ML19284C735
| ML19284C735 | |
| Person / Time | |
|---|---|
| Issue date: | 12/30/1980 |
| From: | Hanrahan E NRC OFFICE OF POLICY EVALUATIONS (OPE) |
| To: | |
| Shared Package | |
| ML19284C670 | List: |
| References | |
| REF-10CFR9.7, TASK-PIA, TASK-SE SECY-80-551A, NUDOCS 8101200623 | |
| Download: ML19284C735 (82) | |
Text
4 ncu
- - Q:_ ), si \\
- e W d@!5/)/
- g POLICY ISSUE 4
December 30, 1980 SECY-80-551 A
~
(Affirmation)
FOR:
The Commissioners Gig
_g
- u FROM
EdwardJ.Han,'ahan,Directorf N
53
- ;J.
[j Office of Policy Evaluation M y
m u
SUBJECT:
TOWARD A SAFETY GOAL: DISCUSSION OF PRELIMINARY POLICY CONSIDERATIONS
REFERENCE:
SECY-80-551, Preliminary Policy Paper on Development of a Safety Goal PURPOSE:
To present for Commission review and approval for release for public comment a more detailed report supporting the proposed Statement of preliminary policy considerations involved in developing a safety goal, submitted for Commission consideration with SECY-80-551, on December 29, 1980.
After Commission approval for release, the report will be issued as a NUREG document.
BACKGROUND:
The draft Federal Register notice containing the proposed Statement (Enclosure 1 of SECY-80-551) refers to the sup-porting NUREG document that we now submit.
DISCUSSION:
The proposed NUREG document is enclosed.
Its organization parallels that of the Statement.
RECOMMENDATION:
We recommend that the Commission approve issuance of the enclosed report as a NUREG document, for public comment in conjunction with the Statement addressed in SECY 551.
C0 ORDINATION:
,The Inter-0ffice Steering Group on Development of a Safety Goal reviewed a draft of this paper.
Steering Group members' comments were considered.
Concurrence of this Group was not sought.
Enclosure:
Draft NUREG document 8101"00Q]
CONTACT:
~
2 Commissioners' comment or consent should be provided directly to the Office of the Secretary by c.o.b. Thursday, January 15, 1981.
Commission Staff Office comments, if any, should be submitted to the Commissioners NLT January 8,1981, with an information copy to the Office of the Secretary.
If the paper is of such a nature that it requires additional time for analytical review and comment, the Commissioners and the Secretariat should be apprised of when comments may be expected.
This paper is tenatively scheduled for affirnation at an open meeting during the week of January 19, 1981.
Please refer to the appropriate Weekly Commission Schedule, when published, for a specific date and time.
DISTRIBUTION Commissioners Commission Staff Offices Exec Dir for Operations ACRS ASLBP ASLAP Secretariat
+
Enclosure Draft NUREG Document TOWARD A SAFETY G0AL:
DISCUSSION OF PRELIMINARY POLICY CONSIDERATIONS
4 TOWARD A SAFETY GOAL:
DISCUSSION OF PRELIMINARY POLICY CONSIDERATIONS Contents Page I.
INTRODUCTION 1
~
A.
Background
1 B.
Purpose and Scope of this Report 1
C.
Organization of the Report 3
II.
CRITERIA FOR ASSESSING AN APPROACH TO A SAFETY GOAL 4
A.
Considerations in Formulating Criteria 4
8.
Proposed Criteria:
Formulation 1 12 C.
Proposed Criteria:
Formulation 2 25 D.
General Observations 33 III.
APPROACHES TO SAFETY-GOAL FORMULATION 36 A.
Methods of Approach to Acceptable Risk 36 B.
Possible Characteristics of Safety Goals 42 C.
Types of Quantitative Approach 46 D.
Approaches to Dealing with Uncertainty 52 E.
Considerations in Balancing of Values 56 IV.
SOME SAFETY-GOAL PROPOSALS 59 A.
The ACRS Proposal 61 8.
Other Proposals 61 V.
DEGREE OF SAFETY 78
I.
INTRODUCTION A.
Background
In accordance with the Plan for Developing a Safety Goal (NUREG-0735; also published in 45 FR 71023, October 27, 1980), the NRC Office of Policy Evaluation submitted for Commission consideration, on December 29, 1980, a preliminary policy paper, including a draft statement of prelimi-nary policy considerations involved in developing a safety goal.
This report provides a more detailed discussion of the considerations underlying the proposed statement.
The Commission has reviewed the proposed statement and this supporting report and has approved them for publication for public comment.
In accordance with further provisions of the Plan, the comments received on the preliminary statement and this more detailed report will constitute a part of the considerations leading to preparation of a policy paper, including a draft policy statement.
This paper will be prepared by the Office of Policy Evaluation and submitted to the Coraission for its consideration by August 1981.
Subsequently, the Commission intends to seek additional public comment on the policy statement based upon the August 1981 paper.
B.
Purpose and Scope of this Report The purpose of this Discussion of Preliminary Policy Considerations is to indicate and examine the kinds of considerations which may enter into an
4 articulation of the Agency's safety goal and require 'urther deliberation, rather than to set down a single tentative approach.
Early policy development efforts have focused primarily on radiological accidents associated with power reactors.
Current efforts, however, are intended to include considerations of sabotage and other external events and to adopt and apply safety goals to other nuclear facilities and operations were the need is evident and practicalities permit.
Furthermore, a safety goal to be adopted by the Commission must be consist-
~
ent with the general goals of nuclear power regulation both explicit and implicit in the Atomic Energy Act and the Energy Reorganization Act of 1974, which created the NRC.
The essence of any non-trivial safety goal is the balance struck between safety and other competing interests.
Striking such balances is usually a matter of public policy as expressed and controlled by legislative action.
Thus, the evident intent of Congress places at least some polar limits on the safety goals we might consider.
A goal of "zero risk,' for example, would ensure safety at the cost of sacrificing all other goals which motivated Congress's approach to nuclear power regu17 tion.
Courts have made it clear that "zero risk" is not a necessary or appropriate standard for the NRC to apply.
At the other pole, a safety goal wtich ga; decisive weight to the interest of promoting nuclear power development, even at the cost of high risk to the public, would clearly be inconsistent wit'. ihe non promotional posture established for the NRC by the Energy Reorganization Act of 1974.
Apart from these obvious extremes, however, the legal constraints on what safety goal
4 might be appropriate for NRC adoption are not clearly defined.
Certainly the Commision would give strong consideration to seeking legislative action to confirm a desirable safety goal if there were any doubt about its consistency with the statutory scheme.
At this stage, however, the Commission believes it sufficient simply to note that evaluation of candidates for a safety goal involves consideration of the statutes controlling the regulatory activities to which the goal would be applied.
C.
Organization of the Discussion The articulation of a safety goal must not only stipulate a required degree of protection that is sound, but must also be formulated in a way that is useful in a practical, regulatory sense, in a way conducive to achieving the goal.
The Discussion begins with an exposition of the criteria by which the quality of a candidate approach to safety goal formulation may be judged.
No one definitive set of criteria has been selected; rather, criteria are at this time discussed as options.
The potential criteria and their selection are part of the subject matter regarding which public comment is sought.
The Discussion next addresses alternative approaches to safety goal formulation.
This section includes alternative general methods of approach, types of safety goals, types of quantitative approach, approaches for dealing with uncertainty, and comments about some aspects of balancing of risks and of safety and other values.
4
. Presented next are some safety goal proposals.
These include a proposal recommended to the Commission for preliminary consideration as an option by the Advisory Committee on Reactor Safeguards and five other proposals known to the Commission.
Finally, there is a short discussion of degree of safety, since all or most of the potential approaches can be adapted to establishing a degree of protection at any level over a wide range of possible levels.
Selecting that level on a sound basis is, of course, the paramount objective of the effort to develop a safety goal.
II.
CRITERIA FOR ASSESSING AN APPROACH TO A SAFETY GOAL A.
Considerations in Formulating Criteria The utility of a safety goal partly depends on the validity of the approach leading to its selection.
An approach which does not recognize and accommodate the many and diverse complexities of the issue of nuclear safety is unlikely either to achieve an appropriate safety goal or to persuade others that it has done so.
For a sound, reasonable safety goal to result, the approach to their formulation itself must be reasonable as well.
To arrive at this determination reouires an explicit discussion of what constitutes a suitable approach to the problem.
The formal result of that discussion is guidance in the form of a set of criteria for assessing an approach to safety goals.
Such a set of criteria can be stated, ordered, and emphasized in various ways.
Since the range of possible criteria and sets of criteria is
. great, some reason for choosing among them is also necessary.
At the very least, possible criteria or sets of criteria should lead to the selection of an approach having six basic characteristics:
reach, clarity, verifiability, reasonableness of results, practicality, and public acceptance.
These characteristics are discussed below; two lists of proposed criteria follow that discussion.
1.
Reach.
The reach of the safety goal formulation involves two related basic questions:
To what extent does the formulation address significent elements of the issue?
How comprehensive is it in the facilities and activities that it covers?
The characteristic of reach derive importance from the very nature of an agency safety goal statement:
such a statement would seek to rationalize safety regulation at a higher level of aggregation of issues than other regulatory instruments (rules, case decisions, etc.).
A part of the reach characteristic relates to the generality of the policy; another, to what special issues are included, notably:
s Safety-cost trade-offs.
Relation between goals for plants in operation, being built, or planned.
Goals for future improvements.
A major current issue in safety goal formulation relates to power-reactor accident considerations, more particularly, major accidents.
Specific criteria within the accident-safety issue could relate to whether and to what extent the stated goal policy includes within its sphere of determination or influences:
rules and case decisions on plant uusign, operation, siting, emergency planning, degraded-core provisions, anticipated transients without scram, off-site contin-gencies, etc.
Tney could relate to whether it includes a policy on decisions under uncertainty and the extent to which it excludes accident considerations that pose difficult policy problems (e.g.,
any implications for dilemmas of operational discipline vs. individual rights).
2.
Clarity.
The statement of the goal should be clear in two senses:
In a technical sense, to ensure that it can be given due meaning in technical evaluations underlying regulatory decisions.
4 In a sense of being understandable by the vast majority of citizens.
This clarity is important because broad public interests are involved; the goals are formulated in a context of differing perceptions, concerns, and value judgments, and because clarity will promote the goals of public consideration and debate.
The first of there may be largely a matter of definition of terms.
If the policy calls ror reactors being "very safe," what dos = that mean?
If it calls for a " major accident" have an annual probability of occurrence of 10'*, what sort of accident is mear.t!
For the second (public) aspect of clarity, it is, in addition, a matter of exposition of the significance of the goal, its relation to familiar risks, and the facts, considerations, and reasoning that underliu s'e ictmulation:
3.
Verifiability.
The question of how clearly a safety goal can be interpreted in terms of regulatory actions (on which hinges the predictability of such actions) involves not only the clarity of the goal statement but als) the possibility of verification, of measurement.
The basic question is:
How clearly can it be known whether a particular action serves or is consistent with that goal?
. How can one know, or reasonably judge, whether some low probability 6
target (say, 10 per reactor year) is met?
It should be noted that absence of strict verifiability, in a statistically meaningful sense, does not doom all quantitative goals for high-consequence, low probability events to failure on this criterion.
- However, available options to deal with the verification problem may introduce weaknesses with respect to other criteria by leaving troublesome decisions outside the purview of the goal or by introducing some fallible arbitrariness into its interpretation.
4.
Reasonabicness of Results.
At issue here is the extent to which the policy leads to coherent and reasonable results.
It is an underlying assumption in efforts to develop a safety goal that a cohesive structure connecting the important interrelated issues in safety regulation can lead to better safety and better management of resources devoted to safety than disaggregated decisions alone.
A result-oriented test of a proposed policy is whether it can be applied to different aspec b of a set of issues and whether, when so applied, it leads to reasonable results in each (e.g., siting, containment features, degraded core, ATWS, operator training).
.g.
These are the characteristics that watch for pitfalls in terms of unintended effects.
Specific characteristics include these:
Does tne policy direct attention and resources to issues that are both significant and tractable?
Does it encourage or stifle initiatives to improve safety where warranted?
While striving for coherence, does it allow enough flexibility for addressing related issues (especially in view of the uncer-tainties in them) differently when it is reasonable to do so?
(A recently corrected difficulty that illustrates this issue is the impact of the old " low population zone" (LPZ) concept on emergency planning requirements.)
A stark articulation of the results tests is:
Though the goal statement appears acceptable, does it lead to results that are not? Notably, could it be used to justify licensing a reactor where that result is not intended? Would it lead to shutting down a reactor or denials of applications and do so not for good cause, but as an unintended result of a rigid goal formulation?
e 5.
Practicality.
The practicality of a safety goal approach depends on how adequately the pertinent technical, industrial, institutional, and human capaci-ties and limitations are taken into account.
Significant aspects include:
Implementability.
To what extent does it build on the most useful available technical knowledge? To what extent does it build on industrial capacity to comply? To what extent can the policy be in fact expected to be effectively translated into useful regulatory and licensing results by NRC staff, Licensing Boards, the industry, intervenors, the courts?
Realism in the face of uncertainty.
Does it properly reflect recognition of uncertainties concerning probabilities and consequences of unwanted events, including uncertainties that can be narrowed by experience, research, and analysis, and those that caanot?
Flexibility.
How well can it accommodate new knowledge, new insights, new potentials for worthwhile improvements, correction of gradually discovered error?
Efficiency in use of resources.
How well does it channel resources for hardware, operation, analysis, and regulatory and licensing processes to areas of high safety benefit?
. Transition problems.
What problems are involved in transition from current practices to the new practices demanded by the goal? Can it accommodate reasonable safeguards against counter-productive dislocations in going from known, established approaches to approaches that are more promising but less tried, less known?
6.
Public Acceptance.
The question of the extent to which a safety goal is acceptable to affected groups is complicated by the heterogeneity of the public.
Industry, nearby residents, the general public and its various interest groups are affected differently.
Values and perceptions differ, and there are differing reasons and pressures to accommodate different views.
Ultimately, it is the public in its social and political forms that determines the values that the safety goal must serve.
The agency's safety goal must be sensitive to each group's values, even though value conflicts are inevitable.
An approach should be acceptable to a majority and not be totally unacceptable to any significant fraction of the public.
There is a particular burden on the agency to seek to impart to the public a sound perception of risks addressed and of the relation between policy and result.
A significant criterion in the public-acceptability category is whether a policy is distorted by dichotomies in technical and public perceptions or by damaging errors in public
. understanding of the facts or in agency predisposition.
The agency must not be an advocate of nuclear technology; rather its job is to set out what is known and, under. Congressional oversight, establish and implement working safety goals.
B.
Proposed Criteria:
Formulation 1 A set of criteria for selection of an approach to acceptable risk for NRC consideration was prepared by a team led by Dr. Paul Slovic, of Decision Research.
The Decision Research team identified seven qualities desired of an approach to making acceptable-risk decisions:
an approach should be comprehensive, logically sound, practical, open to evaluation, politi-cally acceptable, compatible with institutions, and conducive to learning.
These criteria are intended by the auti. ors for use in an analysis of possible approaches, to examine how each approach could, in principle, satisfy the criteria and how well each approach currently does so in practice.
They note, however, that although such an analysis evaluates the decision options from various perspectives, it does not tell which to choose.
Unless one option surpassed the others in all respects, society must decide which criteria are most important.
Such judgments of impor-tance might reflect personal values, legislative mandates, or the exigen-cies of particular situations.
The approach preferred for one problem might be rejected in another situation for which its particular strengths (e.g., political acceptability) were not essential.
The Decision Research team's discussion of the seven criteria follows.
This discussion is an edited version of a report adapted by the authors
. from Chapters 2 and 3 of their Approaches to Acceptable Risk:
A Critical Guide, NUREG/CR-1614; ORNL Sub-7657 (U.S. Nuclear Regulatory Commission; Washington, D. C., 1980)
Like other decisions, deciding how to decide involves a choice among alternatives.
The alternatives are the various possible decision-making methods, including the "do nothing" option of letting matters run their own course.
The choice among them is difficult, in part, because the alternatives are not readily compared.
Each embodies a somewhat different concept of what concerns deed to be addressed and what constitutes a rational procedures for amalgamating those concerns into a decision specifying a course of action.
One way to compare diverse methods is to evaluate each in terms of a common set of criteria.
This discussion offers one such set, representing what a society might want out of an approach.
It describes the importance of each criterion and how ic might be applied to various decision-making approaches.
Having evaluated how well each of a set of approaches satisfies each criterion, in theory and in practice, does not by itself indicate which approach to choose.
Unless one approach surpassed all others in all respects, it would still be necessary to decide which criteria are most important.
These importance weights might be different for different individuals and institutions.
In that case, some procedure would be needed to establish " official" priorities.
Weights may also vary across decisions, with the approach preferred for one problem being rejected in another for which its particular strengths were not as essential.
In
. this case, some procedure would be needed for identifying classes of decision problems with their respective criterion priorities.
1.
Comprehensive Acceptable-risk decisions are among the most difficult faced by modern society.
Addressing all the issues they raise requires expertise from the natural, mathematical, 2..a social sciences, as well as from engineering and the humanities.
These issues may be described in terms of five generic sources of uncertainty or complex-ity facing any decision-making approach.
Failure to address all of them explicitly and persuasively means that an approach is, at best, solving only part of the problem.
Uncertainty about problem definition.
The problem definition estab-lishes the universe of discourse for the decision-making process.
It determines (a) that there is a decision to be made; (b) what action options and consequences (e.g., risks, cost, benefits) are valid considerations; and (c) what kinds of information and uncer-tainty are worthy of note.
Often the decision has effectively been made once its definition is set.
A method should encourage a creative and comprehensive definition.
Failing that, it should at least indicate what has been left out and the implications of those omissions.
Uncertainty about the facts.
Incomplete and conflicting information is the lot of most acceptable-risk decisions; an approach must be able not only to live with that uncertainty, but to treat it in an
. explicit and credible fashion.
It needs to elicit and consider the range of opinion within the relevant technical fields as well as the limits to the methodologies used by those fields, so as to provide non-technical decision makers with a realistic appraisal of what is known.
Uncertainty about values.
Acceptable-risk decision makers are typically entrusted with acting in accordance with some vaguely defined " society's best interest." Their task is complicated by the conflicting arguments regarding how that definition should be sharpened and the natural tendency for arguers to mix their own best interests with those of society.
An approach should acknowledge these uncertain-ties about how to evaluate different consequences and explicate the assumptions made by various evaluation procedures (e.g., different economic analyses).
Furthermore, it should identify cases in which the issues are so novel or complex that society or its citizens do not have articulated positions.
Uncertainties about the human element.
Acceptable-risk problems involve a variety of human actors.
As consumers, voters, legislators, regulators, operators, and promoters, peoples shape technologies, the world within which they operate, and the effective degree of risk and benefit that society derives from them.
To be useful, a method must make explicit, realistic assumptions about how these various people perceive and respond to risks and to information about them.
_ Uncertainties about decision quality.
An appraisal of the overall quality of the decision reached by an approach tells users how much confidence they should place in its conclusions.
It tells the purveyors whether they should try again before reaching any conclu-sions, perhaps by recruiting more information, assessing value issues more thoroughly, consulting additional individuals, changing the problem definitior, or using an alternative method.
In principle, an approach should be capable of reporting that it is not up to the task, either because the uncertainties are so great as to render its conclusions indeterminate or because crucial uncertainties lie in areas that the method does not address.
2.
Logically Sound Delineating the problem is not synonymous with providing guidance.
Indeed, comprehensiveness alone can lead to confusion and frustration.
To be useful, an approach must provide a timely and logically defen-sible summary of all that it encompasses.
Without such summaries,
" analyses" can unfairly discourage projects by inducing a feeling that "we should not mess with anything that is so poorly understood,"
breed mistrust by making observers think that "they must be hiding something in that morass," or encourage capricious action by suggest-ing that "we might as well go ahead with this project since there is not convincing evidence against it."
Thus, a viable approach must produce some conclusion, if only " collect more data; we do not know enough to decide at the moment."
. In addition, that conclusion must be derived via a defensible decision rule.
Such a rule would be:
(a) Sensitive to the various aspects of a decision problem; changes in the alternatives, facts, values, or uncertainties considered should be capable of leading to different recommendations; (b) Reliable (or reproducible), in the sense that repeated applica-tion to the same problem should produce the same result; (c) Justifiable, in terms of either theoretical arguments, demon-strating why it should lead to good decisions, or empirical evidence showing that it has worked in the past; (d) Suitable to societal risk problems and not uncritically imported from the other realms (e.g., from corporate decision making or problems without potential loss of life); and (e) Unbiased in its recommendations, not giving undue weight to any interest or type of consideration.
3.
Practical Like the technologies they are meant to manage, decision-making methods must work in reality, as well as look good on the drawing board.
It must be possible to implement the approach with real problems, real people, and real resource constraints.
. Real problems.
To apply an approach, one must establish a reasonable correspondence between its terms and equivalents in reality.
Cost-benefit analysis, for example, has limited usefulness when generally accepted operational definition of " cost" are lacking.
Any approach could fail if it used one statistical summary of risk (e.g., expected annual fatalities) when policy makers were interest in others (e.g.,
catastrophic potential), or if it were able to consider only a fixed set of alternatives in a reality that persisted in creating new ones.
Real people.
Weighing strategies for the management of a technological hazara l: a labor intensive enterprise drawing upon a select pool of skilled individuals, including substantive experts (those who know most about a particular hazard) and normative experts, specializing in decision making per se).
Can enough of these special people be recruited for a reasonable facsimile of the approach to be implemented?
If experts can be found, does their task use them to best advantage?
Is it too novel and complicated to be comprehended? Do its questions fit the cognitive structure of the expert's knowledge? Finally, an approach must consider any possible bias on the part of the experts, due to pecuniary or scientific vested interests.
These questions become more acute as the scientific data base shrinks and experts are asked to create instant knowledge, in the form of educated intuitions, rather than draw upon the fund of knowledge that has undergone peer review.
. Resource constraints.
An approach must work adequately in the time and money constraints of real-time decision making.
Often, decision makers turn to a new method when they need help quick, in order to respond to a crisis in which traditional decision-making procedures have failed.
Even when time is available, decision makers may be reluctant to spend hard cash for the probabilistic benefits of good advice, which at best increases one's chances of making the right choice.
If an approach needs to be done right or not at all, it should at least identify situations in which some analysis is not better than none at all.
4.
Open to Evaluation As discussed earlier, assessing the quality of a decision or method is hard under the best of cirucmstances.
An approach should not make matters worse by obscuring its internal functioning.
All those whose fate it is deliberating have a right to ask:
What are its underlying assumptions? What are its political and philosophical roots? What options does it foreclose or prejudge? Where are fact and value issues mixed? What inputs were used? What computational procedures were followed? How much uncertainty surrounds the entire enterprise?
Providing answers to these questions is essential to the validity of an approach.
Many acceptable-risk questions are so complex and multi-disciplinary that no one can expect to get the right answer on the first try.
In such cases, an approach should indicate that it
. is only an approximate answer.
Moreover, it should invite construc-tive criticism designed to spot omissions, errors, and hidden assump-tions that can be treated in a subsequent iteration.
Even destructive criticism may be better than none at all, if it catches some problems and adds some new perspectives.
Evaluation is particularly frustrated by poorly defined procedures and lack of conceptual clarity.
The unexamined approach is hardly worth using.
An approach that fails to test its effectiveness and clarify its prejudices is not be trusted.
5.
Politically Acceptable An approach can fail in the harsh, politicized world within which hazards are managed because it works too peorly, works too well, or works in a vacuum.
If an approach has serious conceptual flaws (e.g., because it mis-defines the problem or has no defensible integration rule), critics will readily impeach any displeasing recommendations it produces.
For example, the fuzzy logic of some environmental impact statements exposed them to interminable litigation by parties dissatisfied with their conclusions (or intent on procrastinating).
At the other extreme, an approach may encounter little resistance because it is so poorly operationalized that all interested parties see how they can manipulate it to their own purposes.
In time, combatants may learn to conduct their debates in, say, the nomenclature of cost-
. benefit analysis, transforming the techniques into a rhetorical device and voiding its impact.
Conceptual strength can also encourage political complications.
If an approach produces a clear, persistent, and unwanted signal, the offended parties may choose to discredit it, rather than just fight one particular conclusion.
For example, an approach that redressed an existing imbalance of power between producers and consumers, employers and employees, or laborers and the general public might be attacked by the side whose advantage it jeopardized.
Finally, an approach can fail by disregarding means in its quest for the optimal end.
In any participatory system, recommendations must be sold as well as generated.
One aspect of that selling job is to insure that people's views have been accommodated.
Usually that means asking them early and sincerely enough to affect even the problem definition.
Attention to the process of decision making may also facilitate the creation of solutions, by negotiating settlements between opposing parties, i oreover, a good process may itself have positive consequences, such a: helping participants live and work together, reducing social alienation, and enabling participants to monitor a decision's implementation by educating them in its rationale and technical details. With a successful approach, process may be its most important product.
. 6.
Compatible with Institutions For better or worse, hazards are being managed today.
To accommodate this management, a complex of social institutions has evolved.
An approach's chances of survival drop as it departs from the standard operating procedures of the institutions.
Even a method that satisfies the other six criteria might not get very far if no one is empowered or ordered to heed its recommendations, if legal precedents bind the hands of crucial actors, if it fails to produce the paperwork required for documentation, or if the personnel it requires are neither found nor wanted in the relevant agencies.
On the other hand, an approach may fit too well.
Institutions have their own agendas, which need not coincide with those of the people they represent.
Decision makers in some institutions may prefer an approach that cloaks their decisions in ambiguity, reduces their accountability, establishes a position for them in hazard management, defers difficult value questions to external " experts," or studies hard issues forever.
Hence, the institution as well as the approach may need adapting.
7.
Conducive to Learning Attempting to satisfy these criteria encounters a fundamental conflict:
the need to respect political and institutional realities without being overwhelmed by them.
A final objective is to change those realities.
An approach should educate its participants, eliminate opportunities for obstructionism, and build up its own record of
. precedents.
Somehow society should become better o= wiser for its adoption.
Achieving this objective might even lead one to sacrifice short-term benefits, such as efficiently solving a particular problem, for the sake of long-term goals, such as developing generic standards.
Features that make an approach conducive to learning include:
(a) leaving a clear record of deliberations and assumptions, to facilitate evaluation and the cumulation of knowledge; (b) encouraging two-way communication between scientists and decision makers, to improve understanding of one another's problems and uncertainties; (c) educating lay observers, to enhance their ability to follow the process and develop expertise in the subtleties of acceptable-risk questions; (d) having enough generality to be used on many problems, allowing users to acquire an in-depth understanding of one technique, rather than a superficial grasp of many problem-specific methods.
One, more active, role an approach might fulfill is recruiting talented scientists and lay people to a problem.
Another is alerting users to recurrent oversights.
A third is indicating generic cate-gories of hazards that can be managed in a consistent fashion, drawing on the same decision-making effort.
A fourth is increasing the credibility of society's decision-making bodies by offering them more trustworthy tools.
Perhaps the most general criterion for judging the contribution of an approach to long-term effective management may be whether it raises the level of debate.
. Contrasts and Conclusions Like the approaches they are designed to evaluate, these criteria are not entirely independent.
Weakness in some respect may preclude strength in others.
An approach is unlikely to be comprehensive if it does not elicit competent criticism from a variety of perspectives.
Without openness to evaluation, there is little opportunity to learn from experience and increase understanding over the long term.
An approach with obvious logical flaws is unlikely to fare well politically.
As a result, an approach that stumbles in one respect is likely to encounter other difficulties as well.
On the other hand, some of these goals may be in conflict.
It may be easier to find a logically sound integration rule if one leaves out certain awkward issues, thereby sacrificing comprehensiveness.
Political acceptability may require involving so many parties in the decision-making process that the constraints of the responsible institutions are overwhelmed.
Openness to eva?uation may mean vulnerability to cheap shots and unfair criticism, thus impairing political acceptablilty.
If no approach does, or even can, satisfy all of these criteria and if their respective strengths and weaknesses lie in different realms, then we must decide what we really want.
As a result, the choice of an approach is a value-laden act, reflecting our preferences for how society should look and function.
. C.
Proposed Criteria:
Formulation 2 An alternative taxonomy is presented in a paper prepared by Roger Mattson, Malcolm Ernst, Warren Minners, and Miller Spangler, all of the NRC Office of Nuclear Reactor Regulation (NRR).
Their paper, " Concepts, Problems, and Issues in Developing Safety Goals and Objectives for Commerical Nuclear Power" (draft dated August 13, 1980), has been submitted for publication in Nuclear Safety.
The discussion of its taxonomy of six criteria appears below.
Before NRC chooses any particular set of safety goals, it needs to consider alternatives.
The safety goals that are selected for more in-depth consideration as alternatives will then need to be evaluated comparatively against some established criteria.
Generally, it might be expected that the same set of criteria will more or less serve both the selection and the evaluation of alternative goals.
First of all, criteria for candidate goal selection and evaluation would comprise estimates of their effectiveness in serving their societal purposes.
A re-examination of the five purposes suggested above [in their paper] reveals that they are highly subjective.
Moreover, as previously noted [in their paper], the effectiveness of the goals will in part depend upon program strategies and resource allocations.
Also, perceptions of how well various goal candidates serve these purposes may differ widely, if past experience is a guide.
With these thoughts in mind, we propose that it would be helpful if the primary purposes for a safety goal formulation were buttressed by additional selected criteria of the type discussed below.
. 1.
Comprehensiveness in Covering the Various Risks of Significant Social Concern It is difficult, on its face, to imagine how a single, overall safety goal could speak to all of the various risks of significant concern as these are presently perceived by different segments of the public, the nuclear industry, the NRC and other agencies of gcvernment.
The complexity introduced by needed to speak to multiple audiences is compounded by the question of how the safety goal might be perceived by future generations whose interests are, to a signifi-cant degree, entrusted to our decisions.
Both the National Environ-mental Policy Act of 1969 (Sec. 101(a) and (b)(1)) and the Energy Reorganization Act of 1974 (Sec. 2(a)) provide policy directives regarding impacts on future generations.
The variety of audiences is not the only reason that a single overall safety goal might not suffice.
The overall risk of nuclear reactors would not cover the overall risks of the nuclear fuel cycle which, in turn, are important to a comparative analysis of risks of alterna-tive sources of energy for generating electricity.
On the other hand, an overall goal which addresses the risk for all elements of the fuel cycle would conceal the spatial and temporal distribution of risk.
It therefore would deny an exploration of equity considera-tions in safety policy decisions.
Moreover, an overall safety goal for nuclear reactors at each given site of not exceeding some particular probability of excess deaths
- per year (or shortening of life expectancy) would not, of itself, address concerns for the kinds of serious economic damages to con-sumers suffered in the TMI accident nor concerns for land use or property damages external to the plant boundaries in the event of an accident involving substantial offsite releases of radioactivity.
Nor would such a goal address the costs in human anxiety often associated with the catastrophic and involuntariness aspects of nuclear risks.
Thus, the comprehensiveness of the proposed safety goal, or the candidate set of safety goals, in covering the various risks of significant social concern is an important criterion in their selection and making comparative evaluations for deciding on safety goal formulation.
2.
Verifiability of Goal Attainment Safety goals which have a low order of verifiability would not be expected to produce a high level of acceptance.
Certain kinds of quantitative as well as qualitative goals may suffer from a low order of verifiability.
In some instances, qualitative goals may be stated in such vague or ambiguous terms that various parties will interpret them differently or perhaps be confused as to how to interpret their practical significance.
Similar confusion and disagreement may also accompany the ex post facto interpretation of historical experience in the verification of previously established goals.
Likewise, certain quantitative goals may pose difficulties of verification.
For example, 30 tosses of a coin may provide a suitable number of observations to provide reasonable verification
. that the actual probability of tails is 50 percent for a single toss of a coin.
However, safety goals involving accident rates of low order probabilities (such as once in a hundred thousand or a million reactor years of experience) is scarely verifiable with 500 or even 1,000 years of reactor operating experience.
Nor, if such an event did happen within such a period of experience, can it be verified that the correct assessment of probabilities should have been once in 500 or once in 1000 reactor years.
There still remains a broad range of uncertainty that the true value is greater or less than such an empirically derived frequency.
The verification problem is even worse when one considers the heterogeneity of reactor designs and site or regional characteristics of importance to safety events, as well as variations in human factors affecting the design, construction and operation of each particular nuclear plant.
The problem, of course, may be made less severe if an overall quantitative goal involving a low-frequency event does not stand by itself but is part of a more comprehensive goal set in which supporting goals and standards have a higher order of verifiability.
Accordingly, close attention to the criterion of verifiability in the design of a candidate goal, or goal set, can appreciably improve it' comparative rating.
For example, an intermediate level of detail in a particular goal set might treat the rate and the consequences of anticipated operational occurrences as they are presently defined in 10 CFR.
Such a goal set would get a higher rating on this attribute than a goal wich treated only the rate and consequences of core-melt accidents.
. 3.
Clarity and Understandability of the Goal To an important degree, this criterion interfaces with the previous criterion of verifiability.
A goal statement that suffers from ambiguous or imprecise wording (such as " adequate protection" or "no unreasonable risk") is likely to have a low order or verifiability and at the same instance deserve a low rating for clarity and under-standibility.
Nevertheless, there can be an important difference between the two attributes when one considers the wide variations of education, experience and personal biases affecting preference and understandings of word choices and numerical forms.
For example, stating a safety goal in negative powers of 10 may have clear and precise meaning to technologists or others trained to understand such terminology, but produce a bewildering effect on people who lack such training.
The same may be true for supporting safety standards whose attributes are expressed only in terms of millirads, pico curies or person rems.
In some cases, only simple adjustments to the goal statement would need to be made to improve the rating of this criterion.
The evaluation of this criterion requires that one not simply ask whether the goal formulation is clear and understandable, but to whom it is clear and understandable.
This may suggest that an acceptable goal set must have several equivalent wordings at various levels of scientific sophistication.
As discussed below, goal achievement is often subject to a number of factors that are partially, if at all, controllable by the parties held responsible for goal attainment.
For example, the incidence
. and magnitude of certain natural or man-made events such as earth-quakes, floods, fires, or explosions leading to common mode failures may be beyond the full control of nuclear regulators, equipment manufacturers, or plant operators.
Population densities and land use patterns in the vicinity of nuclear plants may also change.
Even when the subject of control is not at issue, there may be significant deficiencies of information for which certain assumptions or engineering or management judgements are then made.
Thus, for improve clarity and understandibility, the goal, or goal set, must be conditioned by explicitly stating the underlying assump-tions so that the practicality and degree of realism of goal attain-ment can be better appraised.
In the long run, a conditioned goal will probably instill more trust than if seemingly unconditioned goals are presented and the essential underlying assumptions are unarticulated, hidden, or neglected in the goal formulation process.
4.
Harmonization of the Safety Goal, or Goal Set, with Other Societal Interests The degree to which the expressed safety goals are compatible with other societal interests in an important attribute.
A large number of writers on risk assessment and risk management view the fundamental problem as one of balancing risks with other costs and benefits and especially in comparison of risk acceptance of risk-rejection decisions vis a vis alternatives.
The statement of goals and objectives in NRC's first Annual Report recognizes the vital aspect of examining
. such trade-offs as does the President's Commission recommendation (for NRC) to establish safety-cost trade-offs.
It is clear that the term " cost" should not be viewed in the narrow sense of direct dollar cost associated with safety measures.
Rather, cost should also include the full gamut of adverse societal effects envisioned in NEPA requirements.
Moreover, there is the additional perspective of " opportunity costs," which are a measure of the benefits foregone in the alternative use of resources.
5.
Defensibility of the Goal, or Goal Set The defensibility rating of the candidate goals would be determined by a variety of attributes, some of which are overlapping the above criteria.
Additional aspects of defensibility are conceptual sound-ness, practicality of implementation, adaptability to available resources and institutional constraints, and flexibility in accom-modating diverse situations.
The defensibility of the goals will also be determined by the accept-ability and explainability of the procedures by which they were formulated.
A goal-setting procedure involving public input at all stages and providing an explicit account of the considerations that enter into the subjective judgements will stand a superior chance of being defensible.
. 6.
Safety Goal Advocacy and the Division of Responsibility The establishment of effective, defensible safety safety goals will demand a certain measure of statemanship in taking into account the initial pattern of safety goal preferences of the principal advocates as well as known predispositions of other influential segments of society.
Several advocacies of quantitative safety goals have been cited in the introduction, and an even larger number is found in the literature dealing with technological risks.
There are also a number of advocates of qualitative safety goals, particularly for those kinds of risks for which numerical verification is questionable or where there is a failure of a single, or several, quantitative safety goals to be adequately comprehensive in reflecting the key risks and interests of societal concern.
Obviously, there is more room for accommodation of various stake holders if, in lieu of a single goal, a goal set is chosen which may have a combination of goal forms organized in a consistent and logical fashion.
For example, the supplementing of an overall safety goal with a well chosen set of supporting objectives of safety standards may provide a strength and acceptance in their unity that would not be achiev.able when viewed separately.
The design of an effective goal set will require close attention to the profile of strengths and weaknesses of each member of the set in the light of the above evaluation criteria, including the known predisposi-tions or positions of ad',ocacy among influential segments of the
. public.
No such goal harmonization efforts, however, can be expected to receive acclaim or even acceptance from all quarters.
The NRC should not establish all of the goals or supporting standards by which safety is promoted.
Some part of this effort should be conducted by nuclear equipment vendors and nuclear utilities because of their primary responsibility for designing, constructing, and operating nuclear plants safely.
Other reasons for a division of effort in safety goal formulation between NRC and the industry are those of resource allocation and utilization as well as divisions of authorities (e.g., for " hands on" operations).
However, the respon-sibilities among the various participants in nuclear safety goal formulation need to be clearly defined and a schedule of complementary goal formulation efforts needs to be established so that a reasonable degree of agreement on the goal formulation process can be reached in a timely way.
D.
General Observations Slovic et al. (og. cit.) say the following concerning the criteria that they propose -- and this can be said of alternative formulations as well:
Like the approaches they are designed to evaluate, these criteria are not entirely independent.
Weakness in some respects may preclude strength in others.
An approach is unlikely to be comprehensive if it does not elicit competent criticism from a variety of perspectives.
Without openness to evaluation, there is little opportunity to learn
- from experience and increase understanding over the long term.
An approach with obvious logical flaws is unlikely to fare well politi-cally.
As a result, an approach that stumbles in one respect is likely to encounter other difficulties as well.
On the other hand, some of these goals may be in conflict.
It may be easier to find a logically sound integration rule if one leaves out certain awkward issues, thereby failing to address parts of the problem.
Political acceptability may require involving so many parties in the decision-making process that the constraints of the responsible institutions are overwhelmed.
Openness to evaluation may mean vulnerability to cheap shots and unfair criticism, thee impairing political acceptability.
If no approach does, or even can, satisfy all of these criteria and if their respective strengths and weaknesses lie in different realms, then we must decide what we really want.
As a result, the choice of an approach is a value-laden and political act, reflecting our pre-ferences of how society should look and function.
Whatever the basic formulation of criteria, a wide range of evaluation options exists in terms of the degree of emphasis accorded to the various categories of criteria or to specific criteria within each category.
Thus, one might emphasize comprehensiveness of the policy, at the cost of toleration of interpretive difficulties.
Alternatively, clarity and ease
. of -interpretation could be emphasized, at the cost of limiting the policy's reach to the more readily tractable parts of the issue.
On the basis of the foregoing af scussion, specific sets of criteria, with assigned degrees of emphasis, could be structured into a selected number of discrete evaluation-method options.
We do not do so at this time, and we leave open for now the question of whether such discrete options should be constructed later in the Commission's safety goal program.
Indeed, we recognize as an open question to what extent it is desirable to articulate a full set of criteria, perhaps with weights assigned, in advance of the approach-selection decision process.
An alternative to full a priori articulation is a process in which definitive articulation of specific criteria and decisions about the relative weights to be assigned them are arrived at as an integral part of the decision process.
Finally, we note that, in the program's early stages, the criteria should be applied tolerantly so that candidate approaches would not be too easily rejected from further consideration.
As the program progresses towards the narrowed set of options of the later policy paper, a more demanding interpretation of criteria will, it is hoped, lead to the desired narrowing -- and perhaps eventually to a single recommended approach.
. III. APPROACHES TO SAFETY GOAL FORMULATION An approach to developing safety goals presupposes the existence of and compliance with a set of criteria which validate it.
It also presupposes its competence to address the compiexities of the issue of nuclear safety and of assessing proposed safety goals or amending existing ones.
These presumptions allow a wide range of possibilities, however, since approaches may differ in method, form, and emphasis, and be formal or informal, simple or complex, in their application to the issue before them.
In this section, discussions progress from a characterization and assess-ment of three broad kinds of approaches, to a consideration of certain features inhering in possible safety goals, to an examination of types of quantitative approaches, to a brief account of means of dealing with uncertainty, and finally, to comments about balancing disparate values.
A.
Methods of Approach to Acceptable Risk Slovic et al. proposed classification of approaches to acceptable risk into three broad methodological categories:
formal analysis, bootstrapping, and professional judgment.
These are described in NUREG/CR-1614 (Chapter 3) as follows:
1.
Formal Analysis Formal analysis assumes that intellectual technologies can help us manage the problems created by physical technologies.
Cost-benefit analysis and decision analysis are the most prominent techniques for thinking our way out of whatever troublesome situations we have
. created for ourselves.
Evolving from economic and management theory, these approaches share a number of common features:
(a) Conceptualization of acceptable-risk problems as decision problems, requiring a choice between alternative courses of action.
For example, cost-benefit analysis attempts to identify the option with the greatest preponderance of benefits over costs.
(b) A divide-and-conquer methodology.
Complex problems are decomposed into more manageable components which can be assessed individually and then combined to provide an overall assessment.
(c) A strongly prescriptive cecision rule.
The components are combined according to a formalized procedure; if one accepts the assumptions underlying the analysis and its implementation, then one should follow its recommendations.
(d) Explicit use of a common metric.
Decisions are hard when one must make value tradeoffs between conflicting objectives.
In order to compare different consequences, formal methods reduce them to a common unit (e.g., dollar value).
(e) Official neutrality regarding problem definition.
These tech-niques are intended to be applicable to all problems with
. clearly delineated consequences, measurable options, and identi-fiable decision makers.
Purveyors of formal analysis tout its potential rigor, comprehen-siveness, and scrutability.
Skeptics wonder how often this potential is realized.
Are analyses accessible to interested observers? Can all consequences and options of. interest be accommodated? Don't actual applications have a more ad hoc flavor than the theory would suggest? Critics also worry about power being concentrated in an intellectual elite, analysts failing to appreciate the organizational impediments to imple-menting recommendations, and ideological biases lurking in the ostensibly neutral assumptions underlying the methods.
2.
Bootstrapping Approaches Whatever theoretical appeal formal analysis may have. the technical difficulties encountered in trying to conduct an analysis have led some observers to despair of ever devising a comprehensive fcrmula for acceptable-risk decisions.
An alternative approach, which pro-duces a quantitative answer without recourse to a complicated fo-mula, relies on first identifying and then continuing policies that have evolved over time.
Proponents of this family of approache; argue that society achieves a reasonable balance between risks and benefits only through a protracted periods of hands-on experience.
The safety levels achieved with old risks provide the best guide to how to manage new risks.
Assuming that one has identified such an
. equilibrium state, the balance between costs and benefits achieved there should be enshrined in future decisions, short-circuiting the learning and adjustment process and, in effect, lifting ourselves up by our own bootstraps.
One member of this family, the revealed preferences approach, uses the cost-benefit tradeoffs effected by our market, social, and political institutions in the recent past as prescriptions for future balances.
Another member, the natural-standards approach, looks to the geologic past; it argues that the ambient levels of pollution during the development of a species is the level to which that species is best suited and the level to be sought when setting future tolerances.
In either case, a description of past policies is taken as a prescription for the future.
The resultant policy should be consistent with existing decisions and be sensitive to complex tradeoffs that are hard to accommodate in formal computations.
One conceptual limitation of bootstrapping is that for new hazards, which are often the most troublesome, there may be no relevant experience to which to refer.
Another is that these methods pass judgment on the acceptabilitj of individual options, without explic-itly considering the alternatives.
One possible political limitation is bootstrapping's strong bias toward the status quo; it assumes, in effect, that whatever is (or was), is right for the future.
. 3.
Professional Judgment Another response to the possibility that there is no one formula for determining "how safe is safe enough?" is to rely on the judgment of the technical experts most knowledgeable in a field.
Professional judgment is exercised whenever a physician decides that a by pass operation or immunization program is worth the risk, a civil engineer decides that soil porosity has been adequately handled in the design of a dam, or a boilermaker decides not to reinforce further a poten-
,tially leaky joint.
In making their decisions, professionals might avail themselves of formal analyses, if such existed, but they are not bound by the conclusions of those analyses nor need they articu-late the reasons for their decision.
Their own "best judgment" is the final arbiter of whether to accept the risks associated with an option.
Although one might balk at even the suggestion of letting technical experts make decisions about value issues, technicians are trained to be servants responsive to their clients' needs.
If society as a whole is defined as the client, professional judgment may be the best way to devise creative and balanced solutions, considering what is desirable, feasible, and practical.
When
' ssionals deliberate, they may not only summarize existing knowledge,,ut also create new knowledge in the form of new and better options.
A physician may finesse the question of whether a drug is safe enough for a patient who is sloppy about taking pills by devising a therapeutic regime that circumvents the problem; similarly, a safety engineer may alter
_ traffic patterns so as to increase the effective safety of an aging bridge with fixed lead-bearing capacity.
Professionals may stumble in some areas where formal methods are strongest.
An inarticulable rule frustrates critics and colleagues attempting to assess the professional's performance and spot errors.
Under the cloak of professional wisdom may lie only a vague notion of what options are available or even a failure to consider more than one traditional solution.
Finally, there is no necessary link between expertise in a substantive area and expertise in decision making.
Similiarities and Contrasts These three approaches are not as conceptually distinct as they might initially appear.
Formal analyses require a large element of professional judgment, whereas professionals can (and at times do) base their judgments on formal analyses.
Bootstrapping requires risk and benefit measurements resembling those in formal analysis; for their part, formal analyses often turn to the historical record for critical measures, making assumptions like those underlying bootstrapping. Professionals are often tradition oriented, attempting to do what has been done in terms of policy making; the past studied by bootstrapping has largely been created by the actions-of professionals.
. The difficulties the approaches face also have similarities.
Charac-terizing a proposed technology for comparison with a historically derived standard encounters many of the same technical problems as characterizing it for comparison with alternative courses of action in a formal analysis.
Both bootstrapping and professional judgment may falter by failing to consider alternatives.
Furthermore, the prescriptive validity of each is contingent upon their descriptive valialty.
Professionals should be allowed to make accepteble-risk decisions only if they do know more; the cumulative record of evolu-tionary processes should be consulted for guidance only if such processes properly accommodate social pressures and realities.
These correlated weaknesses may decrease the possibilities for hybridizing approaches to compensate for one another's vulnerabilities.
B.
Possible Characteristics of Safety Goals Mattson et al. (op. cit.) classify varieties of form of safety goal formulation according to seven pairs of contrasting characteristics.
The pairs, with brief discussion based on the work of Mattson and coworkers, are as follows:
1.
Single vs. Multiple Goals A single overall goal has the merit of simplicity.
A set of more specific, narrower goals may, on the other hand, lend themselves better to verification of compl#ance.
Advantageous combinations may be pos ible, consisting of an interrelated hierarchy of overall and lower-order goals.
. 2.
Quantitative vs. Qualitative Goals Overall quantitative goals introduce severe verifiability problems with respect to low probability high-consequence events.
On the other hand, general qualitatively stated goals may defy assignment of clear, ascertainable meaning.
(Goals such "as safe as possible" or "as safe as reasonably possible" are included among the qualitative forms.) Different specific aspects of safety goal formulation may be better suited to one or the other of these alternatives, or may be expressible in forms combining qualitative and quantitative elements.
The authors see merit in hybrid, quantitative / qualitative goal forms.
3.
Ends-Oriented vs. Process-Oriented Goals Ordinarily, goals are thought of principally as ends to which strate-gies and resources are directed.
However, uncertainties and difficul-ties in verifying goal attainment may be so substantial that it may be preferable to substitute processes that command confidence.
The latter alternative is reflected in the basic reactor-safety principles of the Naval Nuclear Propulsion program, as recounted by Admiral Rickover in testimony before the President's Commission on the Accident at Three Mile Island.
Those principles included strong central technical control; management measures to achieve strong technical competence; conservatism of design; compliance with detailed operating procedures; prompt correction of safety deficiencies; and a host of do's and don'ts in the selection and training of plant operators and in the maintenance of formality and discipline in
. their performance.
The implication of Admiral Rickover's commer.ts is that, if the means of providing for nuclear safety are pursued with the goal of excellence of performance, then acceptable safety will be attained.
4.
Absolute vs. Relative Goals A goal may be expressed as some absolute level that risk should not exceed.
Alternatively, it may be related to some other risks to which neople are exposed (risks of other energy sources, other activities, natural phenomena).
The relation may be expressed quantitatively as a ratio or percentage, or in non quantitative terms (as equal to, less than, substantially less than, etc.).
In any event, some comparative analysis must underlie relative goals, though comparisons may be fraught with considerable difficulties.
5.
Individual vs. Society-Oriented Goals In the NRC regulations (10 CFR Parts 20, 50/ Appendix I, and 100),
both individual and societal goal forms are used in complementary fashion for limiting radiation exposure.
For example, Section C limits emission of radioiodine and radioactive particulates in terms of a maximum permissible individual exposure (15 millirem to any organ), while Section D of the same Appendix establishes an interim criterion of aggregated societal impact for cost-benefit trade off purposes ($1,000 per man-rem).
. 6.
Site (or Region) Dependent vs. Site (or Region) Independent Goals There are many variable locational factors which may affect:
(i) the probability of a serious accident, (ii) the probability of a failure of a reactor containment, and (iii) the radiction exposure of people in event of an accident.
Included are such factors as:
population density and distribution; character of emergency evacuation routes and related locational features; natural phenomena such as meteorology, tornadoes, earthquakes, and floods; and proximity to man-made hazards such as airports, military installations, LNG terminals, and transport systems involving movements of hazardous chemicals or other explosive materials.
The issue of whether goals should vary with specific location includes the extent if any to which various possible site weaknesses may be compensated by design and operational features.
The issue of possible regional variation of goals includes whether less exacting goals should be allowed in regions presenting region-wide difficulties (e.g., a relatively densely populated area of the country).
7.
Time-Related vs. Atemporal Goals A time-related goal may involve a schedule of time horizons for successive improvements in safety standards or goals.
It may call for achievement of some specified safety standard by a specified year and a more stringent safety standard by some later year.
. Within this temporal aspect is the question of interim vs. settled goals.
A " settled" goal is not necessarily permanently established,
~but it has a low expectation of near-term change compared to an
" interim" goal.
However, even a " settled" goal may need to be changed, because of technological progress, changing social values, institutional changes, or the emergence of new information by which the uncertainty or some other factor in a goal is perceived.
Establishing a goal as " interim" may contribute to its acceptability; the interim goal would offer a trial period while the process of learning, technological progress, and the results of additional research, studies, and continued debate will serve to clarify desirable goal changes after the interim period has elapsed.
C.
Types of Quantitative Approach Recent efforts towards development of proposed safety goals have had a predominantly quantitative emphasis, notwithstanding evident problems of verification of compliance with any quantitative goals.
The Advisory Committee on Reactor Safeguards (ACRS), as background for its own develop-ment of a quantitative approach, accepted a survey of some proposals pre-viously presented in the United States and abroad, according to which such approaches can be roughly categorized into three groups:
those that set limits on individual risk of death only; those that consider frequency of accidents and magnitude of the consequences; and those that imbed the
~
criteria in risk management frameworks that, at least in part, consider risks from alternatives or other societal endeavors (NUREG-0736, Part 1).
. Some (though not all) of the criteria considered in the survey apply specifically to nuclear reactors.
1.
Individual Risk Criteria One of the early proposals for quantitative risk criteria for nuclear reactors was made by Adams and Stone (1967) of the Central Electricity Generating Board in Great Britain at an IAEA Symposium on Siting and Containment.
They proposed that the parameter determining acceptable siting be taken as individual risk.
They suggested that en incremental increase in an individual's chance of death per year that is smaller than the demographic variation in the United Kingdom of that chance would be inappreciable and acceptable on those grounds.
Differences
-5 significantly greater than 10 per year occur among England, Wales, Scotland, and Ireland, and they proposed that an incremental individual
-5 risk of 10 chance of death per year would be acceptable.
For immediate deaths and a plant lifetime of 30 years, this risk would correspond to a statistical loss of life expectancy of about 6 days, while for death delayed until 10 years after exposure the statistical loss is about 3 days.
Of course, the loss is much larger for the actual victims and zero for all the others.
The apparently positive correlaticn between standard of living and health has been used by Bowen (1975) to develcp a general risk acceptance criterion for technological activities in the United Kingdom.
He suggests that the risks imposed upon society should be negligible or balanced by benefits.
However, risk levels that can
. -5 be scientifically supported, say, a 10 chance of death per year, cannot be considered negligible in all situations, and balancing by direct individual benefits is not possible in cases where the victim cannot be readily identified in advance, for example, the one excess cancer fatality that might be expected from the TMI accident.
Bowen argues that the balance should be done macroscopically.
Ha assumes that the observed annual increase in life expectancy in the U.K. is due to overall societal efforts, i.e., its investment in "the industrial machine" of which any technological facility forms a
-5 part.
An additional yearly risk of death of 10 from a new facility roughly balances the expected increase of an individual's life expectancy during one year.
With regard to accidents having a
~
potential for a major disaster, Bowen argued that the 10 limit should be demonstrated to a high confidence level.
2.
Frequency-Consequence Approaches The previous criteria dealt specifically with individual fatality risks without directly including limits on other types of risk or addressing the effects of a large scale accident.
In the frequency-consequence type of approach, special attention is given to the magnitude of an accident.
A basic common assumption in variants of this approach is that the limiting frequency of a particular accident should depend in some way upon its magnitude.
One early British proposal (Farmer, 1967) suggests a limit on the frequency of accidental release of radioactive material; a more recent Canadian one (Atomic
4 4 Energy Control Board of Canada, 1978) on frequency of individual exposure; and a recent British proposal (Kinchin, 1978 and 1979) is concerned with limits on the fatalities due to accidental exposure.
In an early paper (" Siting Criteria - A New Approach," IAEA Symposium on Siting and Containment, 1967), F. R. Farmer proposed that probabil-istic analysis be employed in reactor safety assessment and suggested that the safety criterion of less than 0.01 premature deaths per reactor year be adopted.
In addition, he proposed that a risk acceptance limit line relating release magnitude to frequency be used to judge the acceptability of the estimated occurrence frequency for any particular accident.
The severity of the accident was measured by the release in curies of iodine-131, one of the volatile fission products thought to be of greatest importance in thermal reactor accidents.
The Farmer limit ifne does not deal specifically with effects depende.it upon population density and other conditions around the site.
Therefore, the actual limits on effects, such as risk to individuals, property damage, or number of expected fatalities, must be estimated from site-specific analyses.
3.
Rick Management Approaches Two common premises of risk management approaches are:
that society has a limited amount of resources to allocate for the reduction of the risks that accompany the benefits of its endeavors and that
. these resources should be allocated wiseJy.
Such approaches reflect concern that improper actions to reduce risks may not minimize risk and niay even give rise to an increase in overa]l risks.
Okrent and Whipple (197Z) described a quantitative approach to risk management which incorporated the following principal features:
Risk assessment.
Each risk producing facility, technology, and the Jike would have to undergo assessment of risk both to the individual and to society.
Graduated limits on individual risk.
Societa) activities would be divided into major facilities or technologies, all or part of which are categorized as essential, beneficial, or periphera) to society.
There would be a decreasing level of acceptable
~4 risk to the most exposed individual (for example, 2 x 10 additional risk of death per year for the essential category,
-5
-6 2 x 10 for the beneficia) category, and 2 x 10 for the periphera) category).
Internalization of residual risk costs.
'[o provide incentive to reduce risk and balance some inequities between those who receive the benefits and those who are burdened by risk, the cost of the residual risk would have to be internalized, perhaps by means of a tax paid to the Federal government.
. Modest risk aversion.
Risk aversion to larce events would be built into the internalization of the cost of risk, but with a relatively modest penalty.
Co effective reduction of residual risk.
A limit on the marginal cost of risk reduction could be imposed.
The late C. L. Comar's editorial for Science (1979) entitled " Risk:
A Pragmatic De Minimis Apprcach" suggested the following as potentially useful, though oversimplified guidelines to perspective in risk policy rationalization:
(a) Eliminate any risk that carries no benefit or is easily avoided.
(b) Eliminate any large risk (about 1 in 10,000 per year or greater) that does not carry clearly overriding benefits.
(c)
Ignore for the time being any small risk (about 1 in 100,000 per year or less) that does not fall into category 1.
(d) Actively study risks falling between these limits, with the view that the risk of taking any proposed action should be weighed against the risk of not taking action.
Risk management considerations are involved in the ACRS proposal and other recent U.S. proposals, addressed below (in Section IV).
- D.
Approaches to Dealing with Uncertainty Verifiability of whether a nuclear plant meets an overall quantitative safety goal is subject to both reducible and irreducible uncertainties surrounding probabilities and consequences of severe but low probability accidents.
Various approaches can be considered for mitigating the impact of those uncertainties.
We describe five approaches:
arbitration, modeling, restrained use of quantitative criteria, conservatism, and non quantitative approaches.
Combinations of approaches are, of course, possible and may well have merit.
1.
Arbitration The decisions about whether a goal is met can be entrusted to a group of specially empowered experts.
(We avoid the term " science court.") This group could provide a mechanism for clear, authorita-tive resolution of disputes involving data gaps and possible con-flicting interpretations.
Selection of the arbritators would be guided by the aim of high quality in their decisions.
- However, there is here some inherent danger to the rationality of the regulatory results, since decisions would be made by methods that would necessarily in part transcend the scientific method.
Predictability could also suffer, as experts and their opinions change.
2.
Modeling Verification could be tied to a prescribed mode of calculation.
(For example, " Consider the aggregated probability to be the sum of
. the probabilities of the ten dominant sequences described below.")
The approach would aim at consistency and predictability.
With such approaches the quality of the results depends heavily on the fidelity of the calculational model; one needs to consider whether there is, in the model or its use context, enough respect for uncertainties (including possibilities of crucial oversight) to make its dependa-bility commensurate with the consequences of misjudgment.
3.
Restrained Use of Quantitative Criteria Use of the top-level probability target can be limited to decisions concerning outliers, the clearly prohibitive and the clearly trivial.
By leaving many decisions outside its purview, this approach detracts from the policy's value on the criterion of reach.
But its use would be focused on those parts of the safety goal issue for which it is most dependable.
Another mode of restraint is to use an overall plant target only loosely and to provide some general guidance for setting quantitative targets at the level of systems and equipment for which failures can be tolerated with a frequency sufficient for possible verification (say, once per 10 or 100 reactor years).
Such an approach, while permitting verification, is subject to the effects of unavoidable gaps in allocation (where measurable failure frequencies cannot be accepted) and of common cause and interactive failures.
. 4.
Conservatism Conservatism can be embedded in the calculations or explicitly applied to risk estimate results.
In the " embedded" approach, estimates of actual risk are based on conservative assumptions, to increase assurance that decisions concerning the issue at hand will be on the safe side.
One could, for example, say that estimated risk should be ensured at some specified high confidence level for each critical element (say, 90 percent of 99 percent confidence, rather than a 50 percent confidence-level "best estimate").
The conservatism-in-calculations approach is subject to difficulties of two sorts.
The first is that the most significant and troubling uncertanties often do not lend themselves to the making of estimates to which particular confidence levels can reasonably be assigned, and, in any event, some residual uncertainty remains.
The second difficulty is that, with conservatism introduced into the elements of an overall estimate, the degree of residual uncertainty in the result and the overall extent to which it includes conservative-ness margins are not readily apparent to the decision maker.
This handicaps trade-offs against side effects, not only economic ones, but also those of adverse safety impacts elsewhere of a safety feature introduced to solve a particular problem.
As an alternative to the "emoedded" conservativeness approach, one can require calculations to be realistic -- the best one can do.
. Margins of due prudence would be introduced into administrative decisions.
This explicit approach to conservatism offers visibility of margins, for consideration and debate.
The decision maker still needs, however, a " feel" for the uncertainties entailed by the assumptions-facte, ?nd nethods of the original risk estimation.
Sensitivity analyses may help discern the consequences of alterna-tive judgments and thus help to set an appropriate margin.
5.
Nonquantitative Approaches Nonquantitative approaches available to reduce vulnerability due to uncertainties include the following:
Independent lines of defense.
For example, remote siting no matter what degree of plant safety the calculations show.
Use of requirements known to be beneficial, though not quanti-fiable.
For example, emphasis on qualifications and training of operators, other plant personnel, and managers.
Economic incentives for safety (or removal of disincentives) could be in this category.
Extra circumspection when abandoning known, established practices for promising innovations.
Professional judgment, with emphasis on the qualifications and experience of decision makers and advisors.
. E.
Considerations in Balancing of Values Much of what has preceded in this paper has reflected consideration of disparate and sometimes conflicting values involved in development of a safety goal -- ethical, political, and economic values, along with technical considerations.
As the work of safety goal development progresses, we plan to address the philosophically complex and demanding task of seeking a sound balancing of the values relevant to goal setting.
The scope of this section, however, is limited to noting in a preliminary way two specific topics:
(a) individual and social risks and (b) safety and economic values.
1.
Individual and Social Risks A safety goal may focus on the risk of death or illness to which any one individual may bc exposed, including permissible differences among individuals in different circumstances such as workers, nearby residents who may receive some benefit as compensation for incremental risk, and the general population.
The goal may also include consideration of the numbers of people exposed to a risk.
An individual living near a plant in a densely populated area may not be exposed to greater individual risk than a person living near a plant remote from population centers, but the total number of probabilistically "expectea" casualties (i.e., the aggregrated social risk) would be greater.
. Social risk considerations also include such issues as equities of distribution of risks and benefits, possible transfer of risk to future generations (through long-lived radioactive materials),
distinctions between prompt and delayed fatalities, and whether and how property damage risks (which may indirectly entail other health-and-safety risks) should be taken into account.
A special aspect of the social risk issue is involved in the concept of risk management, that is, whether and how to consider the risks of alternatives in setting a nuclear plant safety goal.
A strict safety goal for nuclear power may result in some potential nuclear plants not being built and thereby lead to the safety risks imposed by alternative power sources (perhaps coal) or resulting from deprivation.
2.
Safety and Economic Values Safety and economic values are not necessarily or invariably in conflict.
Safety may protect plant investment and property of others, as well as save medical and other costs of illness.
In this positive respect, the issue is the extent to which economic incentives for raiaty should be reflected in safety goal formulatio_n.
However, in most questions about safety, safety and economic values conflict or appear to conflict; the issue involves, first, whether, under the circumstances at hand, economic impacts can be taken into
. account in a safety decision, and second, what amount of resources may be devoted (or what benefits foregone) to achieve a particular safety goal.
A possible approach involves setting some minimum acceptable safety level that cannot be compromised for economic reasons, but taking economic factors into account in seeking a higher safety goal.
The safety-cost trade-offs involved may be aided by guidelines about what degrees of safety should be viewed as equivalent to what costs (e.g., $1,000 per man-rem probabilistically expected), notwithstanding problems in applying a common metric to values that may not be philosophically commensurate.
Special diffi-culties in such trade-offs include methods of reflecting wide uncer-tainties in safety consequences in evaluations relative to generally better known economic impacts.
Decisions concerning oossible retroactive applications of new require-ments may involve special safety-cost trade-offs since the costs of specific safety improvements for plants already being built or operating may be substantially higher than for future plants.
By contrast, safety benefits are likely to be similar for old plants, and perhaps less than for future plants, in view of lesser remaining operating life and possible side effects of modifications of existing systems.
- IV, SOME SAFETY-GOAL PROPOSALS Six frameworks are currently used by society to regulate risks.
The first is market regulation.
Until recently, caveat emptor (let the buyer beware) was the mechanism for making safety decisions.
The second is no-risk.
In the Delaney Clause to the Food, Drug and Cosmetic Act, Congress instructed the FDA to allow no carcinogens to be added to the food supply.
In attempting to implement these instructions, FDA has attempted to define a negligible level of risk to make the absolute nature of the Delaney Clause more flexible.
Most of the proposals that follow attempt to define a negligible risk by using various comparisons.
The third is technology-based standards, such as best available control technology.
This framework is an attempt to shift attention from risks and costs over to available technology.
The fourth is risk-benefit analysis.
This framework attempts to trade off increased benefits against possible increases in risk to achieve a better social solution.
The fifth framework is cost-effectiveness analysis.
This framework is used a great deal in regulating the nuclear fuel cycle to ensure that emissions requirements are equally stringent throughout the cycle.
ALARA and ALAP are variants of this framework.
The sixth framework is benefit-cost analysis.
Thisframeworkseek$sanexplicitquantificationofallmajor benefits and costs of some decision and a formal balancing.
Each of these frameworks is a possible candidate for future regulation of the nuclear fuel cycle, along with new proposals.
Any proposal must be evaluated in terms of the criteria set out in a previous section.
The
. following proposals for quantitative safety goals are set out as current proposals known to the NRC.
We hope and expect to see new proposals formulated as a result of this request for comment.
We also hope to receive evaluations of the extent to which these proposals fulfill the criteria set out in this document, as well as other criteria which are relevant.
This section contains six safety goal proposals, all urging a quantitative formulation of safety goals and suggesting specific numerical values for the parameters that they propose.
The diverse frameworks (the ACRS " goal levels" and " upper limits," the AIF criteria, the Joksimovic " limit line," etc.) can, however, be employed in conjunction with numerical values that differ from those suggested in the specific propo'sals.
The intellectual task of devising a sound framework and the policy task of setting appropriate levels are distinct, though they must in due course merge.
Both tasks are essential, as is their proper merging.
All six of the proposals are based on use of probabilistic risk assessment.
They depend for their effectiveness on the potentialities of that technique and are subject to its limitations - gaps and uncertainties in data bases, difficulties of constructing adequate sets of underlying assump-tions, and of accounting for human factors in safety.
Some of the approaches proposed include provision for accomodating or mitigating the effects of uncertainties.
With all the approaches, consideration would have to be given to (a) the appropriate role for other methods where probabilistic risk assessment
. cannot dependably resolve an issue and (b) problems of transition frem current practices, including decisions with respect to possible retroactive application of new requirements.
A transitional problem of a different sort is the development of sufficiently wide availability of an adequate level of expertise in the new probabilistic methods.
A.
The ACRS Proposal On October 31, 1980, the Advisory Committee on Reactor Safeguards sub-mitted to the Commission what it described as "a preliminary proposal for a possible approach to quantitative safety goals... intended to serve as one focus for discussion on the subject... and... expected to be... a first step in an iterative process."
(NUREG-0739, "An Approach to Quanti-tative Safety Goals for Nuclear Power Plants," ACRS, 1980.) The ACRS letter containing the Committee's proposal was accompanied by a three part report prepared by its Subcommittee on Reliability and Probabilistic Assessment, discussing aspects of the subject in detail.
The ACRS letter (without the background report) is presented below.
B.
Other Proposals, The ACRS proposal is the only safety goal proposal that has been formally presented to the Commission for consideration or discussion.
However, we are aware of other proposals that have been elaborated in varying degree and have been published or widely communicated.
Five such proposals are discussed briefly below.
All five, like the ACRS proposal, involve quantitative safety goals and use of probabilistic risk assessment.
UNITED STkTES o
[' g )c:k NUCLEAR REGULATORY COMMISSION ADVISORY COMMITTEE ON REACTOR SAFEGUARDS g
A.
WASHINGTON, D. C. 20555 October 31, 1980
_~ *....
Honorable John F. Ahearne Chairman U.S. Nuclear Regulatory Ccmmission Washington, D.C. 20555
SUBJECT:
AN APPROACH TO QUANTITATIVE SAFETY G0ALS FOR NUCLEAR POWER PLAN
Dear Dr. Ahearne:
In a letter dated May 16, 1979, the ACRS recommended that consideration be given by the Nuclear Regulatory Comission to the establishment of quantita-tive safety goals for nuclear power reactors.
The ACRS acknowledged the difficulties and uncertainties in the quantification of risk but stated its belief that quantitative safety goals and criteria can provide an important The yardstick for the engineering judgment that would still be required.
ACRS further recommended that the Congress be asked to express its views on the suitability of proposed NRC quantitative safety goals and criteria in relation to other relevant aspects of our technological society.
.In a letter dated June 11, 1979 to the ACRS you noted that you would appreci-ate any further development of the concept of quantitative safety goals that the ACRS could provide..In a memorandum dated August 14, 1979 the ACRS advised you that it was assigning the project of developing a possible ap-proach to quantitative safety goals to its Subcommittee on Reliability and Probabilistic Assessment and that it was anticipated that about a year would be needed to develop recommendations.
The Subcommittee has now developed a preliminary proposal for a possible approach to quantitative safety goals. The proposed approach is intended to serve as one focus for discussion on the subject of quantitative safety goals and as such is expected to be only a first step in an iterative process.
The Subcommittee has prepared its discussion of the su Ject in the form of a report which consists of three parts, as follows:
Part 1 "On the Development of Quantitative Risk Acceptance Criteria,"
J. M. Griesmeyer and D. Okrent.
Part 2 " Risk Management and Decision Rules for Light Water Reactors,"
J. M. Griesmeyer and D. Okrent.
Part 3 " Applications and Implications of Trial Risk Acceptance Criteria,"
D. H. Johnson and W. E. Kastenberg.
S
Honorable John F. Ahearne October 31, 1980
- =-
Part 1 is primarily a review of several prior or current proposals for quantitative risk criteria which have been developed by others.
Part 2 provides the preliminary proposal for a possible approach to quantitative safety goals.
Part 3 provides a brief evaluation of several technologies, including nuclear power plants, in terms of criteria like those proposed in the report.
The ACRS recognizes that there are several other ongoing efforts to examine the development of such criteria. The Committee hopes that this report will contribute material useful in the process of developing an approach.
The trial approach to quantitative safety criteria, which is described in Part 2 of the report, is divided into two major tasks: the predominantly social and political task of setting the safety criteria (termed decision rules herein) and the technical task of estimating the risks and deciding whether the safety criteria have been met.
The safety criteria or decision rules are as follows:
' Limits are placed on the frequency of occurrence of certain hazardous conditions (hazard states) within the reactor.
/EE1
' Limits are placed on the risk to the individual of early
\\c--
death, or delayed death due to cancer arising from an accident.
' Limits are placed on the overall societal risk of early or delayed death.
'An "as low as reasonably achievable" approach is applisd wit.h -
a cost-effectiveness criterion that includes both economic costs and a monetary value of preventing premature death.
'A small element of risk aversion is applied to infrequent accidents involving large numbers of early deaths compared to a similar number of deaths caused by many accidents each involving one or two deaths.
Each decision rule on hazard states and on individual and societal risk consists of a pair of numbers:
an upper, non-acceptance limit on risk and a lower, safety goal level of risk.
Compliance with the upper limit would be required for extended operation of the plant; otherwise, it must be improved within a certain period of time (to be determined) that depends upon the severity of the risk involved.
On the other hand, any risk value lower than the safety goal level would be considered in ccmpliance for the particular category of risk.
However, risks must be further reduced below these safety-goal levels whenever improvements are possible that meet certain cost effec-tiveness criteria for risk reduction.
Between the upper, non-acceptance eseeeeem e
i
.+
Honorable John F. Ahearne October 31,1980 w
limit and the lower safety-goal level of risk, there is a digressionary range in which case by case consideration of uncertainties, regional need for power, and alternative risks is required in the decision as to whether the plant should be allowed to operate for an extended time witnout modiff-cation.
The preliminary numerical values which have been suggested for use in the decision rules are primarily a matter of judgment and are intended to help stimulate discussion and evaluation in concrete terms.
Ultimately the NRC and the Congress must consider a wide range of socio-political and economic factors, of which direct risk to the public health and safety is but one, in arriving at a judgment on suitable risk acceptance l evels.
The quantitative values suggested for use in the proposed decision rules are intended to be applicable for new light water power reactors and may be more stringent than is deemed appropriate for existing plants.
DECISION RULES F-HAZARD STATES s
Accidents that damage the facility represent possible forerunners of more severe accidents.
A tentative set of hazard states of progressive severity has been defined and a preliminary set of limits on their rate of occurrenca has been proposed, as is shown in Table 1.
The limit on the frequency of a large offsite release, assuming that a fuel melt has occurred, places Such a emphasis on mitigation as well as prevention of serious accidents.
division between accident prevention and accident mitigation is believed to be necessary because of the difficulty in demonstrating with a very hirh degree of confidence that a fgequency of large scale fuel melt much less than the proposed goal of 10- per reactor-year can be achieved in view of the complexities introduced by consideration of matters such as sabotage, earthquakes, and other potential multiple failure scenarios.
INDIVIDUAL RISKS The limits on risk to individuals living closest to the reactor site have been set well below the sum of all other risks for any age group and below those from the principal competing source of generating electricity.
Lower levels were chosen (by a factor of five) for the risk of early deeth than for delayed death from cancer many years after an accident.
Table 2 summarizes the proposed decision rules for risks of delayed death from cancer and of early death.
Note that relatively few people will have risks as high as the most exposed individuals who presumably reside close to
=-
the plant site boundaries. Most people will be exposed to rf sks lower than the goal levels.
- (5 -
. October 31, 1980 Z6 Honorable John F. Ahearne SOCIETAL RISK It has been suggested in the 1 f terature that society is risk averse when comparing a single, infrequent large accident with a number of small accidents leading to the same total number of fatalities in the same A simple approach which assesses an equivalent social time period.
cost that increases faster than the actual consequences for events in-volving multiple deaths uses an equaticn of the form Equivalent social co.st =
[
(Frequay)(Consequence)"
accidents in which a is granter than unity.
If a is equal to one, the equivalent social cost would be the same as the expected costs (frequency times Although values of a as h!gh as 2 or 3 have been proposed consequence).
in the literature for fatalities from accidents, such values would pro-hibit many existing technological endeavors because of extremely high equivalent social cost, e.g., dams or large quantities of hazardous' Studies perfomed by the chemicals stored close to population centers.
Subcommittee and summarized in Part 3 of the report, indicate that society does not consciously place such high risk aversion penalties,on needed activitie3 In this proposal it is suggested that the socici cost for delayed cancer deaths should be assessed as equal to the calcaIated number of fatalities (i.e., a = 1). The range en the estimated nu':ter of people who %e from kWh is the pollution arising from a coal-fired plant which generates 10 about 10 to 200 (see Part 3 of.the report); 10 is proposed here as the upper, ncn-acceptance limit on the delayed cancer deaths due to a nuclear power pigt; the goal level is that there be less than two cancer fatalities per 10 kWh.
To provide' incentives to reduce the catastrophic potential of accidents,.it is proposed to assess the equivalent social cost of early deaths with a value=
of a slightly larger than unity, namely a
death cost of the plant, ked, w uld take the fom (Frequency) (Early Deaths)
- Eed =
accidents The limits on equivalent early deaths are reduced by the same factor of five from the delayed death limits as was done for the limits on individual risk.
Table 3 summarizes the decision rules for societal health risks.
SOCIETAL IMPACT REDUCTIJti - ALARA It is proposed to use an "as low as reasonably achievable" (ALARA) cost-effective ness criterion to judge whether additional risk reduction is required beyond
~ _ ~ ~
Honorable John F. Ahearne October 31, 1980 that level of safety required to meet the other decision rules. The cost of an improvement would be balanced against the combined change in economic losses and in the risk of delayed cancer deaths, and equivalent early deaths.
While there is some limit on how much the United States can afford to spend to reduce risk from all of its technological activities, lest economic instability lead to greater risk directly or indirectly, the current perspec-tive on nuclear reactors may be such that society is willing to spend more for LWR safety than for many other things.
It is tentati'.aly proposed that the marginal cost limit on expenditures be set at $1 million per delayed cancer death averted and $5 million per equivalent early death averted, when " equivalent" early deaths are calcu-lated vsing the coefficient a = 1.2 for risk aversion.
It is anticipated that careful study will be required to quantify the economic losses due to property and resource damage.
Because of uncertainties and the fact that some impacts cannot be quantified, it is proposed that the. marginal cost limit on expenditures to reduce adverse economic impacts be twice the expected reduction in impact when applying the ALARA criterion.
This also stresses prevention rather than repair of possible damage.
Table 4 summarizes the quantified ALARA criterion.
RISK QUANTIFICATION The rest of the proposed framework deals with the technical tasks of risk quantification, which will by no means be simple.
It has to be acknowledged from the beginning that there will be both large uncertainties in such risk estimates and significant differences between independent estimates of the same risk.
The form of the decision rules is intended to compensate in part for some of this uncertainty.
Limits are placed on the expected values of the various risks. These expected values are the weighted average of the probabilities and therefore reflect some of the uncertainties.
Also, limits are placed en both the risk of a damaging accident to the fuel and on the risk of a large release of radioactive material assuming the occurrence of fuel damage, thereby requiring both prevention and mitigation.
A major tool for this effort will be a plant and site specific quantitative risk analysis which is essentially a probabilistic estimate of the distribu-tion of risks. The details of the analysis will form a safety profile of the particular plant and site that can be used to make risk-based decisions on design and/or procedural changes.
The estimated risk distribution will ex-plicitly express the range of uncertainties and will be used in the application m
S
Honorable John F. Ahearne October 31, 1980 of the decision rules.
Special attention must be given to quality assurance of the risk assessment. There must be full and explicit identification of the assumptions and limitations of the analysis, and peer review will be re-In addition, it is proposed that a procedure be established to pro-quired.
vide a legally binding determination of those risk distribution values to be used with the decision rules.
A possible approach to this aspect is the
~
establishment of a Risk Certification Panel. After peer review of the analyses had been completed, the panel would be given the statutory authority to make a finding on the risk values to be used in the application of the decision rules.
The ACRS hopes this report proves to be useful in the ongoing effort on the development of quantitative safety goals. The Committee plans to continue to pursue the matter active'ly.
Sincerely, Milton S. Plesset Chairman e
b ensmose
I
! h
{I. 'l Ih l
1 i
j8 Table 1.
Limits on Occurrence of flazard States Decision Rules on Mean Frequency llazard State Probability Goal Goal Level Upper Limit Significant Core Damage 4
~3
(> 10% of tioble gas inventory Less than 1/100 f
10 fed <1x10 ed leaking into primary coolant) per reactor lifetime per reactor year per reactor year Large Scale Fuel Melt - LSFM
(> 3M of oxide fuel becoming Less than 1/300 f <1x10~4 f <5x10-4 molten) per reactor lifetime or pr mor pr i
Large Scale Uncontrolled Release f
<0.1 cn from Containment given LSFM Small, given a Large fR/m < 0.01 m
m
(> 10% of Iodine inventory Scale Fuel Melt p
p and 90% of noble gas) f is the frequency of Significant Core Damage per reactor year.
ed f,
is the frequency of Large Scale Fuel Melt por reactor year.
pf, is the frequency of Large Scale Uncontrolled Release per Large Scale Fuel Melt.
f 1he upper non-acceptance limits must be satisfied for extended operation of a new plant or for issuance of a construction permit.
Between the upper limits and the goal levels is a discretionary Once the risk level range for case-by-case consideration of uncertainties and competing risk.
decision rules have been applied, risk must still be reduced if such reduction is reasonably achievable within the cost-effectiveness criterion of Table 4.
/
i h
l f
{
q Table 2.
Limits on Risks to Most Exposed Individual Decision Rules on Mean Fraquecy per Mean Freqency per Site-year Large Scale Ful Mel W M Probability Goal Goal Level Upper Limit Goal Level Upper Limit d
d d/m<
- d/m'
- Probability of delayed death f
Per site-per site-year per LSFM per LSFM or a a it ov r lif e
year of individual <0.0005 f
fed /m<0.002 ed/m <0.01 Probability of early death fed < x 0 fed < x10 Per site-per site-year per LSPM per LSFM o r ife e
ual year g
< 0.0001.
f is the individual risk of delayed cancer death per site year.
d is the individual risk of delayed cancer death per large scale fuel melt, fd/m f
is the individual risk of early death per site year.
ed f
is the individual risk of early death per large scale fuel molt.
ed/m The upper non-acceptance limits must be' satisfied for extended operation of a new plas.t or for issuance of a construction pennit. Between the upper limits and the goal levels is a discretionary Once the risk level range for case by case consideration of uncertainties and competing risks.
decision rules have been applied, risk must still be reduced if such reduction is reasonably achievable within the cost-effectiveness criteria of Table 4.
g
)
l l,
I i
Table 3.
Societal Health Risk Limits Decision Rules on Societal Health Risks Measure of Risk Goal Level Upper Non-Acceptance Limit d = the exp cted value of:
B
<2 Ed < 10 E
0 0
[ (Frequency) (Delayed Cancer Deaths) per 10 kWh Per 10 kWh accidents and normal operation Eed <
Eed < 0.4 ed " the expected value of:
E 1
[ (Frequency) (Errly Deaths)
- per 10 kWh per 10 kWh o
accidents 1
0 E
is the average number of delayed cancer deaths per 10 kNhof d
electricity generated.
10 E
is the average number of equivalent early deaths per 10 kWh ed of electricity generated.
10 kWh is the amount of electricity generated by a large (1200 NWe) 10 power plant operating at full capacity for one year.
'Ihe upper non-acceptance limits must be met for extended operation of a nee plant or for issuance of a construction permit. Between the upper limits and the goal levels is a discretionary range for case by case consideration of uncertainties and ccmpeting risk. Once the risk level decision rules have been applied, risk must still be reduced if such reduction is reasonably achievable within the cost-effectiveness criteria of Table 4 6
~
Table' 4 Quantified ALARA Cost-Effectiveness Criteria.
Expenditure Limits for Impact Reduction 0
$1 x 10 /(AE L)
$1 million per delayed cancer death averted d
6
$5 x 10 /(AE L)
$5 million per early equivalent death averted g
2/(AE L) 2 times the economic loss (due to resource damage) averted A particular improvement is " cost-effective" and required if 0
Cost < [ 2AE + ($5x10 )(AEed)+ (
0)(AE}
d r
is the change (due to the proposed improvements) in the expected AEd value of: { (Frequency)(Delayed Cancer Deaths) accidents -
and normal operation is the change (due to.the proposed improvements) in the expected AEed value of:
[ (Frequency) (Early Deaths)
- accidents
'AE is the change (due to the proposed improvements) in the expected
- value of: {
(Frequency) (Economic Losses) accidents 10 kWh to be generated L is the remaining lifetime of the plant g units of 10 khh. This is the amount of elec-and the frequencies are calculated per 10 tricity generated by a large (1200 Mfe) plant operating at full capacity for one year.
N 8
. 1.
Atomic Industrial Forum The Atomic Industrial Forum (AIF) Subcommittee on Probabilistic Risk Assessment presented an approach to the ACRS Subcommittee on Relia-bility and Risk Assessment on J9 v 1, 1980.
The AIF proposal involves 1
quantitative safety goals addresst. in four elements:
individual health effects, population health effects, cost-benefit ratio, and core degradation probability.
The proposed individual health effects criterion is that the incre-mental risk of adverse health effects to the maximally exposed individual in the vicinity of a nuclear plant site should not result in a significant increase in annual mortality risk or in significant shortening of expected statistical life span.
This is interpreted
-5 in terms of a suggested goal of 10 / year individual mortality risk (mean value).
The proposed population health effects criterion is that the incre-ment'al cumulative risk of adverse health effects to the exposed population per 1,000 MW(e) of nuclear power capacity, considering the probability and consequences of events integrated over the spectrum of potential accidents, should be no more than a small fraction of the average background incidence of health effects.
This is reflected in a suggested goal of 0.1 fatality / year per 1,000 MW(e) (mean value).
. The AIF subcommittee suggests that for improvements beyond the safety goal and for possible exemptions from it decisions should be guided by cost-benefit analyses.
A numerical criterion of $100/ man-rem is suggested.
The criterion is ascribed to the principle that the benefit, in terms of populatian risk reduction, afforded by a change in plant design or operating procedure should be comparable to that which is generally achievable through alternative investments of the cost of the change in other areas of public risk reduction.
The numerical criterion (which is lower than the $1,000/ man-rem chosen by the NRC to guide interpretation of the as-low-as reasonably-achievable criterion in radiation protection) is said to be equivalent to $1 million per life saved and to be comparable to median cost-benefit ratios for other health and safety protective measures.
As the core degradation probability criterion, the AIF group proposes that a limit should be establisheu for the probability of accidents involving serious core degradation so that, for an expected population of reactors, the recurrence interval for accidents as serious as Tntee Mile Island is on the order of one per several decades.
They argue that a core degradation criterion is needed, as a supplement to the direct public radiation-impact criteria, to establish minimum requirements for accident prevention, prevent undue emphasis on mitigation, reduce frequency of stress provoking events for popula-tions near plants, and limit the economic risks of accidents.
. The AIF group calls for use of probabilistic risk assessment (PRA) to support deterministic requirements.
PRA should be used in inter-pretation of the goals in terms of generic requirements, but not as a licensing condition for individual plants.
A common PRA methodology should be developed.
The AIF proposes three cautions about quantitative safety goals:
The suggested numerical values should be used with mean value (50 percent confidence level) estimates of risk.
Higher values would be appropriate for more conservative (high confidence level) estimates of risk.
The initial set of values should be interim, for trial use for a period of three years.
Qualitative judgment must supplement quantitative goals.
This is particularly important in borderline cases.
2.
Starr Dr. Chauncey Starr, of Electric Power Research Institute, in a paper presented before the American Nuclear Society (November 1980),
advocated a safety goal approach that would build heavily on electric utility companies' economic self-interest in safety.
He argues that the economic requirement for protection of the investment in the plant may often be a more demanding safety constraint than social acceptability based on hazard to the public.
He presents the view
. that economic self-interest would motivate utilities to work towards a probabilistic design target that is 10,000 times stricter than a regionally acccotable upper bound for risk to the public.
(The nearby public's risk acceptance would be influenced by benefits; Dr. Starr would compensate nearby residents for the small risk increment by reduced electric rates.) The 10,000-fold " protective range" would provide a margin for uncertainties in probabilistic estimates.
Dr. Starr's' proposal includes recognition that the licensees' self-motivated safety goals s
?d need to be supplemented by NRC require-ments, in two respects:
NRC should (a) establish design criteria for systems that protect the public but not the plant (remote siting and reactor containment) and (b) check that the industry acts in accordance with its own financial interest (by requiring good engineering and management practices in siting, design, construction, and operation).
3.
Joksimovic and O'Donnell Dr. Vojin Joksimovic and L. F. O'Donnell, of General Atomic, in a paper entitled " Quantitative Safety Goals for the Regulatory Process (October 1980)," present a " limit-line" approach to safety goals.
The limit lines are plots of number of fatalities or public property damage as a function of the annual probability with which such effects may acceptably occur.
9 Two alternative lines are presented for latent cancer fatalities:
~4 one, reflecting a " balanced risk policy," would establish a 10 /
reactor year probability limit on accidents causing 100 casualties; the other, based on an " emphasized risk policy," would limit casual-ties at that probability level to 0.1.
Both limit lines would impose lower consequence probability products for high-consequence accidents (the increased emphasis being reflected by an exponent of 1.5 on the number of fatalities in an accident).
4.
Zebroski Dr. Edwin Zebroski, Director of the Nuclear Safety Analysis Center at the Electric Power Research Institute, in a paper entitled "A Proposed National Nuclear Safety Goal" (March 1980), described his proposal as "a tentative and probably incompleta formulation" and as a personal (rather than an EPRI) proposal.
Dr. Zebroski stated the proposed goal as follows:
(a) Reactor design, operation, and regulation should insure that accidents which reach the stage of core melting have a probable frequency of no more than one such occurrence in 30 years, taking account of the actual population of civilian _ reactors in operation in the U.S.
(b)
Reactor safety systems and containments shall be maintained and operated so that even if core meltdown were to occur, there would be less than one chance in 1,000 that a radiation release
4 s leading to a dose of 1 R or more to any member of the public will result.
5.
Bernero The NRC and others have underway a number of probabilistic plant analyses which are producing estimates of the probability of signifi-cant accident sequences (severe core damage or core melt sequences).
Robert Bernero, Director of NRC's Division of Systems and Reliability Research, has suggested the use of interim criteria and priorities for taking corrective action pending formal development of numerical criteria.
(Presentation before ACRS Subcommittee on Reliability and Probabilistic Assessment, July 1, 1980.) The interim criteria suggested by Mr. Bernero are as follows:
Estimated Probability of Severe Core Damage, Per Year Action
-2 Greater than 10 Correct in days
-2
-3 10 to 10 Correct in months
~4
-5 10 to 10 Correct in years
-5 Less than 10 No action Users of these interim criteria are urged to weigh possible bias in the analysis, the quality of the analysis, the potential scale of consequences, and other significant factors in applying them.
s'
. V.
DEGREE OF SAFETY The essence of a safety goal is the degree of safety that it establishes.
The generic discussion of appruaches to safety goal formulation and of the criteria by which approaches may be judged has as its purpose the creation of a vehicle for specifying the degree of safety sought in a way that would make it meaningful and useful.
The assignment of specific proposed degrees of safety in the specific proposals summarized above illustrates the use of the proponents' frame-works and the degrees of safety suggested by the proponents as appropriate.
The Commission reserves judgment as to any specific degree of safety, pending further progress in its safety goal development efforts.
.