ML20072M336

Draft, For Comment, Rev. 6 to Risk-Based Regulation

Site: FitzPatrick
Issue date: 06/30/1991
From: Specter H, POWER AUTHORITY OF THE STATE OF NEW YORK (NEW YORK
Shared Package: ML20024G666
References: NUDOCS 9409010279

Text

RISK-BASED REGULATION

HERSCHEL SPECTER
NEW YORK POWER AUTHORITY
JUNE, 1991
DRAFT FOR COMMENT
REV. 6

9409010279 940629
PDR COMMS NRCC CORRESPONDENCE PDR

ACKNOWLEDGMENTS

time in commenting on earlier versions of this document. Among them are Professors Norman Rasmussen and Nathan Siu of MIT, Dr. William Vesely (SAIC), Drs. S. Baron, Pranab Samanta, and I. Kim (BNL), Dr. David Carlson (SNL), and Dr. Ian Wall. Several staff members within the New York Power Authority also contributed their time and thoughts. Additionally, Carl Johnson and other NRC staff members are to be thanked for their guidance and encouragement. Most of all, the author appreciates the support given by John C. Brons, President, New York Power Authority, who has provided both encouragement and the resources needed to develop this draft document.


RISK-BASED REGULATION

CONTENTS

Executive Summary  EX-1
1. Introduction  1
2. Background  1
3. Applying PSA Technology  4
   3.1 Ranking Systems and Components  4
       3.1.1 Systems
       3.1.2 Components
   3.2 Evaluating Regulatory Processes  9
       3.2.1 Introduction
       3.2.2 General Observations
       3.2.3 Data Bases
   3.3 Human Actions  17
   3.4 Summary  18
4. Packaging  18
5. Overall Regulatory Framework  21
   5.1 Severe Accidents  21
   5.2 Normal Operations  24
   5.3 Reclassified Plant Features  24
6. Advanced Nuclear Power Plants  26
7. Policy Issues  27
8. Institutional Benefits  29
9. Program Description  29
   9.1 Three Main Phases  29
   9.2 Task Descriptions  30
   9.3 Schedule  32
10. Summary  32
11. Bibliography  33

FIGURES
1. Sensitivity of Core Damage Frequency or Person-Rems to Unavailability of System X
2. Packaging Concepts
3. An Overall Regulatory Framework
4. Program Description

Executive Summary

This document is a response to the NRC Commissioners' interests in applying risk technology to the NRC's regulations and practices. This response is intentionally written in a comprehensive manner so that it could serve as a "road map" for achieving integrated risk-based regulation covering many safety subjects and for all U.S. nuclear plants, both present operating plants and future plants. It envisions a shared effort by the NRC and the nuclear industry and builds upon research sponsored by the NRC over many years.

Much of the technology needed to bring about risk-based regulation is already at hand, although some methodology development would be required. Supplemental data bases may have to be created and this could become a significant task. The main purpose of the data base effort would be to quantify the change in the failure rates of plant features after various regulatory processes, such as quality assurance, inspection, testing, etc., have been applied to them. Similarly, the impacts of training, ergonomic activities, and other actions that affect human error rates would be measured, where possible.

The effort envisioned here would use an advanced version of "importance weighting". Importance weighting is a technology based on probabilistic safety assessment (PSA) methodologies. It enables one to rank plant features according to their importance to safety. Application of this would, by itself, be a very important step forward. It would provide a technical basis for deemphasizing the lowest ranked systems in favor of the more risk significant systems. The lower ranked systems will not be ignored, however. They would be monitored to demonstrate that having a lower ranking does not lead to risk significant issues over time.

PSA techniques can also be used to evaluate the risk reducing effectiveness of different regulatory practices. Such evaluations would be most accurate should they use the above mentioned data bases. However, PSA-based bounding calculations can provide valuable insights when sufficient data are not available. Once the effectiveness of the various regulatory processes has been determined, the most effective practices would be applied to the most important systems.

It is proposed to go forward with a three-phased pilot program. This pilot program would result in the New York Power Authority's (NYPA) James A. FitzPatrick (JAF) nuclear power plant becoming a model of a present operating plant utilizing risk-based regulation. In the first phase of this pilot program a reference document would be developed using the JAF Probabilistic Safety Assessment. At this time level one of this PSA has been submitted by NYPA to the NRC and level two is expected to be available for NRC review by mid-1991. During the latter two phases of this pilot program a number of "packages" would be created where the regulatory requirements placed on a number of systems or components would be modified at the same time. Each package would entail a net decrease in risk and a net decrease in plant operating burden, i.e., a "win-win" situation. Initial packages would concentrate on improvements within the technical specifications and in maintenance practices. Similar packages have already been achieved on a smaller scale by the NRC and some other nuclear utilities.

Enough technological capability exists now to form many "packages"; additional "packages" will be possible once the above-mentioned data bases have been developed.

The New York Power Authority is sponsoring PSA research on maintenance at MIT, using the James A. FitzPatrick plant as the reference plant. The MIT results would be shared with the NRC and, hopefully, would be incorporated into the risk-based maintenance part of this program.

This program also envisions the creation of an overall regulatory framework, perhaps based on the Commission's safety goals. Such an overall regulatory framework would resolve two long-term issues: "How safe is safe enough?" and "Which plant features are safety-related and which are not?" Answers to such questions would more precisely determine which plant features and operator actions should come within the scope of regulatory review. Advanced packages could then be used to refine the list of systems and components that are defined as safety-related. A means of implementing these advanced packages is described in the text of this document.

Perhaps the greatest long term benefit of this program is the institutional changes it may bring about. Safety improvements, beyond those that are justifiable by backfit requirements, may be achieved. Moreover, it would be the nuclear utilities, not the NRC, that would be the initiators of such safety improvements. Their incentives for initiating these improvements would be greater safety, reductions in operating and maintenance costs, reduced economic risks, and gains in public acceptance. Such incentives may yield the most practical and effective way to achieve "living PSAs" as utilities constantly search their plant operations and PSAs to create new "packages". While the NRC still retains its backfit regulatory authority, modifying plant designs and procedures might take on a more cooperative and constructive nature under these packaging approaches. Thus the public would be doubly served: safer power plants and lower cost electricity.

Risk-Based Regulation

1. Introduction

Recently the NRC Commissioners encouraged the NRC staff to aggressively move forward with a risk-based technical specifications program, including plans for a pilot program.[1] The Commissioners also encouraged the staff to "extend the same fundamental focus on risk to other areas of our regulations". This document is a response to these objectives. Part of this response is an effort to bring about a comprehensive risk-based technical specifications program at an actual U.S. nuclear power plant. However, the Commissioners' invitation to extend a risk-based approach to other areas within the NRC's regulations calls for a comprehensive review of many technological issues. A larger framework is needed so that eventually all risk-based regulations can be implemented in an integrated manner. This broader scope has been adopted here.

The need to proceed in an integrated, risk-based manner has been recognized by others. For example, in a letter[2] from the ACRS to former NRC Chairman Zech it is stated that:

"we would endorse a well-conceived reevaluation of current regulations which would undoubtedly suggest that more regulatory emphasis should be placed on some systems that in the past have been treated as balance-of-plant, and less on others. However, this evaluation should be done in an integrated manner which would, on the basis of what has been learned about risk contributions, identify some systems for special attention."

It is hoped that the three phased program described in this document could serve as one way to bring about risk-based regulation for U.S. nuclear plants.

2. Background

In the 1960's the former Atomic Energy Commission developed the General Design Criteria (see Title 10 CFR, Part 50, Appendix A). The very first sentence of General Design Criterion One put forward a basic principle: "Structures, systems and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed". The principle behind this long-standing statement is the recognition that a gradation of safety importance exists among plant features and that resources are to be applied according to this gradation. In order to make the best use of resources, a regulatory system should distribute requirements, and therefore resources, according to the plant features' importances to safety and apply only those processes which are effective in minimizing risks.

The need to allocate resources in a structured manner, as imbedded in the General Design Criteria, is carried forward into the present regulatory process. For example, page 5 of the NRC's November 23, 1988 document, Generic Letter GL88-20, Individual Plant Examination For Severe Accident Vulnerabilities, states:

"...there are a number of potential benefits in performing PRA's...(5) rank issue importance such that the most important are dealt with first. This prioritization of actions benefits the licensees and the NRC by providing a rational schedule for implementation of actions and provides a basis for the possible elimination of actions determined to have low safety significance for the individual plant".

The Commission has also applied this basic concept of ranking actions and requirements according to safety importance by classifying violations according to their severity.[3]

There are a number of indications that the regulatory approach discussed in this paper will be of considerable importance in advanced nuclear power plants. As recently reported in the media, fundamental NRC decisions will be made on advanced plants using a ranking process:[4]

"The Commission adopted a staff recommendation that the agency take a 'graded approach' to the level of detail issue. Under this approach, the level of detail required for certification review will vary depending on a structure's, system's, or component's relationship to safety".

Therefore this ranking concept has been a fundamental principle of the regulatory process for many decades. While this principle has long remained unchanged, the technical ability to implement it has improved dramatically. In the past, because of technical limitations, various regulatory requirements were often issued without a quantitative analysis of the safety benefits they might achieve. However, things are markedly different today. We have made significant strides in developing the technology to quantify and rank the safety significance of systems and components* more precisely through the use of PSA methodologies. We also have a greatly expanded data base on system and component performance and on accident precursors. Safety experiments and actual accidents likewise have expanded our knowledge.

What is also different today is that each U.S. nuclear power plant is now undergoing its own plant-specific PSA as part of the IPE (Individual Plant Evaluation) effort. Implementation of the NRC's Severe Accident Policy Statement through the IPE process represents a major undertaking both by the nuclear industry and the NRC. This same process also creates fresh opportunities. With the development of PSA's for each nuclear plant, an even larger body of knowledge will be available in several years. Use of this body of knowledge can result in lower operating and maintenance (O&M) costs at nuclear plants, as expensive practices that have little or no risk significance are identified and replaced by standard commercial practices. The remaining activities, and perhaps new ones, will emerge from this "refocusing" process as those that actually have risk significance.

Not only can PSA technology be used to rank systems and components, it should also be capable of evaluating the effectiveness of various regulatory processes such as quality assurance, maintenance, testing, the technical specifications, etc. Thus PSAs could be applied in two phases. First they would be used to identify the risk important plant specific features and second they would be used to evaluate the risk effectiveness of various regulatory processes that are applied to these important plant features. Safety is enhanced when such significant activities are clearly identified, rather than maintaining an undifferentiated mix of risk-significant and risk-insignificant processes which can divert attention and resources from truly important issues. Thus, by upgrading the regulatory process with modern technology, the public would be doubly served: safety would be enhanced and the costs of producing nuclear generated electricity would be lowered.

* In principle, structures could be treated in the same manner as systems and components. This document does not explicitly address structures.

Footnotes:
1. USNRC Staff Requirements Memorandum M900413A, S.J. Chilk to J. M. Taylor, "Staff Requirements - Briefing on Risk Based Technical Specifications Program", May 14, 1990.
2. Forrest J. Remick, Chairman of the ACRS, to Lando W. Zech, Chairman, U.S. NRC, "Proposed Final Rulemaking Related To Maintenance of Nuclear Power Plants", April 11, 1989.
3. NRC's General Statement of Policy and Procedure for Enforcement Actions, 10 CFR Part 2, Appendix C.
4. Nucleonics Week, February 28, 1991, pg. 9, "Vendors Pleased With NRC Decision on Detail Level For Advanced Units".

3. Applying PSA Technology

This section contains a discussion of how PSA technology can be used to evaluate the risk importance of plant systems and components. Following this is a discussion of how this same technology can then be used to evaluate the risk effectiveness of various regulatory processes. The object here is to answer two questions: (1) What systems are important to safety, and (2) Which regulatory processes are truly effective?

3.1 Ranking Systems and Components

3.1.1 Systems

Plant systems can be evaluated according to their importance to risk by use of a ranking process based on a PSA technology called importance weighting. Importance weighting provides a numerical measure of each system's or component's safety worth.

During the past few years a number of importance measures have been developed such as the "risk achievement worth", "risk reduction worth", the Birnbaum structural importance measure, and the Fussell-Vesely importance measure. At this time there is no universally accepted importance measure. For the purpose of illustration only, the importance measure chosen here is the "risk achievement worth".

The "risk achievement worth" ranking process itself is a straightforward one. After a PSA analysis of an individual plant has been performed, the PSA results would be recalculated assuming system X1 was totally absent from the plant (unavailability = 1.0). The absence of system X1 could cause an increase in various calculated results, such as the core damage frequency or the mean value of the potential number of public person-rems of exposure per year due to accidents. This increase could be called delta X1. The base case would then be perturbed again by assuming that a different system, X2, was totally absent and its associated delta X2 would be found. This perturbation process of the base case would then be repeated one system at a time and the resultant deltas would then be ranked from large to small. The importance of a plant system would be determined by the size of its "delta" or the ranking of its delta relative to other deltas. Instead of using a "delta" ranking format, one can also take the results of these perturbation analyses and form ratios of the new numbers to the base case numbers.

Table I is an example of the above "risk achievement worth" ranking process using core damage frequency as a measure of importance, based on several systems from an actual operating boiling water reactor (not JAF). CDFx/CDFo is the ratio of the core damage frequency with system X totally unavailable (CDFx) to the base case core damage frequency (CDFo). This example has CDFx/CDFo values that are specific to the plant that was analyzed. Other plants would likely have somewhat different values. Based on the rankings in Table I, a number of systems such as the main condenser, fire protection, drywell coolers, and CRD pumps, have relatively low importances. Neither their operation nor their failure has a major effect on the core damage frequency. It is expected that systems with relatively low importance would be subject to standard commercial practices only. On the other end of the table are the highly ranked systems, such as the service water system and the automatic depressurization system. Before immediately concluding that such systems require the most elaborate regulatory efforts, further judgements should be applied, as discussed further in Section 3.2.

3.1.2 Components

The same kind of importance weighting process applied to a system could be applied to components within a system, thereby separating out which components are important to the core damage frequency. In theory this process can be done at the component/subcomponent level.


Table I. ILLUSTRATIVE EXAMPLE OF RANKED SYSTEMS

Plant System Assumed to be Totally Unavailable    CDFx/CDFo
Service Water                                      4260
Automatic Depressurization System                  160
RCIC                                               24
LP/RHR                                             13
Feedwater/Condensate                               7.8
Feedwater Alone                                    7.7
HPCI                                               7.0
Vent                                               2.5
Core Spray                                         2.4
Main Condenser                                     1.4
Fire Protection                                    1.2
Drywell Coolers                                    1.2
Condensate Alone                                   1.1
CRD Pumps                                          1.1
Base Case                                          1.0

CDFx = Core Damage Frequency with system X totally unavailable
CDFo = Base Case Core Damage Frequency

Note: Table I is only a partial list of the plant systems and is only intended as an aid to understanding ranking processes.

In addition to the core damage (or core melt) frequency ranking provided in a display like Table I, it has also been proposed that ranking systems should be based on offsite person-rems, i.e., a radiological ranking system. Level one PSA importance weighting results would be used for core damage frequency ranking. Level two PSA results should provide both containment failure frequencies and the source terms associated with such containment failures. Knowing both the containment failure frequencies and the associated source terms, one can calculate offsite consequences and risks. One way to do this is with a level three PSA. However, for this program a simplified approach may suffice.

Both core damage frequency and radiological ranking systems offer valuable insights and both are somewhat incomplete. For example, ranking systems based on core damage criteria alone does not evaluate the risk significance of mitigative devices (e.g. containment sprays, containment isolation, etc.). Moreover, all core melts are treated equally. However, a core melt from a highly unlikely interfacing systems LOCA in a PWR ("V" sequence) can be far more serious than a more probable core melt that does not lead to containment failure. Therefore, all core melts are not equal. Consequently, a ranking system based only on core melt or damage frequency is incomplete.

On the other hand, radiologically-based ranking may not fully recognize a licensee's need to protect the company's financial investment and to encourage public trust. Core damage events with little or no offsite radiological impact, such as TMI, can have profound onsite economic effects and severe public reactions. It appears that comprehensive decision-making would need to be based on more than one ranking system to account for both accident prevention and consequence mitigation. In fact, true "risk" ranking would have to consider both frequency and consequences.

A ranking system, such as the "risk achievement worth" system that generated Table I, would be very useful in obtaining an initial screening of the plant's systems and components. It would point out the most likely candidates, the ones with smallest "deltas", for reassignment to different regulatory requirements. However, this approach also has limitations in that the numbers in Table I are only a measure of a system's average risk importance. The risk importance of a system or component can change significantly depending on the status of other plant components. For example, consider a system that has four fully capable redundant pumps. Each pump has the same average risk importance. If any one of these pumps becomes unavailable, the risk impact would be low. If one pump were unavailable and a second pump also became unavailable, then the risk impact of the loss of the second pump would be greater than that calculated for the loss of the first pump. The loss of the third pump (given that pumps one and two were unavailable) would be still more important and the loss of the fourth pump could be very important because this could result in a loss of function. This pump example demonstrates that the average risk importance is an insufficient measure by which decisions can be made. It does not address the status of the plant at the time that the pump becomes inoperative and the possible loss of function. A related concern is those situations where, as equipment becomes unavailable, the remaining operable equipment experiences more strenuous conditions which lead to higher failure rates.

Removal of all redundant components that serve the same function is clearly unacceptable. Other undesirable actions are less obvious. A more subtle example would be certain combinations of components in redundant systems (e.g., diesel A and turbine pump B) that become simultaneously unavailable, thereby causing a loss of function. Such concerns are the basis for configuration control efforts in the technical specifications. An even more subtle concern is systematic and generic effects, such as component aging, that can involve multiple components, sometimes in different systems. Here we may not be witnessing a binary situation, such as a component or system being either available or unavailable, but rather a drift in reliability. The importance of a component being out of service is also tied to the potential impact of common cause failures, human errors, and particular initiating events such as station blackout, all of which could affect multiple components and systems simultaneously. The issue to examine here is whether or not the unavailability of a component in conjunction with a multi-component loss event causes a loss of a valuable safety capability.

Several lessons can be derived from the above. It is useful to perform an initial average risk ranking of individual systems and components using some ranking scheme such as "risk achievement worth" as a screening device. However, a more exact test of the impact of the unavailability of a system or component is not the particular average risk importance. Rather, the risk importance of plant features is a function of the then present plant status. In this program there would be a task, Methodology Development, which would address issues like calculating the importance of functions and processes, the impact of systemic and generic effects on multiple equipment, the integration of individual and multiple equipment importances, and the selection of a particular importance measure (see Section 8.2). Therefore "importance weighting", as used in the context of this document, means the process which results from the completion of the Methodology Development task. It should be understood that although the methodology development task is a refinement over present importance weighting approaches, some members of the PSA community believe that this task is readily achievable.


3.2 Evaluating Regulatory Processes

3.2.1 Introduction

Not only is it valuable to rank systems and components according to their importance to safety, it is also valuable to determine the effectiveness of different regulatory processes (e.g. training, QA, testing, maintenance, etc.) in influencing risks. Achieving a quantitative evaluation of different regulatory processes is a challenging task, but the rewards could be substantial. For example, consider the regulatory impact if it were shown that, in general, operator training was a hundred times more cost-effective than QA in reducing risks. It is timely to answer questions like: for a given system or component, what amount of risk reduction is achieved per quality assurance dollar, per maintenance dollar, per training dollar, etc.? With answers to such questions an optimal allocation of resources among these processes could be made.

This document first provides some general observations on identifying the effectiveness of regulatory processes in keeping risks low. It is expected that supplemental data bases would have to be developed during the course of this pilot program to measure the effectiveness of regulatory processes. Creation of such data bases is described after the general observations.

3.2.2 General Observations

A number of general observations have been made which can guide the search for effective regulatory processes.

The first point to be made is that if a particular system itself is not risk significant when its unavailability equals 1.0, then no regulatory process, as applied to that particular system, can be risk significant. Once it has been determined through PSA technology that such a system or component is not risk significant, the requirements placed upon these plant features should follow commercial practices. As discussed in greater detail later, the application of present commercial practices has generally led to high reliabilities (see Section 5.3). Additionally, monitoring of plant features reclassified as subject to commercial practices will assure that they do not become risk significant over time (see discussion in Section 5.1).
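The "risk achievement worth" perturbation of Section 3.1.1, the four-pump status-dependence example of Section 3.1, and the first point above (a system whose CDFx/CDFo is near 1.0 leaves nothing for any regulatory process to gain), carried out on a small minimal-cut-set model. This is an added example, not the document's own calculation; the systems, cut sets, frequencies and unavailabilities are assumed for illustration and describe no real plant.

```python
"""Risk achievement worth (RAW), status-dependent importance, and a bound on
what a regulatory process applied to one system can achieve.  Constructed
example: all systems, cut sets, frequencies and unavailabilities are assumed.
CDF uses the rare-event approximation: sum over minimal cut sets of the
initiator frequency times the product of the unavailabilities in the set.
"""
from typing import Dict, List, Sequence, Tuple

# A cut set: (initiator frequency per year, systems that must all be
# unavailable for that initiator to proceed to core damage).
CutSet = Tuple[float, Sequence[str]]

# Assumed BWR-like model: support system (SW), high-pressure injection (HPCI,
# RCIC), depressurization (ADS), low-pressure injection (LPCI), feedwater (FW).
CUT_SETS: List[CutSet] = [
    (0.1, ["SW"]),                          # loss of the support system
    (1.0, ["FW", "HPCI", "RCIC", "ADS"]),   # transient: no HP injection, no ADS
    (1.0, ["FW", "HPCI", "RCIC", "LPCI"]),  # transient: no HP or LP injection
    (0.1, ["HPCI", "RCIC", "ADS"]),         # loss-of-feedwater initiator
    (0.1, ["HPCI", "RCIC", "LPCI"]),
]
UNAVAILABILITY: Dict[str, float] = {
    "SW": 1e-4, "HPCI": 0.05, "RCIC": 0.05, "ADS": 0.01, "LPCI": 0.01, "FW": 0.1,
}


def core_damage_frequency(cut_sets: Sequence[CutSet],
                          unavail: Dict[str, float]) -> float:
    """Rare-event CDF: sum over cut sets of frequency x product of unavailabilities."""
    total = 0.0
    for freq, systems in cut_sets:
        p = freq
        for s in systems:
            p *= unavail[s]
        total += p
    return total


def risk_achievement_worth(cut_sets: Sequence[CutSet],
                           unavail: Dict[str, float]) -> Dict[str, float]:
    """CDFx/CDFo for every system X, ranked from largest to smallest.

    Each system in turn is assumed totally absent (unavailability = 1.0) while
    the others keep their base values: the Table I style ratio.
    """
    base = core_damage_frequency(cut_sets, unavail)
    ratios = {}
    for name in unavail:
        perturbed = dict(unavail)
        perturbed[name] = 1.0
        ratios[name] = core_damage_frequency(cut_sets, perturbed) / base
    return dict(sorted(ratios.items(), key=lambda kv: kv[1], reverse=True))


def max_risk_reduction(cut_sets: Sequence[CutSet], unavail: Dict[str, float],
                       name: str) -> float:
    """Upper bound on the CDF reduction any process applied to `name` can buy.

    No amount of QA, testing or maintenance can do better than making the
    system perfect (unavailability = 0.0); when CDFx/CDFo is near 1.0 this
    bound is negligible, which is the first point of Section 3.2.2.
    """
    perfect = dict(unavail)
    perfect[name] = 0.0
    return core_damage_frequency(cut_sets, unavail) - core_damage_frequency(cut_sets, perfect)


# Four fully redundant pumps: this path reaches core damage only if all four
# are out.  A constant background term keeps the base CDF non-zero.
PUMP_CUT_SETS: List[CutSet] = [
    (1.0e-5, []),                       # everything else in the plant
    (0.5, ["P1", "P2", "P3", "P4"]),    # initiator that any one pump can cope with
]
PUMP_UNAVAILABILITY: Dict[str, float] = {"P1": 0.02, "P2": 0.02, "P3": 0.02, "P4": 0.02}


def conditional_deltas(cut_sets: Sequence[CutSet], unavail: Dict[str, float],
                       order: Sequence[str]) -> List[float]:
    """CDF increase from losing each pump in `order`, given the earlier ones are out.

    The average RAW of one pump is small, yet each further loss adds a larger
    delta because the plant status has changed; the last is a loss of function.
    """
    current = dict(unavail)
    deltas = []
    for name in order:
        before = core_damage_frequency(cut_sets, current)
        current[name] = 1.0
        deltas.append(core_damage_frequency(cut_sets, current) - before)
    return deltas


if __name__ == "__main__":
    for name, ratio in risk_achievement_worth(CUT_SETS, UNAVAILABILITY).items():
        bound = max_risk_reduction(CUT_SETS, UNAVAILABILITY, name)
        print(f"{name:5s} CDFx/CDFo = {ratio:8.2f}   max benefit of any process = {bound:.2e}/yr")
    pumps = ["P1", "P2", "P3", "P4"]
    print("average RAW of one pump:",
          round(risk_achievement_worth(PUMP_CUT_SETS, PUMP_UNAVAILABILITY)["P1"], 3))
    for k, d in enumerate(conditional_deltas(PUMP_CUT_SETS, PUMP_UNAVAILABILITY, pumps)):
        print(f"loss of pump {k + 1} with {k} already out: delta CDF = {d:.3g}/yr")
```

In the constructed model the support system ranks first by three orders of magnitude, as service water does in Table I, while each pump's average ratio is under 1.4 even though losing the fourth pump adds almost the full initiator frequency.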

A second point is to concentrate on the dominant failure modes of the risk significant systems and components. PSAs can be used to identify the important failure modes of the risk significant systems and components.

Concentrating on the dominant failure modes is important because an initial response to a system that has a high core damage frequency ranking or a high person-rem ranking might be to expend maximum resources, such as maximum QA efforts, frequent inspections and testing, etc., on this system. However, one must be selective on what and how resources are applied, even for highly ranked systems. To illustrate this, consider the service water system, which has the highest rank in Table I. It may be that the dominant failure modes of a service water system are initiating events that cause a total loss of a critical support system. It then follows that efforts put into non-dominant failure modes may be wasteful, unless the absence of such efforts would cause a non-dominant failure mode to become a dominant mode. For example, a fire that causes a loss of all the electrical cables that power the service water pumps could be a dominant failure mode. Efforts to reduce the frequency of fires that initiate service water system common cause failures may be valuable whereas efforts to reduce the random failure rates of the active service water components (pumps, valves, etc.) may be of very limited value. In fact, by concentrating on the dominant failure modes there may be justification for reducing test and maintenance outage times, which would actually reduce risks.

A third general observation is concerned with random failures of active and passive systems. Most plant systems that have active components are built with sufficient redundancy to meet the single failure criterion. It is unlikely that enough random failures of active components would occur simultaneously to cause a system failure. There are a number of ways to measure the risk importance of random failures in active components. A review of the PSA risk dominant sequences will oftentimes reveal that risks are mostly determined by the impacts of the joint occurrence of an initiating event, human errors, and common cause events (beyond those common cause events that are already incorporated into the initiating events and human errors). If PSA results are indeed dominated by such multicomponent events, then combinations of simultaneous random failures of active components will not likely be risk significant. If so, then regulatory processes used to reduce the random failure rate of active components would not be risk significant either.

A review of the impact of random failures on passive components, such as the reactor vessel, the containment, water storage tanks, and the reactor pressure boundary, is also useful in identifying which regulatory processes are important. Here the situation is rather the opposite of that of active components. Random failures in active components are likely to be unimportant, whereas random failures in some passive systems/components could be quite serious. Random failures of certain passive components could lead to large releases of radioactive material, particularly if such failures caused both a core melt and a prompt containment failure.

In spite of potentially serious consequences, many passive components do not end up as major contributors to the overall plant risk. More specifically, random failures of passive components as accident initiators are infrequent. The lack of dominant random failures of passive components is likely the result of effective regulatory and/or non-regulatory processes. For example, consider the reactor vessel. If an unavailability of 1.0 were assumed for the reactor vessel, its resultant ranking on both the core damage frequency and person-rem lists would be extremely high. Yet a review of typical PSA results would not show reactor vessel failure as an accident initiator to be a risk dominant sequence. One concludes that various effective regulatory and/or non-regulatory actions have been taken, such as limiting the radiation exposure of critical areas of the vessel, which result in a very low reactor vessel random failure rate. Failure of the containment (e.g., loss of the containment integrity function) as an initial condition would likely also have a high ranking on the person-rem list, even though such a failure by itself usually would not initiate an accident sequence that could lead to core damage. The containment has a high ranking because it is the ultimate mitigative system and its success or failure is key to almost all severe accident sequences. Loss of containment integrity (e.g. failure to isolate) is made improbable by various useful regulatory processes.

Other passive systems may occupy a more middle-ground person-rem ranking position. For example, failure of a tank containing water may lead to internal flooding, which in an extreme situation could result in core damage. Such events cause neither an immediate failure of the reactor vessel nor a prompt loss of containment integrity. The risk significance of such failures would be highly dependent on the plant design and on operator action. Failure of other pressure boundaries, such as the reactor coolant piping, has a risk significance which is also dependent on the plant's design. Since many of these characteristically cause neither a prompt failure of the reactor vessel (the ultimate source of radioactive material) nor a prompt failure of the containment (the ultimate mitigator), there can be time for risk-reducing accident management.

Furthermore, unlike the reactor versel or containment which are one-of-a-kind systems, many "middleground" passive systems are parts of a redundant system.

If, after failure, they were isolated prior to core damage, then their impacts would be limited because their functions could be performed by their redundant counterpart (s).

Therefore the risk significance of passive components other than the containment or the reactor system pressure boundary would have to be determined on a case-by-case basis.

Based on the above, random failures.in passive systems / components can exhibit a distribution of risk significances.

The regulatory processes which are expected to be important are those that prevent a plant feature that is highly ranked on the person-rem list (like the reactor vessel) from also being among the PSA risk dominant sequences. Preventing random failures of passive plant features ranked more to the middle of the person-rem list may be of lesser importance.

At this point we have made several general observations. The first point that was made is that plant systems can be ranked according to their risk significances. Those systems with a lower ranking are of lesser risk significance because neither their operation nor their failure makes a large core damage frequency or person-rem difference. If a system itself is not risk significant, then no regulatory process applied to that system can be risk significant. Secondly, guidance was given to concentrate on dominant failure modes identified by the PSA. One must also determine if the absence of some regulatory process would cause a non-dominant failure mode to become a dominant mode.

The third point that was made dealt with random failures of plant features. It is expected that most random failures of active components would not be significant. This needs to be verified by examining the PSA dominant failure modes to see if random failures are important. If they are not important, then regulatory efforts dedicated to reducing random failures in active components, even in important systems, would be of lesser significance. However, regulatory processes focused on limiting or preventing systematic failures and common cause failures can be very significant. Later it was pointed out that some passive plant features can exhibit characteristics opposite to active components. Random failures in some passive features could be quite serious, and various regulatory (and, possibly, non-regulatory) practices are in place to make them very unlikely. Therefore such processes are quite valuable. It was further stated that an aid to identifying where an important regulatory practice might be found is to compare person-rem rankings with the PSA sequence risk rankings. Where a passive plant feature has a high ranking in person-rems, yet does not appear as an accident initiator in a risk dominant sequence, effective practices can be limiting the random failure rate.

As a further aid in evaluating the effectiveness of regulatory processes, one can examine timing. One can look for circumstances where failures might soon lead to reactor core damage and to a prompt loss of containment integrity. Examples are interfacing systems LOCAs, severe reactivity excursions that could cause reactor vessel rupture, multiple steam generator tube ruptures and steam generator shell failures, excessive reactor vessel thermal fatigue or excessive damage due to irradiation, and pressure spikes in PWRs when the pressurizer is "solid". Those regulatory practices and plant systems that minimize the frequency or severity of such events can be of high risk significance.

In addition to those general observations, subsection 3.2.3, below, provides more specific methods on how to evaluate the effectiveness of various regulatory processes.

3.2.3 Data Bases

A great deal of data have been collected during the last twenty years by the NRC and the nuclear industry on system and component performance. Additional data can be found in non-nuclear electric power plant experience and in other industries, such as the chemical industry. Where there have been failures of components in the nuclear industry, efforts often have been made to understand the causes of these failures. Data collection and analysis efforts have been undertaken in the United States and in other countries, as well. Therefore, one may be able to extract a significant amount of useful information from this present extensive data base.

The ideal situation would be to have data on component performance, with and without a particular regulatory process, and under service conditions that are essentially equivalent. Defining level A as the effort utilized in standard commercial practice on a component* and level x as the effort utilized to implement regulatory practice x for the same type of component, one could then measure the change in component unavailability when going from level A to level x. If little change is observed, then regulatory practice x is of limited value. However, it is expected that such ideal situations would be infrequent. If such data are very important, but missing, it may be necessary to construct careful experiments to make these measurements.

* Enough components of the same type would be used to assure statistical significance.

A far more likely situation is to have components that have been exposed to several regulatory processes, designated here as x, y and z. For example, let x represent QA, y represent testing, and z represent maintenance. One can compare a level A component to a level x+y+z component of the same type. If it turns out that the unavailability of the level A component is statistically similar to the level x+y+z component, then little had been gained by the implementation of the x+y+z regulatory processes.

A third possibility is that one finds that the level A components do have statistically different unavailabilities compared to level x+y+z components. One can then substitute level A unavailabilities back into the PSA to determine if this makes an important change in the core damage frequency or the person-rem figure. If the risk difference is small enough, then processes x+y+z for these components are not too valuable.

Stating it differently, the overall level of risk from a nuclear power plant would not be appreciably different if these particular components utilized standard commercial practices.

Further insights might be gained by understanding the failure mechanisms of components (failure mode analyses). For example, it is important to retain the integrity of primary piping throughout the power plant so as to minimize the likelihood of loss-of-coolant accidents (LOCAs). An element in keeping the LOCA probability low is to assure adequate pipe wall thickness. However, pipe walls have thinned and failed at nuclear power plants. An examination of the mechanisms by which these failures have occurred may reveal that such failures are mostly due to erosion/corrosion mechanisms in carbon steel pipes. However, PWR primary system pressure boundaries are made of stainless steel. A review of operating experience with stainless steel is likely to show few, if any, erosion/corrosion caused boundary failures. Therefore the assumed LOCA frequencies used in the PSAs of PWRs may be too high if they are derived from carbon steel data.

Even where there have been pressure boundary failures it may be valuable to review the regulatory efforts expended on them. Those regulatory efforts made to assure adequate initial pipe wall thickness of the pipes delivered to a nuclear plant have far less to do with wall thinning issues than the implementation of plant water chemistry programs to limit erosion/corrosion effects. Regulating water chemistry programs may be far more important than regulating initial pipe wall thickness, in this example. The point here is that the risk effectiveness of a regulatory process may be evaluated by understanding the failure modes. Effective regulatory processes need to address the important, or potentially important, failure modes of the components the process is applied to.

Returning to the previous example of an assumed fire in the electrical cables that supply power to the service water system, one might ask a question such as "what effect does quality assurance and quality control (QA/QC) have on the frequency of electric cable fires or on the recovery from such fires?" It may be that the answer to this would be that QA/QC is important in preventing the installation of poorly insulated electric power cables which could initiate fires; QA/QC could also be important in having a high probability that the fire suppression systems near the electric cables actuate when needed. One would conclude that some QA/QC efforts directed at the active service water components themselves were not nearly as risk significant as QA/QC efforts directed at the failure modes of the support systems of these same components. Understanding these different QA/QC roles is valuable.

If regulatory efforts do not address the actual or potential dominant failure modes, they are not valuable. However, even if a regulatory process is in place to limit a dominant failure mode in safety related equipment and experience shows that this failure mode is of comparable frequency in commercial grade equipment, then there may be little justification for implementing this particular regulatory process. Conversely, if commercial equipment exhibits a significantly higher frequency of a particular important failure mode than that observed in their safety grade counterparts, this may be the result of an effective regulatory process.

[Figure One: Sensitivity of Core Damage Frequency or Person-Rems to Unavailability of System. The figure plots core damage frequency or person-rems against the unavailability of system x, from U = 0 (a "perfect" system) across the range of the sensitivity study.]

Some progress may also be made in evaluating regulatory processes by use of analytical methods. For example, let Uxo be defined as the unavailability of system x due to random failures. As part of an individual plant's PSA development, system by system Uxo values would be determined. One can then perform a sensitivity study with the PSA on system x by varying system x's unavailability between the range of Uxo/F to (Uxo)(F), where F is a given factor variation. It may be assumed that the values are approximated by a lognormal distribution where Uxo is the median value and F is the factor for a 95% probability range. If little change is observed in person-rems or in core damage frequency over this range (see Figure One), then random failures may not be risk significant for system x. If so, then regulatory processes intended to reduce the random failure rate of system x would be of limited risk significance.

Another sensitivity analysis would be to set a system's unavailability equal to zero. The physical interpretation of this is that the system is "perfect". If the difference in core damage frequency or person-rems at the actual unavailability versus the "perfect" value (U = 0) is small, then additional regulatory efforts to further reduce the system's unavailability would not be an efficient use of resources.
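The three evaluations of Section 3.2.3 (the level A versus level x+y+z data comparison, the Uxo/F to Uxo·F sensitivity study, and the "perfect system" U = 0 case) worked through on a small PSA model. This is an added example, not part of the NYPA document: the three accident sequences, the system unavailabilities, the demand counts and the factor F are all constructed, and the lognormal sigma follows the document's definition of F as the factor for a 95% range.

```python
"""Added example, not from the NYPA document: a constructed three-sequence
PSA used to run the Section 3.2.3 evaluations (level A vs level x+y+z data
comparison, the Uxo/F to Uxo*F sensitivity study, and the "perfect system"
U = 0 case).  Every number here is constructed for illustration."""
import math
from statistics import NormalDist

# Constructed minimal cut sets: (initiating event frequency per reactor-year,
# systems that must all fail for core damage).
SEQUENCES = [
    (1.0e-2, ("HPI",)),        # small LOCA, high pressure injection fails
    (1.0,    ("AFW", "HPI")),  # loss of feedwater, AFW and feed-and-bleed fail
    (5.0e-2, ("EDG", "AFW")),  # loss of offsite power, diesels and AFW fail
]
# Median random-failure unavailabilities Uxo from the constructed base-case PSA.
BASE_U = {"HPI": 1.0e-3, "AFW": 5.0e-3, "EDG": 1.0e-2}


def core_damage_frequency(u):
    """Core damage frequency per reactor-year for a dict of system unavailabilities."""
    return sum(f * math.prod(u[s] for s in systems) for f, systems in SEQUENCES)


def lognormal_sigma(factor, coverage=0.95):
    """sigma of ln(U) when [Uxo/F, Uxo*F] is the symmetric `coverage` range,
    which is how the document defines F.  (A conventional PSA error factor,
    5th to 95th percentile, would divide by 1.645 instead of 1.96.)"""
    z = NormalDist().inv_cdf(0.5 + coverage / 2.0)
    return math.log(factor) / z


def sensitivity_study(system, factor, base_u=BASE_U):
    """Vary system x between Uxo/F and Uxo*F, holding every other system at
    its median.  Returns the CDF at the low, median and high points and the
    high/low ratio, i.e. the spread one would read off Figure One."""
    results = {}
    for label, scale in (("low", 1.0 / factor), ("median", 1.0), ("high", factor)):
        u = dict(base_u)
        u[system] = base_u[system] * scale
        results[label] = core_damage_frequency(u)
    results["range_ratio"] = results["high"] / results["low"]
    # PSAs quote means; for a lognormal the mean exceeds the median Uxo by this factor.
    results["mean_to_median"] = math.exp(lognormal_sigma(factor) ** 2 / 2.0)
    return results


def perfect_system_delta(system, base_u=BASE_U):
    """CDF reduction if system x were "perfect" (U = 0): the most that any
    further effort on that system's random failures could buy."""
    u = dict(base_u)
    u[system] = 0.0
    return core_damage_frequency(base_u) - core_damage_frequency(u)


def compare_levels(fail_a, demands_a, fail_xyz, demands_xyz):
    """Two-proportion z-test on demand failure probabilities for level A
    (standard commercial practice) versus level x+y+z components of the same
    type.  Returns (p_A, p_xyz, z, two-sided p-value)."""
    p_a, p_xyz = fail_a / demands_a, fail_xyz / demands_xyz
    pooled = (fail_a + fail_xyz) / (demands_a + demands_xyz)
    se = math.sqrt(pooled * (1 - pooled) * (1 / demands_a + 1 / demands_xyz))
    z = (p_a - p_xyz) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return p_a, p_xyz, z, p_value


def substitute_level_a(system, level_a_u, base_u=BASE_U):
    """Put the level A unavailability back into the PSA and return
    CDF(level A) / CDF(base), the risk difference the document asks for."""
    u = dict(base_u)
    u[system] = level_a_u
    return core_damage_frequency(u) / core_damage_frequency(base_u)


if __name__ == "__main__":
    for system in BASE_U:
        s = sensitivity_study(system, factor=3.0)
        print(f"{system}: CDF {s['low']:.2e} .. {s['high']:.2e} (ratio {s['range_ratio']:.2f}), "
              f"perfect-system gain {perfect_system_delta(system):.2e}")
    # Constructed field data: 12 failures in 1500 demands at level A versus
    # 9 failures in 1800 demands at level x+y+z for the AFW pump type.
    p_a, p_xyz, z, p_value = compare_levels(12, 1500, 9, 1800)
    print(f"level A {p_a:.4f} vs level x+y+z {p_xyz:.4f}: z = {z:.2f}, p = {p_value:.2f}")
    print(f"CDF ratio with level A data for AFW: {substitute_level_a('AFW', p_a):.3f}")
```

With these constructed numbers HPI shows a sixfold CDF spread over the F = 3 range while EDG shows less than 1.5, and the level A versus x+y+z difference is not statistically significant (p about 0.28), so the x+y+z processes on that component type would rank as low value by the document's test.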

A review and evaluation of the present extensive data base, as described above, could have many benefits, both on an individual plant basis and generically. These benefits extend beyond the evaluation of the various regulatory processes themselves. A few such additional benefits are listed below:

(1) One effect could be a generic restructuring of what data are collected and how they are analyzed. Some data collection efforts may be reduced if it is shown that they have marginal risk reducing value. On the other hand, there may be good reasons to expand the data base and analyses of initiating events, human errors, and common cause failures. It would be very valuable to measure how maintenance errors, operator errors, etc. are affected by training. Some data on this exist at various utilities.

(2) An examination of this data base may also reveal that certain safety grade equipment is actually less reliable than commercial grade equipment. For example, commercially available electrical switches may have a higher reliability than those that meet all the safety grade criteria but are based on outdated technology. Exchanging these switches would be an example of a double benefit, improved safety and lower costs.

(3) Since common cause failures are usually far more important than random failures, it may be necessary to improve the common cause failure data bases and analyses. Perhaps some potential common cause failures are mistakenly reported as random failures because the common components that were affected had failures that appeared at different times.

(4) This data base effort may also change our understanding of the risk profile of nuclear plants. Returning to the pipe thinning example, it may be justified to derive two values for pipe break (LOCA) frequencies, one for carbon steel and one for stainless steel piping. Based on present operating experience and failure mode analyses, a lower large break LOCA frequency value may be justified for stainless steel piping than for carbon steel. This could result in a somewhat reduced calculated core melt frequency value for PWRs since PWR primary system boundaries are made of stainless steel. More importantly, this could sharply reduce the calculated contribution to the core damage frequency that is now attributed to large breaks. Even now much of the core damage frequency is dominated by non-LOCA (zero break area events, e.g., station blackouts) and small break area events. A further reduction of the large break area contribution to the overall core damage frequency could alter the risk importance of those components used in the emergency core cooling systems of PWRs to cope with large breaks, relative to those components needed for the zero to small break area range. If more appropriate data lead to the conclusion that virtually all of the core damage frequency is to be found in the zero to small break area size for PWRs, then significant ECCS regulatory burdens could be reduced and more attention could be turned to accident prevention/management in the appropriate break size range. In fact, based on leak-before-break analyses (see NUREG/CR-4792, "Probability of Failure in BWR Reactor Coolant Piping"), data already exist that show that large double-ended guillotine breaks are extremely unlikely.

(5) Another potential benefit to a more refined data base collection and analysis effort is the possibility that even where it is appropriate to apply regulatory requirements to important systems, these requirements can be further focused using this more appropriate information.

(6) Much of what is discussed above relates to generic issues. On a plant specific basis the pertinent data that are generated during plant operation could be fed back into the PSA to keep it a "living" document. Similarly, it may be valuable to develop performance based indicators to monitor plant systems. These indicators could provide inputs to performance based regulations. Present NRC and INPO plant monitoring efforts may be sufficient for this need. They would monitor performance to assure the validity of the risk evaluations and to identify trends that need to be controlled. Part of this monitoring process would be evaluations of newly imposed regulations, if any. New regulations may evolve out of a clearer understanding of the risk significance of initiating events, common cause failures, human errors, and balance-of-plant systems, and new perceptions derived from the expanded data base and PSA importance weighting methodology (see Section 5.1).

3.3 Human Actions

Sections 3.1 and 3.2, above, are largely "hardware" oriented. Yet it is well established that human actions can be an important determinant in core damage sequences. Human actions can also affect the containment conditional failure probability. Therefore risk-based regulation would address both hardware issues and "the partial derivative of risk with respect to human actions". This partial derivative might be expressed as the sum of three terms, i.e., the human component in:

Initiating Events,
Common Cause Failures, and
Accident Recovery.

Present PSAs may use initiating event and common cause frequencies derived from data tables which do not necessarily identify how much of the frequency of a type of event is due to human actions. Yet we know that the fire at the Browns Ferry plant, the locking out of the auxiliary feedwater valves at TMI, the power excursion at SL-1, and the destruction of the Chernobyl plant all involved initiating events that were largely due to human error. By reexamining the data bases, as already discussed in section 3.2.3, one may be able to extract the role of humans in accident initiation and in common cause failures.

The role of humans in accident recovery has been and still is an area of considerable study. Once again PSAs can be valuable. One may recalculate a PSA without taking any credit for recovery actions by the plant operators. The difference between the base case PSA, with recovery actions, and the modified PSA, without giving credit for recovery actions, would yield an overall measure of the merit of human recovery actions. PSAs can also identify the specific benefits of human actions in various accident sequences, even to the point of identifying which human actions applied to which plant features produce the largest risk reduction impacts.

Understanding the role of humans in the initiating events, common cause failures, and in accident recovery actions would provide valuable guidance in structuring training programs. Such information would also be a major step towards quantifying the risk significance of training and how resources should be distributed in this area relative to others.

3.4 Summary

Regulatory optimization involves two processes, one of scope and the other of content. The PSA based ranking process applied to systems and components helps identify which plant features should be subject to regulatory requirements, i.e., the scope. The data collection and analysis process helps determine the content of such regulations to assure effectiveness.

Note that it is not intended that the regulatory process be so finely tuned that there is a different level of requirements for every point on the risk ranking list or that applying a particular regulatory process would differ from plant to plant. Such a finely divided structure would become so complicated that it would not be manageable. Therefore it is suggested that the levels of effort be limited to two or three, i.e., a standard commercial practice level plus one or two safety related levels, per regulatory process.

4. Packaging

As discussed in the Executive Summary, an important element of this pilot program would be the "packaging" concept. Each package would have two characteristics: a net decrease in risk and a net decrease in burden on the operator, i.e., a win-win process. For example, a plant's technical specifications may be modified to reduce the allowable outage time or to test more frequently a very important system. This would increase safety, i.e., reduce the core damage frequency and/or the expected value of the person-rems. The other part of the package might be a relaxation of allowable outage times (AOTs) or surveillance test intervals (STIs) for many plant features where, based on a plant's PSA, such relaxation has been shown to have a limited impact on risk. When taken together as a package, there would be a net decrease in risk and a net decrease in operating burden. Similar packages have already been constructed by licensees and the NRC, so that a precedent exists for this approach.

Certain packages can be put into place in the near term since they build on precedents and do not require complete resolution of methodology development (see Section 3.1) or improved data bases (see Section 3.2.3). Tradeoffs could be on a core damage frequency basis or on a person-rem basis. For example, one could show that tighter configuration control of some plant features would yield a reduction in core damage frequency that exceeds the increase in core damage frequency brought on by extending the AOTs of other plant features. Alternatively, one might show that tighter configuration control might reduce the expected person-rems by an amount that exceeds the increase in person-rems due to AOT extension. Both arrangements would meet the objective of a net risk improvement. However, some cautions may have to be exercised. There could be situations where there is a net decrease in core damage frequency, but a significant net increase in person-rems. An example of this would be to decrease the frequency of small break LOCAs while increasing the frequency of interfacing system LOCAs ("V" sequences in PWRs). Since small break LOCAs generally have higher frequencies than "V" sequences, a net decrease in core damage frequency in such a tradeoff should be achievable. However, many small break LOCAs do not lead to releases of radioactive material to the environment, while "V" sequences could have large consequences. Therefore, it would seem logical to forbid this kind of a tradeoff. Risk is often defined as the product of the frequency of release of radionuclides to the environment times the consequences (in person-rems) of such a release. Often a net decrease in release frequency or a net decrease in person-rems would result in a net decrease in risk for a given package. When this is not the case, such a package would not be acceptable. Hopefully, there will be many situations where both the net core damage frequency and the net person-rems are improved in the same package, and such packages might be developed first. After having established a net decrease in risk, a package would be formed if this also showed a net decrease in burden.

A number of examples already exist where a risk-based approach to the technical specifications has been used (see references 9-12). CEC, NEU and CP&L have successfully implemented some improvements. In addition to these efforts Brookhaven National Laboratory has been investigating various packaging possibilities based on NUREG/CR-5200 (13). This NUREG examined AOT and STI requirements at the ANO-1 nuclear power plant. BNL recently reported that it has utilized these earlier ANO-1 analyses to develop two case studies. In the first case a single system, the emergency feedwater initiation control system (EFICS), was examined. As presently structured, there are 19 low-risk-impact monthly EFICS logic tests and three monthly high-risk-impact tests. BNL found that if the test interval of the 19 low-risk-impact tests was doubled and the test interval of the 3 high-risk-impact tests were halved (increasing the test frequency by a factor of two), there would be an overall reduction in the core melt frequency by about 3.5%. At the same time, the total number of EFICS tests per year would decrease by about 30%, from 264 to 186. In the second case examined by BNL, two different systems were looked at. The high-risk-impact system is the ECCS and the low-risk-impact was a HPIS, RBSS, and RBCS composite. By doubling the test frequency of the high-risk-impact system while halving the frequency on the low impact group, the overall decrease in core melt frequency was 6.6% and there was a 28% decrease in the number of tests per year.
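A surveillance test interval package of the EFICS kind, checked against the two conditions of this section (a net decrease in risk and a net decrease in burden) together with the person-rem caution of the small break LOCA versus "V" sequence tradeoff. This is an added example, not from the NYPA document or the BNL study it cites: only the 19 low-risk and 3 high-risk monthly tests are taken from the BNL case, every failure rate, importance and other test count is constructed, and the unavailability of a periodically tested standby feature is taken as the standard first-order λT/2.

```python
"""Added example, not from the NYPA document or the BNL study it cites.
A surveillance test interval (STI) "package" is checked against the two
Section 4 conditions: a net decrease in risk on both the core damage
frequency and the person-rem measure, and a net decrease in burden (here,
tests per year).  Only the 19 low-risk and 3 high-risk monthly EFICS tests
come from the BNL case; all rates, importances and other counts are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TestGroup:
    name: str
    n_tests: int            # distinct surveillance tests in the group
    interval_months: float  # surveillance test interval T
    failure_rate: float     # standby failure rate per month of the tested feature
    birnbaum_cdf: float     # dCDF/dU: core damage per reactor-year per unit unavailability
    birnbaum_rem: float     # d(person-rem per year)/dU

    def unavailability(self):
        # Time-averaged unavailability of a periodically tested standby feature,
        # lambda*T/2 (first-order model; test-caused downtime is left out).
        return self.failure_rate * self.interval_months / 2.0

    def tests_per_year(self):
        return round(self.n_tests * 12.0 / self.interval_months)


def plant_risk(groups, cdf_other, rem_other):
    """CDF and expected person-rem per year: contributions of the tested
    features plus a constant for everything else in the PSA."""
    cdf = cdf_other + sum(g.n_tests * g.birnbaum_cdf * g.unavailability() for g in groups)
    rem = rem_other + sum(g.n_tests * g.birnbaum_rem * g.unavailability() for g in groups)
    return cdf, rem


def evaluate_package(before, after, cdf_other, rem_other):
    """Apply the Section 4 acceptance rule to a proposed STI package."""
    cdf0, rem0 = plant_risk(before, cdf_other, rem_other)
    cdf1, rem1 = plant_risk(after, cdf_other, rem_other)
    tests0 = sum(g.tests_per_year() for g in before)
    tests1 = sum(g.tests_per_year() for g in after)
    # A CDF decrease bought with a person-rem increase (the small break LOCA
    # versus "V" sequence case) is not a net decrease in risk.
    net_risk_decrease = cdf1 < cdf0 and rem1 <= rem0
    net_burden_decrease = tests1 < tests0
    return {
        "tests_per_year": (tests0, tests1),
        "cdf_change_pct": 100.0 * (cdf1 - cdf0) / cdf0,
        "rem_change_pct": 100.0 * (rem1 - rem0) / rem0,
        "acceptable": net_risk_decrease and net_burden_decrease,
    }


def retimed(groups, factors):
    """Copy of `groups` with each interval multiplied by the matching factor
    (2.0 doubles the interval, 0.5 doubles the test frequency)."""
    return [replace(g, interval_months=g.interval_months * f) for g, f in zip(groups, factors)]


# Package 1, patterned on the BNL EFICS case: 19 low-risk-impact and 3
# high-risk-impact monthly logic tests (the counts are BNL's, the rest constructed).
EFICS = [
    TestGroup("low-risk-impact logic tests", 19, 1.0, 2.0e-4, 2.0e-4, 1.0),
    TestGroup("high-risk-impact logic tests", 3, 1.0, 2.0e-4, 1.0e-2, 20.0),
]
EFICS_PACKAGE = evaluate_package(EFICS, retimed(EFICS, (2.0, 0.5)),
                                 cdf_other=1.662e-5, rem_other=2.1e-3)

# Package 2, the tradeoff the document says should be forbidden: test the small
# break LOCA mitigation features twice as often and the interfacing system LOCA
# ("V" sequence) isolation valves half as often.  CDF and test count both fall,
# but the person-rem measure roughly doubles, so the package is rejected.
V_TRADE = [
    TestGroup("small break LOCA mitigation tests", 2, 1.0, 2.0e-4, 2.0e-2, 5.0),
    TestGroup("V-sequence isolation valve tests", 8, 1.0, 2.0e-4, 1.0e-3, 500.0),
]
V_PACKAGE = evaluate_package(V_TRADE, retimed(V_TRADE, (0.5, 2.0)),
                             cdf_other=1.52e-5, rem_other=2.1e-3)

if __name__ == "__main__":
    for label, result in (("EFICS package", EFICS_PACKAGE), ("V-sequence trade", V_PACKAGE)):
        print(label, result)
```

The EFICS-style package reproduces the 264 to 186 tests per year of the BNL case from the 19/3 split alone, and in this constructed model also lowers both risk measures; the V-sequence trade fails only on person-rems, which is exactly the case the section says must be forbidden.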

Dr. William Vesely plans to present a paper, "Reliability and Risk-Based Prioritization of Operational Activities", at the July 22-25, 1991 ANS meeting in Portland, Oregon. This paper parallels the discussions in this document. The Vesely ANS paper will identify packages with even larger risk and burden reductions than in the above BNL cases.

In general, any time there are two systems with different risk significances it is likely that a package can be created by increasing the test frequency of the more important system while decreasing the frequency of the less important system. In some circumstances it may be particularly valuable for a utility to modify test frequencies so that there is concurrence between planned refueling outages and testing that can only be done in a shutdown condition. Some thought needs to be given to the definition of the word "burden". It may be measured in total number of tests, total test hours, operating personnel radiation exposure, dollars, etc. Somewhat different packages may be created by different definitions of what constitutes "burden". There is no reason to limit the number of different definitions, and the choice in a particular package would be up to the originator of the package.

Because of Commission interest and experience in these areas, the most likely places to begin creating "packages" would be in the risk-based technical specifications area and then in maintenance. NYPA is now sponsoring an effort at the Massachusetts Institute of Technology under the direction of Professors Norman Rasmussen and Nathan Siu. This MIT effort, "Research for Operating and Maintenance Cost Reduction Using Probabilistic Risk Analysis (PRA)", also uses the JAF PSA. In view of the Commissioners' interest in this subject ("... maintenance as an ideal opportunity to incorporate some of the lessons that we have learned from our experience with technical specifications"), it appears that the MIT effort could be very useful. Phase two would include a review of the MIT effort and a determination of how its results could be utilized in meeting the Commissioners' risk-based maintenance goals. A "packaging" approach to maintenance should be explored in this phase, based on insights gained from the MIT effort and the technical specifications packaging effort.

There appear to be two types of packages, "horizontal" packages and "vertical" packages (see Figure 2). Horizontal packages involve tradeoffs where every element of the trade started and ended within the scope of regulatory review, e.g., shorter AOTs for a more risk significant system traded for extended AOTs for less important systems. Vertical packages involve tradeoffs that can move new items into the scope of regulatory review and other items into the commercial practice area.

[Figure Two: Packaging Concepts. "Horizontal" packages trade off core damage frequency and person-rems between plant features that all remain within the scope of regulatory review; "vertical" packages trade new requirements or design modifications against plant features reclassified to standard commercial practices.]

An example of vertical packaging would be: A plant operator proposes to the NRC to modify his plant by adding a new piece of hardware, e.g., a new source of emergency electric power. A reanalysis of the plant's risk level would then show that by adding this new source of electric power and reclassifying other safety grade equipment as commercial grade, risk levels would be lower than before, i.e., a net decrease in risk. The investment in the new source of emergency electric power would have to be more than offset by savings achieved by reclassifying the former safety grade equipment to demonstrate a net decrease in burden.

When the methodology development and data base collection and analysis tasks are sufficiently mature, then an advanced type of package can be created. It maintains the dual objectives of decreased risks and reduced operator burden: determine the quantitative risk reducing effectiveness of various regulatory processes such as quality assurance, training, maintenance, etc. Once such quantification has been done, form packages, e.g., increase operator training while reducing quality assurance expenditures in areas where QA is of limited effectiveness.

The above is only one example of an "advanced" package and many other packages are possible. In fact, should this program succeed in quantifying the effectiveness of various regulatory processes, an interchangeable "currency" is created. In theory one could then trade off, for example, design improvements for reduced maintenance efforts.

This pilot program is intentionally structured to progress from the simplest packages to more advanced ones. It is important to gain experience and confidence in packaging as the program goes along. At the end of each phase there would be a program review and the success of packaging would be evaluated.

5. An Overall Regulatory Framework

The use of risk-based regulations lends itself to an overall regulatory framework. The overall regulatory framework suggested here is divided into regulatory actions governing potential severe accidents and other regulatory actions governing normal operations (including emergency planning).

5.1 Severe Accidents

One way to regulate severe accidents, as depicted in figure three, is to make use of the long discussed NRC safety goals. The interpretation of this figure is that nuclear plants are designed and operated so that both the core melt frequency criterion and the early and latent fatality public health goals are met. These goals are defined as follows:

A. Core Melt Frequency Criterion:

The mean frequency of events at a nuclear power plant leading to a core melt shall be equal to or less than 10^-4/RY.

B. Public Health Goals:

Early Fatality Goal: The mean early fatality risk to the average individual in the vicinity* of a nuclear power plant shall be less than one part in a thousand compared to the background non-nuclear early fatality risk the average individual is exposed to.

Latent Fatality Goal: The mean latent fatality risk to the average individual in the vicinity* of a nuclear power plant shall be less than one part in a thousand compared to the background non-nuclear latent fatality risk the average individual is exposed to.

Use of the above core melt frequency criterion and public health goals would require decisions on the role of external events in calculating if a plant meets these criteria. One thought that may be helpful is to divide external events into two categories, those that affect the surrounding population in non-radiological ways and those that do not. Seismic events and major floods are two examples of initiating events which, by themselves, affect the non-nuclear public health risks. As pointed out by NUREG-1420, "Special Committee Review of the Nuclear Regulatory Commission's Severe Accident Risks Report (NUREG-1150)" in section 4.3.2, seismic events that are large enough to cause significant plant damage and large releases would most probably result in considerable other societal damage in terms of loss of life and property. As stated in NUREG-1420, "This finding should be kept in mind as the NRC safety goals are basically related to other types of risks through comparisons". With this thought in mind, earthquakes, major floods and other external events that by themselves cause widespread damage may not increase the ratio of nuclear fatalities relative to background non-nuclear fatalities. One conservative way to apply this thought is to not include the effects of area-wide external events in either the numerator or the denominator of the public health safety goals calculations. Other external events that are not area-wide, such as plant fires, might be added to the more traditional internal events to test for compliance.

It has also been observed that severe external events have the potential to lead to station blackout situations (see NUREG/CR-5042, Supplement 2, "Evaluation of External Hazards to Nuclear Power Plants in the United States", Section 4.2). Depending on the containment design, station blackouts that lead to a core melt situation may not have very large radioactive releases to the environment because of source term reduction during the long time it takes to reach containment failure. This observation, if generally true, would indicate that external events, be they area-wide or not, would not be major contributors to offsite radiological risks.

For both of the above reasons it may be valid to only consider the role of external events in meeting the core melt frequency criterion, if at all. In any case, this subject would have to be resolved during the course of this effort.

* The definition of vicinity could differ for the two health goals, e.g. within one or two miles of the plant for the early fatality goal and ten miles for the latent fatality goal.

There is uncertainty in the absolute values calculated by probabilistic safety studies. Some of this uncertainty is due to the variability of parameters which can affect the final risk results. For example, the normal variability of meteorological conditions would give rise to a range of consequence values even if all other parameters in a PSA calculation were single-valued. In an actual PSA many portions of the analysis are not single-valued, but are represented by some distribution curve. Because of this, PSA results are often displayed as a band whose width encompasses the 5% and 95% confidence levels. It is suggested here that when comparing a plant's calculated core melt frequency or public health risks to their associated safety goals, mean calculated values are used. Mean values typically represent confidence levels in the 80-90% range. Therefore the use of mean values is on the conservative side.

Other contributors to PRA uncertainty are unknowns. There are several types of unknowns such as incomplete data, modeling limitations and unidentified accident sequences. Therefore it is possible to have situations that lie beyond the range of calculated PSA values. The traditional deterministic licensing approach in dealing with unknowns is to require some margin beyond conservatively calculated values. An identical approach is suggested here. It is suggested that margins of 3, 10, and 20 be applied to the calculated mean core damage frequency, the early and the latent fatality health effect goals, respectively, to deal with unknowns.

Use of such a regulatory framework means that: the scope of the severe accident portion of the total regulatory process then becomes those requirements that are imposed upon a nuclear power plant so that the calculated core damage and public health safety goals are met, with margins for unknowns. This scope is depicted in figures two and three by the hash-marked boundary.

Should such a severe accident overall regulatory framework be adopted, then certain systems and components and plant procedures must be functional, and associated regulatory processes implemented, to demonstrate compliance with the safety goals, with a margin for unknowns. All systems, components, and procedures beyond those needed for compliance with the safety goals (with margins) would then be outside the regulatory framework and standard commercial practices would apply to them, unless they were part of 5.2 below.

[Figure three: overall regulatory framework for severe accidents. Labels recoverable from the drawing: "Regulatory framework", "Core damage frequency criterion", "Early fatality safety goal", "Latent fatality safety goal", "one part in a thousand compared to background", "Margins for uncertainty", "Scope of severe accident regulation" (the hash-marked boundary), "Standard commercial practices".]

A new PSA technique may be used to identify which plant features and procedures are required to achieve the risk levels set by these safety goals (with margins). For example, suppose it were agreed that the core melt frequency goal had a mean value of 10^-4/RY with a margin of 3 for unknowns, i.e., a regulatory boundary set at 10^-4/3 per RY. Suppose, further, that the base case PSA for a particular plant revealed a mean core melt frequency of 10^-5/RY. One could then assume that certain lower ranked plant features or procedures were totally absent (i.e., set their U=1.0), and then recalculate the core melt frequency on this basis. The result of analytically eliminating certain plant features would be a higher calculated core melt frequency. This process would be repeated until PSA results matched the 10^-4/3 per RY figure. Those plant features and procedures needed to achieve the 10^-4/3 per RY figure would be safety-related; all others would not be. This is a very conservative approach because it assumes a U=1.0 for those plant features that are not safety-related. A more realistic, yet still conservative, approach would be to use U' values closer to, but somewhat higher than, those derived from plant unavailability experience. The monitoring program of reclassified plant equipment, discussed elsewhere in this document, would signal if any plant feature exceeded the U' values used in this analysis; corrective action would be taken if the observed U values exceeded the U' values. If U' is used instead of U=1.0, the list of safety-related plant features and procedures would be shorter and the action levels of the monitoring program would be consistent with the PSA analysis.

The above use of PSA techniques to correlate safety goals to the list of equipment defined as safety-related is new. It may be easier to use than the previously discussed importance weighting techniques. The validity of this new technique would be reviewed in the Methodology Development task.

Regardless of the method used to separate the risk important plant features from the unimportant ones, only those regulatory processes that are effective would be applied to the risk important features.
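The iterative elimination described above, as an added example that is not part of the original document: a constructed toy PSA model (three cut sets and eight plant features with hypothetical unavailabilities, none of them JAF data) is ranked by the CDFx/CDFo ratio, then features are assumed absent from least to most risk important, each kept reclassified only while the recalculated mean core melt frequency stays within the 10^-4/3 per RY boundary. It also runs the U' variant (a constructed factor of 3 times the base-case U) to show the shorter safety-related list; a candidate whose removal would break the boundary stays safety-related and the walk continues with the next one, which is an assumption of this example.

```python
"""Added example: solving for the complement of plant features needed to meet a
core melt frequency goal with a margin for unknowns (constructed toy PSA model)."""
from math import prod

# Constructed, hypothetical base-case unavailabilities (U) per plant feature.
FEATURES = {
    "edg": 0.01,          # emergency diesel generators
    "gas_turbine": 0.02,  # new source of emergency electric power
    "feedwater": 0.05,
    "hpci": 0.03,
    "rcic": 0.04,
    "lpci": 0.02,
    "core_spray": 0.02,
    "firewater": 0.10,    # fire water cross-tie used as a last-resort injection source
}

# Constructed minimal cut sets: (initiator frequency per RY, features that must all fail).
SEQUENCES = [
    (0.05, ("edg", "gas_turbine")),                # loss of offsite power, no on-site AC
    (0.5, ("feedwater", "hpci", "rcic", "lpci")),   # transient, loss of all injection
    (1e-3, ("lpci", "core_spray", "firewater")),    # small LOCA, loss of low-pressure injection
]

CORE_MELT_GOAL = 1e-4  # mean core melt frequency criterion, events per RY (Section 5.1)
MARGIN = 3.0           # margin for unknowns applied to the core melt frequency


def core_melt_frequency(u):
    """Rare-event approximation: sum over cut sets of frequency x product of U values."""
    return sum(freq * prod(u[name] for name in feats) for freq, feats in SEQUENCES)


def risk_achievement_worth(u):
    """CDFx/CDFo for each feature, i.e. the ratio with that feature's U set to 1.0."""
    base = core_melt_frequency(u)
    return {name: core_melt_frequency({**u, name: 1.0}) / base for name in u}


def conservative_u(name, base_u):
    """Conservative treatment of a reclassified feature: assume it is totally absent."""
    return 1.0


def realistic_u_prime(name, base_u):
    """U' variant: somewhat higher than experience (constructed factor of 3, capped at 1.0)."""
    return min(1.0, 3.0 * base_u)


def classify(u, goal=CORE_MELT_GOAL, margin=MARGIN, reclassified_u=conservative_u):
    """Walk features from least to most risk important. Each is tentatively reclassified
    (its U replaced by reclassified_u) and kept reclassified only if the recalculated core
    melt frequency stays at or below goal/margin; otherwise it stays safety-related.
    Returns (safety_related, reclassified, resulting core melt frequency)."""
    boundary = goal / margin
    raw = risk_achievement_worth(u)
    current = dict(u)
    safety_related, reclassified = [], []
    for name in sorted(u, key=raw.get):
        trial = {**current, name: reclassified_u(name, u[name])}
        if core_melt_frequency(trial) <= boundary:
            current = trial
            reclassified.append(name)
        else:
            safety_related.append(name)
    return safety_related, reclassified, core_melt_frequency(current)


if __name__ == "__main__":
    print(f"base case CMF = {core_melt_frequency(FEATURES):.3e}/RY")
    for label, rule in (("U=1.0", conservative_u), ("U'", realistic_u_prime)):
        sr, rc, cmf = classify(FEATURES, reclassified_u=rule)
        print(f"{label}: safety-related={sr}, reclassified={rc}, CMF={cmf:.3e}/RY")
```

With the conservative U=1.0 rule only the two least important features can be reclassified, whereas the U' rule reclassifies five, which is the shortening of the safety-related list the text describes.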

5.2 Normal Operations

Section 5.1 addresses offsite severe accident concerns. Other regulations dealing with onsite normal operations, such as implementing the ALARA principle, emergency planning, plant security, the handling and storage of nuclear fuel and radioactive wastes, and routine releases to the environment, would supplement severe accident based regulations. This document does not address the regulatory aspects of normal operations.

5.3 Reclassified Plant Features

If such an overall regulatory framework were adopted, then some systems and components that are today within the scope of regulatory review may be reclassified into the standard commercial practices category. Reclassification is in the spirit of Generic Letter GL88-20, as discussed in the introduction of this document, namely, "...and provides a basis for the possible elimination of actions determined to have low safety significance for the individual plant".

Reclassification may initially raise concerns that this opens the door to significant potential degradation of the reclassified systems and components. There are, however, a number of considerations that can be used to dispel this concern, such as the use of monitoring and other assurances listed below. One only needs to look at how the electric power industry maintains non-nuclear facilities to observe that many forces exist to prevent unwarranted degradation of plant equipment or procedures. There is the force of economic competition. Degraded equipment can result in a lower capacity factor and reduced earnings. Further, most electric utilities are subject to economic regulation through their Public Service Commissions. Economic regulators can disapprove the recovery of financial losses through unwarranted plant degradation. Worker safety is another force. Union contracts, labor laws, OSHA, etc. all exert an influence to keep the workplace free of hazards that could be brought about by improper equipment degradation. Last, but not least, is corporate pride. Most utilities would not want to be viewed as an inferior operation that allows plant equipment to fall below standard industrial norms.

Evidence that commercial practices at nuclear power plants meet high standards independent of the regulatory process can also be seen by observing the strict specifications in the purchase orders of non-safety grade equipment bought by the electric utilities. Further, the equipment manufacturers themselves often produce identical safety grade and commercial grade components in order to be cost effective. It does not usually pay to manufacture two different quality levels. In these cases, being classified as "safety grade" may be mostly a matter of expensive documentation.

Before a system or component is reclassified this would have to be justified by a PSA analysis of its contribution to meeting the core damage frequency and health safety goals. Application of the improved PSA importance weighting methodology and the improved data base means that there is a carefully controlled process by which such decisions would be made. Secondly, there is monitoring. Previously we spoke of monitoring equipment performance as part of the "living PSA" process. Such monitoring would also include observing the long term effects of reclassified plant equipment. Reclassification may lead to removal of some plant equipment. The effects of such removal should also be observable through the monitoring process. Thirdly, it is also possible that reclassifying plant features into the commercial category could actually raise the overall availability. Commercial grade equipment often costs significantly less than equivalent equipment with a "safety grade" identification and may be more available because of a larger number of equipment vendors. Because of these lower costs and greater availability, replacement of reclassified aging equipment with new equipment becomes more attractive than what exists today. Further, replacement equipment, being in the commercial category, may use more reliable up-to-date technology. With lower costs due to reclassification, there could be a shift from repair to replacement of aging equipment. Lastly, reclassification can go in the direction of adding regulatory requirements, if a case can be made for it (i.e., it is required to meet the safety goals or required by the backfit process).

Reclassifying plant features into commercial grade status may not alter actual risks in any meaningful way. PSAs today show very low risks, yet much of the data bases upon which these low risk values are calculated are derived from commercial grade equipment unavailabilities. Further, nuclear plants today are already divided into safety grade/NRC reviewed plant features and commercial grade/not NRC reviewed plant features. Therefore the application of this overall regulatory framework does not introduce a new regulatory principle; rather it implements present regulatory practice with greater precision and in a more consistent manner. In fact, it would not be surprising if PSA analyses revealed that some plant features, now labeled as safety-related, and some plant features, now categorized as not safety-related, had comparably low risk significances.

6. Advanced Nuclear Power Plants

Risk-based regulation can apply to all nuclear power plants, be they present operating plants or advanced units. Moreover, the use of an overall regulatory framework may have some advantages in encouraging public acceptance of nuclear power. Communicating the strict core melt frequency criterion and the very low early and latent health risks that nuclear plants are held to may be an additional way to encourage public support. Furthermore, if it is the NRC policy to require that advanced units meet even more stringent criteria, this too might be more clearly communicated when overall regulatory frameworks are used. For example, if present plants need to meet a 10^-4/RY core melt frequency criterion while advanced plants would be required to meet a 10^-5/RY criterion, it should be apparent that advanced plants would have to conform to a ten-fold stricter criterion. Thus, while nuclear vendors can describe the special advantages of their advanced designs, the nuclear regulator can discuss the strict criteria present plants are held to and the even more stringent requirements of future plants.

Of even greater importance is the fact that risk-based regulation could provide a regulatory continuum. It appears that advanced reactors may be regulated on severe accident criteria with an approach similar to that proposed here. By having present plants also on a risk basis, a significant source of confusion could be avoided. For example, it would be difficult to regulate a present operating plant on a deterministic basis and its neighboring advanced plant on a risk basis. The use of an overall regulatory framework has the advantage of regulating all nuclear power plants in a standardized and compatible way.

7. Policy Issues

Implementation of this program involves some fundamental policy decisions that should be established at the beginning of the effort. To illustrate this, first consider the issue of reclassification.

There are several pathways by which present safety-related equipment might become reclassified into the commercial grade category. They are:

A. A "vertical" package is implemented where a former safety-related plant feature is reclassified because a new plant feature has been introduced (See Section 4), and

B. A plant feature is importance ranked and shown to have a low risk significance, such as the examples derived from Table I (See Section 3.1), and

C. A plant feature is not part of the complement of equipment needed to meet the requirements of the overall regulatory framework (See Section 5.1).

In one way, items A, B, and C, above, are similar. All three pathways to reclassification to commercial grade status require NRC/industry agreement on how such reclassification is to be implemented. A clear understanding must be achieved of the requirements placed upon the licensee to achieve and maintain plant features in a reclassified status.

Items A, B, and C also differ from each other and each would require different policy decisions, if implemented. The use of packages, such as discussed in item A, appears to be the easiest to implement. All packages, horizontal and vertical, deal with risk on a relative basis. All that need be shown is that should a package be implemented, there is a net decrease in risk. This approach avoids any decisions on the acceptability of any absolute value of risk or the ability of any technological approach to demonstrate compliance by comparing calculated absolute risk values to numerical goals.

In order to implement item B one would rank plant features according to some baseline figure which, itself, would be an absolute risk number. There would then have to be a policy decision made that establishes a "cut-off" level in the ranking list that separates the safety-related plant features from the not-safety-related ones. Even if a standard "cut-off" level were agreed to which was applied to all nuclear plants, in absolute risk terms the cut-off point could differ from plant to plant. For example, it could be agreed that all plant features whose total absence (U=1.0) did not increase the CDFx/CDFo ratio by more than 1.05 were considered not-safety-related (See Section 3.1.1 for a more complete discussion). However, a 1.05 factor in one plant could be at a very different risk level than the risk level at another plant. Such variations may, nonetheless, be acceptable, since nuclear plants today already operate at different risk levels. Therefore item B involves policy decisions on the cut-off value and agreement that the potential variability of the absolute risk from plant-to-plant is acceptable.

Item C may represent the most difficult approach to reach agreement on because it deals with absolute risk. Further, if the approach used in item C were used, one might need to address what one does with plants whose PSAs indicate that they are capable of achieving risks below the levels called for by the overall framework. Would it be permissible to relax regulatory requirements to the point that calculated risks rose to the level established by the overall framework, assuming no credit for the not-safety-related equipment? (Item B has a similar concern due to the effect of those features below the cut-off level.)

While the item C approach may present greater regulatory challenges, the potential rewards also appear to be greater. Solving for the complement of plant features and procedures needed to meet a set of goals (with margins) may be technically easier to do than developing an advanced ranking process. Further, all nuclear plants would be "standardized" to the same overall risk level, leaving economic and public acceptance incentives up to the plant operator who may wish to operate at an even lower risk level. The associated clear definitions of "How safe is safe enough?" and "What is safety-related and what is not?" that this method produces have great value. The benefits of a regulatory continuum between present and advanced plants that item C might achieve may more than compensate for the efforts to bring it about.

So one major policy decision in this program would be the commitment to try to resolve issues of absolute risk within a reasonable time period. It is recognized that packages, particularly horizontal ones, are more readily achieved. Fortunately both relative and absolute risk activities can take place simultaneously and this program intentionally pursues the more readily achievable tasks first.

The next major policy decision is the commitment to quantify the effectiveness of regulatory processes and to act upon the results of such quantifications. This can mean either relaxation or more restriction of regulatory requirements, depending on the merits of the situation.

In summary, the major policy issues are commitments to:

(1) Implement packages, where justified,

(2) Separate the more risk important plant features from the less important ones,

(3) Quantify the risk effectiveness of regulatory processes and apply only the effective processes to the risk important plant features, and

(4) Establish the program for plant features that are reclassified as not-safety-related.

8. Institutional Benefits

An overall regulatory framework, improved PSA importance weighting technology, an expanded data base, and the packaging concept can yield enormous institutional benefits. The regulatory process becomes more integrated, more objective, and more predictable.

It is interesting to note other ramifications of this approach. It encourages plant operators to seek further safety improvements and, by doing this, obtain cost reductions, reduced economic risks and gains in public acceptance as additional benefits. Such incentives may yield the most practical and effective way to achieve "living PSAs" as utilities constantly search their plant operations and PSAs to create new "packages" or to find more efficient ways to meet the objectives of the safety goals.

It is quite likely that many such safety improvements could never be justified either by the NRC or the licensee using traditional value/impact backfit analyses. Moreover, with the incentive of reduced operating burden, etc., the licensee, rather than the NRC, becomes the initiator in seeking out such safety improvements. This is a fundamentally "healthier" process. While the NRC still retains its backfit regulatory authority, modifying plant designs and procedures might take on a more cooperative and constructive nature with this approach.

9. Program Description

9.1 Three Main Phases

It is proposed to move forward with a three phased pilot program (see figure four). Phase one, Data and Methodology Development, would proceed along several parallel paths. One path would be concerned with the creation of a basic document. Such a document would be completed upon the staff's approval of NYPA's level II PSA of the James A. FitzPatrick (JAF) plant. The other paths would include a more detailed description of the risk-based technical specifications program and the establishment of the method development and data base tasks.

Phase two, Applications and Policy Development, would include implementation of the risk-based technical specifications effort, including packaging efforts that would trade off tighter configuration control requirements for extended AOTs and STIs. During this phase the MIT risk-based maintenance effort would be reviewed and implemented. Experience gained from the implementation of risk-based technical specifications would be applied to this risk-based maintenance task.

Phase two should also mark the completion of both the methodology development and data base collection and evaluation efforts. This would pave the way for advanced "horizontal" packages, described earlier (See Section 4). During phase two a new task, the establishment of an overall regulatory framework (See Section 5), would be established.

Phase three, Reclassification and Advanced Applications, would include the completion of the regulatory framework task, the reclassification of JAF systems and components according to this regulatory framework, and the use of advanced "vertical" packages, as available. When phase three is completed the JAF plant would be a model of a present operating plant which is regulated on a risk basis.

At the conclusion of each of the three phases a report would be written, discussing the progress made and agreements reached.

This pilot program, while utilizing a great deal of present technology, would also be breaking new ground. It is expected that many basic policy questions would need to be resolved. New data bases may have to be generated in order to quantify various regulatory activities. Agreements on how to maintain the dual nature of improved safety and reduced operator burden during this evolutionary program would have to be reached several times. Therefore it is proposed that prior to initiating the second and third phases of this effort, the major contributors assess their positions to determine the desirability and form of their continued involvement.

9.2 Task Descriptions

Phase One: Data and Methodology Development

Task I     Complete Level I PSA of JAF plant
Task II    Complete Level II PSA of JAF plant
Task III   Regulatory review of JAF PSA
Task IV    Establish data base review and evaluation effort
Task V     Establish methodology development effort
Task VI    Establish Technical Specifications effort
Task VII   Phase one review and evaluation
Task VIII  Issue report on phase one

Phase Two: Applications and Policy Development

Task I     Rank JAF systems according to person-rem and core damage frequency criteria
Task II    Identify JAF risk dominant sequences and identify dominant failure modes of the risk dominant sequences
Task III   Implement risk-based Technical Specifications
Task IV    Complete data base review and evaluation task
Task V     Complete methodology development task
Task VI    Review MIT effort, implement risk-based maintenance efforts
Task VII   Create basic packages in Technical Specifications and maintenance areas
Task VIII  Create advanced packages, using the results from Tasks I, II, IV and V of phase two
Task IX    Establish overall regulatory framework
Task X     Phase two review and evaluation
Task XI    Issue report on phase two

Phase Three: Reclassification and Advanced Applications

Task I     Reclassify JAF systems and components, based on phase one and two efforts
Task II    Form advanced packages for JAF
Task III   Issue final report


9.3 Schedule

A complete schedule would be developed later. However, Task II of phase one should be completed by June 30, 1991. The MIT effort should be ready by September, 1991.

10. Summary

We have the potential to bring about significant changes in the regulation of nuclear power, to evolve from the deterministic criteria established 20 or so years ago by applying modern technology. To do this would require both technological and institutional advances. Achieving the technological advances is anticipated to be, by far, the easier task. Yet, if all this could be accomplished there would be a healthier nuclear industry, licensees would be "rewarded" for being proactive on safety, NRC activities would be optimized, and the public would be well served.


G. Apostolakis, " Mathematical Methods of Probabilistic j

Safety Analysis," UCLA-ENG-7464, September 1974.

~j 27.

A. E. Green and A. J. Bourne, " Reliability Technology",

j Wiley, 1972.

t

}

28.

J. K. Vaurio, " Unavailability of Components with Inspection j

and Repair," Nuclear Engineering and Design, 54, 309 j

(1979).

]

29.

V. Dimitrijevic, "A Methodology for Incorporating Aging in i

system Reliability calculations, " Massachusetts Institute j

of Technology, Ph.D. dissertation, September 1987.

2 30.

W. J. Puglia, "A Reliability Program of Nuclear Power Plant j.

Safety Systems," Massachusetts Institute of Technology, i

S.M. thesis, February.1990.

31.

E. J. Henley and H. Kumamoto, " Reliability Engineering and Risk Assessment", Prentice-Hall, 1981.

i 32.

S. E. Cooper, " Uncertainty and Importance Analyses of the Reliabilities of Systems Experiencing Aging,

{

" Massachusetts Institute of Technology, Ph.D. dissertation, December 1987.

1 33.

W. E. Vesely, " Evaluation of Allowed Outage Times (AOTs) l from a Risk and Reliability Standpoint," NUREG/CR-5425, August 1989.

1 l

34.

W. E. Vesely, " Evaluation of Diesel Unavailability and l

Risk-Effective Surveillance Test Intervals," NUREG/CR-4810, May 1987.

1 35.

W. E. Vesely and P. K. Samanta, " Framework for Integrating Surveillance Testing with other Activities, " BNL Technical i

Report A-3859-12-15-89, December 1989.

4 36.

1 W. E. Vesely, " Outline of Principles and Requirements for Performance-Based Regulations," BNL Technical Report A-3230-1-4-88, January 1988.

37.

P. K. Samanta, et. al., " Risk Methodology Guide for ACT and STI Modifications," BNL Technical Report A-3230-12-01-86, j

December 1986.

1 l

i 5-m

+ - -

22.

P. K. Saminto, ct. al., " Rick-Based Configuration control Systems, #17th Watsr Rinctor Safsty Information Mocting, October 1989.

39.

P. K. Samanta, W. E. Vesely, and I. S.. Kim, "Towards Risk-Based Control of Nuclear Power Plants,

" Nuclear Enaineerina and Desian, Submitted July 1990, to be published.

0 0

' /