ML19290E133

Review of NRC Regulatory Processes & Functions
ML19290E133
Person / Time
Issue date: 01/31/1980
From: Carbon M
Advisory Committee on Reactor Safeguards
To:
References
NUREG-0642, NUREG-642, NUDOCS 8003040336


Text

NUREG-0642

A Review of NRC Regulatory Processes and Functions

Advisory Committee on Reactor Safeguards
U.S. Nuclear Regulatory Commission

Available from GPO Sales Program, Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555, and National Technical Information Service, Springfield, Virginia 22161

NUREG-0642

A Review of NRC Regulatory Processes and Functions

Manuscript Completed: December 1979
Date Published: January 1980

Advisory Committee on Reactor Safeguards
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

UNITED STATES
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D. C. 20555

December 17, 1979

The Honorable John F. Ahearne
Chairman
U. S. Nuclear Regulatory Commission
Washington, DC 20555

Dear Dr. Ahearne:

The experience at Three Mile Island, Unit 2 was a dramatic reminder that improvements in the nuclear regulatory process are needed. This is not to overlook the fact that the existing process has so far been quite effective in protecting the health and safety of the public and provides a solid base for the needed improvements. The experience of twenty-five years of nuclear power stands as evidence of that statement.

In this context, and while continuing its review of the TMI-2 accident implications, the ACRS has been reexamining the regulatory process, and submits herewith the results of this study.

We had a dual objective. First, we wanted to provide a single source to describe our understanding of how the system has functioned up to now. The many investigations of TMI have revealed considerable confusion about the structure of this complex and interactive process, and we have tried to describe it and its genealogy. Second, we wished to call out weaknesses, as we see them, and to make appropriate recommendations for change.

You will find that we have not separately listed our recommendations in any "executive summary" so that a reading of the document is necessary, but it is our view that recommendations for change should be contained in the description of the existing system to make them meaningful. Nonetheless, some of the more important recommendations appear in Chapter 8. We have found this exercise instructive to ourselves.

We are, of course, aware of the recommendations of the President's Commission, the President's response to those, and of the other reviews now in progress. We hope that this document will be generally useful, and submit it with that intent.

Sincerely,

Max W. Carbon
Chairman

FOREWORD

Any important government function deserves periodic examination to determine whether it is serving the public need in an appropriate manner. The Nuclear Regulatory Commission (NRC) has been in existence since 1975 to regulate nuclear matters affecting the health and safety of the public through a government licensing process.

The recent accident at Three Mile Island, Unit 2 (TMI-2) has made the public extremely sensitive to nuclear regulatory activities. The Congress is giving serious consideration to alterations in the regulatory structure, anticipating that such changes may enhance the national public safety. The President appointed a Commission to examine the TMI-2 event and to make recommendations concerning the regulatory process and functions as a result of information derived from that accident. These actions all point toward a need for prompt reexamination of the United States nuclear regulatory system.

While both the NRC and the President's Commission are developing independent assessments of the regulatory process, nuclear regulation cannot be examined in the context of a single event or a single point of time. The process has been evolving over a period of about 25 years and has the advantage of thoughtful and probing review over that entire period, much of it broadly displayed through the communications media to the entire population. Hence, it is appropriate at this time to understand well what has developed over the 25-year period before considering changes that materially affect the current regulatory processes. Changes are needed urgently in some areas. Many are already being effected or planned by the NRC organization and its licensees. However, care must be taken to assure that the changes under consideration or to be identified in the future will, in fact, strengthen the regulatory process and functions.

The Advisory Committee on Reactor Safeguards (ACRS) has spent much time over many years observing and examining the NRC licensing process. The Committee is, consequently, in a position to comment on the situation, and it believes this review will be helpful to those examining the regulatory process by discussing how it works, where it is weak, and the opportunities for improvement. The Committee's review may also help put current proposals and discussions in perspective.

CONTENTS

1. INTRODUCTION
2. REGULATORY GOALS
3. THE CHANGING STYLE OF THE REGULATORY PROCESS
4. REGULATORY ORGANIZATION
4.1 Regulatory Documents
4.2 The Nuclear Regulatory Commission
4.3 Atomic Safety and Licensing Boards
4.4 Regulatory Operating Functions
4.4.1 Office of Nuclear Reactor Regulation
4.4.2 Office of Inspection and Enforcement
4.4.3 Office of Standards Development
4.4.4 Office of Nuclear Materials Safety and Safeguards
4.4.5 Office of Nuclear Regulatory Research
4.5 Advisory Committee on Reactor Safeguards
5. NUCLEAR INDUSTRY ORGANIZATION
5.1 Plant Licensing Responsibilities of the Owner
5.2 Architect-Engineers' Role
5.3 Nuclear Steam Supply System Vendors' Role
5.4 Nuclear Fuel Suppliers' Role
5.5 Special Nuclear Support Services
5.6 The Nuclear Plant Constructors' Role
5.7 Assessment of Collective Industry Capability
6. MAJOR TECHNOLOGICAL ISSUES
6.1 Engineering Methodology for Public Safety Protection
6.1.1 Design Basis Accidents and Probabilistic Analysis
6.1.2 Failure Definition
6.1.3 System Interactions
6.1.4 Man-Machine Interactions
6.1.5 Separation of Safety from Non-Safety Systems
6.2 Siting Aspects of Public Safety Regulations
6.2.1 Siting Criteria
6.2.2 Multi-Unit Sites
6.2.3 Site-Related Safety Improvements
6.2.4 Nuclear Power Plant Waste Management
6.2.5 Emergency Response
6.2.6 Accident Recovery
7. REGULATORY MANAGEMENT MATTERS
7.1 Organizational Issues
7.1.1 Staff Competence
7.1.2 Industry Competence
7.1.3 ACRS Effectiveness
7.1.4 Clarification of Responsibility
7.2 Regulatory Format
7.2.1 Preservation of Regulatory Base
7.2.2 Standardization
7.2.3 Legal Framework
7.3 Regulatory Actions
7.3.1 Reporting of Safety Problems
7.3.2 Resolution of Generic Problems
7.3.3 Back- and Forward-Fitting of Safety Improvements
7.3.4 Public Communications
8. OVERALL ASSESSMENT

1. INTRODUCTION

The Congress of the United States established the NRC along traditional regulatory lines, wherein the Commission sets regulatory criteria and requirements for industrial participants who are bound to meet the regulatory requirements as a condition of licensing. The law places the onus on the licensee to show compliance and on the regulatory Commission to determine compliance. The Commission has authority to impose both legal restraints and monetary penalties on those who fail to comply with the regulatory requirements. The Commission's authority generally transcends that of state and local governments, but it has acted to establish a cooperative relationship with all levels of government in order to maximize public acceptance of the regulatory process.

The operation of the NRC has some unusual aspects, including the way in which the Commission itself functions, the statutorily defined functions of the regulatory operations staff, the hearing process of the Atomic Safety and Licensing Boards (ASLB) and the review by the ACRS. Much of this is unique among United States regulatory processes, but the principles are similar to those of other regulatory systems.

The Congress has assigned to NRC the responsibility for regulating the construction and operation of nuclear power plants operated by privately financed public utilities and publicly owned power agencies. The NRC discharges this responsibility by imposing technical and administrative requirements as a condition of issuing construction permits and operating licenses, and by monitoring the performance of licensees. However, the prime responsibility for safe design, construction, and maintenance of nuclear power plants rests with the licensees.

Insofar as safety is concerned, the system has a number of advantages, but the primary one is that the user groups have both financial and legal incentive to operate the power plants in a safe fashion. The regulatory organization can act as a "watchdog" to make certain that the conditions of the license are satisfied. The system suffers from unevenness of application that leads to shallow audits of some areas of safety interest and overly detailed review of others. The present system also puts grave responsibility on licensees to make certain that the nuclear technology is used in a way which minimizes the potential for harm to the public even though they have counteractive pressures to minimize costs and improve profitability.

Other regulatory systems can be visualized. One such system would involve operation of a plant built with private or public funds by a governmental organization while a second governmental organization served as a "watchdog" over the first. Some countries use this arrangement. However, the advantages of one system over another can be discussed only in qualitative terms. The present system has a substantial base of experience developed over a quarter of a century; hence, attention in this review is directed mainly to the existing regulatory concept, its strengths, its weaknesses, and the need for improvements.

The NRC functions under the requirements of the Atomic Energy Act and its subsequent modifications, although the Commission was created by the Energy Reorganization Act of 1974. The Commission staff numbers more than 2000 people. By comparison with some others, it is a large regulatory agency.

The Atomic Energy Act specifies the duties of the Commission as they apply to regulation of the use of radioactive and fissionable material, with the main emphasis on nuclear power plants and the nuclear fuel cycle, in the interest of public safety. However, as a spinoff of the National Environmental Policy Act (NEPA) and the Calvert Cliffs decision, the NRC has directed a large portion of its activities to the NEPA evaluation of licensing actions. The NEPA review requires a significant commitment in terms of manpower, perhaps 50-75 per cent as much effort as does the safety review. Thus, when examining the nuclear regulatory process, it is important to recognize the regulatory Commission's response not only to its own legislative mandate but to the related responsibilities derived from NEPA. The agency's functions are further complicated by its overlapping responsibilities with the Department of Energy (DOE). These, too, have to be taken into account when considering the regulatory process.

Although the review of the nuclear regulatory process presented herein was performed from the vantage point of the TMI-2 experience, the entire history of nuclear power regulation was considered. The reference time for this discussion of the state of the regulatory process is that period just prior to the TMI-2 accident. Since that time, changes have been made or are being planned by the NRC and by its licensees. Changes of which we are aware are noted herein.

2. REGULATORY GOALS

The Atomic Energy Act and its subsequent amendments and the Energy Reorganization Act of 1974 provide a broad charter for the NRC, its staff, its hearing boards, and its advisors to regulate nuclear energy processes and products, as needed, to protect the health and safety of the public. NEPA, as interpreted in the Calvert Cliffs decision, includes requirements for balancing of costs and benefits and evaluation of environmental impacts as conditions for nuclear licensing. These statutory requirements must comprise the basis for judgments about the effectiveness of nuclear regulatory processes. While identifying important organizational participants, the legislation does not specify the regulatory process in great detail, thereby allowing the Commission latitude in establishing the methods for satisfying statutory requirements.

The Commission has not set forth specific objectives or goals in any official document or statement, but they can be inferred from the types of activities in which the NRC is involved and the resultant decisions. Although not stated formally, the goals of the Commission should be kept in mind when judging the organization and programmatic thrust of the NRC.

A list of these goals should include:

1. establishment of regulatory policies, standards, practices, and procedures that, while recognizing the societal need for energy and the associated economic considerations, make due allowance for public safety and moral obligations to present and future generations,

2. provision of criteria for public safety or other regulatory decisions set forth in understandable form and, where practical, with the use of quantitative risk evaluation methods which permit the relating of nuclear risks to other societal risks,

3. provision and maintenance of a regulatory staff to establish requirements and enforce regulations,

4. establishment of a regulatory system such that license compliance with the requirements can be demonstrated,

5. provision of evidence through documentation, and regulatory actions that the goals of the regulatory process are being met, and

6. establishment of procedures for keeping the public informed on all matters of public interest, both from a societal and a technological point of view.

One of the purposes of this review is to determine whether these goals can be met. Safety, environmental protection, and economics can have conflicting demands; the NEPA acknowledged this in its requirement for environmental balancing. The balance may be altered as industry grows, technological understanding broadens, or political circumstances change (2.1). Public acceptance of the regulatory process depends upon conveying to the public an accurate and fair representation of regulatory effectiveness with respect to established regulatory goals.

The regulatory process is discussed in this report with these goals in mind. The report provides evidence as to how nearly the goals are being attained, but no attempt is made to establish a grading system because the standards for judgment will always be influenced by time and circumstances. It is important that the process include the capabilities needed to achieve the goals if it is to serve the public adequately.

(2.1) When nuclear-generated electric power was originally introduced as a source of energy in the United States, the main consideration was its economic competitiveness with other forms of energy, such as coal, gas and oil. Recently its availability has become a matter of strategic importance to our national defense and international policy. Public safety and national or world economic investment can also influence political circumstances. These matters can have a bearing on how, whether, and where to use nuclear power.

3.0 THE CHANGING STYLE OF THE REGULATORY PROCESS

The NRC institutional arrangement has developed over about a 25-year period. Initially, the regulation of nuclear power plants was carried out by an arm of the now defunct Atomic Energy Commission (AEC). The regulatory function became more active in the mid-1950s when the first commercial nuclear installations were being planned. During that period, the AEC participated in the development of a number of nuclear power concepts.

The ACRS was established in late 1947 by the AEC to review safety-related aspects of the AEC-owned research, test, experimental, and production reactors. In 1955, the AEC established a small, full-time hazards evaluation staff to perform safety reviews with technical guidance and oversight provided by the ACRS. The AEC staff and the applicants for licenses were responsive to the recommendations of the ACRS, which was in many respects the ultimate reactor safety authority. In 1957, the ACRS was established as a statutory body. At the same time the licensing process was opened to public participation by the establishment of the AEC public hearing process conducted by a "hearing examiner." The hearing process was a procedural mechanism to demonstrate on the public record that the review was complete and to adjudicate differences between parties. Although the ACRS was not a party to the hearing, its recommendations were given serious attention by all parties, including the hearing examiner.

By the early 1960s, the nature of the hearing process had changed and the hearing examiner was asked to make technical decisions regarding interpretations of AEC regulations, the scope of the regulations, and the technical basis for the regulatory licensing process. The AEC Regulatory Staff had to develop its own expertise to address these issues and began to make its own independent judgments, which were tested along with those of license applicants during the review process. In 1962, the ASLB was established to conduct licensing hearings. The ASLB consisted of three members: two with technical backgrounds and one skilled in the conduct of hearings. A small overlap of ACRS and ASLB functions may have resulted, but the primary functions of the ASLB were to adjudicate disagreements between parties concerning the licensing action and to provide a public forum for discussing the adequacy of the safety review. The ASLB was not expected to conduct an independent review which duplicated that of the AEC Regulatory Staff or the ACRS, although an occasional test for comprehensiveness was considered within the ASLB review scope. An ACRS report was required before safety related aspects of the ASLB review could begin, but the ACRS report was not a formal part of the record, and the ACRS did not present testimony to the hearing board. The hearing boards relied on the AEC Staff for an interpretation of the ACRS recommendations and relied on the testimony of the Staff, the applicant, and the intervenors as the principal basis for judgment.

In the early 1970s, the regulatory organization was extensively revised by the AEC. NEPA, as a consequence of the Calvert Cliffs decision, required more attention to environmental issues extraneous to the nuclear safety evaluation process. At the same time, the AEC Regulatory Staff was substantially expanded and its capability enhanced in response to public concern for the adequacy of some nuclear power plant safety features. This was the situation at the time of the split of the AEC into the NRC and the Energy Research and Development Administration (ERDA) under the Energy Reorganization Act of 1974.

The creation of the NRC did not materially change nuclear power plant licensing, but the new Commission did provide a different perspective on regulatory management. The Regulatory Staff began to act more autonomously with regard to the ACRS. While it continued to review each case and to provide broad safety guidance, the ACRS now began to function primarily as a sounding board where the staff judgments could be tested and tuned, with the Staff accepting ACRS recommendations selectively.

The NRC has now become an independent government unit judging nuclear regulatory matters by a set of rules that it has generated internally. When so disposed, the NRC Staff responds to ACRS recommendations. When it deems such action inappropriate, it will defer the action or set it aside by making a brief record of such action in the NRC Safety Evaluation Report. The ASLBs have become the principal judges in determining whether NRC regulatory actions are in accord with NEPA and the Atomic Energy Act.

It is with this style of operation in mind that the organization of the NRC must be examined.

4. REGULATORY ORGANIZATION

When the NRC was created by the Energy Reorganization Act of 1974, a large part of the regulatory organization was already in existence. The Reorganization Act created the Commission consisting of five members, and assigned to it the regulatory responsibilities of the AEC. The form of the regulatory process was already established as a combination of safety regulation and a review to determine compliance with NEPA requirements. The regulatory process was expected to continue under the guidance of a regulatory commission unfettered by previous commitments to the development of atomic energy.

Nevertheless, a new administrative operation had to be established, the offices created by the Reorganization Act had to be staffed, and the regulatory functions had to be apportioned among these offices. The regulatory documents also had to be reviewed, gaps filled, and plans for extension of the document preparation program had to be developed to provide an adequate documentary basis for regulation. In a number of areas, notably waste management and material safeguards, there was no regulatory precedent of substance and a new regulatory program had to be created. The development of an effective regulatory organization is one of the major goals of the NRC, and this effort is still in progress. A review of its present status will indicate where further development is needed.

4.1 Regulatory Documents

The NRC adopted the regulations developed by the AEC as the basis on which nuclear power plant licensing would be processed. The basic regulations were in existence and identified in the Code of Federal Regulations. They had been extended by other internally developed documents prepared by the Staff when it was still a part of the AEC.

The basic documents consist of:

1. rules established as a basis for regulation and published in the Code of Federal Regulations, providing policy and technical guidance for licensing purposes,

2. Regulatory Guides which describe methods acceptable to the NRC Staff for implementing specific parts of the Commission's regulations, and

3. a Standard Review Plan which sets forth internal review procedures followed by the NRC Staff in evaluating documents and other information submitted for licensing review.

These constitute an extensive set of requirements and practices, many of which are used throughout the world. They are further expanded by various technical documents prepared by the NRC technical Staff, government laboratories, NRC approved industrial reports, and well known national standards (4.1). Some of these documents, particularly some regulatory guides, are excessively prescriptive, while some other types of documents tend to identify objectives without establishing a basis for determining conformance with the requirements.

Even though there is a need for changes, improvements, and additions in many portions of the documentation, on the whole the present documentary base is substantial and has provided an effective regulatory tool. The preparation of new regulatory documents would benefit from a thorough review of precise needs and intentions and an analysis of the existing information to establish where serious gaps exist and where upgrading of the quality of information in the documents would be beneficial to the regulatory program.

4.2 The Nuclear Regulatory Commission

The five members of the NRC are appointed by the President of the United States with the concurrence of the Senate. The Commissioners are appointed for terms of five years and not more than three may be members of the same political party. The NRC Chairman is selected by the President.

The Commissioners must approve the NRC rules published in the Federal Register and all mandatory requirements of the Commission. They review and approve the budget and manpower levels submitted to the President and the Congress, and may review the decisions of the ASLB and the Atomic Safety and Licensing Appeal Panel (ASLAP) on their own initiative or because of appeal from within or outside the Commission. They select and appoint the heads of the five independent offices and the Executive Director for Operations as well as members of the ACRS, ASLB Panel, and ASLAP. They may direct the regulatory staff to proceed along specified lines to satisfy regulatory objectives. For the most part, the Commissioners have avoided direct involvement in the regulatory decision process to assure their independence when called upon to review regulatory decisions.

(4.1) Section III, "Nuclear Components," of the ASME Boiler and Pressure Vessel Code is the best known standard applied to nuclear plants but most of the professional engineering societies have contributed useful standards through the American National Standards Institute, Inc. These professional societies include the Institutes of Electrical and Electronics Engineers, American Concrete Institute, American Society of Civil Engineers, American Society for Testing Materials, American Nuclear Society, the American Society for Nondestructive Testing, and the American Society of Mechanical Engineers.

Because of their professional backgrounds, political allegiance, and individual attitudes, the Commissioners can have widely divergent views concerning nuclear power plant regulation. They do, however, act as a collegial body operating on a majority rule basis. The individual regulatory offices often have to work out plans for implementing their duties with the intent of obtaining continuing support for their activities from a Commission majority. The Congress evidently intended the regulatory process to function under this democratic style of control, but this approach does not always lead to the development of a clear regulatory position on important public safety matters.

Many styles of operation could be envisioned for the Commission, but so far it has chosen to function as a referee in determining whether the regulated industry was conforming to the rules set by the Commission, and to enter the adjudicatory process only when regulatory actions were challenged. This choice left the regulatory functions to the NRC Staff and the initial judgments concerning the appropriateness of regulatory licensing actions to the ASLBs.

Conceivably, the Commission could become the determining body in licensing actions, accepting opinions from the ASLB, the NRC Staff, the ACRS, or other sources as part of the bases for its judgments. While the licensing rules would still have to be considered, other judgmental factors might be introduced into the licensing process. In its determinations, the Commission might be responsive to public attitudes existing on local, regional, and national levels. Alternatively, the Commission could leave the judgments related to technical safety matters to the regulatory Staff and direct its attention to the requirements of NEPA.

Administration of the licensing process and enforcement of licensing rules would require a different type of involvement. Actions involving inspection, technical review, and conformance reporting would have to be delegated to subordinates who would need authority to enforce the regulations. An administrative executive would be essential to provide a point of authority. If they were adequately equipped by training and experience, the Commissioners could evaluate whether specific regulatory functions were being performed appropriately. The present Commission has a broad distribution of capability, ranging from training in law to nuclear physics, but the individual background of each Commissioner is different, raising the question of whether each opinion deserves equal weight in other than broad policy matters. In-depth knowledge of the subject matter by each Commissioner should be required for equal weighing of their opinions on technical matters beyond policy judgments.

As conceived under the Energy Reorganization Act of 1974, the Commission is intended to be responsive to public attitudes as influenced by the prevailing political environment. If the law were changed to emphasize technological background as a requirement for Commission appointment, then the qualifications of the Commissioners might justify more intimate involvement in licensing decision making with respect to rules, inspection, enforcement, and technical specifications. If the law were changed to put the primary emphasis on health and environmental impacts, the Commissioners could become more intimately involved in the NEPA matters. If the law required that they have legal training, the Commissioners could have more intimate involvement in legal interpretation of the regulations and could judge directly how the regulation satisfies the requirements of the Energy Reorganization Act.

Since none of these is presently a dominant requirement and the collective background of the Commissioners encompasses all of them, a policy-making role for the Commission seems to be appropriate.

There could be some advantage gained by designating one Commissioner as the executive officer of the Commission.

Alternatively, there could be some advantage in assigning individual areas of decision authority to each Commissioner in addition to his overall policy-making role.

Another option, which would be consistent with the present structure of the Commission, could give appreciable technical management power to the Executive Director for Operations who could also serve as the spokesman for the Commission.

This position would then require considerable technical skill in addition to management experience, and his relationship with the Commission would have to be carefully defined. %ese options should be considered as alter-natives, depending on public needs and interests, if the present Commission form of regulation is to be retained.

4.3 Atomic Safety and Licensing Boards

Each three-member ASLB is drawn from a panel of board members preselected by the Commissioners. These members have a range of capabilities, and all have a reputation for significant professional accomplishment. They are expected to have understanding of the hearing process and technical knowledge of the regulatory approach and the requirements of NEPA. They are expected to make technical judgments and to evaluate the evidence available to assess whether the regulatory process conforms to the requirements set forth in the law.

Board decisions may be appealed to an ASLAP if the license applicant, the regulatory Staff or the intervening groups challenge the ASLB rulings. The ASLB hearings are adversary in nature, with matters argued before the boards in a quasi-legal format, and the decisions of the boards are recorded and used as precedents in subsequent hearings. The legal staff of the NRC is, to a major extent, occupied with the preparation of cases to be presented before the hearing boards. Members of the regulatory Staff develop their safety reviews in a form suitable for use in this quasi-legal environment.

4.4 Regulatory Operating Functions

The NRC Staff, under its Executive Director for Operations, is divided into five statutorily established and equally ranked offices: Regulation, Inspection and Enforcement, Nuclear Materials Safety and Safeguards, Standards, and Research. In addition, the Office of the Executive Legal Director establishes and implements legal procedures. Each statutory office has explicit duties in response to the organizational plan set forth in the Energy Reorganization Act of 1974. The NRC has established documented rules and regulations under which its operational staff functions. The discussions which follow are intended to show how the organization currently works and where redirection might be of value.

4.4.1 Office of Nuclear Reactor Regulation

The Office of Nuclear Reactor Regulation (NRR) is the focal point for defining licensing requirements. Licenses are granted when the NRR has determined that the necessary documentation has been submitted, that the plant is to be designed or to be operated in accord with established rules and regulations, and that the licensee has shown the required competence to meet the regulatory requirements (4.2).

The NRR staff includes personnel with backgrounds in many aspects of nuclear technology, including such topics as nuclear physics, radiation protection, chemistry, fluid mechanics, thermal analysis, structural design, seismology, hydrology, mechanical engineering, chemical engineering, and electrical and instrument engineering. To evaluate NEPA requirements, some economics and social science skills are also provided. To evaluate a license application, they use NRC Regulations, Standards, Standard Review Plans, preapproved submittals of vendors, recognized engineering practice, and comparable information as bases for judgment. The NRR Staff reviews for compliance with both NEPA and NRC requirements. Prior to granting an Operating License (OL), the NRR Staff requires that the licensee provide a set of proposed technical specifications to which he will conform when operating the plant. Technical Specifications approved by the NRC Staff are incorporated in the license as requirements.

(4.2) The documentary evidence of regulatory compliance is usually covered by a Final Safety Analysis Report (FSAR), a set of technical specifications, a preoperational test program, and a qualification program for operating personnel. This is required for an operating license, which must be granted before a licensee can load nuclear fuel. A construction license is granted prior to plant construction and is based upon a Preliminary Safety Analysis Report (PSAR) to show that the design and construction will comply with regulations.

Since the Staff that performs reviews cannot be large enough to examine every detail of every design, the NRR Staff to a large degree relates each new license to some previously approved plant and focuses its attention on the differences. Some standardization has naturally evolved from this process. The NRR Staff tries to concentrate on what is new in the license application and to accept without reexamination features which have been previously accepted. When new information, operating experience, or regulatory prudence indicate the need, the NRR Staff will reexamine an area that has been previously reviewed, even if previously accepted practice is being followed.

The technical strength of the NRR Staff is critically important. The Staff must have a good understanding of the basis for licensing, the subtleties of engineering variations between plant designs, and must recognize operating circumstances that may challenge the safety feature performance of a plant.

The Staff reinforces its own skill with expert consultants and technical assistance contracts. Where necessary, it draws upon the Office of Nuclear Regulatory Research to develop new or supportive information to aid in licensing evaluation. Over the years, this mode of operation has built a very extensive store of knowledge on which the NRC Staff can draw. However, the extremely broad range of characteristics and performance which may have important consequences and the complicated interrelationships between them, invite concern for the ability of the NRC to cover the entire range of technology. Staff attention to conformance with regulatory logic, and the ability of the NRC Staff to relate its regulatory requirements to proper construction of the plant and to its control by the human operators under circumstances that might lead to accidents are paramount considerations.

4.4.2 Office of Inspection and Enforcement

The Office of Inspection and Enforcement (I&E) is the regulatory control arm of the NRC. It investigates licensed installations for conformance with regulations. It establishes whether licensees and their agents are conforming to licensing requirements. The I&E organization uses the rules published in the Code of Federal Regulations, NRC Regulatory Guides, and Technical Specifications as bases for regulatory enforcement. The capabilities of the I&E staff were for many years concentrated on assuring that construction practices, such as material control, welding, equipment storage, and pressure testing, conformed to regulatory requirements. Experience had shown this to be the main source of nonconformance. Attention in the public press to reports of poor workmanship and worker malefaction intensified this interest. There was always, however, general attention to other areas of regulatory compliance.

The I&E staff uses a system of audits to examine both plant records and physical installations. Members of the staff visit supplier factories periodically to establish qualifications and obtain written reports from the licensees to determine compliance with regulations. More recently, the NRC has added a staff of in-plant construction and operation inspectors. Primarily, however, the I&E organization relies on a set of "quality assurance" practices established by the owner in compliance with NRC regulations to assure that installed quality meets the regulations. Preoperational test programs are used to verify the needed operational capabilities wherever practical. The I&E Staff monitors these programs. Oftentimes, the tests require engineering analysis. Analytical methods and the operational results are both usually channeled to the NRR Staff for technical review.

With the existing type of capability in the I&E organization, regulatory evaluation of operational adequacy is information oriented. Operational procedures are reviewed by the I&E Staff, but the intent is mainly to show that procedures conform to technical specification requirements. The actual efficacy of the procedures is left to the judgment of the licensees. The I&E Staff has developed an outline of study to be employed in the licensees' training program to assure operator competence. A group of training examiners, by observation and testing, determine the competence of operators.

To review operational matters not identifiable in procedures would require a level of technical understanding available only in those who have a background in design logic and system performance. The NRR Office evaluates this broad subject matter as a basis for licensing approval, but the I&E Office uses the information in a condensed form suited only to the information checking actions it must perform. With additional emphasis now being directed to simulator training, fundamental system behavior, symptomatic analysis of instrumentation signals, and similar matters, the current style of review of operational matters by the I&E organization will need alterations in order to allow a new technical role in the licensing process for I&E.

When asked, the NRR Office through its Division of Operating Reactors works in support of I&E to provide broader expertise on an as-needed basis. While the present arrangement could work in principle, an improvement in the I&E organization's ability to address unusual technological matters through reorganization, training, staff additions, or by other approaches seems to be required (4.3).

4.4.3 Office of Standards Development

The Office of Standards Development (SD) develops the regulatory documents which form the basis for regulations. All radiation exposure standards, regulatory guides, and many of the rules published in the Code of Federal Regulations emanate from this office. This office is primarily a coordinator of information and acts as the Secretariat for the NRC Staff in the preparation of material for use in the regulatory process.

(4.3) The loose coupling of these capabilities seen in the TMI-2 experience does not serve the regulatory function adequately. Too much time elapsed between the identification of difficulty and the effective use of the NRR expertise. Recently, there has been discussion of setting up a technical review function separate from both I&E and NRR to provide service to both.

The SD has created a substantial body of documents which define acceptable engineering practice. These have been most effective when addressing design, construction, and installation types of subject matter. The standards associated with operating procedures, instrumentation, emergency response, radionuclide cleanup, and comparable matters have tended, with a few exceptions, to be general in form and oriented to performance goals rather than to explicit requirements. Such standards serve a useful purpose in directing the interested organizations to the proper objectives, but they do not provide the type of regulatory definition needed as a basis for rule enforcement. Technical specifications provided by licensees and approved by the NRC Staff are the main regulatory controls.

While the present organization of SD adequately serves its assigned purposes, this office should also have additional capability in the operational areas in order to provide more effective documents for I&E purposes. Some additional skills relevant to operational procedures in emergencies are an urgent need (4.4).

4.4.4 Office of Nuclear Materials Safety and Safeguards

The Office of Nuclear Materials Safety and Safeguards (NMSS) is primarily concerned with the nuclear fuel cycle external to the power plant. It is responsible for public safety regulation with respect to accountability of fissionable materials, safety of fuel manufacturing and reprocessing, spent fuel storage, and waste management and security provisions of all licensed facilities. Problems of material diversion and industrial sabotage are also under its jurisdiction.

The NMSS office has concentrated its interest on material accountability, protection and industrial security. Its rules and regulations, except for material accountability, have a base of practice that developed during the AEC era and at least until recently very little has been done to realign this base in accord with current public interests. Not until the last few years has the NMSS Office organized itself to direct the NRC's waste management regulatory program in an effective manner. Previously it appeared to have adopted a reactive style of regulation directed toward correction of problems exposed in the public press and to providing inputs to DOE and the Environmental Protection Agency (EPA), both of whom are attempting to establish a national posture in this area.

(4.4) Thus far, operating standards have consisted mainly of test procedures and listings of required tests. Standards for measuring capabilities of operating organizations in meaningful terms seem lacking.

The NRC's jurisdictional responsibility in waste management is sufficiently vague to make the regulatory program difficult to implement, but the matter of nuclear power safety cannot be divorced from either nuclear waste management or spent fuel handling. The nature of the problem suggests that the NRC needs to expedite its own regulatory approach to these matters rather than waiting for other agencies to offer solutions. Since certain aspects of the assignment of federal responsibility are vague (4.5), new legislation may be needed to enable the NRC to accomplish these tasks.

4.4.5 Office of Nuclear Regulatory Research

The confirmation of safety bases used in the regulatory process has always been a fundamental requirement for ensuring the health and safety of the public. The safety research programs, first initiated under the direction of the AEC, have been continued at a substantial level under the direction of the Office of Nuclear Regulatory Research. This office acts as a research manager by contracting the research work to national laboratories, universities, private contractors, including nuclear industry organizations and other sources. Probabilistic analysis methodology also comes under this office. The major part of the research program funding is assigned to operation of the emergency core cooling (ECC) and fuel-failure-mechanisms experimental facilities. Other important work under this office includes pressure vessel reliability, core melt behavior, advanced reactor safety, steam generator degradation phenomena, and a number of miscellaneous studies. The need for research to improve safety has recently been recognized, but so far it has been funded at a minimal funding level.

The effectiveness of the Office of Nuclear Regulatory Research has to be considered in relation to its preestablished obligations. The prior commitments to ECC system investigations and fuel failure experiments leave little latitude for other types of safety research within the funding limits. The "confirmatory" approach which the Office of Nuclear Regulatory Research is expected to follow, allows very limited opportunity for new safety initiatives. While the work underway is well managed in an administrative sense, its contribution to overall reactor safety is mainly through enhancing confidence in current practice rather than by providing strong technical innovation.

(4.5) EPA has been designated to set environmental standards for radionuclide releases and DOE is assigned the responsibility for establishing waste isolation techniques. Until DOE has a definitive technology that is consistent with EPA environmental standards, NRC cannot establish meaningful regulations.


4.5 Advisory Committee on Reactor Safeguards

The 15-member ACRS, appointed by the NRC under the requirements of the law, reports on the public safety adequacy of specific licensing actions. The Committee reports directly to the NRC, and its budget and staff support are provided as an item within the overall NRC authorization and appropriation. The Committee is careful to assure that its membership is free of financial influence that might affect its regulatory review and also that it is free of all NRC Staff involvement.

During the early nuclear power era, the ACRS established safety criteria on an ad hoc basis as questions arose during licensing reviews. It was during this period that containment requirements were established, design practices developed, design basis accidents (DBAs) identified, and the engineering methodology for accident evaluation was established. The ACRS became the principal body for identifying supportive research and development work to establish safety adequacy of nuclear power plant design, although the sources of information on which such recommendations were based often came from the national laboratories and the nuclear industry. Such important experimental investigations as the nuclear shutdown characteristics of water-cooled reactors under reactivity excursions, pressure vessel integrity, BWR pressure suppression containment characteristics, nuclear fuel failure properties, and ECC system performance grew out of ACRS review. The ACRS was the principal motivating force in establishing the importance of reliable emergency core cooling and shutdown heat removal capability for large nuclear power installations. Many of these requirements have since been embodied in the NRC Regulations under 10 CFR Part 50, Appendix A, and are generally covered by Standard Review Plans or Regulatory Guides in connection with other reference documents.

The ACRS has, with the support of the Commissioners and the NRC Staff, maintained an active review of NRC rules; Regulatory Guides dealing with design, construction, and operational experience; experimental programs; and analytical studies. In 1977 the Congress asked the ACRS to review the Safety Research Program of the NRC on an annual basis and report its findings to the Congress. Implicit in these assignments is the expectation that the ACRS will provide carefully weighed advice and that it will not passively accept Staff action or inaction that reflects deleteriously on safety recommendations concerning licensing actions.

In the early 1960s, the ACRS began to concentrate its attention on siting guidelines with the intent of looking beyond the literal interpretation of the regulations. Siting near high population centers, behavior of the reactor core under degraded cooling conditions, including potential core melts, seismic design methodology, and instrumentation to follow the course of accidents beyond the design basis were regularly discussed with the NRC Staff. More recently probabilistic analysis methodology for safety assessment has been actively encouraged by the ACRS.

The emphasis on such sophisticated technological questions may have diverted the attention of the ACRS and the NRC Staff from many of the more routine safety-related problems that often precede major accidents. The Committee tends to assume that once it has identified a safety problem, the problem will be investigated in detail by the NRC Staff. An individual member often must be extremely persistent before his colleagues will devote extended attention to his safety concerns. Except for transcripts and minutes of meetings, there is no record of the differences of opinions expressed by Committee members during formulation of a Committee position unless one or more members dissent from the collegial view.

The ACRS has identified many matters needing safety attention because of their accident potential, but it has not devoted serious attention to the effectiveness of operator training or to the behavior of control systems under accident conditions. In calling attention to common-mode failure problems, electrical reliability questions, probabilistic analysis and system interactions studies, the Committee has tended to express its interests in fairly general terms without attempting to determine how those matters would be pursued or what personnel capabilities are needed by the licensees or the NRC Staff to respond to these inquiries. The ACRS could have done more to help the Commission identify NRC Staff weaknesses so that Staff enhancement would have produced more valuable safety analysis results.

The ACRS is often passive in its response to Staff work, thus sanctioning work to proceed in areas in which the Committee does not expect the results to be useful. The Committee could respond more actively in such instances.

The ACRS serves on a part-time basis, and most of its members have other duties and responsibilities. To perform its work, the Committee relies on the knowledge and experience of its membership, the assistance of well-qualified consultants, a small supporting staff, and a recently added group of short term "Fellows." Because of the limited time available, the Committee could not effectively review all Staff work. There is a need to determine whether the Committee's attention is being directed to the correct areas. Certainly an independent committee cannot be constrained in its review actions, but the level of detail to which it pursues some matters and the cursory level of attention which it addresses to others does raise some questions. It may be appropriate for the ACRS to undertake a serious review of how its functions could be made more effective, and the Committee would benefit from a thorough introspective examination of the manner in which it performs its role.

During development of the early reactors it was essential that the ACRS review license applications in as much detail as feasible, and the Committee has continued such review in areas where new designs or new technologies have appeared. The ACRS is required under the law to report on each nuclear power plant license. This it does through prereview by subcommittees, followed by full Committee action when the NRC Staff license review has reached an appropriate point. When a large number of license applications were being processed, this represented a major part of the ACRS workload.

The Committee has recommended to the Congress that it be given the latitude to review plants on a selective basis in order to improve its effectiveness and minimize the time spent on matters already having acceptable safety precedent. The Committee needs to establish more order in its review functions so that important matters will not be overlooked and the Committee work will provide optimum benefit to public health and safety.

5. NUCLEAR INDUSTRY ORGANIZATION

The nuclear power industry is an outgrowth of the electrical utility industry, and its organizational structure is similar. The suppliers of electricity to the public, using conventional methods of raising capital, procure the funds to design and construct nuclear power plants, to purchase the nuclear power and turbine generator equipment, and to buy the nuclear fuel. In most cases, the electrical utility organization provides the plant operating staff. The organizational structure of the whole electrical utility and supply industry is directed toward a regulated mode of business. The industry must establish a service rate structure for the sale of electrical power to the public before it can arrange financing or proceed through the licensing process. It is therefore important that the industry know the regulatory requirements and be able to translate them into a plant design that can be built and operated in accord with its electrical supply schedule and cost commitments.

The utility organizations make use of many service and supply sources on a purchase contract basis to supplement their own capabilities. In reviewing the regulatory process, it would be unrealistic to evaluate the adequacy of the industry on the premise that each utility has within its own corporate structure the capability to meet all of the requirements of public safety. The collective industry capability must be evaluated.

5.1 Plant Licensing Responsibilities of the Owner

The plant owner is the designated license holder under NRC rules. He has to show both financial and technical competence to meet the licensing obligations. The plant owner, usually either a private electrical utility corporation or a public power organization, is responsible to the NRC for defining the nuclear steam supply system (NSSS) to be licensed, for identifying and showing the adequacy of the site on which it is to be placed, for providing appropriate engineered safety features for the system, for coupling the system to a turbine generator and electrical distribution network, for establishing a fuel supply, for showing compliance with spent fuel and radioactive waste disposal requirements, and for providing a competent organization to design, construct, and operate the plant. Normally, an owner can satisfy only a portion of this capability with his own organization. The remainder is provided through contract agreements with other organizations. Nevertheless, the owner is ultimately held responsible by the NRC for the safety of his plant.

Normally, the plant owner employs his own operating staff, which is qualified in accordance with NRC regulations. The system of operator training includes simulator training under the guidance of the NSSS vendor's technical staff, hands-on operational experience, and direct training programs dealing with the owner's licensed facilities. Operators are effectively trained to respond to events encountered in normal operation and to representative events of unusual nature which can occur in emergencies. However, the training programs should be expanded to include a broadened spectrum of emergency events (5.1). There is a particular need to include unusual events which at the outset are minor in nature, but if not adequately controlled can escalate into major emergencies. The effectiveness of this preparatory program depends upon the dedication of the owner's operating staff and its initial level of skill. Many licensees have benefited from the United States nuclear Navy program by hiring personnel trained in that program. These operators are well versed in the nuclear operational disciplines of the Navy, but their limited technical background makes it difficult to translate their Navy experience directly to commercial nuclear equipment. Enhanced capability is a recognized need.

The plant owner is expected to provide a technical support organization as well as the operating staff for the plant, and these groups are sometimes supported by a centralized technical service group. The technical organization usually prepares operating procedures, establishes technical specifications to assure that the plant is operated in accord with design intent, evaluates malfunctions and failures, maintains an awareness of technical problems in other plants that may influence the operating facility under its technical surveillance (5.2), does trouble shooting, plans shutdowns, and carries out other functions appropriate to the installation. The technical skill of the supporting staff is crucial to successful plant operation. Recent changes in regulatory requirements for operators have been directed toward enhancing in-plant capability of the owner's technical staff. In addition, owner groups are developing plans for operating support centers to enhance existing capabilities. This effort is aimed toward upgrading operating capabilities at licensed power plants to reduce the likelihood of such accidents as the one at TMI-2.

Operating organizations are expected to have internal emergency response capability and to establish a working relationship with governmental organizations designated to handle emergencies extending beyond plant boundaries. Operators are also expected to control within regulatory limits the handling and discharge of radionuclides and other radiation sources. The plant

(5.1) The simulator training is intended to provide this understanding, but no simulator equipment can cover all operational circumstances. Simulator equipment can be set up to address peculiar operating conditions, and this type of training is now receiving priority attention by licensees.

(5.2) A recent study by ACRS has established that such awareness is not as widespread as desirable in the industry. In many companies there is a need for the owner's technical organization to establish a systematized effort to insure being informed of unusual events in other plants and to determine the applicability of such events to their facilities.

to assure that his operating staff will handle such matters in accord with regulatory restrictions. These specialized operational functions are still being developed (5.3) in many operating organizations.

5.2 Architect-Engineers' Role

Some large utility organizations have sufficient capability to develop a complete plant design once a NSSS has been purchased, but most use outside architect-engineering organizations to prepare a design in accord with the plant owner's wishes. The architect-engineer (A-E) may be brought in to help select the NSSS or after its purchase, but in either case, the A-E will normally design the balance of the plant around the system selected. This effort will include the design for the containment, the fuel storage facilities, waste disposal and effluent systems, offsite power supply systems, electrical distribution and emergency power systems, the foundations, the secondary piping systems, and other related equipment and facilities. The A-E often serves as the plant owner's agent in developing responses to licensing requirements related to plant design but is not normally a party to the licensing commitments. Although not directly licensed, the A-E is treated by the NRC as an integral part of the owner's licensed capability. Hence, many A-E firms have obtained approval from NRC for their engineering practices and have had these approvals extended to cover a number of installations.

The range of A-E work includes design of many highly complex safety features, such as emergency power systems, secondary heat removal systems, and radionuclide effluent cleanup systems. Foundations and other structures designed to accommodate earthquakes, tornadoes, floods, and fluid system rupture are particularly sensitive nuclear safety areas handled by A-Es. Earlier designs were found to have numerous minor design faults that required correction, but the A-Es have learned through experience. The capability of A-E organizations is being strengthened through experience gained by personnel with repeated application of their nuclear plant designs. Some A-E firms have elected to develop standardized design concepts (5.4) to be preapproved by NRC in order to expedite the licensing process. Even if "custom" designs are used, the practices followed are intended to minimize the amount of new licensing review once a design has been approved for licensing.

The desire to minimize licensing review and to use designs that have a well-established cost basis has inhibited design innovation in standardized plants as well as "non-standardized" or custom designed plants even though such changes might enhance public safety provisions and improve reliability. Even when there are opportunities for substantial cost savings coincident with other advantages, the problems brought about by a delay in licensing because of extensive reviews of the new design features usually discourage design innovation.

(5.3) The TMI-2 experience showed operating weaknesses in these areas in the aftermath of the accident. The NRC had not emphasized the need for such capability sufficiently, but current actions should correct the deficiency.

(5.4) The advantage of standardized design approval is that it precludes further NRC staff review of these systems unless some new safety problem appears.

The importance of establishing a "licensable design" is emphasized by plant owners to their A-Es.

This approach has tended to stabilize the design process so that recent designs have corrected most of the deficiencies observed in earlier submittals and minimized innovations requiring further review.

Nevertheless, the scale of the engineering effort for a nuclear plant is so broad that no plant can be completely error free. Normally, the A-Es provide continuing engineering services to the plant owner in evaluating errors in design and construction or in new licensing matters that may arise over the plant lifetime. When errors are exposed, a design review may show that the conservatism incorporated in the design will accommodate the errors safely.

However, this error tolerance has not immunized nuclear plants from difficulties introduced by design mistakes.

On occasion, misapplication of recognized design practice has resulted in serious engineering flaws, as for example improper summing of directional forces from earthquakes. The architect-engineering organizations are expected to maintain quality assurance systems to provide satisfactory design quality, but there is still room for considerable improvement in the design quality assurance practices in nuclear installations.

Attention is needed to proper use of design methodology and to assurance that equipment is fabricated and installed in accord with design intent.

5.3 Nuclear Steam Supply System Vendors' Role

In a business sense, the NSSS vendor is an equipment supplier selling a system to be installed as part of a licensed power plant. As a practical matter, the NSSS vendors have, through licensing negotiations with the NRC when each system was initially submitted, established a licensing basis that is used repetitively in subsequent applications. NSSS vendors have offered explicit standardized designs for licensing under the NRC standardization program, but these are normally variations of previously licensed installations where some of the "standardization" had already been established. The NSSS vendors' obligation to the plant owner is to furnish a licensable system, and usually his contractual agreement includes handling, as the plant owner's technical representative, the NSSS licensing negotiations with the NRC.

This has often created confusion concerning placement of the licensing responsibility.

In most cases, the NSSS vendors' licensing obligations are limited to those he accepts as a contractor of the plant owner.

In spite of this limited responsibility, the NSSS vendors have most of the nuclear system safety expertise associated with licensing the equipment they supply. The plant owner relies heavily on this capability for advice and training and anticipates its availability for the life of the plant. To insure public safety, the NSSS vendor organization must be maintained at a high level of technical competence as a backup to the plant owner organization since the owner may not have adequate capability to respond to emergencies on his own. The NSSS vendors, as shown by TMI-2 experience, do not study every safety aspect of their systems because they consider some matters outside the bounds of the licensing requirements.

Yet, their involvement in prompt resolution of safety questions which do arise is mandatory.

5.4 Nuclear Fuel Suppliers' Role

Normally, the NSSS vendor provides the first loading of fuel for a reactor core and may also contract to provide subsequent fuel loadings.

The plant owner may elect to obtain reactor fuel independently of the NSSS vendor.

In any case, the nuclear fuel supplier must show that the fuel he will supply is compatible with the reactor system in which it will be used.

This requires both experimental and analytical evaluation of the fuel. The NRC has now developed a set of analytical procedures to be followed to show that the fuel is acceptable. The supplier is also required to show that his manufacturing processes will produce the needed fuel quality. The plant owner then accepts responsibility for the fuel as a purchased item to be used in the nuclear plant. The NRC limits its relations with the nuclear fuel supplier to accountability, performance verification, and manufacturing control questions relevant to the regulatory process.

5.5 Special Nuclear Support Services

Such matters as in-service inspection, pressure system evaluation, radioactive effluent disposal, fuel management strategies, and similar matters are often handled through service contracts to outside organizations. The plant owner usually contracts for such services on an ad hoc basis when they are needed. They are important operational elements of the plant owner's licensed capability. The qualifications of such specialty organizations are generally not determined by formal procedures; but with rare exception, those performing the services have established a high level of expertise through long participation in nuclear power industry activities.

5.6 The Nuclear Plant Constructors' Role

The nuclear power plant owner will sometimes act as the constructor of the plant by purchasing all materials, subcontracting for conventional building and erection services, and hiring his own labor force to perform installation work, including piping, electrical distribution, special service systems, and other work normally outside the scope of his contracts.

Alternatively, the plant owner may elect to contract for a turn-key installation.

There may also be intermediate arrangements between these two extremes. The owner sometimes acts as his own construction manager, and at other times he may hire an outside service organization, such as an architect-engineering firm, to perform that service. The owner is expected to have a quality assurance organization to establish that the work is being performed in accord with nuclear regulatory requirements.

The owner will require that each portion of the constructor-installer organization have a related quality assurance organization to meet regulatory requirements.

The owner's quality assurance responsibility also covers the adequacy of the quality assurance procedures of the A-E, the NSSS vendor, and the equipment and materials vendors to insure adequate design, engineering, and testing. There will normally be an understanding between the owner and the constructor-installer as to what will be provided to the operating organization.

In any case, this entire construction program is required to conform to the drawings and specifications prepared by the A-E, the NSSS vendor, or other engineering organizations that have participated in developing the licensed plant design.

Although much emphasis is placed on establishing qualification standards for craft skills, there is always some residual concern as to whether the quality of the workmanship will meet anticipated regulatory standards and whether the work will be done in accordance with the requirements stipulated by the drawings and specifications.

Many construction faults have been reported over the 25-year nuclear power plant history, and in spite of the quality assurance requirements, there is still evidence that some organizations do not exercise adequate control over the construction work. The NRC Office of Inspection and Enforcement can identify such matters early in the construction program, but the regulatory action is often of such limited forcefulness that constructors fail to respond adequately. The need for high-quality construction must be further emphasized in the regulatory program.

5.7 Assessment of Collective Industry Capability

The licensing of nuclear installations obviously requires consideration of all of the industrial elements upon which the owner-licensee depends. The industrial system limits the liability of the industrial participants to those established by the owner through contracting.

Many A-E organizations do not have independent self-audit procedures to check drawings adequately to insure that they reach the field with a minimum of errors.

They rely excessively on construction forces or test personnel to expose and correct errors in the field. While more systematic than the A-Es in their design and manufacturing controls, the NSSS organizations would also benefit from improved review processes.

The interfacial relations between nuclear steam supply systems and the balance of plant systems are especially deserving of attention.

The quality assurance system on which the NRC depends to assure adequate quality in the licensed installation needs to be strengthened in the areas of design methodology and installation conformance with design intent.

The opportunities for engineering blunders affecting public safety are too numerous to allow this matter to continue in its present management style.

Under the present arrangement, the regulatory process needs to have more control over the licensees' contractors since the owner-licensee cannot assure that he will have access to all of these capabilities if they should be required for public safety reasons.

Alternatively, the regulations could require that the owner establish capabilities equivalent to those of his contractors whenever they are important to safety.

In particular, the capabilities of the NSSS vendor and the A-Es in system behavior, trouble shooting, and performance analysis could be required to be a part of the owner's capabilities.

6.0 MAJOR TECHNOLOGICAL ISSUES

Limiting damage to the core and restricting the dispersal of radionuclides resulting from accidents in nuclear power plants are primary functions of the "engineered safety features." (6.1)

By design, the latter features are required to meet more stringent standards than equipment provided only for power production and special attention is directed to their reliability under accident circumstances.

To establish the adequacy of the engineered safety features, "design basis accidents" are postulated which are supposed to bound the accident contingencies having a probability large enough to require consideration.

Some engineered safety features are evaluated in relation to features of the site, in particular the size of the site and its distance from the nearest population center. All engineered safety features are designed to function properly in the face of severe natural phenomena, including earthquakes, tornadoes and floods.

6.1 Engineering Methodology for Public Safety Protection

In considering the capability of engineered safety features, each DBA is related to a range of failure contingencies. Some of these are concerned with how failures are initiated, some with how they propagate, and some with the conditions prevailing when failure occurs.

Although the TMI-2 accident did not exceed the bounds of the postulated accident conditions with regard to release of radioactive materials, it did lead to core damage greater than that predicted in the analysis of DBAs, and the TMI-2 event has raised renewed interest in how accident bounds should be defined. The objective of the engineered safety features is to control the consequences of failure in such a way that the health and safety of the public are not jeopardized.

Unless there is a precise definition of what is meant by "failure," the effectiveness of the regulatory approach cannot be evaluated. Therefore, attention must be directed toward the meaning of failure as it affects public safety.

Among the important nuclear safety technology matters highlighted by the TMI-2 accident is the question of whether there is an effective way to separate the safety related features of the plant from those intended for normal operational use and not considered essential to public safety protection. The assumption of separation of safety from non-safety features has had a profound influence on the manner in which nuclear safety regulations are imposed, and the separation philosophy must be understood and used properly. Of special significance is the interaction between the "safety" and "non-safety" portions of the plants. The accident conditions themselves may cause interaction, or the initiating events can involve unexpected interactions that alter the performance of the engineered safety features. System interaction questions are complicated further by man-machine relationships associated with operator actions in nuclear plants.

Many of these issues are amplified further in the following subsections.

(6.1) Engineered safety features are defined as the systems and equipment needed to assure that DBA consequences do not exceed the site radiation exposure limits specified in 10 CFR Part 100. However, many other systems are important for preventing or mitigating accidents.

6.1.1 Design Basis Accidents and Probabilistic Analysis

Since the early history of nuclear power plant regulation under the AEC, the design basis accident conditions used for the purpose of design of the containment and of the features intended to remove radioactive materials from the containment atmosphere assumed the release of very large amounts of fission products in a containment building whose basic integrity was assumed to be maintained intact. The assumed radionuclide release is derived in part from core melting experiments, but the containment design pressure is based on the assumption that core cooling will be maintained and that no fuel melting will occur (6.2). The containment does not include provisions to cope with a molten core or the heat, hydrogen, and other aspects of an accident in which the whole core melts.

On the other hand, the engineered safety features have been designed to prevent severe core damage for a large number of design basis events including earthquakes, a pipe rupture in the primary system, a ruptured steam line, a loss of offsite power, etc.

(6.2) The TMI-2 incident involved accident conditions very much like the DBA except that containment pressurization did not extend over a long period of time and fuel probably did not melt. Core cooling was disrupted for short but significant periods of time, leading to core damage and gaseous fission product release after the nuclear reaction had been halted. Cladding damage also exposed the bare fuel pellets to the reactor coolant, leaching out some solid radionuclides. The containment did not maintain its leak tightness perfectly, but the type of leakage experienced did not result in damaging radionuclide release to the public environment. The extent of the TMI-2 failure and the manner in which the core cooling system was operated heightened interest in DBA assumptions, but the subject was not new.

In connection with the establishment of design basis events, the regulatory process should take account of both the probability and consequences of the event in order to establish a risk evaluation basis. Much could be learned by examining the possible differences in behavior of existing plants compared to those studied in the "Reactor Safety Study" (WASH-1400) that result from design variations, site conditions, and a host of other variables known to exist because of changes in technology and engineering judgments among plants and systems.

The Reactor Safety Study showed that the probabilities of accidents involving core melting without adequate core cooling were high enough to deserve attention.

Since 1966, ACRS had urged the AEC, NRC, and the nuclear industry to look beyond the design basis accident for circumstances that might warrant mitigation by design.

More recently, the floating nuclear plant vendor had been required, in response to an environmental impact evaluation, to provide features to reduce the consequences of a core melt.

Design basis events, such as earthquakes, are usually examined in the design of nuclear plants to show that they can occur without resulting in accidents, but these and other events, unless dealt with adequately, could subsequently lead to an accident of greater severity.

For example, continuing loss of offsite power without the provision for long-term continuity of the emergency in-plant power supply could eventually interrupt core cooling enough to permit core damage or even core melt.

Some of the events such as large double ended pipe breaks have a low probability of occurrence but nevertheless are now dominant considerations in safety evaluations concerning design basis accidents.

Other more likely events might be identified as deserving greater emphasis if probabilistic analysis were used instead of the DBA approach.

The DBA approach to safety analysis has been useful and relatively effective in the analysis of reactor systems.

However, the experience gained with its use, the continuing development of probabilistic methods, and experience in power plant behavior that has been accumulated all suggest that the approach should be modified to include increasing use of probabilistic considerations.

Severity of the DBA is one of the crucial technological issues.

Should core melt be assumed, and if so, how completely? If not, is the core damage experienced at TMI-2 the appropriate basis for establishing containment leak tightness? Are the previous design bases for containment, which allow for large scale fission product release but not the other phenomena associated with core melt, adequate to protect the public health and safety? The technical basis for the previously used accident assumptions involves a compromise which tries to cope with most accidents. The logic does not always involve totally consistent assumptions (6.3).

A more logical method for establishing severity levels is to use the Reactor Safety Study approach. The method would have to include consideration of both consequence uncertainty and engineering reliability questions involving applications where little experience exists and quantitative safety goals would be needed.

Probabilistic methods are not presently developed to the point where they can be substituted completely for consideration of DBAs in the traditional way, however, and it appears necessary for the immediate future to continue the current policy of specifying arbitrary accidents as a basis for regulation (6.4).

The present umbrella of DBAs may need modification, and a study should be made to determine which if any additional accidents should be added to those now considered.

The regulatory process should be able to show the public and the regulated industry how safety requirements are established and to clarify inconsistencies when they appear.

(6.3) Self-consistency has been an issue before the ASLAP. The NRC Staff once required a BWR containment to be inerted because of H2 combustion potential, but the ASLB ruled that the assumed hydrogen generation potential was inconsistent with other assumptions.

(6.4) Arbitrary accident definitions can take several forms. Current practice assumes core melt level fission product releases but perfect containment and core cooling. Other combinations such as partial melting with degraded core cooling could be selected. Containment leakage could be an accident variable.

6.1.2 Failure Definition

The primary interest of nuclear safety regulation is to prevent the spread of radionuclides to the external environment, thereby protecting the health and safety of the public. Therefore, the failure mechanisms that might result in a release of radionuclides are the first safety considerations. The failure boundaries in a nuclear power plant have been described as: (1) the fuel cladding, (2) the primary system pressure boundary, and (3) the containment boundary.

Each has some independence from the others, but they are not three truly independent barriers.

It would have been desirable if the regulatory safety approach could have minimized the interdependence of these boundaries so that failure of one boundary would not lead to failure of the others. However, this failure approach cannot be fully realized.

Under some circumstances, failure of the primary pressure boundary could cause fuel cladding failure, but the reverse is unlikely.

Similarly, failure of the primary system could cause failure of the containment under some circumstances.

The NRC has nevertheless placed great reliance on these separate lines of defense and has developed its requirements for engineered safety features consistent with this failure protection concept. The engineered safety features are expected to function independently of the normal plant equipment affecting the primary coolant boundary even when postulated failures of the primary boundary are considered.

Failure of the primary system is therefore permissible from a public safety standpoint because the separate lines of failure protection provide defense in depth.

However, a definition of acceptable failure involves a number of controversial matters.

One aspect of that definition is establishing failure tolerance.

Piping systems, for example, have suffered stress corrosion cracking but the extent of the cracking has never resulted in a loss-of-coolant accident that would actuate the ECC system. One failure concern is whether the cracks could propagate uncontrollably, creating a rupture that excessively challenges the ECC system.

Another possible concern is that some severe condition, such as an earthquake, might cause a set of cracks to propagate into a failure of uncontrollable character. Hence, failure can be defined as acceptable only if it is controllable within public safety limits under the transient conditions stipulated for consideration by regulatory practice.

A second aspect of the definition is the influence of the operating environment on the failure.

A failure may be initially acceptable under regulatory requirements, but if its control requires the continuing integrity of equipment that cannot survive the operating environment after failure, then it may eventually become uncontrollable.

For instance, severe fuel failure which released radionuclides to the primary containment and, within a short time, through excessive heat or ionizing radiation, caused a failure of a containment seal would not have been an adequately controlled failure.

The third aspect is the question of how many failure events must be considered when defining an acceptable failure. The current approach is to use the single failure criterion which assumes that an initial system or equipment failure occurs and then postulates one more equipment failure, usually associated with the mitigation actions intended to control the initial failure consequences. This "single failure criterion," adopted from electrical circuitry design practice, has been used in the NRC regulations as a way of defining acceptable failure, but it is more likely to be applicable only to very simple systems.

For complex systems, multiple failures may be experienced subsequent to the initial failure and some other standard of acceptability is needed.

These several aspects of failure are sufficient to illustrate why an understandable definition of acceptable failure is needed to provide a basis for regulatory practice. With a well-founded definition, it would then be possible to show which types of failure would not constitute a cause for public safety concern; which types of failure known to be unacceptable, if allowed to run their course unchecked, could be controlled within acceptable consequences by mitigating features such as physical restraints or backup operational features; and which types of failure are clearly outside the bounds of acceptability, even with mitigating features, unless further failure control provisions such as emergency evacuation are provided.

Much of the safety research program sponsored by the NRC is aimed at establishing the nature of failure and showing that the consequences are acceptable within regulatory limits. However, the tolerance of equipment for failure and the distinction between important and unimportant failure events are not yet adequately defined and more work is needed.

6.1.3 System Interactions

In the prior discussion of failure, reference was made to the interactions between various operating systems and how they might lead to significant failures from a public safety standpoint.

As currently used, the term "system interaction" refers to all of those circumstances that could arise where there is a possibility of the events occurring in one system imposing safety related stresses on another system. For example, actuation of a fire water sprinkler system that damaged the electrical controls could invalidate the capability of all engineered safety features.

System interaction questions involve such matters as (1) the relationship between the normal control systems and the so-called protection systems that are presumed to be isolated from each other but could have interactive effects; (2) the release of radionuclides or heat into the operating environment of engineered safety features to degrade their short- or long-term performance and possibly negate their safety function (6.5); and (3) a crossover of a short circuit fault from one circuit to another that could destroy redundant electrical equipment provided for public safety reliability purposes. Most of these matters are given some consideration in the licensing process. The regulations are intended to avoid deleterious system interactions, but recent experience suggests that the whole subject should be under constant surveillance by personnel who have insight into potential system interaction difficulties.

(6.5) The Browns Ferry fire was an illustrative circumstance. The fire destroyed the electrical control circuitry, and it was necessary for the operators to find an alternate power supply for actuating certain valves to depressurize the system in order to establish the core cooling safety function.


6.1.4 Man-Machine Interactions

Nuclear power stations cannot be operated solely by human action or by machine automation. Operators are needed to establish a state of readiness for the plants, to relate them to the external electrical demands and to provide fuel, maintenance, and similar service activities. One way to minimize human mistakes is to automate the plants or to provide better computerized analysis so the likelihood of human thinking errors will be minimized.

None of the older plant designs have sufficient computerized analysis capability to be useful in analyzing most operational symptoms quickly.

Some newer designs have improved computerized analysis capability but still provide only a limited set of automated functions such as the emergency power supply systems, reactor safety protection systems, pressure relief, containment isolation valves, and a few basic mechanical equipment functions.

There may be advantages to expanding the automated plant features to reduce the need for operator action during transient operating periods, but how and whether this should be done deserves considerable thought. Most of the more modern plants are providing additional computerized control capability that could by computer initiated control signals ease the knowledge requirements put on the operators, but concern has been expressed about such systems causing undesirable operational actions through computer malfunction.

The safety threat from such malfunction offsets to some extent the desirability of computerized response.

There is need to improve the information displays in control rooms.

These have been developed along lines that follow customary display practice for non-nuclear steam power stations combined with the now-traditional display scheme for nuclear controls. This display has considerable merit because operating personnel are accustomed to it.

But it may not draw operator attention adequately to the crucial instrumentation needed in emergencies.

The alarm systems may be excessively confusing and some information displays could be better located (6.6).

Even if information displays are improved, the diagnostic needs for accident control purposes will not be met.

In order for either operating personnel or automated controls to respond to instrumentation signals, there must be less ambiguity of interpretation that could lead to erroneous safety actions of the sort that occurred at TMI-2.

Attention will have to be concentrated on integrating information from diverse sensors and combining the information in such a way that the accident symptoms lead the operators to initiate correct safety control actions. Symptom correlation with instrument signals to direct operator action to the appropriate safety procedures could eliminate much of the concern about man-machine interfacial response. Not enough attention has been addressed to this matter.

In addition to information needed for diagnostic purposes, operating personnel must have some emergency instrumentation provisions to maintain cognizance of accidents that do not proceed along anticipated lines. An example is instruments that show whether fuel has failed and what type of failure may have occurred. Without such provisions, the operating personnel are less able to correct unforeseen events that may have been overlooked during accident analysis even though the corrective action might be easily performed.

(6.6) This is not to say that the existing control rooms are unacceptably poor. The experience at TMI-2, although justifiably drawing criticism for the quality of the instrument displays, did not show that operators were unable to identify operating conditions or to determine whether control equipment was functioning. Some valve closures and the condition of the steam relief quench tanks were not adequately displayed but minor design changes could correct these problems. The real concern is whether the diagnostic burden on operating personnel is excessive.

6.1.5 Separation of Safety from Non-Safety Systems

The NRC regulations are generally founded on the idea that if the systems important to safety are reviewed carefully and the plants are properly constructed with suitable features taking into account the plant site, then the public will be protected adequately. The NRC review practice has been one which separates safety from non-safety systems, with primary attention given to the safety systems.

The initial intent of the separation philosophy was probably to avoid conflict between demands from normal operating modes and those peculiar to safety functions. As the scope of reactor licensing broadened, the separation philosophy permeated the design process but not with consistent logic. One typical example is the removal of decay heat.

In what is perceived as an "emergency," the ECC system is classified as a system important to safety and receives commensurate treatment and attention. On the other hand, those aspects of decay heat removal associated strictly with normal shutdown, a much more frequent need, do not receive the same emphasis.

Thus, this separation philosophy has resulted in the creation of two systems which are treated differently in the safety reviews. The safety system is scrutinized carefully, but the non-safety system may be totally ignored in the review process.

Important safety matters could be excluded from review if improperly classified.

In some cases, the concept of separation results in overdependence on a specialized safety provision whose safety capability would be better realized if considered as a part of the whole operating plant.

Feedwater systems to steam generators cannot, for example, be uniquely separated into safety and non-safety categories (6.7).

(6.7) The TMI-2 Auxiliary Feedwater Systems obviously had safety related functions that had to be integrated with normal feedwater supply capability.

6-9 As now applied, the philosophy is also used to distinguish between safety related and non-safety related functions with resoect to their quality and reliability. An advantage of a properly implenented sep1 ration philosophy is that safety related systems requiring very high reliabilty can be de-signed specifically to meet their requirements without imposing these requirenents on those non-safety related features which require less rigorous design. A disadvantage of the separation philosophy is that it cannot be implemented perfectly and is therefore sometimes arbitrary and artificial. For example, a control system and a shutdown protection system could be considered an integrated control systen tucause they are interactive (6.8).

The separation of safety from non-safety functions is necessary when the functions have contradictory requirements.

It is desirable in some cases to make them independent to prevent the circumstances which interfere with normal functions from also destroying the safety protection function.

For example, an operating electrical power system might be damaged by a lightning strike, and if the emergency power system were tightly coupled, it also might be damaged by the same lightning. This type of separation has been encouraged in the regulatory process, and in some parts of the world, deliberate "bunkering" of some engineered safety features has been introduced to assure the integrity of the safety function.

In recent years, concern has been expressed about the use of engineered safety features to perform other normal plant functions although such optional use could be desirable since, under some circumstances, such arrangements might enhance the reliability of the safety features by providing a means for monitoring their operability. Care still needs to be taken to assure that the non-safety functions cannot interfere with the capability of the engineered safety features at the time of need.

Because it is impractical to impose all of the safety stringencies on every plant detail, the separation concept must be used. A few very important features with extremely high public safety protection value will need special quality, redundancy, and testability properties that cannot be extended to every plant element.

The extent of this type of treatment may need to be greater than has been provided in the past.

Alternatively, new design approaches could be developed wherein the safety treatment placed less dependence on such safety related features.

Higher reliability may be attained in some cases if the separation concept is discarded so that the entire system can be considered as responding to the safety requirements. Credit for the capability of features previously considered outside the public safety provisions may also be justifiable.

(6.8) Detailed consideration of anticipated transients without scram (ATWS) showed that current power reactor designs routinely depend on "scram" protection for shutdown systems in certain "anticipated transients" to provide needed corrective actions to prevent overpower. Thus, the "shutdown system" is made a part of the control system. Nevertheless, Appendix A, Criterion 24, of 10 CFR Part 50 requires that control systems be separated from protection systems.

Indeed, the review process itself cannot be permitted to follow arbitrary lines of separation between safety and non-safety features since this could easily result in overlooking important system interactions or malfunctions that have public safety importance. The whole principle of safety separation needs to be redefined with the intent of developing a more logical and more effective result.

6.2 Siting Aspects of Public Safety Regulations

An established precept of nuclear safety practice is to seek sites with acceptable public safety characteristics including remoteness from population centers.

The NRC Reactor Site Criteria, 10 CFR Part 100, take the site properties as a reference basis and require the engineered safety features to be designed to limit the release of radioactive materials to acceptable limits under postulated accident conditions.

However, the containment is not designed to cope with core melt, and the use of currently employed engineered safety features to permit reactor siting in more populated areas has been questioned. Certain types of accidents could create conditions beyond the engineered capability of such features.

It is therefore necessary to reevaluate the criteria for siting, including the accident conditions under which site safety is judged, when establishing regulatory requirements.

6.2.1 Siting Criteria

Under early safety practices, the criteria for nuclear power plant siting revolved around the definition of power plant exclusion areas, low population zones, and the dependence to be placed on engineered safety features to assure the health and safety of the public in the event of accidents.

At one time during the most active period of power plant licensing, use of engineered safety features to mitigate accident contingencies was a major consideration in determining how close to population centers a power plant could be sited. More recently, there has been a tendency to discount this dependence on engineered safety features. Nevertheless, containment leak tightness is still a determining factor in establishing the rate and quantity of radionuclides that could escape to the environment if an accident were to release large quantities of radionuclides from the core. The direction of the dispersal, the dilution of gaseous radionuclides, and the settling-out of particulates are determined by analyzing site-related meteorology.

The TMI-2 accident resulted in conditions well below 10 CFR Part 100 limits even though radionuclide releases into the containment were close to design basis assumptions and the containment leak tightness was not equivalent to that assumed by design. There were compensatory factors since the opening from the containment allowed some radionuclides to escape, but only through a route which included an array of piping, tanks, and filters where water, steam, and surface contact could capture some of the releases.

Thus, factors in addition to the usual engineered safety features associated with containment were beneficial to public safety protection.

Not all accidents involving design basis radionuclide release rates would have the benefit of these mitigating factors if containment integrity were to be lost.

For example, at TMI-2, the hydrogen generated from the zirconium-water reaction evidently resulted in combustion within the containment that caused pressures higher than those provided by design in some low-pressure containments associated with other commercial plants.

The Reactor Safety Study showed that the likelihood of a core melt was high enough to deserve consideration in reactor siting. The study also indicated that the hydrological path for radionuclide dispersal was generally long enough to eliminate it as a short-term threat to the public in the event of a melt-through accident.

However, more attention should be directed to the ultimate consequences of such events.

Siting criteria should be aimed toward establishing sites best able to accommodate core melting contingencies over the long term.

In particular, the hydrological considerations involving potable water systems should not be ignored.

Practical methods for protecting such systems from radionuclide contamination should be available for all nuclear power plant sites.

These siting matters have been considered by the AEC and the NRC for many years, but the circumstances surrounding the TMI-2 accident have placed new emphasis on them.

The initial public safety protection considered for nuclear reactor systems was primarily the selection of sites remote from highly populated regions, and this remains a valuable public safety protection feature if other lines of defense are not adequate. Where practical, maximum advantage should be taken of remote siting as a public safety provision.

6.2.2 Multi-Unit Sites

The selection of sites for nuclear power stations and related facilities has to include consideration of fuel and waste transportation, electrical power supply distribution, waste heat dispersal, and accident interactions between units, as well as the environmental surroundings, including population distribution. Most nuclear power plant sites involve only one or two nuclear reactor units, but a number of installations have been planned involving several reactors, and others have been discussed that extend the sites to as many as ten 1000-Mwe units. There are advantages in multiple unit sites in concentrating installations where the best siting conditions prevail and, at the same time, establishing a large enough power complex to justify an adequate technological support capability to enhance operating skill. The disadvantage of multiple unit siting is that an accident at one unit could jeopardize all others, and multiply the property risk and vulnerability of the power system from a single accident. There is no clear basis for the selection of one approach over another at this stage in the technological development. Whether large multiple-unit sites would be desirable depends very much on whether an accident at one site of the type that occurred at TMI-2 could be isolated in such a way that the remaining facilities could be operated in a mode acceptable from a public safety standpoint.

However, before the latter approach could be accepted, a number of matters would need to be resolved. They include:

1. showing that an accident involving one unit at a site could be isolated in a manner that would eliminate its effect on other units,

2. defining the technological skills needed to make the site acceptable in terms of operational capability, and

3. identifying the physical arrangements of nuclear power plant support facilities, emergency control, transportation resources, and plant orientation to optimize the risk considerations introduced by the multiple unit approach.

Specific site development plans of this type have not been studied adequately. The criteria for acceptability should include not only the capacity to handle a large number of units but also the characteristics that minimize jeopardy of population centers.

Further work is needed before a policy for evaluating large multiple unit sites can be established.

6.2.3 Site-Related Safety Improvements

Nuclear power stations have incorporated many features intended primarily to enhance their safety as the result of direct regulatory requirements. These features have included off-gas filtration, automated containment isolation, and hydrogen recombiners for containment.

Further improvement in some areas may be desirable. A comprehensive study should be made to define the most urgent needs. The discussion which follows illustrates the types of safety improvement that could be of value.

An important safety contribution would be a system which could remove radioactive materials from the containment atmosphere after an accident so that the remaining gases could be vented to the atmosphere. Specification of the details of such a system and the needed performance reliability would involve research and experimental work.

If such a system could be provided, public safety actions after a TMI-2 type of event would be easier.

More versatile and more reliable core cooling capability is another area that might enhance public safety. The experiences at Browns Ferry and TMI-2 both point to the desirability of being able to provide reliable core cooling capability from multiple sources.

Diversity of the capability, its independence from accident circumstances, its resistance to deliberate sabotage, and its ability to directly cool the core under a range of circumstances could directly reduce the likelihood of a TMI-2 type of accident as well as other accidents offering the potential for core damage and even fuel melting. Conceptual engineering studies would be valuable in determining how this capability could be realized.

The ACRS has supported the investigation of both of these features as part of the NRC research program to improve reactor safety.

Other types of safety improvements might be envisioned. These include different means for primary system pressure relief, changes in materials of construction, techniques for minimizing accumulation of radioactive materials that directly interfere with in-service inspection, and modifications in existing containment concepts.

However, more independent initiative is needed by the nuclear industry in identifying safety improvements.

6.2.4 Nuclear Power Plant Waste Management

A problem that had, until the TMI-2 accident, received virtually no attention is the matter of radionuclide cleanup following such an event.

Similar problems pertain to the decommissioning processes for nuclear installations.

The NRC has, in the past, left these responsibilities to its licensees.

As a result, the associated planning and supporting research have been inadequate. This is clearly shown by the inability to handle the large volumes of radioactive gaseous and liquid wastes that were generated by the TMI-2 accident. Neither the industry nor the involved federal agencies nor their advisory groups adequately envisioned or planned for accident situations in which the character and magnitude of the waste management problems would be significantly different from those of routine nuclear power plant operations.

The associated consequences included increased personnel exposures, an inability to collect adequate samples to assess the situation, and a delay in restoration activities.

The accompanying public opposition to plans for the disposal of the decontaminated waste fluids, even though these involve risks no greater than those associated with similar wastes resulting from normal operations, has also delayed cleanup of the plant.

The need for usable low-level waste disposal technology that meets established criteria, policies, procedures, and regulations is apparent. Meaningful regulatory action directed toward opening and operating new low-level waste disposal facilities might reduce public concern over this matter.

6.2.5 Emergency Response

Questions concerning nuclear industry capabilities for handling off-site emergency-response problems associated with accident situations have been of interest since the beginning of nuclear power development. Those responsible for the safety of nuclear installations, beginning with the AEC, recognized the need to develop such capabilities, but it was not pursued vigorously, partly because of industry concerns and partly because of a lack of sufficient interest on the part of state and local authorities.

As a result, even though the NRC has required licensees to establish emergency plans in cooperation with state and local governments, this planning has been inadequate because the state and local government units have not had either the funds or the personnel to participate on an effective basis. Also contributing to these problems is the fact that, as implied above, the NRC has had no regulatory authority over state and local governments. As a result, the NRC Staff could only indirectly review the radiological emergency plans of such agencies.

In the past the AEC and NRC considered evacuation primarily in terms of the controlled releases of radionuclides which would occur if containment integrity was maintained. Only in recent years has the NRC Staff begun to examine emergency preparedness in terms of more serious accidents where evacuation might be considered at distances of ten or more miles.

With the occurrence of the accident at TMI-2, there has been a substantial alteration in this situation, particularly with respect to the interest of state and local governments in such matters.

In addition, several bills now pending before the Congress hold promise of correcting certain aspects of these problems. These actions are necessary to implement needed changes in the regulatory process.

6.2.6 Accident Recovery

The degree of difficulty encountered in restoration of a nuclear power plant which has been subjected to severe accident conditions is dependent in large part upon the forethought given such a probability during the design phase. When a significant amount of radioactive material escapes from the primary coolant system, its confinement within the containment minimizes the immediate jeopardy to the public.

However, as the TMI-2 experience has shown, the ultimate recovery from such an accident is impeded greatly if the containment cannot be entered and there is no effective way to remove the radioactive materials.

A thorough study of accident recovery methods is needed to ease the problems associated with handling this type of situation should it recur.

The options include addition of internal decontamination water sprays or comparable cleanup systems, robot type equipment that could be used to reduce the concentration of radioactive material to a level suitable for human access, or possibly secondary types of enclosures intended mainly to limit the spread of radionuclides from unanticipated accidents.

Ultimately, even previously molten fuel may need to be removed from the containment or transformed to a more suitable condition for long term isolation. Attention is now being devoted to these problems as they apply to TMI-2, but the question is of sufficient general interest that it should be a part of the longer term contingency planning.

7. REGULATORY MANAGEMENT MATTERS

Public understanding and acceptance of nuclear power as a beneficial source of energy depends to a large measure upon effective regulatory management.

In establishing the NRC, the intent of the Congress was to create a regulatory agency which was free from promotional bias.

It was believed that such an agency could oversee the safe use of nuclear energy and improve public confidence in the regulatory process.

The law implied by its sanctioning of nuclear plant licensing that nuclear power was an acceptable source of energy but that the policies and practices under which it was regulated needed modification.

Any such regulatory process, however, is extremely complex.

It has legal, economic, social and political aspects, and it involves very complex technology. The regulatory process must be stable in the eyes of the industry, it must be vigilant in protecting the safety of the public, and it must handle safety questions intelligently, responsively, and expeditiously.

To satisfy these regulatory obligations, the competence and responsibility of those involved in the regulatory process must be shown to be suited to regulatory purposes.

If they are then able to develop a format which is understood by all the participants, a suitable regulatory system should result.

The effectiveness of the regulatory process should be evident from the regulatory reporting system, the regulatory actions involved in correcting safety problems, and the communications releases through which the regulatory agency provides information to the public. These matters are not all handled satisfactorily in the current regulatory system.

Attention is directed to some of the most urgent matters in the following discussion.

7.1 Organizational Issues

As discussed in Chapters 4 and 5, the regulatory organization and the nuclear industry have both structured their organizations for interactive response to regulatory demands.

However, the organizational structure is not set forth with such clarity that every need can be identified and shown to be met.

The responsibilities of the organizations, their competence, and the manner in which they perform their duties determine whether the organizational structure is adequate.

In many cases, as subsequent discussions show, organizational problems exist that need attention.

7.1.1 Staff Competence

Taken as a whole, the professional competence of the NRC Staff is impressive because of its varied talents and the high level of academic training and experience which its members have attained. Nevertheless, each time a significant new safety problem appears, it usually points to a weakness in the regulatory process. This is particularly true with respect to the designation of problem areas for attention. Areas that now seem to need the most attention are systems analysis and plant operations. With respect to systems analysis, the NRC Staff, which has been highly compartmentalized, needs to build a stronger capability to understand and anticipate the interactions between plant systems, including the effects on such systems of accident environments and external phenomena.

Relative to plant operations, the I&E staff needs to be able to understand better the behavior of operating systems, to assess the capabilities of the operating staff, and to assure that their activities do not jeopardize public safety because of design, construction, or operational errors.

The recent organization of a systems engineering group within the NRC Staff will be helpful in reducing the compartmentalization of technical skills and may ultimately satisfy the systems analysis need. The operational aspects of nuclear power plants have not yet been examined sufficiently to clarify how the NRC Staff capability should be altered. Areas in need of attention include a better understanding of methods for training nuclear power plant personnel, improved procedures for analyzing systems interactions, a broad capability for accident simulation, improved methods for the control of radionuclide effluents, and upgraded procedures for inservice inspection of plant safety features. All of these examples suggest a need for reorientation of existing review procedures rather than the addition of new staff skills. However, if the present staff is preoccupied with existing tasks, new sources of manpower may need to be obtained.

One possible way of expanding the I&E capability is through the use of third party review. The development of outside sources to review other plant features on a systems basis might be a useful approach.

This approach is already accepted by the NRC for the Primary Coolant Circuit and Containment Structures under the ASME Boiler and Unfired Pressure Vessel Code, Section III, Nuclear Components.

The qualifications of such reviewers would need to be established, but in principle this approach could extend the capabilities of the NRC Staff in matters pertaining to nuclear quality assurance.

To provide an independent assessment of its capabilities, the NRC Staff should consider the establishment of ad hoc review groups. While the ACRS could contribute to this activity, it does not appear to be an effective use of the Committee's limited time.

Other arrangements should be sought.

Individual ACRS members might be able to lead ad hoc review groups composed of consulting experts.

It is important that such reviews be conducted by people who have an understanding of administrative as well as technological matters.

7.1.2 Industry Competence

The nuclear industry infrastructure is broad enough to satisfy most licensing requirements, given financial support and management backing. Thus far, however, segments of the industry have tended to limit their interests to complying with specific requirements of licensing, while managing the engineering aspects of nuclear power plants along the lines of conventional utility practice.

Following this approach, many utilities have relied heavily on outside consulting services for technical guidance, although some of the larger utilities have established substantial nuclear engineering competence.

Recent events indicate that nuclear power plant licensees need more basic capability to prepare for accident contingencies, to diagnose and respond to such events as they evolve, and to provide backup resources when needed.

The operating organizations cannot become totally knowledgeable about all nuclear steam system transient characteristics, but they can strengthen their understanding through training programs and professional staff additions.

The organization of this additional capability will have to be adapted to existing operating situations, but it is extremely important that each licensee or license applicant establish direct top level management interest in this capability on a continuing basis. The nuclear steam system suppliers and the architect-engineers also need to strengthen their capabilities in support of the operational organizations.

It would be appropriate for the NRC to encourage each of the major participants in the nuclear industry to commit themselves to an aggressive program for the development of safety improvements. Regulatory action alone will not satisfy the interest of public safety. The industry needs to demonstrate not only a commitment to the task, but also a methodology and a timetable for its accomplishment.

7.1.3 ACRS Effectiveness

The ACRS is assigned the responsibility for reviewing nuclear installations prior to licensing, and reporting the results of their deliberations to the NRC.

In the Committee's view, some monitoring of current license applications and of operating experience will always be needed to assure up to date and comprehensive treatment of safety matters.

Similarly, ACRS review of NRC's safety requirements, as embodied in regulations, standards, and standard review plans, must be continued since these requirements provide the basis for Staff judgment on such matters. The ACRS also needs to keep itself currently informed of safety research and international nuclear safety matters.

When specific safety issues arise, the ACRS will frequently be asked to use its range of expertise to assist the regulatory administration in defining a path for minimizing public safety risk. All such matters are important and would appear to deserve priority over other demands on the Committee (7.1). This is especially true since the time of ACRS members is limited by their part-time status.

7.1.4 Clarification of Responsibility

Within the regulatory organizational structure, there are five line offices under the direction of the Executive Director for Operations (EDO). Because the law provides for direct access to the Commissioners by the Directors of three of these Offices, the authority of the EDO for public safety decisions may be diluted.

Further, offices have sometimes acted independently of each other when their action should have been coordinated. The result is apparent confusion concerning the source of authority for regulatory positions.

This has adversely affected public confidence in the regulatory process.

Integrated and identifiable authority is needed to correct this situation.

The Commissioners also do not at present have a well-defined role.

Legislative action should be taken to establish how the Commissioners as a collegial body and as individuals should meet their responsibilities and display appropriate regulatory leadership.

If some other form of regulatory management approach is ultimately established, similar definition of the regulatory management role is needed.

A matter of equal concern is whether the NRC has delegated too much responsibility for public safety to the licensees. The NRC could interject itself more into operational planning and training. The presence of an NRC representative at a plant site offers NRC the prerogative to decide when and whether plants should be started up or shut down. In addition, the NRC could set more explicit requirements with respect to plant design, operating procedures, and effluent discharges, and it could require all applicants to follow these NRC directions. Thus far, the NRC has avoided this because it would essentially relieve the licensees of any responsibility for design and operational decisions.

Such an approach might also result in the loss of the objectivity of the NRC review since the agency would be defending its own designs and operating initiatives. There is a crucial need to establish that licensees who accept such responsibilities are capable of meeting them.

(7.1) The ACRS in the past has reviewed radionuclide shipping cask design and verification programs, waste management plans, and other comparable matters of lesser safety significance. The Committee can continue to handle such matters when licensing activities are slow but it could not carry a heavy extra load concurrently with intensive licensing. It is noted that in Japan, the advisory functions are divided between two committees, one for power plants and the other for the balance of the fuel cycle.

7.2 Regulatory Format

The conduct of the regulatory process requires a well understood format in which the technological matters are presented and the quasi-legal public review is effected. No system as complicated as the nuclear regulatory process could have a detailed prescription for every regulatory requirement.

Much that exists in the regulatory process is a result of continual development of review documents, and adversarial discussion between license applicants and safety reviewers, as well as the application of recognized conventional engineering methodology to important safety matters in every technological area. The application of this well understood base and the manner in which "standardization" is used to assure public safety must be appreciated by those concerned with regulatory management. The legal framework, itself, depends upon this format, but its use may be distorted if conventional legal processes are applied to safety areas. The ensuing discussion will show where some adjustment of the regulatory format is justified and desirable.

7.2.1 Preservation of Regulatory Base

The good safety record of the nuclear power industry is largely attributable to the regulations of the NRC, and its predecessors, and to the efforts of the nuclear industry.

In considering the need for change in the regulatory process, care must be taken to preserve the good qualities of the regulatory system while seeking improvements. The current approach, based on the use of regulatory documents, is well understood even though some of them may be subject to misinterpretation, some may need to be more definitive and some may need to be expanded.

It is important to work with the existing base to the maximum extent practical.

If a new set of documents were introduced, the interpretation process, itself, could lead to regulatory chaos.

The experienced personnel involved in the regulatory process in both the reg-ulatory and licensee organizations are also an important part of the base.

Although management changes are needed and the definition of responsibility should be improved, those knowledgeable about the safety logic and the im-plicit but unstated cost-benefit balance must be permitted to function in a system not overly encumbered by procedural requirenents or arbitrary manage-ment edicts.

7-6 7.2.2 Stardardization The concept of " standardization" was originally envisioned as a way to ac-celerate the licensing process by minimizing review time.

Most NSSS ven-dots have established basically uniform configurations.

All major equignent is standardized in manufacture and performance.

The darust of recent stan-dardization has been to obtain " design approval" on a system basis so that system review will not have to be performed repetitiously.

Balance-of-plant designs by A-Es have followed a similar trend.

The level of detail provided in standardized designs is not as complete as might be seen, for example, in air transport systems.

The adequacy of the system definition, including the level of detail to be provided for final approval of standardized design has not yet been established.

Insufficient experience is available to confirm the benefits anticipated from standardization.

Up to now, it seems to extend further the variability of designs from those of existing plants.

A variation of standardization that has received considerable support is the "replication" of existing designs. This approach does reduce the design variability since the intent is to follow closely what has been done before.

As applied in recent licensing actions, replication approaches have, unfortunately, tended to restrict initiatives for safety improvements on the premise that they violated the principle of "design stability" which standardization is intended to promote as a means of streamlining the approval process. This restriction might also be interpreted as a mechanism for circumventing requirements for public safety improvements.

There are certainly advantages to standardization that could be realized if many nuclear plants needed to be licensed rapidly.

It is not certain that the present NRC approach really brings forth the advantages of standardization. The mode in which "standardization" is being used should be reexamined to determine whether alterations (7.2) would enhance nuclear plant reliability and safety without loss of the streamlining effects on licensing that it is intended to provide.

The range of reliability and safety in current designs can be measured in part by the current study of the critically required PWR auxiliary feedwater systems wherein a range of 100 or more in apparent reliability between various designs has been discovered.

Comparable ranges of reliability may well be found in each of the other functional systems required for safe shutdown and accident mitigation. These range from the service water system through component cooling (including considerations of whether such a system is necessary), the secondary steam system (again, if necessary), environmental and equipment cooling systems, and the like.

(7.2) The concept of a "standard LWR design" for national use has been suggested. Such a design could evolve from careful sifting of the current designs to determine the most reliable and economical means by which functions common to all plants are accomplished.

These systems, as exemplified by the PWR auxiliary feedwater systems, may all satisfy the minimum requirements of present regulations, yet still show an extreme range from very poor to generally excellent practice.

In the final analysis it may well be argued that study would show that some BWR or PWR design features should be eliminated from a future standardized design.

A concept of standardization could be established that would be based almost entirely on the LWR experience over the last 20 years plus consideration of comparative accident vulnerability as determined by careful study of critical systems design under all modes of operation.

Unproven extrapolations of nuclear technology might be excluded although evolution of design improvements within a few developmental plants could be part of the overall effort.

7.2.3 Legal Framework

A sound legal basis is essential to the regulatory process. One of the mechanisms in this process is the review of a license application by an ASLB.

Such a review is intended to establish that the NRC has a basis for its rules and regulations, that it is following its own regulatory requirements and policies, and that it has satisfied the intent of the NEPA.

Since the NRC staff has satisfied itself as to the adequacy of the safety of a given facility prior to such a review, its legal staff generally supports the licensing actions before the ASLB.

The NRC's legal staff also serves as a channel through which the Boards can probe the NRC staff positions on licensing actions.

There are some significant advantages to the public in this process.

It sometimes provides an opportunity for further examination of legitimate safety concerns not fully exposed in the previous reviews.

It also provides a valuable forum for discussing NEPA issues of concern to the public.

Nevertheless, the hearing process leans more toward legal maneuvering than to a position supportive of public safety and environmental concerns.

In addition, it seems to have discouraged discussion of safety issues in the Safety Evaluation Report (SER) and in other documentary evidence intended for Hearing Board review.

It also leads to legally oriented oral statements by NRC Staff members.

Most importantly, this approach discourages the NRC Staff from discussing controversial subjects of safety concern in open meetings, including those with the ACRS. These restraints are probably intended to eliminate extraneous matters that might unnecessarily delay the hearing process.

Unfortunately, they may also prevent full exploration of some significant safety issue.

Under these conditions, the Staff SER appears to be prepared mainly to provide information for the quasi-judicial ASLB hearing.

As a result, the SER consists primarily of repetitive "boiler plate" which often tends to obscure and provide little amplification of safety issues.

The result is that the SER has become a document of little value to those people responsible for safety reviews of nuclear facilities. This includes members of the ACRS.

Public safety is not well served by this legal style of safety issue presentation.

If the SER included discussion of the various aspects of each significant safety issue, together with a judgment basis for the NRC Staff conclusions, the report would serve a more appropriate role at the ASLB hearing. The reasoning of the NRC Staff could be examined by the ACRS and the ASLB without the need for advocacy by the NRC legal staff.

Where a basis for ruling on a particular safety issue had been previously established, it could readily be identified. The public would then be able to see why, where and how the NRC Staff's safety conclusions were drawn.

ASLB rulings on specific safety issues have sometimes, because of legal considerations, adversely affected public safety interest as the following example illustrates. The ASLB has on occasion ruled that the NRC could not require planning for emergency action beyond the low population zone (LPZ).

It has also ruled in some cases that the radius of the LPZ must be reduced because of population growth near a plant site.

These two rulings have combined to permit a high population density adjoining some sites without commensurate planning for emergencies.

The ASLB hearings are also used as a mechanism for determining whether the NRC Staff has an appropriate basis for rulemaking. Although the hearing provides an opportunity for open debate, the subject matter is sometimes outside the context of specific licensing actions. Whether such hearings provide the proper forum for establishing technological validity is not entirely clear.

For example, adversary proceedings lasting more than a year were needed to develop rulemaking (7.3) for analytical techniques to demonstrate the performance adequacy of ECC systems.

Even so, some reliability aspects were never adequately addressed during this hearing process.

If such a process is to be used as the basis for rulemaking, the manner in which the issues are to be addressed and the rules established needs further study.

The attention directed to NEPA may be indirectly interfering with public safety reviews by diverting attention to other interests, such as power system load growth, cost-benefits of alternate power sources, anti-trust considerations, and other environmental matters.

These are concerns of major public interest, and the NRC is probably justified in its diligent attention to them. However, there has sometimes been a tendency to move NEPA matters ahead of public safety matters. The selection of a power plant site, for instance, is weighed carefully by NRC with respect to its economic benefits, social impacts, and power system demand, but in most cases, safety alternatives are weighed only with respect to whether a particular site meets the minimum safety requirements (7.4).

(7.3) Published in 10 CFR Part 50 as Appendix K.

The Public Hearings are an important aspect of the nuclear regulatory process, but some consideration needs to be given to changing the style of the hearings so that the safety issues can be exposed fully without unnecessarily delaying licensing actions. The combining of NEPA and Safety Reviews in the ASLB hearings may be a contributing complication. To the extent practical, it would be desirable to separate these two issues in the hearing process.

7.3 Regulatory Actions

Public perception of regulatory actions will be improved if safety problems are reported on a timely basis and actions are implemented promptly when needed to assure the protection of the public. Since the accident at TMI-2, the NRC staff has been reexamining the manner in which public safety problems are identified and how it implements corrections.

Specific changes to be proposed are still under discussion. The areas where alteration in the regulatory style could be of immediate value are noted below.

7.3.1 Reporting of Safety Problems

New safety problems will appear in nuclear installations, and it is unrealistic to assume that all will be predictable. The NRC requires all licensees to report safety-significant happenings promptly so that necessary regulatory actions can be taken.

The comprehensiveness of the reporting requirements, however, may not be adequate to cover all areas of interest nor to include all participants who might make a safety contribution.

Action should be taken to make certain that nuclear plant owners and operators, constructors, NSSS and other equipment suppliers, inspection and service organizations, craftsmen, operating personnel, and even the public at large report matters of public safety significance as soon as they are known.

While this may occasionally cause unnecessary reaction to minor safety matters, it will assure that maximum time is available to correct serious difficulties.

(7.4) An exception is noted in the case of the Hope Creek Nuclear Station whose site was changed from Newbold Island after NEPA review focused attention on the less than desirable population distribution in the proximity of the previously selected site but only after the earlier site had carried through an extensive licensing review including ACRS hearings.

At the same time, the reporting system should not be excessively burdensome.

The informational requirements should be defined in such a way that those involved in reporting can, without excessive effort, provide whatever information is necessary to assess the safety significance of such matters.

Of particular importance is the need to avoid a prosecutory environment (7.5) for those who report errors, faults, and maloperations, particularly when deliberate wrongdoing is not evident.

Only in this way can the regulatory system assure a positive response from licensed participants, their contractors, and their employees.

7.3.2 Resolution of Generic Problems

Some years ago, the ACRS developed a list of safety matters that, although requiring attention, were not of such urgency that they required final resolution for all specific license applications.

It was intended that these matters be covered by the NRC and its licensees over the long term and that the problems be corrected as solutions were found. The rate at which these "generic safety items" were being examined and resolved, however, was relatively slow and this has caused considerable public concern (7.6).

In the past two years, the NRC Staff has established a more complete Generic Items list of its own, that incorporates all of the ACRS items, and has recommended priorities for addressing each item. Although the NRC Staff list is more extensive than the ACRS list, there is agreement on most of the high priority matters. Action plans for resolving the items of highest priority have been established and an "Unresolved Safety Issue Task Force" was recently formed by the NRC Staff to assure that high priority matters are given adequate attention.

Although the NRC Staff actions in the past have not appeared to be aggressive in addressing generic problems, or timely in implementing their solutions, current efforts appear to be more acceptable. Some matters cannot be readily resolved by physical changes and will require surveillance or other types of controls to minimize public risk.

Others may involve implementation of major plant changes during planned outages. The correction of generic problems can be handled on a longer term basis if the risks are well understood and appropriate defenses are maintained. The current staff actions appear to be responsive to regulatory needs, and they should be continued in an aggressive mode.

(7.5) Although it is difficult to excuse mistakes and unintended violations of regulations, the threat of legal jeopardy in such instances can only create an environment of protective cover-up among the threatened that tends to hide important safety information. If the legal threat is sufficiently serious, career-minded professionals will seek other employment areas, weakening the industry's capability.

(7.6) The need for "instruments to follow the course of accidents" is a generic item whose resolution was planned through issuance of Regulatory Guide 1.97. The guide was excessively vague in some areas and overly demanding in others. The NRC was never able to reach an understanding with the industry concerning implementation. In a similar vein, the ATWS issue has been debated for more than 10 years, but an agreed upon implementation plan for resolving the issue has not yet been established.

Establishing positive implementation plans once resolution actions are known is essential to maintaining public confidence in the regulatory process.

7.3.3 Back- and Forward-Fitting of Safety Improvements

The public risk associated with omitting or delaying desirable safety improvements or correcting safety deficiencies may be quite small if only a few plants are involved and operating organizations can provide compensating surveillance, for example. Changes in existing plants are often costly, and redesign sometimes delays the licensing process.

These factors must be taken into account when the NRC imposes new requirements.

Nevertheless, a limit must be established with respect to the cumulative risk from delaying such actions.

Some matters (7.7) currently under consideration have been deferred for such a long time that they might be viewed as the object of deliberate procrastination.

The NRC needs to show how its judgments concerning backfit or forward fit actions are established. Cost and schedule cannot be overriding considerations if there is real concern for public safety.

7.3.4 Public Communications

The public anticipates that the NRC will keep it informed in an intelligent and responsible way concerning safety problems, licensing actions, regulatory deficiencies, health effects, waste disposal, and similar matters.

The public, as well as the NRC licensees, often have difficulty in determining which sources of information are authoritative and whether information provided by NRC staff members is fact or opinion, official or private, preliminary or final. Clearly, as was recognized in connection with the accident at TMI-2, a single well-informed spokesman is essential to avoid confusion in responding to an emergency.

The NRC organization should be prepared through such a spokesman to explain, clarify, correct, modify, amplify or otherwise inform the public of matters appearing in the public information media in a timely fashion so that the public can identify the authoritative regulatory voice and discern the public safety significance of the information.

(7.7) The Recirculation Pump Trip provision intended to alleviate concerns for ATWS consequences in BWRs is not yet fully implemented even though this has been a recognized need for about a decade. Also, increased pressure relief capacity in PWRs seems to be meeting high industry resistance even though recent ATWS reviews show that such capability will eliminate most concerns for this safety issue.

The provision of a designated spokesman to express the official NRC viewpoint, however, should not be a mechanism for stifling expression of divergent views.

Indeed, some Commissioners and some members of the NRC Staff may differ with the official position and they should be encouraged to express those views.

Speakers should state that they are expressing personal views if they do not represent the collective NRC viewpoint. When appropriate, the NRC may even wish to have its spokesman discuss divergent positions that are under consideration.

The benefit from having a designated spokesman is that the press and the public can see the regulatory thought processes at work in both the official and the independent positions and can have some understanding of their bases.

8. OVERALL ASSESSMENT

The regulatory base being used by the NRC is substantial. Over the 25 year period of development, the regulatory process has evolved a methodology for accident assessment in the interest of public safety that covers virtually all of the major issues.

It has many imperfections, but the goals outlined in Chapter 2 of this report have all been addressed.

As has been indicated in preceding sections of this report, there is considerable unevenness in the effectiveness of the regulatory activities, and in some cases, the capability does not measure up to the need.

There are a number of strong points in the current regulatory process.

They include an established review methodology that is commonly understood and used by the regulatory staff and the regulated industry, a regulatory staff on the whole of high caliber that handles the technological issues knowledgeably and with dedication, and a system for identification of problem areas that draws attention to safety matters.

These are valuable assets of the current regulatory system, and they should not be jeopardized by changes in the management structure or in the scope of the regulatory authority.

There are also shortcomings in the regulatory process that need improvement. The President's Commission appointed to investigate the TMI-2 accident made a number of recommendations in this respect.

The ACRS concurs with many of these recommendations and offers the following seven recommendations as its interpretation of the needed actions pertaining to the regulatory process:

1. The nuclear regulatory function requires strong leadership. This could be provided by one of several options such as a Regulatory Commission Chairman having full executive authority, a single administrator to whom all regulatory functions report, an administrator with full executive responsibility reporting to the Commissioners on policy matters or a Commission formed from the chief technical, legal and enforcement executives of the regulatory organization with one of them designated to be the chief executive officer. The essential requirements of the leadership assignment are a knowledgeable understanding of the regulatory processes, a sound technological background, and the ability and authority to act decisively on regulatory questions including the handling of nuclear safety emergencies.

2. The President's Commission proposed that an oversight committee be established to examine the performance of a nuclear regulatory organization headed by a single administrator. The ACRS is not persuaded of the need for such a part-time oversight committee specific to nuclear energy, and believes that, if such a committee were to be created, it should have a much broader charter with regard to technological issues in society.

3. Except for a few limited cases considered during the past few years, the staff has been unwilling to investigate potentially significant safety matters if they were not identified as part of the "design basis." Its consideration of the ramifications of accidents involving degraded safety feature performance or other circumstances leading to accident consequences beyond those covered by the "design basis" was too restrictive, causing both the industry and the regulatory staff to be inadequately prepared for unanticipated accident circumstances. There has been a salutary change in the NRC Staff views of such matters since the TMI-2 accident that seems responsive to the need. Future organizational arrangements should assure that this interest will be sustained.

4. There is a need to strengthen some NRC Staff functions, including those related to (a) provision of a systems approach to safety review, (b) a better audit of design, and (c) improved regulatory monitoring of licensee performance including operations and technical support.

5. The role of the ACRS should be strengthened by establishing the necessary arrangements for assuring that timely and adequate attention to ACRS concerns is given by the Commissioners as well as the NRC Staff.

6. The nuclear industry must strengthen its ability to handle safety matters. A strong technical and managerial capability in this area on the part of all licensees and their contractors is very important. The industry has taken some positive steps in this direction since the TMI-2 accident, but further changes are still needed.

7. The relevant knowledge and expertise gained during plant design and construction must be transferred to those responsible for plant operations. The licensees, individually and cooperatively, should take an active rather than a passive role in a design decision making process. The utility licensees must show they have effective and timely access to the technical resources of their contractors and suppliers or the equivalent over the plant lifetime.

In addition to the preceding seven general recommendations, the ACRS recommends that the following nine technological matters be considered at the earliest opportunity.

8. Accidents beyond the current design bases should be considered in deciding on the future approach to siting, to reactor design, and to emergency measures. Future reactors should not be located at sites with high population densities. Using a risk-benefit evaluation basis, design and other measures should be considered to further reduce the probability of serious accidents and to mitigate their consequences.

9. The ACRS believes that the fundamental safety goal of both the NRC and the nuclear industry should be to achieve a degree of safety that is as good as reasonably achievable, taking into consideration appropriate technical, social, and economic factors.

10. Where practical, a quantitative approach should be used in establishing safety criteria, in assessing potential enhancement of safety, and in providing well qualified comparative risk assessments relating nuclear power to other technological aspects of society. Publicly stated goals with regard to acceptable risk, the levels of safety which are thought to have been achieved, and the uncertainties inherent in such estimates of risk should be available to provide a basis for judgment by the public.

11. The "single-failure criterion" and other failure control design bases should be modified as necessary to encourage more consideration of progressive, common cause, and multiple failures arising from a single initiating event. A systematic evaluation should be made of the needed reliability for components, systems, or groups of systems, commensurate with the impact of their failure on accident consequences affecting the public health and safety.

12. Separate and dedicated safety systems can and should be used where appropriate to enhance reliability; however, future safety review and evaluation should consider not only safety-designated items, but also the potential safety influence of all portions of the plant.

13. Substantially increased attention should be given by the nuclear industry and the regulatory staff to potentially adverse system interactions. A method for studying system interactions needs to be developed and used for this purpose.

14. Much more attention must be given to man-machine interactions with respect to the manner in which they can affect public safety.

15. Regulatory and industry organizations should aggressively investigate such safety improvements as filtered vented containment, dedicated shutdown heat removal systems, and design changes to reduce the probability of successful sabotage, and implement those found appropriate. The nuclear industry should be more aggressive in seeking safety improvements beyond those required by the regulations and the regulatory process should provide incentives for this purpose.

16. Where practical, the techniques of probabilistic analysis should be applied to operating plants and to plants under construction to ascertain whether there are design improvements whose implementation would reduce the overall risk to the public.

With regard to the regulatory and industry organizations there is a need for skill enhancement in some areas, improved quality assurance arrangements for design, and greater industry initiative toward improved safety. The actions to satisfy these needs are outlined in the following eight recommendations:

17. A procedure is needed whereby operating nuclear plants are periodically reexamined taking into account current nuclear criteria and standards. The performance of the operating organization and the technical support available to it should also be examined during these periodic reviews. The existing systematic review program should be restructured and expedited, with responsibility placed on licensees to periodically evaluate and report on the safety acceptability of continued plant operation.

18. The basic orientation of the NRC safety research program should be shifted from overemphasis on "confirmatory research" to substantial effort in research intended to improve nuclear power safety by assisting in the resolution of identified safety concerns, by examining possible safety improvements and by exploring for issues or problems of potential significance. The probabilistic techniques developed for risk assessment should be made an active working tool in the safety improvement effort.

19. It is recommended that the NRC use its powers vigorously under 10 CFR Part 21 to require that NSSS vendors, A-Es, and licensees promptly report safety concerns that may be raised within their organizations, including submittal of pertinent internal documents.

20. It is important to public safety that the nuclear steam system vendor organizations be maintained at a high level of competence or that an equivalent source of expert knowledge of the performance and function of the nuclear steam supply systems be developed and maintained as a direct support available to licensees when needed during the plant lifetime.

21. A fundamental change in approach by both architect-engineer and plant owner must be developed in which the objective of the architect-engineer is to make the safety of the plant as good as reasonably achievable, rather than merely meeting existing regulatory requirements at minimum cost. For example, the use of probabilistic techniques and systems engineering studies, performed jointly by the A-E and the owners' staff, should help to determine where significant gains in system reliability or safety margin can be obtained at reasonable cost. A-Es should be required to demonstrate that appropriately safe design has been attained.

22. Methods should be developed and implemented to provide a meaningful, more extensive design check and audit of the balance-of-plant than has been the general custom previously. This might be partially achieved through appropriate, certified third party organizations which are independent of both the nuclear industry and the NRC Staff. However, the internal review functions of the owner and the A-E must also be improved.

23. As stated in its recent Review of Licensee Event Reports (NUREG-0572), the Committee believes that operating experience can provide an important source of safety guidance for commercial power plants. The Committee encourages the NRC to continue to develop a program under which benefits of the lessons learned from LERs can be fed back into the design, construction, operation, and maintenance of nuclear plants.

24. The development of a limited number of standard LWR plant designs using an as good as reasonably achievable design philosophy would provide guidance in judging public safety adequacy and should be encouraged. Where appropriate, these designs should include ideas that depart from previous practice.

The safety of operating nuclear power plants and of those nearly ready to be licensed can be improved during the current licensing "pause" adopted by the NRC.

The ACRS agrees that some of the safety improvements could be significant. However, the Committee does not believe that the absolute or incremental risk from operation of several more newly completed nuclear power plants will pose unusual or unacceptable individual or societal risks.

Serious consideration should be given to permitting startup tests for plants ready for licensing that have safety features at least equivalent to those now required for currently operating plants. These plants could then be placed on standby as being ready for operation if required in the national interest while the NRC is deciding on the needed changes in safety requirements beyond those already announced.


NRC FORM 335 (7-77)
U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET

1. Report Number: NUREG-0642

4. Title and Subtitle: A Review of NRC Regulatory Processes and Functions

7. Author(s): Advisory Committee on Reactor Safeguards

5. Date Report Completed: December 1979

9. Performing Organization Name and Mailing Address: Advisory Committee on Reactor Safeguards, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

Date Report Issued: January 1980

16. Abstract (200 words or less): A reexamination by the ACRS of the Regulatory Process has been made. Objectives were to provide, in a single source, ACRS' understanding of the Regulatory Process and to point out perceived weaknesses and to make appropriate recommendations for change.

18. Availability Statement: Unlimited
