ML20033B171

| Person / Time | |
|---|---|
| Issue date: | 09/30/1981 |
| From: | Ernst M, Murley T, Thadani A NRC |
| To: | |
| References | |
| NUDOCS 8111300505 | |
| Download: ML20033B171 (13) | |

Text
{{#Wiki_filter:NRC REGULATORY PERSPECTIVE ON RELIABILITY AND RISK ASSESSMENT

Thomas E. Murley, Malcolm L. Ernst, Ashok Thadani
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555, U.S.A.

NOTE: This paper reflects the views of the authors. It should not be read as a policy statement of the Nuclear Regulatory Commission.

International ANS/ENS Topical Meeting on Probabilistic Risk Assessment, September 1981

8111300505 810930 PDR MISC PDR
ABSTRACT

The NRC is making increasing use of Probabilistic Risk Analysis methods in the regulation of nuclear power plant safety. The current regulatory usage is described in the TMI-2 Action Plan (NUREG-0660, May 1980), the Commission interim policy statement (June 1980) regarding consideration of radiological impacts in preparing EIS, and the near-term CP application requirements (NUREG-0718, August 1980). NRC is requiring licensees and applicants to perform site- and plant-specific PRA studies in special circumstances such as, for example, nuclear plants located in high population density areas. The goal of NRC in requiring these studies is to gain a better understanding of the unique safety aspects of these plants. Current plans call for the requirement of PRA studies for all operating nuclear plants on a phased schedule over the coming few years. The staff has used PRA studies to identify design or operational weaknesses which have not been identified by current deterministic approaches. Although specific criteria for making regulatory decisions based solely on PRA results are not available today, risk perspectives nonetheless provide a valuable aid in making regulatory judgments.
INTRODUCTION

In the past, the NRC's regulatory and licensing decisions have been based on the defense-in-depth concept, which emphasizes good management; quality assurance; conservative design, construction, and operations; prevention of core damage accidents by requiring appropriate emergency shutdown and cooling systems; mitigation of any accidents that might lead to core damage through the use of systems that reduce the amount of fission products released to the environment; and siting in areas that are not in close proximity to highly populated areas. Analyses to demonstrate compliance with NRC's requirements have generally been based on conservative engineering judgment, with little emphasis on probabilistic assessments as to the likelihood of meeting the engineering intent of the requirements.

Early attempts at risk analyses received their impetus from the desire to establish Price-Anderson accident indemnity levels. The first such study, done in 1957, was WASH-740, which attempted to set upper bound accident consequences but which did not seriously attempt to establish the probabilities of such accidents. An attempt to update WASH-740 in 1965 was unsuccessful because it was judged to be beyond the state of the art to establish reliable probability and consequence estimates for serious accidents.

In early 1972, at the prodding of the Joint Committee on Atomic Energy, which wanted a basis for renewal of the Price-Anderson Act, the AEC contracted with Professor Norman Rasmussen of MIT to direct a comprehensive study of the risks from accidents at nuclear power plants. This study proved to be far more difficult than originally envisaged, but under the leadership of Professor Rasmussen and Saul Levine the methodology was developed to identify the dominant accident sequences leading to release of radioactivity and to quantify the risk from such accidents. The final report, WASH-1400, was published in late 1975, and it immediately became a source of controversy. Proponents of nuclear power used the report to reassure the public of the safety of nuclear power, while opponents attacked the methodology and the probability estimates as being too unreliable for meaningful risk estimates. A subsequent review in 1978 by the Risk Assessment Review Group, chaired by Professor Harold Lewis, found that the risk assessment methodology was sound and should be used more widely in the regulatory process, but that, due to an inadequate data base, the error bounds on the risks quoted in WASH-1400 were greatly understated.
At the direction of the Commission, the staff presently is drafting a safety goal, which likely will include proposed quantitative guidance or criteria on parameters such as individual and societal risk, core melt frequency, containment performance, and the use of the "as low as reasonably achievable" (ALARA) principle in the regulatory decision process. Adoption of such quantitative guidance is very important to the long-term, effective use of PRA as an aid to decision makers. George Sege, NRC, has a companion paper at this conference on the status of this project, and portions of our paper reflect some of the current staff thoughts regarding the use of PRA in the implementation of such quantitative guidance.

It is against this background that the NRC today is making increasing use of probabilistic risk assessment (PRA) methods as a valuable aid in making regulatory judgments. While there is a good deal of caution in using absolute values of risk estimates, PRA techniques are quite useful for making comparative safety assessments. A companion paper at this conference by El-Bassioni et al. describes some examples of the application of PRA in licensing activities.
Procedures for Probabilistic Risk Assessments

At the present time, there are no standardized procedures for the conduct of probabilistic risk assessments. Because of the evolving nature of the science, it would be premature at this time to prescribe rigorously the procedures for performing such assessments. Even if there were a present consensus on such procedures, it would be unwise to codify the details as a regulation. Experience has taught that excessive codification of calculational techniques may lead to burdensome regulation that focuses more on form than on substance. However, lacking some degree of standardization of PRA methodology, quantitative guidance (such as might ensue from a safety goal) would find little useful application in either regulation or licensing due to the large uncertainties and possible subjective judgments inherent in the performance of PRA.

The IEEE and ANS, under NRC grants, are at present developing a Procedures Guide for the systematic application of probabilistic risk and reliability analyses to nuclear power plants.[1] When the Procedures Guide is completed, the NRC will consider adoption of guidance with respect to various aspects of risk assessment methods. Guidance on the following topics, or at least some of them, could be considered for inclusion:

- Acceptable analytical methods
- Proper treatment of uncertainties, common cause failures, and operator error
- Acceptable treatment of data bases
- Acceptable assumptions regarding phenomenology
- Treatment of external event accident initiators
- Requirements regarding quality assurance, documentation, peer review, and appropriate public involvement

[1] The Procedures Guide is intended to define acceptable methods for performance of such studies, and it will address the following subject areas: (1) system reliability analysis; (2) accident sequence classification; (3) frequency assessment for classes of accident sequences; (4) estimation of radiologic release fraction for core-melt accident sequences; and (5) consequence analysis. For these subject areas, the Procedures Guide should delineate (1) acceptable analytic techniques; (2) acceptable assumptions and modeling approximations, including treatment of statistical data, common-cause failures, and human errors; (3) treatment of uncertainty; (4) acceptable standards for documentation; and (5) quality assurance. The Procedures Guide is expected to define a practical scope of analysis for such systematic reviews conducted in the next few years. Thus, the Procedures Guide might recommend omission, simplification, or postponement of some elements of a complete analysis. If it does, the Procedures Guide may or may not include specific guidance on when or how to address these elements later.

The final guide is scheduled to be available in the summer of 1982, and the NRC at that time will determine which portions of the guide represent useful procedures to be used in the regulatory or licensing processes. If for some reason the ongoing IEEE/ANS effort does not produce a guide that is useful to NRC, then the NRC will utilize the in-house guide that is being developed in conjunction with the Interim Reliability Evaluation Program (IREP). However, IREP only includes the assessment of plant and containment systems--it does not consider external events, fission product transport, or consequence analyses.

Benefits and Uncertainties Inherent in PRA

Probabilistic risk assessment can be used to aid in determining the relative risk-reduction capabilities of alternative safety components or systems. In fact, even if quantitative guidance were not adopted, probabilistic assessment techniques would still provide a powerful tool to analyze plant systems, identify major contributors to the unreliability of systems important to safety, and point out plant or procedure modifications that would lessen the significance or frequency of those accident sequences that provide a dominant contribution to risk on a relative basis. Examples of significant safety problems that have been identified in the past through the use of relative probabilistic analyses include the interfacing systems LOCA problem in WASH-1400, the risk importance of the drain plugs at Sequoyah, and the ac/dc dependencies at Crystal River 3. Use of PRA in a relative sense reduces to some degree the importance of uncertainties, particularly if the alternatives being considered are similar enough to share most of the uncertainty characteristics.
The use of PRA in such a sense can contribute valuable insights regarding:

(1) Prioritization of safety issues and proposed new regulatory requirements to enhance effective utilization of available NRC and industry resources.
(2) Relative effectiveness of various accident prevention and consequence mitigation alternatives.
(3) Prioritization of research programs.
(4) Relative merits of various siting and emergency preparedness options.
(5) Weaknesses in routine and emergency operating procedures.
(6) Weaknesses in test and maintenance procedures.
(7) Comparisons of different plant designs and plant-site combinations with regard to overall risk.
(8) Improvement of the reliability of systems and components important to safety.

Of course, these relative uses of PRA have one major drawback--one will never objectively know when one attains such a level of safety that it is no longer prudent to continue investing resources to reap further risk reductions. That is the importance of an implementable safety goal; i.e., establishment of quantitative guidance that can serve as useful yardsticks by which to measure safety performance. Such quantification ultimately is necessary to serve as the backbone for an effective risk allocation and management program. However, to have useful quantitative guidance one must be able to adequately manage and understand the uncertainties associated with risk or reliability analyses.

While probabilistic risk assessments have potential benefit, they also have many aspects of uncertainty. This includes uncertainty in phenomenological assumptions, data base, completeness, human interactions, and accident and systems modeling. Although uncertainty can be reduced by development of better analytical methods and expansion of the data base, the probabilistic nature of risk assessment as applied to nuclear reactors dictates that uncertainty can never be completely eliminated. In many cases, the estimated risk value, even reasonably considering uncertainties, may fall well above or below the relevant quantitative safety guidance. In such cases, regulatory decisions may be considerably influenced by the results of PRA studies. However, where the realistic best-estimate results of PRA studies are in the same range as the applicable quantitative safety guidance, sound engineering judgment must provide the principal support for regulatory or licensing decisions.
In such situations, PRA reverts principally to an analytical tool that provides information to add to the perspective of the decision maker, including information regarding the quantification of uncertainty so as to augment, but not replace, good engineering judgment.

The quantification of uncertainty is a subject of substantial importance. There are many possible sources of uncertainty in PRA, including those summarized below:

- Completeness of accident initiators, system failures considered, time sequencing of events, possible operating states, detail in event and fault trees, partial failures, and consideration of common mode failures or initiators such as earthquakes.
- Human behavior with regard to errors of omission or commission, actions to terminate the accident or mitigate consequences, maintenance and testing errors, design and fabrication errors, and construction and installation errors.
- Correct modeling with regard to proper success/failure criteria, dependencies, grouping of source terms, fault tree/event tree coding, test and maintenance, and behavior of people during evacuation.
- Data problems, including general lack of good data, plant-specific vs. generic data, classical vs. Bayesian statistical techniques, failure times, and meteorological data.
- Assumptions and modeling associated with phenomena such as failure of penetrations, core meltdown, magnitude and frequency of natural phenomena (earthquakes, floods, etc.), hydrogen production, containment pressure-temperature transients, concrete penetration by a molten core, pressure vessel failure or excessive motion, fission product deposition and transport within the primary system and containment, environmental transport, fission product pathways, and resultant exposures of people.

Clearly, the uncertainties are not all in one direction. While many may result in an underestimate of the risk, such as incompleteness in accident initiators and common mode failures, others may overestimate the risk, such as conservative failure criteria or failure to consider appropriately partial failures or ad hoc operator intervention. Therefore, it is difficult to judge whether the bottom line results of any PRA represent an underestimate or an overestimate of risk.

One of the largest areas of uncertainty is phenomenology. For example, in estimating the frequency of high intensity earthquakes or very large floods, the spread in the distribution may be so broad as to make it virtually meaningless to speak in terms of mean estimates. The best we can do in such cases is base our estimates on expert judgment in view of the lack of historical data. Also, estimates of containment failure due to overpressurization and estimates of fission product release from the primary system and from containment are subject to great uncertainty.
In these latter cases, calculations typically are biased toward conservatism.

Full-Scope vs Partial-Scope PRA

The conclusion that one arrives at from the preceding discussion on uncertainties is that full-scope PRAs (i.e., ones that consider external events and predict resultant expected-value prompt and latent deaths) are subject to substantially greater uncertainty than partial PRAs aimed principally at the reliability of plant shutdown and plant and containment heat removal systems (such as the general scope of an IREP study). Also, the more narrowly focused studies dealing principally with system reliability (excluding external events) provide more reproducible results when used in a comparative or relative sense, because uncertainties in the assessments have a greater tendency to cancel out. This means, for example, that engineering reliability criteria placed on diesel generators would be much more easily applied in the licensing process, due to less uncertainty and greater reproducibility of analytical results, than would a calculation of the expected value of latent deaths per year from a given plant-site combination. However, diesels (for example) are not equally important to safety for all reactor designs. Therefore, the results of a full-scope PRA, including a reasonable quantification of uncertainties, could provide a better risk perspective for use in the regulatory process and could result in the establishment of reliability criteria (such as diesel reliability) that would be more sensitive to actual system design.

The As Low As Reasonably Achievable Principle

A logical function of risk management is to evaluate the expected risk reduction (or increase) resulting from new or modified safety requirements (or exemptions from existing requirements) in relation to the costs of their achievement (i.e., a value-impact analysis). In 1975 the Commission adopted Appendix I to 10 CFR 50, which established the principle that routine radiological releases from nuclear power plants should be reduced to the maximum extent reasonably achievable but need not be reduced without limit. The costs of reduction of routine releases are then considered in deciding whether additional effluent control measures should be required. It is also possible to use a similar "as low as reasonably achievable" approach in deciding how far to go in reducing reactor accident risks, or to judge whether certain forward-looking or aspirational goals need be met for plants currently in operation or under construction.

The ALARA principle would be particularly valuable in decisions concerning the necessity for and timing of retrofitting older plants to reduce public risk and granting exemptions from safety-related regulations where special circumstances are involved. Plants already licensed to operate and plants with substantial construction completed often pose special backfitting problems.
Because of sunk capital investment and the cost of replacement power, older plants may not necessarily be subjected to the same safety objectives as new plants, provided some upper-bound level of risk is achieved. The logic behind such a value-impact policy position is simple--we live in a world of progressive technology where changes in design occur (and should occur) all the time. Some of these changes result in the more efficient production of electricity, and these should rightfully be pushed by the utility industry. Others could result in a forward-looking reduction of risk, but these would not be supported by the industry if they believed that all progress in this area would automatically result in retrofit of all older plants. It is in the public interest to establish a logical regulatory process that encourages forward-looking, cost-effective technology advances with regard to improvements in the protection of public health and safety, without encumbering it with the requirement for expensive retrofits for the purpose of attaining marginal improvements in safety. There must be a proper balance struck between the extremes. It makes no sense to grandfather all old plants regardless of any future technology developments that could improve safety; neither does it make sense to stifle future technological progress with an extreme regulatory posture on retrofit. An implementable ALARA principle offers the hope of such a balance; however, such a principle demands that a dollar value be placed on risk. There is understandable reluctance to assign a dollar value to human life, but an appropriate surrogate (such as dollars per person-rem or dollars per incremental reduction in core melt frequency) might offer a way to implement a workable ALARA principle.

Use of Standards and Criteria in Regulatory and Licensing Decisions

Licensees and license applicants will continue to be expected to demonstrate compliance with the Commission's regulations in 10 CFR Parts 50 and 100. However, PRA will also be used both in regulation and in licensing to augment NRC's current safety reviews and to provide a quantitative perspective on the effectiveness of our requirements.

In most situations PRA should be performed using realistic assumptions and best-estimate analyses, and should include an understandable presentation of the magnitude and nature of uncertainties. Our present regulatory practices, combined with the conservative proposed safety standards, are intended to provide sufficient protection to public health and safety, and PRA would be used only to find existing weak points in the regulatory fabric. Therefore, striving for high confidence or the use of conservative assumptions in the risk analyses in a search for possible weaknesses would not normally be warranted. However, in some situations the uncertainties surrounding the analyses could be so large that conservative assumptions coupled with high confidence could yield upper-bound values that would result in a postulated accident sequence clearly dominating risk, even if all other risk contributors were evaluated using the same degree of conservatism. In such situations, the magnitude of uncertainties could indicate a need for regulatory action, even when mean-value calculations using realistic assumptions would not of themselves necessitate such action.
In such a situation the results of the PRA, coupled with good engineering judgment and other case-specific considerations, could result in regulatory or licensing action being taken.

The NRC staff regularly develops new rules, standards, and guides for use in reactor regulation. The assessment of the merits of these, as well as any proposals to eliminate certain requirements, is now based predominantly on engineering analysis and judgment. The use of probabilistic risk assessment attempts to quantify the engineering analyses so as to assist the decision maker in considering alternatives, which will serve to strengthen the logical basis of NRC's regulatory requirements. The use of PRA in conjunction with quantitative safety guidance will provide a strong reinforcement to engineering judgment, assuming that either uncertainties can be quantified reasonably or a sufficiently conservative analysis can be supported.

Presently, the NRC is also using PRA to better understand the relative importance of the various generic safety issues, i.e., their relative contributions to residual risk. Such use will provide clearer guidance for setting priorities for the allocation of staff and industry resources, since there are insufficient resources to work on all of the potential safety issues that have been identified.

The use of risk assessments, safety goals, and quantitative safety guidance in the regulatory process could also serve as a basis for developing additional rules, standards, or guides governing the design reliability of some systems and components important to safety. In essence, this would represent the allocation of unreliability to those systems or components important to the prevention of core melt or to the mitigation of consequences. If such an allocation of unreliability among important systems or components were to evolve, these would then become an appropriate requirement for consideration in licensing reviews.

The NRC staff does not now routinely require that a full-scope PRA be performed as a part of reactor licensing proceedings, although a few licensees and applicants have, on occasion, been required to perform selective PRAs, and others are performing such studies of their own. The Commission has under consideration a rule that would codify the requirement for a risk assessment for near-term construction permit applicants, and the TMI Action Plan (Task II.C.2.) requires risk or reliability assessments to be performed on all operating plants. Although applicants are not now required to perform full-scope PRAs as part of their safety analysis report in support of their license applications, it would be beneficial to safety to perform reliability analyses at least equal to the scope of the IREP studies as part of the support for an operating license application. The benefits of such an analysis would be:

- The applicant would become more familiar with the design, interactions, and dependencies of reactor, auxiliary, and containment systems.
- There would be an excellent analytical base established for developing improved test, maintenance, operating, and emergency procedures.
- The relative risk reduction potential of proposed design or procedure changes could be more easily determined.
- Weaknesses in system design could be identified and measured against applicable engineering criteria.
- If initiated early enough, it could serve as a useful vehicle for marrying reliability engineering to design development.
- Such analyses would be useful building blocks to feed into the evaluation of accident risks now required as part of the environmental report.

As uncertainties in the analysis of external events and other phenomena decrease, as methodologies become more standardized, and as quantitative guidance for accident prevention and mitigation becomes better developed, the requirement for reliability studies might perhaps be expanded into full-scope risk studies submitted in support of OL licensing. Meanwhile, as described above, even a relatively narrow PRA scope focused only on core melt accidents generated by internal events has substantial merit. It would be far better to do a reasonably good job today in using PRA to augment the regulation of areas that are somewhat amenable to quantification than to do a poor and controversial job in areas that are subject to large PRA uncertainties.

With regard to the question of possible retrofits, should an operating plant require corrective action, or should some generic action be required, the necessary action should be taken in a time commensurate with the increased risks involved. When the risks are not judged to be serious enough to demand immediate action, the timing of corrective action may include reasonable consideration of minimizing unscheduled down time and any continued need for power. The basic criterion of timing should be that the increased risk to be permitted while awaiting correction should be generally consistent with the risks acceptable from plant operation throughout the plant's useful life. If numerical guidelines are developed, they will be subject to all the previously stated cautions on the use of PRA in the decisional process, and they should be considered as one factor among others in connection with decisions regarding the timing of corrective actions.
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

MEMO FOR: [illegible], DMB
FROM: P. Larkins, TIDC; J. Resner, TIDC
SUBJECT: Transmittal of Speeches

Attached are two copies of a speech to be sent to the PDR and TERA. We have filed the NRC Form 426.}}