ML19284C668
| Person / Time | |
|---|---|
| Issue date: | 12/30/1980 |
| From: | Dircks W NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO) |
| To: | |
| Shared Package: | ML19264A269 |
| References: | FOIA-82-93, TASK-PII, TASK-SE SECY-80-552, NUDOCS 8101200442 |
December 30, 1980
POLICY ISSUE
(Information)
For:
The Commissioners
From:
William J. Dircks
Executive Director for Operations
Subject:
THE USE OF PROBABILISTIC RISK ASSESSMENT IN THE LICENSING PROCESS
Purpose:
To provide an interim response to the January 18, 1979 Commission request that the staff submit to it for its review, procedures for the use of risk assessment by the regulatory staff.
No action is requested of the Commission at this time.
The staff will continue to keep the Commission informed of all significant applications of risk assessment methodology.
Formal, detailed reactor review procedures will be developed subsequent to completion of the Phase II IREP reviews.
Background:
With regard to the use of probabilistic risk assessment techniques (PRA), the report¹ of the Risk Assessment Review Group stated, "Proper application of the methodology can therefore provide a tool for the NRC to make the licensing and regulatory process more rational, in more properly matching its resources (research, quality assurance, inspection, licensing regulations) to the risks provided by the proper application of the methodology. NRC has moved somewhat in this direction, and we recommend a faster pace." The Review Group Report points to a number of deficiencies in the Reactor Safety Study pertaining to the estimation of accident probabilities, including the inadequacy, in many cases, of the data base; the inability to quantify events such as fires, earthquakes, floods, and human accident initiation; the pervasive intrusion of regulatory conservatism; the inability to quantify human adaptability during an accident; poor statistical practices; and the uneven propagation of uncertainties.
In its January 18, 1979, policy statement,² the Commission said, "Taking due account of the reservations expressed in the Review Group Report and in its presentation to the Commission, the Commission supports the extended use of probabilistic risk assessment in regulatory decision-making." This Commission support for the extended use of probabilistic risk assessment techniques, in basic agreement with the Review Group's conclusions, was further clarified in the recent Commission guidance³ to the staff:
"Quantitative risk assessment techniques may be used to estimate the relative importance of potential nuclear power plant accident sequences or other features where sufficient similarity exists so that the comparisons are not invalidated by lack of an adequate data base.
Such techniques should not be used to estimate absolute values of probabilities of failure of subsystems unless an adequate data base exists and it is possible either to quantify the uncertainties or to support a conservative analysis. The staff shall give special attention to those activities identified in the Risk Assessment Review Group (NUREG/CR-0400) as being especially amenable to risk assessment, i.e., dealing with generic safety issues, formulating new regulatory requirements, assessing and revalidating existing regulatory requirements, evaluating new designs, and formulating reactor safety research and inspection priorities."
¹ NUREG/CR-0400, "Risk Assessment Review Group Report to the U.S. Nuclear Regulatory Commission," September 1978.
² "NRC Statement on Risk Assessment and the Reactor Safety Study Report (WASH-1400) in Light of the Risk Assessment Review Group Report," January 18, 1979.
³ "Fiscal Years 1982-1986, Policy, Planning and Program Guidance (PPPG)," April 29, 1980.
Discussion:
The Three Mile Island Accident occurred shortly after the Commission's January 18, 1979, request; and that event had several important impacts on the staff's response.
First, the response was substantially delayed due to the press of priority activities, and second, the President's Commission and the Rogovin inquiry both gave strong emphasis to the importance of PRA as an important adjunct to the conventional NRC evaluation and decision-making processes. During the past year the staff has placed increasing emphasis on the use of PRA in the licensing process.
The staff has prepared a paper on the above subject (Enclosure 1).
This paper speaks to the question of procedures from the institutional and planning sense. The staff has not progressed far enough in PRA to commit working relationships and goals to paper in the form of explicit procedures. However, we believe that the enclosed paper usefully meets the intent of the Commission's request. Summary highlights of the enclosed paper are provided below.
Organizational Aspects
. RES must be appropriately consulted in all significant activities associated with PRA, since they have the principal expertise, and the technical field is sufficiently new to NRC that internal peer review is necessary.
. Program Offices will eventually obtain the resources necessary to perform PRA reviews required for the direct support of Office functions. The establishment of the Reliability and Risk Assessment Branch in NRR was the first step in this direction.
. The program Offices, starting this fiscal year, will begin to exercise the "user needs" function with regard to PRA research proposals made by RES.
Power Reactor PRA Activities
. Several TMI Action Plan items are PRA based, and all were well coordinated among the Offices.
. The Interim Reliability Evaluation Program (IREP), Phase II, began September 1980 with active participation by both RES and NRR, as well as the affected utilities. The IREP is geared toward developing a standard PRA methodology for use in NREP, the National Reliability Evaluation Program.
. The NREP will be used to assess the safety of all commercial operating power reactors, appropriately coordinated with the SEP program and the requirements of Section 110 of the FY 80 NRC Authorization Act, Public Law 96-295.
. The standard methodology for NREP will come not only from IREP, but also from a forum comprised of the NRC, industry, IEEE, and the ANS. This standard methodology reasonably should be in place by the end of 1981.
. A methodology for identifying adverse systems interactions using PRA is being developed. A review of seismically induced systems interactions at Diablo Canyon has been completed.
. While much of the PRA work is, in theory, aimed at relative or comparative risk, it is clear that even the use of PRA in a purely relative manner implies the acceptability or nonacceptability of a certain absolute level of risk.
. Optimal use of PRA in the decisional mode will not occur until a safety goal is established, and the role of PRA in this safety goal is clearly articulated.
Other PRA Activities
. The Offices of Nuclear Material Safety and Safeguards (NMSS) and Nuclear Regulatory Research are coordinating the development of a risk prediction methodology and computer codes for geological waste repositories, including sensitivity analyses to identify high risk contributors. NMSS has an ongoing program of assessing risk associated with the effects of natural phenomena on operating plutonium processing plants. This effort, which has already produced completed analyses on three of the six plants in question, involved RES from the planning stages through to the completed risk assessment for each plant.
. The Office of Standards Development, with some interaction with RES, has utilized risk analyses in some of their transportation studies, establishment of emergency planning zones, and the development of some industry codes and standards. A much larger cooperative effort among offices is underway to review accident sequences and associated radiological consequences to aid in the Reactor Siting and Minimum Engineered Safety Features Rulemaking.
. The Office of Inspection and Enforcement has no on-going programs to utilize probabilistic risk assessment; however, they will modify their routine inspection program when a ranking is established by NRR of the importance of various reactor systems.
. Staff members from various Offices have participated in training sponsored by the Office of Nuclear Regulatory Research regarding probabilistic modeling and statistical analysis techniques. This training effort will continue and will be expanded to familiarize a wide spectrum of the staff with the concepts and techniques involved. Likewise, the Fault Tree Handbook which has been developed by the Probabilistic Analysis Staff is being distributed widely throughout the agency.
. In addition to these efforts, the Office of Nuclear Regulatory Research is sponsoring research in the areas of human reliability, including analysis of Licensee Event Reports and the development of the Human Reliability Handbook, and methodology development to improve component failure rate predictions.
In summary, staff practices in PRA have been evolving rapidly. However, there is no intent to use these probabilistic assessments alone to eliminate or relax existing deterministic considerations at this time, since such assessments, by their nature, have large uncertainties and address only a portion of the spectrum of considerations necessary to fully and properly evaluate a plant design. The role of RES has been one of pioneering the application of risk assessment in the regulatory process. Over the next several years, this evolving methodology will be transferred to the various program Offices. The program Offices will then assume primary responsibility for most of the routine applications of the methodology to specific safety problems and regulatory decisions and will establish user needs for future research; however, RES likely will perform a peer review function for the program Offices for the foreseeable future.
In view of the increased staff coordination and commitment of resources to risk assessment efforts, and the ongoing application of these techniques to those areas identified by the Risk Assessment Review Group, the staff concludes that no further specific Commission level guidance or instructions are needed at this time to encourage the expanded use of these techniques.
However, the role that such techniques should play in the NRC decisional process (including the licensing hearings) will be in need of further Commission guidance; and this role must be appropriately compatible with any forthcoming safety goal for nuclear regulatory decision making.
William J. Dircks
Executive Director for Operations
Enclosure:
The Use of Probabilistic Risk Assessment Techniques in the Licensing Process
Contact:
M. Ernst, NRR
492-8016
DISTRIBUTION
Commissioners
Commission Staff Offices
Exec Dir for Operations
ACRS
Secretariat
THE USE OF PROBABILISTIC RISK ASSESSMENT TECHNIQUES IN THE LICENSING PROCESS
I. Introduction
This paper is in response to the January 18, 1979, Commission directive¹ that the staff prepare and submit "detailed procedures to ensure proper and effective use of risk assessment theory, methods, data development and statistical analyses by the staff," that the staff "give special attention to those activities identified by the (Lewis) Review Group as being especially amenable to risk assessment," and that the staff review "coordination among research and probabilistic analysis staff and the licensing and regulatory staff, in order to promote effective use of these techniques."
As used in this paper, "probabilistic risk assessment" involves the methodology of probabilistic calculations including:
1. Statistical analysis of operating data and other sources of information to evaluate event frequencies, operator and maintenance reliabilities, and the success or failure probabilities of equipment and systems. In this regard, the Office of Nuclear Regulatory Research (RES) has an ongoing program to determine component failure rates from Licensing Event Reports.
2. System modeling (e.g., failure modes and effects analysis, event trees, fault trees) to relate operator actions and the functional performance of equipment and systems to event sequences. The Reactor Safety Study is an application of event tree and fault tree analyses.
3. Consequence modeling to relate the event sequences to offsite consequences.
4. Risk modeling to relate probability and consequences of event combinations. The recent Task Force report on Indian Point operation (SECY-80-283) is a good example of risk modeling.
Many applications of probabilistic risk assessment techniques will involve less than all these aspects; e.g., one may be interested only in a quantitative assessment of the relative reliability of similar systems, given the qualitative assumption that the consequence modeling would be similar for these systems.
¹ Memo from S. J. Chilk to L. V. Gossick, dated January 18, 1979, Subject: "Staff Actions Regarding Risk Assessment Review Group Report."
II. Background on the Use of Probabilistic Risk Assessment Techniques
With regard to the use of probabilistic risk assessment techniques, the report² of the Risk Assessment Review Group stated, "Proper application of the methodology can therefore provide a tool for the NRC to make the licensing and regulatory process more rational, in more properly matching its resources (research, quality assurance, inspection, licensing regulations) to the risks provided by the proper application of the methodology.
NRC has moved somewhat in this direction, and we recommend a faster pace."
In its January 18, 1979 policy statement,³ the Commission said, "Taking due account of the reservations expressed in the Review Group Report and in its presentation to the Commission, the Commission supports the extended use of probabilistic risk assessment in regulatory decision-making." This Commission support for the extended use of probabilistic risk assessment techniques, in basic agreement with the Review Group's conclusions, was further clarified in the recent Commission guidance⁴ to the staff:
"Quantitative risk assessment techniques may be used to estimate the relative importance of potential nuclear power plant accident sequences or other features where sufficient similarity exists so that the comparisons are not invalidated by lack of an adequate data base.
Such techniques should not be used to estimate absolute values of probabilities of failure of subsystems unless an adequate data base exists and it is possible either to quantify the uncertainties or to support a conservative analysis.
The staff shall give special attention to those activities identified in the Risk Assessment Review Group Report (NUREG/CR-0400) as being especially amenable to risk assessment, i.e., dealing with generic safety issues, formulating new regulatory requirements, assessing and revalidating existing regulatory requirements, evaluating new designs, and formulating reactor safety research and inspection priorities."
² NUREG/CR-0400, "Risk Assessment Review Group Report to the U.S. Nuclear Regulatory Commission," September 1978.
³ "NRC Statement on Risk Assessment and the Reactor Safety Study Report (WASH-1400) in Light of the Risk Assessment Review Group Report," January 18, 1979.
⁴ "Fiscal Years 1982-1986, Policy, Planning and Program Guidance (PPPG)," April 29, 1980.
The use of probabilistic risk assessment techniques in the Reactor Safety Study was a significant step in the application of these techniques to safety considerations of nuclear power plants.
Since the publication of the Reactor Safety Study, the methodology has been developed further, both by the NRC staff and by contractor organizations, and has been complemented by other work, including efforts initiated by the nuclear industry and work in foreign countries.
There have been efforts also to correlate these advances with similar activities in other high technology areas.
Notwithstanding these advances, probabilistic risk assessment techniques have important inherent limitations which must be recognized.
These limitations, which relate generally to realism, completeness and statistical inference, have been discussed in detail in other places and are briefly summarized here.
Realism
All realistic models contain approximations and assumptions which restrict the models to limited ranges of applicability (i.e., to that range of applicability within which the approximations and assumptions remain valid).
In order to give some assurance that the results of probabilistic risk assessments are realistic, a conscious attempt must be made to arrive at realistic approximations.
This is because the regulatory approach to modeling frequently will produce a large number of considerations in these approximations, principally because of the uncertainties involved in the analyses and the regulatory desire to "upper bound" such analyses.
Therefore, it must always be verified that the use of realistic models is appropriate and not beyond the range of applicability of either the models or the data.
However, it is equally important in any such realistic analyses that appropriate uncertainty bounds are clearly defined.
Completeness
Any attempt to take into consideration all potentially significant contributors to a complex problem such as nuclear safety is inevitably subject to question with respect to completeness of either the model or the data.
This problem is particularly limiting in the use of probabilistic risk assessment techniques to determine absolute risk levels and in comparative analyses of dissimilar risks.
With regard to completeness of the data, every attempt must be made to assure that all pertinent existing data have been identified and used appropriately.
If the existing body of data is less than desired, the uncertainty bounds should be modified accordingly.
With regard to completeness of the model, no model of a complex nuclear power plant can be complete in the strict sense.
However, it should be verified that all appropriate system aspects and interactions are properly modeled for the particular application.
Statistical Inference
Endeavors involving statistical inference, i.e., the manipulation of failure data to obtain mathematical probabilities of success and/or failure at specified confidence levels, are particularly exacting when data are sparse (i.e., expected failure frequency is low) or of mixed origin.
Frequently, this leads to questionable relevance of data used in certain applications.
Where data or sets of data are used which are sparse or which may not be consistent with each other, care must be exercised to assure that data of questionable relevance are not misused in any particular application and that appropriate uncertainty bounds and confidence levels are clearly identified.
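The effect of sparse data on the uncertainty bounds can be made concrete. The following is an added illustration, not part of the NRC paper: it computes exact Poisson confidence limits on a failure rate from a failure count and an exposure time. The constant-failure-rate model, the function names and the sample counts are assumptions made for this example.

```python
import math


def poisson_cdf(n, mu):
    """P(X <= n) for X ~ Poisson(mu), summed term by term."""
    if n < 0:
        return 0.0
    term = math.exp(-mu)
    total = term
    for k in range(1, n + 1):
        term *= mu / k
        total += term
    return total


def _solve_mu(n, target):
    """Find mu such that poisson_cdf(n, mu) == target.

    The CDF is strictly decreasing in mu, so bisection converges.
    """
    lo, hi = 0.0, max(10.0, 4.0 * (n + 1))
    while poisson_cdf(n, hi) > target:
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(n, mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def failure_rate_bounds(failures, exposure_hours, confidence=0.90):
    """Return (lower, point, upper) failure rates per hour.

    Exact two-sided interval for a Poisson count: the upper limit is
    the mean at which seeing `failures` or fewer has probability
    alpha/2; the lower limit is the mean at which seeing `failures`
    or more has probability alpha/2 (zero when no failure was seen).
    """
    alpha = 1.0 - confidence
    upper_mu = _solve_mu(failures, alpha / 2.0)
    if failures == 0:
        lower_mu = 0.0
    else:
        lower_mu = _solve_mu(failures - 1, 1.0 - alpha / 2.0)
    point = failures / exposure_hours
    return (lower_mu / exposure_hours, point, upper_mu / exposure_hours)


def error_factor(failures, exposure_hours, confidence=0.90):
    """sqrt(upper/lower): how many times the bounds straddle the middle.

    Infinite when no failure was observed, because the data then give
    an upper limit only.
    """
    lower, _, upper = failure_rate_bounds(failures, exposure_hours, confidence)
    if lower == 0.0:
        return math.inf
    return math.sqrt(upper / lower)


# Constructed sample data (not from the paper): the same nominal rate of
# about 1e-4 failures per hour, observed over increasing exposure.
CONSTRUCTED_CASES = [
    ("no failures seen", 0, 1.0e4),
    ("sparse", 1, 1.0e4),
    ("moderate", 10, 1.0e5),
    ("well populated", 100, 1.0e6),
]


def compare_cases(cases=CONSTRUCTED_CASES):
    """Return one row per case: (label, lower, point, upper, error factor)."""
    rows = []
    for label, failures, hours in cases:
        lower, point, upper = failure_rate_bounds(failures, hours)
        rows.append((label, lower, point, upper, error_factor(failures, hours)))
    return rows


if __name__ == "__main__":
    for label, lower, point, upper, ef in compare_cases():
        print(f"{label:18s} lower={lower:.2e} point={point:.2e} "
              f"upper={upper:.2e} error factor={ef:.2f}")
```

With one observed failure the 90% bounds span nearly two orders of magnitude, while with one hundred they span well under a factor of two, which is why absolute probabilities from sparse data need their bounds stated alongside them.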
The use of probabilistic risk assessment techniques can aid significantly in the NRC's regulatory decision process only if their application is made in full cognizance of these limitations, and if the uncertainties are clearly specified.
It is important to distinguish between the use of results of the Reactor Safety Study (either summary results, or intermediate results, or data developed therein) and the use of probabilistic risk assessment methods in a broader, more general sense.
The Risk Assessment Review Group Report contains a discussion of both the achievements and the limitations of the Reactor Safety Study, provides recommendations regarding its use, and provides insights about risk assessment techniques exclusive of their use in the Reactor Safety Study.
In particular, the Review Group Report points to a number of deficiencies in the Reactor Safety Study pertaining to the estimation of accident probabilities, including the inadequacy, in many cases, of the data base; the inability to quantify events such as fires, earthquakes, floods, and human accident initiation; the pervasive intrusion of regulatory conservatism; the inability to quantify human adaptability during an accident; poor statistical practices; and the uneven propagation of uncertainties.
While these deficiencies cast doubt on the validity of the absolute numerical results of the Reactor Safety Study (i.e., its overall assessment of reactor accident risks), they do not undermine the validity of the techniques nor their use as an aid in regulatory decision-making, provided suitable care is taken in their application.
The Commission recognized, however, that the Reactor Safety Study itself does contain important information and analyses about reactor safety, and cautioned in its policy statement of January 18, 1979:
"With respect to the component parts of the (Reactor Safety) Study, the Commission expects the staff to make use of them as appropriate, that is, where the data base is adequate and analytical techniques permit."
While the above statement focuses on uses of risk assessment techniques in the safety evaluation of reactor facilities, the considerations apply with equal force to safeguards matters, to environmental and safety aspects of fuel cycle facilities, and to any other facility or action which may fall under the NRC's regulatory mission.
III. Organizational Aspects
The staff expertise in the development of probabilistic risk assessment methodologies lies principally in the Office of Nuclear Regulatory Research (RES) at this time. Thus, RES must be appropriately included during the early stages of discussions within an Office which could lead to significant regulatory decisions or an expenditure of staff or contractor resources for probabilistic risk analysis. Occasionally, a risk assessment effort will be undertaken which will involve more than one program Office.
In these instances, RES should be involved in all significant inter-Office meetings in order to assure that any parochial aspects of the discussions do not cause insufficient attention to be focused on the risk assessment issues.
It is planned that each program Office eventually will be given the necessary resources to establish a sufficient professional cadre to oversee and undertake probabilistic risk assessment efforts within that Office in order to reduce direct reliance on, but not communication with, the methods development function supplied by RES. As an initial step in this direction, the recent reorganization within the Office of Nuclear Reactor Regulation (NRR) established the Reliability and Risk Assessment Branch (RRAB) to begin to undertake the implementation of these techniques in the area of reactor safety. At the present time the RRAB staff: provides over two man-years of direct staff support to the IREP program; is responsible for the NRR review of the Zion interim risk study, the Zion and Indian Point longer term risk studies, the Limerick study, and the Big Rock Point analyses; will participate heavily in the development of a common PRA methodology; provides increasing support to PRA analyses needed to evaluate the importance of proposed safety improvements; and acts as a focal point between NRR and RES in other PRA matters, including the coordination of training needs.
The Systems Interaction Branch was also established to develop and carry out the systems interaction program identified in the NRC Action Plan. Although the risk studies involved both probability and release consequence of event combinations, accidents that can cause safety system failures without a significant release of radioactivity also need to be addressed, since they may represent forerunners of more severe accidents.
As the direct program support activities shift from RES to the program Offices during the next few years, the role of RES will revert principally to research to improve the methodology, to improve the information base and data banks for risk assessment, to improve the treatment of human factors and common cause failures, and to better focus the expenditure of safety research funds.
In this regard, the program Offices will begin to exercise their "user needs" responsibilities to provide assurance that the research programs are well focused on identified Office needs.
IV. Staff Coordination of Probabilistic Risk Assessment Efforts - Power Reactors
In the past, NRC efforts to implement probabilistic risk assessment techniques frequently lacked agency-level coordination. The Risk Assessment Review Group Report highlighted this point by stating that the "NRC should encourage close coordination among research and probabilistic analysis staff and the licensing and regulatory staff, in order to promote the effective use of these techniques."
The staff has since corrected this situation, and improved coordination exists between various Offices.
The Offices of NRR and RES have cooperated in the evaluation of Task Action Plans associated with generic safety and environmental issues using probabilistic risk assessment techniques. For example, NUREG-0660, "NRC Action Plans Developed as a Result of the TMI-2 Accident," includes reliability engineering and risk assessment tasks (II.C.1 and II.C.2) that were developed jointly by NRR and RES personnel. Task II.C.1 describes the Interim Reliability Evaluation Program (IREP), which is being used by the NRC to develop a standard methodology for the identification of the dominant accident sequences leading to extensive core damage. The first step in the IREP is the nearly completed reliability evaluation of Crystal River, Unit 3, undertaken by RES (ref. ). The second step (Phase II IREP) is refinement of the procedures through the simultaneous evaluations of four operating nuclear plants (Arkansas 1, Browns Ferry, Calvert Cliffs and Millstone 1). These evaluations began in September 1980 and involve both NRR and RES personnel, as well as utility personnel. These IREP activities will culminate in a probabilistic risk assessment of all commercial operating reactors within the United States under a National Reliability Evaluation Program (NREP), which will be administered by NRR. The NREP program will be suitably integrated into the plan for the systematic evaluation of the safety of all operating reactors mandated by Section 110 of the FY 80 NRC Authorization Act, Public Law 96-295.
At the present time, there also is no consensus within the nuclear industry on the most effective method for conducting reliability analyses.
Several detailed risk studies are currently being performed by the nuclear industry - Zion, Indian Point, Limerick, Sequoyah, and Oconee - which will provide additional input to the methodology development. Attachment 2 provides a table summarizing these industry efforts and showing the scope and level of effort for each.
For comparison purposes, the IREP plants are also included in this table.
As indicated above, RES in coordination with NRR is attempting to develop a standard methodology to be used in NREP, while recognizing the potential for future modifications as the methodology matures. Because of the complexity of nuclear power systems, uncertainties regarding phenomenology, the important questions of human interactions and common mode failures, and the relatively sparse data base, a standard methodology is critical to establishing a reasonably implementable program for the orderly and timely evaluation of significant contributors to risk at all operating plants.
In order to establish broader based support to work on this common problem, RES and NRR spearheaded the recent formation of an NRC/industry forum under the sponsorship of the Institute of Electrical and Electronic Engineers (IEEE) and the American Nuclear Society (ANS) to develop a standard methodology drawing on expertise outside as well as inside the industry.
Expertise from NASA, FAA, DOD, and DOE would be available through the IEEE participation in the working group.
A tentative agreement has been reached between the technical societies (IEEE/ANS as co-sponsors), the industry, and the NRC as to the mechanism to be used to develop the methodology for systematic probabilistic and reliability analysis of nuclear power plants. The technical effort on development of a procedures guide on PRA techniques will be undertaken by a technical working committee which will receive direction and guidance from a steering committee.
Provisions will be made to ensure broad industry and peer review during the development of the guide. The final charter for this forum is currently under development, and the goal is to reach a reasonable consensus on a common methodology by the end of 1981.
An important aspect of implementing this common methodology in the licensing process, especially for assessing the results of NREP, is the articulation of acceptance criteria for evaluating the probabilistic risk assessments. Use of absolute values was cautioned against strongly by the Risk Assessment Review Group. However, it is difficult to use PRA only in a pure, relative manner.
Anytime a comparative analysis indicates that a design or a procedure should be revised, inherent in that decision is the conclusion that the absolute level of risk of the subject design or procedure is marginal or unacceptable.
The RES staff has proposed the use of severe core damage probabilities as a basis for licensing decisions on the Crystal River reliability study. The NRR staff has proposed to use risk profiles (early fatalities, latent cancer, property damage) as one factor in evaluating the need for licensing action on the Zion, Indian Point, and Limerick plants. These tentative proposals as well as other on-going efforts by RES, NRR, and the ACRS should be considered in the Commission's plan to develop and articulate a substantive safety goal for its nuclear regulatory decisionmaking.
There have been other examples of the use of PRA in the regulation of nuclear power plants. These examples include:
1. Assessment of the reliability of the auxiliary feedwater (AFW) system in all operating pressurized water reactors. This effort has been continued by NRR in the review of AFW systems in operating license applications.
2. Assessment of generic issues, such as A-30, "Adequacy of Safety-Related DC Power Supplies"; and A-44, "Station Blackout."
3. Interim assessment of the risk from seismically non-qualified auxiliary feedwater systems.
4. Assessment of seismic margins in selected safety systems based on combining the probability distributions of the component/system fragility and the seismic loading.
5. Assessment of the probability of various earthquake spectra at SEP plant sites.
6. Assessment of the probability of seismically induced surface rupture at the GETR site.
7. The safety systems failures resulting from systems interactions can be initiated from common external events or malfunction of connecting non-safety systems. The PRA activities related to common cause failures, as well as the procedures developed from IREP, will be useful in the development of systems interaction methods. A favorable review by the staff and the ACRS has been recently completed on the seismically induced systems interaction studies for the Diablo Canyon plant. The systems interaction program now underway also includes review for San Onofre similar to that conducted on Diablo Canyon; a review of Indian Point 3; and development of interim systems interaction regulatory guidance for subsequent use on up to six pilot light water reactor plants.
V.
Staff Coordination of Probabilistic Risk Assessment Effort - Other The Offices of Nuclear Material Safety and Safeguards (NMSS) and Nuclear Regula-tory Research are coordinating the development of a risk prediction methodology and computer codes for geologic waste repositories, including sensitivity analyses to identify high risk contributors.
NMSS has an ongoing program of assessing risk associated with the effects of natural phenomena on operating plutonium processing p'lants. This effort, which has already produced completed analyses on three of the six plants in question, involved RES from the planning stages through to the completed risk assessment for each plant.
Office of Standards Development, with some interaction with RES, has utilized risk analyses in some of their transportation studies, establishment of emergency planning zones, and in the development of some industry codes and standards.
A much larger cooperative effort among offices is underway to review accident sequences and associated radiological consequences to aid in the Reactor Siting and Minimum Engineered Safety Features Rulemakings.
The Office of Inspection and Enforcement has no ongoing programs to utilize probabilistic risk assessment; however, they will modify their routine inspection program when a ranking is established by NRR of the importance of various reactor systems.
Staff members from various Offices have participated in training sponsored by the Office of Nuclear Regulatory Research regarding probabilistic modeling and statistical analysis techniques. This training effort will continue and will be expanded to familiarize a wide spectrum of the staff with the concepts and techniques involved.
Likewise, the Fault Tree Handbook which has been developed by the Probabilistic Analysis Staff is being distributed widely throughout the agency.
In addition to these efforts, the Office of Nuclear Regulatory Research is sponsoring research in the areas of human reliability, including analysis of Licensee Event Reports and the development of the Human Reliability Handbook, and methodology development to improve component failure rate predictions.
IV. Summary
Reliability and risk assessments provide a tool to help identify dominant contributors to risk. The use of such assessments thus will improve the regulatory process.
Events since the January 18, 1979 Commission directive (to which this paper is a response), most notably the Three Mile Island accident, have caused the NRC staff to redirect and reconsider many of its practices and attitudes regarding the use of probabilistic risk assessment techniques in assessing reactor safety. As a result, staff practices have been evolving at a rapid pace to embrace an effective and expanded use of probabilistic techniques to identify design weaknesses and risk outliers. Such assessments must be tempered by seasoned engineering experience, since uncertainties in such assessments are large. The results of such reliability and risk assessments eventually will be used, in conjunction with other regulatory review processes, to better identify the minimum set of design requirements which must be met.
There is no intent to use these probabilistic assessments alone to eliminate or relax existing deterministic considerations at this time, since such assessments, by their nature, have large uncertainties and address only a portion of the spectrum of considerations necessary to fully and properly evaluate a plant design.
The role of RES has been one of pioneering the application of risk assessment in the regulatory process. Over the next several years, this evolving methodology will be transferred to the various program Offices. The program Offices will then assume primary responsibility for most of the routine applications of the methodology to specific safety problems and regulatory decisions and will establish user needs; however, RES likely will perform a peer review function for the program Offices for the foreseeable future.
In view of the increased staff coordination and commitment of resources to risk assessment efforts, and the ongoing application of these techniques to those areas identified by the Risk Assessment Review Group, the staff concludes that no further specific Commission level guidance or instructions are needed at this time to encourage the expanded use of these techniques other than a definition of the role of these techniques in any forthcoming safety goal for nuclear regulatory decision making. However, in order to assure that staff efforts in probabilistic risk analysis continue to be implemented effectively, it is essential that the various parts of the agency involved in these analyses continue to communicate among themselves, that all probabilistic risk assessment technical assistance and research contracts be reviewed for unnecessary duplication, and that adequate peer review be performed of probabilistic risk assessment work efforts.
Attachments:
1. Crystal River Unit 3 Study and Its Influence on IREP
2. Probabilistic Risk Assessment Studies Currently Underway

Crystal River Unit 3 Study and Its Influence on IREP
The need for a limited assessment of the risk associated with operating reactors became obvious during 1979 for several reasons. The accident at Three Mile Island Unit 2 demonstrated an event sequence that was different in several specific characteristics from those analyzed in the Reactor Safety Study because of differences in design and different demands on the operators.
In addition, various studies performed after the Three Mile Island accident indicated a wider variability in system reliability from plant to plant than was previously believed to exist. Chief among these studies was the analysis of the reliability of the auxiliary feedwater systems at all operating plants designed by either Combustion Engineering, Inc. or Westinghouse Electric Corporation. Thus, plans were initiated to develop a program to identify any high risk accident sequences which might be present at operating plants, using probabilistic risk assessment techniques. This project was also structured to build foundations which could be used for future risk assessment efforts and to provide a basis for long range development of risk or reliability based licensing assistance.
While the formulation of the specifics of the plan for accomplishing these goals was underway, interest was expressed in the early performance of a limited risk assessment of a Babcock & Wilcox designed reactor facility to determine the risk associated with such a plant in light of the experience gained at Three Mile Island and the many system modifications implemented as a result. Further, assistance was requested relative to the risk significance of the sensitivity of plant performance to the low secondary water inventory in the steam generators. Preliminary results were needed in a relatively short period of time to meet the needs of the licensing authority.
For this reason, the assessment of a Babcock & Wilcox designed plant, Crystal River Unit No. 3, was initiated in parallel with the formulation of a specific approach to the Interim Reliability Evaluation Program (IREP). Thus, the Crystal River Study did not have available a standardized approach, nor detailed guidance regarding content, scope of analysis, and means of applying existing methodology, as will the Phase II IREP plants. Further, the study was conducted prior to the availability of recent handbooks or listings of human error potential and component failure rates. The Crystal River Study, therefore, is more dependent on the WASH-1400 data base than the Phase II analyses will be.
The preliminary results of the Crystal River Study have influenced the nature of the Phase II studies. Greater emphasis will be placed on the search for common mode failures and dependencies between systems, particularly those support systems which not only can influence other systems but also, through malfunction, initiate a transient; e.g., control systems, DC power, pneumatic control system, and HVAC. Somewhat less emphasis will be devoted to the detailed modeling of system features which do not interact with other systems under any circumstances.
An additional lesson from the Crystal River Study was the need for close involvement of operations personnel from the utility on a day-to-day basis. In many areas, misunderstanding of procedures or the lack of knowledge of in-plant data complicated the Crystal River analysis and hampered its performance. The direct involvement of utility personnel on most of the IREP Phase II studies should reduce communication difficulties while permitting the insights gained from the analysis to be available to the licensee's organization in as short a time as possible.
In short, the Crystal River study was performed by a collection of experienced analysts from various laboratory and contractor organizations on a tight time schedule without having available standard procedures or methodology, or direct day-to-day contact with plant operations personnel.
Crystal River was an IREP pilot study, and lessons learned from that effort are being factored into the conduct of the Phase II IREP studies.
It should be recognized, therefore, that by its very nature the Crystal River Study is not prototypical of the Phase II IREP studies, nor was it intended to be so.
PROBABILISTIC RISK ASSESSMENT STUDIES CURRENTLY UNDERWAY

| Plant | NSSS/Containment Type | Parties Involved | Level of Effort (MY) | Estimated Completion Date | Scope of Effort (P, C, A, E) |
|---|---|---|---|---|---|
| Oconee | B&W/Dry | NCAS, 8 Utilities, Consultants | 15-20 | August 1981 | X X X |
| Sequoyah | W/Ice Condenser | EPRI, Utility, Consultants | 12-16 | Phase I - December 1980; Phase II - December 1981 | X X X |
| Limerick | GE/Mark II | Utility, NSSS Vendor, Consultants | 7-8 | December 1980 | X X |
| Zion/Indian Pt. I | W/Dry | Utilities, NSSS Vendor, Consultants | $30 (3 units at 2 sites) | December 1980 | X X X |
| Crystal River (Initial IREP Study) | B&W/Dry | NRC-RES, Consultants | 6-7 | September 1980 | X |
| Calvert Cliffs 1; Arkansas 1; Millstone 1; Browns Ferry 1 (IREP Follow-up Studies) | CE/Dry; B&W/Dry; GE/Mark I; GE/Mark I | NRC-RES, Consultants | 3-5 (per plant) | June 1981 | X |

2/ In addition to these larger studies, interim studies were performed and the results submitted to the NRC in mid 1980.

P - Accident Probabilities
C - Accident Consequences
A - Plant Availability
E - External Events