ML20004E063

A Review of NRC Regulatory Processes and Functions
ML20004E063
Issue date: 05/31/1981
From: Advisory Committee on Reactor Safeguards
To:
Shared Package: ML20004E062
References: NUREG-0642, NUREG-0642-R01, NUREG-642, NUREG-642-R1, NUDOCS 8106110084


Text

NUREG-0642 Rev. 1

A Review of NRC Regulatory Processes and Functions

Manuscript Completed: May 1981
Date Published: May 1981

Advisory Committee on Reactor Safeguards
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

ANNOUNCEMENT

The ACRS has issued in final form its "Review of NRC Regulatory Processes and Functions."

The report is a condensed summary of the NRC approach to Nuclear Safety Regulation that explains how the regulations evolved and where shortcomings exist.

As an independent report akin to the Kemeny Report and the Rogovin story, it provides a compact interpretation of nuclear regulatory matters needing attention subsequent to the Three Mile Island accident.

This issuance includes editorial and typographical corrections, but does not change the substance of the version published in January, 1980.

Changes in the regulatory process and organization which occurred since that time have also not been included.

UNITED STATES
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D. C. 20555

December 17, 1979

The Honorable John F. Ahearne
Chairman
U. S. Nuclear Regulatory Commission
Washington, DC 20555

Dear Dr. Ahearne:

The experience at Three Mile Island, Unit 2, was a dramatic reminder that improvements in the nuclear regulatory process are needed, even though the existing process has been quite effective in protecting the health and safety of the public and provides a solid base for the needed improvements.

The experience of 25 years of nuclear power production stands as evidence of that protection.

In this context, and while continuing its review of the TMI-2 accident implications, the ACRS has been reexamining the regulatory process, and submits herewith the results of its study.

We had two objectives.

First, we wanted to provide our understanding of how the system has functioned up to now.

The many investigations of TMI have revealed considerable confusion about the structure of this complex and interactive process, and we have tried to describe it and its genealogy.

Second, we wished to point out weaknesses, as we see them, and to make appropriate recommendations for change.

We have found this exercise instructive to ourselves and hope that it will be to others.

You will find that we have not separately listed our recommendations in an "executive summary," so a reading of the document is necessary.

It is our view that recommendations for change should be contained in the description of the existing system to make them meaningful, but some of our more important recommendations appear in Chapter 8.

We are, of course, aware of the recommendations of the President's Commission, the President's response to those, and of the other reviews now in progress.

We hope that this document will be generally useful, and submit it with that intent.

Sincerely,
Max W. Carbon
Chairman

FOREWORD

The recent accident at Three Mile Island, Unit 2 (TMI-2), made the public extremely sensitive to nuclear regulatory activities and emphasized the well-known fact that any important government function deserves periodic examination to determine whether it is serving the public need in an appropriate manner.

The Congress is giving serious consideration to alterations in the regulatory structure, anticipating that such changes may enhance the national public safety.

The President appointed a Commission to examine the TMI-2 event and to make recommendations concerning the regulatory process and functions as a result of information derived from that accident.

These actions all point toward a need for prompt reexamination of the United States Nuclear Regulatory Commission (NRC), which has been in existence since 1975 to regulate nuclear matters affecting the health and safety of the public through a government licensing process.

While both NRC and the President's Commission are developing independent assessments of the regulatory process, nuclear regulation cannot be examined in the context of a single event or a single point in time.

The process has been evolving over a period of about 25 years and has had the advantage of thoughtful and probing review over that entire period, much of it broadly displayed through the communications media to the entire population.

Hence, it is appropriate at this time to understand well what has developed over the 25-year period before considering changes that materially affect the current regulatory processes.

Changes are needed urgently in some areas, and many are already being effected or planned by the NRC organization and its licensees.

Care must be taken, however, to assure that the changes under consideration or to be identified in the future will, in fact, strengthen the regulatory process and functions.

The Advisory Committee on Reactor Safeguards (ACRS) has spent much time over many years observing and examining the NRC licensing process.

The Committee is, consequently, in a position to comment on the situation, and it believes this review will be helpful to those examining the regulatory process by discussing how it works, where it is weak, and the opportunities for improvement. The Committee's review may also help put current proposals and discussions in perspective.

CONTENTS

1. INTRODUCTION
2. REGULATORY GOALS
3. THE CHANGING STYLE OF THE REGULATORY PROCESS
4. REGULATORY ORGANIZATION
4.1 The Documentary Basis for Regulation
4.2 The Nuclear Regulatory Commission
4.3 Atomic Safety and Licensing Boards
4.4 Regulatory Operating Functions
4.4.1 Office of Nuclear Reactor Regulation
4.4.2 Office of Inspection and Enforcement
4.4.3 Office of Standards Development
4.4.4 Office of Nuclear Material Safety and Safeguards
4.4.5 Office of Nuclear Regulatory Research
4.5 Advisory Committee on Reactor Safeguards
5. NUCLEAR INDUSTRY ORGANIZATION
5.1 Plant Licensing Responsibilities of the Owner
5.2 Architect-Engineers' Role
5.3 Nuclear Steam Supply System Vendors' Role
5.4 Nuclear Fuel Suppliers' Role
5.5 Special Nuclear Support Services
5.6 The Nuclear Plant Constructors' Role
5.7 Assessment of Collective Industry Capability
6. MAJOR TECHNOLOGICAL ISSUES
6.1 Engineering Methodology for Public Safety Protection
6.1.1 Design-Basis Accidents and Probabilistic Analysis
6.1.2 Failure Definition
6.1.3 System Interactions
6.1.4 Man-Machine Interactions
6.1.5 Separation of Safety from Non-Safety Systems
6.2 Siting Aspects of Public Safety Regulations
6.2.1 Siting Criteria
6.2.2 Multiple Unit Sites
6.2.3 Site-Related Safety Improvements
6.2.4 Nuclear Power Plant Waste Management
6.2.5 Emergency Response
6.2.6 Accident Recovery
7. REGULATORY MANAGEMENT MATTERS
7.1 Organizational Issues
7.1.1 Staff Competence
7.1.2 Industry Competence
7.1.3 ACRS Effectiveness
7.1.4 Clarification of Responsibility
7.2 Regulatory Format
7.2.1 Preservation of Regulatory Base
7.2.2 Standardization
7.2.3 Legal Framework
7.3 Regulatory Actions
7.3.1 Reporting of Safety Problems
7.3.2 Resolution of Generic Problems
7.3.3 Back- and Forward-Fitting of Safety Improvements
7.3.4 Public Communications
8. OVERALL ASSESSMENT

1. INTRODUCTION

The Congress of the United States established the Nuclear Regulatory Commission (NRC) along traditional regulatory lines, wherein the Commission sets regulatory criteria and requirements for industrial participants who must meet the regulatory requirement as a condition of licensing.

The NRC places the onus on the licensee to show compliance and on the regulator (the Commission) to determine compliance.

The Commission has authority to impose both legal restraints and monetary penalties on those who fail to comply with the regulatory requirements.

The Commission's authority generally transcends that of state and local governments, but it has acted to establish a cooperative relationship with all levels of government in order to maximize public acceptance of the regulatory process.

The operation of NRC has some unusual aspects, including the way in which the Commission itself functions, the statutorily defined functions of the regulatory operations staff, the hearing process of the Atomic Safety and Licensing Boards (ASLB) and the review by the Advisory Committee on Reactor Safeguards (ACRS).

Much of this is unique among United States regulatory processes, but the principles are similar to those of other regulatory systems.

The Congress assigned to NRC the responsibility for regulating the construction and operation of nuclear power plants operated by privately financed public utilities and publicly owned power agencies.

NRC discharges this responsibility by imposing technical and administrative requirements as a condition of issuing construction permits and operating licenses and by monitoring the performance of licensees.

The prime responsibility for safe design, construction, and maintenance of nuclear power plants rests, however, with the licensees.

Insofar as safety is concerned, the system has a number of advantages, but the primary one is that the licensees have both financial and legal incentive to operate the power plants in a safe fashion.

The regulatory organization acts as a "watchdog" to make certain that the conditions of the license are satisfied.

The system suffers from unevenness of application that leads to shallow audits of some areas of safety interest and overly detailed review of others.

On the other hand, the system puts grave responsibility on licensees to make certain that the nuclear technology is used in a way which minimizes the potential for harm to the public, even though they have counteractive pressures to minimize costs and improve profitability.

Other regulatory systems can be visualized.

One such system would involve operation of a plant built with private or public funds by a governmental organization while a second governmental organization served as a "watchdog" over the first.

Some countries use this arrangement.

The advantages of one system over another can be discussed only in qualitative terms.

The NRC functions under the requirements of the Atomic Energy Act of 1954 and its subsequent modifications but was created by the Energy Reorganization Act of 1974.

The staff currently numbers more than 2000 people, and by comparison with some other regulatory agencies, it is large.

The Atomic Energy Act specifies the duties of the Commission in the interest of public safety as they apply to regulation of the use of radioactive and fissionable material, with the main emphasis on nuclear power plants and the nuclear fuel cycle.

The National Environmental Policy Act (NEPA) requires the NRC to direct a large portion of its activities to an environmental evaluation of licensing actions.

The NEPA review requires a significant commitment in terms of manpower - perhaps 50-75 percent as much effort as the safety review.

Thus, when examining the nuclear regulatory process, it is important to recognize the Commission's response, not only to the Atomic Energy Act, but also to the responsibilities derived from NEPA.

The agency's functions are further complicated by its overlapping responsibilities with the Department of Energy (DOE). These, too, must be taken into account when considering the regulatory process.

Although the review of the nuclear regulatory process presented herein was performed from the vantage point of TMI-2 experience, the entire history of nuclear power regulation is considered.

The present system has a substantial base of experience developed over a quarter of a century; hence, attention in this review is directed mainly to the existing regulatory concept, its strengths, its weaknesses, and the need for improvements.

The reference time for this discussion of the state of the regulatory process is that period just prior to the TMI-2 accident.

Since that time, changes have been made or are being planned by the NRC and by its licensees.

The changes of which we are aware are noted herein.

2. REGULATORY GOALS

The Atomic Energy Act of 1954 and its subsequent amendments and the Energy Reorganization Act of 1974 provide a broad charter for the NRC, its staff, its hearing boards, and its advisors to regulate nuclear energy processes and products, as needed, to protect the health and safety of the public.

NEPA, as interpreted in the Calvert Cliffs decision, includes requirements for balancing of costs and benefits and evaluation of environmental impacts as conditions for nuclear licensing.

These statutory requirements comprise the basis for judgments about the effectiveness of nuclear regulatory processes.

While identifying important organizational participants, the legislation does not specify the regulatory process in great detail, and thereby allows the Commission latitude in establishing the methods for satisfying statutory requirements.

The Commission has not set forth specific objectives or goals in any official document or statement, but they can be inferred from the types of activities in which NRC is involved and the resultant decisions.

Although not stated formally, the goals of the Commission should be kept in mind when judging the organization and programmatic thrust of NRC.

These goals include:

1. establishment of regulatory policies, standards, practices, and procedures that, while recognizing the societal need for energy and the associated economic considerations, make due allowance for public safety and moral obligations to present and future generations,

2. provision of criteria for public safety or other regulatory decisions that are set forth in understandable form and, where practical, are based on the use of quantitative risk-evaluation methods that permit nuclear risks to be related to other societal risks,

3. provision and maintenance of the regulatory staff needed to establish requirements and enforce regulations,

4. establishment of a regulatory system such that licensee compliance with the requirements can be demonstrated,

5. provision of evidence, through documentation and regulatory actions, that the goals of the regulatory process are being met, and

6. establishment of procedures for keeping the public informed on all matters of public interest, whether societal or technological.

One of the purposes of this review is to determine whether these goals can be met.

It is important that the process include the capabilities needed to achieve the goals if it is to serve the public adequately.

Safety, environmental protection, and economics can have conflicting demands; NEPA acknowledged this in its requirement for environmental balancing.

The balance may be altered as industry grows, technological understanding broadens, or political circumstances change.*/

Public acceptance of the regulatory process depends upon conveying to the public an accurate and fair representation of regulatory effectiveness with respect to established regulatory goals.

This report provides evidence as to how nearly the goals are being attained, but no attempt is made to establish a grading system because the standards for judgment will always be influenced by time and circumstances.

*/ When electric power generated from nuclear energy was originally introduced in the United States, the main consideration was its economic competitiveness with power generated from other forms of energy, such as coal, gas and oil.

Recently its availability has become a matter of strategic importance to our national defense and international policy.

Public safety and national or world economic investment can also influence political circumstances.

These matters can have a bearing on how, whether, and where to use nuclear power.

3.0 THE CHANGING STYLE OF THE REGULATORY PROCESS

The NRC institutional arrangement has developed over about a 25-year period.

Initially, the regulation of nuclear power plants was carried out by an arm of the now defunct Atomic Energy Commission (AEC).

The regulatory function became more active in the mid-1950s, when the first commercial nuclear installations were being planned.

During that period, the AEC participated in the development of a number of nuclear power concepts.

The ACRS was established in late 1947 by the AEC to review safety-related aspects of the AEC-owned research, test, experimental, and production reactors.

In 1955, the AEC established a small, full-time hazards evaluation staff to perform safety reviews, with technical guidance and oversight provided by ACRS.

The AEC staff and the applicants for licenses were responsive to the recommendations of the ACRS, which was in many respects the ultimate reactor safety authority.

In 1957, the ACRS was established as a statutory body. At the same time the licensing process was opened to public participation by the establishment of the AEC public hearing process conducted by a "hearing examiner."

The hearing process was a procedural mechanism to demonstrate on the public record that the review was complete and to adjudicate differences between parties.

Although the ACRS was not a party to the hearing, its recommendations were given serious attention by all parties, including the hearing examiner.

By the early 1960s, the nature of the hearing process had changed, and the hearing examiner was asked to make technical decisions regarding interpretations of AEC regulations, the scope of the regulations, and the technical basis for the regulatory licensing process.

The AEC regulatory staff had to develop its own expertise to address these issues and began to make its own independent judgments, which were tested along with those of license applicants during the review process.

In 1962, the Atomic Safety and Licensing Board (ASLB) was established to conduct licensing hearings.

It consisted of three members: two with technical backgrounds and one skilled in conducting hearings.

A small overlap of ACRS and ASLB functions may have resulted, but the primary functions of the ASLB were to adjudicate disagreements between parties concerning the licensing action and to provide a public forum for discussing the adequacy of the safety review.

The ASLB was not expected to conduct an independent review which duplicated that of the AEC regulatory staff or the ACRS, although an occasional test for comprehensiveness was considered within the ASLB review scope.

An ACRS report was required before safety-related aspects of the ASLB review could begin, but the ACRS report was not a formal part of the record, and the ACRS did not present testimony to the hearing board.

The hearing boards relied on the AEC staff for an interpretation of the ACRS recommendations and relied on the testimony of the staff, the applicant, and the intervenors as the principal basis for judgment.

In the early 1970s, the regulatory organization was extensively revised by the AEC.

NEPA requires more attention to environmental issues apart from the nuclear safety evaluation process. At the same time, the AEC regulatory staff was substantially expanded and its capability enhanced in response to public concern for the adequacy of some nuclear power plant safety features.

This was the situation at the time of the split of AEC into NRC and the Energy Research and Development Administration (ERDA) under the Energy Reorganization Act of 1974.

The creation of NRC did not materially change nuclear power plant licensing, but the new Commission did provide a different perspective on regulatory management.

For instance, the regulatory staff began to act more autonomously with regard to the ACRS.

While the ACRS continued to review each case and to provide broad safety guidance, it began to function primarily as a sounding board where the staff judgments could be tested and tuned, with the staff accepting ACRS recommendations selectively.

NRC is now an independent government unit that judges nuclear regulatory matters by a set of rules it has generated internally.

When so disposed, the NRC staff responds to ACRS recommendations.

When it deems such action inappropriate, it defers the action or sets it aside by making a brief record of it in the Safety Evaluation Report.

The ASLBs have become the principal judges in determining whether NRC regulatory actions are in accord with NEPA and the Atomic Energy Act.

It is with this style of operation in mind that the organization of NRC must be examined.

4. REGULATORY ORGANIZATION

When NRC was created by the Energy Reorganization Act of 1974, a large part of the regulatory organization was already in existence.

The Reorganization Act created the Commission of five members, and assigned to it the regulatory responsibilities of the AEC.

The form of the regulatory process was already established as a combination of safety regulation and a review to determine compliance with NEPA requirements.

The regulatory process was expected to continue under the guidance of a regulatory commission unfettered by previous commitments to the development of atomic energy. Nevertheless, a new administrative operation had to be established, the offices created by the Reorganization Act had to be staffed, and the regulatory functions had to be apportioned among these offices.

The regulatory documents also had to be reviewed, gaps filled, and plans for extension of the document preparation program had to be developed to provide an adequate documentary basis for regulation.

In a number of areas, notably waste management and material safeguards, there was no regulatory precedent of substance and a new regulatory program had to be created.

The development of an effective regulatory organization was one of the major goals of NRC, and this effort is still in progress.

This review of the present status indicates where further development is needed.

4.1 The Documentary Basis for Regulation

NRC adopted the regulations developed by the AEC as the basis on which nuclear power plant licenses would be processed.

The basic regulations were in existence and identified in the Code of Federal Regulations.

They had been extended by other documents prepared by the staff when it was still a part of AEC. The basic documents consist of:

1. rules established as a basis for regulation and published in the Code of Federal Regulations to provide policy and technical guidance for the licensing process,

2. Regulatory Guides that describe methods acceptable to the NRC staff for implementing specific parts of the Commission's regulations, and

3. a Standard Review Plan that sets forth the internal review procedures followed by the NRC Staff safety interpretations used in evaluating documents and other information submitted for licensing review.

These documents contain an extensive set of requirements and practices, many of which are used throughout the world.

They are further expanded by various technical documents prepared by the NRC technical Staff, government laboratories, NRC-approved industrial reports, and well-known national standards.*/

Some of these documents, particularly some regulatory guides, are excessively prescriptive, while some other types of documents tend to identify objectives without establishing a basis for determining conformance with the requirements.

Even though there is need for changes, improvements, and additions in many portions of the documentation, on the whole the present documentary base is substantial and has provided an effective regulatory tool.

The preparation of new regulatory documents would benefit from a thorough review of precise needs and intentions and an analysis of the existing information to establish where serious gaps exist and where upgrading of the quality of information in the documents would be beneficial to the regulatory program.

4.2 The Nuclear Regulatory Commission

The five members of the Commission are appointed by the President of the United States with the advice and consent of the Senate.

The Commissioners are appointed for overlapping terms of five years, and not more than three may be members of the same political party.

The Chairman is selected by the President.

The Commission or its delegate must approve the NRC rules published in the Federal Register and all mandatory requirements.

The Commission reviews and approves the budget and manpower levels submitted to the President and the Congress, and may review the decisions of the Atomic Safety and Licensing Appeal Panel (ASLAP) on their own initiative or in response to a petition for review.

They select and appoint the heads of the five independent offices and the Executive Director for Operations, as well as members of ACRS, the ASLB panel, and ASLAP.

They may direct the regulatory staff to proceed along specified lines to satisfy regulatory objectives.

For the most part, the Commissioners have avoided direct involvement in the adjudicatory process to assure their independence when called upon to review adjudicatory decisions.

*/ Section III, "Nuclear Components," of the ASME Boiler and Pressure Vessel Code is the best known standard applied to nuclear plants but most of the professional engineering societies have contributed useful standards through the American National Standards Institute.

These professional societies include the Institute of Electrical and Electronics Engineers, the American Concrete Institute, the American Society of Civil Engineers, the American Society for Testing and Materials, the American Nuclear Society, the American Society for Nondestructive Testing, the American Society of Mechanical Engineers and many others.

Because of their professional backgrounds, political allegiance, and individual attitudes, the Commissioners can have widely divergent views concerning nuclear power plant regulation.

They do, however, act as a collegial body, operating on a majority-rule basis.

The individual regulatory offices often have to work out plans for implementing their duties with the intent of obtaining continuing support for their activities from a Commission majority.

The Congress evidently intended the regulatory process to function under this democratic style of control, but this approach does not always lead to the development of a clear regulatory position on important public safety matters.

Many styles of operation could be envisioned for the Commission, but so far it has chosen to function as a referee in determining whether the regulated industry was conforming to the rules and to enter the adjudicatory process only when regulatory actions were challenged.

This choice left the regulatory functions to the NRC staff and the initial judgments concerning the appropriateness of regulatory licensing actions to the ASLBs.

Conceivably, the Commission could become the determining body in licensing actions, accepting opinions from the ASLB, the NRC staff, the ACRS, or other sources as part of the bases for its judgments.

While the licensing rules would still have to be considered, other judgmental factors might be introduced into the licensing process.

In its determinations, the Commission might be more responsive to the public attitudes existing on local, regional, and national levels. Alternatively, the Commission could leave the judgments on technical safety matters to the regulatory staff and direct its attention to the requirements of NEPA.

Administration of the licensing process and enforcement of licensing rules would require a different type of Commission involvement.

Actions involving inspection, technical review, and conformance reporting would have to be delegated to subordinates, who would need authority to enforce the regulations.

An administrative executive would be essential to provide a point of authority.

If the Commissioners were adequately equipped by training and experience, they could evaluate whether specific regulatory functions were being performed appropriately.

The present Commission has a broad distribution of capability, ranging from training in law to nuclear physics, but the divergent individual backgrounds of the Commissioners raise the question of whether each opinion deserves equal weight in other than broad policy matters.

In-depth knowledge of the subject matter by each Commissioner should be required for equal weighing of their opinions on technical matters.

As conceived under the Energy Reorganization Act of 1974, the Commission is intended to be responsive to public attitudes as influenced by the prevailing political environment.

If the law were changed to emphasize technological background as a requirement for Commission appointment, the qualifications of the Commissioners might justify more intimate involvement in licensing decisions with respect to rules, inspection, enforcement, and technical specifications.

If the law were changed to put the primary emphasis on health and environmental impacts, the Commissioners could become more intimately involved in the NEPA matters.

If the law required that they have legal training, the Commissioners could have more intimate involvement in legal interpretation of the regulations and could judge directly how the regulations satisfy the requirements of the Energy Reorganization Act.

Since none of these is presently a dominant requirement and the collective background of the Commissioners encompasses all of them, a policy-making role for the Commission seems to be appropriate.

There could be some advantage gained by granting substantial power to the Chairman as chief executive officer of the Commission.

Alternatively, there could be some advantage in assigning individual areas of decision authority to each Commissioner in addition to his overall policy-making role.

Another option, which would be consistent with the present structure of the Commission, could give appreciable technical management power to the Executive Director for Operations, who could also serve as the spokesman for the Commission.

This position would then require considerable technical skill in addition to management experience, and his relationship with the Commission would have to be carefully defined.

These options should be considered as alternatives, depending on public needs and interests, if the present Commission form of regulation is to be retained.

4.3 Atomic Safety and Licensing Boards

Each three-member ASLB is drawn from a panel of board members preselected by the Commissioners.

The panel members have a range of capabilities, and all have a reputation for significant professional accomplishment.

They are expected to have understanding of the hearing process and technical knowledge of the regulatory approach and the requirements of NEPA.

They are expected to make technical judgments and to evaluate the evidence available to assess the sufficiency of the record compiled by the staff.

Board decisions may be appealed to an ASLAP if the license applicant, the regulatory staff or an intervening group challenge the ASLB rulings.

The ASLB hearings are adversary in nature, with matters argued before the boards in a quasi-legal*/ format, and the decisions of the boards are recorded and used as precedents in subsequent hearings.

The legal staff of NRC is, to a major extent, occupied with the preparation of cases to be presented before the hearing boards.

Members of the regulatory staff develop their safety reviews in a form suitable for use in this quasi-legal environment.

*/ The reference here is intended to indicate the character of the hearings which have no procedural rules and no preestablished legal scope established by either law or regulation.

The hearings do conform to law.

4.4 Regulatory Operating Functions

The NRC staff, under its Executive Director for Operations, is divided into three statutorily established and two Commission-established equally ranked offices: Regulation, Inspection and Enforcement, Nuclear Materials Safety and Safeguards, Standards, and Research.

In addition, the Office of the Executive Legal Director establishes and implements legal procedures.

Each statutory office has explicit duties in response to the organizational plan set forth in the Energy Reorganization Act of 1974, and NRC has established documented rules and regulations under which its operational staff functions. The discussions that follow are intended to show how the organization currently works and where redirection might be of value.

4.4.1 Office of Nuclear Reactor Regulation

The Office of Nuclear Reactor Regulation (NRR) is the focal point for defining licensing requirements.

Licenses are granted when NRR has determined that the necessary documentation has been submitted, that the plant is to be designed or to be operated in accord with established rules and regulations, and that the licensee has shown the required competence to meet the regulatory requirements.*/

The NRR staff includes personnel with backgrounds in many aspects of nuclear technology, including nuclear physics, radiation protection, chemistry, fluid mechanics, thermal analysis, structural design, seismology, hydrology, mechanical engineering, chemical engineering, and electrical and instrument engineering.

To evaluate applications with respect to NEPA requirements, some economics and social science skills are also provided.

To review a license application, the staff uses NRC Regulations, Standards, Standard Review Plans, preapproved submittals of vendors, recognized engineering practice, and comparable information as bases for judgment.

Prior to granting an Operating License (OL), the NRR Staff requires that the licensee provide a set of proposed technical specifications to which he will conform when operating the plant.

Technical Specifications approved by the NRC staff are incorporated in the license as requirements.

*/ The documentary evidence of regulatory compliance is usually covered by a Final Safety Analysis Report (FSAR), a set of technical specifications, a preoperational test program, and a qualification program for operating personnel.

This is required for an operating license, which must be granted before a licensee can load nuclear fuel.

A construction license is granted prior to plant construction and is based on a Preliminary Safety Analysis Report (PSAR) prepared to show that the design and construction will comply with regulations.

Since the staff that performs reviews cannot be large enough to examine every detail of every design, each new application is related to a large degree to some previously approved application, and attention is focused on the differences.

Some standardization has naturally evolved from this process.

The NRR staff tries to concentrate on what is new in the license application and to accept without reexamination features which have been previously accepted.

When new information, operating experience, or regulatory prudence indicate the need, however, the staff reexamines an area that has been previously reviewed, even if previously accepted practice is being followed.

The technical strength of the NRR staff is critically important.

The staff must have a good understanding of the basis for licensing and the subtleties of engineering variations among plant designs, and they must recognize operating circumstances that may challenge the performance of the safety features of a plant.

The staff reinforces its own skills with expert consultants and technical assistance contracts.

Where necessary, it draws upon the Office of Nuclear Regulatory Research to develop new or supportive information to aid in licensing evaluation.

Over the years, this mode of operation has built a very extensive store of knowledge on which the NRC staff can draw; however, the extremely broad range of characteristics and performance which may have important consequences and the complicated interrelationships between them invite concern for the ability of NRC to cover the entire range of technology.

Staff attention to conformance with regulatory logic and the ability to relate regulatory requirements to proper construction of the plant and its control by human operators under circumstances that might lead to accidents are paramount considerations.

4.4.2 Office of Inspection and Enforcement

The Office of Inspection and Enforcement (IE) is the regulatory control arm of NRC.

It investigates licensed installations for conformance with regulations, and it establishes whether licensees and their agents are conforming to licensing requirements.

The IE staff uses the rules published in the Code of Federal Regulations, NRC Regulatory Guides, and Technical Specifications as bases for regulatory enforcement.

The capabilities of the IE staff were for many years concentrated on assuring that construction practices, such as material control, welding, equipment storage, and pressure testing, conformed to regulatory requirements because experience had shown these practices to be the main sources of non-conformance.

Attention in the public press to reports of poor workmanship and worker malefaction intensified this interest.

There was always, however, general attention to other areas of regulatory compliance.

The IE staff uses a system of audits to examine both plant records and physical installations. Members of the staff visit supplier factories periodically to establish qualifications, and they obtain written reports from the licensees to determine compliance with regulations.

More recently, NRC has added a staff of in-plant construction and operation inspectors.

Primarily, however, the IE organization relies on a set of "quality assurance" practices established by the owner in compliance with NRC regulations to assure that installed quality meets the regulations.

Preoperational test programs are used to verify required operational capabilities, wherever practical, and the IE staff monitors these programs.

Often the tests require engineering analysis, and when they do the analytical methods used and the operational results are reviewed by the NRR staff.

With the existing capability in the IE organization, regulatory evaluation of operational adequacy is information oriented.

Operational procedures are reviewed by the IE staff, but the intent is mainly to show that procedures conform to technical specifications.

The actual efficacy of the procedures is left to the judgment of the licensees.

In addition, the IE Staff has developed an outline of study to be employed in the licensees' training program to assure operator competence.

A group of NRC training examiners, by observation and testing, determine the competence of operators.

To review operational matters not identifiable in procedures would require a level of technical understanding available only in those who have a background in design logic and system performance.

The NRR staff evaluates this broad subject matter as a basis for licensing approval, but the IE Office uses the information in a condensed form suited only to the information-checking actions it must perform.

With additional emphasis now being directed to simulator training, fundamental system behavior, symptomatic analysis of instrumentation signals, and similar matters, the current style of review of operational matters by the IE organization will need alterations in order to allow a new technical role in the licensing process for IE. When asked, the NRR staff through its Division of Operating Reactors works in support of IE to provide broader expertise on an as-needed basis.

While the present arrangement could work in principle, an improvement in the IE organization's ability to address unusual technological matters through reorganization, training, staff additions, or other approaches seems to be required.*/

4.4.3 Office of Standards Development

The Office of Standards Development (SD) prepares the regulatory documents that form the basis for regulations.

All radiation exposure standards, regulatory guides, and many of the rules published in the Code of Federal Regulations emanate from this office.

This office is primarily a coordinator of information and acts as the Secretariat for the NRC staff in the preparation of material for use in the regulatory process.

*/ The loose coupling of these capabilities seen in the TMI-2 experience does not serve the regulatory function adequately.

Too much time elapsed between the identification of difficulty and the effective use of the NRR expertise.

Recently, there has been discussion of setting up a technical review function separate from both IE and NRR to provide service to both.

SD has created a substantial body of documents that define acceptable engineering practice.

These have been most effective when addressing design, construction, and installation.

The standards associated with operating procedures, instrumentation, emergency response, radionuclide cleanup, and comparable matters have tended, with a few exceptions, to be general and oriented to performance goals rather than to explicit requirements.

Such standards serve a useful purpose in directing the interested organizations to the proper objectives, but they do not provide the type of regulatory definition needed as a basis for enforcement.

Technical specifications provided by licensees and approved by the NRC staff are the main regulatory controls.

While the present organization of SD adequately serves its assigned purposes, this office should also have additional capability in the operational areas in order to provide more effective documents for IE purposes.

Some additional skills relevant to operational procedures in emergencies are an urgent need.*/

4.4.4 Office of Nuclear Materials Safety and Safeguards

The Office of Nuclear Materials Safety and Safeguards (NMSS) is primarily concerned with the nuclear fuel cycle external to the power plant.

It is responsible for public safety regulation with respect to accountability for fissionable materials, fuel manufacturing and reprocessing, spent fuel storage, waste management, and physical security of all licensed facilities.

Problems of material diversion and industrial sabotage are also under its jurisdiction.

The NMSS staff has concentrated its interest on materials accountability, protection and industrial security.

Its rules and regulations, except for material accountability, have a base of practice that developed during the AEC era and, at least until recently, very little has been done to realign this base in accordance with current public interests.

Not until the last few years has NMSS organized to direct the NRC's waste management regulatory program in an effective manner.

Previously it appeared to have adopted a reactive style of regulation directed toward correction of problems exposed in the public press and to providing inputs to DOE and the Environmental Protection Agency (EPA), both of which are attempting to establish a national posture in this area.

*/ Thus far, operating standards have consisted mainly of test procedures and listings of required tests.

Standards seem to be lacking for measuring capabilities of operating organizations in meaningful terms.

NRC's jurisdictional responsibility in waste management has been vaguely defined in the Energy Reorganization Act making the regulatory program difficult to implement, but the matter of nuclear power safety cannot be divorced from either nuclear-waste management or spent-fuel handling.

The nature of the problem suggests that NRC needs to expedite its own regulatory approach to these matters rather than waiting for other agencies to offer solutions.

Since certain aspects of the assignment of federal responsibility are vague,*/ new legislation may be needed to enable NRC to accomplish these tasks.

4.4.5 Office of Nuclear Regulatory Research

The confirmation of safety bases used in the regulatory process has always been a fundamental requirement for ensuring the health and safety of the public.

The safety research programs, first initiated under the direction of the AEC, have been continued at a substantial level under the direction of the Office of Nuclear Regulatory Research (RES).

This office acts as a research manager by contracting the research work to national laboratories, universities, and private contractors, including nuclear industry organizations, and others.

Probabilistic analysis methodology is also the responsibility of this office.

The major part of the research program funding is assigned to conduct of experiments in facilities designed for studying emergency core cooling (ECC) and fuel-failure mechanisms.

Other important work of this office includes experimental studies of pressure vessel reliability, core melting behavior, advanced-reactor safety, steam generator degradation phenomena, and a number of miscellaneous investigations. The need for research to improve safety has recently been recognized, but so far it has been funded at a minimal level.

The effectiveness of RES has to be considered in relation to its preestablished obligations.

The prior commitments to ECC system investigations and fuel-failure experiments leave little latitude for other types of safety research within the funding limits.

The "confirmatory" approach RES is expected to follow allows very limited opportunity for new safety initiatives.

While the work underway is well managed in an administrative sense, its contribution to overall reactor safety is mainly through enhancing confidence in current practice rather than by providing technical investigation of innovative ideas to enhance safety.

*/ EPA has been designated to set environmental standards for radionuclide releases and DOE is assigned responsibility for establishing waste-isolation techniques.

Until DOE has a definitive technology that is consistent with EPA environmental standards, NRC cannot establish meaningful regulations.

4.5 Advisory Committee on Reactor Safeguards

The 15-member ACRS, appointed by the Commission under the requirements of the law, reports on the public safety adequacy of specific licensing actions.

The Committee reports directly to the Commission, and its budget and staff support are provided as an item within the overall NRC authorization and appropriation.

The Committee is careful to assure that its membership is free of financial influence that might affect its regulatory review and also that it is free of all NRC staff involvement.

During the early nuclear power era, ACRS established safety criteria on an ad hoc basis as questions arose during licensing reviews.

It was during this period that containment requirements were established, design practices developed, design-basis accidents (DBAs) identified, and the engineering methodology for accident evaluation was documented.

The ACRS became the principal body for identifying supportive research and development work to establish safety adequacy of nuclear power plant design, although the sources of information on which such recommendations were based often came from the national laboratories and the nuclear industry.

Such important experimental investigations as the nuclear shutdown characteristics of water-cooled reactors under reactivity excursions, pressure vessel integrity, BWR pressure suppression containment characteristics, nuclear fuel failure properties, and ECCS performance grew out of ACRS reviews.

ACRS was the principal motivating force in establishing the importance of reliable emergency core cooling and shutdown heat-removal capability for large nuclear power installations.

Many of these requirements have since been embodied in the NRC Regulations under 10 CFR Part 50, Appendix A, and are generally covered by Standard Review Plans or Regulatory Guides in connection with other reference documents.

The ACRS has, with the support of the Commissioners and the NRC staff, maintained an active review of NRC rules; regulatory guides dealing with design, construction, and operational experience; experimental programs; and analytical studies.

In 1977 the Congress asked the ACRS to review the Safety Research Program of NRC on an annual basis and report its findings to the Congress.

Implicit in these assignments is the expectation that the ACRS will provide carefully weighed advice and that it will not passively accept staff action or inaction that reflects deleteriously on safety recommendations concerning licensing actions.

In the early 1960s, ACRS began to concentrate its attention on siting guidelines, with the intent of looking beyond the literal interpretation of the regulations.

Siting near high population centers, behavior of the reactor core under degraded cooling conditions, including potential core melts, seismic design methodology, and instrumentation to follow the course of accidents beyond the design basis, were regularly discussed with the NRC staff.

More recently, probabilistic analysis methodology for safety assessment has been actively encouraged by ACRS.

Emphasis on sophisticated technological questions may have diverted the attention of ACRS and the NRC staff away from many of the more routine safety-related problems that often precede major accidents.

The Committee tends to assume that once it has identified a safety problem, the problem will be investigated in detail by the NRC staff.

An individual member often must be extremely persistent before his colleagues will devote extended attention to his safety concerns.

Except for transcripts and minutes of meetings, there is no record of the differences of opinions expressed by Committee members during formulation of a Committee position, unless one or more members dissent from the collegial view.

The ACRS has identified many matters that need safety attention because of their accident potential, but it has not devoted serious attention to the effectiveness of operator training or to the behavior of control systems under accident conditions.

In calling attention to common-mode failure problems, electrical reliability questions, probabilistic analysis and system interactions studies, the Committee has tended to express its interests in fairly general terms without attempting to determine how those matters would be pursued or what personnel capabilities are needed by the licensees or the NRC staff to respond to these inquiries.

The ACRS could have done more to help the Commission identify NRC staff weaknesses so that staff enhancement would have produced more valuable safety analysis results.

The ACRS is often passive in its response to staff work and has thus sanctioned work in areas in which the Committee did not expect the results to be useful. The Committee could respond more actively in such instances.

The ACRS serves on a part-time basis, and most of its members have other duties and responsibilities.

To perform its work, the Committee relies on the knowledge and experience of its membership, the assistance of well-qualified consultants, a small supporting staff, and a recently added group of short-term "Fellows."

Because of the limited time available, the Committee cannot effectively review all staff work. There is a need to determine whether the Committee's attention is being directed to the correct areas. Certainly an independent committee cannot be constrained in its review actions, but the level of detail to which it pursues some matters and the cursory level of attention it addresses to others does raise some questions.

It may be appropriate for ACRS to undertake a serious review of how its functions could be made more effective, and the Committee would benefit from a thorough introspective examination of the manner in which it performs its role.

During development of the early reactors it was essential that ACRS review license applications in as much detail as feasible, and the Committee has continued such reviews in areas where new designs or new technologies have appeared.

The ACRS is required under the law to report on each nuclear power plant license.

This it does through prereview by subcommittees, followed by full Committee action when the NRC staff license review has reached an appropriate point.

When a large number of license applications were being processed, this represented a major part of the ACRS workload.

The Committee has recommended to the Congress that it be given the latitude to review plants on a selective basis in order to improve its effectiveness and minimize the time spent on matters already having acceptable safety precedent. The Committee needs to establish more order in its review functions so that important matters will not be overlooked and the Committee's work will provide optimum benefit to public health and safety.

5. NUCLEAR INDUSTRY ORGANIZATION

The nuclear power industry is an outgrowth of the electrical utility industry, and its organizational structure is similar.

The suppliers of electricity to the public, using conventional methods of raising capital, procure the funds to design and construct nuclear power plants, to purchase the nuclear power and turbine generator equipment, and to buy the nuclear fuel.

In most cases, the electrical utility organization provides the plant operating staff.

The organizational structure of the whole electrical utility and supply industry is directed toward a regulated mode of business.

The industry must establish a service rate structure for the sale of electrical power to the public before it can arrange financing or proceed through the licensing process.

It is therefore important that the industry know the regulatory requirements and be able to translate them into a plant design that can be built and operated in accordance with its electrical supply schedule and cost commitments.

The utility organizations make use of many service and supply sources on a purchase contract basis to supplement their own capabilities.

In reviewing the regulatory process, it would be unrealistic to evaluate the adequacy of the industry on the premise that each utility has within its own corporate structure the capability to meet all the requirements of public safety.

The collective industry capability must be evaluated.

5.1 Plant Licensing Responsibilities of the Owner

The plant owner is the designated license holder under NRC rules and must show both financial and technical competence to meet the licensing obligations.

The owner, either a private electrical utility corporation or a public power organization, is responsible to NRC for defining the nuclear steam supply system (NSSS) to be licensed, for identifying and showing the adequacy of the site on which it is to be placed, for providing appropriate engineered safety features for the system, for coupling the system to a turbine generator and electrical distribution network, for establishing a fuel supply, for showing compliance with spent fuel and radioactive waste disposal requirements, and for providing a competent organization to design, construct, and operate the plant.

Normally, an owner can satisfy only a portion of this capability with his own organization.

The remainder is provided through contract agreements with other organizations.

Nevertheless, the owner is ultimately held responsible by NRC for the safety of the plant.

Normally, the plant owner employs his own operating staff, which is qualified in accordance with NRC regulations.

The system of operator training includes simulator training under the guidance of the NSSS vendor's technical staff, hands-on operational experience, and direct training programs dealing with the owner's licensed facilities.

Operators are effectively trained to respond to events encountered in normal operation and to representative events of an unusual nature that can occur in emergencies.

The training programs should be expanded, however, to include a broadened spectrum of emergency events.*/ There is a particular need to include unusual events which, at the outset, are minor but which if not adequately controlled could escalate into major emergencies.

The effectiveness of this preparatory program depends on the dedication of the owner's operating staff and its initial level of skill.

Many licensees have benefited from the United States Navy's nuclear program by hiring personnel trained in that program.

These operators are well versed in the nuclear operational disciplines of the Navy, but their limited technical background makes it difficult to translate their Navy experience directly to operation of commercial nuclear power plant equipment.

Enhanced capability is a recognized need.

The plant owner is expected to provide a technical support organization, as well as the operating staff for the plant, and these groups are sometimes supported by a centralized technical service group.

The technical organization usually prepares operating procedures, establishes technical specifications to assure that the plant is operated in accordance with design intent, evaluates malfunctions and failures, maintains an awareness of technical problems in other plants that may influence the operating facility under its technical surveillance,**/ does trouble shooting, plans shutdowns, and carries out other functions appropriate to the installation.

The technical skill of the supporting staff is crucial to successful plant operation.

Recent changes in regulatory requirements for operators have been directed toward enhancing in-plant capability of the owner's technical staff.

In addition, owner groups are developing plans for operating support centers to enhance existing capabilities.

This effort is aimed toward upgrading operating capabilities at licensed power plants to reduce the likelihood of accidents such as the one at TMI-2.

*/ Simulator training is intended to provide this understanding, but no simulator equipment can cover all operational circumstances.

Simulator equipment can be set up to address peculiar operating conditions, however, and this type of training is now receiving priority attention by licensees.

**/ A recent study by ACRS has established that such awareness is not as widespread as desirable in the industry.

In many companies there is a need for the owner's technical organization to establish a systematized effort to ensure being informed of unusual events in other plants and to determine the applicability of such events to their facilities.

Operating organizations are expected to have internal emergency response capability and to establish a working relationship with governmental organizations designated to handle emergencies extending beyond plant boundaries.

Operators are also expected to control, within regulatory limits, the handling and discharge of radionuclides and other radiation sources.

The plant owner must assure that his operating staff will handle such matters in accordance with regulatory restrictions.

These specialized operational functions are still being developed in many operating organizations.

5.2 Architect-Engineering Role

Some large utility organizations have sufficient capability to develop a complete plant design once the NSSS has been purchased, but most use outside architect-engineer organizations to prepare a design that meets the plant owner's requirements.

The architect-engineer (A-E) may be brought in to help select the NSSS or after its purchase, but in either case, the A-E normally designs the balance of the plant around the system selected.

This effort includes the design for the containment structure, the fuel storage facilities, waste disposal and effluent systems, offsite power supply systems, electrical distribution and emergency power systems, the foundations, the secondary piping systems, and other related equipment and facilities.

The A-E often serves as the plant owner's agent in developing responses to licensing requirements related to plant design but is not normally a party to the licensing commitments.

Although not directly licensed, the A-E is treated by NRC as an integral part of the owner's licensed capability.

Hence, many A-E firms have obtained approval from NRC for their engineering practices and have had these approvals extended to cover a number of installations.

The range of architect-engineer work includes design of many highly complex safety features, such as emergency power systems, secondary heat removal systems, and radionuclide effluent cleanup systems.

Foundations and other structures designed to accommodate earthquakes, tornadoes, floods, and fluid system rupture are particularly sensitive safety areas handled by A-Es.

Earlier designs were found to have numerous minor design faults that required corrections, but the A-Es have learned through experience.

The abilities of A-E organizations are being strengthened through experience gained by personnel with repeated application of their nuclear plant designs.

*/ The TMI-2 experience showed operating weaknesses in these areas in the aftermath of the accident.

NRC had not emphasized the need for such capability sufficiently, but current actions should correct the deficiency.

Some A-E firms have elected to develop standardized design concepts to be preapproved by NRC and thus expedite the licensing process.

Even if "custom" designs are used, the practices followed are intended to minimize the amount of new licensing review once a design has been approved for licensing.

The desire to minimize licensing review and to use designs that have a well-established cost basis has inhibited design innovation in standardized plants, as well as "nonstandardized" or custom designed plants, even though such changes might enhance public safety provisions and improve reliability.

Even when there are opportunities for substantial cost savings coincident with other advantages, the problems brought about by a delay in licensing because of extensive reviews of the new design features usually discourage design innovation.

The importance of establishing "licensable design" is emphasized by plant owners to their A-Es.

This approach has tended to stabilize the design process so that recent designs have corrected most of the deficiencies observed in earlier submittals and minimized innovations requiring further review.

Nevertheless, the scale of the engineering effort for a nuclear plant is so broad that no plant could be completely error free.

Normally, the A-Es provide continuing engineering services to the plant owner in evaluating errors in design and construction or in new licensing matters that may arise over the plant lifetime.

When errors are exposed, a design review may show that the conservatism incorporated in the design will accommodate the error safely.

However, this error tolerance has not immunized nuclear plants from difficulties introduced by design mistakes.

On occasion, misapplication of recognized design practice has resulted in serious engineering flaws, as for example, improper summing of directional forces from earthquakes.

The A-E organizations are expected to maintain quality assurance systems to provide satisfactory design quality, but there is still room for considerable improvement in the design quality-assurance practices in nuclear installations.

Attention is needed to proper use of design methodology and to assurance that equipment is fabricated and installed in accordance with design intent.

*/ The advantage of standardized design approval is that it makes further NRC staff review of these systems unnecessary, unless some new safety problem appears.

5.3 Nuclear Steam Supply System Vendors' Role

In a business sense, the NSSS vendor is an equipment supplier selling a system to be installed as part of a licensed power plant.

As a practical matter, the NSSS vendors have, through licensing negotiations with NRC when each system was initially submitted, established a licensing basis that is used repetitively in subsequent applications.

NSSS vendors have offered explicit standardized designs for licensing under the NRC standardization program, but these are normally variations of previously licensed installations where some of the "standardization" had already been established.

The NSSS vendor's obligation to the plant owner is to furnish a licensable system, and usually his contractual agreement includes handling, as the plant owner's technical representative, the NSSS licensing negotiations with NRC.

This has often created confusion concerning placement of the licensing responsibility.

In most cases, the NSSS vendor's licensing obligations are limited to those he accepts as a contractor of the plant owner.

In spite of this limited responsibility, NSSS vendors have most of the nuclear system safety expertise associated with licensing the equipment they supply.

The plant owner relies heavily on this capability for advice and training and anticipates its availability for the life of the plant.

To ensure public safety, the NSSS vendor organization must be maintained at a high level of technical competence as a backup to the plant owner's organization, since the owner might not have adequate capability to respond to emergencies on his own.

The NSSS vendors, as shown by TMI-2 experience, do not study every safety aspect of their systems because they consider some matters outside the bounds of the licensing requirements.

Yet, their involvement in prompt resolution of safety questions when they arise is essential.

5.4 Nuclear Fuel Supplier's Role

Normally, the NSSS vendor provides the first loading of fuel for a reactor core and may also contract to provide subsequent fuel loadings.

The plant owner may elect to obtain reactor fuel independently of the NSSS vendor. In any case, the nuclear fuel supplier must show that the fuel he will supply is compatible with the reactor system in which it will be used.

This requires both experimental and analytical evaluation of the fuel. NRC has now developed a set of analytical procedures to be followed to show that the fuel is acceptable.

The supplier is also required to show that his manufacturing processes will produce the needed fuel quality. The plant owner then accepts responsibility for the fuel as a purchased item to be used in the nuclear plant.

NRC limits its relations with the nuclear fuel supplier to accountability, performance verification, and manufacturing control questions relevant to the regulatory process.

5.5 Special Nuclear Support Services

Matters such as in-service inspection, pressure system evaluation, radioactive effluent disposal, fuel management strategies, and others are often handled through service contracts with outside organizations. The plant owner usually contracts for such services on an ad hoc basis when they are needed, although they are important operational elements of the plant owner's licensed capability.

The qualifications of these speciality organizations are generally not determined by formal procedures; but, with rare exception, those performing the services have established a high level of expertise through long participation in nuclear power industry activities.

5.6 The Nuclear Plant Constructor's Role

The nuclear power plant owner will sometimes act as the constructor of the plant by purchasing all materials, subcontracting for conventional buildings and erection services, and hiring his own labor force to perform installation work, including piping, electrical distribution, special service systems, and other work normally outside the scope of his contracts.

Alternatively, the plant owner may elect to contract for a turn-key installation.

There may also be intermediate arrangements between these two extremes.

The owner sometimes acts as his own construction manager, and at other times he may hire an outside service organization, such as an A-E firm, to perform that service.

The owner is expected to have a quality-assurance organization to establish that the work is being performed in accordance with nuclear regulatory requirements.

The owner will require that each portion of the constructor-installer organization have a related quality-assurance organization to meet regulatory requirements.

The owner's quality-assurance responsibility also covers the adequacy of the quality-assurance procedures of the A-E, the NSSS vendor, and the equipment and materials vendors to ensure adequate design, engineering, and testing.

There will normally be an understanding between the owner and the constructor-installer as to what will be provided to the operating organization.

In any case, this entire construction program is required to conform to the drawings and specifications prepared by the A-E, the NSSS vendor, or other engineering organizations that have participated in developing the plant design.

Although much emphasis is placed on establishing qualification standards for craft skills, there is always some residual concern as to whether the quality of the workmanship will meet anticipated regulatory standards and whether the work will be done in accordance with the requirements stipulated by the drawings and specifications.

Many construction faults have been reported over the 25-year nuclear power plant history, and in spite of the quality-assurance requirements, there is still evidence that some organizations do not exercise adequate control over the construction work.

The NRC Office of Inspection and Enforcement can identify such matters early in the construction program, but the regulatory action is often of such limited forcefulness that constructors fail to respond adequately. The need for high-quality construction must be further emphasized in the regulatory program.

5.7 Assessment of Collective Industry Capability

The licensing of nuclear installations obviously requires consideration of all the industrial elements on which the owner-licensee depends.

The industrial system limits the liability of the industrial participants to those established by the owner through contracting.

Many A-E organizations do not have independent self-audit procedures to check drawings adequately to ensure that they reach the field with a minimum of errors.

They rely excessively on the construction forces or test personnel to expose and correct errors in the field.

While more systematic than the A-Es in their design and manufacturing controls, the NSSS organizations would also benefit from improved review processes.

The interfacial relations between nuclear steam supply systems and the balance-of-plant systems are especially deserving of attention.

The quality-assurance system on which NRC depends to assure adequate quality in the licensed installation needs to be strengthened in the areas of design methodology and installation conformance with design intent.

The opportunities for engineering blunders that may affect public safety are too numerous to allow the present management style to continue.

Under the present arrangement, the regulator needs more direct control over the licensee's contractors, since the owner-licensee cannot assure that he will have access to all these capabilities if required for maintenance of public safety.

Alternatively, the regulations could require that the owner establish capabilities equivalent to those of his contractors whenever they are important to safety.

In particular, the capabilities of the NSSS and the A-Es in system behavior, trouble shooting, and performance analysis could be required to be a part of the owner's capabilities.

6.0 MAJOR TECHNOLOGICAL ISSUES

Limiting damage to the core and restricting the dispersal of radionuclides resulting from accidents in nuclear power plants are primary functions of the "engineered safety features."*/ By design, these features are required to meet more stringent standards than equipment provided only for power production and special attention is directed to their reliability under accident circumstances.

To establish the adequacy of the engineered safety features, "design basis accidents" (DBAs) are postulated that are supposed to bound the accident contingencies having a probability large enough to require consideration.

Some engineered safety features are evaluated in relation to features of the site, in particular the size of the site and its distance from the nearest population center.

All engineered safety features are designed to function properly in the event of severe natural occurrences, including earthquakes, tornadoes and floods.

6.1 Engineering Methodology for Public Safety Protection

In considering the capability of engineered safety features, each DBA is related to a range of failure considerations.

Some of these are concerned with how failures are initiated, some with how they propagate, and some with the conditions prevailing when failure occurs.

Although the TMI-2 accident did not exceed the bounds of the postulated accident conditions with regard to release of radioactive materials, it did lead to core damage greater than that predicted in the analysis of DBAs, and the TMI-2 event has raised renewed interest in how accident bounds should be defined.

The objective of the engineered safety features is to control the consequences of failure in such a way that the health and safety of the public are not jeopardized.

Unless there is a precise definition of what is meant by "failure," the effectiveness of the regulatory approach cannot be evaluated.

Therefore, attention must be directed toward the meaning of failure as it affects public safety.

*/ Engineered safety features are defined as the systems and equipment needed to assure that consequences of a design-basis accident do not exceed the site radiation exposure limits specified in 10 CFR Part 100; however, many other systems are important for preventing or mitigating accidents.

The question of whether there is an effective way to separate the safety-related features of the plant from those intended for normal operational use and not considered essential to public safety protection is among the important nuclear safety technology matters highlighted by the TMI-2 accident. The assumption of separation of safety from non-safety features has had a profound influence on the manner in which nuclear safety regulations are imposed, and the separation philosophy must be understood and used properly.

Of special significance is the interaction between the "safety" and "non-safety" portions of the plants.

The accident conditions themselves may cause interaction, or the initiating events can involve unexpected interactions that alter the performance of the engineered safety features.

System interaction questions are complicated further by man-machine relationships associated with operator actions in nuclear plants.

Many of these issues are amplified further in the following subsections.

6.1.1 Design-Basis Accidents and Probabilistic Analysis

Since the early history of nuclear power plant regulation under the AEC, the design-basis accident conditions used for design of the containment structure and of the features intended to remove radioactive materials from its atmosphere were based on the release of very large amounts of fission products in a containment building that was assumed to be intact.

The assumed radionuclide release was derived in part from core-melting experiments, but the containment design pressure was based on the assumption that core cooling would be maintained and that no fuel melting would occur.

The containment structure is not required to include provisions to cope with a molten core or the heat, hydrogen, and other aspects of an accident in which the whole core melts.

On the other hand, engineered safety features must be designed to prevent severe core damage for a large number of design-basis events, including earthquakes, a pipe rupture in the primary system, a ruptured steam line, a loss of offsite power, and others.

*/ The TMI-2 incident involved accident conditions very much like those of the DBA, except that containment building pressurization did not extend over a long period of time and the fuel probably did not melt.

Core cooling disruption for short but significant periods of time led to core damage and gaseous fission-product release after the nuclear reaction had been halted.

Cladding damage also exposed the bare fuel pellets to the reactor coolant, and some solid radionuclides were leaked out.

The containment building did not maintain its leak tightness perfectly, but the leakage experienced did not result in damaging radionuclide release to the public environment. The extent of the TMI-2 failure and the manner in which the core cooling system was operated heightened interest in DBA assumptions, but the subject was not new.

In connection with the establishment of design-basis events, the regulatory process should take account of both the probability and consequences of the event in order to establish a risk-evaluation basis. Much could be learned by examining the possible differences in behavior of existing plants compared with those studied in the "Reactor Safety Study" (WASH-1400)*/ to determine whether such differences could result from design variations, site conditions, and a host of other variables.

Such variations are known to exist because of changes in technology and differences in engineering judgments.

The "Reactor Safety Study" showed that the probabilities of accidents involving core melting without adequate core cooling were high enough to deserve attention.

Since 1966, ACRS had urged AEC, NRC, and the nuclear industry to look beyond the design-basis accident for circumstances that might warrant mitigation by design.

More recently, the floating nuclear plant vendor was required, in response to an environmental impact evaluation, to provide features to reduce the consequences of a core melt.

Design-basis events, such as earthquakes, are usually examined in the design of nuclear plants to show that they can occur without resulting in accidents, but these and other events, unless dealt with adequately, could subsequently lead to an accident of greater severity.

For example, continuing loss of offsite power without the provision for long-term continuity of the emergency in-plant power supply could eventually interrupt core cooling enough to permit core damage or even core melt.

Some of the events, such as large double-ended pipe breaks, have a low probability of occurrence but, nevertheless, are now dominant considerations in safety evaluations concerning design basis accidents.

Other more likely events might be identified as deserving greater emphasis if probabilistic analysis were used instead of the DBA approach.

The DBA approach to safety analysis has been useful and relatively effective in the analysis of reactor systems.

However, the experience gained with its use, the continuing development of probabilistic methods, and experience in power plant behavior that has been accumulated all suggest that the approach should be modified to include increasing use of probabilistic considerations.

Severity of the DBA is one of the crucial technological issues.

Should core melting be assumed, and if so, how completely?

If not, is the core damage experienced at TMI-2 the appropriate basis for establishing containment leak tightness?

Are the previous design bases for containment, which allow for large-scale fission-product release but not the other phenomena associated with core melt, adequate to protect the public health and safety? The technical basis for the previously used accident assumptions involves a compromise that tries to cope with most accidents, but the logic does not always involve totally consistent assumptions.**/

*/ U.S. Nuclear Regulatory Commission, "Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," WASH-1400 (NUREG-75/014), October 1975. Available from USNRC or NTIS.

**/ Self-consistency has been an issue before the ASLAP. The NRC staff once required a BWR containment vessel to be inerted because of the hydrogen combustion potential, but the ASLB ruled that the assumed hydrogen generation potential was inconsistent with other assumptions.

A more logical method for establishing severity levels would be to use the "Reactor Safety Study" (WASH-1400) approach. The method would have to include consideration of both consequence uncertainty and engineering reliability, and it would involve applications where little experience exists and quantitative safety goals would be needed.

Probabilistic methods are not presently developed to the point where they can be substituted completely for consideration of DBAs in the traditional way, and it appears necessary for the immediate future to continue the current policy of specifying arbitrary accidents as a basis for regulation.*/

The present umbrella of DBAs may need modification, and a study should be made to determine which, if any, additional accidents should be added to those now considered.

The regulatory process should be able to show the public and the regulated industry how safety requirements are established and to clarify inconsistencies when they appear.

6.1.2 Failure Definition

The primary interest of nuclear safety regulation is to prevent the spread of radionuclides to the external environment and thereby protect the health and safety of the public.

Therefore, the failure mechanisms that might result in a release of radionuclides are the first safety considerations.

The failure boundaries in a nuclear power plant have been described as: (1) the fuel cladding, (2) the primary system pressure boundary, and (3) the containment boundary.

Each has some independence from the others, but they are not three truly independent barriers.

It would have been desirable if the regulatory safety approach could have minimized the interdependence of these boundaries so that failure of one boundary would not lead to failure of the others.

However, this failure approach cannot be fully realized.

Under some circumstances, failure of the primary pressure boundary could cause fuel cladding failure, but the reverse is unlikely.

Similarly, failure of the primary system could cause failure of the containment boundary under some circumstances.

NRC has nevertheless placed great reliance on these separate lines of defense and has developed its requirements for engineered safety features consistent with this failure-protection concept.

The engineered safety features are expected to function independently of the normal plant equipment that affects the primary coolant boundary even when postulated failures of the primary boundary are considered. Failure of the primary system is therefore permissible from a public safety standpoint because the separate lines of failure protection provide defense in depth. However, a definition of acceptable failure involves a number of controversial matters.

*/ Arbitrary accident definitions can take several forms.

Current practice is to assume core-melt-level fission-product releases but perfect containment and core cooling.

Other combinations, such as partial melting with degraded core cooling, could be selected. Containment leakage could be an accident variable.

One aspect of that definition is establishing failure tolerance.

Piping systems, for example, have suffered stress-corrosion cracking, but the cracking has never been extensive enough to result in a loss-of-coolant accident that would actuate the ECC system. One failure concern is whether the cracks could propagate uncontrollably and create a rupture that would excessively challenge the ECC system.

Another possible concern is that some severe condition, such as an earthquake, might cause a set of cracks to propagate into a failure of uncontrollable character. Hence, failure can be defined as acceptable only if it is controllable within public safety limits under the transient conditions stipulated for consideration by regulatory practice.

A second aspect of the definition is the influence of the operating environment on the failure.

A failure may be initially acceptable under regulatory requirements, but if its control requires the continuing integrity of equipment that cannot survive the operating environment after failure, it may eventually become uncontrollable.

For instance, severe fuel failure that released radionuclides to the primary containment and, within a short time, through excessive heat or ionizing radiation, caused a failure of a containment seal would not have been an adequately controlled failure.

The third aspect is the question of how many failure events must be considered when defining an acceptable failure.

The current approach is to use the single-failure criterion, for which it is assumed that there is an initial system or equipment failure and then there is one more equipment failure, usually associated with the mitigation actions intended to control the initial failure consequences.

This "single failure criterion," adopted from electrical circuitry design practice, has been used in the NRC regulations as a way of defining acceptable failure, but it is likely to be applicable only to very simple systems.

For complex systems, multiple failures may be experienced subsequent to the initial failure and some other standard of acceptability is needed.

These several aspects of failure are sufficient to illustrate why an understandable definition of acceptable failure is needed to provide a basis for regulatory practice.

With a well-founded definition, it would then be possible to show which types of failure would not constitute a cause for public safety concern; which types of failure known to be unacceptable, if allowed to run their course unchecked, could be controlled within acceptable consequences by mitigating features, such as physical restraints or backup operational features; and which types of failure are clearly outside the bounds of acceptability, even with mitigating features, unless further failure control provisions, such as emergency evacuation, are provided.

Much of the safety research program sponsored by NRC is aimed at establishing the nature of failure and showing that the consequences are acceptable within regulatory limits.

However, the tolerance of equipment for failure and the distinction between important and unimportant failure events are not yet adequately defined; more work is needed.

6.1.3 System Interactions

In the prior discussion of failure, reference was made to the interactions between various operating systems and how they might lead to significant failures from a public safety standpoint.

As currently used, the term "system interaction" refers to all those circumstances that could arise where there is a possibility of the events occurring in one system imposing safety-related stresses on another system.

For example, actuation of a fire-water sprinkler system that damaged the electrical controls could invalidate the capability of all engineered safety features.

System interaction questions involve such matters as (1) the relationship between the normal control systems and the so-called protection systems that are presumed to be isolated from each other but could have interactive effects; (2) the release of radionuclides or heat into the operating environment of engineered safety features to degrade their short- or long-term performance and possibly negate their safety function;*/ and (3) a crossover of a short-circuit fault from one circuit to another that could destroy redundant electrical equipment provided for reliability.

Most of these matters are given some consideration in the licensing process.

The regulations are intended to avoid deleterious system interactions, but recent experience suggests that the whole subject should be under constant surveillance by personnel who have insight into potential system interaction difficulties.
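The limits of the single-failure criterion discussed in 6.1.2 and the sprinkler interaction described in 6.1.3 can be worked through on a small model. The following is an added illustration, not part of the ACRS report; the two-train layout, the component names and the interaction table are hypothetical and constructed for this example.

```python
from itertools import combinations

# Constructed model (all names hypothetical): a safety function that is
# available as long as every component of at least one train is working.
TRAINS = {
    "train_A": {"pump_A", "valve_A", "controls_A"},
    "train_B": {"pump_B", "valve_B", "controls_B"},
}

# Events in systems classed as non-safety and the safety components each
# one disables. The sprinkler entry mirrors the report's example of a
# fire-water sprinkler actuation damaging electrical controls.
INTERACTIONS = {
    "sprinkler_actuation": {"controls_A", "controls_B"},
    "instrument_air_loss": {"valve_A"},
}

SAFETY_COMPONENTS = set().union(*TRAINS.values())
ALL_CANDIDATES = SAFETY_COMPONENTS | set(INTERACTIONS)


def propagate(failures, interactions):
    """Return every failed item once interactions have run to a fixed point."""
    failed = set(failures)
    frontier = list(failures)
    while frontier:
        for victim in interactions.get(frontier.pop(), ()):
            if victim not in failed:
                failed.add(victim)
                frontier.append(victim)
    return failed


def function_available(failed, trains):
    """True if at least one train has no failed component."""
    return any(not (needed & failed) for needed in trains.values())


def minimal_cut_sets(candidates, trains, interactions, max_order):
    """Minimal sets of up to max_order candidate failures that defeat the function."""
    cut_sets = []
    for order in range(1, max_order + 1):
        for combo in combinations(sorted(candidates), order):
            if any(set(cs) <= set(combo) for cs in cut_sets):
                continue  # a smaller cut set already covers this combination
            if not function_available(propagate(combo, interactions), trains):
                cut_sets.append(combo)
    return cut_sets


def separated_review():
    """Single failures among safety components only, interactions ignored."""
    return minimal_cut_sets(SAFETY_COMPONENTS, TRAINS, {}, max_order=1)


def integrated_review():
    """Single failures anywhere in the plant, with interactions propagated."""
    return minimal_cut_sets(ALL_CANDIDATES, TRAINS, INTERACTIONS, max_order=1)


def double_failure_review():
    """Single and double failures anywhere in the plant, interactions propagated."""
    return minimal_cut_sets(ALL_CANDIDATES, TRAINS, INTERACTIONS, max_order=2)


if __name__ == "__main__":
    print("separated review, single failures: ", separated_review())
    print("integrated review, single failures:", integrated_review())
    print("cut sets up to order two:          ", len(double_failure_review()))
```

The separated review finds no single failure that defeats the function, while the integrated review finds one in a system that the separated review never examined; allowing a second failure adds twelve more combinations.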

6.1.4 Man-Machine Interactions

Nuclear power stations cannot be operated solely by human action or by machine automation.

Operators are needed to establish a state of readiness for the plants, to relate them to the external electrical demands and to provide fuel loading, maintenance, and other service activities. One way to minimize human mistakes is to automate the plants or to provide better computerized analysis so that the likelihood of human thinking errors will be minimized.

None of the older plants have sufficient computerized analysis capability to be useful in analyzing most operational symptoms quickly.

Some newer plants have improved computerized analysis capability but still provide only a limited set of automated functions, such as the emergency power supply systems, reactor safety protection systems, pressure relief, containment isolation valves, and a few basic mechanical equipment functions.

*/ The Browns Ferry fire was an illustrative circumstance.

The fire destroyed the electrical control circuitry, and it was necessary for the operators to find an alternate power supply for actuating certain valves to depressurize the system in order to establish the core cooling safety function.

There may be advantages to expanding the automated features to reduce the need for operator action during transient operating periods, but how and whether this should be done deserves considerable thought.

Most of the more modern plants are providing additional computerized control capability that could by computer-initiated control signals ease the knowledge requirements put on the operators, but concern has been expressed about such systems causing undesirable operational actions through computer malfunction. The safety threat from such malfunction offsets to some extent the desirability of computerized response.

There is need to improve the information displays in control rooms.

These have been developed along lines that follow customary display practice for nonnuclear steam power stations combined with the now-traditional display scheme for nuclear controls.

This display has considerable merit because operating personnel are accustomed to it.

But it may not draw operator attention adequately to the crucial instrumentation needed in emergencies.

The alarm systems may be excessively confusing and some information displays could be better located.*/

Even if information displays are improved, the diagnostic needs for accident control purposes will not be met.

In order for either operating personnel or automated controls to respond to instrumentation signals, there must be less ambiguity of interpretation that could lead to erroneous safety actions of the sort that occurred at TMI-2.

Attention will have to be concentrated on integrating information from diverse sensors and combining the information in such a way that the accident symptoms lead the operators to initiate correct safety control actions.

Symptom correlation with instrument signals to direct operator action to the appropriate safety procedures could eliminate much of the concern about man-machine interfacial response.

Not enough attention has been given to this matter.

In addition to information needed for diagnostic purposes, operating personnel must have some emergency instrumentation provisions to maintain cognizance of accidents that do not proceed along anticipated lines. An example is instruments that show whether fuel has failed and what type of failure may have occurred.

Without such provisions, the operating personnel are less able to correct unforeseen events that may have been overlooked during accident analysis, even though the corrective action might be easily performed.

*/ This is not to say that the existing control rooms are unacceptably poor.

The experience at TMI-2, although justifiably drawing criticism for the quality of the instrument displays, did not show that operators were unable to identify operating conditions or to determine whether control equipment was functioning.

Some valve closures and the condition of the steam-relief quench tanks were not adequately displayed, but minor design changes could correct these problems.

The real concern is whether the diagnostic burden on operating personnel is excessive.

6.1.5 Separation of Safety from Non-Safety Systems

The NRC regulations are generally founded on the idea that if the systems important to safety are reviewed carefully and the plants are properly constructed with suitable features, taking into account the plant site, the public will be protected adequately.

The NRC review practice has been to separate safety from non-safety systems, with primary attention given to the safety systems.

The initial intent of the separation philosophy was probably to avoid conflict between demands from normal operating modes and those peculiar to safety functions. As the scope of reactor licensing broadened, the separation philosophy permeated the design process but not with consistent logic.

One typical example is the removal of decay heat.

In what is perceived as an "emergency," the ECC system is classified as a system important to safety and receives commensurate treatment and attention.

On the other hand, those aspects of decay-heat removal associated strictly with normal shutdown, a much more frequent need, do not receive the same emphasis.

Thus, this separation philosophy has resulted in the creation of two systems that are treated differently in safety reviews. The safety system is scrutinized carefully, but the non-safety system may be totally ignored.

Important safety matters could be excluded from review if improperly classified.

In some cases, the concept of separation results in overdependence on a specialized safety provision, the safety capability of which would be better realized if it were considered as a part of the whole operating plant. Feedwater systems for steam generators cannot, for example, be uniquely separated into safety and non-safety categories.*/

As now applied, the philosophy is also used to distinguish between safety-related and non-safety-related functions with respect to their quality and reliability. An advantage of a properly implemented separation philosophy is that safety-related systems requiring very high reliability can be designed specifically to meet their requirements without imposing these requirements on those non-safety-related features that require less rigorous design. A disadvantage of the separation philosophy is that it cannot be implemented perfectly and is therefore sometimes arbitrary and artificial.

For example, a control system and a shutdown protection system could be considered an integrated control system because they are interactive.**/

*/ The TMI-2 auxiliary feedwater systems obviously had safety-related functions that had to be integrated with normal feedwater supply capability.

**/ Detailed consideration of anticipated transients without scram (ATWS) showed that current power reactor designs routinely depend on "scram" protection for shutdown systems in certain "anticipated transients" to provide needed corrective actions to prevent overpower. Thus, the "shutdown system" is made a part of the control system. Nevertheless, Appendix A, Criterion 24, of 10 CFR Part 50 requires that control systems be separated from protection systems.

The separation of safety from non-safety functions is necessary when the functions have contradictory requirements.

It is desirable in some cases to make them independent to prevent the circumstances which interfere with normal functions from also destroying the safety-protection function.

For example, an operating electrical power system might be damaged by a lightning strike, and if the emergency power system were tightly coupled, it also might be damaged by the same lightning.

This type of separation has been encouraged in the regulatory process, and in some parts of the world, deliberate "bunkering" of some engineered safety features has been introduced to assure the integrity of the safety function.

In recent years, concern has been expressed about the use of engineered safety features to perform other normal plant functions, although such optional use could be desirable since, under some circumstances, such arrangements might enhance the reliability of the safety features by providing a means for monitoring their operability.

Care still needs to be taken to assure that the non-safety functions cannot interfere with the capability of the engineered safety features at the time of need.

Because it is impractical to impose all the safety stringencies on every plant detail, the separation concept must be used.

A few very important features with extremely high public safety protection value will need special quality, redundancy, and testability properties that cannot be extended to every plant element. The extent of this type of treatment may need to be greater than has been provided in the past.

Alternatively, new design approaches could be developed wherein the safety treatment placed less dependence on such safety-related features.

Higher reliability might be attained in some cases if the separation concept were discarded so that the entire system could be considered as responding to the safety requirements.

Credit for the capability of features previously considered outside the public safety provisions might also be justifiable.

Indeed, the review process itself cannot be permitted to follow arbitrary lines of separation between safety and non-safety features, since this could easily result in overlooking important system interactions or malfunctions that could have public safety importance.

The whole principle of safety separation needs to be redefined with the intent of developing a more logical and more effective result.

6.2 Siting Aspects of Public Safety Regulations

An established precept of nuclear safety practice is to seek sites with acceptable public safety characteristics, including remoteness from population centers.

The NRC Reactor Site Criteria, 10 CFR Part 100, use the site properties as a reference basis and require the engineered safety features to be designed to limit the release of radioactive materials to acceptable limits under postulated accident conditions.

However, the containment structure is not designed to cope with core melting, and the use of currently employed engineered safety features to permit reactor siting in more populated areas has been questioned.

Certain types of accidents could create conditions beyond the control capability of such features.

It is therefore necessary to reevaluate the criteria for siting, including the accident conditions under which site safety is judged, when establishing regulatory requirements.

6.2.1 Siting Criteria

Under early safety practices, the criteria for nuclear power plant siting revolved around the definition of power plant exclusion areas, low population zones, and the dependence to be placed on engineered safety features to assure the health and safety of the public in the event of accidents.

At one time during the most active period of power plant licensing, the provision of engineered safety features to mitigate accidents was a major consideration in determining how close to population centers a power plant could be sited.

More recently, there has been a tendency to discount this dependence on engineered safety features. Nevertheless, containment structure leak tightness is still a determining factor in establishing the rate and quantity of radionuclides that could escape to the environment if an accident were to release large quantities of radionuclides from the core.

The direction of the dispersal, the dilution of gaseous radionuclides, and the settling-out of particulates are determined by analyzing site-related meteorological data.

The TMI-2 accident resulted in conditions well below 10 CFR Part 100 limits, even though radionuclide releases into the containment building were close to design-basis assumptions and the containment leak tightness was not equivalent to that assumed by design.

There were compensatory factors; although the opening from the containment allowed some radionuclides to escape, they escaped only through a route that included an array of piping, tanks, and filters where water, steam, and surface contact could capture some of the released products.

Thus, factors in addition to the usual engineered safety features associated with containment were beneficial to public safety protection.

Not all accidents involving design-basis radionuclide releases would have the benefit of these mitigating factors if containment integrity were lost.

For example, at TMI-2, the hydrogen generated from the zirconium-water reaction evidently resulted in combustion within the containment building that caused pressures higher than those provided by design for some low-pressure containment structures associated with other commercial plants.

The "Reactor Safety Study" (WASH-1400) showed that the likelihood of a core melt was high enough to deserve consideration in reactor siting.

The study also indicated that the hydrological path for radionuclide dispersal was generally long enough to eliminate it as a short-term threat to the public in the event of a melt-through accident.

However, more attention should be directed to the ultimate consequences of such events.

Siting criteria should be aimed toward establishing sites best able to accommodate core melting over the long term.

In particular, the hydrological considerations involving potable water systems should not be ignored.

Practical methods for protecting such systems from radionuclide contamination should be available for all nuclear power plant sites.

These siting matters have been considered by both AEC and NRC for many years, but the circumstances surrounding the TMI-2 accident have placed new emphasis on them.

The initial public safety protection considered for nuclear reactor systems was primarily the selection of sites remote from highly populated regions, and this remains a valuable public safety protection feature if other lines of defense are not adequate.

Where practical, maximum advantage should be taken of remote siting as a public safety provision.

6.2.2 Multiple-Unit Sites

The selection of sites for nuclear power stations and related facilities has to include consideration of fuel and waste transportation, electrical power distribution, waste heat dispersal, and accident interactions between units, as well as the environmental surroundings, including population distribution.

Most nuclear power plant sites involve only one or two nuclear reactor units, but a number of installations have been planned involving several reactors, and others have been discussed that extend the sites to as many as ten 1000-Mwe units.

There are advantages in multiple-unit sites that concentrate installations where the best siting conditions prevail and, at the same time, establish a large enough power complex to justify adequate technological support to enhance operating skill.

The disadvantage of multiple-unit siting is that an accident at one unit could jeopardize all others and multiply the property risk and vulnerability of the power system from a single accident.

There is no clear basis for the selection of one approach over another at this stage in the technological development.

Whether large multiple-unit sites would be desirable depends very much on whether an accident at one site of the type that occurred at TMI-2 could be isolated in such a way that the remaining facilities could be operated in a mode acceptable from a public safety standpoint.

Before the latter approach could be accepted, however, a number of matters would need to be resolved. They include:

1. showing that an accident involving one unit at a site could be isolated in a manner that would eliminate its effect on other units,

2. defining the technological skills needed to make the site acceptable in terms of operational capability, and

3. identifying the physical arrangements of nuclear power plant support facilities, emergency control, transportation resources, and plant orientation to optimize the risk considerations introduced by the multiple-unit approach.

Specific site development plans of this type have not been studied adequately.

The criteria for acceptability should include not only the capacity to handle a large number of units but also the characteristics that minimize jeopardy of population centers.

Further work is needed before a policy for evaluating large multiple-unit sites can be established.


6.2.3 Site-Related Safety Improvements

Nuclear power stations have incorporated many features intended primarily to enhance their safety as the result of direct regulatory requirements.

These features have included off-gas filtration, automated containment isolation, and hydrogen recombiners for containment.

Further improvement in some areas may be desirable.

A comprehensive study should be made to define the most urgent needs.

The discussion that follows illustrates the types of safety improvement that could be of value.

An important safety contribution would be a system that could remove radioactive materials from the containment atmosphere after an accident so that the remaining gases could be vented to the atmosphere.

Specification of the details of such a system and the needed performance reliability would involve research and experimental work.

If such a system could be provided, public safety actions after a TMI-2 type of event would be easier.

More versatile and more reliable core cooling capability might enhance public safety.

The experiences at Browns Ferry and TMI-2 both point to the desirability of being able to provide reliable core cooling from multiple sources.

Diversity of the capability, its independence from accident circumstances, its resistance to deliberate sabotage, and its ability to directly cool the core under a range of circumstances could directly reduce the likelihood of a TMI-2 type of accident, as well as other accidents offering the potential for core damage and even fuel melting.

Conceptual engineering studies would be valuable in determining how this capability could be realized.

The ACRS has supported the investigation of both these features as part of the NRC research program to improve reactor safety.

Other types of safety improvements might be envisioned.

These include different means for primary system pressure relief, changes in materials of construction, techniques for minimizing accumulation of radioactive materials that directly interfere with in-service inspection, and modifications in existing containment concepts.

More independent initiative is needed, however, by the nuclear industry in identifying safety improvements.

6.2.4 Nuclear Power Plant Waste Management

A problem that had, until the TMI-2 accident, received virtually no attention is the matter of radionuclide cleanup following such an event.

Similar problems pertain to the decommissioning processes for nuclear installations.

NRC has, in the past, left these responsibilities to its licensees.

As a result, the associated planning and supporting research have been inadequate. This is clearly shown by the inability to handle the large volumes of radioactive gaseous and liquid wastes that were generated by the TMI-2 accident. Neither the industry nor the involved federal agencies or their advisory groups adequately envisioned or planned for accident situations in which the character and magnitude of the waste management problems would be significantly different from those of routine nuclear power plant operations.

The associated consequences included increased personnel exposures, inability to collect adequate samples to assess the situation, and a delay in restoration activities.

The accompanying public opposition to plans for the disposal of the decontaminated waste fluids, even though these involve risks no greater than those associated with similar wastes resulting from normal operations, has also delayed cleanup of the plant.

The need for usable low-level waste disposal technology that meets established criteria, policies, procedures, and regulations is apparent. Meaningful regulatory action directed toward opening and operating new low-level waste disposal facilities might reduce public concern over this matter.

6.2.5 Emergency Response

Questions concerning nuclear industry capabilities for handling off-site emergency-response problems associated with accident situations have been of interest since the beginning of nuclear power development.

Those responsible for the safety of nuclear installations, beginning with the AEC, recognized the need to develop such capabilities, but the development was not pursued vigorously, partly because of industry concerns and partly because of a lack of sufficient interest on the part of state and local authorities.

As a result, even though NRC has required licensees to establish emergency plans in cooperation with state and local governments, this planning has been inadequate because the state and local government units have not had either the funds or the personnel to participate on an effective basis. Also contributing to these problems is the fact that, as implied above, NRC has had no regulatory authority over state and local governments.

As a result, the NRC staff could only indirectly review the radiological emergency plans of such agencies.

In the past AEC and NRC considered evacuation primarily in terms of the controlled releases of radionuclides which would occur if containment integrity were maintained.

Only in recent years has the NRC staff begun to examine emergency preparedness in terms of more serious accidents, where evacuation might be considered at distances of ten or more miles.

With the occurrence of the accident at TMI-2, there has been a substantial alteration in this situation, particularly with respect to the interest of state and local governments.

In addition, several bills now pending before Congress hold promise of correcting certain aspects of these problems.

These actions are necessary to implement needed changes in the regulatory process.

6.2.6 Accident Recovery

The degree of difficulty encountered in restoration of a nuclear power plant that has been subjected to severe accident conditions is dependent in large part on the forethought given to such a probability during the design phase.

When a significant amount of radioactive material escapes from the primary coolant system, its confinement within the containment structure minimizes the immediate jeopardy to the public. As the TMI-2 experience has shown, however, the ultimate recovery from such an accident is impeded greatly if the containment structure cannot be entered and there is no effective way to remove the radioactive materials.

A thorough study of accident-recovery methods is needed to ease the problems associated with handling this type of situation should it recur.

The options include addition of internal decontamination water sprays or comparable cleanup systems, robot-type equipment that could be used to reduce the concentration of radioactive material to a level suitable for human access, or possibly secondary types of enclosures intended mainly to limit the spread of radionuclides from unanticipated accidents.

Ultimately, even previously molten fuel may need to be removed from the containment structure and transformed to a more suitable condition for long-term isolation. Attention is now being devoted to these problems as they apply to TMI-2, but the question is of sufficient general interest that it should be a part of the longer term contingency planning.


7. REGULATORY MANAGEMENT MATTERS

Public understanding and acceptance of nuclear power as a beneficial source of energy depends to a large measure upon effective regulatory management.

In establishing NRC, the intent of the Congress was to create a regulatory agency that was free from promotional bias.

It was believed that such an agency could oversee the safe use of nuclear energy and improve public confidence in the regulatory process.

The law implied, by its sanctioning of nuclear plant licensing, that nuclear power was an acceptable source of energy but that the policies and practices under which it was regulated needed modification.

Any such regulatory process is, however, extremely complex.

It has legal, economic, social and political aspects, and it involves very complex technology.

The regulatory process must be stable in the eyes of the industry, it must be vigilant in protecting the safety of the public, and it must handle safety questions intelligently, responsively, and expeditiously.

To satisfy these regulatory obligations, the competence and responsibility of those involved in the regulatory process must be shown to be suited to regulatory purposes.

If they are then able to develop a format that is understood by all the participants, a suitable regulatory system should result.

The effectiveness of the regulatory process should be evident from the regulatory reporting system, the regulatory actions involved in correcting safety problems, and the communications releases through which the regulatory agency provides information to the public.

These matters are not all handled satisfactorily in the current regulatory system.

Attention is directed to some of the most urgent matters in the following discussion.

7.1 Organizational Issues

As discussed in Chapters 4 and 5, the regulatory organization and the nuclear industry have both structured their organizations for interactive response to regulatory demands.

The organization structure is not set forth with such clarity, however, that every need can be identified and shown to be met.

The responsibilities of the organizations, their competence, and the manner in which they perform their duties determine whether the organizational structure is adequate.

In many cases, as subsequent discussions show, organizational problems exist that need attention.

7.1.1 Staff Competence

Taken as a whole, the professional competence of the NRC staff is impressive because of its varied talents and the high level of academic training and experience its members have attained.

Nevertheless, each time a significant new safety problem appears, it usually points to a weakness in the regulatory process.

This is particularly true with respect to the designation of problem areas for attention.

Areas that now seem to need the most attention are systems analysis and plant operations.

With respect to systems analysis, the NRC staff, which has been highly compartmentalized, needs to build a stronger capability to understand and anticipate the interactions between plant systems, including the effects on such systems of accident environmentals and external phenomena.

Relative to plant operations, the IE staff needs to be able to understand better the behavior of operating systems, to assess the capabilities of the operating staff, and to assure that their activities do not jeopardize public safety because of design, construction, or operational errors.

The recent organization of a systems engineering group within the NRC staff will be helpful in reducing the compartmentalization of technical skills and may ultimately satisfy the systems analysis need.

The operational aspects of nuclear power plants have not yet been examined sufficiently to clarify how the NRC staff capability should be altered.

Areas in need of attention include a better understanding of methods for training nuclear power plant personnel, improved procedures for analyzing systems interactions, a broad capability for accident simulation, improved methods for the control of radionuclide effluents, and upgraded procedures for inservice inspection of plant safety features.

All these examples suggest a need for reorientation of existing review procedures rather than the addition of new staff skills.

If the present staff is preoccupied with existing tasks, however, new sources of manpower may need to be obtained.

One possible way of expanding the IE capability is through the use of third-party review.

The development of outside sources to review other plant features on a systems basis might be a useful approach.

This approach is already accepted by NRC for the primary coolant circuit and containment structures under the ASME Boiler and Unfired Pressure Vessel Code, Section III, Nuclear Components.

The qualifications of such reviewers would need to be established, but in principle this approach could extend the capabilities of the NRC staff in matters pertaining to nuclear quality assurance.

To provide an independent assessment of its capabilities, the NRC staff should consider the establishment of ad hoc review groups. While the ACRS could contribute to this activity, it does not appear to be an effective use of the Committee's limited time.

Other arrangements should be sought.

Individual ACRS members might be able to lead ad hoc review groups composed of consulting experts.

It is important that such reviews be conducted by people who have an understanding of administrative as well as technological matters.

7.1.2 Industry Competence

The nuclear industry infrastructure is broad enough to satisfy most licensing requirements, given financial support and management backing.

Thus far, however, segments of the industry have tended to limit their interests to complying with specific requirements of licensing, while managing the engineering aspects of nuclear power plants along the lines of conventional utility practice.

Following this approach, many utilities have relied heavily on outside consulting services for technical guidance, although some of the larger utilities have established substantial nuclear engineering competence.

Recent events indicate that nuclear power plant licensees need more basic capability to prepare for accident contingencies, to diagnose and respond to such events as they evolve, and to provide backup resources when needed.

The operating organizations cannot become totally knowledgeable about all nuclear steam system transient characteristics, but they can strengthen their understanding through training programs and professional staff additions. The organization of this additional capability will have to be adapted to existing operating situations, but it is extremely important that each licensee or license applicant establish direct top-level management interest in this capability on a continuing basis.

The nuclear steam system suppliers and the architect-engineers also need to strengthen their capabilities in support of the operational organizations.

It would be appropriate for NRC to encourage each of the major participants in the nuclear industry to commit themselves to an aggressive program for the development of safety improvements.

Regulatory action alone will not satisfy the interest of public safety.

The industry needs to demonstrate not only a commitment to the task, but also the methodology and a timetable for its accomplishment.

7.1.3 ACRS Effectiveness

The ACRS is assigned the responsibility for reviews prior to license issuance and reporting the results of its deliberations to NRC.

In the Committee's view, some monitoring of current license applications and of operating experience will always be needed to assure up to date and comprehensive treatment of safety matters.

Similarly, ACRS review of NRC's safety requirements, as embodied in regulations, standards, and standard review plans, must be continued, since these requirements provide the basis for staff judgment on such matters.

ACRS also needs to keep currently informed of safety research and international nuclear safety matters. When specific safety issues arise, ACRS will frequently be asked to use its range of expertise to assist the regulatory administration in defining a path for minimizing public safety risk. All such matters are important and would appear to deserve priority over other demands on the Committee.*/

This is especially true since the time of ACRS members is limited by their part-time status.

*/ In the past, ACRS has reviewed radionuclide shipping-cask design and verification programs, waste-management plans, and other comparable matters of lesser safety significance. The Committee can continue handling of such matters when licensing activities are slow, but it could not carry a heavy extra load concurrently with intensive licensing.

It is noted that in Japan, the advisory functions are divided between two committees, one for power plants and the other for the balance of the fuel cycle.

7.1.4 Clarification of Responsibility

Within the regulatory organizational structure, there are five line offices under the direction of the Executive Director for Operations (EDO).

Because the law provides for direct access to the Commissioners by the Directors of three of these offices, the authority of the EDO for public safety decisions may be diluted.

Further, these offices have sometimes acted independently of each other when their action should have been coordinated.

The result is apparent confusion concerning the source of authority for regulatory positions.

This has adversely affected public confidence in the regulatory process.

Integrated and identifiable authority is needed to correct this situation.

The Commissioners also do not at present have a well-defined role.

Legislative action should be taken to establish how the Commissioners, as a collegial body and as individuals, should meet their responsibilities and display appropriate regulatory leadership.

If some other form of regulatory management approach is ultimately established, similar definition of the regulatory management role is needed.

A matter of equal concern is whether NRC has delegated too much responsibility for public safety to the licensees.

NRC could interject itself more into operational planning and training.

The presence of an NRC representative at plant site offers NRC the prerogative to decide when and whether plants should be started up or shut down.

In addition, NRC could set more explicit requirements with respect to plant design, operating procedures, and effluent discharges, and it could require all applicants to follow these NRC directions.

Thus far, NRC has avoided this because it would essentially relieve the licensees of any responsibility for design and operational decisions.

Such an approach might also result in the loss of NRC review objectivity, since the agency would be defending its own designs and operating initiatives.

There is a crucial need to establish that licensees who accept responsibilities are capable of meeting them.

7.2 Regulatory Format

The conduct of the regulatory process requires a well-understood format in which the technological matters are presented and public review is effected.

No system as complicated as the nuclear regulatory process could have a detailed prescription for every regulatory requirement.

Much that exists in the regulatory process is a result of continual development of review documents, and adversarial discussion between license applicants and safety reviewers, as well as the application of recognized conventional engineering methodology to important safety matters in every technological area.

The application of this well-understood base and the manner in which "standardization" is used to assure public safety must be appreciated by those concerned with regulatory management.

The legal framework, itself, depends upon this format, but its use may be distorted if conventional legal processes are applied to safety areas.

The ensuing discussion will show where some adjustment of the regulatory format is justified and desirable.

7.2.1 Preservation of Regulatory Base

The good safety record of the nuclear power industry is largely attributable to the regulations of NRC and its predecessors and to the efforts of the nuclear industry.

In considering the need for change in the regulatory process, care must be taken to preserve the good qualities of the regulatory system while seeking improvements.

The current approach, based on the use of regulatory documents, is well understood, even though some of the documents may be subject to misinterpretation, some may need to be more definitive, and some may need to be expanded.

It is important to work with the existing base to the maximum extent practical.

If a new set of documents were introduced, the interpretation process, itself, could lead to regulatory chaos.

The experienced personnel involved in the regulatory process in both the regulatory and licensee organizations are also an important part of the base. Although management changes are needed, and the definition of responsibility should be improved, those knowledgeable about the safety logic and the implicit but unstated cost-benefit balance must be permitted to function in a system not overly encumbered by procedural requirements or arbitrary management edicts.

7.2.2 Standardization

The concept of "standardization" was originally envisioned as a way to accelerate the licensing process by minimizing review time.

Most NSSS vendors have established basically uniform configurations.

All major equipment is standardized in manufacture and performance.

The thrust of recent standardization has been to obtain "design approval" on a system basis so that system review will not have to be performed repetitiously.

Balance-of-plant designs by A-Es have followed a similar trend.

The level of detail provided in standardized designs is not as complete, however, as might be seen, for example, in air transport systems.

The adequacy of the system definition, including the level of detail to be provided for final approval of the standardized design, has not yet been established.

Insufficient experience is available to confirm the benefits anticipated from standardization.

Standardized designs, up to now, have added further variability to designs seen in previously licensed plants.

A standardization approach that has received considerable support is "replication" of existing designs.

This approach reduces design variability, since the intent is to follow closely what has been done before. As applied in recent licensing actions, replication approaches have, unfortunately, tended to restrict initiatives for safety improvements on the premise that they violated the principle of "design stability," which standardization is intended to promote as a means of streamlining the approval process.

This restriction might also be interpreted as a mechanism for circumventing requirements for public safety improvements.

There are certainly advantages to standardization that could be realized if many nuclear plants needed to be licensed rapidly.

It is not certain that the present NRC approach really brings forth the advantages of standardization.

The mode in which "standardization" is being used should be reexamined to determine whether alterations */ would enhance nuclear plant reliability and safety without loss of the streamlining effects on licensing that it is intended to provide.

The range of reliability and safety in current designs can be measured, in part, by the current study of the critically required PWR auxiliary feedwater systems, wherein a range of 100 or more in apparent reliability between various designs has been discovered.

Comparable ranges of reliability may well be found in each of the other functional systems required for safe shutdown and accident mitigation.

These range from the service water system through component cooling (including considerations of whether such a system is necessary), the secondary steam system (again, if necessary), environmental and equipment cooling systems, and the like.

These systems, as exemplified by the PWR auxiliary feedwater systems, may all satisfy the minimum requirements of present regulations, and yet still show an extreme range from very poor to generally excellent practice.

In the final analysis it may well be argued that study would show that some BWR or PWR design features should be eliminated from a future standardized design.

A concept of standardization could be established that would be based almost entirely on the LWR experience over the last 20 years plus consideration of comparative accident vulnerability, as determined by careful study of critical systems design under all modes of operation.

Unproven extrapolations of nuclear technology might be excluded, although evolution of design improvements within a few developmental plants could be part of the overall effort.

7.2.3 Legal Framework

A sound legal basis is essential to the regulatory process.

One of the mechanisms in this process is the review of a license application by an ASLB.

Such a review is intended to establish that the NRC has a basis for its rules and regulations, that it is following its own regulatory requirements and policies, and that it has satisfied the intent of NEPA.

Since the NRC staff has satisfied itself as to the adequacy of the safety of a given facility prior to such a review, its legal staff generally supports the licensing actions before the ASLB.

The NRC's legal staff also serves as a channel through which the Boards can probe the NRC staff positions on licensing actions.

*/ The concept of a standard LWR design for national use has been suggested. Such a design could evolve from careful sifting of the current designs to determine the most reliable and economical means by which functions common to all plants are accomplished.

There are some significant advantages to the public in this process.

It sometimes provides an opportunity for further examination of legitimate safety concerns not fully exposed in the previous reviews.

It also provides a valuable forum for discussing NEPA issues of concern to the public.

Nevertheless, the hearing process leans more toward legal maneuvering than to a position supportive of public safety and environmental concerns.

In addition, it seems to have discouraged discussion of safety issues in the Safety Evaluation Report (SER) and in other documentary evidence intended for Hearing Board review.

It also leads to legally oriented oral statements by NRC staff members.

Most importantly, this approach discourages the NRC staff from discussing controversial subjects of safety concern in open meetings, including those with ACRS. These self-imposed restraints are probably intended to eliminate extraneous matters that might unnecessarily delay the hearing process.

Unfortunately, they may also prevent full exploration of some significant safety issue. Hence, the interests of legal expedience may need to be sacrificed or provided through a different form of regulatory review in order to assure complete exposure of safety issues.

Under present conditions, the staff SER appears to be prepared mainly to provide information for the ASLB hearing.

As a result, the SER consists primarily of repetitive "boiler plate," which often tends to obscure and provide little amplification of safety issues.

The result is that the SER has become a document of little value to those people responsible for safety reviews of nuclear facilities.

This includes members of ACRS.

Public safety is not well served by this style of safety issue presentation.

If the SER included discussion of the various aspects of each significant safety issue, together with a judgment basis for the NRC staff conclusions, the report would serve a more appropriate role at the ASLB hearing.

The reasoning of the NRC staff could be examined by ACRS and ASLB without the need for advocacy by the NRC legal staff.

Where a basis for ruling on a particular safety issue had been previously established, it could readily be identified.

The public would then be able to see why, where and how the NRC staff's safety conclusions were drawn.

ASLB rulings on specific safety issues have sometimes, because of legal considerations, adversely affected public safety interest, as the following example illustrates.

The ASLB has on occasion ruled that NRC could not require planning for emergency action beyond the low population zone (LPZ).

It has also ruled in some cases that the radius of the LPZ must be reduced because of population growth near a plant site.

These two rulings have combined to permit a high population density adjoining some sites without commensurate planning for emergencies.

The ASLB hearings are also used as a mechanism for determining whether the NRC staff has an appropriate basis for rulemaking.

Although the hearing provides an opportunity for open debate, the subject matter is sometimes outside the context of specific licensing actions.

Whether such hearings provide the proper forum for establishing technological validity is not entirely clear.

For example, adversary proceedings lasting more than a year were needed to develop rulemaking*/ for analytical techniques to demonstrate the performance adequacy of ECC systems.

Even so, some reliability aspects were never adequately addressed during this hearing process.

If such a process is to be used as the basis for rulemaking, the manner in which the issues are to be addressed and the rules established needs further study.

The attention directed to NEPA may be indirectly interfering with public safety reviews by diverting attention to other interests, such as power system load growth, cost-benefits of alternate power sources, and other environmental matters.

These are concerns of major public interest, and NRC is probably justified in its view that the applicable statutes require diligent attention to them.

However, there has sometimes been a tendency to move NEPA matters ahead of public safety matters.

The selection of a power plant site, for instance, is weighed carefully by NRC with respect to its economic benefits, social impacts, and power system demand, but in most cases, safety alternatives are weighed only with respect to whether a particular site meets the minimum safety requirements.**/

The Public Hearings are an important aspect of the nuclear regulatory process, but some consideration needs to be given to changing the style of the hearings so that the safety issues can be exposed fully without unnecessarily delaying licensing actions.

The combining of NEPA and Safety Reviews in the ASLB hearings may be a contributing complication.

To the extent practical, it would be desirable to further separate these two issues in the hearing process.

7.3 Regulatory Actions

Public perception of regulatory actions will be improved if safety problems are reported on a timely basis and actions are implemented promptly when needed to assure the protection of the public. Since the accident at TMI-2, the NRC staff has been reexamining the manner in which public safety problems are identified and how it implements corrections.

Specific changes to be proposed are still under discussion.

The areas where alteration in the regulatory style could be of immediate value are noted below.

*/ Published in 10 CFR Part 50 as Appendix K.

**/ An exception is noted in the case of the Hope Creek Nuclear Station, the site which was changed from Newbold Island after NEPA review focused attention on the less than desirable population distribution in the proximity of the previously selected site, but only after the earlier site had been carried through an extensive licensing review, including ACRS hearings.

7.3.1 Reporting of Safety Problems

New safety problems will appear in nuclear installations, and it is unrealistic to assume that all will be predictable. NRC requires all licensees to report safety-significant happenings promptly so that necessary regulatory actions can be taken.

The comprehensiveness of the reporting requirements may not, however, be adequate to cover all areas of interest nor to include all participants who might make a safety contribution.

Action should be taken to make certain that nuclear plant owners and operators, constructors, NSSS and other equipment suppliers, inspection and service organizations, craftsmen, operating personnel, and even the public at large report matters of public safety significance as soon as they are known.

While this may occasionally cause unnecessary reaction to minor safety matters, it will assure that maximum time is available to correct serious difficulties.

At the same time, the reporting system should not be excessively burdensome.

The informational requirements should be defined in such a way that those involved in reporting can, without excessive effort, provide whatever information is necessary to assess the safety significance of the problems that arise.

Of particular importance is the need to avoid a prosecutory environment */ for those who report errors, faults, and maloperations, particularly when deliberate wrongdoing is not evident.

Only in this way can the regulatory system assure a positive response from licensed participants, their contractors, and their employees.

7.3.2 Resolution of Generic Problems

Some years ago, ACRS developed a list of safety matters that, although requiring attention, were not of such urgency that they required final resolution for all specific license applications.

It was intended that these matters be covered by NRC and its licensees over the long term and that the problems be corrected as solutions were found.

The rate at which these "generic safety items" were being examined and resolved was, however, relatively slow and this has caused considerable public concern **/.

*/ Although it is difficult to excuse mistakes and unintended violations of regulations, the threat of legal jeopardy in such instances can only create an environment of protective cover-up among the threatened that tends to hide important safety information.

If the legal threat is sufficiently serious, career-minded professionals will seek other employment areas and thus weaken the industry's capability.

**/ The need for "instruments to follow the course of accidents" is a generic item that was to be resolved through issuance of Regulatory Guide 1.97.

The guide was excessively vague in some areas and overly demanding in others, and NRC was never able to reach an understanding with the industry concerning implementation.

In a similar vein, the ATWS issue has been debated for more than 10 years, but an agreed upon implementation plan for resolving the issue has not yet been established.

In the past two years, the NRC staff has established a more complete generic items list of its own that incorporates all the ACRS items, and has recommended priorities for addressing each item.

Although the NRC staff list is more extensive than the ACRS list, there is agreement on most of the high-priority matters.

Action plans for resolving the items of highest priority have been established and an "Unresolved Safety Issue Task Force" was recently formed by the NRC staff to assure that high-priority matters are given adequate attention.

Although the NRC staff actions in the past have not appeared to be aggressive in addressing generic problems, or timely in implementing their solutions, current efforts appear to be more acceptable. Some matters cannot be readily resolved by physical changes and will require surveillance or other types of controls to minimize public risk.

Others may involve implementation of major plant changes during planned outages.

The correction of generic problems can be handled on a longer term basis, if the risks are well understood and appropriate defenses are maintained.

The current staff actions appear to be responsive to regulatory needs, and they should be continued in an aggressive mode.

Establishing positive implementation plans once resolution actions are known is essential to maintaining public confidence in the regulatory process.

7.3.3 Back- and Forward-Fitting of Safety Improvements

The public risk associated with omitting or delaying desirable safety improvements or correcting safety deficiencies may be quite small if only a few plants are involved and operating organizations can provide compensating surveillance, for example. Changes in existing plants are often costly, and redesign sometimes delays the licensing process.

These factors must be taken into account when NRC imposes new requirements. Nevertheless, a limit must be established with respect to the cumulative risk from delaying such actions.

Some matters currently under consideration have been deferred for such a long time that they might be viewed as the object of deliberate procrastination.*/

NRC needs to show how its judgments concerning back-fit or forward-fit actions are established.

Cost and schedule cannot be overriding considerations if there is real concern for public safety.

*/ The recirculation-pump trip provision intended to alleviate concern for ATWS consequences in BWRs is not yet fully implemented, even though this has been a recognized need for about a decade. Also, recommendation for increased pressure-relief capacity in PWRs seems to be meeting high industry resistance, even though recent ATWS reviews show that such capability will eliminate most concerns for this safety issue.

7.3.4 Public Communications

The public anticipates that NRC will keep it informed in an intelligent and responsible way concerning safety problems, licensing actions, regulatory deficiencies, health effects, waste disposal, and similar matters.

The public, as well as the NRC licensees, often have difficulty in determining which sources of information are authoritative and whether information provided by NRC staff members is fact or opinion, official or private, preliminary or final.

Clearly, as was recognized in connection with the accident at TMI-2, a single, well-informed spokesman is essential to avoid confusion in responding to an emergency.

The NRC organization should be prepared, through such a spokesman, to explain, clarify, correct, modify, amplify or otherwise inform the public of matters appearing in the public information media in a timely fashion so that the public can identify the authoritative regulatory voice and discern the public safety significance of the information.

The provision of a designated spokesman to express the official NRC viewpoint should not, however, be a mechanism for stifling expression of divergent views.

Indeed, some Commissioners and some members of the NRC staff may differ with the official position, and they should be encouraged to express those views.

Speakers should state that they are expressing personal views if they do not represent the collective NRC viewpoint. When appropriate, NRC may even wish to have its spokesman discuss divergent positions that are under consideration.

The benefit from having a designated spokesman is that the press and the public can see the regulatory thought processes at work in both the official and the independent positions and can have some understanding of their bases.

8. OVERALL ASSESSMENT

The regulatory base being used by NRC is substantial.

Over the 25-year period of development, the regulatory process has evolved methodology for accident assessment in the interest of public safety that covers virtually all the major issues.

It has many imperfections, but the goals outlined in Chapter 2 of this report have all been addressed. As has been indicated in preceding sections of this report, there is considerable unevenness in the effectiveness of the regulatory activities, and in some cases, the capability does not measure up to the need.

There are a number of strong points in the current regulatory process.

They include an established review methodology that is commonly understood and used by the regulatory staff and the regulated industry, a regulatory staff on the whole of high caliber that handles the technological issues knowledgeably and with dedication, and a system for identification of problem areas that draws attention to safety matters.

These are valuable assets of the current regulatory system, and they should not be jeopardized by changes in the management structure or in the scope of the regulatory authority.

There are also shortcomings in the regulatory process that need improvement.

The President's Commission appointed to investigate the TMI-2 accident made a number of recommendations in this respect.

The ACRS concurs with many of these recommendations and offers the following seven recommendations as its interpretation of the needed actions pertaining to the regulatory process:

1. The nuclear regulatory function requires strong leadership.

This could be provided by one of several options, such as (a) a Regulatory Commission Chairman having full executive authority, (b) a single administrator to whom all regulatory functions report, (c) an administrator with full executive responsibility and reporting to the Commissioners on policy matters, or (d) a Commission formed from the chief technical, legal and enforcement executives of the regulatory organization, with one of them designated to be the chief executive officer. The essential requirements of the leadership assignment are a knowledgeable understanding of the regulatory processes, a sound technological background, and the ability and authority to act decisively on regulatory questions, including the handling of nuclear safety emergencies.

2. The President's Commission proposed that an oversight committee be established to examine the performance of a nuclear regulatory organization headed by a single administrator.

ACRS is not persuaded of the need for such a part-time oversight committee specific to nuclear energy, and believes that, if such a committee were to be created, it should have a much broader charter with regard to technological issues in society.


3. Except for a few limited cases considered during the past few years, the staff has been unwilling to investigate potentially significant safety matters if they were not identified as part of the "design basis."

Its consideration of the ramifications of accidents involving degraded safety feature performance or other circumstances leading to accident consequences beyond those covered by the "design basis" was too restrictive, causing both the industry and the regulatory staff to be inadequately prepared for unanticipated accident circumstances.

There has been a salutary change in the NRC staff views of such matters since the TMI-2 accident that seems responsive to the need.

Future organizational arrangements should assure that this interest will be sustained.

4. Some NRC staff functions need to be strengthened, including those related to (a) provision of a systems approach to safety review, (b) a better audit of design, and (c) improved regulatory monitoring of licensee performance, including operations and technical support.

5. The role of ACRS should be strengthened by establishing the necessary arrangements for assuring that timely and adequate attention to ACRS concerns is given by the Commissioners, as well as the NRC staff.

6. The nuclear industry must strengthen its ability to handle safety matters.

A strong technical and managerial capability in this area on the part of all licensees and their contractors is very important.

The industry has taken some positive steps in this direction since the TMI-2 accident, but further changes are still needed.

7. The relevant knowledge and expertise gained during plant design and construction must be transferred to those responsible for plant operations.

The licensees, individually and cooperatively, should take an active rather than a passive role in a design decision-making process.

The utility licensees must show they have effective and timely access to the technical resources of their contractors and suppliers or the equivalent over the plant lifetime.

In addition to the preceding seven general recommendations, ACRS recommends that the following nine technological matters be considered at the earliest opportunity.

8. Accidents beyond the current design bases should be considered in deciding on the future approach to siting, to reactor design, and to emergency measures.

Future reactors should not be located at sites with high population densities.

Using a risk-benefit evaluation basis, design and other measures should be considered to further reduce the probability of serious accidents and to mitigate their consequences.

9. ACRS believes that the fundamental safety goal of both NRC and the nuclear industry should be to achieve a degree of safety that is as good as reasonably achievable, taking into consideration appropriate technical, social, and economic factors.
10. Where practical, a quantitative approach should be used in establishing safety criteria, in assessing potential enhancement of safety, and in providing well-qualified comparative risk assessments relating nuclear power to other technological aspects of society.

Publicly stated goals with regard to acceptable risk, the levels of safety which are thought to have been achieved, and the uncertainties inherent in such estimates of risk should be available to provide a basis for judgment by the public.

11. The "single-failure criterion" and other failure-control design bases should be modified as necessary to encourage more consideration of progressive, common cause, and multiple failures arising from a single initiating event.

A systematic evaluation should be made of the needed reliability for components, systems, or groups of systems, commensurate with the impact of their failure on accident consequences affecting the public health and safety.

12. Separate and dedicated safety systems can and should be used where appropriate to enhance reliability; however, future safety review and evaluation should consider not only safety-designated items, but also the potential safety influence of all portions of the plant.
13. Substantially increased attention should be given by the nuclear industry and the regulatory staff to potentially adverse system interactions.

A method for studying system interactions needs to be developed and used for this purpose.

14. Much more attention must be given to man-machine interactions with respect to the manner in which they can affect public safety.
15. Regulatory and industry organizations should aggressively investigate such safety improvements as filtered, vented containment, dedicated shutdown heat-removal systems, and design changes to reduce the probability of successful sabotage.

Those improvements found to be appropriate should be implemented.

The nuclear industry should be more aggressive in seeking safety improvements beyond those required by the regulations and the regulatory process should provide incentives for this purpose.

16. Where practical, the techniques of probabilistic analysis should be applied to operating plants and to plants under construction to ascertain whether there are design improvements that could be implemented to reduce the overall risk to the public.

With regard to the regulatory and industry organizations, there is need for skill enhancement in some areas, improved quality-assurance arrangements for design, and greater industry initiative to improve safety.

The actions required to satisfy these needs are outlined in the following eight recommendations:

17. A procedure is needed whereby operating nuclear plants are periodically reexamined to take into account current nuclear criteria and standards.

The performance of the operating organization and the technical support available to it should also be examined during these periodic reviews.

The existing systematic review program should be restructured and expedited, with responsibility placed on licensees to periodically evaluate and report on the safety acceptability of continued plant operation.

18. The basic orientation of the NRC safety research program should be shifted from overemphasis on "confirmatory research" to substantial effort in research intended to improve nuclear power safety by assisting in the resolution of identified safety concerns, by examining possible safety improvements and by exploring for issues or problems of potential significance.

The probabilistic techniques developed for risk assessment should be made an active working tool in the safety-improvement effort. Legislative support will be needed in this matter.

19. NRC should use its powers vigorously under 10 CFR Part 21 to require that NSSS vendors, A-Es, and licensees promptly report safety concerns that may be raised within their organizations, including submittal of pertinent internal documents.

20. It is important to public safety that the nuclear steam system vendor organizations be maintained at a high level of competence or that an equivalent source of expert knowledge of the performance and function of the nuclear steam supply systems be developed and maintained as a direct support available to licensees when needed during plant lifetime.
21. A fundamental change in approach by both A-Es and plant owners must be developed in which the objective of the A-E is to make the safety of the plant as good as reasonably achievable, rather than merely meeting existing regulatory requirements at minimum cost.

For example, the use of probabilistic techniques and systems engineering studies, performed jointly by the A-E and owners' staff, should help to determine where significant gains in system reliability or safety margin can be obtained at reasonable cost.

A-Es should be required to demonstrate that appropriately safe design has been attained.


22. Methods should be developed and implemented to provide a meaningful, more extensive design check and audit of the balance-of-plant than has been the general custom.

This might be partially achieved through appropriate, certified third-party organizations that are independent of both the nuclear industry and the NRC staff.

However, the internal review functions of the owner and the A-E must also be improved.

23. As stated in its recent Review of Licensee Event Reports (USNRC Report NUREG-0572)*/, the Committee believes that operating experience can provide an important source of safety guidance for commercial power plants.

The Committee encourages NRC to continue to develop a program under which benefits of the lessons learned from LERs can be fed back into the design, construction, operation, and maintenance of nuclear plants.

24. The development of a limited number of standard LWR plant designs using an as good as reasonably achievable design philosophy would provide guidance in judging public safety adequacy and should be encouraged.

Where appropriate, these designs should include ideas that depart from previous practice.

The safety of operating nuclear power plants and of those nearly ready to be licensed can be improved during the current licensing "pause" adopted by NRC. ACRS agrees that some of the safety improvements could be significant.

The Committee does not believe, however, that the absolute or incremental risk from operation of several more newly completed nuclear power plants will pose unusual or unacceptable individual or societal risks.

Serious consideration should be given to permitting startup tests for plants ready for licensing that have safety features at least equivalent to those now required for currently operating plants.

These plants could then be placed on standby, as being ready for operation if required in the national interest, while NRC is deciding on the needed changes in safety requirements beyond those already announced.

*/ U.S. Nuclear Regulatory Commission, "Review of Licensee Event Reports 1976-1978," NUREG-0572, September 1979. Available at NRC and NTIS.

NRC FORM 335 (7-77), U.S. NUCLEAR REGULATORY COMMISSION

BIBLIOGRAPHIC DATA SHEET

Report Number: NUREG-0642, Rev. 1

Title and Subtitle: A Review of NRC Regulatory Processes and Functions

Date Report Completed: May 1981

Date Report Issued: May 1981

Performing Organization Name and Mailing Address: Advisory Committee on Reactor Safeguards, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Sponsoring Organization Name and Mailing Address: Same as performing organization, above.

Abstract: A reexamination by the ACRS of the Regulatory Process has been made. Objectives were to provide in a single source, ACRS' understanding of the Regulatory Process and to point out perceived weaknesses and to make appropriate recommendations for change.

Availability Statement: Unlimited

Security Class (this report): Unclassified

Security Class (this page): Unclassified