ML20010C417

Transcript of 810723 Second Workshop on Safety Goals in Harpers Ferry,Wv Pp 2-41
Issue date: 07/23/1981
From: NRC
Shared Package: ML20010C401
References: NUDOCS 8108200062

ROSSIE SUTTON

UNITED STATES OF AMERICA

NUCLEAR REGULATORY COMMISSION

SECOND WORKSHOP ON SAFETY GOALS

Cliffside Inn

Harpers Ferry, West Virginia

Thursday, July 23, 1981

The meeting of the Second Workshop on Safety Goals was convened, pursuant to notice, at 9:00 a.m.

WORKSHOP PARTICIPANTS:

Dennis Rathbun, Chairman

Office of Policy Evaluation

Nuclear Regulatory Commission

George Sege, Program Chairman

Office of Policy Evaluation

Nuclear Regulatory Commission

Dr. Herbert J.C. Kouts, Panel Chairman

Panel A - Quantitative Safety Goal

Brookhaven National Laboratory

Dr. Lester Lave, Panel Chairman

Panel B - Qualitative Safety Goal

The Brookings Institution

Dr. Paul Slovic, Panel Chairman

Panel C - Economic, Ethical, and Socio-political Considerations

Decision Research

8108200062 810724 PDR REVGP NRCISGDS PDR

ALDERSON REPORTING COMPANY, INC.

P R O C E E D I N G S

MR. RATHBUN: The comments here will be recorded and consequently the recorder urges that the people particularly at the far end speak loudly such that we can pick up all of the comments that we receive.

This is the second workshop on the safety goal project. My name is Dennis Rathbun and I am Acting Director of the Office of Policy Evaluation. I am taking the place of Ed Henryhan who has gone to DOE. I would like to welcome you in particular for coming to our workshop, and I am going to give a few preliminary remarks, and then turn to Tony Romano who will have a couple notes of housekeeping to bring to your attention, and then to George Sege who will have some introductory remarks as well.

Our panel chairmen for this workshop include Herb Kouts, Lester Lave, and Paul Slovic, and then lastly, Bob Bernero from the NRC probabilistic risk analysis staff will have some things to say, too. After that, we will go into separate panel discussions. I just might note in passing that Commissioner Bradford plans to attend tomorrow but will not be able to be here today, and that there will be a summary prepared by Brookhaven as well as a verbatim transcript prepared.

We prepared a discussion paper which I believe that you all received, and I have noticed that some participants have passed out written comments. I would urge that they feel free to bring those out in the panel discussions. Let me just go over briefly some overview remarks on the discussion paper. In responding to the recommendations of the Kemeny Commission, the Commission stated that it was prepared to move forward with an explicit policy statement on safety philosophy and the role of safety-cost tradeoffs in NRC safety decisions. The discussion paper which we labored on at some length has been drafted for your consideration in this workshop.

The results of the workshop as well as comments which we have received will be used by the Office of Policy Evaluation to prepare a policy statement on safety goals for the Commission's consideration in the early fall of this year. George will have some specific questions which he would like you to focus your comments on in the forthcoming discussion sessions.

If this policy statement is accepted by the Commission, the safety policy statement would be used in future regulatory action to assure that the public is adequately protected from the hazard of nuclear power accident. Since nuclear reactor safety is of considerable importance not only to the NRC but also to the Congress and the public, we have given considerable attention to trying to clarify the purpose of such a statement.

We think that the statement should do the following; provide or contribute to a better understanding by the public as well as regulators and the affected industry of the risk to the public resulting from nuclear reactor accidents and the role of safety-cost tradeoffs in regulatory decision making. Secondly, to provide a firmer basis for making safety evaluations and decisions and thereby leading to more predictable and consistent regulation and licensing of nuclear power plants. Thirdly, to provide a sound basis for studying priorities and safety related research and other regulatory activities.

The draft that we have prepared focuses on the risk to the public which could result from nuclear power accidents. As a follow-on we would expect that after experience is gained in implementing these particular goals, that the Commission would consider explicit goals for other types of nuclear facilities and activities. As the discussion paper notes, we have identified three broad options for consideration.

The first of these is continuation of the present NRC safety policy; the second is adoption of qualitative safety goals; and then the third is adoption of quantitative safety goals which flow from or are based upon in turn qualitative statements. Adoption of the qualitative goals might be accomplished either by a Commission statement of safety philosophy which further interprets the Atomic Energy Act's standard of adequate protection of the public health and safety.

This statement would include guidance to the NRC staff on application of qualitative goals in the regulatory process. Adoption of quantitative goals based on qualitative statements or goals we believe is potentially the most useful for guiding regulatory actions relevant to nuclear power plant safety, and in that regard I would particularly call attention to the increased use of probabilistic risk analysis in our regulatory work and Bob will comment on that in a few minutes; its potential as well as limitations at this point.

However, a defensible basis for a quantitative safety goal must be established and a practical mode of use and regulatory decision making really must be found. I am particularly concerned about this area. While we believe that quantitative goals based upon qualitative goals would be most useful, realistically we recognize the possibility that it may be difficult to develop satisfactory quantitative goals. In that event, an alternative would be to formulate, as I said before, a more precise qualitative statement of safety objectives and continue the present practice perhaps augmented by a Commission statement in that regard.

Establishment of a defensible basis for the use of quantitative safety goals leads us into the real controversy of specifying in numerical terms just exactly how safe is safe enough. Decision analysts and other professionals who have studied this problem have highlighted various logical and methodological difficulties. Doubtless, I am sure that there will be quite a bit of discussion of that in the forthcoming panel sessions.

Some risk of death from an activity with the scope and value of nuclear power is unavoidable, but clearly a large number of deaths or even statistically estimated deaths would not be acceptable, at least without some compelling justification or reason. As the literature in this area suggests, there is simply no sharp line between what is acceptable and what becomes too many or too large.

Another aspect of formulating quantitative safety goals which I have found particularly to be a nettlesome issue is to establish some basis for comparison, what do we look to; small with respect to what, comparable on what terms. The choice of what the risk is to be compared to is a key to the formulation of quantitative safety goals. Adoption of specific quantitative safety goals requires a decision on how much modification is desirable. A complex system of quantitative safety goals is likely to add to the difficulty of implementation which is already present in the use of probabilistic risk analysis.

On balance, however, we have come down on the side of attempting to lay out specific numerical goals. What we seek then is quantitative safety objectives that are aimed at the area of greatest concern; that is, protection of human life and health. Our discussion paper proposes for your consideration and comment three quantitative goals. The first one is relating to individual risk, one to societal risk, and one to reactor design.

The first goal we have stated as follows, "the estimated mean probability of fatality from an accident at a nuclear power plant should be less than some number between five ten in a million per year to individual members of the public living or working in the vicinity of the plant site throughout their lives." We think, subject to your comments here, that the achievement of this first quantitative goal would insure that the radiological risk to the individual members of the public in the vicinity of nuclear power plants is small with regard to, small relative to the risks of other hazardous activity and technologies.

The second quantitative goal is stated as follows, "the statistically estimated mean fatalities per thousand electrical megawatts nuclear power plant capacity should be less than two per year of plant operation." This goal relates to the aggregated risk to society and is needed to take into account the size of populations at some risk and the efforts which should be expended to mitigate the consequences of major accidents.

The third goal relates to reactor design. The goal that we have offered for your consideration is the following, "the estimated mean probability of a nuclear power plant accident that results in a large scale core melt should normally be less than one in ten thousand per week of reactor operation." The public risk associated with serious core damage is a matter of vital concern to the NRC since it can lead to a major release of radioactivity.

We believe, as a result, that a goal specifically focused on such types of reactor accidents is needed. With respect to implementation of the proposed goals, we suggest that the philosophy, principles, and goals should not substitute for the regulations embodied in 10 CFR, parts 50 and 100. Individual licensing decisions should still be based primarily on compliance with the Commission's regulations. What we believe should be required in implementing quantitative safety goals is to develop and disclose the relevant probabilistic risk estimates along with the underlying assumptions and uncertainties for consideration as one factor among others in regulatory decisions involving major safety issues, and in particular when those decisions relate to rule making or decisions not covered by the regulations such as questions of retrofit of existing plants, exemptions from rules, and enforcement actions.

In this way, each proposed safety decision will be related to quantitative safety goals with due regard to the nature, range, and potential consequences of uncertainties that are present.

So much for my introductory remarks. Again, I welcome you for coming, and I really plan to listen attentively to what you have to say. I would like to turn now to Tony Romano who has a couple of housekeeping notes, and immediately after that, I will turn the floor over to George who has some remarks of his own, and then to the panel chairmen and Bob Bernero.

MR. ROMANO: What I have to say will not need to be on the record.

(Discussion off the record)

MR. RATHBUN: Now, to George Sege who will present his introductory remarks and his thoughts and questions.

MR. SEGE: Thank you, Dennis, and good morning everybody.

This workshop as indicated by Dennis is part of the Commission's project to define more clearly the level of protection of the public health and safety that the Commission believes is adequate. The Commission issued a plan for developing a safety goal last October. Subsequently, in accordance with the plan, the Commission issued a preliminary statement of policy considerations which may enter into an articulation of the agency's safety goal. A report reflecting those considerations, including the Commissioner's statement, was issued as NUREG-0764 entitled "Toward a Safety Goal: Discussion of Preliminary Policy Considerations." That report was issued in March. It was discussed at a workshop in Palo Alto, California on April 1 to 3, in which many of you participated.

The workshop in April was designed to eliminate the important issues of safety goal formulation including both quantitative and qualitative elements and economic, ethical, social, and political issues as well as technical considerations. The present workshop has a more specific focus. As indicated by Mr. Rathbun, it will address a discussion paper which contains a reference safety goal statement. Like the first workshop, this is a discussion workshop involving invited knowledgeable persons representing a broad range of viewpoints drawn from technical and social disciplines, from industry, public interest groups, universities, and elsewhere.

The meeting is open to the public for attendance as observers. I am glad to see a number of observers present this morning. We would be pleased to receive written comments, preferably within ten days from any of the observers who wish to share their points with us. As mentioned before, a verbatim record is being made of all the discussions at the workshop. The transcript will be publicly available. A summary report of the proceedings will be prepared for NRC by Brookhaven National Laboratory, the arrangements contractor for the workshop. The report is scheduled to be issued in September. As mentioned by Mr. Romano, Brookhaven plans to invite participants to comment on a draft of the report.

The results of the two workshops will be available to the Commission and will be used by the Office of Policy Evaluation along with other information in preparation of a policy paper to be submitted for the Commission's consideration in the early fall of 1981.

Now to take a brief look at the agenda of our workshop. As you know, after this initial orientation session the workshop will briefly break up into three separate panels for discussion of different aspects of the reference safety goal and help frame issues recommended for discussion in the plenary sessions to follow. Panel A, to be chaired by Dr. Herbert Kouts, will address quantitative elements. Panel B, chaired by Dr. Lester Lave, will address qualitative elements. Panel C, with Dr. Paul Slovic as chairman, will take up economic, ethical, and socio-political issues.

After conclusion of the panel discussions early this afternoon, the remainder of the discussions will be in plenary sessions. After receiving and very briefly discussing the panel chairmen's reports, the workshop will devote the rest of the afternoon to technical evaluation of the reference goal. Social evaluation and implementation issues will be taken up tomorrow morning. After lunch tomorrow, there will be a short general discussion. The workshop is scheduled to adjourn at 2:30 tomorrow afternoon.

I shall now turn to a very brief overview of some of the salient issues and how they fared in the reference safety goal statement before you, and I will suggest some topics for your consideration and discussion. The discussion paper reflects a proposed settlement of a number of issues pretty much up in line with prevailing views which emerged from the first workshop. Also addressed in the paper, sometimes incompletely, are issues that the first workshop discussions left very much open.

There may well be room for further discussion about both groups of issues, but participants' views are particularly sought about the latter group. The reference safety goal includes the following elements that appeared to elicit wide agreement among the participants of the first workshop; one, qualitative goals are formulated and used as a basis for quantitative goals; two, quantitative goals are supplements to qualitative principles and do not supplant them; three, the implementation process is an integral part of the goal specification; four, the safety goals are envisaged as dynamic with special provisions for existing plants, transition, and future evolution; five, costs, benefits, and practicalities are considered in both the basis and the implementation of the goals; six, protection of the individual and society are both provided for; seven, the basic scope of coverage at this time is reactor accidents.

The reference goal statement also addresses the following issues about which no wide consensus had emerged from the first workshop. On some of these issues there was controversy. On others, the discussion did not reach the issue or did not proceed to a conclusive result. I will skim the surface of ten substantive issues in this category. One, what should be the qualitative goals? The goals stated in Section VI of the discussion paper should be read in conjunction with the principles guiding development of a safety goal in Section IV.

The qualitative goals themselves are stated in terms of limiting risk to any one person and in keeping aggregated social risk adequately low in relation to other risks. Such qualitative goals tend to have something very general and commonplace in their articulation; perhaps necessarily so, perhaps properly so. We would, however, welcome improvements that the workshop may develop in the drafted qualitative goals to help make them as sound and as useful as possible.

Two, what should be the extent of quantification? Our draft's approach is simple limiting itself to three elements; is more needed and can more be managed in a practical scheme of implementation? Three, what quantitative elements should be specified, at what values? The reference goal specifies an individual exposure limit, a social impact per unit of energy production, and a core melt probability. Should other parameters be specified in addition to or instead of these? What are workshop participants' views about the numerical values of the quantitative goal?

Four, what qualitative elements should be specified. The reference goal statement includes rudimentary specifications for individual and social protection and discusses some qualitative principles that have guided development of the goals. Five, what should be the implementation process? How should goals be used? How should uncertainties be dealt with? How should any burden of proof be allocated? The proposal in the discussion paper would implement the safety goals with a very light hand. The goals would influence rulemaking and other standard setting with respect to major safety issues.

They would also influence decisions on issues not covered by regulations; backfitting of existing plants, exemptions from rules, enforcement actions. But the key is analysis and disclosure; disclosure of the bases and uncertainties as well as results of analysis, and consideration of this information as one factor among others in the major safety decisions involved. The manner and extent of the use of information would be determined by the nature of the issue. Uncertainties would be respected; prescription and proof would generally not be involved.

Six, should the scope of the safety goals be extended to aspects other than accidents and to facilities other than nuclear power plants? The discussion paper suggests deferment of any such extension. Seven, how should equities be taken into account, particularly (a) in the distribution of risks and benefits and (b) genetic risks? The discussion paper acknowledges that it may not be possible to devise a system of regulation whereby the distribution of risks and benefits is always equitable to each individual.

However, if the risks are small enough, there should be correspondingly reduced concern by individuals regarding the balance of risks and benefits. Genetic risk is not specified as such. Rather the reference goal structure depends for validity on the thesis that regulatory actions with respect to reactor accidents would not be sensitive to inclusion or exclusion of a genetic risk specification.

Eight, should there be safety goals beyond a specified level of minimal adequacy? The discussion paper endorses a concept of "as low as reasonably achievable" without specifying a numerical formula for cost based cutoff in cost-risk tradeoffs. In a broader sense, the issue of safety improvements beyond minimum adequacy is left somewhat open by the non-prescriptive nature of the implementation process.

Nine, should there be a special emphasis on high consequence accidents even at low probability of occurrence? What form should that emphasis take? The discussion paper expresses interest in considering incorporation of some special approach. We would welcome suggestions. The paper notes remote siting and measures to mitigate accident consequences as specific actions to reduce catastrophic potential.

Ten, what should be the role of economic considerations? The discussion paper provides proposed guidance on recognition of economic factors in ALAR, the "as low as reasonably achievable" concept, in decisions concerning the possible backfitting of existing plants to new requirements, and in timing of corrective actions when required in an operating plant and the severity of the problem is not such as to demand immediate action.

I hope that the workshop participants will give us the benefit of their views on a number of these issues. An at least equally important desired result of this workshop is identification and illumination of any additional issues that should be considered further at this time.

Thank you, Mr. Chairman.

MR. RATHBUN: Thank you, George.

Now, I would like to turn to Herb Kouts who is the panel chairman of the quantitative elements panel discussion for any introductory remarks that he might have.

MR. KOUTS: I do not have very much to say. We are going to have two sessions at which we can talk about the quantitative aspects of the goals that are in the discussion paper that Dennis and George talked about. The first of these will come shortly. It will be about an hour long, and during this I think that we ought to pay attention primarily to the question of how well the goals established in the discussion paper address themselves to the admonitions or the questions that were brought up at the Palo Alto meeting. I have a list of those that we will be going down, and perhaps we can get comments on that.

I think the discussion paper, we will find, has addressed these to a more or less degree of success, and perhaps that is quite adequate for our purposes, or maybe we have some further things to say in that respect. We do have a plenary session this afternoon, plenary session III at which the quantitative aspects are again going to be discussed, and this will give an opportunity for all to jump in and have something to say about this.

At that time, I hope that we will primarily take up things like do we have the right goals, the right types of goal structure, especially the right quantitative safety goals, and are the numbers reasonably correct; what do we have to say about the numbers which are in the quantitative safety goals, what can we say about the method of application? And finally, to take up this important question which is left open in the discussion paper on do we include risk aversion, and if so, how?

That is all I would like to say, Dennis.

MR. RATHBUN: Thank you, very much, Herb.

Now, I would like to turn the floor to Lester Lave who is the chairman of the panel discussion on qualitative elements.

MR. LAVE: I would prefer to reserve my time to later, thank you.

MR. RATHBUN: Thirdly, Paul Slovic will be chairman of the panel discussion on economic, ethical, and sociopolitical issues.

MR. SLOVIC: I would like to just briefly remind people of the issues that were salient in our discussions last April and then to just quickly review a handful of the issues that sort of caught my attention in reading the discussion paper. Last time, the central issues in the economic, ethical, and socio-political domain were things like questions of distribution of risk and benefit and how should these equity considerations be incorporated into safety goals and indeed could they be incorporated.

We discussed problems of the scale of the nuclear effort and whether it made a difference to goals how many reactors were operating. We talked about the level of risk in quantitative goals and whether nuclear power should be required to meet more stringent standards than other energy technologies. The risk aversion problem which almost everyone has mentioned this morning was a key area of concern, and I anticipate that we will certainly be discussing it again today. There were concerns about developing incentives for better performance in design, maintenance and operation of nuclear power plants and whether the goals could somehow incorporate such incentives.

There was a lot of discussion of the process questions and the problems of verification of the goals. I think that that sort of summarizes just the topics, some of the topics of discussion in the panel last time. I am sure that everyone in reading the discussion paper has their own list of salient issues.

I just mentioned the things that caught my attention in particular. There is a reference to a comparison of nuclear risks with other risks of life, and that raises a question in my mind as to how this comparison should be carried out.

Risk is multi-dimensional; how do you make seemingly non-commensurable things commensurate in a comparison? One of the statements in the goals is that public perceptions of risk and public values should be taken into account in establishing safety goals. I think that we all agree with this, but I see it as a very big and difficult responsibility. How do we determine which perception and which values to take into account and how do we do this? How do we incorporate these values with technical, analytic considerations?

l As I mentioned earlier, there were questions about I

5! whether or not risk aversion should be built into the goals and y

H, 1

3 l

3 6

how one does that.

Another statement that seems to be central SS 7

here is that costs, benefits, and practicalities are to be s

j 8,l considered as a basis for goals, but in my mind this raises a Q

O 9

question as to what costs and what benefits are legitimate.

One I

z 4

c j

10 can contrast a rather narrow view of health, that just looks at d

h II health effects, sort of immediate damage, lives lost, or latent 3

j j

12 fatalities with a much broader view of costs and benefits that E

I j

13 l takes into account a kind of higher order considerations i

W I4

'l relevant to the availability of more or less nuclear energy in E

j j

15 society.

I think that the breadth of costs and benefits that are considered has definite implications for the kinds of goals that are derived. One statement that really catches my eye in the document is the statement that some risk levels are unacceptable or intolerable regardless of the benefits to be obtained. I think an extremely interesting question is this really true and how do you determine the level above which the risks are intolerable regardless of the benefits in a system where benefits are to be considered.

These are just some of the nettlesome issues that I think are worth discussing, and I am sure that there will be a lot more issues raised today and tomorrow.

MR. RATHBURN: Thank you, Paul.

I would like to turn the floor to Bob Bernero who most of you know, and he wants to talk a little bit about the problems and uncertainties associated with probabilistic risk analysis or assessment.

MR. BERNERO: I have copies of these remarks which are being distributed right now and you can have them for later perusal.

In the business of risk analysis, people frequently or at least sometimes accuse risk assessors of two modes of physical behavior. One is arm waving where a decision is made to be supported and risk analysis is used in a rather energetic way to support that decision sometimes stretching it beyond the bounds of credibility; and the other is hand wringing where the risk analyst is agonizing over the decision and cannot give any useful advice or cannot make the decision.

The upper part of my body is covered with painful sunburns so I am physically unable to arm wave today. I will, however, try to do a little hand wringing because I think that it is warranted. We have in probabilistic risk analysis a very useful tool, something that I think can add a great deal to the responsible regulation of nuclear power or any other high technology activity. However, we are dealing here with something that has been sort of the swing of a pendulum.

There was rapid and very powerful development in probabilistic risk analysis back in the mid '70's, and then for a period of four or five years the pendulum swung the other way. Probabilistic analysis probably was not used and it was set aside and almost in effect rejected. Frequently, people cite the Lewis committee report on WASH 1400 as a basis to reject probabilistic risk analysis. If you ever read that report, it does not say that at all. It says, use it but use it with care.

Well, that pendulum is swinging the other way now. Three Mile Island was a traumatic event. I think that if we had used probabilistic risk analysis that there is an excellent possibility that that accident would not have happened, that the plant behavior would not have been misinterpreted or misunderstood so persistently and for so long a time. Now, with the wisdom of that trauma working on us, probabilistic risk analysis is being used very, very extensively.

We are finding companies, owners, agencies like the NRC going off en masse doing individual case analyses, probabilistic analyses in the IRA program, the ENRA program, and any other kind of reliability evaluation you think of. It is very popular. Some members of the NRC staff like to use the phrase, it is very trendy, very attractive. I have a concern that our enthusiasm for it should be tempered, it should be tempered. We should recall those precautions that are necessary to use probabilistic risk analysis.

I asked the senior staff of our group at NRC, the division of risk analysis, to put together some notes on the individual parts of probabilistic risk assessment or analysis, and I asked one of our contractors, the Battelle Columbus Laboratories to cooperate in this, and those are the notes which I have just distributed to you or are being distributed to you right now. What I would like to do is to go through them and go through some of the highlights of them just touching on some of the easier ones.

If we pause for a moment and think what is probabilistic risk analysis, actually what one does is select events to be considered, accident initiators. You start out to construct event trees which are really a logical structure of the events that you wish to consider. Starting with a loss of coolant accident or starting with a transient, you identify the nature of the event and the nature of subsequent events which your logic and your analysis of the plant tells you is necessary so that you can where the event might go given success or failure of interrelated parts of that plant design.

These are called event trees. When you have an event tree, then you can construct a fault tree which is sort of an equation whereby you can relate things which affect system failure or element failure where a function of a system will not fail unless three things fail, and one can then set up an equation or logic which says this, and this, and this, all three things, must fail to fail this upper function. This is called a fault tree. When that is done, when one has the event trees and the fault trees for the scope of interest, Boolean algebra manipulation is used to sort out the combinations and permutations to get them into a manageable size.

Then when you have a manageable set of event trees and fault trees, there is a quantification where you fill in the best available data for the failure of component A, and the failure of component B, or the failure of component C, and then the machine, the calculating machine, can sort out all of these individual failures by their relationship and give you the probability of system failure, the probability of core melt. So basically what you get at that stage is the probability of serious system failure or the probability of core melt.

That does not tell you what the public health risk is yet. Then you have to go into the event tree and describe physically, model physically, what is happening and how this process leads to core melt or how the containment system is challenged; its cooling, its pressure retaining capability, and how it might fail, how a molten core might go through the base mat, or cause over pressure, failing the containment.

Subsequently, you must model how the fission products are released from the core, move out of the reactor coolant system, move through the containment, and through its breach, if there be one, to reach the public; to get out of its containment and then one must model the atmospheric conditions by which the radioactive material can rise in the air, move out, possibly be precipitated by rain, or a fallout drive if there is no rain, and then one must model the health physics effect that given a certain amount of nuclide reaching people in a certain location, what are the bodily effects. Is that enough to kill a person, is that enough to cause serious radiation injury, or is that enough to have a significant probability of latent cancer showing up some ten, twenty, or thirty years hence?

All of this modeling is part of a probabilistic risk analysis. Some of us use a shorthand expression that in programs like IREP, interim reliability evaluation program, where we describe the first three elements of this down to the core melt probability as a reliability evaluation and the whole thing as a risk assessment where one is actually calculating public health effects, the offsite impact as a risk assessment.

Now, I would like to go through some of these and highlight the problem. Let's start with the problems in event and fault tree modeling. One of the first things here is what specific initiators are to be considered ties to thing one down here, the definition of how to treat external events. Basically, you have the difficulty here of setting up a manageable scope and yet being complete. Frequently, when a risk assessment is set up, it is necessary for it to be manageable to set aside some things.

Now, that does not mean that you solve that problem, that you have assessed that risk. It just means that you set it aside for later consideration. Probably the most significant of these, or notable I should say, not necessarily significant, we do not know, is safeguards. We frequently approach a risk analysis and say, I won't attempt to rigorously include safeguards; that is, the threat from a malevolent person causing system failure, because it is not clear how I can manage that, how I could quantify that. So I will knowingly set it aside. Obviously, you carry that unresolved question throughout that risk assessment.

When you get to the end, you have not solved safeguards, you have not addressed. You have merely set it aside, and you have a problem in saying how does that affect my answer, how does that affect the validity of what I am doing. We also do that sometimes with common cause failures where they are analytically difficult to manage. Seismic risk analysis is a good example of that, where it is very difficult to do the technical work to fit seismic caused failures into failures caused by just random failure of components or human error.

Another problem that one runs into here is the definition of what causes system failure. When you are doing a probabilistic risk analysis, it is convenient, and in fact almost necessary, to use a binary logic, to say the answer can only be yes or no, and there is no practical way to treat a partial failure or a partial success. It is just too complicated. It is going to mess up the equations, make them vastly larger.

For instance, in a risk analysis like the reactor safety study, given a loss of coolant accident, let's say an intermediate size break in a pipe, the definition of system success is to go to the previous safety analysis and say for that size pipe how many pumps had to work to meet the licensing criteria, and if the licensing analysis said one high pressure injection pump and one low pressure injection pump are necessary, then that is the definition of system success that was used.

System failure is the failure of either one of those. Now, if you look carefully at some of those pipe break analyses in the safety review, you will find some instances where it is asserted in the licensing review that a low pressure injection pump, a larger flow pump, is necessary to provide abundant cooling water. However, a careful scrutiny of the limited flow that you would get from one high pressure injection pump, which is smaller of course, would show that a realistic estimate might clearly say that one high pressure injection pump is enough.

So the risk analyst who went to that safety review for the definition of system failure can build a bias into the analysis there by the definition of system failure, and this is not uncommon.

There is one other on here that is worth pointing out, the very bottom one; the system interactions that need to be studied. One of the most important events in nuclear plant safety or failure of recent years was the Rancho Seco light bulb incident of some four years now, '77 or '78 that it occurred. In March of '77 or '78, I cannot remember which, there was an incident that many of you may remember where an operator was changing a burned out light bulb and he dropped it on the instrument panel, and it caused a short circuit in what is called the non-nuclear instrumentation. It is not the safety grade instrumentation, it is the stuff that does not get a hard review.

As it turns out, the non-nuclear instrumentation bus, a DC power bus that powers that instrumentation, shorted out, failed, and it resulted in the plant control system reading blind instruments. The plant control system reads those non-nuclear instruments to decide whether more feed water is necessary or less feed water, or whether the pressurizer's spray valve should be opened in order to cool down the reactor coolant pressure, and so on. What happened by the mere dropping of that light bulb and shorting out that DC bus the plant was suddenly blind, its control system was reading signals from instruments that are now unpowered and it depends on where the needle went, whether the needle went to a mid-range no position or a bottom range no position.

So the plant started doing strange things. The control system was trying to make sense out of these conflicting signals. The operator of the plant was suddenly blinded with what I would describe as white noise. If you have ever been in a reactor control room, there are a lot of inspections, a lot of alarms, and many, many of them are housekeeping things about low pressure on some expensive bearing and things like that. Well, all of a sudden, an awful lot of those things lit up. There was an operator who really did not know what was going on. That incident started the plant down a path that could have led to a core melt, and simultaneously blinded the operator.

Now, in a risk analysis, it would be comforting if we had said, yes, we discovered that in a risk analysis. Now, it happened in Rancho Seco, as I said, in 1977 or 1978, and we were doing a risk analysis, a reliability analysis, as I should qualify, of the Crystal River 3 in late '79 and early '80, and we tried to look for that and we did not find it. We did not express in our fault tree analysis a clear indication of the plant dependency on that. That event has actually happened now in one form or another three times.

It happened in Rancho Seco, it happened in Oconee once, and it happened in Crystal River itself in February of 1980. The problem has to a very great extent been fixed by alternate DC power supplies for that non-nuclear instrumentation. I must be quick to point out though that it was fixed by the sheer force of looking at the experience. One of the problems in probabilistic risk analysis for a subtle problem like that is finding it by extensive analysis. It is not easy to draw that out of the analysis.

MR. ZEBROSKI: Bob, may I interject in a little bit of accuracy.

MR. BERNERO: Sure.

MR. ZEBROSKI: You know we studied all three of these things in great depth and documented them, and it is precisely because of PRA that not much was changed in the early days of it, and I have to take exception to your statement that it could have led to core melt. The reason that the vendor argued that he was harmless and the design was safe is that all the scram systems were designed to cover just this situation of failure of the control system. I happen to think that that a lousy bit of judgment, but it was precisely because those regulatory required scram systems were in place and did shut the plant down safely despite of some of the irrational behavior of some of the instruments, that nothing was changed after the early events.

There was a great deal of pointing out that there is no sense in subjecting the operator to a white knuckle situation from anywhere from ten to thirty minutes. There is no sense in designing the plant to frustrate the operator, but that began to be turned around. It is precisely because this analysis did not show that it was risky that it came so slow.

MR. BERNERO: A risk analysis would have shown, in countering that somewhat -- the incident of that type that occurred in Crystal River where the initiating event was not a light bulb but shorting of two pins of a terminal block going in, the operator's reaction was diametrically opposite of what it was in TMI to an event of that type. The operator in Crystal River, if one could just simply state it, in effect said, I do not really know what is going on in this plant, but I do know that lots of water is good, and not enough water is bad, and TMI is fresh in my mind and he turned on the high pressure injection system. I do not say that the Rancho Seco light bulb incident was a core melt or that it was a certain core melt, but it was just, as you put it, a white knuckle situation with a much higher desirable probability of getting into a human error caused or a human error abetted core melt, and it was evaluated.

That is the problem. It was a challenge which was occurring, and it occurred three times. It was not being quantitatively being evaluated.

MR. ZEBROSKI: I think that your main theme here, if I might say despite my dissent on your point there, your main theme that PRA which amounts to square filling can be counterproductive, and I agree with that.

MR. BERNERO: Then if we go on to some further problems, I will just single out a couple of them. We just mentioned the second one here, the definition of possible and not only probable human actions which can occur in an accident scenario. At Three Mile Island, there was a situation where the mechanics of the system -- there was a failure. The power operator release valve stuck open, and it was a mechanical failure tantamount to a small loss of coolant accident. Then the operator was misinterpreting the signs, misinterpreting the signals, and he would cut back on high pressure injection, and then he would allow it to go forward, and then he would cut back.

The human intrusion drastically changed the equation. It did follow the simple logic, and the point that I would make is that in the probabilistic risk analysis it is so much easier to start a chain of events going and just follow according to the physics of the thing. It is much more difficult to come in and modulate this chain of events by the possible human intrusion in particular. There are some failures here that may or may not be considered in the fault tree analysis.

One of the most intriguing is design errors. Design errors are supposedly caught in the test program, but the test program of a plant cannot thoroughly wring out every aspect of it. It cannot discover all design errors. Obviously, if the designer of the reactor pressure vessel instead of designing it for operation at 2200 pounds of pressure designed it to operate at 1200 pounds of pressure in a PWR, you would discover that very painfully in the hydrostatic test because you tested it at almost 4000 pounds.

When you squeeze the pressure up to that level, that vessel would deform or burst, and that would be an assurance that you would not go into operation with that grossly under designed vessel. However, if the vessel is designed for thermal transients in a certain area, it is not always possible to have tests which will reproduce bounding challenges of thermal transients combined with pressure, something like that. Therefore, if a designer was wrong there, the event might show it up if it happens, if an accident or a transient occurs.

So in a probabilistic risk analysis, there is a serious question to ask, what failures, what errors, what mishaps should I include in a probabilistic risk analysis, and of course if you choose to do that, if you choose to insert a design error, for example, and want to do a risk analysis with some rigor, you of course are going to have to ask yourself what probability should I assign to the designer mistakenly designing for thermal stress or whatever it might be.

MR. KOUTS: Could I say something about that?

MR. BERNERO: Sure, Herb.

MR. KOUTS: Because that was a point that we went very thoroughly into in the Lewis panel, and the point that was made to us and I think that we finally agreed with, was that design errors of this kind probably get into the data base on which failure probabilities are based. So they naturally work their way into the risk analysis even in a more natural way than including them into branches of the event trees or fault trees.

MR. BERNERO: Yes, with time.

MR. KOUTS: With the data base, they tend to be there.

MR. ZEBROSKI: Well, if I may illuminate that point. That also makes the point that you have confidence on many of these things. For instance, the vessel is based not because you have some high level gold on the vessel, but because you have a hundred years of experience, and cogent standards, many inspections, procedures, processing. So it is this whole body of experience and some discipline, in the extent to which you believe that there is discipline in enforcing them, that gives you some confidence when you say that the vessel has got ten to the minus six or seven probability of unexpected failure. You have the ability to make that sound plausible.

In that one rare case, you have almost a million years of experience on vessels to make that experimentally possible.

MR. KOUTS: That was one of the things in the data base considering the failure probability.

MR. BERNERO: In effect what you are both saying is that you will ascribe confidence to that process, the cogent standards experience, and the ASME pressure vessels, and the growth of technology that sets that particular design error so low in probability that you can set it aside.

MR. KOUTS: No.

MR. BERNERO: That is in effect what you are doing.

MR. KOUTS: That is not what we are saying at all.

MR. COCHRAN: We could be here all day if we are going to discuss this.

MR. RATHBURN: I have my eye on the clock. We are due for a break at 10:30. I think that probably you should hold the comments until the panel sessions.

MR. BERNERO: Let me single out one more thing here. This second one from the bottom, how to treat phasing. An example that came out of a risk analysis which we were doing recently brought this out. As it turned out, it was very frustrating because it was based on a wrong piece of information. There was a particular safety pump in a plant that originally was designed such that it could run at shutoff head; that is with no flow delivery. It could run at shutoff head for only fifteen minutes before it would start to overheat. It was an ECCS low pressure injection pump.

If you ever had a safety injection signal on a small break -- that pump did not have the delivered head to deliver flow to the reactor coolant system. It would automatically start with that plant's control system, it would automatically start with its shutoff head, and while the operator is busy coping with the accident, he had also to reach over and put that thing on reset, shut it off so it will not burn out. Then the unfolding of a chain of events, uncertain loss of coolant accidents would give the signal once again, and it would start again, and he would have to reset it once again.

To quantify that was extremely difficult because in some sequences as many as four or five times that would come up, and what it pointed out was that that is a dumb way to design the system. The owner had recognized that separately and had changed the system. We discovered that on further pursuit, because it appeared that we had a very poorly designed pump there. They had changed the cooling flow setup so the pump would not burn out. The reason that I bring up the example is it is extremely difficult to deal with that sort of phasing, that timing, and to deal with it quantitatively. It is just not easy to quantify.

Let me turn to the problems in Boolean manipulation and I will just touch on this a little more briefly because it is one of the more arcane parts of this. I think that there is one thing worth noting there, it is the middle element. This is how to detect event tree and fault tree construction errors. Right now, the quality assurance of probabilistic risk analysis almost forces you to do the work again. It is very difficult to screen event tree and fault tree analysis short of going back into it and devoting almost as much time to redo the effort in order to find the errors.

This is one of the real problems. So frequently when a risk assessment is done, it stands there really untested by that close scrutiny because few people other than the ones who did it will expend the resources to go down to the same level of detail and work that out. If we turn to quantification, event tree and fault tree quantification, here we start getting to the numbers, the probabilities of system failure and core melt.

There are a number of problems there. One, to quantify an independent component failure contribution, there was a great deal of discussion after WASH 1400 because if you go to look for the reliability data associated with certain components or classes of components, you find that some of them are new, some of them are not. The probabilities of pipe failure, one starts looking at chemical refineries saying how could I relate the failure experience in chemical refinery piping with that in nuclear power plant piping, because of their similar quality assurance provisions and so forth.

There is a great deal of need for improved data base in component failure, but even more so in the quantification of common cause and human error. These two elements here will frequently show up as significant elements in a risk assessment, even more significant than component failure data, and they are both very subjective in their treatment. There is a great deal of subjectivity.

In particular, the quantification of human error is so difficult to do, because we do not have the good, rigorous understanding of performance shaping factors. What are the circumstances that will greatly increase the likelihood of an operator making a mistake when he has to shut off a system, or turn on a system, or switch a system from direct flow to recirculation, or whatever his role might be.

It all comes down to the question of the very last item on this chart; how do we model and quantify the uncertainties. We have been dealing here with the event tree and the fault tree analysis, and the question that comes is, is there a way to state the uncertainties in a quantitative way, so that we could, one would hope, someday be able to say that the probability of core melt is calculated to be x with a level of confidence that is rigorously derived from a quantification of the uncertainties. That is not a well developed science right now.

The calculation of core melt is in the minds of some the easy part; now comes the hard part, the problems of accident phenomenological modelling. It is one thing to go after the probabilities of valve failure, but when one is trying to model the processes by which the core melts and causes the surrounding metal to reach temperatures that will make it react with water chemically. All of these phenomena here are extremely difficult to do, and there is no hard data base for it.

The NRC has just put out a report that basically addresses these last two, sort of a state of the art report, NUREG 0772, which I think is a useful document if you would like to read it. To give you an idea of the difficulties of describing the physical processes of melt down, energy release, the generation of fission products in mobile form, and how they are transported through the reactor coolant system and out to the containment, and then of course, this transport extends up to the containment and through it.

J 25]

One has to analyze the containment failure, and then carry on off site where there are other problems that plague the analyst. For instance, you have meteorology data for a site, but you are now analyzing the transport of radioactivity over rather large distances, depending on which way the wind blows. It would be much more rigorous if you used detailed meteorology data for each of the locations over which it was blowing, and that is what the models usually use, the site data, and extrapolate it out to ranges of tens and even to hundreds of miles.

A lot of the models take a probabilistic approach to wind direction, but then for simplicity keep the wind blowing in that direction for the time of interest, and just deal with the probability of the atmospheric conditions, for instance, rain, as the plume goes out in that direction. There is also difficulty in modeling the movement of people. Here again, for emergency planning purposes, each accident sequence has a different characteristic; it has a different timing by which the operator must recognize the problem and by which the operator might notify the state authorities; and circumstances under which the state authorities would decide to evacuate, if such is warranted; and then how do the people respond to that evacuation; do they all move, do they all move at the same velocity. Modeling that is quite complex.

Lastly, when you are out there with the radionuclide modeling, the health physics modeling; what are the fatality effects of radiation exposures, what are the latent cancer effects of radiation exposure, and how does one treat them. That is another difficult part. Then throughout this, just as in the preceding part on calculating core melt probability, there is a very serious question of how can you quantify the uncertainties in this model, and there is no method that exists whereby one can quantify that uncertainty. That was the fundamental comment of the Lewis committee where the comment was that WASH 1400 seriously understated the uncertainties in the health effects or in the risk estimates.

If this sounded like a pessimistic account, it was intended to be. It was intended to be hand wringing. This is not to say that recent analysis or probabilistic risk analysis should be rejected. It is a developing tool that has a great deal to offer to us, but the reason for my remarks here today is to warn you against what I like to call terminal bottom line illness where the bottom line number, the probability of health effects, whether a death, or a latent cancer, or whatever, is taken as the sacred decision point.

It is very difficult to calculate the probability of death using this analytical tool; it is even more difficult to assess the certainty or uncertainty of that calculation. So the whole purpose of these remarks is not to discourage the use of probabilistic risk analysis but to encourage careful use of it. Later on this evening, one of the members of your staff, Matt Taylor, will offer some optional remarks on the risks that we have seen or sort of an overview of the core melt, and containment failure challenge, and release results of a variety of risk analyses that I think might shed useful insight on the relative significance of preventing core melt as against the containment systems or mitigating systems that would tend to protect the public health even if the core does melt.

I think that you might find that a useful discussion. It is going to be held in this room at about 6:00 while the cash bar is outside, and you can get a drink and come here and listen to Matt Taylor's remarks.

Thank you, very much.

MR. RATHBUN: Thank you, Bob.

I am going to forego the opportunity, the temptation to comment by anyone, because I think that we would quickly go to a large number of comments. I think that we should break now until 10:50 and then take up again in the separate panel discussions.

Yes, Tom.

MR. COCHRAN: Aren't we fifteen minutes ahead of schedule?

MR. RATHBUN: Ten minutes.

MR. COCHRAN: Why don't we use that in our sessions rather than break?

MR. RATHBUN: Okay, fair enough. Why don't we then reconvene at 10:40?

MR. COCHRAN: Or 10:30.

MR. RATHBUN: The Chair has decided 10:40.

(Whereupon, at 10:17 a.m., the plenary session recessed to reconvene in panel discussions.)


NUCLEAR REGULATORY COMMISSION

This is to certify that the attached proceedings before the

in the matter of: SECOND WORKSHOP ON SAFETY GOALS

Date of Proceeding: July 23, 1981

Docket Number:

Place of Proceeding: Harpers Ferry, West Virginia

were held as herein appears, and that this is the original transcript thereof for the file of the Commission.

Rossie Sutton
Official Reporter (Typed)

Official Reporter (Signature)