ML103620079

2010/12/28-Use of Risk Measures in Design and Licensing of Future Reactors
Site: Davis Besse
Issue date: 12/28/2010
From: Jamali K (Elsevier; US Dept of Energy, Office of Nuclear Energy)
To: NRC/SECY; SECY RAS
Shared Package: ML103620074
References: License Renewal 2, RAS 19324, 50-346-LR


Text

ARTICLE IN PRESS
Reliability Engineering and System Safety 95 (2010) 935-943

Use of risk measures in design and licensing of future reactors

Kamiar Jamali
United States Department of Energy, Office of Nuclear Energy, 1000 Independence Avenue, Washington, DC 20585, USA
E-mail address: kamiar.jamali@hq.doe.gov
doi:10.1016/j.ress.2010.04.001

Article history: Received 17 February 2010; received in revised form 5 April 2010; accepted 6 April 2010; available online 10 April 2010.

Keywords: Nuclear reactor safety; Probabilistic risk assessment (PRA); Safety goals; Acceptance criteria; Next generation nuclear plant; Small modular reactors; Frequency-consequence curve

Abstract

Use of information and insights from probabilistic risk assessments (PRAs) in nuclear reactor safety applications has been increasing by the nuclear industry and the regulators, both domestically and internationally. This is a desirable trend, as PRAs have demonstrated capability to improve safety and operational flexibility beyond that provided through deterministic approaches alone. But there can be potential pitfalls. The limitations of risk assessment technology can be lost through approaches that rely heavily on quantitative PRA results (referred to as risk measures in this paper), because of the unambiguous but potentially misleading message that can be delivered by risk-based numbers. This is particularly true for future reactors, where PRAs are used during the design and licensing processes. For these applications, it is important to ensure that the actual, de facto, or even perceived use of risk measures in the context of either regulatory or design acceptance criteria is avoided. While the issues discussed here can have a significant influence on design certification or combined license applications for future reactors, they can also have secondary impacts on currently operating reactors.

Published by Elsevier Ltd.

1. Introduction

Probabilistic risk assessment (PRA) results and insights have helped to improve nuclear power plant safety and operational flexibility for more than 30 years. This success has led to increased use of PRAs by the nuclear industry and regulatory authorities worldwide. While this trend is largely positive, there can be potential negative consequences that have not been widely discussed in related literature, with some exceptions (e.g., [1]).

It was because of this positive contribution to safety that the US Nuclear Regulatory Commission (NRC) gradually refined their original deterministic-based nuclear safety regulations by incorporating the use of risk information and insights within a risk-informed framework. Risk-informed regulations for the current fleet of operating light-water reactors (LWRs) are defined through a combination of rule-making and publication of lower-tier documents, such as regulatory guides or NRC's endorsement of certain nuclear industry documents. Thus, in a risk-informed framework, risk information and insights supplement the traditional deterministic approaches and form a part of the overall safety case (which is sometimes referred to as the safety basis) for a nuclear plant. The Commission has also called for increased use of PRA technology in all regulatory matters in a manner that complements NRC's predominantly deterministic approaches within the confines of a risk-informed as opposed to a risk-based regulatory construct. Some of the distinguishing features between the two are also discussed in this paper.

The nuclear industry also has used PRA techniques extensively with beneficial results, including in the design of advanced or evolutionary nuclear reactors. These benefits are, in part, related to the fact that these same users can also control and limit the influence of the incomplete safety information that is provided through the results of the PRA alone. Factors that are usually not fully accounted for in a PRA model but are germane to the consideration of adequacy of safety features for a specific issue or accident scenario may include: magnitudes of relevant safety margins, incorporation of defense in depth, potential for corrective or compensatory actions, degree of conservatism in analysis, and many others. The very same PRA information, however, when used to comply with well-intentioned regulatory policies and approaches can lead to some undesirable consequences. Some of the undesirable consequences in applications involving future reactors are also discussed below.

PRAs provide both qualitative and quantitative information. Recent trends in the development of new risk-related approaches, whether they are performed by the regulatory staff, nuclear industry, or other domestic or international bodies, are towards heavier emphasis in use of quantitative PRA results (interchangeably referred to as risk measures in this paper). It is well-known that quantitative results of PRAs, in particular, are subject to various types of uncertainties. Examples of these uncertainties include probabilistic quantification of single and common-cause hardware or software failures, occurrence of certain physical phenomena, human errors of omission and commission,
magnitudes of source terms, radionuclide release and transport, atmospheric dispersion, biological effects of radiation, dose calculations, and many others. Unlike deterministic uncertainties related to physical phenomena (e.g., neutronics, thermal-hydraulics), PRA uncertainties are not readily reducible in most instances. Uncertainties associated with physical phenomena can often be reduced by tests, experiments, operating experience on actual or prototype designs, or improvements in analytical models or computational capabilities. Despite this well-known limitation, if quantitative PRA results are used in the context of risk acceptance criteria (i.e., when they are compared against a set of threshold values established by either the industry or the regulator), it would be difficult to counter the unambiguous but potentially misleading or incorrect message that is delivered by such a number-based process; i.e., implying that a design is unacceptable or unsafe because it did not meet a particular risk-based numerical threshold (labeled as a risk acceptance criterion).

An important issue that is outside of the scope of this paper, but is worthy of detailed discussions of its own, is that the introduction and impact of PRAs in the design and licensing stages for a future reactor is by and large different from the way that risk-informed regulations have been applied to existing reactors. Currently operating reactors had a deterministically established licensing basis (which included the plant's safety basis) before plant-specific or generic risk information and insights were made available through PRAs. The PRAs generally confirmed that the original deterministic approach to design and licensing was conservative (e.g., plants could respond to some accident scenarios in manners that were not credited in the deterministic analyses) and further identified changes that could improve plant design or operational safety. Meeting the deterministic requirements meant that implementation of their attendant provisions embodied within the concepts of defense in depth, safety margins, conservative assumptions and analyses, quality assurance, and numerous other factors (many of which are not readily measurable within a PRA model) created a safety cushion or margin that protected these plants from uncertainties, including those from unknown unknowns (for which a euphemism can be emerging safety issues as discussed in Section 2). On the other hand, PRA models have to rely on realistic inputs to ensure that risk significant insights are not obscured by artificially biased results derived from the application of uneven conservatisms. Therefore, great care must be exercised in bringing PRAs into the design process to ensure that the fundamental pillars of deterministic safety assurance process mentioned above are not unduly compromised. Thus, for future reactors, use of risk information can have a far more significant impact on the safety basis of the plant, including the potential to drive some key design decisions. The intent of risk-informed regulations is to ensure their influence is positive in safety tradeoff decisions.

2. NRC's approach to safety goals and risk acceptance criteria

NRC published the Safety Goals Policy Statement on August 8, 1986 [2]. While the text of this Policy Statement does use the phrase acceptable risk, the title and the rest of the discussions were careful to avoid the use of the Quantitative Health Objectives (QHOs) of prompt fatalities (PFs) and latent cancer fatalities (LCFs) as regulatory risk-acceptance criteria. In other words, the selection of the terminology of safety goals was very deliberate. An important attribute of the calculation of plant-specific PFs and LCFs for comparison with the dual QHOs is that both are by necessity integral quantities that are derived from the contributions of all accident scenarios that are considered in the plant-specific PRA model.

The Commission's 1995 PRA Policy Statement on use of PRA methods in nuclear regulatory activities [3], which was issued in the aftermath of the completion of PRAs for all operating nuclear plants in accordance with the Individual Plant Examinations Generic Letter [4] states, in part:

The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on the need for proposing and backfitting new generic requirements on nuclear power plant licensees.

The Commission approved the staff's White Paper on Risk-Informed and Performance-Based Regulation in March 1999 [5], which provided definitions of risk-informed and risk-based regulations. It reiterates that the Commission does not endorse an approach that is risk-based, wherein decision-making is solely based on the numerical results of a risk assessment.

Regulatory Guide 1.174 [6] established the framework for risk-informed regulations in applications regarding making plant-specific changes to the licensing basis. Its approach ensures that numerical PRA results would not form the sole basis for making nuclear safety decisions by listing five key principles (i.e., meeting current regulations [which are primarily deterministic], meeting defense-in-depth principles, maintaining sufficient safety margin, keeping increases in risk small, and performance monitored) that have to be met for a risk-informed approach. Clearly, current regulations are by and large based on deterministic requirements. A key portion of the section on scope (Section 1.4) states:

... The NRC has chosen a more restrictive policy that would permit only small increases in risk, and then only when it is reasonably assured, among other things, that sufficient defense in depth and sufficient margins are maintained. This policy is adopted because of uncertainties and to account for the fact that safety issues continue to emerge regarding design, construction, and operational matters notwithstanding the maturity of the nuclear power industry. These factors suggest that nuclear power reactors should operate routinely only at a prudent margin above adequate protection. The safety goal subsidiary objectives are used as an example of such a prudent margin.

The clause about continual emergence of safety issues for plants with many years of operating experience is an alternative way to state the concern regarding uncertainties about the unknown unknowns that are a more significant concern for future reactor designs.

One reason that Regulatory Guide 1.174 has worked well in application is that it was intended for operating plants with a primarily deterministic licensing basis already in place, which means that the plants were already determined to be safe before applying the results of plant-specific PRAs.

Finally, Note 2 of Chapter 19 of the Standard Review Plan (SRP) [7] states that the QHO-surrogates of Core Damage Frequency (CDF) and Large Release Frequency (LRF) are goals and not regulatory requirements.

The key conclusion from the above is that the NRC Commissioners have not endorsed a risk-based approach to regulation because of the uncertainties in quantitative results of
PRAs. These uncertainties are large for currently operating nuclear plants, particularly in the so-called Level 2 and Level 3 PRAs. The fact that the large uncertainties in the estimates of probabilities for hardware failures and human errors, and understanding and probabilistic quantification of occurrence of some physical phenomena in PRAs of currently operating reactors seem less so because of repeated reuse should not be overlooked. Treatment of uncertainties in severe accident progression and delineation has always been limited in risk assessments performed to date, even in the studies that went the furthest in such analyses, such as NUREG-1150 [8].

Another important consideration, also related to the general category of uncertainties, is the issue of state-of-the-art in PRA methods and data. This is an issue for risk modeling of all reactor designs as alluded to above, and it is especially so for designs that primarily rely on passive safety functions performed by safety-related Systems, Structures, and Components (SSCs) and digital systems (e.g., in instrumentation and control, I&C). The current state-of-the-art does not permit a high quality modeling for reliability evaluations for these systems. In particular, there is considerable uncertainty with respect to the contribution of software common-cause failures (CCF) to digital system reliability. For the potentially safer and more passive advanced reactor designs, it is possible that digital systems and human errors of commission (due in part to longer time constants; see, e.g., [13]) might have a higher relative risk contribution, a contribution that may be difficult to assess with any significant level of confidence. These issues offer additional reasons to apply quantitative PRA results judiciously for future nuclear plants.

The Commission also offered another goal of 1E-6/yr within the Safety Goals Policy Statement for frequency of large releases to the environment for further staff examination. A definition for large release was not offered in that document [2]. In [9] the staff considered several options and finally recommended that a large release be defined as a release that has the potential for causing an offsite early fatality. Several other SECY papers (denotes papers submitted to the Commissioners by the NRC staff), Staff Requirements Memoranda (SRMs), and Advisory Committee on Reactor Safeguards (ACRS) letters to the Commission (e.g., [10]) were devoted to this subject. The Commission directed the staff to ensure that their evaluation of large release magnitude be consistent with ACRS proposed guidelines linking the hierarchical levels of the safety goal objectives, where the large release guideline was considered the third level objective (the qualitative and quantitative health objectives were the level one and two objectives). According to these guidelines, each subordinate level of the safety goal objectives should:

• be consistent with the level above,
• not be so conservative as to create a de facto new policy,
• represent a simplification of the previous level,
• provide a basis for assuring that the Safety Goal Policy Objectives are being met,
• be defined to have broad generic applicability,
• be stated in terms that are understandable to the public, and
• generally comply with current PRA usage and practice.

In the end, the staff reached the overall conclusion that development of a large release definition and magnitude, beyond a simple qualitative statement related to the frequency of 1E-6/yr is neither practical nor required for design or regulatory purposes. In addition, based upon the work done evaluating large releases in NUREG-1150 [8] and other related activities, the staff noted that the general performance guideline of 1E-6/yr and the CDF subsidiary objective of 1E-4/yr are not consistent with the original QHOs [11] (i.e., they are more conservative, and the degree of conservatism depends on the specific plant).

In addition, the Commission rejected the use of 1E-5/yr of reactor operation as a CDF goal for advanced designs in SECY-90-016 [12] and its SRM. This rejection should be examined together with a series of Commission Policy Statements on regulation of advanced reactors. The last in the series published in October of 2008 [13] states:

The Commission expects, as a minimum, at least the same degree of protection of the environment and public health and safety and the common defense and security that is required for current generation light-water reactors. Furthermore, the Commission expects that advanced reactors will provide enhanced margins of safety and/or use simplified, inherent, passive, or other innovative means to accomplish their safety and security functions. The incorporation of enhanced safety margins may help offset the effects of added uncertainties in the PRA model and/or in accident analyses arising from the novelty of advanced reactor designs. [Elsewhere other attributes of advanced designs are described as: reliable and less complex shutdown heat removal systems; longer time constants and sufficient instrumentation; simplified safety systems; minimize potential for severe accidents by incorporating redundancy, diversity, safety system independence; incorporate defense-in-depth; etc.].

The important aspects of this Policy Statement are: (a) it contains only qualitative but well-proven principles for enhanced safety of nuclear reactor designs, and (b) it specifically lacks any risk-based numerical criteria. Because of large uncertainties of risk-based numerical results, risk analysts typically do not consider variations of less than factors of 10 or so in such numbers as meaningful increments. Risk experts may convert the above policy statement into a corresponding numerical criterion by providing an order of magnitude as the smallest discriminator for deciding how much safer advanced reactors should be from current reactors. This, however, is a non-sequitur and a problem inherent to risk-based calculations. An order of magnitude is a very large increment in the real world, and current nuclear reactors are already much safer than any other comparable industrial facilities and hazardous human activities. Ultra-conservatism in design has a price, both economically and operationally. As discussed in Section 3, the proposed new surrogate numerical risk-based criteria can be far more restrictive than the QHOs. They are also quantitatively unpredictable in real risk space and not comparable with QHOs as they are non-integral measures of risk. They are more restrictive in the sense that a reactor that in a hypothetical case may fail to meet some of the new criteria (described in Section 3) can still meet the QHOs by orders of magnitude.

In spite of the above discussions and the broad policy guidance by the NRC Commissioners, this paper's observation is that throughout many publications of the national and international regulatory agencies and commercial entities, there is an increasing trend toward more prevalent use of risk-based regulatory concepts in general, and the use of some form of numerical risk thresholds as acceptance criteria vis-a-vis safety goals, in particular. For example, a number of NRC staff documents (e.g., [14,15]), as well as industry and international publications (e.g., [16-23]), have employed various types of risk-acceptance criteria (consistent with the terminology employed within the documents) which involve some form of a frequency versus consequence (FC) curve, or FC anchor points or regions. It can be shown that these approaches generally establish much more restrictive numerical thresholds than the QHOs, and are applied as non-integral quantities. While the intentions behind this trend are noble and motivated in part from a desire to
continuously improve nuclear reactor safety, and in part from the Commission Policy Statements on regulation of advanced reactors [13], their actual implementation can lead to a number of undesirable consequences, as discussed in Section 3.

3. Critique of frequency-consequence curve from NUREG-1860

This section presents a brief review of a specific section (i.e., the discussion on FC curve as a potential risk threshold for Licensing Basis Events) of the representative and probably the most high-profile, document among the international references mentioned above, namely NUREG-1860 [15], and describes some issues that can arise in using similar approaches with regard to numerical risk assessment results. NUREG-1860 does address deterministic requirements and defense in depth guidelines, but a discussion of these topics is beyond the scope of this paper.

An important part of the reason for the prominence of NUREG-1860 in these discussions is SECY-07-0101 and its Staff Requirements Memorandum [24], in which the Commission directed the NRC staff to test the concept of this framework on an actual future reactor design.

The most likely candidate for the application of this Risk-Informed and Performance-Based Regulatory Structure for Future Plant Licensing is the Next Generation Nuclear Plant (NGNP) [25]. The ramifications of this action can go beyond the NGNP license application, and potentially have a significant impact on all future reactors, particularly advanced reactors that would largely constitute the group that is currently referred to as the Small Modular Reactors (SMRs). Moreover, they can create an environment for raising and/or revisiting questions on whether currently operating reactors are indeed safe enough, even though this question had been emphatically put to rest with a positive response in the past.

The issue that this section examines is whether the use of numerical results of PRAs (i.e., risk measures) to be compared against pre-established risk thresholds (i.e., risk-acceptance criteria), as employed in NUREG-1860 and the similar approaches in the other referenced documents listed above, is akin to modifying NRC's long-established risk-informed regulation paradigm towards one of being risk-based; and whether these approaches could lead to other, unintended consequences.

Discussions in Sections 2.5.1, 3.2.2, 6.2.2, and 6.3 of NUREG-1860 state:

• The FC curve is used in the following ways:
  1. For the selection of Licensing Basis Events (LBEs) (discussion and definition provided in [15]), including frequent, infrequent, and rare events.
     ○ This paper notes that the retention of accident scenarios other than severe accidents in the PRA beyond the initial screening stage creates an entirely new type of PRA that is, among other things, much larger than the current PRAs. Current PRAs do not retain for further analysis accident scenarios that terminate in states other than one of any pre-defined consequence categories, often referred to as plant damage states. For current plants these generally involve core damage, based on predefined thresholds (e.g., peak cladding temperature above 2200°F). The NUREG-1860 PRA method would additionally include all intermediate accident scenarios from simple initiating events to those intermediate scenarios that are terminated successfully before reaching any plant damage state, as well as the traditional PRA's plant damage state scenarios. This type of PRA can become significantly larger than the traditional PRAs, depending on the specifics of the methodology chosen by the analysis team. A significant increase in the level and complexity of the PRA can lead to problems of cost, configuration control, difficulty for analysis of results and review, and issues regarding quality assurance of the product.
  2. Possibly as a surrogate risk metric to the QHOs, because the CDF metric for LWRs is not fully applicable to all advanced reactors (such as the high-temperature gas cooled reactor, HTGR); and
  3. As a guide to designers, i.e., it relates the frequency of potential accidents to acceptable [emphasis added] radiation doses at the site boundary from these accidents.

Fig. 6.2 of NUREG-1860, reproduced here as Fig. 1, is an example of a worldwide and industry-wide trend (documented in Refs. [14-23]). The ACRS expressed a number of concerns with earlier versions of this curve [26].

NUREG-1860 indicates that doses in Fig. 1 are total effective dose equivalents (TEDEs, which includes the 50-year committed dose) calculated at the site boundary on a per scenario basis. Additional discussion related to this figure, and those in a number of other references, e.g., [14,18,27] also reiterate a questionable relationship between an accident frequency of 1E-4/yr, a dose of 25 rem, and design basis accidents (DBAs). First, it is important to note that many traditional DBA frequencies are demonstrably below this frequency, when initiating event frequencies are combined with the partial failure probabilities of safety systems imposed by the requirements of single failure criterion. For example, in the last paragraph of page 6-7 of NUREG-1860 it is stated that:

... while those in the range of 1-25 rem are assigned a frequency of 1E-4 per year. The DBA off-site dose guideline in 10 CFR 50.34 [29] and 10 CFR 100 [30] is 25 rem. [Note: The relationship or a lack thereof, between a dose of 25 rem and DBAs is discussed in Section 5.]

... doses in the range of 25-100 rem are assigned a frequency of 1E-5 per year.

... doses in the range 100-300 rem are assigned a frequency of 1E-6 per year, 300-500 rem a frequency of 5E-7 per year, and the curve is capped beyond doses greater than 500 rem at 1E-7 per year.

This paper proposes that using Fig. 1 in regulatory or even design applications as suggested in NUREG-1860 can lead to a number of unintended consequences for two principal reasons: (1) the use of the labels of acceptable and unacceptable, and (2) comparison of the embedded criteria against the attributes of individual accident scenarios (as opposed to integral measures of risk, such as CDF or LCFs). Specifically:

• The Commission has long avoided establishing any kind of risk-based acceptance criteria by endorsing the QHOs as safety goals. As stated earlier, the significant roles played by both the uncertainties and state-of-the-art (both of which are exacerbated for future/advanced reactors with little or no operating experience) associated with the PRA model of a plant are the main drivers for this decision. In accounting for uncertainties, the PRA model can only provide some treatment of the known uncertainties through propagation of parameter uncertainties and performing sensitivity studies (to address some modeling uncertainties), and is generally incapable of handling uncertainties associated with (lack of) completeness inherent to the
analytical models and many other factors (e.g., impact of safety margins). Even then, the use of representative parameters (such as the mean) associated with the frequencies and consequences of individual or integrated accident scenarios has limitations of its own, as the types and widths of the underlying distributions of the input random variables are generally assigned by subjective judgment. It is clear that these issues become more dominant in analyses of future/advanced reactor designs with less knowledge about several key aspects of the safety of the design, such as the fidelity of analyses in thermal-fluids, neutronics, fission product transport, material properties at high temperatures, component reliabilities, and the unknown unknowns.

Fig. 1. Frequency versus consequence curve (Fig. 6.2) of NUREG-1860.

• The QHOs have a logical relationship with the risk that the members of the public are otherwise exposed to as articulated in the qualitative health objectives. They establish the risks of nuclear power plant operations at a small fraction of the risks that the members of the public, not the general public at large, but those living in the vicinity of the plant are already exposed to. A reduction in these risks for future reactors proposed by any stakeholder (which would be consistent with the stated qualitative goal of the Commission), should be within reason and not so drastic as to deprive the same population from the benefits that they may otherwise realize from operation of these reactors.

• Plant-specific PFs and LCFs are calculated for comparison against the QHOs. Both of these, as well as the more widely used surrogate metrics to QHOs, such as CDF and LRF for LWR applications, are integral quantities that are derived from the contributions of all accident scenarios that are considered in the plant-specific risk model. Integral risk measures incorporate at least three important properties:
  1. Definition or characterization of individual accident scenarios is dependent on both the specific PRA model (e.g., large fault tree/small event tree versus small fault tree/large event tree) and the specific plant design (e.g., complex with more active safety systems versus less complex with more passive safety systems). Integrated risk measures are not subject to such dependencies on the calculation model or plant design.
     ○ It will be a challenge to establish criteria to ensure that individual accident scenarios are defined or characterized at the same level of resolution across different plant designs and associated PRA models for use with this type of FC curve construct. The system would be inherently unstable and dependent on subjective interpretations by all sides in a dispute.
  2. Relative uncertainties decrease when the associated random variables are summed, and they increase when the random variables are multiplied. Therefore, the effects of uncertainties are minimized when integrated risk measures are used as opposed to when intermediate and product quantities, such as frequencies and consequences of individual accident scenarios are used.
  3. Comparison of any partial level of plant risk, such as those that are based on individual accident scenarios, against some quantitative criteria can misinform or even mislead. The potential for misinformation is large because it would not be known as to what fraction (is it 0.001% or 10%) of the overall integral risk (even within the same category, such as internal events) is being compared against the criteria.
     ○ Thus, the risk of an individual scenario would/should not necessarily be unacceptable if it falls in the unacceptable region of an FC curve, because the QHOs (as safety goals) might still be met with large margin.
     ○ A converse corollary is that the risk of individual scenarios should not necessarily be viewed as acceptable in the other region either, as a prudent approach to safety assurance always seeks to incorporate reasonable additional controls where ever a proper qualitative engineering judgment or a quantitative analysis so dictates. Falling within the acceptable region could deny the designers and others from thorough engineering thinking in the safety design process.

• If it is assumed that a future design of an HTGR or an SMR meets the FC curve, then the NRC will be on record for
ARTICLE IN PRESS 940 K. Jamali / Reliability Engineering and System Safety 95 (2010) 935-943 certifying that the level of risk-based safety of this design is acceptance criteria will be variable for each design, speci"c acceptable, and in contrast, any design that does not meet PRA model, and reactor site. The variability can be substantial this level of safety, even for a single accident scenario with all in some cases.

the attendant uncertainty, is unsafe. The same problem is encountered even if the governing document is from the It is important that the NRC staff be cognizant of the above industry, whether or not it is explicitly endorsed by the NRC, issues in complying with the Commission direction in testing the such as an ASME or ANS standard as in [18]. How could the concepts embodied in NUREG-1860 in an actual licensing regulator accept a design with one or more accident scenarios approval process for a future plant. The staff should ensure that in the unacceptable region when the governing industry their review will not deviate from the long-standing Commission standard itself has labeled it as such? precedents in establishing the many elements of a risk-informed

 Some current LWRs will likely not meet this FC curve. approach. While this paper has touched upon only a few topics, A misunderstanding of the intent of this curve and the role future papers can discuss the use of PRA, including the introduc-that NUREG reports play at NRC could lead some to incorrect tion of a proposed technology-neutral generic risk measure that conclusions concerning the adequacy of safety of current will allow for cross-comparison of the level of safety for different plants, because the NRC and/or the nuclear industry them- plant designs independent of site-speci"c characteristics; ap-selves (as, e.g., in [15,18]) have labeled plants that do not meet proach to defense-in-depth; selection of the so-called licensing-this curve as unacceptable. basis events; and selection of safety SSCs in a risk-informed and

 The FC curve is, in fact, introducing new and more restrictive performance-based framework.

acceptance criteria than the QHO safety goals as evident by It should be added that alternative and complementary risk inspection and as mentioned in [15], in contradiction to the metrics to QHOs can be useful to a potential applicant for a design ACRS guidance mentioned above. certi"cation or combined license, for example to assist in

 The combined effect of using risk metrics as acceptance criteria determination of having reached a suf"cient mix of preventive and applying them on the level of individual accident scenarios and mitigative features in a new design (i.e., safety design trade-can lead to other undesirable outcomes. Future reactor designs off decisions) or to compare relative safety of different designs.

offering lower total (integrated) risk than current operating The technology-neutral generic risk measure mentioned above reactors may be erroneously labeled as unsafe and not be will satisfy the latter need for future reactor designs for which the pursued, or be burdened with costly and unnecessary design CDF and LRF metrics may not be fully applicable. An example of modi"cations. an alternative FC curve that can be effectively used for safety J An example of the above (involving a potentially safer design trade-off decisions is discussed in Section 6.

future reactor design) is a reactor coolant line break for a high-temperature gas-cooled reactor (HTGR). In a hypothe-tical case, it can be assumed that an applicant calculates the 4. Use of risk measures by industry frequency and the consequences of the scenario in a way that allows them to show that it is acceptable. Anyone The impact of the aforementioned issues may not be as great in inclined to question the validity of the calculations can: practice when the FC curve of NUREG-1860 or a similar construct (a) point to the degree of uncertainty in the pipe break is used only by the designer as opposed to the regulator. The frequency because of very limited number of years of designer can use such constructs or concepts as complementary operating experience with these reactors; (b) point to information in an iterative manner throughout the design process.

conditions such as high operating temperatures as addi- A problem that may be encountered in that process is that a tional reasons for much higher failure frequency potential proper interpretation of some risk-based concepts may not be as than in the LWR experience; and (c) challenge the assumed intuitive for the designer, especially for those who are not PRA radionuclide airborne fractions produced by uncertainties experts, as it may appear at "rst. In addition, manuals of practice, in source terms (e.g., long-term diffusion of radionuclides such as standards or guides that are developed by the industry through coated fuel particles, resuspension caused by may be endorsed or referenced by the regulators and be used in vibration effects, higher temperatures, lower plateout, ways that produce the unintended results (e.g., leading to etc.). These challenges can lead to a conclusion that the rejection of safer designs). For this reason, it is suggested that scenario falls in the unacceptable region instead. the use of quantitative PRA results in the context of design or

 Simple and/or passive reactor designs would have fewer regulatory risk-acceptance criteria be avoided by all. Instead, numbers of accident scenarios than complex and active Section 6 provides an alternative construct that may be used by designs at the same level of accident scenario de"nition the industry that will accomplish the intended purpose (design (e.g., system level) and within the same PRA model. safety trade-off decisions) without the negative connotations that The difference in the number of accident scenarios could are associated with NUREG-1860s version of an FC curve.

be in multiples of 10 rather than in algebraic fractions. As a hypothetical example, two reactors may have the same risk pro"le, but the "rst has 10 sequences with 30 rem at 2E 6/yr, 5. Interpretation of the 25 Rem criterion used in and the second has one sequence with a consequence of 10 CFR 100/50.34 30 rem at 2E 5/yr. Under the FC curve construct, one is deemed acceptable and the other is not, which does not make The 25 rem criterion used in 10 CFR 100 and 10 CFR 50.34 is sense in real risk space. often used as a de facto dose acceptance criterion for DBAs by the J Thus, the use of risk-based acceptance criteria on the level of NRC staff. This usage is, however, contradictory to actual individual accident scenarios (as opposed to integral quan- Commission policy and guidance as described explicitly in NRC tities) may be viewed as penalizing simple and passive regulations, as discussed in this section. Since a nuclear plant is designs in favor of active and complex designs, in violation of designed to adequately respond to the occurrence of Design Basis the Commission Policy Statement on Advanced Reactors [13]. Events (DBEsincludes Anticipated Operational Occurrences and

 Again, because integral measures of risk are not obtained in Design Basis Accidents), the expectation is that the associated this model, applications of these scenario-level and risk-based offsite consequences will be small (e.g., fractions of 25 rem TEDE).

This expectation, however, should be viewed as a safety goal or guideline as opposed to a dose acceptance criterion, as discussed below.

NRC Policy Statement on Severe Reactor Accidents [28] states: "Severe nuclear accidents are those in which substantial damage is done to the reactor core, whether or not there are serious offsite consequences." Based on this definition, the type of accidents described in 10 CFR 100 and 10 CFR 50.34 involving a substantial amount of core melt discharged into an intact containment is a Severe Accident, not a DBA. Elsewhere in this document, severe accidents are defined as a class of accidents which are beyond the substantial coverage of design basis events. And finally, it states that a new design for a nuclear power plant can be shown to be acceptable for severe accident concerns if it meets the acceptability of safety using an approach that stresses deterministic engineering analysis and judgment complemented by a PRA.

Note 7 of 10 CFR 50.34 carefully avoids the labels of acceptable or unacceptable dose to the value of 25 rem total effective dose equivalent (TEDE). Rather, it states that: "... this dose value has been set forth as a reference value, which can be used in the evaluation of plant design features with respect to postulated reactor accidents, in order to assure that such designs provide assurance of low risk of public exposure to radiation, in the event of such accidents."

With regards to the often cited accident that is the source of the 25 rem TEDE dose (10 CFR 100, or 10 CFR 50.34) [29] or [30], it is noted that:

(a) it is not an actual accident scenario, as the assumption of substantial core melt outside of the reactor vessel and inside the containment is the initial condition for the analysis, irrespective of the requisite sequence of events (i.e., the specifics of the other aspects of the plant design) that may or could have led to such conditions,

(b) again, the Commission's Policy Statement on Severe Accidents [28] considers accidents involving substantial core damage as Severe Accidents, whether or not there are serious offsite consequences. This means that the characteristics of this accident should not be compared with DBAs, and

(c) the magnitude of the calculated dose itself should not be viewed in terms of acceptability or a lack thereof. It is a dose value that is used in the evaluation of containment design (and size of the Exclusion and Low Population Zones) to assure low risk of public exposure to radiation in the event of accidents involving core melt (10 CFR 50.34, Note 7) in an intact containment. The results of these analyses and calculations have little to do with the rest of the plant design, and thus, should not be correlated with the safety and/or acceptability of the specific design (with the exception of the containment systems),

(d) it should be noted that in particular, typical severe accidents (Beyond DBAs) in commercial-size LWRs could exceed this dose value by orders of magnitude, and thus:

   • the 25 rem TEDE should not be viewed as a dose acceptance criterion for any accident scenario, DBA or Beyond DBA (such as severe accidents). This distinction is critical as it may have substantial impacts on judging the safety of future designs. For example, in a hypothetical case, it can be assumed that an advanced reactor design has a risk profile that is orders of magnitude below comparable LWRs (in reactor size/energy output). It can be assumed further that the advanced reactor design has one DBA that is calculated to result in a 30 rem dose at the site boundary without a leak-tight containment. Would it make sense to require the design to employ a leak-tight containment system based on this scenario alone? The decision on whether the design has achieved adequate safety (within the context of accident analysis and PRA) should be derived from the consideration of all relevant information derived from the deterministic and probabilistic analysis of the accident(s) and the design attributes, such as margins, assumptions, uncertainties, potential corrective or mitigative features and factors, and other design options that could be considered.

It should also be noted that in judging the degree of seriousness of calculated exposure levels (that can be very different from actual exposures because of uncertainties), such as the 25 rem of 10 CFR 100, it is useful to be mindful of the routinely accepted exposure levels by the members of the public. For example, numerous medical procedures expose the patient to doses of more than 1 rem, with at least one procedure reaching an estimated dose of 5.7 rem [31]. In addition, background radiation doses in certain parts of the country and the world can reach the rem range and as high as around 26 [32] rem/yr (another study of the same locality arrived at 70 rem/yr [33]). Ref. [32] found no greater incidence of cancer in the high dose population compared with those in neighboring areas of normal background radiation. Even a maximum background radiation at 1 rem/yr, which is observed in many parts of the country and the world, can be argued to be comparable to about 50 rem TEDE for a 50-year exposure.

6. An alternative frequency versus consequence curve

The motivation for use of an FC curve concept is, in part, to provide an indication of reaching adequate levels of preventive and mitigative measures (collectively referred to as controls in this paper) for various accident scenarios. An alternate and conceptual FC curve for satisfying this purpose that can be used by the applicant/reactor vendor in the design stage without the negative implications that were mentioned for the FC curve of NUREG-1860 is suggested in Fig. 2. Note that this scheme would only form a part of an integrated safety decision making process for a new design, such as the five-element process described in Regulatory Guide 1.174.

The key feature of this curve is that it is consistent with the concept of generating risk information and insights in support of deterministic approaches, not as a means for undermining a holistic approach to the nuclear plant safety assurance process. This FC curve can be viewed as a design or operational safety optimization tool for use by the reactor designer or plant operator.

Fig. 2. A conceptual accident sequence-level frequency versus consequence curve that can be used by applicant during design process.

Fig. 2 incorporates several key considerations:

(i) This FC curve is also used with single accident scenarios (or scenario groups/event families).

(ii) This is an FC curve used and conceptualized by the designer or reactor vendor in the plant design stage to establish the basis for the decisions regarding incorporation of the initial set of controls, and each additional control to be potentially considered for a given accident scenario.

(iii) The use of risk-based acceptance-criteria is avoided. There are no acceptable risk and unacceptable risk regions. It is important to eliminate this concept of risk-acceptability from the design optimization process, even in the mind of the designer.

(iv) One of the main objectives for selection of DBE and Beyond DBEs is to establish the adequacy of controls. The two distinct regions are associated specifically with a decision on whether additional controls should be considered for the specific scenario.

(v) The two regions are separated by a band of perhaps an order of magnitude variation with diffused boundaries (such as in Regulatory Guide 1.174) on frequency and consequence, rather than firm boundaries. This is because any single parameter of scenario frequency or consequence (the mean is typically used for all) is itself subject to uncertainty and ensuing challenges, as the ranges of variability and the underlying distributions are generally assigned subjectively.

(vi) The consequence scale may be related to appropriate public health measures and/or cost-benefit for the inclusion of the additional control under consideration.

(vii) Since this curve is used as a design aid for the applicant, regulatory staff would have no position about the acceptability or the lack thereof associated with any part of its construct, including the anchor points. The regulator must use the totality of the safety information delivered by the design and the proposed operational plan that includes the traditional deterministic requirements along with the supplemental PRA information in concluding that the proposed plant is safe.

Note that the boundary region of essentially constant risk is only conceptual. The designer may decide that in certain sub-regions and because of specific considerations, such as events with particularly high or low frequencies and/or consequences, and in those areas governed by existing regulations, deviations from the boundary region are warranted.

7. Summary and conclusions

Risk-informed regulation is built around the concept of using traditional deterministic techniques of safety assurance supplemented by PRA information and insights. Traditional deterministic techniques include concepts such as incorporation of redundancy and diversity, incorporation of safety margins, application of defense in depth, application of quality assurance, etc. PRA results should play a limited and supportive role in making decisions about adequacy of safety in a risk-informed regulatory framework.

However, recent trends in the development of new risk-related approaches, whether they are performed by the industry, NRC staff or other domestic or international bodies, are towards heavier emphasis in use of quantitative PRA results. These risk measures are sometimes compared to risk threshold values that have attained an actual, or even a de facto, regulatory stature of risk acceptance criteria in certain instances. Such applications of risk measures for a nuclear reactor design or a specific plant are not always in keeping with the tenets of risk-informed regulations, which call for comparing (integral) measures of the calculated risk (e.g., PFs and LCFs or their suitable surrogates such as the CDF or the LRF) against QHOs (or their surrogate targets, e.g., 1E-4/yr for CDF) only as safety goals.

In addition, using numerical PRA results, particularly those that are not integral quantities, in a risk-acceptance context, even by the nuclear industry (as opposed to the regulators) can have numerous undesirable consequences. Examples of these among many discussed in the text include: the tendency to penalize simple, passive safety system designs in favor of complex, active designs; and future reactor designs offering lower integrated risk than those of the current and highly safe operating reactors may be erroneously labeled as unsafe and not be pursued, or be burdened with costly but unnecessary design modifications. These issues can lead to serious unintended consequences in licensing of future reactors or creating new challenges regarding the safety adequacy of existing plants.

The paper also offered an alternative use for a frequency versus consequence curve as a design or operational safety optimization tool for use by the reactor designer or plant operator.

Disclaimer

The work related to the development of this paper was conducted at the request of the Director of the Advanced Reactor Programs at the Office of New Reactors (now retired) in the last quarter of 2008 at the US NRC, while the author was on loan from the US Department of Energy.

Neither the author, nor the United States Government, any agency thereof, or any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or any third party's use of the results of such use of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, or any agency thereof.

The views and opinions of the author expressed herein do not necessarily state or reflect those of the United States government or any agency thereof.

Acknowledgments

The author wishes to thank Dr. Don Dube (US NRC) who was the first expert to review the early versions of this paper and offered his broad and in-depth knowledge in support of its development. Mr. Alan Kuritzky and Drs. Mohsen Khatib-Rahbar and Doug True provided many useful insights.

References

[1] Chapman J, Hess SM. Risk-informed, technology-neutral design and licensing framework for new nuclear plants. In: ANS PSA 2008 topical meeting: challenges to PSA during the nuclear renaissance, Knoxville, TN, September 7-11, 2008.

[2] US NRC. Federal Register, 51 FR 30028. Safety goals for the operations of nuclear power plants, August 21, 1986.


[3] US NRC. Federal Register, policy statement on use of probabilistic risk assessment methods in nuclear regulatory activities, Final Policy Statement, August 16, vol. 60(158), 1995. p. 42622-9.

[4] US NRC. Generic letter GL88020. Individual plant examination for severe accident vulnerabilities, November 23, 1988.

[5] US NRC. SECY-98-144. White paper on risk-informed and performance-based regulation, January 22, 1998. Staff requirements memorandum approved March 1, 1999.

[6] US NRC. Regulatory guide 1.174. An approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the licensing basis, Revision 1, November 2002.

[7] US NRC. NUREG-0800. US Nuclear Regulatory Commission standard review plan, Revision 3, March 2007 [Chapter 19].

[8] US NRC. NUREG-1150. Severe accident risks: an assessment for five US Nuclear Power Plants; October 1990.

[9] US NRC. SECY-89-102. Implementation of safety goal policy; March 30, 1989.

[10] US NRC. ACRS Letter to NRC Chairman, ACRS comments on an implementation plan for the safety goal policy, May 13, 1987.

[11] US NRC. SECY-00-0198. Status report on risk-informed changes to the technical requirements of 10 CFR part 50 (option 3) and recommendations on risk-informed changes to 10 CFR part 50.44 (combustible gas control); September 14, 2000.

[12] US NRC. SECY-90-016. Evolutionary light water reactor (LWR) certification issues and their relationships to current regulatory requirements, June 26, 1990.

[13] US NRC. Federal Register, vol. 73 (199), NRC-2008-0237. Policy statement on regulation of advanced reactors, October 14, 2008. p. 60612-6.

[14] US NRC. NUREG-1338. Draft pre-application safety evaluation report for the modular high-temperature gas-cooled reactor, March 1989.

[15] US NRC. NUREG-1860. Feasibility study for a risk-informed and performance-based regulatory structure for future plant licensing, December 2007.

[16] General Atomics. Top-level regulatory criteria for the standard MHTGR, DOE-HTGR-85002, September 1989.

[17] European Commission. European safety approach for modular HTR, Document no. RAPHAEL-0903-D-ST4.2, Restricted distribution, April 15, 2005.

[18] ANSI/ANS-53.1-200X. Nuclear safety criteria and safety design process for modular helium-cooled reactor plants, Draft; June 23, 2008.

[19] Safety Report Series no. 54, accident analysis for nuclear power plants with modular high temperature gas cooled reactors, April, 2008.

[20] Hun-Joo Lee (Coauthor). Korea Institute of Nuclear Safety. Regulatory viewpoint on innovative VHTR development in Korea. In: 4th international topical meeting on high temperature reactor technology, September 28-October 1, 2008.

[21] NEI- 02-02. Nuclear Energy Institute. A risk-informed, performance-based regulatory framework for power reactors, May 2002.

[22] Jean Joubert (Coauthor). National Nuclear Regulator, South Africa. South African safety assessment framework for the pebble bed modular reactor. In: 4th international topical meeting on high temperature reactor technology, September 28-October 1, 2008.

[23] PBMR (Pty) Ltd. Probabilistic risk assessment (PRA) approach for the pebble bed modular reactor, Revision 1, June 12, 2006.

[24] US NRC. SECY-07-0101. Staff recommendations regarding a risk-informed and performance-based revision to 10 CFR part 50 (RIN 3150-AH81); June 14, 2007. Staff requirements memorandum approved September 10, 2007.

[25] US NRC. SECY-09-0056. Staff approach regarding a risk-informed and performance-based revision to part 50 of title 10 of the Code of Federal Regulations and Developing a Policy statement on Defense-in-Depth for Future Reactors, April 7, 2009.

[26] US NRC. ACRSR-2267. Development of a technology-neutral regulatory framework, September 26, 2007.

[27] Memorandum. E.V. Imbro to J.E. Dyer. Foreign travel trip report for the International Atomic Energy Agency Consultancy meeting to develop an IAEA safety guide on classification of structures, systems, and components from April 24 through April 29, 2006; May 5, 2006.

[28] US NRC. Federal Register, 50 FR 32138. Policy statement on severe reactor accidents regarding future designs and existing plants, August 8, 1985.

[29] Code of Federal Regulations, Parts 1-50; January 1, 2008 [Chapter 10].

[30] Code of Federal Regulations, Parts 51-199; January 1, 2008 [Chapter 10].

[31] Stabin M. G. Doses from medical radiation sources. Health Physics Society. http://www.hps.org/hpspublications/articles/dosesfrommedicalradiation.html; Updated May 26, 2009.

[32] Karam PA. The high background radiation area in Ramsar, Iran: Geology, norm, biology, LNT, and possible regulatory fun. In: WM '02 Conference, Tucson, AZ, February 24-28, 2002.

[33] Jaworowski Z. Ionizing radiation and radioactivity in the 20th century. In: International conference on radiation and its role in diagnosis and treatment, Tehran, Iran, October 18-20, 2000.