies generically because of considerable variation in 121

't

plant design. Risk studies performed to date indicate that the risk of any par-ticular plant not yet explicitly studied could deviate significantly from the estimated risk of plants of similar design because of unique plant-specific design and operating characteristics.

Work in the SARRP program considers a broad spectrum of severe accident preven-tion and mitigation features. These features range in complexity from relatively simple procedural modifications or upgrades of existing safety features to highly advanced concepts such as independent, bunkered shutdown heat removal systems.

Using best-estimate data on only the offsite health effects of severe accidents, SARRP results to date indicate that, for a " typical" plant and using RSS-type source terms (WASH-1400), expenditures on the order of ten million dollars per plant could probably be justified to reduce risk. Best-estimate studies that consider smaller source terms indicate that, if offsite health effects only are used to measure impact, the justified expenditures would be proportionally lower. If both onsite and offsite economic impacts are included, justifiable i

expenditures are greater and less sensitive to source term assumptions. As a result, SARRP preliminary best-estimate calculations show generally that some relatively simple plant changes would be cost-effective, while more elaborate changes would not. Of course, if onsite and offsite impacts were considered, and substantial conservatisms were included in regulatory decisions to com-pensate for the large uncertainties, then tens of millions of dollars might be justified to reduce risk.

An example of a simple plant change is an unfiltered vent from the wetwell of

! a BWR Mark I. An example of a more expensive, elaborate change would be a bun-kered shutdown heat removal system. However, if one were to use a conservative basis for estimating the cost effectiveness of plant modifications (for example, using the 95th percentile of core-melt risk estimates instead of median or mean estimates), then the more elaborate changes might be deemed to be cost effective.

Again, this points to the need for greater confidence in basing risk reduction decisions on estimates of risk that tend to be reflective of more equitable safety-cost tradeoffs (see Chapter 1 of this Appendix) than a conservative basis that might deprive society of the use of these same financial resources to achieve greater saving of lives in other opportunities for risk reduction.

B. Insights on the Frequency of Core-Melt Accidents As described above, data on the frequency of severe (core-melt) accidents are being collected and interpreted in two NRC research projects: the PRA " Reference Document" and the Accident Sequence Evaluation Program (ASEP).* Within ASEP, one l

  • See the following references:

"Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application," NUREG-1050, Oraf t for Comment, February 1984.

" Interim Report on Accident Sequence Likelihood Reassessment (Accident Sequence Evaluation Program)," Sandia National Laboratories, August 1983.

Available when published as a NUREG in late 1984.

"ASEP Plant Survey and Initial Plant Grouping Letter Report," Volume 1 (Main Report), Sandia National Laboratories, December 22, 1983. Available when ,

published as a NUREG in late 1984.

122'

i f

major task has been a cataloging of available PRA data, and a second, the exten-sion of this data to attempt to develop more generic (less plant-specific) acci-dent sequence data. Each of these tasks is discussed below. Following these i

sections is a discussion on the uncertainties associated with accident frequency .

predictions.

1. Summary of Published PRA Results Table A.6 summarizes the ASEP categorization of important accident sequences, their frequencies, and a central estimate core-melt frequency for a number of published PRAs. Uncertainties surrounding these estimates on a specific plant would be about an order of magnitude higher or lower. An examination of the estimated accident frequencies of Table A.6 leads to the observation that the types of accident sequences found to be important in these PRAs are, in general, similar. Table A.7 shows these sequence's for PWRs and BWRs. It is difficult, however, to find such general trends at more detailed levels of the analyses.

As can be seen, both the overall core-melt frequency estimates and the frequency estimates of specific sequences can vary considerably from plant to plant.

Implicit also in the latter is a considerable variation in the types of failures j that contribute significantly to the system and sequence frequencies. Thus, the data from these PRAs, while showing some similarities, demonstrate to a i greater extent a considerable variability in the estimates of core-melt fre-quency and the principal contributors to this estimate. This suggests that plant-specific PRAs provide more valid insights than generic PRAs in assessing severe accident vulnerabilities.

2. Development of Generic PRA Results It is well recognized that the manageability of the ongoing severe accident programs could be significantly enhanced by the development of more generic i results. As one task of the ASEP program, the possible extension of available PRA results to more generic classes has been investigated. Toward this end, a

, considerable amount of systems design data (and to a lesser extent, containment data) has been collected for a large fraction of the LWR population. Using I

this data, along with insights on what design features tend to be more important

. in risk studies, the studied plants have been placed in categories.

l In the Main Report, "ASEP Plant Survey and Initial Plant Grouping Letter i Report," published on December 22, 1983, the PWRs having certain design features in common are organized into 29 " generic" groups and BWRs into 15 " generic" groups. These categories were established in accordance with diversity in

! designs of key defense-in-depth systems such as (for PWRs) auxiliary feedwater, high pressure ECCS, electric power, RCS relief valves, and service water.

I t

Some tentative conclusions can be drawn from the categorization data of this ASEP Report. First, for a particular system, the number of configurations in the studied plants can be large. For example, twenty different auxiliary i feedwater system configurations were identified for the PWRs studied, and eight

electric power configurations for BWRs. Service water systems, which can be significant contributors to common-cause failure of " front-line" systems (e.g.,

i ECCS), were found to be essentially all plant-specific, at least at this first level of analysis. Without accounting for service water system variations, the differences in systems still resulted in 29 initial PWR categories (incorporat-

ing 72 plants) and 15 BWR categories (with 31 plants)--dramatic evidence of the 123 3-- - _ - - - . _ - _ _ , . . _ _ _ _ _ _ _ _ _ _ _ _ . . _ . _ _ - _ _ _ _ _ _ _ _ _ _ _ , _ . _ _ _ _ _ . _ _ ~ _ _ - -

Table A.6. Estimated frequencies of core eelt and most important severe accident sequences from published PRAs*

(Frecuency in events per reactor year)

Plant and Core-Melt Most Important Sequence Reference Frequency Accident Sequences' Frequency

1. Arkansas Nuclear One SE-5* T(LOOP) AU75U I N I 1E-5 (AN0-IREP)

T(S.O.-PORV) M 4E-6 SLOCA

2. Browns Ferry 1 2E-4 T( M ) M 1E-4 (8.F. - IREP)

T(PEI) F5 SE-5 T(LOOP) M 3E-5 0

3. Calvert Cliffs 2 2E-3 T( R I)
  • X N5 9E-4 (C.C. - RSSMAP)

T(LOOP) A N 5 7E-4 4 Crystal River 3 4E-4 LOCA(<4*) M 2E-4 (Crystal River 1 REP)

LOCA(<4a3 M UIT 7E-5 T(LOOP) 3E75U I NI SE-5

5. Grand Gulf 1 4E-5 T(CDUP) FCI M IE-5 (Grand Gulf RSSMAP)

T(LOOP) FEI M 6E-6 T(DUF) 55 SE-6

) LOCA(<13.5") M SE-6

6. Millstone 1 3E-4 T(LOOP) 50-SRV G IFli 7E-5 (Millstone IREP) T(LOOP) 50-SRV N R E 4E-5 T(LOOP) E N A R 3E-5 T(LOOP) ItR N IR 3E-5 T(LOOP) R N RC 3E-5
7. Oconee-3 8E-5 T(FCI) 50-SRV M IE-5 i (0-RSSMAP)

SLOCA M IE-6 T(FET) I N 5 E ! IBU 8E-6 T(FEI) D T X E R E SE-6

8. Seoucyan-1 6E-5 SLOCA M 3E-5 (SEQ-RSSMAP)

SLOCA R E 1E-5

{ SLOCA M = fil 8E-6 V 5E-6

9. Surry 1 6E-5 SLOCA R E 9E-6 (R33I SLOCA M 6E-6 T(PCS) I N T 6E-6 d
10. Zion 1 and 2 4E-5 SLOCA M 2E-5 (IPSS) l T(SEISMIC) IE INI 6E-6 ILOCA ECX 5E-6 LLOCA M 5E-6 l

{ 124 l

Table A.6. (Continued)

Plant and Core-Melt Most leportant Sequence Reference Frequency Accident Sequences' Frequency

11. Limerick 1 ar.e 2 1E-5' T(LOOP) E 6E-6 ILOS '"A)

T(PCS) E 4E-6

12. Peach Bottos 2 3E-5 T IRI 2E-5 (RSS)

TM IE-5

  • Data Sources:

" Catalog of PRA Dominant Accident Sequence Information (Draf t)," EGAG Idaho, Inc., June 1983.

" Interim Report on Accident Sequence Likelihood Reassessment," Sandia National Laboratories, August 1983. The estimated frequencies are subject to considerable uncertainty as discussed in the text.

Legend:

IC75C - Loss of AC and/or DC power XN5 - Failure of auxiliary feedwater system XFI - Failure of automatic pressure relier CIT - Failure of containment spray injection system CII - Failure of containment spray system in recirculation mode EC - Failure of emergency core cooling system ET- Failure of emergency core cooling systee in recirculation mode N - Failure of feedwater/feedwater coolant injection system E - Failure of isolation condenser T5i -Failure of fsolation concenser make up ILOCA - Intermediate size loss-of-coolant accident LLOCA - Large loss of-coolant accident LOCA( ,*) - Loss-of-coolant accident of less than indicated size (diameter)

I E 5 - Failure of reactor building cooling system IEI - Failure of residual heat removal system IFT - Failure of reactor protection system SLOCA - Small loss-of-coolant accident 50-SRV - RCS relief valve stuck open T - Transient T(LOOP) - Loss of offsite power transient T(35F) - Any transient not involving loss of offsite power T(FCI) - Transient with unavailability of power conversion system

( T(5.0.-PORV) or T(5.0-SRV) - Transient with stuck-open RCS relief valve T(Seismic) - Seismically initiated transient V - Interfacing systems LOCA 8

4E 5 is equal to 4x10.s, b

0oes not include effect of substantial AFWS modifications.

C For legend, see end of table.

d Total internal core-melt frequency from Zion PRA, vol.10. Sec. 8, p. 8. 7-5.

'From April 1982 version of Limerick PRA.

I

! 125 .

I l

i Table A.7 Accident sequences identified by ASEP that dominate probability of core melt for PWRs and BWRs*

PWRs BWRs e Transients without ECC (early) e Transients without ECC (early) e Transient-induced LOCA without e Transients without long-term ECC (early) heat removal e Small LOCA without ECC (early) e ATWS -

e ATWS e Transient-induced LOCA without ECC (early)a e Transient without ECC (early) e Transient-induced LOCA without and without containment long-term heat removal" heat removal

  • " Interim Report on Accident Sequence Likelihood Reassessment" (oj. cit.).

a Isolation condenser BWRs only.

lack of standardized designs in this country. As the ASEP work continues, it can be expected that some category consolidation can occur by system reliability comparisons and elimination of some less important category distinctions. Run-ning counter to this will be the incorporation of additional plants, potentially leading to yet more categories.

In addition to these systems configuration categories, the studied plants can be grouped by containment type. In the ASEP program, containment buildings have been studied and an initial set of general categories were defined. This resulted in nine different generic groupings of PWR containments and three groupings for BWRs. While a more rigorous containment design study could define a somewhat different set of categories, the ASEP Report provided several relatively general but noteworthy insights, particularly for the PWRs studied.

First, for some containment types such as the free-standing steel "large, dry" containment (Type A1), the plants studied have a wide variation in systems configurations. For other types (e.g., ice condenser and subatmospheric designs) the system differences are not nearly so broad.

The above discussion of system diversities in U.S. nuclear power plants makes it clear there is an imposing barrier to generic data development. Nonetheless, it may be possible to make at least some generic conclusions on specific classes of plants (e.g. , the ice condenser or subatmospheric PWRs). As such, some more general decisions may be feasible (e.g., on the need for significant systems upgrades in ice condenser PWRs). However, as the service water system varia-bility demonstrates, it is equally clear that even such generic results cannot replace plant-specific studies, with their capability to identify more subtle but potentially critical design anomalies. Many of these anomalies are found in the idiosyncracies of balance-of plant design features. Variations in opera-tions and maintenance practices along with the above variables all point to the 126

i a

difficulties in identifying a corpletely generic profile among U.S. plants as presently built and operated.

' The results of existing PRAs, the IDCOR/NRC technical interactions, the Zion, Indian Point, and Limerick studies, the NRC Source Term Program and the GESSAR II l severe accident review will provide a base of technical information which is generally reflective of severe accident behavior in the entire population of '

existing nuclear pcw plants. It is recognized, however, that the extraction from this base of uchnical information of conclusions which are applicable to 4

all plants may be !imited by those particular design features of individual plants that may si pificantly influence severe accident behavior. In recogni-tion of this, the Staff's review will include consideration of those elements of the technical information base which are sensitive to individual plant varia-tions, and if warranted, will define the appropriate specific analysis and cri-teria which are necessary to qualify individual plants to the conclusions drawn for the plants included in the technical information base.

3. Uncertainties in Accident Frequency Prediction As part of its assessment of the state of-technology of PRA and the potential i

i use of PRA in regulation, the draft PRA Reference Document (NUREG-1050) provides a considerable amount of discussion on uncertainties inherent in present PRA i techniques. With respect to estimating core-melt frequency, the report identi-i fies a wide variety of sources of uncertainty. These range from thermal-l hydraulic issues (e.g., how much ECCS flow will adequately cool the fuel) to 1

human errors of omission and commission, and to the potential threat of ex-

.ternally initiated but rare events such as earthquakes and floods. For some sources of uncertainty (e.g., ECCS " success" criteria), present PRAs probably

.are conservative in their treatment and thus the uncertainty is biased in the downward direction (towards lower frequency estimates). However, in some crit-ical areas (human errors, external events), a bias in the uncertainty, either optimistically or pessimistically, is not so apparent. Plant-specific PRAs can address these uncertainties to some extent by sensitivity studies, and, as occurred in the Indian Point deliberations, specific plant changes can be made to compensate for potential vulnerabilities.

As discussed above, the extrapolation of plant-specific results to more generic classes may contribute additional uncertainty. As such, it is difficult to have high confidence in "best estimate," absolute estimates of core-melt frequency.

Nevertheless, as the bounding analysis in Chapter IV of this Appendix illus-trates, the uncertainties of PRA estimates of severe accident frequencies are not so great as to suggest a clear and present danger to life and property.

Moreover, the conclusions available from the experience with existing plant-specific PRAs described in Chapter V serve to increase our confidence that when s j the nature of severe accident vulnerabilities are thus exposed, it has always been possible to identify changes in certain design features or in operating and maintenance procedures to reduce substantially these vulnerabilities at

relatively modest cost.

f C. Research Insights on Severe Accident Risk l

In the Severe Accident Research Program, elements 11 and 12 relate to the bench-j marking of severe accident risk and assessing the cost effectiveness of possible plant changes to reduce risk. In performing these analyses, the Severe Accident 127 i i

_ . _ . . _ , _ _ _ _ _ . . . . _ _ _ _ _ _ _ _ _ _ _ _. _ _ , _ _ _ _ _ _ , _ _ _ _ _ _ _ _ , _ _ _ _ __~ _ ._ _ _ _ _ _ _ _ _ __

Risk Reduction Program (SARRP) relies on input on accident frequencies (from

, ASEP) and the ongoing severe accident phenomenological research, especially

" source ters" research. When the source term reevaluations are completed in late 1984, SARRP will reassess the risk of the source term reference plants and, to the extent practicable, the risk of generic classes of LWRs. With this basis, l

the risk reduction benefit and costs of alternative plant modifications will be systematically evaluated to identify potentially worthy modifications.

i

As a prelude to these analyses, SARRP has been. assessing the maximum achievable benefit of a severe accident prevention or mitigation feature, that is, the i benefit achieved if a feature completely eliminated the risk from severe acci-l dents. Such benefit has been equated to a monetary figure using three measures:

1 (a) person-ree averted at $1000 per person-res; (b) offsite costs averted, using actual calculations of the constituents of these costs; and (c) total costs

averted, offsite and onsite. Using these measures, a risk (or set of risks) assessed in a PRA can be converted into a set of plant-lifetime economic " risks" l (offsite, onsite, and total). In a recent study, this has been done assuming

! as a point of departure the Reactor Safety Study PRA for the Surry plant and as modified to more quantitatively account for accident frequency uncertainties, '

source term uncertainties, and meteorological distributions.* For this case, i and considering such uncertainties, the site-dependent offsite economic risks range from 10 to 20 million dollars down to a few thousand dollars, with this range strongly affected by both accident frequency and source term uncertainties.

l Onsite economic risk ranges from roughly 5 to 50 million dollars. Because on-I site costs are dominated by cleanup and loss-of-facility costs, this range is l l strongly influenced by accident frequency uncertainties but is relatively i insensitive to source term uncertainties. As points of comparison to this i economic risk, two research studies indicate costs for dedicated decay heat removal systems of roughly 30 to 100 million dollars and for unfiltered con-tainment vents for 8WRs of a few million dollars.**

l As discussed previously, the extrapolation of risk results from one plant to other plants or plant groups can be very difficult and of questionable reliability. Thus, it is impractical to rigorously extend an economic risk case study which begins with the Reactor Safety Study Surry PRA to other plants.

However, considering that a range of severe accident frequencies and source terms were also incorporated in this case study to account for uncertainty, it is not unreasonable to suggest that cost-effective severe accident prevention /

mitigation features would, as a bounding limitation, have to cost on the order of tens of millions of dollars or less. A more precise statement on justifiable expenditures is difficult, and is dependent on policy uncertainties as well as physical uncertainties. As discussed elsewhere in this Appendix, the use of

, *"SARRP-Risk Rebaselining and Risk Reduction Analysis," paper presented at Eleventh Water Reactor Safety Research Information Meeting, October 24-28, ,

1983, NUREG/CP-0048, January 1984. i

( "Value-Impact Investigation of Filtered-Vented Containment Systems and

Other Safety Options for a BWR Mark I Conta'inment," to be published.

i i

i l 128 l

.-_ . . - . _ __ . _ = . _ _ _ . . _ - . _ _ _ -

1 total economic risks (offsite and onsite) versus only offsite " health, safety, and property" risks can have a considerable impact, as can the decision to make conservative decisions to compensate for unanticipated or poorly quantified accident sequences such as sabotage. Nonetheless, a reasonable figure-of-merit seems to be tens of millions of dollars. That is, costs must be held to no greater than such figures for severe accident prevention or mitigation features that substantially affect risk in order for them to be cost-effective.

a 129 I

.A _ .._ _ - . . - - _ - - . __ .Am...mam.

I e

f J

130

l l

l VIII. CONCLUSIONS In developing a forward-looking policy for severe accident decision making regarding future plants, it is.important to anticipate as best one can what new safety information might yield, especially regarding possible requirements for me.ior (i.e. , costly) design changes of generic importance. One of the best sources of insight for anticipating the most relevant events impacting such policy decisions accrues from the large volume of information engendered since the TMI accident that bears upon severe accident risk assessment and the nature of regulatory actions imposed as a result of this information and the lessons learned from operating experience. The major purpose of this Appendix is to examine currently available information to (a) discern its implications for the likelihood of generic design chan'ges or further regulatory changes of a potentially costly nature affecting future nuclear plants whether of custom or standard design, and (b) to determine whether, on balance, this information supports the conclusion that existing plants pose no undue risk to public health and safety.

An examination was made of a variety of sources of currently available informa-tion to serve this purpose, including (a) modifications to nuclear plants to reduce severe accident risk resulting from backfitting by NRC requirements in-posed as the result of significant precursor events, including the TMI Action Plan; (b) modifications resulting from a number of plant-specific Probabilis-tic Risk Assessments performed for operating reactors, especially certain plants having a higher level of concern for severe accident risk (e.g. , Indian Point, Zion, and Limerick); (c) modifications resulting directly from construction and operating experience as revealed through Inspection and Enforcement (IE)

Bulletins and Information Notices, and Accident Evaluation Operating Data (AE00)

Reports and Generic Letters, and (d) generic insights from the Severe Accident Research Program (SARP) that are completed or where sufficient progress has been made from which useful insights can be drawn regarding potential require-ments, if any, for generic and costly design change.

Although information from such sources is voluminous, it is not always suffi-ciently complete or organized to provide ready access to the insights desired (e.g., major versus minor changes regarding cost implications, or generic versus plant-specific in terms of scope of application, or even in terms of their justification as through a risk-cost-benefit analysis). Accordingly, our conclusions must be regarded as circumscribed by these limitations. Never-theless, it is believed that the large body of currently available information summarized in this Appendix provides substantial support to the notions that existing plants pose no undue risk to public health and safety and few, if any, generic desian chances imposina major costs are likely to be required by new safety information that is prospective of development in the next several years.

l 131

-- --~u.4aam_+.w.,%-..--e-+.w-_-.4-__ _ .m.__%% w m u . _.m-.,_,_,.%. u,___,%sm,,.,m.mm_m_

_ mu. . ,_

l I

l

}

l t

I i

l l

l r

132'

APPENDIX B TREATMENT OF UNCERTAINTY IN SEVERE ACCIDENT PROGRAM 133

a,u _ um._ m t

s 4

i 1

l l

l l

a 1

1 1

t i

l t

l 1

f 134 l

APPENDIX B TREATMENT OF UNCERTAINTY IN SEVERE ACCIDENT PROGRAM There are many uncertainties surrounding a comprehensive assessment of regulatory formulations. Of these, the largest and most troublesome originate in the analyses that are used to measure the safety benefits and attendant risks of the regulatory alternatives. The mutually supportive deterministic and proba-bilistic safety analysis techniques will be jointly employed, as noted in the main text. -

I. ANALYSIS UNCERTAINTY Deterministic safety analyses proceed from the judgmental selection of one or a few reference (or design-basis) accident scenarios as surrogates for the variety of accident scenarios to which the plants might be subject. The selec-tion of these reference or design-basis accident scenarios introduces un-certainties. The necessity and sufficiency of measures to assure good plant performance to mitigate these particular accidents is often controversial. In fact, the need for severe accident policy development can be traced to the realization that the risk of nuclear power plants is dominated by events beyond the design basis. Probabilistic safety analyses approach the problem by considering the full array of possible accidents, each weighted according to estimates of their likelihood.

Once a catalog of accident scenarios is identified, the two forms of safety analysis (PRA and deterministic) utilize the same analytic technology: deter-ministic phenomenological analysis of accident progression, radiological releases, offsite doses and consequences. Historically, there have been differences: deterministic safety analysis has been done traditionally with conservative phenomenological analysis; whereas, the tendency in PRAs has been i to use more realistic analysis. A deterministic safety analysis typically selects just one of the alternate accident scenarios for evaluation of contain-ment performance, releases, and consequences; whereas, PRA commonly employs

! likelihood-weighted models of a spectrum of possible outcomes. However, there

' are few fundamental differences in the phenomenological or consequence models employed in deterministic and probabilistic safety analyses. Uncertainties

originate in these analyses through modeling approximations, omissions arising j from less-than-complete understanding or coverage of potentially contributory physical or chemical processes, and input parameters.

Neither deterministic nor probabilistic safety analysis is amenable to calcula-tions of the magnitude or character of the uncertainties, because many of the important contributors to uncertainty (such as modeling approximations and omis-sions that are not stochastic) are not quantifiable. Nonetheless, a disci-(

plined approach to the exploration of these uncertainties can be achieved by (a) employing both deterministic and probabilistic methods, (b) uniformly em-i ploying the latest state-of-the-art techniques in the application of both meth-ods, and (c) employing sensitivity studies within the framework of both methods l

l l 135 l

by varying parametric assumptions over the full range of uncertainty. The staff is working to assure the reliability of the severe accident safety analyses by using evaluation models within the context in which they give trustworthy results.

4 l

l l

l l

l 136 l

l l

~~~ - _ - - . ._ _ 7

II. GENERIC APPLICABILITY OF REFERENCE PLANTS Additional uncertainties arise when safety analyses of one or a few reference plants are utilized to draw inferences about a class of plants. There is a considerable evidence that severe accident risk, and therefore the incentive for additional requirements, is a function of subtle details of balance-of plant (BOP) design. For example, PRAs of Indian Point Units 2 and 3, which are nearly identical in most respects, found significant differences in the severe accident susceptibility of the two units. To address this source of uncertainty for new standard plants, the NRC has already chosen to require extensive plant-specific, probabilistic analyses of severe accident risk. These analyses are to be employed as design tools, as design review tools, and as a disciplined method to assure that safety is not compromised by problems in the interfacing or coordination among the several design disciplines, procurement, construction, startup, development of operational and maintenance procedures, or the conduct of operations.

Because of the substantial time and resources required, the staff is not automatically presuming to employ severe accident safety analyses of all the operating plants or those under construction. Rather, to the extent practicable, we will seek to employ surrogates in the process of severe accident standards development for current plant design. However, the staff will employ perfor-mance criteria and required plant-specific analyses or other decision considera-tions in the implementation of new requirements to the extent necessary to assure that any retrofits are warranted and achieve the intended risk reductions.

137 f

l l

l I

138 I - - - - _ _ _ _

1 l

III. DECISION-HAKERS' PREFERENCES There are important sources of uncertainty in regulatory standards development apart from those in safety analysis. The quantification and comparison of costs and benefits (including non-risk-related benefits such as non political factors) together with the decision-makers' preferences can introduce substantial uncertainties. The report, " Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission" (NUREG/BR-0058), indicates that the scope and thorough-ness of a regulatory analysis should be proportional to the safety significance and costs of the issue. It is important that the inquiry identify the dominant contributors to the costs and benefits, even if they are subtle or indirect. A regulatory analysis can give a severely distorted result if a dominant contributor to the cost or benefits is omitted, seriously underestimated, or exaggerated.

Thus, it is incumbent upon the staff, in its preparation of regulatory analyses, to make a thorough search for potentially dominant contributors to costs and benefits.

I 139

.,__;__. 4,-_m,,,_x s 44m. hE- h *--+_4._ir_44sA.,_me_M.,_J.c.sae.em _,.a wh e w4.._ M' m-_Aa,wAAm,JL4.E..aGJh_.a. 4h4,,,__m_e___m4__hA.-

W 4 4 m A._mm Amm m

l 4

4  !

l..

e i

d 4

).

J J

+

F N

p a

t i

l 6

P 4

1 l

l

.f i t

! I i

l E l

i e

1 i

6

! I i

i 1

a 1t i

i f

i i

l 4

i 1,

4 j

l 4

V t

1 140 1

i f

l l

r .

l' l

i l

l i

l l

APPENDIX C -

l >

ACRS REPORTS ON SEVERE ACCIDENT POLICY DEVELOPMENT l (Letters of September 2, 1983 and July 18, 1984 to the Chairman, NRC) t i

I i

I t

I l

\

t I r

l l

I i -

i 141- l t

AwrJA2*--o---eaet-J-&~aAM-k- a-M6N-O=--^-M---6 AA"-MF"+&S,22 --=4.-+ed--M

-Ai+--* < - ~A--* MM%AM---L-L-v~~-eM-4*m~4u "

bnLM,u j

i 4

J 1

i i

i 1

i .

4 i

f P

l I (

l t

i i ,

s

)

e j

I r

1 i

I i

i 4

i 1

i f

t l

4 t

I n

k 1

i I

I l

lt  !

i i

i t

I f

I i

l

{

f

> t t t i t i

! [

4 I

t i

h 1

142 e

i f

i I

m w wwm_,w w. mnew -pc, - - ,-p. w-- n we my wm,wy- --.-,

m -

[

  1. 1 "g

UNITED STATES NUCLEAR REGULATORY COMMISSION y, .I

. Aovisony conomTTEE ON REACTOR SAFEGUARDS 4***

wasmetow.o.c. asses September 2, 1983 Honorable Nunzio J. Palladino -

Chairman l U. S. Nuclear Regulatory Commission Washington, DC 20555 l

Dear Dr. Palladino:

j

SUBJECT:

ACRS REPORT ON THE SEVERE ACCIDENT POLICY During its 281st meeting August .31-September 1,1983, the Advisory Com-mittee on Reactor Safeguards continued its discussion with the NRC Staff of the development of a Severe Accident Policy for dealing with accidents more severe than those now analyzed as design basis accidents. This issue was discussed by the ACRS Subcommittee on Class 9 Accidents with the NRC Staff on August 23, 1983.

1 The focus for the discussion was a dr ft report developed by the Severe i Accident Research Program (SARP) Senior Aaview Group and entitled, " Severe j Accident Decisions for Existing Nuclear Power Plants," dated August 5, As indicated by its title, this report and the discussions were 1983.

mostly concerned with power plants now in operation or under construction.

The report, drafted in response to a Commission request, describes on a preliminary basis "the approach (primarily determiriistic, supplanented by probabilistic and systems assurance analysis), the Commission may use to i arrive at severe accident decisions for existing nuclear power plants."

The NRC Staff asked for. comments "so that issues and the decision process can be refined, and so that any needed changes in the Severe Accident l Research Program can be identified."

l We encourage the NRC Staff to continue its developmen; of this general i approach. It appears to be an improvement over what has been proposed up i to this time.

The NRC Staff has defined the problem in the fom of a question to be answered, namely, "What changes, if any, should be made in nuclear reactor regulation to account for accidents involving core damage greater than the I

present design basis, including core meltdown accidents?" Although this is probably not the only way to define the issue, it is a reasonable approach.

j The success of this approach depends on further, more detailed elaboration of the question, on identification of the information needed for such elaboration and on the ways in which information needed for its answer is to be developed and used in reaching a conclusion. We look forward to '

this further elaboration and expect to make further comments as more

information becomes available.

)

143 l

4 Honorable Nunzio J. Palladino September 2, 1983 4

) Two key issues identified in the report are, "How safe are the existing i plants with respect to severe accidents?" and, "Is additional protection j for severe accidents needed or desirable?" An associated question is how the decisions are to be reached. We urge that priority be given, first to the method to be used for answering these questions, and second to infor-mation that may be needed to provide the answers. We do not view this task as primarily a research problem, especially the development of the way in which the decisions are to be made. We believe that some develop.

ment of decision criteria, and the identification of needed information, '

at least on a tentative basis, are necessary before one can define any extensive research program.

We also agree with what appears to. be a tentative conclusion that the i decision process must include both probabilistic and deterministic consid-erations. Even though the appropriate balance between the two may be difficult to define, we believe that elements of both methods will be needed for a final resolution of the problem. There is a suggestion that Systems Assurance Analysis (SAA) could become a valuable tool in the analysis and prevention of severe accidents. Although this approach may be useful for some purposes, we do not consider it an alternative to the combined detenninistic-probabilistic approach. We do not recommend appli-cation of SAA to this problem.

Because of the early stage of development of the program described in the draft we discussed, we are not able to comment on its completeness or j adequacy. We do have the following comments.

1 Eventually a policy must be developed for dealing with decisions involving areas of considerable uncertainty. One does not avoid this problem by deciding to use a deterministic approach. We recommend that immediate attention be given to this process. One area of uncertainty, not'statis-tical, is the unexpected problem that may yet be encountered. This is <

alluded to in the report, but there are no suggestions for dealing with it. The formulation of the policy should take account of experience which has seen a continuing series of new safety issues discovered in the course of new risk analyses and other studies, i We note reference to a source term in this draft. We caution that there are many source terms, and that indeed the source term or terms used will depend markedly on the accident sequence or sequences finally chosen for analysis and decision making. Also, current or possible future changes 4

in regulatory approach could lead to a major perturbation in the basis on which any new source terms may be applied.

b 144

l l

i l

Honorable Nunzio J. Palladino Septenter 2,1983 The draft refers to important accident sequences. It is not clear what measure of importance is to be used. We believe that both probability and consequences should be included in judging importance and that sequences not now listed as " dominant" should be carefully screened for their possible significance.

The report implies that the severe accident issue can be dealt with for future plants without consideration of the information and the processes developed to deal with existing plants. Although we expect that there may be differences in the way in which one deals with these two classes of plants, we believe it is desirable that the approach proposed for new plants include what is learned in the development of a policy for existing ones.

Sincerely, 1

P w A J. J. Ray Chairman 145 l

l

t l

1 l

l l

f

! t i

146

Honorable Nunzio J. Palladino July 18,1984 For new plants we interpret the policy statement to say that:

New plants must meet existing reculations. They will be required to deal with the resolution of all 'the Unresolved Safety Issues. They will be subject tn any new reculations that result from the source tem rulemaking. The severe accident risk from new plants is ex-pected to be dealt with in the foreseeable future through rulemaking for standard plants. One of the requirements of the rulemaking process will be a full scope PRA for the proposed plant. Severe accident risk will be dealt with primarily through consideration of the results and insights gained from the PRA.

< We have several recormendations concerning the proposed policy for dealing with new plants. These reconm ndations follow:

. There should be a statement that the policy is expected to lead to rew plants producing less risk than the older ones.

! . The policy statement indicates that heavy reliance is to be placed on the results of the required PRA in decidina whether or not the severe accident risk associated with a propos'ed design is acceptable.

! Guidance on the required scope of the PRA and the way it is to be used are probably not appropriate to a policy statement. However, the policy statement should say that such guidance will be developed.

We approve of the general approach of using a con 61 nation of deter-t ministic and probabilistic considerations to provide the infomation on which a decision is to be based.

. The policy statement should speak to some balance between prevention

and mitigation of risk. As a minimum, some clarification of contain-ment perfomance expectations should be given. If the NRC Staff hes concluded that perfomance criteria cannot be fomulated at this time, the statement should say that such criteria or some appropriate description of expected perfomance will be fomulated.

. The effectiveness of human performance, including that of management, has a substantial influence on risk. For this reason, we recomend that attention be given to these matters for both new and existing plants to assure that inadequate human performance at individual plants will not result in unacceptable risk. In particular, methods of analysis and associated data bases need to be developed which can properly account for both positive and negative human perfomance contributions.

. Although we recognize the uncertainty in dealing with sabotage, we l

believe the policy statement should indicate that the issue of both I

insider and outside threats will be carefully examined, and, to the extent feasible, taken into account in the design and in the opera-tional procedures that are developed for new plants.

l l

l 149 l

L

- . . - - -_ --. _ _= . - . - - .._ . _ _

Honorable Nunzio J. Palladino July 18, 19C4 he conclude that in its present form that part of the policy statement that deals with new plants needs strengthening in the areas that we have indicated.

' Additional connents by ACRS Members Robert C. Axtmann, Harold W. Lewis and David Okrent are presented below. ,

\

%ncerely,/ g.

J Jesse C. Ebersole W

Chairman Additional Coments by ACRS Member Robert C. Axtmann Absent an urgent domestic need or a public appetite for new nuclear power plants of .a_ny n design, the policy statement's emphasis on regu-latory attention to future plants could be a misallocation of resources.

While there may be an international market for advanced reactors, it is not clear why the U.S. public shoulo unoerwrite creation of a regulatory framework that may not have domestic application for fifteen years or l more. Should that schedule be foreshortened. I as confident that we can

! pick up where I propose we leave off in 1984.

Additional Connents by ACRS Member Harold W. Lewis As I interpret the proposed policy statement it is that the Comission will not seek to further decrease the risk from existing reactors, unless programs now in being lead to the conclusion that it is necessary to do so. There is also a statement about new reactors, in a similar vein.

! I am not persuaded of the need to issue such a statement at this time, although I share in a widespread recognition of the need to do something to relieve the apparent open-encedness of the regulatory process. I simply doubt that it is appropriate to formulate a policy on severe l accidents without some sort of clarification of the overall objectives

' of MRC regulation of the nuclear enterprise. That the function of the Connission is to protect the health and safety of the pubitc need not be repeated, but that in itself is hardly a Suide to an appropriate level

(

or direction of regulation. In the absence of guidance on this point, regulation has often become the objective in itself, imperfectly linked to its purpose.

The Commission has struck a glancing blow at this problem by promulgat-i ing a safety goal, for evaluation, test, and connent, but there remain l

open questions about the underlying rationale for the specific criteria chosen.

1

! 150

'l

=wns"- + - ww-~ ~ ww-, c -. .,,em, ,_,%.m_,_ _ . , . _ _ _ , . , , _ . . _ _ . , _ . , , _ . , _ _ _ _ . . , . _ _ _ . _ , , _ , _ . _ , . , ._ . . . . . , . , , , , . , . , , _ _,_,_m.,,_m,,.,..g,-_.--.,--,y---,

- 5- July 18, 1984 Honorable Nunzio J. Palladino l

t It would be far healthier tc bring these scattershot efforts together ,

into a coherent statement of Comission policy on an appropriate level of safety, and on NRC's perception of its role in achieving and/or i maintaining that level, he said this in our letter of September 14 1962. I believe that, however painful, an unhurried effort to generate an agency phile*ephy would make it far easier to deal with severe In the corporate accidents and re~ ned questions in a coherent way.

world this is kmn as a long-range plan. A plan generated one element at a time -- setety goals, severe accidents, backfitting etc. -- is doomed to incoherence.

The Comittee letter, with which I have no serious disagreement, con-tains many items directed toward specifying a program plan, but avoids the questions raised here. I regret that we have thereby acquiesced in the current incoherent approach to safety assurance, and have thereby joined NRC in missing an opportunity for an integrated approach to resolve this matter.

Additional Coments by ACRS Member David Okrent I generally agree with the ACRS letter. These coments are for purpose of emphasis or are supplemental.

1. I recomend that the Comission significantly modify the Staff's severe accident policy statement as given on the top of page 4 and again on page 15 of the An il 18. 1984 craft of NUREG-1070. In this
statement. it is said

"On the basis of currently available information, the Comission concluces that existing plants pose no undue risk to public safety and property and sees no present basis for prompt action on generic rulemaking or other regulatory changes for these plants because of severe accident risk."

I would modify this statement both for technical reasons and for reasons of public policy. One might use something whose import was more like the following:

"The currently available infomation does not leao the Comission to conclude that existing plants pose any undue risk to public safety and property due to severe accidents. However, the Comis-sion plans to pursue a five-year program during which systematic examination of all existing plants wi 11 be undertaken by probabi-listic risk assessment and/or other means to detemine that there are no unacceptable large risk contributors and to help detemine on a plant-by-plant (or generic) basis those safety improvements which it would be prudent to incorporate."

2. I believe that approval of the April 18,1%4 draft NUREG-1070 could easily appear to place the Comission at odds with a large segment.

if not a majority, of the general public as well as many members of Congress, and with many respected individuals outside of government.

I t

151 4

er---v--c.--vmm--,w-r----,--,, , - - ,m-- ----n,,-- e,, - - , . - .----n-,e.,---,~.--n-- --,,w- -v--,w---w- ,- - - -- ------------w--

i 1

1 Honorable hunzio J. Palladino July 18, 1984 l

l all of whom want nuclear power plants to be safer. The position of tiiese groups seems to be supported by the several foreign countries (Sweden, France. England, Germany. Switzerland, etc.J who have adopted or propose to use safety requirements considerably more stringent than those of the U$hRC. On the other hand, the proposed policy statement could be interpreted by others as an expression of satisfaction by the NRC with the status quo for existing reactors.

3. If the NRC had firm, indisputable data on the risk from each existing nuclear power plant, and it was convinced that the least safe was acceptable as is, it might be plausible for the NRC to take a posi-tion contrary to so much other opinion. However, such data do not exist. Only a limited number of plants have had good, " full-scope" PRAs, and their results are subject to large uncertainties. The existing PkAs cannot be accepted as representative of other indi-vidual plants because of the demonstrated importance of the specific features of a plant to estimates of core melt frequency and risk.

Furthermore, several good PkAs have turned up one or more high probability core melt scenarios, so-called outliers, that required early remedy for the particular plant involved.

A much less complete set of information is available concerning the performance during severe accidents of the many variants of contain-ment oesign used in the U.S. For example, the ACRS has not had the benefit of a sophisticated report evaluating containment performance for some of the concepts currently in use.

4. Thus, it seems to be premature to draw so strung a positive conclu-sion concerning the safety of existing plants as that stated on pages 4 ano 15 of the draft NUREG-1070. Furthermore, the proposed policy coes not include a systematic examination of each plant, including its management and operation, for possible significant improvements in act.ident prevention ano adtigation. I fear the overall safety posture is further aggravated by the way benefit /ccst analysis has usually been used recently, namely a ratio uf median estimates of benefit and cost, lacking a prudent regard for the large uncer-tainties. The stated intention to omit any credit for reduction in onsite losses will only worsen the situation. I fear, and may make few meaningf ul improvements in safety possible under the backfit rule. Since all costs are eventually born by large sectors of the public, including retirees whuse annutties are 11nkea to utility stocks among others I find it more meaningful and equitable to balance the cost of an improvement against all benefits, offsite and onsite.

To avoid excessive costs by being " prudent" in the inclusion of i

uncertainties in all benefit / cost analysis, one could include an overall limit on expenditures approved on the basis of prudence, say l

a few percent of the replacement cost of the plant.

l I

152 l

i

Honorable hunzio J. Palladino July 18, 1984

5. Concerning future plants, I find the proposed criteria, in their siasmarized form on pages 4 and 5 of draft NUREG-1070, inadequate for the purpose. They place no emphasis on the need for effective containment. They do not set safer reactors as a goal for future reactors. They appear to place a very great reliance on the results from a PRA. despite tiie large uncertainties inherent in its results.

4 153

~--.21 - - .u- ------n..~.-- - - --- - .--- - - .. . - -..-- . _ - - - , . . ~ . . . - - - - . _ _ , - - .-..x .~ -.2 .- ____-. -.. _ . _ - . .

I i

i d

i

)

s l

t 4

l I

1 i

i i

E I

f a

?

154 k_,_._._,..__.__. __-,_.

.. ., r, c.

g, . , vi .ua u... 6.r . .... v .., .. ,

EE WSWORAPHIC DATA SHEET NUREG-1070 l 908e.gf.WCfe0 8a.sf.e.Jve e

& f,f La s. 8u.fif Le 148.v8 84 NRC POLICY ON FUTURE REACTOR DESTGNS:

Decisions on Severe Accident Issues in i Nuclear Power Plant Regulation ca"" '" l August '.""'"'"l

. , , , , 1984

* .n . ,. ..

Office of Nuclear Reactor Regulation -

==v.

l

,e*. .

October 1984

>n .ur 6,= - i.c . cm .. .

Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Comission *= = =a'" au==a Washington, D.C. 20555

.. . .u r ... . .. . ,, ,. c , , , , ,,n o, .. ,

Same as above Regulatory Report Tp'Yfi'T H5Fto ,

. August 23,1984 1 3 $UPPta.sgest.. . orts I

o c..ct ,- - ,

On April 13, 1983, the U.S. Nuclear Regulatory Comission issued for public coment a " Proposed Comission Policy Statement on Severe Accidents and Related Views on Nuclear Reactor Regulation (48 FR 16014). This report presents and discusses the Comission's final version of that policy statement now entitled, " Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants." It provides an overview of coments received from the public and the Advisory Comittee on Reactor Safeguards and the staff response to these. In addition to the Policy

! Statement, the report discusses how the policies of this statement relate to other NRC programs, including the Severe Accident Research Program; the implementation

. of safety measures resulting from lessons learned in the accident at Three Mile Island; safety goal development; the resolution of Unresolved Safety Issues and

, i other Generic Safety Issues; and possible revisions of rules or regulatory require-i ments resulting from the Severe Accident Source Tem Program. Also discussed are the main features of a generic decision strategy for resolving Regulatory 1 Questions and Technical Issues relating to severe accidents; the development and

regulatory use of new safety infomation; the treatment of uncertainty in severe accident decision making; and the development and implementation of a Systems Reliability Program for 60th existing and future plants to ensure that the realized j

level of safety is comensurate with the safety analyses used in regulatory decisions.

Unlimited

' 16 84CW sTT CL.0Ss8sC.f .

. .u .e,. .. . ,o.. . . .o. . n = = $'c'Iassified a r.. _,

Unclassified O sew t. cep.G55 is parcs

- - . ,- ,- -. . - - 4 e. _ , , - - , - -, , - -

Retrieved from "https://kanterella.com/w/index.php?title=IA-85-199,_Forwards_Draft_Rev_of_Policy_Statement_on_Severe_Reactor_Accidents_Re_Future_Designs_%26_Existing_Plants_%26_Draft_NUREG-1070,incorporating_Policy_Statement_Rev,As_Followup_to_Response_to_Commission_Questions_Per_SECY-84-370&oldid=2939652"