ML19092A232

From kanterella

Comments on BTP 7-19 - Gjohnson - Member of the Public

Issue date: 04/02/2019
From: David Rahn, NRC/NRR/DIRS/IRGB
To: Jason Paige, Division of Licensing Projects
Govan T, 415-6197, NRR/DIRS

Text
From: Rahn, David
To: Paige, Jason
Cc: Waters, Michael; Benner, Eric; Alvarado, Rossnyev; Morton, Wendell; Zhang, Deanna; Salgado, Nancy; Mott, Kenneth; Rebstock, Paul; Thomas, Brian; Govan, Tekia
Subject: FW: Re: Public Meeting Regarding Updating of BTP 7-19 and Long-term Planning of Future DI&C Modernization Efforts
Date: Tuesday, April 02, 2019 9:00:04 AM
Attachments: 2018 - Denning and Budnitz, Impact of PRA and SAR in reducing reactor risk Progress in Nuclear Energy 102 pp.90-102 (2018).pdf; Comments on NEI Digital I&C Strategy presentation GLJ 20190401.docx

Hi Jason:

I received the attached email from Gary Johnson (former Lawrence Livermore principal investigator on NRC I&C projects). Please include it with your meeting materials for the April 4th public meeting.

Thanks,
Dave

From: Gary Johnson <kg6un@me.com>
Sent: Monday, April 01, 2019 7:06 PM
To: Rahn, David <David.Rahn@nrc.gov>

Subject: [External_Sender] Re: Public Meeting Regarding Updating of BTP 7-19 and Long-term Planning of Future DI&C Modernization Efforts

Hi Dave

The NEI paper referenced in the invitation looks like Warren Odess-Gillett's work. That's good news. I've known Warren for a long time. He's a thoughtful and serious guy. My short version of the paper is "Let's use IEC standards." I'm ok with that.

A few notes on the presentation are attached. You've probably heard most of this before.

What we I&C people want is some way to introduce safety factors like the structural folk. It isn't so easy.

Using a ship analogy, DAS is a kind of double hull. I'm thinking that we need something more like a lifeboat.

I think we are forgetting a couple of things.

Software CCF in the protection system is only one kind of CCF. CCFs come about from design errors.

We don't know how to predict these and we are probably not through with them. Back in the 60s Eppler concluded that the reliability of protection systems could only be about 10^-4 per demand and I have reached the same conclusion by a different path. One of these days, I'm going to collect all of the I&C related Nuclear Safety articles into one document. Those guys were pretty smart.

We now have additional defense in depth systems that didn't exist or weren't so well understood. To my mind if we take credit for these we might find that the risk from CCF of all kinds is not as scary as we thought in 1993.

Richard Denning and Bob Budnitz (a couple of old NRC troopers) wrote a paper discussing some of the improvements made in the last few decades. Attached.

I know Bob well. He was the staff person responsible for producing the Rogovin report and was for a while the director of research.

During my last years at Livermore he was my Associate Division Leader and I still see him in Berkeley from time to time.

Best Regards,
Gary

> On Mar 27, 2019, at 6:15 PM, Rahn, David <David.Rahn@nrc.gov> wrote:
>
> <Meeting Announcement April 4 2019 --Revision of BTP 7-19 and Long-Term (Strategic) Assessment.pdf>

Progress in Nuclear Energy 102 (2018) 90-102
Contents lists available at ScienceDirect
Progress in Nuclear Energy
journal homepage: www.elsevier.com/locate/pnucene

Impact of probabilistic risk assessment and severe accident research in reducing reactor risk

R.S. Denning a,*, R.J. Budnitz b
a Consultant, 2041 Hythe Rd, Columbus, OH, USA
b Lawrence Berkeley National Laboratory, University of California, USA

Article history: Received 6 March 2017; Received in revised form 11 May 2017; Accepted 23 May 2017; Available online 27 June 2017

Keywords: Probabilistic risk assessment; Severe accident research; Societal risk; Risk reduction

Abstract

The development of probabilistic risk assessment (PRA) as a safety analysis tool and the implementation of lessons learned from risk studies in the design, operation and regulation of nuclear power plants has resulted in a substantial reduction in reactor risk. The lack of a strong technical basis for realistically assessing severe accident behavior, including the release and transport of radionuclides to the environment, resulted in some conservatism in early risk studies that distorted the true nature of severe accident risk. This paper describes the evolution of PRA over the past four decades, the benefits that have been achieved in the reduction of reactor risk, and the changes in the perspective of the nature of severe accident risk associated with the development of a strong technical basis for assessing severe accident consequences. Based on these developments, we conclude that the probability of early containment failure leading to a large, early release of radioactive material to the environment was over stated in these early risk studies. Although it is not possible to preclude the possibility of offsite early fatalities in a severe accident, the probability is extremely small, perhaps below the level at which it should be a key consideration in regulatory oversight. Conversely, as highlighted by the Fukushima accident, the potential for the societal impacts of land contamination represents an important element of reactor accident risk that has received insufficient consideration in the past. These findings have implications regarding preferred strategies for emergency planning and appropriate metrics for risk-informed regulation.

© 2017 Elsevier Ltd. All rights reserved.

* Corresponding author. E-mail address: denningrs.8@gmail.com (R.S. Denning).
http://dx.doi.org/10.1016/j.pnucene.2017.05.021 0149-1970/© 2017 Elsevier Ltd. All rights reserved.

1. Introduction

In many respects, the nuclear industry grew up too quickly. Initial operation of the Shippingport nuclear plant was followed quickly by the Connecticut Yankee plant, the first true pressurized water reactor (PWR) demonstration plant, and the Dresden plant, the first boiling water reactor (BWR) demonstration plant. Before these 300 MWe demonstration nuclear power plants (NPP) had begun to operate, 600 MWe plants and 800 MWe plants had already been ordered, soon to be followed by plants greater than 1000 MWe. As a result, it was not possible to incorporate significant operating experience into the design basis of subsequent generations of reactor designs. Thus, materials problems, such as steam generator tube degradation, and safety lessons, such as those exposed by the Browns Ferry Unit 3 fire and the Three Mile Island Unit 2 accident, had to be addressed by making expensive backfits to existing plant systems.

The objective of this paper is to assess the impact of two specific developments that have had a major impact on the safe design and operation of existing plants and have laid the groundwork for the improved safety of future plant designs: (1) probabilistic risk assessment (PRA) and (2) severe accident research. These developments have led to both a better understanding of the nature of severe accident risk and to an actual reduction in that risk. This paper only addresses the evolution in safety of light water reactors (LWRs), although an improved understanding of severe accident behavior and the application of risk analysis are playing a key role in the safe design of other advanced reactor concepts.

The nature of the hazard associated with the large inventory of radioactive material in an operating nuclear power plant is significantly different from the safety challenge posed by other forms of electricity generation. This difference was recognized by the designers very early through the development of a Defense-in-Depth (Drouin et al., 2016) approach to assuring adequate public safety (as described in Section 2). However, the plants that are currently operating were largely designed, constructed and operated without an in-depth capability to model the response of the plant to off-normal, low probability events beyond the design basis of the plant.

1.1. Risk

Risk is defined as the possibility that something bad will happen, (Merriam-Webster Dictionary, 2017). Risk always has two elements, a consequence characteristic and a likelihood characteristic. When someone assesses whether an action is safe or unsafe, they are actually assessing what the risk of the action is. Thus, when we describe an improvement in reactor safety, we are implying an improvement in reactor risk, either a reduction in probability, a reduction in consequences or a reduction in both.

When we cross a street, there is a potential consequence that we will be struck by a car and die (perhaps the ultimate consequence), but by taking appropriate precautions (staying in the cross walk; looking both ways) we determine that the probability of being struck is sufficiently low that we conclude it is safe to cross. We briefly address safety adequacy in this paper within the context of the conformance of plant risk to probabilistic safety goals that have been established by the Nuclear Regulatory Commission (NRC). Nevertheless, the question of safety adequacy underlies basic decisions made by owners, regulators and the public in deciding whether or not to maintain or expand the role of nuclear energy in addressing future energy supply needs.

As the result of extensive severe accident research, reactor operating experience, and the application of risk assessment techniques, our technical understanding of reactor accident risk has substantially improved over the past sixty years. The primary value of a risk assessment is generally recognized as the identification of the principal contributors to risk rather than the quantitative (bottom line) results. In fact, risk analysts generally warn against over-emphasis on the calculated risk numbers without consideration of the associated uncertainties. Nevertheless, in this paper we will use the quantitative results from risk assessments to provide a measure of the relative improvement (reduction) in risk that has occurred as a result of changes in plant configuration and plant operations.

The second major topic discussed in this paper is the insight, which has evolved through an extensive body of both experimental and analytical studies, that the likelihood of a major accident that would produce a very early and large release of radioactive material to the environment is much less than had been thought earlier. Conversely, another insight is that the importance of major contamination to off-site property has not received the degree of attention it deserves, either in the regulations or in the considerations of decision-makers at the policy level. The bases for these insights will be discussed in the body of this paper.

The fact that there is an improved technical understanding of NPP risk does not necessarily mean that public perception of the risk of NPP accidents has changed. Communicating a technical understanding of risk to the public is extremely difficult. Thus, we will differentiate between a technical understanding of the magnitude of risk, which is the subject of this paper, and public perception of risk.

1.2. Structure of paper

Section 2 of this paper describes the deterministic framework that was developed for the regulation, design and operation of NPPs. Section 3 describes the methodology of PRA, including a description of WASH-1400, the first major application of PRA to address the risk of commercial NPPs (US NRC, 1975). Because of the very limited knowledge of severe accident behavior that existed at the time WASH-1400 was undertaken, before PRA could become a reliable tool for safety regulation it was necessary to undertake sufficient research on severe accident behavior to assure that PRA was not leading to a distorted perspective of the contributors to plant risk. The scope of this research is described in Section 4. Section 5 returns to a discussion of PRA and its broad application to NPPs in the U.S. Section 6 provides our quantitative assessment of the actual reduction in risk of accidents in NPPs currently operating in the U.S. that has resulted from actions taken based on PRA results. This improvement in the understanding of reactor risk has also provided the basis for a future generation of LWRs with even lower risk. Finally, in Section 7 we discuss general misperceptions of the nature of the risk posed by operating plants and provide our own perspective.

2. Development of a regulatory framework, deterministic design criteria, and operating restrictions for U.S. reactors

The regulatory requirements imposed by the U.S. Nuclear Regulatory Commission (NRC) on the safe design, licensing and operation of nuclear power plants are contained in Title 10, Part 50 of the Code of Federal Regulations (US NRC, 2017a). Appendix A to Part 50 identifies General Design Criteria (GDC) that are applicable to all NPPs in the U.S. The GDC codify a safety philosophy built around the use of multiple barriers to the release of radioactive material, a balance of preventive and mitigative safety features, and the use of redundancy and diversity of safety systems. Although the term Defense-in-Depth was not coined until the late 1960s, it is now used as a general description of this underlying approach to NPP safety (Drouin et al., 2016). Some of the key requirements of the GDC are a high level of quality assurance (as detailed in Appendix B of Part 50), protection against natural phenomena hazards, fire protection, leak-tight containment system, emergency core cooling system, negative reactivity feedback, independent reactor shutdown system, and decay heat removal system.

In complying with the GDC and more detailed regulatory guidance documents, deterministic design bases are developed by the reactor design organization for safety-related systems. For example, based on a calculation of the increase in pressure that would occur in containment in a major loss of coolant accident of 0.25 MPa, a design basis for the containment might be 0.3 MPa, which includes some safety margin based on established safety codes developed by industry organizations, like the American Concrete Institute. These codes and standards have undergone extensive review by standards committees. The design bases for a nuclear power plant are described in a Safety Analysis Report (SAR) in which compliance with the design bases is demonstrated by the analysis of so-called design basis accidents. The SAR also includes Technical Specifications that describe the Limiting Conditions of Operation of the plant, such as an identification of the number of safety trains that must be in service for the plant to continue to operate at full power. One of the key design requirements for an NPP is assurance that safety functions can be satisfied even if any single component has failed. This requirement is referred to as the Single Failure Criterion. It is an essential element of the NRC's deterministic approach to safety, in order to provide protection under circumstances in which it is necessary to disable a train of a safety system to perform testing or maintenance while the plant is operating. It also provides protection against a condition in which a safety-related component has failed but its failure has not yet been identified. The Single Failure Criterion is only applied to active components, i.e. those components that require some motive force like electricity or a steam turbine or require operator intervention to operate.

The design basis for the strength of the containment structure in currently operating LWRs uses the release of steam to containment for a large loss of coolant accident (LOCA). Because the objective of the leak-tight nature of the containment is to retain the release of radioactive material from the fuel that would occur in a severe accident, this large LOCA design basis assumption acts as a surrogate for containment loads that would occur in a large variety of severe accidents. All BWRs and one class of PWRs (ice-condenser containment design) use pressure suppression devices that condense steam as a means of decreasing the size or strength of the containment for the purpose of reducing cost. Because severe accident loads actually include the production of non-condensable and combustible gases in addition to steam, the likelihood of containment failure has been found to be higher in severe accident scenarios for BWRs than PWRs. This is to a large extent mitigated by the potential for capture of radioactive material in the pressure suppression device (suppression pools in BWRs), which can be substantial as long as the pool is not thermally saturated.

The term source term is used in safety analysis to represent the release of radioactive material to the environment. The amount of this release is the source term for assessing environmental dispersion and radiation dose to exposed members of the public. The term is more broadly used to describe the amount of release of radioactive material from fuel and release from the reactor coolant system in addition to the release to the environment. The design basis accident source term used when these plants were originally licensed was developed from a study performed by ORNL and reported in TID-14844 (DiNunno et al., 1962). The TID source terms are in many respects inconsistent with current understanding of severe accident source terms. The TID source term assumes a release to containment of 100 percent of the noble gases, 50 percent of the halogens (largely iodine), and 1% of the other fission products in aerosol form. The iodine was primarily assumed to be in the elemental form. Of the iodine released to the containment, 50% was assumed to be captured by removal processes. Based on the TID release to the containment, site dose calculations were performed for each plant to determine exclusion area boundary and low population zone boundary. In this analysis, the containment structure is assumed to leak at its design basis leak rate (in the range of 0.1 vol % per day to 0.25 vol % per day). These boundaries are established to assure that someone standing at the boundary would not receive a dose exceeding 0.25 sievert (Sv) to the whole body or 3 Sv to the thyroid over a 2 h period for the exclusion area or the duration of the release for the low population zone. A very conservative (95th percentile) site-specific meteorology is used in the analysis. The symptoms of radiation sickness occur at approximately 1 Sv. Thus, the siting analysis requirement provides assurance that even for severe accidents, in which the containment remains intact and leaks at its design rate, the consequences to members of the public in the vicinity of the plant will not result in prompt radiation-caused health effects.

When currently operating plants were licensed, there was a two-step licensing process (US NRC, 2017a) in which acceptance of a Preliminary SAR was required before construction could begin and acceptance of a Final SAR was required before the plant could be operated. Because design considerations were evolving rapidly, numerous changes would be incorporated into plant designs during the SAR review process to address licensing issues and to satisfy the individual preferences of the utility. As a result, the approximately one hundred (currently 98) nuclear plants operating in the U.S. are each unique in some respect. This has had both safety implications and cost implications associated with the length of time required to obtain an approved license. It has also led to the need for plant-specific risk assessments for virtually every plant. Future plants, like the AP-1000 reactor (Westinghouse, 2017), will be licensed according to a revised process (US NRC, 2017c) in which a reference design is approved by the NRC and a single-step combined construction and operating license is approved, as long as the applicant does not deviate from the approved reference design.

Subsequent to the atomic bomb attacks at the end of World War II, the public became very aware of the potential health effects of exposure to large doses of radiation. Thus, there was fear that a major release of radioactive material from an NPP could have substantial public health implications. If private companies were to design, build and operate nuclear power plants, their liability exposure would be large and considered unacceptable from an investment viewpoint without some federal protection and a means to provide insurance coverage. In 1957 in order to support legislation that would provide a pool of insurance funding, a study was supported by the U.S. Atomic Energy Commission (AEC) and performed by Brookhaven National Laboratory (BNL) to assess the potential consequences of a worst case accident scenario (US AEC, 1957). Lacking the ability to realistically model severe accident scenarios, three possible radioactive material release scenarios were examined for a range of meteorological conditions. Ranges of consequences were calculated for area of land contamination, number of injuries (radiation sickness) and fatalities from a lethal dose of radiation. The estimated frequency of major releases was subjectively assessed as 1E-5 per yr to 1E-9 per yr. The most severe scenario was assumed to result in the release of 50% of the core inventory of noble gases and halogens (iodine) for a 500 MW(thermal) reactor. Up to 3400 early fatalities and up to 43,000 early injuries were estimated depending on meteorology and the conditions of release. The BNL study (typically referenced by its document number WASH-740) also concluded the potential existed for contaminating large areas of land to a level restricting use for crops. The very conservative, non-physical assumptions made in this study resulted in a perspective about the potential consequences of an accident at an NPP that is vastly different from the current technical perspective obtained from the results of more mechanistic studies, as will be discussed in Section 6.

3. Development of probabilistic risk assessment (PRA) as a safety analysis tool

As the nuclear industry began a major expansion in the 1960s, public concerns rose about the safety of nuclear power plants, particularly as the size of the plants began to grow. The potential value of an assessment of the risk of nuclear power was recognized, although with some concern as to whether it would be possible to realistically assess the probability of core damage events with such a limited data base (US NRC, 2016). In 1972, the AEC initiated a planning activity to develop a methodology to be used in a comprehensive assessment of accident risk in NPPs. The methodology that was developed, PRA, relies on reliability tools in use in other disciplines, in particular the aerospace industry. Specifically event trees (ET) are used to characterize the relationships among the success or failure of major systems providing critical safety functions and fault trees (FT) are used to calculate the failure probabilities of systems using basic component failure data. In some respects this FT/ET approach is particularly well-suited for the analysis of accidents in nuclear reactors, whose safety relies on multiple redundant and diverse standby safety systems.

In the PRA process, risk is represented as an ensemble of triplets that address the questions: What can go wrong? How likely is it? What are the consequences? Risk is thus comprised of (1) the identification/definition of scenarios, (2) the associated frequencies (or probabilities) of those scenarios, and (3) the associated consequences of those scenarios. A scenario begins with an initiating event (e.g. loss of offsite power). Depending on the success or failure of safety systems, that initiating event will be coped with without significant consequences or will lead to various levels of consequence depending on which systems succeed or fail. Initiating events typically occur with sufficient frequency that a database exists from which the frequency of occurrence can be determined. Because of the redundancy and diversity of safety systems in a nuclear power plant, in order for an event to result in significant consequences, multiple faults must occur. The overall frequency associated with the combination of the occurrence of an initiating event with the probabilities of multiple failures of systems is small and cannot be quantified directly based on experience. However, the ET/FT methodology decomposes the risk in a manner that uses the database that does exist on component failure probability with Boolean logic to deductively assess the probability of core damage given an initiating event. In combination with the known frequency of initiating events, the overall risk can be quantitatively assessed.

In general, there are limited data on which to base the analysis of the failure probability of full systems, such as the emergency core cooling system, under accident challenge conditions. This is particularly true of redundant systems, for which the loss of function depends on multiple faults. In practice, the most likely source of multiple failures is found not to be the result of the combination of random failures of multiple components but rather due to common cause failures. For example, one type of common cause failure involves maintenance errors, such as an error in the replacement by a technician of a pump seal on the same component in each of three safety trains with the wrong type of seal. Thus, in an accident when the component is called on to operate, not only one component fails but all three redundant components fail. Another type of common cause failure involves the direct impact of the initiating event on redundant components, such as in a fire or a seismic event. Approaches to the quantification of common-cause failure probabilities have been developed that can be effectively implemented within the context of FT/ET methodology (Fleming et al., 1986). Although there are other approaches that can be taken in assessing nuclear power plant risk, the term PRA is usually synonymous with FT/ET methodology. However, using PRA to study reactor safety goes well beyond using FT/ET methods for modeling plant response. For example, probabilistic approaches are also particularly well suited to understanding of containment failure mechanisms and modes, and for modeling the consequences of the release of radioactivity into the containment and later into the environment.

Recognizing the scope of the task to be undertaken in the performance of a major risk study and the ultimate need for acceptance by the technical community, the AEC contracted with Prof. Norman Rasmussen of Massachusetts Institute of Technology to provide technical leadership. Mr. Saul Levine of the AEC staff acted as Project Management Director. The Reactor Safety Study, better known as WASH-1400, was performed over a three year period with a team of over 50 contractors and AEC staff. Much of the work was performed at AEC headquarters with contributions from Boeing Company, Aerojet Nuclear Company, Science Applications, Inc., Lawrence Livermore Laboratory and Sandia National Laboratories (SNL) in the areas of FT/ET analysis. Battelle Columbus Laboratory (BCL) had responsibility for the analysis of severe accident progression and radioactive material release and transport with support from Oak Ridge National Laboratory (ORNL) and Aerojet Nuclear Company. Battelle Pacific Northwest Laboratory had responsibility for offsite radioactive material release and the analysis of offsite consequences. A draft of the final report was issued in 1974. In 1975, the AEC was separated into two separate agencies with the NRC receiving responsibilities for regulatory oversight of NPPs. When the final version of the report was issued in 1975, it was given two report numbers, WASH-1400 (from the old AEC system) and NUREG-75/014 (US NRC, 1975).

WASH-1400 analyzed the risk of two representative reactors, Surry Unit 1, a Westinghouse three-loop, subatmospheric containment PWR in Virginia, and Peach Bottom Unit 2, a General Electric BWR with a Mark I containment design with a toroidal pressure suppression chamber in Pennsylvania. These two reactors were taken as representative of the anticipated population of 100 light water reactors (LWR). Depending on the objectives of the PRA, the scope can be limited to identifying and determining the frequency of severe accident scenarios (Level 1), can include the analysis of severe accident progression, containment failure and release of radioactive material to the environment (Level 2), or can include the calculation of offsite consequences (Level 3) (US NRC, 1983). WASH-1400 was performed as a Level 3 PRA to enable a comparison to be made of the relative risk to the public of a population of nuclear reactors versus other sources of risk to which the public is exposed.

In 1973, the existing capability to model core meltdown behavior was primitive. Some out-of-pile experiments of irradiated uranium dioxide fuel in Zircaloy cladding had been performed by ORNL, some transient experiments had been undertaken in the TREAT facility (Deitrich et al., 1998), and some modeling of core meltdown behavior had been performed at BCL. It was well established that there would be effectively 100% release of noble gases from melting fuel. There was also evidence that there would be substantial release of iodine, cesium and tellurium radionuclides but the associated chemistry was unclear. Thermodynamic analyses indicated that CsI would be the dominant chemical form of iodine relative to the elemental form I2. However, because there was no experimental evidence of CsI in irradiated fuel rods, the possibility of CsI being a major chemical form is not sufficiently established to justify consideration in this work (US NRC, 1975). Although HI was also recognized as a potential chemical form of iodine, the underlying assumption was that iodine would primarily be released in elemental form and that some of this iodine would be converted to an organic iodide in the containment. Organic iodide was of particular concern because it is not effectively removed by deposition processes, such as by the containment spray system.

Release fractions were divided into three phases: gap release, meltdown release and vaporization release (associated with gas sparging of the melt during the period when the molten core material is attacking the concrete basemat). Ranges of uncertainty for release fractions in these phases of the accident were developed collaboratively among researchers from BCL, ORNL and Argonne National Laboratory (US NRC, 1975).

In contrast with current modeling capabilities, the characterization of the core, reactor coolant system and containment were coarse: the core region was divided into 5 radial zones (associated with the radial power profile of the core) and 24 axial zones, the water level in the core was tracked as a balance between boiling and makeup, and the rate of hydrogen production from the steam-zirconium reaction was predicted (Baker and Just, 1962). However, the melting temperature of fuel was assumed to occur at the melting temperature of uranium dioxide. The potential for formation of U-Zr-O mixtures with lower melting temperatures and candling down the exterior surface of the cladding was not recognized at the time. There was no assessment made of circulating flow patterns within the core region.

Containment event trees were developed in WASH-1400 to describe the probability of containment failure by different modes: failure to isolate the containment, an in-vessel steam explosion leading to generation of the reactor head as a missile, containment over-pressurization from hydrogen combustion, containment over-pressurization from loss of containment heat removal and non-condensable gas production, and melt-through of the concrete basemat of the containment. In the BWR design, the potential also was assumed to exist for molten core debris to contact and fail the wall of the drywell. In the WASH-1400 analyses, the likelihood of early failure of containment in a severe accident was assessed to be substantial and the associated release of radioactive material to the environment was a large fraction of the core inventory of the more volatile radionuclides.

One of the principal conclusions highlighted in the WASH-1400 Executive Summary was that the risk to the U.S. public from accidents in the anticipated population of 100 NPPs is very small in comparison to other sources of accident risk associated with natural hazards, such as earthquakes and hurricanes, and from man-made hazards, such as aircraft crashes (see Section 6). At a high level, WASH-1400 provided both justification to the public regarding the acceptability of the risk imposed by NPPs and a measure for the NRC to assess the adequacy of regulation. More fundamentally, however, PRA was found to be effective in identifying safety vulnerabilities at NPPs that existed despite what had been considered to be a very conservative deterministic approach to safety assessment. Human error was found to be a major contributor to risk. Some of the plant-specific severe accident

deflagration occurred in the TMI-2 accident with an over-pressure of 0.1 MPa). In the aftermath of TMI-2 two major initiatives were undertaken by the NRC: a research program to better understand severe accident behavior including radionuclide source terms, and research activities to improve PRA methodology. Parallel activities were undertaken by the U.S. nuclear industry and by other countries with NPPs.

In Germany, the WASH-1400 methodology was applied to the Biblis B plant (Verlag Tuev Rheinland, 1980), a German-design of a PWR with a large dry containment. In Reference, (Keller and Modarres, 2005) provide a review of developmental PRA activities that occurred in the U.S. following the completion of WASH-1400. From 1979 to 1984 the NRC undertook the Reactor Safety Study Methodology Applications Program to extend WASH-1400 methodology to additional plant designs and the Interim Reliability Evaluation Program to develop and standardize methods of reliability assessment. Over a similar time period five full-scope PRAs were also performed for U.S. nuclear utilities by the company Pickard, Lowe and Garrick (2008). Sandia National Laboratories (SNL) undertook the Accident Sequence Evaluation Program that included the development of the THERP method for the performance of human reliability analysis (Swain, 1987).
These studies vulnerabilities that were identi"ed included the importance of made a number of advances in the methodology, particularly in the station blackout events (loss of offsite power accompanied by on- treatment of uncertainty and in the analysis of accidents initiated site failure of emergency diesel generators), failure of heat rejec- by earthquakes and "res.

tion in transient accidents, small loss of coolant accidents and the failure of isolation valves separating high pressure from low pres- 4. Severe accident research sure systems. The latter events, referred to as interfacing system loss of coolant accidents, were of high concern not only because of In 1980 the NRC issued notice of intent (45 FR40101, 1980) to the potential to result in severe core damage but also for the undertake a Degraded Core Rulemaking process to determine released radioactive material to bypass the containment building. whether nuclear power plants should be designed to deal effec-WASH-1400 also identi"ed some potential threats to containment tively with degraded core and core melt accidents. With the failure, such as combustible gas explosions. support of NRC funding, experimental programs (simulant mate-As a "rst step in risk analysis, WASH-1400 had a number of rials, prototypic materials, in-pile, out-of-pile, separate effects, in-limitations. Although the uncertainties in the estimation of core tegral experiments) were performed in the areas of:

damage frequency and severe accident consequences were recog-nized as being large, they were treated simplistically (and very  ! Fuel degradation, cladding oxidation, corium formation (mix-subjectively). The study also failed to address "re risk and seismic tures of U-Zr-O), fuel melting and slumping risk meaningfully, both of which have signi"cant potential for  ! Radionuclide chemical forms and release from over-heated fuel common cause failure. Following release of WASH-1400, the study  ! Radioactive material retention associated with natural deposi-was subjected to independent peer review (US NRC, 1978). The tion processes and the effects of engineered safety features such conclusions of the review were favorable regarding the potential of as sprays and pools PRA but identi"ed areas in which the WASH-1400 methodology  ! Hydrogen combustion including limits of de"agration and "ame should be improved. The NRC Commissioners subsequently acceleration directed the staff to continue to develop the methodology but, at  ! Steam explosions associated with corium/water interactions the current state of methodology, concluded that PRA should not be  ! Molten fuel/reactor vessel interaction and failure relied on as the basis for regulatory decisions. Section 4 of this  ! Molten core-concrete interaction paper describes the severe accident research program undertaken  ! Over-pressurization failure modes of steel and concrete to improve the ability to model severe accident consequences. containments In the late 1970s two accidents occurred at U.S. nuclear plants  ! Pressure loads on containment associated with the rapid that have had major impacts on plant design (including back"tting transfer of heat to the containment atmosphere from the of existing plants), plant operations, and regulation. 
On March 22, dispersal of fragmented molten core debris in the event of lower 1975, a "re occurred in cabling systems at Browns Ferry Unit 3 in head failure while the primary system is at high pressure.

Alabama, which was dif"cult to extinguish and resulted in the loss of critical safety systems (US NRC, 1976). This event led to major Prior to WASH-1400, severe accident behavior was not explicitly changes in "re safety programs at NPPs including improvements in considered in the licensing and regulation of nuclear power plants, the separation and protection of safety trains. other than through the use of TID-14844 source terms for the On March 28, 1979 an accident occurred at the Three Mile Island analysis of design basis accidents. In the early stages of the NRC's Unit 2 (TMI-2) reactor in Pennsylvania that resulted in severe core severe accident research program, the Source Term Code Package damage (Rogovin, 1979). Although WASH-1400 had indicated that (STCP) (Gieseke et al., 1986) was developed by BCL, which pieced severe core damage events were credible, the TMI-2 accident not together separate effects models for source term analysis. The STCP only demonstrated that fact but also displayed many of the WASH- was used to explore a range of accident scenarios for a variety of 1400 lessons learned, such as the importance of human factors (and plant designs. A study was also undertaken by the NRC using the human error), transient events leading to core uncovery, and po- tools available in the 1980 timeframe, primarily the STCP, to assess tential challenges to containment integrity (a hydrogen how severe accident behavior could be more realistically included

R.S. Denning, R.J. Budnitz / Progress in Nuclear Energy 102 (2018) 90e102 95 in the regulatory process (U.S. NRC, 1982). The Sandia Siting Study In August 1985, the NRC issued a policy statement on severe developed "ve categories of "ssion product source terms to be used accidents (US NRC, 1985) in which they withdrew their intent to in determining site acceptability (Aldrich et al., 1982). The most undertake a Degraded Core Rulemaking, concluding that existing severe of these categories included source terms as large as those plants pose no undue risk to the public health and safety. In 1986 obtained in the WASH-1400 study. Based on the results of expert the NRC published a Reassessment of the Technical Bases for elicitations and uncertainty analyses, the NRC also developed a set Estimating Source Terms, NUREG-0956 (Silberberg et al., 1986) of conservative but more physically realistic source terms, NUREG- describing improvements in the understanding of severe accident 1465, to be used for regulatory applications as an alternative to phenomena and their impacts on source term magnitude.

the source term prescription in TID-14844 (US NRC, 1995a). Following closure of the IDCOR program, the Electric Power In this time period, severe accident process-speci"c computer Research Institute became the focus of industry-sponsored severe codes were under development by a number of DOE laboratories in accident research. Just as MELCOR 2 (Humphries et al., 2017) has conjunction with major severe accident experimental programs. As become the state-of-the-art NRC computer code for the analysis of a replacement for the STCP, development of a severe accident in- severe accident behavior, the MAAP5 (EPRI, 2013) code has become tegrated effects code was undertaken by SNL as the MELCOR (U.S. the industry's state-of-the-art integrated severe accident analysis NRC, 2005) code. The NRC philosophy at the time was to develop computer code. MAAP5 has the advantage of being relatively fast a two-tiered analysis approach in which high "delity models would running and of providing consistent, reproducible results for severe be developed to address speci"c severe accident processes, such as accident outcomes obtained by different code users. MELCOR 2 has hydrogen de"agration, containment behavior, radionuclide chem- the advantage of "exible modeling to allow consideration of the istry and transport, and core melt progression. An integrated effects effects of severe accident modeling uncertainties.

code would be developed to support PRA applications. The inte- In addition to the U.S. severe accident research effort, research grated effects code would have simpler, fast-running models that programs in other countries have also made major contributions to could be benchmarked against the high "delity codes. This led to a the understanding of severe accident behavior. Experimental proliferation of computer codes that would require validation and research in Germany on fuel pin melting and slumping behavior updating. In practice, as MELCOR development progressed the best provided a very important early contribution to improving severe features of the high "delity models were incorporated into the accident modeling capability. France, Japan, Korea, Sweden and a MELCOR code. At Idaho National Laboratory (INL), a parallel number of other countries have also contributed particularly in development effort was undertaken for the SCDAP computer code. large international cooperative programs, such as the Phebus pro-SCDAP had two advantages relative to MELCOR: a more phenom- gram in France (Clement and Zeyen, 2005). The ASTEC code (Van enological modeling of fuel degradation and slumping and a more Dorsselaere et al., 2009), developed with French and German mechanistic treatment of two-phase "ow through coupling with support has capabilities comparable to MELCOR and MAAP. In the RELAP code (Siefken et al., 2001). Ultimately, the "nancial Reference, (Sehgal, 2012) has provided a comprehensive summary burden of supporting parallel code development activities by the of severe accident research world-wide.

NRC led to the elimination of support at INL. Some development work on RELAP5/SCDAP was continued by INL and separately by a 5. Extension of PRA as a tool to support plant design, private contractor, Innovative Systems Software, as RELAP5/SCAP- operations, and regulatory oversight SIM package (Allison and Hohorst, 2010).

Although MELCOR has modeling capability for PWR and BWR In order to determine the impact of the results of severe ac-plant designs, the initial application studies at SNL focused on PWR cident research on the assessed risk of nuclear power plant acci-scenarios. In this time frame, in the late 1980s, ORNL undertook the dents, the NRC initiated a follow-on study to WASH-1400, which modeling of BWR accident scenarios and the evaluation of the involved an analysis of "ve plants, the two WASH-1400 plants, effectiveness of BWR safety systems under severe accident condi- Surry (PWR, with subatmospheric, large-dry containment design),

tions with the BWRSAR code (Hodge and Ott, 1990). Peach Bottom (BWR, Mark I containment design), plus Zion (PWR, In the U.S. the nuclear industry undertook its own degraded core large-dry containment design), Sequoyah (PWR, ice-condenser cooling research, under the acronym IDCOR (Buhl et al., 1987). This containment design), and Grand Gulf (BWR, Mark III contain-program focused on a number of areas in which the industry felt ment design). The resulting report NUREG-1150, Severe Accident that the WASH-1400 models were too conservative and could Risks: An Assessment for Five U.S. Nuclear Plants, (US NRC, 1990) potentially distort perspective on the magnitude and nature of also undertook an extensive treatment of uncertainties involving severe accident risk. The NRC and IDCOR scientists undertook expert elicitation to characterize the ranges of uncertainties.

collaborative workshops to discuss such issues as the credibility of Although a version of the MELCOR code was available to provide the hypothetical containment failure mode (referred to as a-mode) some integrated results for accident scenarios, the factors associated with an in-vessel steam explosion that would convert entering into the source term, such as magnitude of release from the vessel head into a missile and the magnitude of containment fuel, retention in the primary and retention in the containment loads associated with high pressure ejection of molten fuel, if were based on STCP analyses and expert elicitation from panels of bottom head failure were to occur at high primary system pressure. experts on ranges of associated uncertainty. A "rst draft of this The principal conclusions of the IDCOR project were (Buhl et al., report was issued in 1987. However, it received a large number of 1987): review comments and underwent extensive revision. The "nal version was issued in 1990 (US NRC, 1990). A noteworthy feature

! Probabilities of severe accident scenarios are extremely low of the NUREG-1150 effort was the extensive use of numerous

! Fission product source terms are likely to be much less than topic-speci"c expert elicitation panels, which was very resource-previous studies intensive. The level of effort was so great for this study that it is

! The risks and consequences to the public of severe accidents are unlikely a similar approach for the treatment of uncertainty will much smaller than previous studies and much smaller than the be used for any PRA in the future.

NRC's safety goals In 1986, the NRC adopted a set of probabilistic safety goals for

! Major design or operational changes in reactors are not the risk to members of the public from severe accidents in NPPs (US warranted. NRC, 1986). The Commissi8on stated that it has established two

96 R.S. Denning, R.J. Budnitz / Progress in Nuclear Energy 102 (2018) 90e102 qualitative safety goals which are supported by two quantitative ineffective regulatory requirements can divert plant personnel objectives. The qualitative goals are: from performing activities that can signi"cantly improve reactor safety, the NRC undertook a comprehensive review to identify

! Individual members of the public should be provided a level of regulations that could be more risk-informed. For example, in-protection from the consequences of nuclear power plant tegrated leak-rate tests of containment integrity before plant operation such that individuals bear no signi"cant risk to life restart are very time consuming and directly impact plant capacity and health; and factor. In cooperation with the industry, the NRC developed less-

! Societal risks to life and health from nuclear power plant time consuming requirements that are focused on the areas of operation should be comparable to or less than the risks of highest potential leakage. Similarly, when changes are made in generating electricity by viable competing technologies and equipment or testing procedures that would require a change in the should not be a signi"cant addition to other societal risks. plant's operating license, the plant can expedite the regulatory review by demonstrating that the effect of the changes satisfy limits The two supporting objectives are based on the principle that on changes in core damage frequency and large early release fre-nuclear risks should not be a signi"cant addition to other societal quency, as described in Regulatory Guide 1.174 (US NRC, 2011a).

risks. The safety goals address two types of radiologically-induced Within the time period of these changes in the role of risk health effects: early fatalities from radiation sickness and assessment in reactor regulation, a major accident occurred at the radiation-induced cancer fatalities. In developing quantitative Chernobyl Unit 4 reactor in Ukraine within the former Soviet Union.

health objectives, the NRC interpreted not signi"cant to imply The lessons learned from this accident had very limited impact on less than 0.1% of other comparable health risks. Within one mile of a improving the safety of U.S. commercial nuclear power plants. The nuclear plant, the prompt fatality risk should be less than 0.1% of design-related issues that led to and exacerbated the event were other accident risks and within ten miles of the plant the increment speci"c to the unique Soviet-designed RBMK reactors (Petrangeli, in latent cancer fatalities due to radiation exposure should be less 2006). The design features of the Fukushima Dai-ichi reactors than 0.1% of an individual's cancer fatality risk. A principal "nding damaged in an accident in Japan in 2011 were similar to some older of NUREG-1150 was that the risk associated with NPP accidents is U.S. NPPs. However, the speci"c event leading to severe core very small relative to other risks, even for people living in the close damage was very site-speci"c. The height of the tsunami that proximity of NPPs (see Section 6 below). destroyed the ability to power systems required to provide In November 1988, the NRC imposed a requirement for an In- adequate heat removal far exceeded the design basis for the plant.

dividual Plant Examination (IPE) at each U.S. NPP (US NRC, 1988) In retrospect, it is clear that the process used to establish the design based on favorable NRC and industry experience with probabilistic basis for tsunami protection was inadequate. There was suf"cient analysis indicating that systematic examinations are bene"cial in empirical evidence in the Fukushima region of historical tsunamis identifying plant-speci"c vulnerabilities to severe accidents that of equal or greater magnitude that it should have been recognized could be "xed with low cost improvements. While the IPE analyses that the design basis was inconsistent with generally accepted emphasized searches for vulnerabilities, another outcome was that safety principles. A level of protection is required for NPP safety that the technical staffs at many more U.S. operating plants became goes beyond industrial standards for the design of typical safety-aware of the value of PRA methods, severe-accident analysis, and related structures like bridges. One of the lessons from the how to apply these ideas at their plants. This cultural shift, still Fukushima accident is the need to risk-inform the design bases of under way, has had a positive impact on reactor safety. external event threats. Had the design basis for the tsunami barrier In addressing the NRC requirement for a systematic IPE, the been risk-informed, for example to withstand a 10,000 year event, utilities were given the option of performing a PRA or undertaking a there would have been no core damage. Failure to protect the less-expensive alternative. Although some utilities chose an alter- plant's emergency diesel generators from "ooding also re"ected a native to PRA to satisfy this requirement, today every nuclear plant failure of defense-in-depth and safety culture. At the neighboring has at least a Level 1 PRA. 
In addition, the NRC also has a plant- Dai-ini plant site an emergency diesel generator had been provided speci"c PRA for each plant, referred to as a SPAR model (US NRC, with protection against "ooding, which was used as a source of 2017d), which has been validated against the utility's PRA model. emergency power to that site protecting those reactors from the Utilities use these PRA models on a daily basis to alert operators of degraded conditions at the Dai-ichi site (National Research Council, potentially vulnerable conditions. For example, if a plant has two 2014). Shortly following the Fukushima accident, the NRC's Near trains available to provide a particular safety function and Train A is Term Task Force made some recommendations that would signif-out of service for testing or maintenance, the plant's on-line risk icantly expand NRC's oversight into the area of beyond design basis monitor warns the operator not to take components out of service events (US NRC, 2011b). However, the NRC Commissioners have from Train B. The NRC uses its plant-speci"c SPAR models for ac- concluded that major changes in regulatory oversight will not be tivities such as determining the risk-signi"cance of operational required. Severe accident management guidelines will remain an events as potential severe accident precursors (Johnson and industry initiative. Hardened vents will be required for each of the Rasmuson, 1996). Because of the success of the IPE program in Mark I and II BWRs (US NRC, 2015). All U.S. plants have reviewed the identi"cation of plant-speci"c vulnerabilities for internally their ability to respond to a range of natural phenomena hazards initiated events, the NRC extended the IPE requirement for each including seismic events and external "oods. Other than the plant to perform external event analyses (e.g. 
analysis of accidents seismic design basis where reconsideration of the seismic hazard at initiated by earthquakes or external "ooding) in the IPEEE program all U.S. NPP sites was already in progress at the time of the (US NRC, 2002). Fukushima accident, the need for design changes at U.S. plants has In 1995 the Commissioners issued a policy statement strongly been limited.

supporting the use of PRA within the regulatory process. The policy One of the signi"cant post-Fukushima initiatives that has been statement said in part The use of PRA technology should be increased undertaken involves upgrades to severe accident management in all regulatory matters to the extent supported by the state of the art guidelines and more extensive training on these guidelines at the in PRA methods and data, and in a manner that complements the plants. The industry has also initiated a program, referred to as the NRC's deterministic approach and supports the NRC's traditional FLEX program, to provide an additional layer of defense-in-depth to defense-in-depth philosophy. (US NRC, 1995b). Recognizing that address unanticipated safety threats. In this program, mobile

R.S. Denning, R.J. Budnitz / Progress in Nuclear Energy 102 (2018) 90e102 97 equipment is being provided both at each plant site and at regional release but bypasses containment, the effects of deposition in pri-centers that could be rapidly deployed to provide an additional mary and secondary system piping as well as in the auxiliary source of cooling water or electric power for extended scenarios building were found to substantially reduce the release. In those associated with loss of long term cooling or ac power as encoun- scenarios involving containment failure, the release of radioactive tered at Fukushima (Nuclear Energy Institute, 2012). The methods iodine and cesium isotopes was found not to be dominated by the for incorporating FLEX-type safety improvements at the plants into quantity airborne at the time of failure, as in earlier studies, but by their PRA analyses are still under development at this time. the delayed revaporization of radionuclides from reactor coolant Although the range of consequences of severe accidents as system surfaces into the containment volume after it had previ-analyzed in NUREG-1150 re"ected the contemporary modeling ously failed.

capability, the range was in large part driven by two aspects of the In 2012, the results of an NRC task force were released, that had assessment: 1). The large uncertainties assessed by the technical been charged with the development of a more comprehensive, risk-experts who participated in the expert elicitation process and 2). informed, performance-based regulatory approach broadly across Simpli"cations made in the separation of radionuclide release and all aspects of the regulatory oversight of reactors, materials, waste, transport into separable factors (release from fuel, retention in the fuel cycle and transportation (Apostolakis et al., 2012). However, to primary system, release from core-concrete interaction, retention date changes to use risk information in NRC regulation in areas in water pools, retention in containment). This process led to very beyond nuclear power plant safety have been implemented in only large overall source term uncertainties, to some extent re"ecting a few cases, in part because if the potential consequences of events the contemporary level of epistemic uncertainty but in part asso- are small, the added cost of risk assessment may not be warranted, ciated with the uncertainty propagation process used in the study. and in part because in some areas PRA-type methods have not been Over the intervening twenty years, considerable additional severe developed or used.

accident research has been performed beyond the status repre-sented by the Reassessment of the Technical Bases for Estimating 6. Assessment of changes in reactor risk Source Terms (Silberberg et al., 1986) (see Section 4), which has substantially further reduced the uncertainties associated with the As stated in Section 1, the objective of this paper is to discuss and phenomena that potentially threaten containment integrity and assess the impact of two speci"c developments that have had a the release and transport of radioactive material from the core. The major impact on the safe design and operation of existing plants MELCOR 2.1 and MAAP 5 codes have matured and been validated and have laid the groundwork for the improved safety of future against integral effects experiments, like the PHEBUS experiments plant designs: (1) the probabilistic risk assessment (PRA) meth-(Clement and Zeyen, 2005). In order to obtain a contemporary odology for assessing the risk of reactor accidents and (2) the understanding of the impact of these methodological improve- capability to analyze severe accident progression with the potential ments on severe accident source terms, the NRC recently undertook for the release of signi"cant amounts of radioactivity to the envi-a major project, with support from SNL, called the State of the Art ronment. Reactor safety has also been improved as the result of Reactor Consequence Analyses (SOARCA) study (SNL, 2012). Using actions taken to address lessons learned from a few important the best available models, the SOARCA study re-examined the best- accidents, in particular the Browns Ferry "re, the TMI-2 accident estimate consequences of dominant accident scenarios for the and the Fukushima accident. 
The research that has been performed Surry and Peach Bottom plants using MELCOR 2.0 to determine the over the past 40 years has resulted in an improved technical un-physical response and release of radioactive materials from the derstanding of the magnitude and the nature of reactor risk.

plant and the MACCS computer code (US NRC, 1998) to assess off- Improved understanding does not necessarily assure a reduction in site consequences. Subsequent to the World Trade Center and risk, however. In order to achieve a reduction in risk actions have to Pentagon terrorist attack, the NRC established additional re- be taken.

quirements for mitigating the consequences of terrorist attacks on A number of major insights into reactor safety arose from the nuclear power plants (US NRC, 2017b). Much of that focus was earliest PRAs and the earliest severe-accident analyses. In the related to the potential for the draining of water from the spent fuel intervening decades a steady stream of additional insights have storage pool as the result of an aircraft crash. Equipment and pro- arisen and have been assimilated into the safety philosophy of cedures, called Extensive Damage Mitigation Guidelines, were reactor-safety analysts, owners, operators and regulators. The re-provided to plant sites to reduce the associated risk. Historically, actors are much safer as a result. Among the most important were PRA studies have limited the consideration of recovery and miti- the "ndings in WASH-1400 that sequences starting with small gative actions. However, because some of these additional safety LOCAs and transients, rather than large-LOCA sequences, were the measures provided to address risk from terrorist acts would affect dominant contributor to overall core-damage frequency (CDF).

the likelihood and consequences of key accident sequences, the Similarly the importance of the contributions to CDF of human SOARCA study also examined the impact of this equipment on the errors and of common-caused failures were other vital insights reduction of the risk from key accident scenarios. arising from WASH-1400. Shortly thereafter, the "rst industry-The SOARCA analyses indicate that the fractions of the core in- sponsored PRAs identi"ed that accidents initiated by earthquakes ventory of key radionuclides released to the environment in risk- and internal "res were among the most important contributors to dominant scenarios are substantially smaller than those obtained CDF at many plants. This led in turn to major improvements in in earlier risk studies and used in regulatory analyses, such as the safety in those areas.

Sandia Siting Source Terms (Aldrich et al., 1982). In contrast to The results of WASH-1400 not only showed the importance of WASH-1400, in which the probability of early failure of the severe core damage to accident risk but highlighted the various containment was assessed to be high in some scenarios, more potential threats that arise to containment integrity, such as failure realistic assessments of containment loads and containment to isolate the containment, steam explosions, hydrogen explosions strength in the SOARCA analyses indicate that, if containment and bypass scenarios. As severe accident research led to improved failure were to occur, it was generally much later in the accident understanding of these threats, some of the hypothesized threats scenario providing substantial time for radionuclide retention were found to be of such low probability that they have been dis-mechanisms to be effective. Similarly, in containment bypass sce- missed from further consideration. A prime example was the use of narios, such as the interfacing LOCA scenario, which has a delayed a process called Risk Oriented Accident Analysis Methodology

98 R.S. Denning, R.J. Budnitz / Progress in Nuclear Energy 102 (2018) 90–102

(ROAAM) (Theofanous and Yuen, 1995) to dismiss the α-mode failure of containment described in Section 4. Although α-mode failure had been assessed to have very low probability in WASH-1400, the level of consequences associated with a very large and very early release of radioactive material was quite high and distorted the perspective of consequences potentially anticipated in a core melt accident. The ROAAM approach was also used to address the probability of liner melt-through following lower head failure in a Mark I BWR design. Similarly, more mechanistic models of containment pressurization, hydrogen combustion, direct containment heating if molten core material were to be dispersed in the containment atmosphere if the reactor vessel failed while still at high pressure, and ability of the containment to withstand pressures well beyond design resulted in reduction in the associated probabilities of containment failure and increased delay in the release of radioactive material. These analyses also identified the effectiveness of site-specific offsite protective measures in mitigating impacts on nearby populations.

The initial PRAs considered accidents initiated while the reactor was at full power. During plant outages when the vessel head has been removed, the level of decay heat removal required to cool the core is lower and the inventories of short-lived radionuclides are smaller than when the plant is operating. However, some of the standby safety systems available when the plant is operating are no longer available in a shutdown condition, the containment barrier is no longer closed, and maintenance operations, like welding, represent potential accident initiators. In recent years, utilities have been undertaking risk assessments for plants for accident initiators associated with a shutdown plant. These risk assessments have enabled the plants to better manage the threats associated with the shutdown condition.

All of these PRA insights led to changes in the design and operation of the plants that have substantially improved overall safety. Another major impact of the plant-specific PRAs was identifying which categories of equipment and which operator actions generally suffered from compromises in reliability or efficacy; this led the plants to concentrate resources on those categories, thereby substantially improving their reliability and efficacy. Those improvements, in turn, have played a major role in the huge increase in the plants' on-line availability; the plants now produce electricity about 90% of the time or more, compared to about 50–55% that was typical in the years before the advent of PRA.

6.1. Changes in risk perspective

The principal consequences of concern for severe accidents are:

• Radiological exposures of members of the public at a level of dose sufficiently high, e.g. greater than 4.5 Sv, to result in fatality in the near term, e.g. within thirty days.
• Radiological exposure leading to radiation sickness (early injury), e.g. greater than 1 Sv.
• Radiation exposure to a population leading, after some latency period, to a stochastic increased likelihood of cancer fatality.
• Land contamination sufficient to affect land use, products, commerce, habitability and need for either exclusion or decontamination.

Fig. 1. Comparison between early fatality risk for 100 nuclear power plants and other sources of fatality risk in the United States (Natural Hazards, Man-Caused Hazards, NPP Risk-WASH-1400 are based on Fig. 6.1 and 6.2 in Ref. (US NRC, 1975); NPP Risk-NUREG-1150 is based on Figs. 3.9, 4.9, 5.8, 6.8 and 7.7 of Ref. (US NRC, 1990)).

As previously discussed, a high level finding of WASH-1400 was that a population of 100 reactors in the U.S. would represent an extremely small increment to the risks from natural hazards and manmade hazards to which the public is already exposed. Fig. 1 provides a reproduction of the WASH-1400 risk curve (exceedance frequency of an event with consequences equal to or greater than the associated abscissa) of fatalities that would be expected in a population of 100 reactors in the U.S. in comparison with the risk of natural phenomena events (e.g. hurricanes and earthquakes) and man-caused events (e.g. aircraft crashes) to which the U.S. population is exposed, but without curves for the individual risk contributors (e.g. hurricane risk). Note that the axes involve logarithmic scales. As indicated in the figure, the additional contribution to fatality risk in the U.S. associated with accidents in
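The risk curve just described (the annual frequency of an accident whose consequence equals or exceeds the abscissa, summed over a population of 100 reactors) can be computed directly from a list of accident-sequence frequencies and consequences, and then compared with a background hazard at the 0.1%-of-background level used for the safety goals and with the 4E-8 per year band below which the paper treats frequencies as negligible. The following Python is an added example, not code from the paper or from any NRC study; the sequence names, frequencies, consequences and the background curve in it are constructed illustrative values, not data from WASH-1400, NUREG-1150 or SOARCA.

```python
"""Exceedance-frequency (WASH-1400 style) risk curve for a reactor population.

Added example; the sequences and background curve below are constructed
illustrative values, not results of any risk study.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A curve is a list of (consequence, annual frequency of >= consequence),
# sorted by increasing consequence.
Curve = List[Tuple[float, float]]


@dataclass(frozen=True)
class AccidentSequence:
    """One release category: its per-reactor frequency and its consequence."""
    name: str
    frequency_per_reactor_year: float
    early_fatalities: float


# Constructed release categories for a single plant (not study results).
SAMPLE_SEQUENCES = [
    AccidentSequence("station blackout, late containment failure", 2.0e-5, 0.0),
    AccidentSequence("interfacing-system LOCA (containment bypass)", 1.0e-6, 30.0),
    AccidentSequence("early containment failure", 5.0e-7, 300.0),
    AccidentSequence("very large, very early release", 1.0e-8, 3000.0),
]

# Constructed background curve for one natural hazard (events per year, U.S.).
SAMPLE_BACKGROUND: Curve = [(30.0, 1.0), (300.0, 0.1), (3000.0, 0.01)]

EXTINCTION_EVENT_FREQUENCY = 4.0e-8  # per year: the negligible band in Fig. 1
SAFETY_GOAL_FRACTION = 1.0e-3        # safety goals sit at 0.1% of background


def exceedance_curve(sequences, n_reactors: int = 100) -> Curve:
    """Complementary cumulative frequency curve for n_reactors identical plants.

    Each point (c, f) is the annual frequency f of an accident in the whole
    population whose consequence is >= c, i.e. the ordinate of the WASH-1400
    plot at abscissa c.
    """
    per_consequence: Dict[float, float] = {}
    for s in sequences:
        if s.early_fatalities <= 0.0:
            continue  # a zero-consequence sequence adds nothing to this curve
        per_consequence[s.early_fatalities] = (
            per_consequence.get(s.early_fatalities, 0.0)
            + s.frequency_per_reactor_year * n_reactors
        )
    curve: Curve = []
    cumulative = 0.0
    # Walk from the largest consequence downward so that each point
    # accumulates every sequence at least as severe as itself.
    for c in sorted(per_consequence, reverse=True):
        cumulative += per_consequence[c]
        curve.append((c, cumulative))
    curve.reverse()
    return curve


def exceedance_frequency(curve: Curve, consequence: float) -> float:
    """Annual frequency of events with consequence >= the query value.

    The curve is a step function: the smallest tabulated consequence at or
    above the query already includes all larger events.
    """
    for c, f in curve:
        if c >= consequence:
            return f
    return 0.0


def negligible(frequency: float) -> bool:
    """True when the frequency lies in the extinction-event band of Fig. 1."""
    return frequency < EXTINCTION_EVENT_FREQUENCY


def margin_to_goal(npp_curve: Curve, background: Curve, consequence: float) -> float:
    """Factor by which the plant-population risk lies below 0.1% of background.

    Returns goal / npp_frequency at the given consequence; above 1.0 means the
    goal is met. With no plant contribution at this level the margin is infinite.
    """
    goal = SAFETY_GOAL_FRACTION * exceedance_frequency(background, consequence)
    npp = exceedance_frequency(npp_curve, consequence)
    if npp == 0.0:
        return float("inf")
    return goal / npp


if __name__ == "__main__":
    curve = exceedance_curve(SAMPLE_SEQUENCES)
    for c, f in curve:
        m = margin_to_goal(curve, SAMPLE_BACKGROUND, c)
        print(f">= {c:6.0f} early fatalities: {f:.2e}/yr, margin to goal {m:.1f}")
```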

nuclear power plants was assessed to be less than 1:100,000th (approximately five decades lower) of the background risks. Although the presentation of risk in NUREG-1150 did not focus on a comparison with other natural and manmade sources of risk as shown in WASH-1400, it is possible to show NUREG-1150 results in this format of an exceedance frequency as illustrated in the bottom curve in Fig. 1. This comparison indicates that the more primitive tools used to assess accident consequences in the WASH-1400 analyses resulted in an over-estimation of the risk by approximately a factor of 10–100 relative to the state-of-the-art at the time of the NUREG-1150 study.

It is important to recognize that the SOARCA study was not a risk study and focused on a few accident scenarios that have tended to dominate risk, such as station blackout scenarios. The results of the SOARCA study are described in terms of latent cancer fatalities because the releases of radionuclides for the scenarios analyzed were too small to produce off-site early fatalities because of their dose threshold nature. The broader implication of the SOARCA study is that the likelihood of early fatalities in a severe accident is at worst extremely small relative to the early fatality risk assessed in NUREG-1150. Because major extinction events (for example precipitated by large meteors) have historically occurred with a frequency of 4E-8 per year, it makes no sense to consider accident frequencies smaller than this value, as indicated by the band at the bottom of Fig. 1. Although it is not possible to completely exclude the possibility of offsite early fatalities in a severe accident based on SOARCA results (Ghosh et al., 2017), we conclude that the likelihood is very small and falls within this band of truly negligible events.

Fig. 2. NUREG-1150 comparison of risks to people living near NPPs with safety goals (Fig. 13.2 of reference US NRC, 1990).

As indicated in Fig. 1, WASH-1400 had demonstrated how small nuclear power plant risks are relative to comparable risks from natural hazards or man-caused events for the average American but had not shown what the risk is for the maximally exposed people living in the near proximity of a plant. The NUREG-1150 report (US NRC, 1990) addresses this risk by comparison with the QHOs. Fig. 2 is reproduced from NUREG-1150. The figure shows that each of the five NUREG-1150 plants easily satisfies the NRC's QHOs by a large margin, including the associated uncertainties. The smallest margin between the 95th percentile risk for each plant and the safety goal is more than a factor of ten for early fatality risk and approximately a factor of 100 for latent cancer fatality risk. Because the safety goals represent 0.1% of the background risk, the results indicate that people living in the near vicinity of an NPP are exposed to an incremental risk of less than 1:10,000 for early fatality risk and 1:100,000 for latent cancer fatality risk. The SOARCA results further modify this perspective, particularly for early fatality risk, which is assessed to be extremely small relative to the NUREG-1150 mean risk.

In contrast to early fatality risk, the individual latent cancer fatality risks within ten miles for the Surry and Peach Bottom plants are found to be essentially the same between the NUREG-1150 and SOARCA base case (unmitigated) analyses. Nevertheless, there is substantial technical question about the applicability of the linear, no-threshold model used in the calculation of latent cancer fatality risk. The sensitivity of the results has been explored in the SOARCA study. However, the strong support provided to the linear, no-threshold model in the recent BEIR committee report (National Academy of Science, 2006) indicates that obtaining a consensus of technical experts in removing any conservatism in this model will not occur in the near future.

In retrospect, one of the major deficiencies of NUREG-1150 was an insufficient consideration of land contamination as a significant aspect of NPP risk. In the Fukushima accident the radiological exposures of individual members of the public were small (World Health Organization, 2013) but the societal impacts of relocating large numbers of people and of the contamination of land and property have been very high. The NRC's latent cancer fatality QHO is often referred to as a societal risk objective. However, this QHO does not capture the societal impacts associated with relocation of personnel, property loss, interruption of commerce, and decontamination costs that were such a major element of the Fukushima accident. In Denning and Mubayi (2017), consideration is given to the development of a quantitative societal objective that would provide a limit on the societal cost of NPP accidents. The hypothetical goal is that the societal risk of NPP accidents, including the costs associated with property loss and land decontamination, should be less than 0.1% of the societal cost of other major events to which the public is exposed, such as hurricanes, earthquakes, epidemics and wars. In this study, the impacts of all events (including fatalities) were monetized as a convenient metric. Using the results of NUREG-1150 sequence frequencies, reduced source terms based on SOARCA findings, and characteristic meteorological conditions, MACCS calculations were performed for four representative plant sites and extended to a full population of 100 plants. The results of the study are shown in Fig. 3. The overall societal risk curve was obtained by monetizing the costs of societally disruptive events over the course of U.S. history inflated to current dollars. Because of the uncertainty in the actual average core damage frequency of the U.S. population of reactors, a range of 1E-5 per yr to 3E-4 per yr was considered (shown with hash marks in the figure). The study leading to these results was performed to demonstrate the concept

and did not have the level of effort and peer review of the major studies described elsewhere in this paper.

In addition to indicating the potential importance of land contamination and relocation of people as impacts of severe nuclear power plant accidents, the Fukushima accident also illustrated the importance of multiple-unit considerations in risk assessment. In future PRAs it is recommended that more emphasis should be placed on the joint response of multiple units at a site associated with the sharing of some common equipment, exposure to the same external hazard, and impact of radioactive material release from one unit on the ability to prevent severe core damage at other units. These risk insights will provide an improved basis for multi-unit design and operating considerations, such as those associated with interties among safety systems, and for the development of multi-unit siting criteria.

Fig. 3. Comparison of monetized societal risk for 100 plants vs. other societal risks (Denning and Mubayi, 2017).

6.2. Changes in reactor risk

In 1957 when WASH-740 was issued, the frequency of a severe accident with a major release of radioactive material was subjectively assessed to be in the range of 1E-5 per yr to 1E-9 per yr (US AEC, 1957). Prior to WASH-1400, severe accidents were often classified as incredible with an assumed frequency less than 1E-6 per yr.

The overall median core damage frequency for internally initiated accidents in WASH-1400 is approximately 7E-5 per reactor year. This corresponds to an overall mean value of approximately 1E-4 per reactor year. This number is reasonably consistent with actual severe accident experience in LWRs.

Integrating the total world-wide experience with LWRs, there have been approximately 10,000 reactor years of operating experience. In that period, there have been two events resulting in severe accidents, the Three Mile Island Unit 2 accident in 1979 and the tsunami at Fukushima Dai-ichi in 2011 leading to the meltdown of three reactors. Depending on whether the Fukushima event counts as one or three events, objectively (based on operating experience) the core damage frequency over the history of LWR operation has been 2E-4 to 4E-4 per reactor year of operation.

The NUREG-1150 PRA involved a number of advances relative to WASH-1400, including consideration of external events for two of the five reactors. The following bottom line mean core damage frequencies are reported in NUREG-1150: Surry (4E-5 per yr internal events; 1.3E-4 per yr external events); Peach Bottom (4E-6 per yr internal events; 9.7E-5 per yr external events); Zion (3.4E-4 per yr internal events); Sequoyah (5.7E-5 per yr internal events); Grand Gulf (4E-6 per yr internal events) (US NRC, 1990). The two BWR plants (Peach Bottom and Grand Gulf) had lower internal event core damage frequencies than the PWRs. The Zion plant results are particularly interesting because the high core damage frequency is the result of a design vulnerability identified by the systematic nature of the PRA approach. The utility provided a fix to the vulnerability that resulted in a reduction of the internal event core damage frequency to 6E-5 per yr.

The initial focus of PRA was on accidents arising from internal event faults. The risk arising from external events, such as the risk from large earthquakes, is amenable to analysis using the ET/FT approach, but the overall uncertainties in the final risk numbers are quite large, principally because of major uncertainties associated with the frequencies of the initiating events. For example, the principal uncertainty in seismic risk is associated with the characterization of the seismic hazard, specifically the frequency of ground accelerations of different amplitudes at a site. For seismic PRA, considerable effort is placed on assuring that the uncertainty associated with the site-dependent hazard captures the diverse interpretations of various seismic experts. A probabilistic approach is taken to establishing the seismic design basis for a plant that provides high confidence that the seismic risk will be substantially less than 1E-4 per yr. The owner of the plant must demonstrate that, given the design basis seismic hazard, there is high confidence of a low probability of failure (HCLPF) of safety-related structures, systems and components (Budnitz et al., 1985). In contrast, the design bases for high winds and external floods are based on deterministic criteria involving assumed maximum events, as conventionally used for non-nuclear risks. As indicated earlier, if the tsunami protection for Fukushima had been risk-informed, the accident would have been averted. Consideration should be given to risk informing the regulatory requirements for all natural phenomena hazards.

The risk of internally-initiated fires is potentially a dominant contributor to reactor risk because the initiation frequency is high and there is a high potential for common cause failures. Recent experience with the transition from a deterministic fire protection program to a risk-informed fire protection program as described by NFPA-805 has been a source of contention between the NRC and the industry (National Fire Protection Association, 2015). Nevertheless, we believe that the performance of fire PRA is an invaluable tool in the management of fire risk.

Combining the objective assessment of CDF based on 10,000 reactor-years of LWR experience with the results of WASH-1400 and NUREG-1150, we conclude that the overall mean CDF for the population of U.S. plants prior to the application of PRA analyses to identify vulnerabilities was approximately 1E-4 to 3E-4 per yr. In 2008, the Electric Power Research Institute (EPRI) developed a white paper, Safety and Operational Benefits of Risk-Informed Initiatives, that discusses how risk-informed initiatives have resulted in an improvement in reactor risk in the U.S. (Gaertner et al., 2008). The paper is limited to the consideration of improvement in CDF, so measures that would have reduced the consequences of accidents are not included. From 1992 (the year in which the IPEs (US NRC, 1988) were completed) to 2005, their assessment indicated that the industry average CDF had decreased by a four-fold factor from 9E-5 per yr to 2E-5 per yr. During this period, the rate of occurrence of significant safety events also decreased by a factor of four, providing strong evidence that the assessed relative reduction in CDF is real. The EPRI assessment cites a number of risk-informed activities as contributing to risk reduction: the NRC Maintenance Rule, configuration risk management, the NRC's Regulatory Oversight Process, risk-informed allowed outage times, emergency Technical Specification changes, risk-informed mode change assessments, treatment of missed surveillances, in-service inspection, and containment integrity testing. Many of these risk-informed activities have also resulted in

improved capacity factors for the plants. Thus, the evidence indicates that CDF has been decreased over the past four decades by approximately a factor of ten (from 2E-4 per yr to 2E-5 per yr) as the result of the application of PRA results to improving reactor safety. Because much of the emphasis in making plant modifications has been associated with sequences with potentially high consequences, such as the interfacing system LOCA event, in which the containment would be bypassed, the average potential consequences of severe accidents have also decreased.

One of the activities undertaken in the SOARCA study was to examine whether mitigative activities as prescribed in NRC's regulation 10CFR50(hh) (US NRC, 2017b) would effectively reduce the probability of dominant accident scenarios in the two plants analyzed. Their results indicated a substantial reduction in the likelihood of key scenarios, in particular ones involving station blackout. Thus, it can be expected that some further reduction in core damage frequency may be found to result from the implementation of mitigative actions, including the use of FLEX equipment. However, in discussing reduction in CDF it is important to recognize the associated uncertainties, particularly for very small CDFs. As the dominant accident sequences are reduced in frequency by scenario-specific fixes, a much larger set of potential scenarios that may have previously received less detailed attention now become relatively more important.

Although the band in Fig. 3 was developed as representing a possible range for the average core damage frequency of the population of U.S. NPPs, it also provides a measure of risk reduction of approximately an order of magnitude representing the change in risk that has occurred as the result of PRA-related improvements. The figure indicates that U.S. NPPs could marginally satisfy the hypothetical quantitative societal objective proposed. However, the factor of difference between the NPP risk and the background of other societally-disruptive events is not as large as that for latent cancer fatality risk or early fatality risk in the existing QHOs.

7. Summary and conclusions

The introduction of PRA as a safety assessment tool has resulted in reduced risk. The structured, logical method of analysis in PRA has been effective in identifying design and operational vulnerabilities that existed despite the inherent conservatism in a deterministic, defense-in-depth design approach. The magnitude of improvement in CDF over the last four decades appears to be approximately a factor of ten, although care must be exercised in trusting the quantitative aspects of PRA. Risk-informed regulatory oversight has been of value to both the regulator and the plant operators in minimizing activities that are ineffective in assuring the safe operation of plants and focusing on risk-significant issues. The principal impacts of severe accident research have been in improving our understanding of the risk and how to respond to potential severe accidents while they are evolving. Through the development and validation of severe accident analysis codes, this research has provided the technical basis for Severe Accident Mitigation Guidelines, which make it more likely that control room staff and their technical advisors will take appropriate corrective actions that will return the plant to a safe stable state or minimize accident consequences. For example, research on high pressure melt ejection and direct containment heating has led to guidelines for decreasing primary system pressure prior to a time at which vessel failure would occur. Similarly, for a Mark I BWR, severe accident analyses indicate that it is essential to initiate venting from the wetwell prior to the time at which the head of the drywell would fail and provide a direct pathway from containment to the reactor building (a message that was clearly not recognized by the operators at Fukushima).

The objective of PRA is to provide an unbiased assessment of risk including characterization of the associated uncertainties. Crucially, severe accident research has improved our perspective about the magnitude and nature of reactor risk. It is evident that in the early PRA studies, which lacked an adequate basis for the modeling of severe accidents, some modeling assumptions resulted in a significant conservative bias with regard to the timing and magnitude of severe accident source terms. In particular, as understanding of severe accident phenomenology and modeling capability have improved, the assessed likelihood of early failure of containment with a large release of radioactive material has been shown to have been overstated. The two metrics commonly employed in risk-informed regulation are CDF and large early release frequency (LERF). These are considered surrogates for the safety goals. Based on the current state of knowledge, we conclude that it is much less likely than had been assessed earlier that a severe accident would result in off-site early fatalities. This finding has implications for both risk-informed regulation and emergency response planning. LERF no longer appears to be as effective a risk metric as previously thought. At the same time, as demonstrated by the Fukushima accident, the societal impact associated with extensive land contamination in a severe accident is an important element of reactor risk, perhaps more important than the risk of radiation-induced human health effects. Large release frequency (LRF) appears to be a more meaningful risk metric than LERF. It more directly addresses not only societal risks associated with land contamination but also the risk of latent cancer fatalities.

The scope of this paper has been limited to examining the impact of PRA and severe accident research on the current generation of LWRs. Most advanced reactor types (Generation III LWRs, Generation III+ LWRs, small modular LWR reactors with integral steam generators, and reactors with different coolants and fuel forms) are being designed using PRA as a design evaluation tool and are explicitly addressing the need to provide both preventive and mitigative features for beyond-design basis events. For these advanced reactors, as for the existing LWRs, a strong ongoing program of reactor safety research is needed to provide the foundation for understanding and managing the beyond-design-basis risks, and to add to our knowledge base, thereby supporting continuous improvements in safety. The major topics covered here, the understanding of severe-accident behavior and the PRA-based understanding of how accident sequences arise and evolve, have always been (and need to continue to be) major elements of such a research program.

The two major topics discussed in this paper have been (i) how the advent and use of PRA methods have been an important contributor to the significant decrease in overall risk of reactor accidents in the last four decades, and (ii) why, based on an extensive body of experimental and analytical studies, we now understand that the likelihood of an accident that would produce a very early and large release of radioactive material to the environment is much less than had been thought earlier. Conversely, another insight is that the importance of major contamination to off-site property has not received the degree of attention it deserves, either in the regulations or in the considerations of decision-makers at the policy level.

References

45 FR 40101, June 13, 1980. Nuclear Power Plant Accident Considerations under the National Environmental Policy Act of 1969.
Aldrich, D.C., et al., 1982. Technical Guidance for Siting Criteria Development. NUREG/CR-2239.
Allison, C.M., Hohorst, J.K., 2010. Role of RELAP/SCDAPSIM in nuclear safety. Sci. Technol. Nucl. Installations.
Apostolakis, G., et al., 2012. A Proposed Risk Management Regulatory Framework. NUREG-2150. U.S. Nuclear Regulatory Commission.
Baker, L., Just, L.C., 1962. Studies of Metal-water Reactions at High Temperatures III. Experimental and Theoretical Studies of the Zirconium-water Reaction. ANL-6548.
Budnitz, R., et al., 1985. An Approach to the Quantification of Seismic Margins in Nuclear Power Plants. NUREG/CR-4334.
Buhl, A.R., Carter, J.C., Fontana, M.N., Henry, R.E., Mitchell, R.A., 1987. The IDCOR program – severe accident issues, individual plant examinations and source term developments. In: Lave, L.B. (Ed.), Risk Assessment and Management. Springer Science, New York.
Clement, B., Zeyen, R., 2005. The PHEBUS fission product and source term international programme. Proc. Int. Con. Nucl. Energy New Eur. INIS-SI-06-002.
Deitrich, L.W., Dickerman, C.E., Klickman, A.E., Wright, A.E., November 1998. A Review of Experiments and Results from the Transient Reactor Test (TREAT) Facility. ANL/RE/cp-96982, ANS Winter Meeting.
Denning, R., Mubayi, V., January 2017. Insights into the societal risk of nuclear power plant accidents. Risk Anal. 37 (1), 160–172.
DiNunno, J., Baker, R., Anderson, F., Waterfield, R., 1962. Calculation of Distance Factors for Power and Test Reactors Sites. TID-14844.
Drouin, M., Wagner, B., Lehner, J., Mubayi, V., April 2016. Historical Review and Observations of Defense-in-depth. NUREG/KM-009.
EPRI, December 2013. Modular Accident Analysis Program (MAAP5) Version 5.02 – Windows, 3002001978. www.epri.com.
Fleming, K.N., Mosleh, A., Deremer, R.K., 1986. A systematic procedure for the incorporation of common cause events into risk and reliability models. Nucl. Eng. Des. 93 (2–3), 245–273.
Gaertner, J., Canavan, K., True, D., February 2008. Safety and Operational Benefits of Risk-informed Initiatives. An EPRI White Paper, 1016308.
Garrick, B.J., 2008. Quantifying and Controlling Catastrophic Risks, first ed. Academic Press.
Ghosh, S.T., Mattie, P.D., Sallaberry, C.J., 2017. Uncertainty analysis for the U.S. NRC state-of-the-art reactor consequence analyses, ML12180A434, www.nrc.gov.
Gieseke, J.A., et al., July 1986. Source Term Code Package: a User's Guide. NUREG/CR-4587.
Hodge, S.A., Ott, L.J., 1990. BWRSAR calculations of reactor vessel debris pours for Peach Bottom, short-term station blackout. Nucl. Eng. Des. 121, 327–339.
Humphries, L.L., Beeny, B.A., Gelbard, F., Louie, D.L., Phillips, J., January 2017. Reference Manual, Version 2.2.9541 2017, SAND2017-0876 O. MELCOR Computer Code Manuals, vol. 2.
Johnson, J., Rasmuson, D., 1996. The US NRC's accident sequence precursor program: an overview and development of a Bayesian approach to estimate core damage frequency using precursor information. Reliab. Eng. Syst. Saf. 53, 205–216.
Keller, W., Modarres, M., 2005. A historical overview of probabilistic risk assessment development and its use in the nuclear power industry: a tribute to the late Professor Norman C. Rasmussen. Reliab. Eng. Syst. Saf. 89 (3), 271–285.
Merriam-Webster Dictionary, 2017. https://www.merriam-webster.com/dictionary/risk.
National Academy of Science, 2006. BEIR VII: Health Risks from Exposure to Low Levels of Ionizing Radiation. Committee to Assess Health Risks of Low Levels of Ionizing Radiation. National Academies Press, Washington, DC.
National Fire Protection Association, 2015. NFPA 805, Performance-based Standard for Fire Protection for Light Water Reactor Electric Generating Plants.
National Research Council, 2014. Lessons Learned from the Fukushima Nuclear Accident for Improving Safety of U.S. Nuclear Plants.
Nuclear Energy Institute, 2012. Diverse and Flexible Coping Strategies (FLEX), Implementation Guide. NEI 12-06.
Petrangeli, G., 2006. Nuclear Safety, first ed. Elsevier, New York, p. 9.
Rogovin, M., 1979. Three Mile Island, a Report to the Commissioners and to the Public. Nuclear Regulatory Commission Special Inquiry Group.
Sehgal, B.R., 2012. Nuclear Safety, Severe Accident Phenomenology, first ed. Elsevier, New York.
Siefken, L.J., Coryell, E.W., Harvego, E.A., Hohorst, J.K., January 2001. NUREG/CR-6150. SCDAP/RELAP5/MOD 3.3 Code Manual: Code Architecture and Interface of Thermal Hydraulic and Core Behavior Models, vol. 1. Rev 2.
Silberberg, M., Mitchell, J.A., Meyer, R.O., Ryder, C.P., July 1986. Reassessment of the Technical Bases For Estimating Source Terms. NUREG-0956.
SNL, January 2012. State-of-the-Art Reactor Consequence Analyses Project. NUREG/CR-7110, Albuquerque, NM.
Swain, A.D., February 1987. Accident Sequence Evaluation Program Human Reliability Analysis Procedure. NUREG/CR-4772.
Theofanous, T.J., Yuen, W.W., April 1995. The probability of alpha-mode containment failure. Nucl. Eng. Des. 155 (1–2), 459–473.
US AEC, March 1957. Theoretical Possibilities and Consequences of Major Accidents in Large Nuclear Power Plants. WASH-740.
US NRC, 2017a. Title 10, Code of Federal Regulations, Part 50, Domestic Licensing of Production and Utilization Facilities.
US NRC, 2017b. Title 10 Part 50.54(hh), Conditions of License.
US NRC, 2017c. Title 10, Code of Federal Regulations, Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants.
US NRC, 2017d. SPAR Model Development Program, Office of Reactor Safety Research, Division of Risk Analysis. https://www.nrc.gov/docs/ML1029/ML102930134.pdf.
US NRC, 1975. Reactor Safety Study, an Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants. WASH-1400 (NUREG 75/014).
US NRC, 1976. Recommendations Related to Browns Ferry Fire. NUREG-0050.
US NRC, 1978. Risk Assessment Review Group Report to the U.S. Nuclear Regulatory Commission. NUREG/CR-0400.
US NRC, 1982. The Development of Severe Reactor Accident Source Terms: 1957–1981. NUREG-0773.
US NRC, 1983. PRA Procedures Guide. NUREG/CR-2300.
US NRC, August 1986. Safety Goals for the Operation of Nuclear Power Plants. Federal Register, 51 FR 30028, Washington, DC.
US NRC, 1988. Individual Plant Examination For Severe Accident Vulnerabilities. Generic Letter 88-20.
US NRC, December 1990. Severe Accident Risks: an Assessment for Five U.S. Nuclear Power Plants. NUREG-1150.
US NRC, 1995a. Accident Source Terms for Light-water Nuclear Power Plants. NUREG-1465.
US NRC, 1995b. Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities: Final Policy Statement, 60 FR 42622.
US NRC, 1998. Code Manual for MACCS2, User's Guide. NUREG/CR-6613.
US NRC, 2002. Perspectives Gained from the Individual Plant Examination of External Events (IPEEE) Program. NUREG-1742.
US NRC, 2005. MELCOR Computer Code Manuals. NUREG/CR-6119, Vol 2, Rev. 3 (SAND2005-5713).
US NRC, 2011a. An Approach for Using Probabilistic Risk Assessment in Risk-informed Decisions on Plant Specific Changes to the Licensing Basis. R.G. 1.174, Rev. 2.
US NRC, 2011b. Recommendations for Enhancing Reactor Safety in the 21st Century, the Near-term Task Force Review of Insights from the Fukushima Dai-ichi Accident.
US NRC, 2015. Staff Requirements Memorandum Response to SECY-15-0085 – Evaluation of the Containment Protection and Release Reduction for Mark I and Mark II Boiling Water Reactors Rulemaking Activities.
US NRC, August 2016. WASH-1400, the Reactor Safety Study, the Introduction of Risk Assessment to the Regulation of Nuclear Reactors. NUREG/KM-0010.
US NRC, Federal Register, 1985. No. 153. Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants, vol. 50.
Van Dorsselaere, J.P., et al., 2009. The ASTEC integral code for severe accident simulation. Nucl. Technol. 165 (3), 293–307.
Verlag Tuev Rheinland, 1980. Deutsche Risikostudie Kernkraftwerke, Eine Untersuchung zu dem durch Storfalle in Kernkraftwerken. Germany.
Westinghouse, 2017. AP-1000 Nuclear Power Plant Design. http://www.westinghousenuclear.com/New-Plants/AP1000-PWR/Overview.
World Health Organization, 2013. Health Risk Assessment from the Nuclear Accident after the 2011 Great East Japan Earthquake and Tsunami. Geneva, Switzerland.

Comments on NEI Digital I&C strategy presentation 20190131
Gary Johnson

Slide 6 Solution #1 - CCF

(1) If the risk-informed approach is looking at the consequences of CCF, well, OK. It seems to me that this should already come out of the plant safety analysis of each postulated CCF. I have a feeling that vendors are avoiding doing the analysis. And I also have the feeling that NRC has been inflexible when applying 7-19 to hypothetical events that are in the design basis.

  • I was dismayed to learn that NRC required the APR-1400 DAS to deal with CCF for large-break LOCAs. This was not required for System 80+, which was the basis for the Korean plant, itself a safety upgrade of the 80+.

(2) If it means something like importance measures from an I&C system reliability analysis, I don't buy it. PSA and fault trees are good tools for assessing failure, but the CCF we are worried about are not that kind of failure. The CCF of concern are human errors introduced during the design. We have no good method for understanding the probability of such failures. Petroski's book, To Engineer is Human, is a pretty good story about CCF, although he doesn't talk about it that way.

Slides 8 & 9

(1) Before the SRP the software guidance came from NQA. That guidance was fine for analytical codes, but not for real-time software. The SRP changed that.

(2) We picked up the IEEE Software standards because we expected that Westinghouse, GE, and others already had good processes that were based upon current software engineering guidance (i.e., IAEA software society standards). Apparently that was not the case.

(3) Nevertheless, the 7-4.3.2 committee picked up the new Reg. Guides without much complaint.

(4) In the mid-90s we considered IEC 60880 as an acceptable alternative that filtered much of the other guidance to give NPP engineers just what they needed to know. But in the mid-90s 60880 had too much basic plant content to mesh with the NRC regulations. John Gallagher was the SC45A chairman at that time and pushed to have 60880 simplified and general plant information moved out.

This more or less happened. The more general information went to 61513.

  • At that time I&C staff in NRR intended to endorse the new 60880, but Jerry Vermeil killed any further work on this idea in NRR. RES wasn't interested. Not bleeding edge enough.

Slide 10 Barrier #3 - I&C System Architecture Development.

(1) I couldn't agree more. In 2000 or so, part of the LLNL SRP team worked for GE as an outside reviewer of V&V for the Lungmen project. We were shocked to see how GE was using BTP 14 as a checklist rather than as a short list of fundamental principles to meet, attached to a list of suggestions that might be used to confirm that the principles were being met. The answers were always yes. Yes to the relevant things and yes to the irrelevant things. After that we wanted to change BTP-14 into a systems-level document, but we didn't get the chance. Most of our supporters in NRC had retired or died before the 2007 update came around.

Slide 12 - Limited Functional I&C devices.

(1) I also couldn't agree more. The original BTP-19 excluded such items because we thought that the BTP didn't apply. We had the intent to do some more work on this, but it was one more thing taken away from NRR.

(2) BTP-19 came from NUREG 0493. I dare you to match the concerns about limited functional devices to the concerns raised by that report.

(3) My view is that devices of limited functionality are generally not a big CCF concern. Most of these devices have one or more characteristics that limit the problem such as:

A. Not connected to more than one safety channel.

B. Limited functionality.

C. Small range of input or output trajectories (sometimes just one division and sometimes just start/stop).

D. Use in normal operation is the same as in safety service.

E. Surveillance testing closely simulates the range of possible input and output trajectories.

I.e., not a big hairy system involving hundreds of inputs and outputs and cross-channel communications.

Still, some thinking is needed to avoid things like the Turkey Point load sequencer, the DB50, the BWR scram volume, and the HFA relay problems.