ML030560047
| ML030560047 | |
| Person / Time | |
|---|---|
| Site: | Davis Besse  |
| Issue date: | 02/20/2003 |
| From: | Long S Division of Systems Safety and Analysis |
| To: | Diaz N, Dicus G, Mcgaffigan E, Merrifield J, Meserve R NRC/OCM |
| Long, Steve NRR/DSSA/SPSB 415-1077 | |
| References | |
| CRDM, DAVIS-BESSE, ORDER, RISK-INFORMED | |
| Download: ML030560047 (7) | |
Text
February 20, 2003 MEMORANDUM TO: Chairman Meserve Commissioner Dicus Commissioner Diaz Commissioner McGaffigan Commissioner Merrifield FROM:
Steven M. Long/RA/
Senior Reliability and Risk Analyst Probabilistic Safety Assessment Branch Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation
SUBJECT:
CLARIFICATION OF THE EXTENT OF MY DISSENT WITH THE AGENCYS DECISION NOT TO ORDER THE DAVIS-BESSE PLANT TO SHUT DOWN FOR INSPECTION BY DECEMBER 31, 2001 AND EXPLANATION OF THE BASIS FOR MY DISAGREEMENT As one of the technical review staff members who dissented from the agencys decision, I am troubled that the extent of and basis for my disagreement have been inaccurately characterized by various parties. I am writing directly to the Executive Director for Operations and Commissioners in the hope that a clear and authoritative statement of my reasons for disagreement will assist in focusing future discussions more accurately on pertinent issues.
Extent of Disagreement:
On page 13 of the OIG Event Inquiry, two votes are described. I was one of the three staff members who voted to issue the order to Davis-Besse requiring shutdown for CRDM nozzle inspection by December 31, 2001. I put the word vote in quotations because it was characterized at that time as a show of hands. At that time, I did not think the decision making process was going to be based on a raw count of the number of persons present who held opinions to issue or not issue the order. The number of managers present at that meeting substantially exceeded the number of technical reviewers present, which, of course, is the opposite of their representation in the whole NRR staff.
Contact:
Steven Long, NRR/DSSA/SPSB 301-1077
Commission Therefore, it is not reasonable to consider a count of the opinions of the staff present in the meeting to be a basis for a representative democracy. I assumed that the show of hands was only a quick way to see what bottom-line conclusion had been reached by each of us. We are all well known to the manager who requested the show of hands, and had previously made our various arguments for and against issuing the order. Since the results of the first vote split with the managers against the order and the review staff in favor of the order, I expected the actual decision to be made on the basis of weighing the relative merits of the reasoning expressed by each person present, not by a raw vote count.
On the second question, there was unanimity that, to the best of our knowledge, it was unlikely Davis-Besse would eject a nozzle if allowed to operate until February 16, 2002. However, I did not then and do not now agree that this is equivalent to agreeing that there was no significant safety concern that would preclude continued operation until that date as stated in the OIG report.
I continue to believe that the facts known at that time, when compared to the existing regulatory requirements, were a sufficient legal basis for ordering that Davis-Besse be inspected by the date specified. I recognize that there is some judgement involved in considering the acceptability of a delay, and that reasonable people may differ in their conclusions on this matter. However, I do not agree that the manner in which the available risk information was used in this decision-making process was appropriate to the circumstances of this decision.
Explanation of a Distraction:
Before explaining the bases for my disagreements with the decision process used, it is necessary to dispel a misconception about what that process was. As had been discussed for some months before the decision was made, the legal basis for an order would have to be either (1) non-compliance with a regulatory requirement or, (2) despite compliance with all requirements, a level of risk that would not be deemed to constitute adequate protection of the public. It was repeatedly stressed that it was not a sufficient basis to simply find that the risk level was above the values enumerated in Principle 4 of Regulatory Guide 1.174 as acceptably low levels for voluntary risk increases.
However, once it was decided that the two real potential bases for issuing an order were not adequately demonstrated by the staff, a rationale for not issuing the order was developed using the RG 1.174 criteria as its basis. That rationale is that the risk increment associated with the operation of Davis-Besse from January 1 to February 16, 2002 would not exceed the level of additional core damage frequency that is acceptable under RG 1.174. The implication is that this risk increment cannot be inadequate protection of the public because it is explicitly acceptable under existing procedures.
However, this application of that guidance is illogical, because the risk created by the potential for nozzle cracking was not zero before December 31, 2001. When the requested date for completion of inspections was established for the bulletin, it would have been logical to consider whether the risk that would be accrued between the date the bulletin was to be issued and the date the inspections were to be completed would be within the RG 1.174 guidance for acceptable increases in core damage frequency. However, the level of risk was not well quantified by the time that the bulletin was issued, and pragmatic concerns were more influential in selecting the December 31, 2001 date. Those concerns were primarily (1) the difficulty of scheduling a small number of available inspection contractors among a substantial
Commission number of power plants and (2) the existing plans for some of the affected plants to shut down for refueling purposes prior to that date. Thus, the December date was not risk-based, and was only loosely risk-informed. However, if the analysis that was used to estimate the risk for the first 47 days of 2002 was also applied to the prior 150 days since the bulletin was issued, the December 31 date would not have been justified by this guidance. Therefore, it is illogical to use the analysis that would not justify waiting until December 31st to justify waiting an additional 47 days beyond December 31st.
Thus, arguments about the acceptability of the 47-day risk increment under RG 1.174 guidance are illogical and have served to distract attention from my reasons for disagreeing with the process that was actually used to make the decision.
Basis for Disagreement:
There are two reasons that I believe the decision process was inadequate. (This is distinct from any assertion about whether the resulting decision was right or wrong.) My first reason is that the risk criterion actually used to assess the adequacy of public protection is a major relaxation from the criteria that are expressed in the agencys duly adopted regulations. I have a related concern about the inadequacy of the risk models used to address this criterion. My second reason is that I do not agree that the proper legal test was used to consider whether an order could have been issued.
Risk Criterion Used for Adequate Protection Is an Inappropriate Relaxation of Existing Regulations:
To assess whether a newly recognized increase in the level of core damage frequency constitutes inadequate protection of the public, it is necessary to know what levels of core damage frequency are adequate protection and what levels are not. However, the agency has never adopted a numerical threshold for the definition of adequate protection in terms of the estimated core damage frequency. Nevertheless, it is possible to infer that such a limit must be greater than 1 x 10-4 per reactor-year, because the agency accepts licensees IPE values significantly greater than 1 x 10-4 per reactor-year without implementing any regulatory actions to lower those values. It is also possible to calculate that, for the current population of 69 pressurized water type power reactors, two plants could eject a nozzle every year without the average increase in core damage frequency for those 69 plants exceeding the 1 x 10-4 per reactor-year value. So, it appears that the core damage frequency criterion actually used to make the decision would not be violated even if it was likely that 2 of the 69 plants would eject a nozzle in the next year.
In contrast, current regulations require that a plants reactor coolant system pressure boundary have an extremely low probability of abnormal leakage...and of gross rupture [10CFR50, Appendix A, General Design Criterion14]. Current regulations also require maintenance of the integrity of all physical barriers in the plants design as defense-in-depth for the publics safety.
Thus, the risk criterion that would accept at least two nozzle ejections per year in the existing population of 69 affected plants appears to be substantially less restrictive than intended by the agencys regulations. In the letter from John Zwolinski to Lew Myers, dated December 3, 2002, which documented the agencys decision process, it is clearly stated that The NRC staff did not consider it necessary that the licensee demonstrate strict conformance with the `extremely low criteria for the intent of GDC 14 to be met. I disagree that a less-restrictive, risk-based
Commission criterion should be substituted for our established regulations without any opportunity for public or other stake-holder comment, and without any formal revelation by the agency.
As part of the decision-making process, I also cautioned that it was unwise to rely on a risk-based criterion for this particular decision. The circumferential cracking phenomenon in CRDM nozzles had been discovered only that year, and (in the United States) it was previously thought not to occur. Our analytical models for this phenomenon were not well developed. Risk values were being calculated using conservatively biased averages of the available laboratory data, without a realistic appreciation of the range for the highest values for individual plants. Even if we had estimated the highest plausible risk value for an individual plant, we had no way to determine which actual plant, if any, it represented. We needed plant inspection data to develop reliable models for plant-specific decisions. But, the unreliable models were being used to make the need for that data appear to be less urgent, and therefore harder to justify the burden of prompt inspection.
Some have argued that the risk assessment that was used to make the decision in the fall of 2001 should be considered adequate because the portion of overall risk that was estimated for nozzle ejection after the inspection in the spring of 2002 was only about 2 times greater than the total risk estimated before the inspection. However, that comparison has an apples-to-oranges quality. The risk estimated after the inspection is based on the knowledge that 2 nozzles were leaking for periods of time long enough to create wastage cavities in the surrounding low-alloy steel. The risk estimates made before the inspection addressed 65 of the 69 nozzles, but not the one that actually developed a circumferential crack nor the two that were found to have developed cavities. That is because the licensee had submitted a risk assessment that discounted the possibility that circumferential cracks could cause nozzle ejections in the central and center ring of nozzles. However, circumferential cracks now have been found in center ring nozzles at both Davis-Besse and Oconee unit 3. The licensees risk assessment also did not address the possibility of structurally significant wastage of the reactor head by leaking reactor coolant. We now know that substantial wastage was occurring. We also know that Davis-Besse started leaking earlier in the plants lifetime than was expected and developed a much higher coolant leak rate than has been found from nozzle cracks at any other reactor. Thus, the actual material condition revealed by the inspection of the Davis-Besse reactor vessel head serves to illustrate how truly incomplete and unreliable the risk model was when we used it to make the decision to delay that inspection.
With this risk-based process, perhaps a specific plant could be ordered to inspect if the risk analysts could predict which plant was about to eject a nozzle, because a risk estimate of about 3 x 10-3 per reactor-year could be assigned to that plant. But, even that is not clear without a numerical definition for adequate protection. However, it is clear that risk analysts would not be able to make the necessary plant-specific prediction, even with relatively complete and accurate generic risk models. That fact is occasionally demonstrated by our failure to predict which plant will have the next steam generator tube rupture. Inspections are necessary to prevent pressure boundary failures. Risk assessments based on generic information are not an adequate substitute for the plant-specific information gained by appropriate inspections.
Legal Basis Used Was Overly Restrictive for an Order to Inspect:
This brings me to my second reason for disagreeing with the decision not to issue the order.
Management has stated that the licensee is presumed to be in compliance with the technical specification that prohibits RCS pressure boundary leakage until an actual leak in the pressure
Commission boundary is identified at the plant. For purposes of legally citing a plant for violating its technical specifications, this is appropriate. The reason is that uncertainties in the measurements of the allowable types of RCS leakage make it impossible to infer that pressure boundary leakage is zero or not zero based on total leakage measurements.
However, issuing an order to require a prompt inspection is not the same as citing a plant for violating its technical specifications. The order is to enforce a request for information about the plants condition. Information requests are not backfits to the license, and are not subject to the backfit rule requirements in 10CFR50.109. This is logical, because the information being sought is the same information needed to produce an analysis of the importance of obtaining that information. It would produce an intractable circular logic to require the use of information that is not available to obtain that information. However, it is the agencys policy to consider both the burden and the importance of obtaining the information in a manner similar to the backfit rule analysis. To do that, judgement is required to compensate for the unavailability of the information needed for proof.
In this case, the agency could have informed its judgement with the knowledge that all six of the similar plants had already been found to be leaking through the pressure boundary in a specific location. It was known that inspections conducted to comply with regulatory requirements were inadequate to detect the leakage in this location. It was known that undetected leakage in two nozzles at another plant already had produced circumferential cracks that were about half as large as the size that would cause a nozzle to be ejected. It was known that Davis-Besse could have been leaking in a similar location for a long period of time.
It was and is my position that, in this type of situation, the agency has the legal discretion to use its judgement to issue an order to inspect. I am troubled that our management has taken a position that precludes use of statistical information about other plants to make a judgement about the probability that an uninspected plant is in non-compliance with our requirements. I find it ironic that our management supports the use of risk assessments for the same purpose, because those risk assessments also depended on information from laboratory experiments and other plants.
Summation:
In summary, I believe that the agency has inappropriately substituted a non-vetted, risk-based criterion for our current regulatory requirements. Although this criterion is intended to substitute an objective, scrutable, reproducible process for a potentially subjective process, it is unreliable in cases where the risk assessment is too incomplete or uncertain, as illustrated by the Davis-Besse case. I am especially troubled that my Division Director has written to you that
...the decision making process used for addressing the control rod drive mechanism cracking at Davis-Besse was not only correct, but that it constitutes a good and appropriate model for future actions. I am concerned that eventually we will fail to adequately protect the public if we continue to use this relaxed probability standard and continue to use risk information without regard to its reliability for the purpose of each particular decision.
Please note that I am taking this position as a risk analyst. I am not a person who is resisting the increasing use of risk information in NRRs regulatory processes. To the contrary, I am one of the individuals who have pioneered the use of risk information by NRR over the last 16 years.
My previous work includes using risk analyses to assess the importance of events, to direct follow-up activities toward the risk-significant aspects of events, to guide routine inspection
Commission efforts, to evaluate the importance of generic issues, to help determine the acceptability of requested license changes, and to support discretionary waivers of regulatory requirements. In doing these things, I have learned the importance of recognizing the limitations of the available risk insights for each specific decision.
I believe that one essential requirement for developing a truly risk-informed culture within NRR is to have alternate regulatory processes that can proceed without risk information when the only available risk information is not adequate for the purpose. We already have such processes because our regulatory approach was first developed before risk assessment was an option. It is important that we not abandon those existing processes in the future, based on a false premise that reliable risk information will always be available to provide a better alternative. The Davis-Besse case has illustrated that need in at least two respects: (1) we did not have an adequate knowledge of the risk to support delaying the inspection, and (2) we still did not have an adequate knowledge of the risk to assign a color in the significance determination process, once the wastage condition was discovered. At least we recognized that the lack of risk information for the significance determination process was not an acceptable reason for delaying our response, once the wastage was revealed.
I hope that the agency can move past defensive reactions to criticism and learn from this experience how to better use risk information when making decisions in the future.
cc:
W. Travers S. Collins B. Sheron J. Zwolinski G. Holahan R. Barrett M. Johnson W. Bateman C. Carpenter M. Reinhart T. Chan
Commission efforts, to evaluate the importance of generic issues, to help determine the acceptability of requested license changes, and to support discretionary waivers of regulatory requirements. In doing these things, I have learned the importance of recognizing the limitations of the available risk insights for each specific decision.
I believe that one essential requirement for developing a truly risk-informed culture within NRR is to have alternate regulatory processes that can proceed without risk information when the only available risk information is not adequate for the purpose. We already have such processes because our regulatory approach was first developed before risk assessment was an option. It is important that we not abandon those existing processes in the future, based on a false premise that reliable risk information will always be available to provide a better alternative. The Davis-Besse case has illustrated that need in at least two respects: (1) we did not have an adequate knowledge of the risk to support delaying the inspection, and (2) we still did not have an adequate knowledge of the risk to assign a color in the significance determination process, once the wastage condition was discovered. At least we recognized that the lack of risk information for the significance determination process was not an acceptable reason for delaying our response, once the wastage was revealed.
I hope that the agency can move past defensive reactions to criticism and learn from this experience how to better use risk information when making decisions in the future.
cc:
S. Collins B. Sheron J. Zwolinski G. Holahan R. Barrett M. Johnson W. Bateman C. Carpenter M. Reinhart T. Chan DISTRIBUTION: SPSB r/f Accession#ML030560047 NRR-106 G:SPSB\\Long\\Letter to Commission.wpd OFFICE SPSB NAME SLong:nyc DATE 02/20/03 OFFICIAL RECORD COPY