Text

D880412 The Honorable Lando W. Zech, Jr.

Chairman U.S. Nuclear Regulatory Commission Washington, DC 20555

Dear Chairman Zech:

SUBJECT:

PROGRAM TO IMPLEMENT THE SAFETY GOAL POLICY -- ACRS COMMENTS During the 336th meeting of the Advisory Committee on Reactor Safe-guards, April 7-9, 1988, and in previous meetings, we discussed NRC Staff efforts to devise methods for implementing the Safety Goal Policy enunciated by the Commission in 1986. Following our report to you of May 13, 1987, "ACRS Comments on an Implementation Plan for the Safety Goal Policy," the Commission directed the Staff to develop a plan along the lines we had suggested.

The ACRS and its Subcommittee on Safety Philosophy, Technology, and Criteria have met several times with members of the Office of Nuclear Regulatory Research (RES) to discuss means by which the implementation plan suggested in our May 1987 report might be "fleshed out." We expect that additional meetings will be necessary over the next few months.

Our understanding is that the Staff will then document a description of its program. We believe it would be useful to provide you with some interim comments. These follow:

Definition of a "Large Release" The Safety Goal Policy includes a general performance guideline that there should be a probability no greater than 1E-6 per reactor-year of a large release from any operating nuclear power plant. Exactly what is meant by a large release was not defined in the Policy, but it has been suggested that a definition is needed in the implementation plan.

We believe the definition of a large release should make clear that a release to the biosphere of a substantial fraction of the core inventory is intended. In particular, it is misleading to define it in terms of health effects; those goals are stated elsewhere in the Policy. Of course, in assessing whether the 1E-6 goal is met by the body of regu-latory rules and practice, one will have to consider and evaluate specific sequences for individual plants. All of the probabilistic risk assessments (PRAs) provide examples of such sequences, and it is uni-versally agreed that the "bottom line" estimates thereby derived are among the weakest results of a PRA. Nonetheless, a definition of a large release in terms of a number of curies released would provide a durable objective for the calculations, which will improve with time, and which must be done as best one can at any given time. In the end, of course, a particular number will have to be specified, and it must be consistent with the other elements of the program.

Examples of what we have in mind might be helpful. We regard the

release to the environment that occurred at TMI-2 in 1979 as not a large release. The release that occurred in the accident at Chernobyl Unit 4 in 1986 was a large release. The fact that there were apparently no "prompt" radiological fatalities among the offsite population at Chernobyl is irrelevant under the proposed definition.

Definition of "Core Melt" In our report of May 13, 1987, we suggested a performance objective for "prevention" systems as a calculated core melt probability of less than 1E-4 per reactor-year. Exactly what is meant by core melt, seemingly a simple question, presents a problem for analysts and others considering the details of nuclear power plant accidents. The most likely sequence of core overheating, melting, and displacement can be viewed as a hypothetical sequence of events. Each event is less likely than that preceding it because the sequence may be interrupted at any point, for example, by successful performance of emergency procedures. These events might be defined as:

(1) loss of adequate core cooling (core overheating beyond design-basis limits),

(2) onset of significant damage to the core, (3) melting and displacement of the core within the reactor pressure vessel (as in the TMI-2 event),

(4) passage of molten core out of the reactor pressure vessel (e.g.,

"core on the floor").

We would apply the 1E-4 objective to the first event in this sequence, with the expectation that there is a significant but undefined margin in likelihood between it and the remaining events. We note that referring to this as a "Core Melt Performance Objective" is an unfortunate choice; however, it is one that is well established in the nuclear safety community.

Definition of the Plant Performance Objective Our May 1987 report recommended that a performance objective expressing "how well the plant is operated" should be developed. The RES Staff has indicated that it doesn't know how to do this and plans no further work regarding this matter. Without a performance objective of this sort, the severe gap in the logic of the Safety Goal Policy, which led to our original recommendation, remains.

The problem is as follows:

. The Safety Goal Policy is intended, as we understand it, to be a declaration of intent about how safe operating nuclear plants are to be. However, PRA, the primary tool by which performance of plants against the safety goal is to be judged, uses few data on operational performance. Most of the analyses in a PRA depend on attributes of the plant design. Very little information about how a plant is actually operated is used. Where actual operational performance is included (e.g., equipment failure rates and pre-

dictions of operator response), most of the data used are generic to industry experience and little reflect attributes of the oper-ation of the particular plant being analyzed. This is really an inherent weakness in the present art of PRA.

. Although no means are presently apparent for incorporating a more complete definition of operational performance into the Policy implementation, we believe credibility of the Policy suffers without it. Research could help. It might be possible to somehow better incorporate attributes of operational performance into PRA.

If this cannot be done, a prominent caveat, e.g., a warning that PRA results do not tell the full story, should be made a part of the Policy or of the implementation plan.

We note that at one of our recent meetings, Nuclear Reactor Regulation Staff described plans for further work having as its objective a better description (for use in PRAs, e.g.) of the contribution to risk or to safety made by the plant operating staff. Results of this work could contribute to the formulation of a performance objective.

Use of Cost-Benefit Analysis Cost-benefit analysis has a role in regulatory practice under the backfit rule. In this context, the role of the safety goal should be only to help provide a definition of what is meant by "adequate for safety." If it is found that a regulation is permitting plants to be licensed which seem to have safety performance poorer than the guidance provided by the safety goal, then that regulation should be revised, without recourse to cost-benefit arguments.

Need For Review of Regulations From the Perspective of the Safety Goal Policy There is a need to consider what is meant by implementation of the Safety Goal Policy. We have suggested that the Policy not be "used to make narrowly differentiated decisions about specific plants." Instead, it should be used as a primary means for judging the suitability and necessity of specific regulations and regulatory practices. We include practices in this discussion because many of the requirements levied by the NRC on licensees are not part of formal regulations but proceed from a more informal body of practice. We put aside, for now, the question of whether this in itself is or is not a problem but suggest only that the informal, as well as the formal, regulatory practices should be constrained by the Safety Goal Policy.

The next question is whether the Policy should be used only reactively in assessing proposed regulatory changes evolving from other programs (e.g., new requirements coming from resolution of a USI), or should be used more actively in assessing the present body of regulatory practice.

We recommend the latter.

The existing body of regulations and regulatory practice has grown enormously over the past 30 years. This growth has been largely a bottom-up process as the regulatory staff and ACRS have reacted to proposals from applicants and vendors and responded to developing technical information and plant experience. We believe it is possible to make a zero-based assessment of this body of regulations to deter-

mine: (a) which parts are contributing effectively to assure that plants are appropriately safe, (b) which parts are unnecessary, and (c) which parts need to be strengthened or better focused.

It is the responsibility of the NRC to move in the direction of such an assessment. It will not be easy but should begin now for several reasons:

. There is a hiatus in applications for new plants.

. There is now an extensive body of experience with operation and regulation that did not exist 30 years ago.

. There is now much more complete information about severe accidents than existed previously.

. PRA has matured and is available as a tool.

. And finally, the Safety Goal Policy is available as a thoughtful and agreed-upon measuring criterion.

We trust the above comments will be useful as the Staff continues with development of the Policy implementation.

Additional remarks by ACRS Member Harold W. Lewis are presented below.

Sincerely, W. Kerr Chairman Additional Remarks By ACRS Member Harold W. Lewis The Committee has, in its May 1987 report, defined the term "core melt" to mean loss of assured core cooling which can result in severe core damage, to match the probability objective of 1E-4 per reactor year. In this report the definition is made even more restrictive. While there is ambiguity in the community about the meaning of the term (as noted by the Committee), the redefinition has an enormous impact on the effect of the goal. There is a considerable difference of probability between loss of adequate core cooling and melting of the core, the former more probable but not necessarily damaging. Since the assignment of the term "core melt" to an event which need not melt the core unnecessarily biases the interpretation of the safety goal, I believe it is the job of the Commission to clarify what is meant by the term, rather than for the Committee to read minds. I take the simplistic view that a core melt requires a molten core. In the law, the established procedure for resolving apparent ambiguities is to start with the plain meaning of the words.

I also believe it important that the Commission (not the Staff) clarify its intent in promulgating the Safety Goal Policy. Though the goals were stated by the Commission two years ago, we continue to hear of

Staff actions which are justified by one or another version of "if we can see a way to improve safety, we will." Presumably the Commission, by giving an answer to the how-safe-is-safe-enough question, intended precisely to dampen such unbounded enthusiasm. I believe the Commission should reinforce its guidance to its staff.