ML20087J997

Response Opposing New England Coalition Against Nuclear Power Motion to File Supplemental Contention on State & Local Emergency Response Plans. Probabilistic Safety Assessment Summary Rept Encl. W/Certificate of Svc

Site: Seabrook
Issue date: 03/20/1984
From: Gad R, PUBLIC SERVICE CO. OF NEW HAMPSHIRE, ROPES & GRAY
To: Atomic Safety and Licensing Board Panel
References: CON-DSB-75 OL, NUDOCS 8403230180

Filed: March 20, 1984

UNITED STATES OF AMERICA

NUCLEAR REGULATORY COMMISSION

before the ATOMIC SAFETY AND LICENSING BOARD

In the Matter of PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE, et al. (Seabrook Station, Units 1 & 2)

Docket Nos. 50-443 OL, 50-444 OL

APPLICANTS' RESPONSE TO "NECNP MOTION TO FILE SUPPLEMENTAL CONTENTION ON NEW HAMPSHIRE STATE AND LOCAL EMERGENCY RESPONSE PLANS"

NECNP has moved for the late admission of a contention challenging the as-yet undesigned public alert system on the grounds that maybe that system will depend on off-site power, maybe the off-site power will fail from time to time, and therefore the system is inadequate under the Regulations. For the reasons set forth herein, the motion should be denied.

As the Board is aware (and NECNP admits) the design for the public notification system has not yet been published. The emergency plans presently contain what amounts to a "blank" for this item. In fact, a design study has recently been completed, and, we understand, will be contained in an amendment to the New Hampshire State Plan to be published in the near future.

The proposed new contention says, in effect, that "If the public alert system depends upon off-site AC power for operation, and if the offsite AC power system may from time to time fail, then the public notification system is inadequate under the applicable regulations." The contention is hopelessly hypothetical, and therefore fails the first teaching of the Catawba case. Moreover, if the contention were permissible in the hypothetical form, it would be hopelessly out of time, since nothing in the Seabrook Station Probabilistic Safety Assessment ("SS-PSA"), which is the sole proffered basis for excusing tardiness, supplies any new information.

The first prong of the contention is that maybe the public notification system, when the design is published, will depend upon offsite AC power for operation. NECNP Motion at 2: "To the extent that any of these systems depend upon offsite power sources to operate . . . ." (Emphasis added.) In fact, NECNP doesn't know whether there is any basis on this score in fact; there is no way that the Board can know whether there is any basis on this score in fact; and the contention is hopelessly premature and hypothetical.

NECNP proposes to deal with these problems by relying upon later amendment once the system design is available: "The issues will be clarified, however, when the design of the audible alert system, showing the extent to which the system relies on sirens and other offsite power-dependent systems, is submitted." NECNP Motion at 5. Such a contention is inadmissible (without regard to timeliness), and the notion of admitting a contention now in order to wait and see if it has any basis when later information is available has been explicitly rejected. Duke Power Company (Catawba Nuclear Station, Units 1 and 2), ALAB-687, 16 NRC 460, 466-67 (1982), rev'd on other points, CLI 19, 17 NRC 1041 (1983).

The second prong of NECNP's proposed contention is that there is some correlation -- some connection -- between a loss of offsite power to the circuits that feed residential houses and street lighting poles, and the circuits that provide off-site AC power to Seabrook Station for plant operations. It is on the basis of such an assumed connection that NECNP infers a correlation between the happening of an emergency at Seabrook and the need for the off-site notification system. NECNP Motion at 2-3 & n:

"The [SS-PSA] demonstrates that over half of the accidents at Seabrook leading to a significant radioactive release (and thus requiring an emergency response) would involve a loss of offsite power. Therefore the sirens and any other notification devices dependent upon offsite power are likely to be disabled and rendered useless in an emergency at Seabrook."

(Emphasis added; footnote omitted.) There is, however, no basis for the assertion contained in NECNP's motion, nor does the SS-PSA supply any.1 For this additional reason, the contention lacks basis and is therefore inadmissible, without regard to timeliness.

Finally, even if the basis and specificity rules permitted a contention to be advanced in the form in which this one is offered, this contention would be inadmissible because it is untimely. If it is sufficient to say that some sirens need AC power and sometimes AC power goes out, then this contention could have been admitted months -- maybe even years -- ago.

If there is no need to await the public notification system design, then there was no need to wait for the New Hampshire State Plan. The PSA adds nothing to the hypothetical (nor, indeed, does it even support it).

For these reasons, the pending motion should be denied.

Respectfully submitted,

Thomas G. Dignan, Jr.
R. K. Gad III
Ropes & Gray
225 Franklin Street
Boston, Massachusetts 02110
Telephone: 423-6100

Dated: March 20, 1984

1 Indeed, what the SS-PSA does show is that the probability of an accident leading to a significant offsite release is quite rare, and that if it were to happen, the time before the offsite release occurs is so long that it is difficult to imagine that any inefficiencies in notification due to loss of AC power-dependent devices would have any effect at all:

"It is clear from the Seabrook Station Probabilistic Safety Assessment that events leading to fatalities due to exposure to radioactive material following an accident are indeed very rare. An 'upper bound' estimate on the frequency of events that result in a small number of fatalities, say 1 to 100, is one such every half million to a million years. The 'best' estimate for the frequency of such an event is one every 30 million to 50 million years. Thus for all practical purposes, there is no appreciable risk of early fatalities from the operation of Seabrook Station. The reason for essentially no early fatality risk is related to the very high strength of the Seabrook Station containment. The ultimate strength was analyzed to be above 170 pounds per square inch (gauge) -- nearly three times the design pressure. Thus, containment failure is almost an impossibility. About the only accidents that directly fail the containment and contribute to risk are those that occur some 2-1/2 days or so following a damaged core. Such accidents must result in a loss of all containment heat removal capability. As is observed below, these accidents affect, for the most part, only the delayed health effects."

Seabrook Station Probabilistic Safety Assessment, Summary Report at 17-18. For the convenience of the Board, a copy of this Summary Report is attached to this Response.

CERTIFICATE OF SERVICE

I, Robert K. Gad III, one of the attorneys for the Applicants herein, hereby certify that on March 20, 1984, I made service of the within APPLICANTS' RESPONSE TO "NECNP MOTION TO FILE SUPPLEMENTAL CONTENTION ON NEW HAMPSHIRE STATE AND LOCAL EMERGENCY RESPONSE PLANS" by mailing copies thereof, postage prepaid, to:

Helen Hoyt, Chairperson, Atomic Safety and Licensing Board Panel, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Ms. Diana P. Randall, 70 Collins Street, Seabrook, NH 03874

Dr. Emmeth A. Luebke, Atomic Safety and Licensing Board Panel, U.S. Nuclear Regulatory Commission, Washington, DC 20555

William S. Jordan, III, Esquire, Harmon & Weiss, 1725 I Street, N.W., Suite 506, Washington, DC 20006

Dr. Jerry Harbour, Atomic Safety and Licensing Board Panel, U.S. Nuclear Regulatory Commission, Washington, DC 20555

G. Dana Bisbee, Esquire, Assistant Attorney General, Office of the Attorney General, 208 State House Annex, Concord, NH 03301

Atomic Safety and Licensing Board Panel, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Robert G. Perlis, Esquire, Office of the Executive Legal Director, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Atomic Safety and Licensing Appeal Board Panel, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Robert A. Backus, Esquire, 116 Lowell Street, P.O. Box 516, Manchester, NH 03105

Philip Ahrens, Esquire, Assistant Attorney General, Department of the Attorney General, Augusta, ME 04333

Anne Verge, Chairperson, Board of Selectmen, Town Hall, South Hampton, NH 03827

Charles Cross, Esquire, Shaines, Madrigan & McEachern, 25 Maplewood Avenue, P. O. Box 366, Portsmouth, NH 03842

JoAnn Shotwell, Esquire, Assistant Attorney General, Department of the Attorney General, One Ashburton Place, 19th Floor, Boston, MA 02108

Ms. Roberta C. Pevear, Assistant Attorney General the Town of Hampton Falls, Drinkwater Road, Hampton Falls, NH 03844

Mr. Patrick J. McKeon, Selectmen's Office, 10 Central Road, Rye, NH 03870

Mrs. Sandra Gavutis, Assistant Attorney General the Town of Kensington, RFD 1, East Kingston, NH 03827

Mr. Calvin A. Canney, City Manager, City Hall, 126 Daniel Street, Portsmouth, NH 03801

Senator Gordon J. Humphrey, U.S. Senate, Washington, DC 20510 (Attn: Tom Burack)

Mr. Angie Machiros, Chairman of the Board of Selectmen, Town of Newbury, Newbury, MA 01950

Senator Gordon J. Humphrey, 1 Pillsbury Street, Concord, NH 03301 (Attn: Herb Boynton)

Mr. Richard E. Sullivan, Mayor, City Hall, Newburyport, MA 01950

Mr. Donald E. Chick, Town Manager, Town of Exeter, 10 Front Street, Exeter, NH 03833

Town Manager's Office, Town Hall, Friend Street, Amesbury, MA 01913

Brian P. Cassidy, Esquire, Regional Counsel, Federal Emergency Management Agency - Region I, 442 POCH, Boston, MA 02109

Brentwood Board of Selectmen, RFD Dalton Road, Brentwood, NH 03833

Gary W. Holmes, Esquire, Holmes & Ells, 47 Winnacunnet Road, Hampton, NH 03841

Robert K. Gad III

SEABROOK STATION PROBABILISTIC SAFETY ASSESSMENT

SUMMARY REPORT

B. John Garrick, Study Director

Prepared for PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE, Manchester, New Hampshire and YANKEE ATOMIC ELECTRIC COMPANY, Framingham, Massachusetts

December 1983

Pickard, Lowe and Garrick, Inc.

Engineers • Scientists • Management Consultants

Irvine, CA; Washington, DC

TABLE OF CONTENTS

INTRODUCTION
HISTORY OF PROBABILISTIC RISK ASSESSMENT
RISK ASSESSMENT STUDIES OF NUCLEAR POWER PLANTS
  The Reactor Safety Study
  Plant Specific PRAs
RISK ASSESSMENT METHODS
  Accidents
  Likelihood
  Consequences
  Assuring Quality in Risk Assessment Studies
OBJECTIVES AND SCOPE OF THE SEABROOK STATION PRA
QUALITY ASSURANCE OF THE SEABROOK STATION PRA
  The Study Team
  Quality Assurance Procedures
  The Review Program
THE SEABROOK STATION MODELS AND ANALYSIS
  The Plant Model
  The Containment Model
  The Site Model
  Assembly of Risk Models
RISK ASSESSMENT RESULTS
  Key Findings
  Early Fatalities
  Latent Cancer Fatalities
  Early Injuries
  Core Melt
  Risk and Uncertainty
  Perspectives
REFERENCES

LIST OF TABLES AND FIGURES

Table 1: Review Responsibilities
Table 2: Seabrook Station Systems Analyzed in Detail
Table 3: The Risk at Seabrook Station
Figure 1: Block Diagram Showing Support Systems for Instrument Air System
Figure 2: Risk of Radiation Injuries at Seabrook Station

INTRODUCTION

A full scope probabilistic risk assessment has been performed for the Seabrook Station nuclear power plant. The study provides an independent assessment of the health and safety risk to the public based on unique features of the plant including its location, design, plans for operations, maintenance, and emergency response. The methods and results of the assessment are documented in detail in the Main Report and its Appendices. The purpose of this Summary Report is to describe with a minimum of technical terms the methods of probabilistic risk assessment and their application to Seabrook Station, and to present a brief summary of the results of the study.

HISTORY OF PROBABILISTIC RISK ASSESSMENT

Probabilistic risk assessment (PRA) is currently the most systematic and comprehensive way to determine the risk of complex technical systems. PRA's unique value stems from its methodology that integrates many technical disciplines and analysis techniques to provide a quantitative assessment of risk. PRA encompasses the engineering disciplines, the mathematics of probability and statistics, human factors analysis, computer models, mathematical models, and extensive data bases.

The safety analysis discipline of PRA evolved from earlier efforts to enhance the effectiveness of engineered systems. For example, following the First World War, multiengine aircraft were introduced as a means of improving the reliability of aircraft. The early 1940s saw the introduction of mathematical models for use in reliability engineering. Use of such models enabled General Motors to extend the useful life of their traction motors used in locomotives from 250,000 to 1,000,000 miles.

During the 1950s, new industries with increasingly complex systems stimulated the need for more sophisticated reliability analysis. Quantitative failure analysis and reliability modeling were developed further in support of the manned space flight and defense programs of the 1960s. The backbone of modern PRA methodology is event tree and fault tree analysis which was developed at such places as Bell Laboratories, the National Aeronautics and Space Administration (NASA), and the Department of Defense. Event trees are used to identify and examine accident scenarios, while fault trees are the basis for calculating the probabilities of those sequences.

In recent years, PRA methods have developed rapidly and are being applied with increasing frequency to complex industrial systems. Examples of these include commercial aircraft, chemical plants, NASA programs, and nuclear power plants.

RISK ASSESSMENT STUDIES OF NUCLEAR POWER PLANTS

PRA methodology has been extensively applied to nuclear power plants. The first full scope PRA performed for commercial nuclear power plants was the Reactor Safety Study (RSS). This study was commissioned by the Nuclear Regulatory Commission (NRC) and directed by Dr. Norman C. Rasmussen of the Massachusetts Institute of Technology. The study was completed in 1975 after 3 years of work; its charter was to analyze the generic risk from nuclear power plants. Consideration of plant specific factors was limited to two plants.

THE REACTOR SAFETY STUDY

The benchmark Reactor Safety Study report, called WASH-1400, was thoroughly reviewed and critiqued in the years following its publication. In response to some of these critiques, the NRC established an independent review group to evaluate the critiques and challenges. This independent review group was chaired by Dr. Harold W. Lewis, Professor of Physics at the University of California, Santa Barbara. The review group's findings, published in a report popularly referred to as the Lewis Committee Report, exemplify the scientific review process. While the Lewis Committee expressed some criticism of the RSS, it concluded that the study was competently performed in good faith and employed sound methodology.

We find that WASH-1400 was a conscientious and honest effort to apply the methods of fault tree / event tree analysis to an extremely complex system, a nuclear reactor, in order to determine the overall probability and consequences of an accident.

We do find that the methodology, which was an important advance over earlier methodologies applied to reactor risks, is sound...

This critical review of WASH-1400 also identified weaknesses which included inadequate treatment of common cause failures (simultaneous failures of more than one system) and understatement of some of the uncertainties. More recent probabilistic safety studies in this country and in Europe have built on the foundation of the Reactor Safety Study and have incorporated advances that addressed these critiques as well as other advances.

PLANT SPECIFIC PRAs

PRA is an evolving scientific discipline which continues to expand and formalize new insights into risk management. Two recent plant specific studies performed for the Zion and Indian Point nuclear plants exemplify the state of the art at the time the Seabrook Station PRA got started.

PRA advancements incorporated into the Indian Point Study included:

• Use of matrix formulations which make the final process of assembling the information from the different parts of the analysis more visible and therefore easier to understand. This method of risk information assembly also reveals more visibly the factors that contribute to risk and therefore makes the information more useful in risk management.

• Development of a master logic diagram to assist in identifying initiating events.

• Introduction of a framework in which uncertainty is included as an integral part of the presentation of risk.

• An expanded data base, including plant and site specific data and improved methods for quantifying uncertainties due to lack of data.

• More accurate risk models for earthquakes, fires, and winds.

• Improved methods for analysis of damaged core phenomena and the role of engineered safety systems during an accident.

• Use of mathematical analysis to express the extent of conservatism in the radioactivity release values which were calculated for the RSS methodology.

• Use of a site specific accident consequences model which allowed for changes in radioactive plume trajectory during the course of a release.

RISK ASSESSMENT METHODS

Modern PRA embraces rigorous logic, computer models, reliability theory, systems analysis, human factors analysis, and the mathematics of probability and statistics. These and the scientific and engineering disciplines are integrated into a formal process that addresses the two components of risk: likelihood and consequence. In general terms, risk is defined and quantified by answering the following three questions:

1. What could happen; i.e., what accident sequences or scenarios are possible?

2. What is the likelihood of these scenarios?

3. What would their consequences be?

ACCIDENTS

The first question is essentially a "what if" question: "what if" some piece of equipment fails; "what if" some error is made; "what if" there is an earthquake, a flood, or a fire? The systematic and comprehensive nature of PRA requires a spectrum of technical experts and the application of rigorous logic to answer this question. The major steps are:

• Develop detailed understanding of the equipment, systems, and structures to be analyzed. In addition, knowledge of procedures, maintenance, and other aspects must be integrated into a plant model. The detail required includes not only the operation of equipment and systems, but their interrelationships, knowledge of wiring, piping, spatial relationships, and so on.

• Identify "initiating events"; that is, those events that could start an accident scenario. While literally thousands of initiating events are considered, they are discussed as two major classes: "internal" and "external." Internal events are those which originate with malfunctions or failures of plant equipment or systems including those caused by operator error. External initiating events originate from other causes and include earthquakes, fires, high winds, and floods.

• Analyze the possible responses of different systems to initiating events. This process entails development of rigorous logic models which identify all possible combinations of success or failure states for each piece of equipment or system affected. These logic models are described in risk analysis by the use of event trees. Following is a sample event tree:

[Figure: sample event tree. Column headings: INITIATING EVENT, SYSTEM, SYSTEM. Branch labels: SYSTEM SUCCEEDS, SYSTEM FAILS.]

The event trees for a complex plant trace literally billions of possible scenarios. The purpose of developing trees is to trace sequences leading to situations which pose a threat to human health or to the environment.

It should be noted that while it may not be possible to identify absolutely all possible sequences, the approach is to be as complete as possible and then make allowances for scenarios not identified.

LIKELIHOOD

Answering the second question, "What is the likelihood of these accident scenarios?" requires careful analysis of how failures can occur and how likely it is that a given safety system will fail. The likelihood of success or failure of individual systems is investigated using fault tree diagrams, reliability block diagrams, and cause tables. Fault trees and reliability block diagrams express the logical relationships between the functioning of a system and its subsystems and components and then identify those factors which could lead to the failure of the entire system. Figure 1 shows an example of a reliability block diagram for the instrument air system and its support systems at Seabrook Station.

The purpose of fault tree analysis is to consider the system in a degree of detail such that statistical evidence can be used to determine the likelihood of failure of components and subsystems which are then used to calculate the likelihood of failure of the entire system. The potential for common cause failures (that is, simultaneous failures of more than one component or system) is also evaluated. In fact, much of the effort that is required to perform such a systems analysis is devoted to the identification and analysis of these "common causes."

The expression "likelihood of failure" embodies two concepts: frequency and uncertainty. Frequency is a measure of how often some event can happen, whereas uncertainty expresses how sure we can be about the frequency estimate. Estimates of the frequency of failures are based on information about the past operation of components, systems, and structures. For each component or system, a range of failure rates (frequencies of failure) is considered and a confidence level for each failure rate is determined. Quantification and representation of uncertainty is central to probabilistic risk assessment. The importance of displaying uncertainty lies in the ability to express the state of knowledge about the system being analyzed in quantitative terms. Quantifying the state of knowledge in each step of the risk assessment process facilitates logical and consistent analysis of both frequent and rare events. The amount of data available affects the confidence that can be expressed in the frequency estimates. If there is a large amount of data available about a given system, a high degree of confidence can be associated with the frequency estimates. Conversely, if historical data are sparse or sketchy or not fully relevant, the level of confidence in the estimates will be low; i.e., more uncertain.
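The event-tree and fault-tree steps described above, worked through on constructed numbers (an added example, not part of the Summary Report or the Seabrook study): two systems that share one support system are quantified once exactly and once under an independence assumption, showing how ignoring a common cause understates the sequence in which both systems fail. The system names, gate structure, initiator frequency and all probabilities are assumptions.

```python
from itertools import product

# Constructed sample data (assumptions, not values from the Seabrook study):
# per-demand failure probabilities of basic events and an initiating-event
# frequency in events per year.
BASIC_EVENTS = {
    "support_power": 1e-3,  # hypothetical support system shared by A and B
    "pump_A": 1e-2,
    "pump_B": 1e-2,
}
INITIATOR_FREQ = 0.1

# Fault trees as nested tuples: (gate, child, ...); leaves are basic events.
# Each system fails if its own pump fails OR the shared support fails.
FAULT_TREES = {
    "A": ("OR", "pump_A", "support_power"),
    "B": ("OR", "pump_B", "support_power"),
}


def tree_fails(node, state):
    """Evaluate a fault tree for one assignment of basic-event states."""
    if isinstance(node, str):
        return state[node]
    gate, *children = node
    results = [tree_fails(child, state) for child in children]
    return any(results) if gate == "OR" else all(results)


def all_states(probs):
    """Yield (state, probability) for every combination of basic events."""
    names = sorted(probs)
    for combo in product([False, True], repeat=len(names)):
        state = dict(zip(names, combo))
        p = 1.0
        for name, failed in state.items():
            p *= probs[name] if failed else 1.0 - probs[name]
        yield state, p


def label(failed):
    return "fails" if failed else "succeeds"


def sequence_frequencies(trees, probs, init_freq):
    """Exact event-tree quantification: every basic-event state is mapped to
    the sequence it produces, so shared events are counted once."""
    systems = sorted(trees)
    freqs = {}
    for state, p in all_states(probs):
        seq = tuple(label(tree_fails(trees[s], state)) for s in systems)
        freqs[seq] = freqs.get(seq, 0.0) + init_freq * p
    return freqs


def system_failure_probability(tree, probs):
    """Top-event probability of a single fault tree."""
    return sum(p for state, p in all_states(probs) if tree_fails(tree, state))


def naive_sequence_frequencies(trees, probs, init_freq):
    """Multiply per-system failure probabilities along each branch as if the
    systems were independent (the common-cause error)."""
    systems = sorted(trees)
    p_fail = {s: system_failure_probability(trees[s], probs) for s in systems}
    freqs = {}
    for combo in product([False, True], repeat=len(systems)):
        f = init_freq
        for s, failed in zip(systems, combo):
            f *= p_fail[s] if failed else 1.0 - p_fail[s]
        freqs[tuple(label(x) for x in combo)] = f
    return freqs


def underestimation_factor(trees, probs, init_freq):
    """How many times the independence assumption understates the sequence
    in which every system fails."""
    worst = tuple("fails" for _ in trees)
    exact = sequence_frequencies(trees, probs, init_freq)[worst]
    naive = naive_sequence_frequencies(trees, probs, init_freq)[worst]
    return exact / naive


if __name__ == "__main__":
    exact = sequence_frequencies(FAULT_TREES, BASIC_EVENTS, INITIATOR_FREQ)
    naive = naive_sequence_frequencies(FAULT_TREES, BASIC_EVENTS, INITIATOR_FREQ)
    for seq in sorted(exact):
        print(seq, f"exact={exact[seq]:.4e}/yr", f"independent={naive[seq]:.4e}/yr")
    factor = underestimation_factor(FAULT_TREES, BASIC_EVENTS, INITIATOR_FREQ)
    print(f"both-fail sequence understated by a factor of {factor:.1f}")
```
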

CONSEQUENCES

The next major task is to determine what the consequences of given accidents would be. Assessment of consequences is not a straight, deterministic process. Even for an accident of extreme severity, there is a range of potential consequences. For example, in a severe aircraft accident, a crash, the consequences in terms of loss of life and injury can vary. In some cases, there might be no fatalities or major injuries, but in other similar crashes, the consequences could be extreme. In other words, there is some degree of uncertainty associated with the consequences. This uncertainty is analyzed in a manner similar to the uncertainty associated with frequencies of failures. For an accident of a given severity, a range of damage levels is considered and, for each damage level, a probability or confidence level is calculated. The confidence levels associated with the frequency of accident estimates and the confidence levels associated with the potential consequences are incorporated into the final statement of the risk assessment.

[FIGURE 1. BLOCK DIAGRAM SHOWING SUPPORT SYSTEMS FOR INSTRUMENT AIR SYSTEM. Labeled elements include 480V AC MCCs, compressors, service air receivers, crosstie valves, inlet valves to receivers, dryer inlet and outlet valves, and instrument air headers. Legend: component block, intermediate gate, support system.]

ASSURING QUALITY IN RISK ASSESSMENT STUDIES

The essential differences between a rigorous scientific study and a nonscientific, intuitive evaluation are the use of appropriate and consistent methods, careful documentation, and peer review. PRA is a highly scientific endeavor requiring the highest levels of technical competence and integrity.

As with any scientific endeavor, the quality of a PRA study hinges on the use and documentation of appropriate assumptions, methods, data, and analysis. The purpose of careful documentation is essentially twofold. One major purpose is to aid the analysts in maintaining control over the process; i.e., it builds a "blueprint" of the progress which permits tracing logical progressions from initial assumption to final results. The second function of the documentation is to facilitate peer review, critiques, and reproducibility.

Given the requirements for a quality study, it is easy to see that the competence and integrity of the people involved are of paramount importance. For a PRA to be successful, the study team must be made up of at least the following:

• Experts in the analytical and probabilistic methods employed in the analysis.

• Engineers who have hands-on knowledge of the workings of the engineered systems being analyzed.

• Practitioners who can translate analytical methods and plant knowledge into meaningful models for quantifying risk.

• Engineers and scientists with concentrated knowledge of the behavior of systems under normal and abnormal conditions.

• Specialists in phenomena that are relevant to the study. Such phenomena might include earthquakes, fires, floods, and extreme winds.

• Authors who have special skills in communicating highly technical and scientific work.

The most important consideration for verifying the quality of a PRA is to perform the work correctly in the first place. Quality assurance is enhanced by segmenting the study into stages such that the analyst has checkpoints on his progress. Internal procedures require the analyst to present his work to his associates and defend the results. This technique is very effective in creating a sense of responsibility and professionalism. In addition, a different analyst checks the model and duplicates the key calculations. The work is subject to detailed review by senior members of the study team. This review team checks on the overall methods employed, makes spot checks of detailed models and calculations, questions all assumptions, carefully reviews all documentation, and identifies weakest and strongest points in the analysis. An external review board of technical experts provides an additional measure of quality assurance.

OBJECTIVES AND SCOPE OF THE SEABROOK STATION PRA

The objectives of the Seabrook Station Probabilistic Safety Assessment were to:

• Perform an independent and plant specific assessment of the health and safety risk to the public based on the unique factors associated with the site, design, plans for operations, maintenance, and emergency response at Seabrook Station.

• Provide documentation of the results and methods in a form suitable for detailed technical review as well as for presentation to the public.

• Provide a risk model which can be used to aid in decision-making with regard to possible modifications to the plant design, operations, and emergency response plans.

The Seabrook Station study is a full scope probabilistic risk assessment; i.e., it considers events that can initiate accidents from inside or outside the plant. Full scope also means that different levels and types of damage from potential accidents are analyzed and quantified. Of particular importance is the calculation of uncertainty for the different damage levels.

The most advanced state-of-the-art methods were used in the Seabrook Station risk assessment and, in some aspects, even more rigorous methods were employed than had been used in risk assessments of other nuclear plants. A key feature is that the study is plant and site specific; that is, the actual design and construction of Seabrook Station was analyzed. The results reflect the plant's geographic location and its relationship to the surrounding population.

The study and its results are an objective, independent assessment of the risks associated with the operation of Seabrook Station. The assessment provides information about the risks, but is not intended to determine or supplant social values.

QUALITY ASSURANCE OF THE SEABROOK STATION PRA

A full scope, plant specific PRA is a complex technical endeavor. To ensure a quality product, it is necessary that the study team be fully competent; that the work be carefully reviewed; and that the final documentation be complete in its reporting of all assumptions, calculations, data, methods, and results.

! THE STUDY TEAM d .

$3 The.Seabrook Station PRA project was carried out by Pickard, Lowe, and l Garrick, Inc. (PLG), as the main contractor. PLG managed the project, provided the methods and data base, and performed about 78". of the ,

d 32 1022P010984 8

u _

l technical work. PLG, its principals, employees, and consultants, are recognized as leaders in the development and application of risk assess-

  • ment methods. A team of subcontractors selected by PLG supported them in i

the remaining 22*. of the project. The subcontractors were selected for, their particular expertise and competence in specific disciplines.

Structural Mechanics Associates, Inc. (SMA), provided an analysis of components and structures with respect to sensitivity to earthquake damage. They also performed analyses to determine the response of containment structures to accidents involving damage to the reactor core. Dames & Moore (D&M) performed the seismic hazard analysis which took into account previous assessments of seismic hazard at Seabrook Station performed by Weston Geophysical, Inc. Westinghouse Electric Corporation, as the reactor vendor, provided information about the nuclear steam supply system.

Offshore Power Systems (OPS), a division of Westinghouse, performed analyses of the core and containment atmosphere for a wide spectrum of core damage scenarios. OPS also quantified the source terms and other release characteristics for the set of potential accident sequences relevant to the site (consequence) model. Fauske and Associates, Inc., provided site specific analyses of the behavior of a degraded core and debris formed within and outside the reactor vessel, which was also valuable input to the core and containment response analysis.

In support of the site analysis effort, Mesomet, Inc., provided data and analyses of the influence of the Atlantic Ocean on meteorological conditions, and Digital Graphics, Inc., supported post-processing of data generated by the computer-based site consequences model. The site analysis team also coordinated its efforts in modeling evacuation with HMM Associates, Inc., which is performing a separate study in support of the development of site emergency plans for Seabrook Station.

Several individuals who occupy distinguished faculty positions at prestigious institutions made important contributions to the project, acting as private consultants. Donald A. Norman, Director of the School of Cognitive Science at the University of California, San Diego, provided review and guidance in the modeling of human responses to accidents. Norman C. Rasmussen, Professor of Nuclear Engineering at the Massachusetts Institute of Technology, served on the technical review board for the project. C. Allin Cornell of Stanford University was an advisor on the seismic analysis.

To assure accuracy in the modeling and assumptions regarding "as-built" plant features, operating and maintenance procedures, and factors related to how the plant is to be managed, and to increase the usefulness of the risk model in support of decision-making, it was necessary to elicit input from the utility organizations responsible for startup and operation of Seabrook Station. These organizations are Public Service Company of New Hampshire (PSNH) and Yankee Atomic Electric Company (YAEC). Utility input to this project, which was coordinated through YAEC, consisted of providing information and documentation of the plant design, construction, and plans for operation.

QUALITY ASSURANCE PROCEDURES

The objective of the quality assurance (QA) program developed by PLG was to ensure that the services provided were reliable, traceable, and in full compliance with all applicable Federal regulations and industry standards. For this project, additional emphasis was placed on technical review. A description of the technical review levels is provided in Table 1. A brief description of the QA procedures follows:

• The document control system specifies procedures for identifying and logging documents transmitted and received and for storing and retrieving project files.

• Corrective action procedures establish requirements for controlling corrective actions for QA program deficiencies discovered during technical analysis and reviews or quality assurance program audits. The procedures address the responsibility for detection and correction of the deficiency, the filing of Corrective Action Reports (CAR), and the tracking of report status.

• Quality assurance program audit procedures establish guidelines for the frequency, scope, and documentation of internal audits, and the responsibilities of the company offices and managers. The internal audit is made to ascertain that the specified quality assurance procedures are being followed and to uncover any deficiencies in the procedures.

• Independent technical review guidelines establish the scope of the reviews and the responsibility of the project managers in these reviews.

• The computer code quality assurance program establishes the responsibilities of the project manager, computer coordinator, computer code author, and code verifier. The program also sets guidelines to ensure that the codes perform as intended and are properly documented.

• The document change control defines procedures for processing and approving changes to project documents. Project documents include the project plan, quality assurance manual, and any other documents affecting control of the project.

• Subcontractor selection procedures set responsibilities and selection and documentation guidelines to ensure that subcontractors meet the same technical and quality assurance standards as set forth in the manual.

• Federal regulation compliance procedures set guidelines to ensure that the appropriate lawful actions are taken should significant safety defects in the plant be revealed.

TABLE 1. REVIEW RESPONSIBILITIES

| Stage | Review Objective | Person Responsible |
|---|---|---|
| 1 | Check all calculations, computer input and output; proofread documents prepared by publications department for technical accuracy. | Analyst/Author |
| 2 | Double-check all calculations; review documentation for technical accuracy; ensure consistency of documentation within technical area (e.g., systems); ensure that the right tools are used. | Task Leader |
| 3 | Spot check calculations; ensure that acceptable PRA methods and procedures are utilized; perform independent review of all deliverables and supporting calculations and documents as necessary focusing on reasonableness of results and conclusions and whether project documentation adequately reflects what was done; recommend corrective action when appropriate. | Technical Review Board |
| 4 | Review all deliverables; ensure project objectives are met; ensure consistency among technical areas and documentation; responsible for resolution of all review comments and assignment of work needed to resolve review issues. | Project Manager |
| 5 | Assure that all parts of the project team perform their assigned responsibilities; review results and conclusions of key deliverables. | Project Director |
| 6 | Review all deliverables for correctness of interpretation of plant design and planned operation, documentation, safety analyses, and modeling of plant and site unique characteristics. | Client (PSNH and YAEC) |
| 7 | Perform QA audits; conduct QA training; maintain QA records. | PLG QA Manager |

THE REVIEW PROGRAM

The scientists and engineers who performed the Seabrook Station study were chosen for their competence and integrity. To further ensure accuracy and thoroughness, PLG developed and implemented a review program that involved review by other qualified scientists, PLG management, and independent experts. The clients, PSNH and YAEC, reviewed PRA project documents for accuracy in modeling the plant and performed independent quality assurance audits of PLG and the subcontractors.

THE SEABROOK STATION MODELS AND ANALYSIS

The Seabrook Station risk assessment was divided into three major segments: the plant model, the containment model, and the site (consequences) model. The plant model segment is all of the modeling and analyses that trace potential accidents from initiating events up to a determination of the damage to the active plant systems. Several different accident sequences could lead to the same "plant damage state." Plant damage states are defined in terms of the time following core damage and the physical state of the safety systems. Therefore, the plant model also includes the work necessary to group scenarios into different plant damage states. This process enables further analysis to be done in a more efficient manner. The progression of an accident past the plant damage state is only dependent on the systems damaged and not on how that state was reached. For example, if the reactor core is uncovered early and the containment sprays have failed, the further analysis is the same whether this state was initiated by a loss of coolant accident (LOCA), a loss of offsite power, or some other circumstance.

The containment model consists of the work necessary to model the containment response to the various plant damage states. The containment model results in a set of release categories that identify the timing and quantity of radioactive releases from potential accidents.

The release categories from the containment model are the input to the site model. The site model traces the movement of radioactive releases, their fallout to the ground, and their effects on the population present. The damage predicted depends on the type of release, weather conditions at the time, the population pattern, and on whatever evacuation or sheltering actions are implemented.

THE PLANT MODEL

The objective of the plant model is to quantify the frequency of occurrence of different accident scenarios. The essential steps are:

1. Definition of a Comprehensive Set of Initiating Events. Initiating events that simultaneously fail safety systems that would otherwise terminate an accident sequence receive special treatment. Such events are a special class of what is known as "common cause" events. Once a set of initiating events has been defined, they are grouped into categories to facilitate the structuring of accident scenarios.

2. Development of a Set of Event Sequences; i.e., Accident Scenarios Specific to the Seabrook Station. The initiating event categories from step 1 serve as input for structuring accident scenarios. Final disposition of the scenarios is dependent on the response of individual systems that could terminate or alter the sequence. Thus, this step involves extensive systems analysis including the processing of large amounts of reliability data. It also involves detailed analysis of system dependencies including the effect of equipment location and human error.

3. Quantification of the Accident Scenarios. The initiating event and system unavailability frequencies provide the input necessary to perform the quantification process. In effect, this information is propagated through the logic diagrams, that is, the event trees, to quantify the frequency of occurrence of the different plant damage states. The propagation includes the treatment of uncertainty.

The development of the Seabrook Station plant model required detailed modeling of the plant, its systems, components, and structures and all their interdependencies. To obtain the necessary knowledge of the plant, the PLG team first spent 6 weeks at the Seabrook Station site studying the plant. Information was obtained from physical inspection of the plant, engineering drawings, quality assurance documents, and discussions with the engineering consultants at YAEC. Additional visits were made by specialists to obtain information for expert analysis of such features as spatial relationships.

A detailed analysis was performed for the plant's systems. The analysis included a description of the system, its function and operations, development of a system logic model, and quantification of system unavailability. The systems analyzed in detail are identified in Table 2.

Particular care was taken to identify initiating events specific to the Seabrook plant and site. Six distinct approaches were used to identify possible initiating events including those from outside causes. Each approach had its own unique value in helping to identify an as-complete-as-possible set of potential accident initiators for Seabrook Station.

The possible accident initiators include loss of coolant accidents; transients (a transient is a malfunction or error that impacts proper operation of equipment or systems); and common causes such as fires, turbine missiles, tornados, hazardous chemicals, loss of support systems, and seismic events.

The sequence of events that could follow each initiating event was defined using event trees. Literally billions of potential scenarios were developed and analyzed. Data such as component failure rates and component maintenance frequency and duration were obtained from industry data bases to quantify the frequencies of the scenarios. These data were derived from experience with operating the same type of systems and components at other plants. Expert opinion and mathematical techniques were used for initiating events or components for which data is sparse.

TABLE 2. SEABROOK STATION SYSTEMS ANALYZED IN DETAIL

Electric Power System
Service Water System
Primary Component Cooling Water System
Instrument Air System
Reactor Trip, Engineered Safety Features Actuation and Solid State Logic Protection Systems
Containment Enclosure Air Handling System
Emergency Core Cooling System
Emergency, Main, and Startup Feedwater Systems
Reactor Coolant Pressure Relief
Main Steam System
Containment Building Spray System
Containment Isolation Functions
Control Room Complex Heating, Ventilation, and Air Conditioning

The modeling and analyses incorporated such design features as the condenser cooling water system; the service water system (which also depends on seawater); Seabrook Station's advanced control room alarm indicators; and environmental factors unique to the plant's site such as the potential for earthquakes, tornados, floods, aircraft crashes, and fires.

The results of the plant model, a listing of groups of possible damage states to the plant, formed the input for the containment model.

THE CONTAINMENT MODEL

The containment model consists of analyses of degraded reactor cores, core melt processes, and thermodynamic conditions in the containment building; an assessment of the ability of the containment structure to withstand these thermodynamic conditions; and radioactive release analyses. The starting point of the containment model is the set of plant damage states identified in the plant model. Given that a particular plant damage state or external event has occurred, the subsequent events are represented by a containment event tree. Each path through the containment event tree begins with a plant damage state and ends with a "release category." A release category represents the types, quantities, timing, and elevations of radioactive material released, if any.

The core and containment response analysis of Seabrook Station made maximum use of the same research and development programs used for the Indian Point risk assessment. Specifically, the core and containment response analysis performed for the Indian Point Units 2 and 3 risk assessment could be applied to Seabrook for several reasons. First, there is the strong similarity in design and construction of the Indian Point and Seabrook plants. The Indian Point PRA was performed by the same team of analysts. The very extensive core and containment response analyses performed for the Indian Point study have undergone detailed review and acceptance by the Nuclear Regulatory Commission. While the methodology and models used for Indian Point are directly applicable to Seabrook Station, considerable care was taken to address differences in the design and construction of the two plants. For example, Seabrook Station's "double containment" (i.e., the existence of a containment enclosure building outside the main containment) is a significant departure from the Indian Point design.

During accident sequences involving core damage, the containment structure can be exposed to pressure and temperature conditions which exceed the design basis for the containment. In order to quantify the time, rate, and magnitude of radioactive releases, it is necessary to know the following:

• The internal pressure at which the containment is realistically expected to fail.

• The location of the failure.

• The leakage path and the effective leak rate.

• The condition of the enclosure building when the containment building fails.

The Seabrook Station containment model examined the different ways the containment building could fail during each important accident scenario.

THE SITE MODEL

Given that a particular release has occurred including the magnitude and timing of the radionuclide mix, the site model is used to determine the consequent damage to the area and people around the plant. For each particular release, this model traces the movement of the radioisotopes, their fallout to the ground, and their interaction with the population present given a variety of weather conditions. The resulting damage calculated depends not only on the weather conditions (wind direction, speed, precipitation, etc.), but also upon the population pattern and the evacuation or sheltering actions implemented. Several different measures of damage are customarily used to present the risk results: early deaths, early injuries, thyroid cancers and other cancer fatalities (latent), whole body dose, property damage, etc.

An elaborate computer program is used to model radioactive releases and their interaction with the specific topography, meteorology, and demography relevant to Seabrook Station. Meteorological data for the Seabrook site include air flow patterns, storms producing rain or snow, land-sea interactions, and seasonal variations in the weather. The terrain around the Seabrook site is relatively flat. Previous analyses of sites with flat terrains have shown that local topography does not significantly influence local dispersion of radioactive material. Therefore, no terrain effects on dispersion were considered for Seabrook Station.

Three sets of population and evacuation data were prepared for an evacuation zone consisting of the area within 10 miles of the plant. The three scenarios used are the winter weekday, summer weekday, and summer weekend day. The last of these represents the worst case scenario. An evacuation model for each of the three scenarios was developed by HMM Associates. The model included traffic routes, travel distances, and delay times. The biological effects of radiation exposure were calculated in accordance with methods used by the National Academy of Sciences in the report entitled, "The Biological Effects of Ionizing Radiation" (BEIR) (Reference 1).

ASSEMBLY OF RISK MODELS

The final step in a risk assessment is the assembly of the individual risk models into a full statement of risk on the Seabrook Station. The four components, or "pinch points" of a full scope risk assessment have been identified as: (1) initiating events; (2) plant damage states; (3) release categories; and (4) final damage states (consequences). The last three pinch points are a direct result of the three models covering the plant, its containment, and the site. While the pinch points are sequentially dependent, the methodology permits them to be developed independently until the final assembly step. Thus, the unconditional results from pinch point 4 depend on the results of pinch point 3 and so on to pinch point 1. The assembly process removes the dependencies on each of the three models.
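The assembly step described above, as an added example that is not part of the original report: each model is written as a table of conditional probabilities, and chaining the tables from pinch point 1 to pinch point 4 yields unconditional frequencies per reactor year. Every frequency, probability and category name is constructed for illustration and is not an SSPSA value, and representing the three models as chained conditional tables is an assumption about how such an assembly can be carried out.

```python
"""Assemble plant, containment and site models into unconditional risk.

Every number and category name below is constructed for illustration;
none is an SSPSA value.
"""

# Pinch point 1: initiating event frequencies, per reactor year (constructed).
INITIATORS = {
    "loss_of_offsite_power": 1e-1,
    "loss_of_coolant": 1e-2,
    "large_earthquake": 1e-4,
}

# Plant model: P(plant damage state | initiating event).
# The remainder of each row is "no core damage".
PLANT = {
    "loss_of_offsite_power": {"early_core_damage": 1e-4, "late_core_damage": 1e-3},
    "loss_of_coolant": {"early_core_damage": 1e-3, "late_core_damage": 1e-3},
    "large_earthquake": {"early_core_damage": 1e-1, "late_core_damage": 1e-1},
}

# Containment model: P(release category | plant damage state).
CONTAINMENT = {
    "early_core_damage": {"containment_bypass": 0.01,
                          "delayed_overpressure": 0.09, "intact": 0.90},
    "late_core_damage": {"containment_bypass": 0.00,
                         "delayed_overpressure": 0.20, "intact": 0.80},
}

# Site model: P(at least one such health effect | release category).
# These are exceedance probabilities, so a row need not sum to 1.
SITE = {
    "containment_bypass": {"early_fatality": 0.5, "latent_cancer_fatality": 1.0},
    "delayed_overpressure": {"early_fatality": 0.0, "latent_cancer_fatality": 0.5},
    "intact": {"early_fatality": 0.0, "latent_cancer_fatality": 0.0},
}


def check_conditional(model, exclusive=True):
    """Reject tables whose entries are not probabilities, or whose mutually
    exclusive outcomes add up to more than 1 for a given condition."""
    for given, row in model.items():
        if any(not 0.0 <= p <= 1.0 for p in row.values()):
            raise ValueError(f"{given}: entry outside [0, 1]")
        if exclusive and sum(row.values()) > 1.0 + 1e-12:
            raise ValueError(f"{given}: outcomes sum to more than 1")


def propagate(freqs, model):
    """Carry frequencies across one model: f(out) = sum f(in) * P(out | in)."""
    out = {}
    for given, freq in freqs.items():
        for outcome, prob in model[given].items():
            out[outcome] = out.get(outcome, 0.0) + freq * prob
    return out


def assemble(initiators):
    """Chain the three models; returns the frequencies at pinch points 2-4."""
    damage_states = propagate(initiators, PLANT)
    releases = propagate(damage_states, CONTAINMENT)
    consequences = propagate(releases, SITE)
    return damage_states, releases, consequences


def contributors(damage_index):
    """Rank initiating events by their share of one damage index."""
    shares = {ie: assemble({ie: f})[2].get(damage_index, 0.0)
              for ie, f in INITIATORS.items()}
    total = sum(shares.values())
    if total == 0.0:
        return []
    return sorted(((ie, v / total) for ie, v in shares.items()),
                  key=lambda item: item[1], reverse=True)


def one_in(freq):
    """Express a frequency per reactor year as '1 in N reactor years'."""
    return round(1.0 / freq)


check_conditional(PLANT)
check_conditional(CONTAINMENT)
check_conditional(SITE, exclusive=False)

if __name__ == "__main__":
    pds, rc, damage = assemble(INITIATORS)
    for name, freq in damage.items():
        print(f"{name}: {freq:.3e} per reactor year (1 in {one_in(freq):,})")
    print(contributors("latent_cancer_fatality"))
```

Because each stage depends only on the category handed over by the previous one, any one table can be revised and the assembly rerun without touching the other two.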

RISK ASSESSMENT RESULTS

KEY FINDINGS

The risk to the public from the operation of Seabrook Station is presented in terms of the frequency of occurrence of different levels of damage; in this case, different types of health effects. Five different offsite health effects were considered: (1) early fatalities; i.e., fatalities occurring within a short time after radiation exposure; (2) nonfatal radiation injuries due to exposure; (3) thyroid cancers (most of which are treatable and nonfatal); (4) latent cancer fatalities occurring over a 30-year period; and (5) total population dose or man-rem (whole body). For purposes of highlighting the health and safety risk of Seabrook Station, three of these indices are discussed: (1) early fatalities, (2) early radiation injuries, and (3) latent cancer fatalities. In addition, the frequency of core melt is quantified. It is necessary for the core to melt before significant amounts of radioactive material can be released into the containment and, hence, the interest in core melt.

EARLY FATALITIES

It is clear from the Seabrook Station Probabilistic Safety Assessment that events leading to fatalities due to exposure to radioactive material following an accident are indeed very rare. An "upper bound" estimate* on the frequency of events that result in a small number of fatalities, say 1 to 100, is one such event every half million to a million years. The "best" estimate for the frequency of such an event is one every 30 million to 50 million years. Thus, for all practical purposes, there is no appreciable risk of early fatalities from the operation of Seabrook Station. The reason for essentially no early fatality risk is related to the very high strength of the Seabrook Station containment. The ultimate strength was analyzed to be above 170 pounds per square inch (gauge)--nearly three times the design pressure. Thus, containment failure is almost an impossibility. About the only accidents that directly fail the containment and contribute to risk are those that occur some 2-1/2 days or so following a damaged core. Such accidents must result in a loss of all containment heat removal capability. As is observed below, these accidents affect, for the most part, only the delayed health effects.

* Upper bound is taken to be the 95% confidence value which has the meaning that we are 95% confident that the indicated frequency of occurrence of the damage level in question will not be exceeded. The best estimate is the 50% or median value.

The only failure mechanism that has any appreciable chance of leading to fatalities immediately (within hours) following an accident is one that would either permit a bypassing of the containment system through coolant pathways between the reactor coolant system and systems outside the containment; or, even less likely, an earthquake of such severity as to simultaneously fail the containment and lead to core meltdown. Of course, containment bypass has been essentially "designed out" and earthquakes strong enough to fail the containment and cause a meltdown have never been observed or diagnosed in the vicinity of Seabrook.

LATENT CANCER FATALITIES

In addition to the health effects that occur near the time of an accident, there is the need to consider residual or latent effects. Thus, consideration is given to cancer fatalities occurring over a 30-year period following exposure. The frequency of events that can contribute to cancer fatalities is much greater than those leading to early effects. For example, those releases that develop slowly (say 20 hours or more following an accident) can contribute to latent cancers but most likely would not result in any early fatalities. One reason for this is that ample time exists to remove people from the zones susceptible to lethal doses of radioactive material. Therefore, radiation exposures to individuals would fall below thresholds for producing early health effects. Another factor is that when a delay is involved, there is more time for radioactive material to settle out inside the containment as well as to decay--both contributing to reductions in the inventory of material available for release.

The upper bound estimate of the frequency of occurrence of accidents resulting in 1 to 100 cancer fatalities is once every 3,000 to 5,000 years. The best estimate frequency is once in 7,000 to 20,000 years. While even less frequent than events that lead to early fatalities, these frequencies are still very small especially when considering the frequencies associated with other risks routinely taken. Even though the latent fatality risk is small, it is important to know what is contributing to it to enable actions to keep it small or make it even smaller. As already implied, the events most responsible for the latent effects are those involving delayed releases; that is, a delay between when fuel damage occurs and when a release actually takes place. What this means is that at Seabrook Station, there is containment of the damaged fuel until well after such time at which all core cooling and containment heat removal systems fail. Without heat removal capability, the containment integrity cannot be assured indefinitely. Of course, such a combination of events is very unlikely, as the low frequencies indicate.

EARLY INJURIES

Early injuries include radiation illnesses that are usually observed after large, acute doses of radiation. They can occur within days to weeks after exposure. Such injuries also include illnesses that are manifested within a year or more following exposure. Thus, early injuries involve those radiation illnesses that result from high exposures occurring at or near the time of a very major accident and that generally do not result in fatalities. For Seabrook Station, the risk of such exposures is extremely small. The upper bound of the frequency of events leading to 1 to 100 early injuries is calculated to be once every 200,000 to 300,000 years. The best estimate of this frequency is once every 7,000,000 to 17,000,000 years.

These results again indicate that the risk of high radiation exposure events at Seabrook Station is essentially zero. Since both early fatalities and early injuries require large, acute doses of radiation (the kind that can only come from especially severe accidents), they are both caused by the same types of initiating events. Thus, the principal contributors to early injuries are events that somehow bypass the containment.

The above results of the risk assessment have broken out the separate components of accident likelihood, as measured by its frequency, and consequences as measured by early and latent fatalities and injuries. A similar perspective of these results is afforded by combining the frequency and consequence values into a single risk measure. This is done to express risk in terms of the expected frequency of health effects projected for the population near Seabrook Station. The tabulation below shows the minute increase in risk estimated for the period when Seabrook Station is in operation.

Risk (number of health effects per thousand people per year)

| Health Effect | Population Segment | Before Plant Operation (nonnuclear causes) | During Plant Operation (all causes) |
|---|---|---|---|
| Early Fatality | 4,435 people within 1 mile of Seabrook Station | 0.5 | 0.5002 |
| Latent Cancer Fatality | 4,200,000 people within 50 miles of Seabrook Station | 2.0 | 2.00001 |

CORE MELT

In order for there to be any offsite radiation risk from a nuclear plant, it is necessary that the fuel be severely damaged and the containment integrity violated. Thus, a necessary but not sufficient precursor event to any adverse health effects from a potential accident at Seabrook Station is core damage or core melt. Core damage does not always lead to offsite health effects. In fact, as long as containment integrity is maintained, there will not be a significant release no matter what happens to the core. Such was the case during the Three Mile Island accident. Thus, the frequency of events leading to offsite injuries and fatalities following an accident is, as expected, far less than the frequency of events damaging the core. That is, it is not just a case of core damage but how the core damage takes place that dictates the outcome of an accident. For example, core melts that incapacitate containment systems are certainly much more serious and less frequent than those that do not.

The best estimate of the core melt frequency for Seabrook Station is calculated to be 1 in 5,300 per reactor year with an upper bound of once every 2,400 reactor years. While the frequency of occurrence of core melt is considerably greater than that of injury or fatality, it can still be considered a rare event. Events which contribute most to the core melt frequency involve failures in electric power to operate important safety systems. Other contributors include such external events as very large earthquakes and fires and, to a lesser extent, accidents that are caused by a loss of coolant. Of course, these are all events that occur very infrequently; thus the small risk of core damage.

RISK AND UNCERTAINTY

The above results have been given for the most part in terms of point estimates and ranges. It is important to try to put these results into their proper context. In the Seabrook Station Probabilistic Safety Assessment, great care was taken to quantify and communicate the uncertainty associated with the results. The language for communicating uncertainty is probability. In particular, for each damage index such as injuries, a family of probability curves was generated on the frequency of occurrence of different levels of damage. Those "risk curves" are in what is referred to as risk assessment in "probability of frequency" format. For example, the following figure shows the risk curves for radiation injuries generated for Seabrook Station.

FIGURE 2. RISK OF RADIATION INJURIES AT SEABROOK STATION

[Figure not reproduced: risk curves at probability levels 0.05, 0.10, 0.30, 0.50, 0.70, 0.90, and 0.95, together with the mean risk curve, plotted against the number of early injuries, with guide lines to select the number of early injuries and to read the exceedance frequency.]

Suppose it is desired to know the best estimate of the frequency of I having 10 or more injuries from an accident at Seabrook Station. If we take as the best estimate a probability of 0.5 that is the 50% confi-dence value), we see that the frequency is 10-7(per reac, tor year.

t Inverting this frequency indicates that the damage level of 10 injuries occurs but once every 10,000,000 reactor years.

l Curves 'of this type are f Findings." Table 3 presents some additional results entitled the source of the respits presented in the section "Xey from the SSPSA.

l PERSPECTIVES

'In general, the health and safety risk from Seabrook Station is ext'remel ow, far lower than other risks to which we are routinely exposed While comprehensive risk studies such as the SSPSA have not been made on~

21 t 1022P 011184__ ___ ______-.--

TABLE 3. THE RISK AT SEABROOK STATION

Frequency of Exceeding Number of Indicated Early Fatalities (per reactor year)

Number of Early     Best Estimate                      Upper Bound
Fatalities          (50% probability)                  (95% probability)
1                   3.1 x 10^-8 or 1 in 32,300,000     1.7 x 10^-6 or 1 in 590,000
10                  2.7 x 10^-8 or 1 in 37,000,000     1.4 x 10^-6 or 1 in 710,000
100                 2.1 x 10^-8 or 1 in 47,600,000     1.1 x 10^-6 or 1 in 910,000
1,000               1.2 x 10^-8 or 1 in 83,300,000     6.9 x 10^-7 or 1 in 1,500,000

Frequency of Exceeding Number of Indicated Latent Cancer Fatalities (per reactor year)

Number of Latent    Best Estimate                      Upper Bound
Cancer Fatalities   (50% probability)                  (95% probability)
1                   1.4 x 10^-4 or 1 in 7,140          3.8 x 10^-4 or 1 in 2,630
10                  1.1 x 10^-4 or 1 in 9,100          3.1 x 10^-4 or 1 in 3,230
100                 5.4 x 10^-5 or 1 in 18,500         1.8 x 10^-4 or 1 in 5,560
1,000               7.4 x 10^-6 or 1 in 135,000        4.4 x 10^-5 or 1 in 22,700

Frequency of Exceeding Number of Indicated Radiation Injuries (per reactor year)

Number of           Best Estimate                      Upper Bound
Radiation Injuries  (50% probability)                  (95% probability)
1                   1.4 x 10^-7 or 1 in 7,140,000      5.7 x 10^-6 or 1 in 175,000
10                  1.1 x 10^-7 or 1 in 9,100,000      4.8 x 10^-6 or 1 in 208,000
100                 5.8 x 10^-8 or 1 in 17,200,000     3.0 x 10^-6 or 1 in 330,000
1,000               9.3 x 10^-9 or 1 in 107,500,000    4.7 x 10^-7 or 1 in 2,130,000


alternative energy sources, there are some qualitative estimates. Based on one study (Reference 2), there is reason to believe that greater risk in terms of accidental death rates would result if Seabrook Station were replaced by a fossil plant (other than one fueled by natural gas). Thus, not only has the risk been assessed to be extremely small, but among the alternatives available there are indications that Seabrook Station is the most attractive alternative with respect to health and safety.

There are other perspectives from which to consider the SSPSA results. One of these is the safety goals covering nuclear power plants proposed by the NRC. The NRC safety goals have been published for a 2-year trial period to supplement already existing guides and regulations but not to replace them. There are two aspects of the goals. The first has to do with the societal risk and the second relates to the risk to an individual. Societal risk considers the cancer fatalities in the population within a 50-mile radius of the power plant that might result from its operation. Individual risk involves the early (acute) fatalities within 1 mile from the plant that might result from a nuclear plant accident. The societal risk calculated in the SSPSA is only a very small fraction of the safety goal when applied to Seabrook Station. In particular, the calculated risk at Seabrook Station is only one-thousandth to one-hundredth of the safety goal. The reason for the range is to reflect the uncertainty associated with such calculations.

With respect to the safety goal for individual risk, again the calculated risk for Seabrook Station is well below the applicable safety goal. Specifically, the risk of early fatalities to the population within 1 mile of the plant was found to be between a factor of 5 and 6 below the individual risk goal.

Reflecting on the Seabrook risk analysis results and how they compare with other risks and the NRC safety goals, in one respect, leads to somewhat of a letdown. The reaction is "what is all the fuss about?" Here is a situation where consideration has been given to billions of different accident sequences, millions of pieces of data, hundreds of thousands of dollars worth of computer runs, dozens of logic models, tens of thousands of calculations, and what does it tell us? It tells us that, for all practical purposes, there is no discernable risk to the health and safety of the public. These are the most sophisticated and comprehensive risk assessments ever performed on any system of any kind. Surely we must be able to get more out of it than risk--a risk very much invisible against the risks routinely taken by all members of the public. In fact, we do get more out of it than that.

First, we learn that the risk is indeed extremely small based on the most thorough and systematic analysis techniques at our disposal (and now, based on nearly 1,500 plant years of commercial reactor experience throughout the world). Second, we have a comprehensive risk model of the plant--a model fully capable of being employed as a management tool. Thus, the opportunity for controlling risk and keeping it small is greatly enhanced. We know more about what to expect when certain things go wrong, what the alternatives are for corrective action, and how to quantify the effect on risk of changes in the plant. Additionally, we are in a position to include such knowledge in training and in creating a greater awareness and respect for the responsibility of safe operations and effective emergency response should that rare event actually occur.

And, surprisingly, by tackling the extremely difficult problem of quantifying the frequency of the very rare events that threaten public safety, we bring ourselves much closer to better controlling more frequent events--events that, while not a safety threat, are nevertheless very important to making power generation a much more cost effective and attractive business. This occurs because the same principles can be applied to quantify financial risk events as are used to quantify health and safety risk. Such management enhancement benefits all.

REFERENCES

1. National Academy of Sciences, Committee on the Biological Effects of Ionizing Radiations, "The Effects on Populations of Exposure to Low Levels of Ionizing Radiation," 1980.

2. National Academy of Sciences, Energy in Transition 1985-2010, W. H. Freeman and Company, San Francisco, 1980, p. 429.
