Text

_

~

Gd/$ & R 98 a cto

1. o UNITED STATES

^g NUCLEAR REGULATORY COMMISSION N,M o

y l

ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 0

g WASHINGTON, D. C. 20655 April 12, 1988 The Honorable Lando W. Zech, Jr.

Chairman U.S. Nuclear Regulatory Comissiun Washington, DC 20555

Dear Chaiman Zech:

SUBJECT:

PROGRAM TO IMPLEMENT THE SAFETY GOAL POLICY -- ACRS COMMENTS During the 336th meeting of the Advisory Comittee on Reactor Safe-guards, April 7-9, 1988, and in previous meetings, we discussed NRC Staff efforts to devise methods for implementing the Safety Goal Policy enunciated by the Comission in 1986.

Following our report to you of May 13,1987, "ACRS Coments on an Implementai. ion Plan for the Safety Goal Policy," the Comission directed the Staff to develop a plan along the lines we had suggested.

The ACRS and its Subcomittee en Safety Philosophy, Technology, and Criteria have. met several times with members of the Of fice of Nuclear Regulatory Research (RES) to discuss means by which the implementation plan suggested in our May 1987 report might be "fleshed out." We expect that additional meetings will be necessary over the next taw months.

Our understanding is that the Staff will then document a description of its pragram.

We believe it would be useful to provide you with some interim comments.

These follow:

Definition of a "Large Release" The Safety Goal Policy includes a general perfonnance guideline that there should be a probability no greater than 1E-6 per reactor-year of a large release from any operating nuclear power plant.

Exactly what is meant by a large release was not defined in the Policy, but it has been suggested that a definition is needed in the implementation plan.

We believe the definitior, of a large release should make clear that a release to the biosphere of a substantial fraction of the core inventory is intended.

In particular, it is misleading to define it in tenns of health offects; those goals are stated elsewhere in the Policy.

Of course, in assessing whether the 1E-6 goal is met by the body of regu-latory rules and practice, one will have to consihr and evaluate specific sequences for individual plants. All of the probabilistic risk assessments (PRAs) provide examples of such sequences, and it is uni-versally agreed that the "bottom line" estimates thereby derived are among the weakest results of a PRA.

Nonetheless, a definition of a l

8804280175 880412 PDR ACRS R-1293 PDR

%)

The Honorable Lendo W. Zech, Jr. April 12, 1988 large release in terms of a number of curies released would provide a durable objective for the calculations, which will improve with time, and which must be done as hest one can at any given time.

In the end, of course, a particular number will have to be specified, and it must be consistent with the other elements of the program.

Examples of what we have in mind might be helpful.

We regard the release to the environment that occurred at THI-2 in 1979 as not a large release.

The release that occurred in the accident at Chernobyl Unit 4 in 1986 was a large release.

The fact that there were apparently no "prompt" radiological fatalities among the offsite population at Chernobyl is irrelevant under the proposed definition.

Definition of "Core Melt" In our report of May 13, 1987, we suggested a performance objective for "prevention" systems as a calculated core melt probability of less than 1E-4 per reactor-yaar.

Exactly what is meant by core melt, seemingly a simple cuestion, presents a problem for analysts and others considering the details of nuclear power plant accidents.

The most likely sequence of core overheating, melting, and displacement can be viewed as a hypothetical sequence of events.

Each event is less likely than that preceding it bacause the sequence may be interrupted at any point, for example, by successful performance of emergency procedures.

These events might be defined as:

(1) loss of odecuate core cooling (core overheating beyond design-basis limits),

(2) onset of significant damage to the core, (3) melting (asintheTHI-2 event),and displacement of the core within the reacto vessel (4) passage of molten core out of the reactor pressure vessel (e.g.,

"core on the floor").

We would apply the IE-4 objective to the first event in this sequence, with the expectation that there is a significant but undefined margin in likelihood between it and the remaining event:. We note that referring to this as a "Core Melt Performance Objective" is an unfortunate choice; however, it is one that is well established in the nuclear safety comuni ty.

I

w I

The Honorable Lando W. Zech, Jr. April 12, 1988 l

Df.finition of the Plant Performance Objective Our May 1987 report recomended that a performance cbjective expressing "how well the plant is operated" should be developed. The RES Staff has indicated that it doesn't know how to do this and plans no further work regarding this matter.

Without a performance objective of this sort, the severe gap in the logic of the Safety Goal Policy, which led to our original reconrendation, remains.

The problem is as follows:

The Safety Goal Policy is intended, as we understand it, to be a declaration of intent about how safe operating nuclear plants are to be.. However, PRA, the prirnary tool by which performance of plants against the safety goal is to be judged, uses few data on operational performance.

Most of the analyses in a PRA depend on attrioutes of the plant design.

Very little information about how a plant.is actually operated is used.

Where actual operational performar)ce is' included (e.g., equipment failure rates and pre-dictions of operator response), most of the data used are generic to industry experience and little reflect attributes of the oper-ation of the particular plant being analyzed.

This is really an inherent weaknr.ss in the present art of PRA.

Although no r.eans are presently apparent for incorporating a more complete definition of operational performance into the Policy implementation, we believe credibility of the Policy suffers without it.

Research could help.

It might be por.sible to somehow better incorporate attributes of operational performance into PRA.

If this cannot be done, a prominent caveat, e.g., a warning that PRA results do not tell the full story, should be trade a part of the Policy or of the implementation plan.

We note that at one of our recent meetings, Nuclear Reactor Regulation Staff described plans for further work having as its objective a better description (for use in PRAs, e.g.) of the contribution to risk or to safety made by the plant operating staff.

Results of this work could contribute to the formulation of a performance objective.

Use of Cost-Benefit Analysis Cost-benefit analysis has a role in regulatory practice cader the backfit rule.

In this context, the role of the safety goal should be oaly to help provic'e a definition of what is meant by "adenuate for sa fety. "

If it is found that a regulation is permitting plants to De licensed which seem to have safety performance poorer than the guidance provided by the safety goal, then that reguletion should be revised, without recourse to cost-benefit arguments.

l

The Honorable Lando W. Zech, Jr. April 12, 1988 Need For Review of Regulations From the Perspective of the Safety Goal Policy There is a need to consider what is meant by implementation of the Safety Goal Policy.

We have suggested that the Policy not be "used to make narrowly differentiated decisions about specific plants." Instead, it should be used as a primary means for judging the suitability and necessity of specific regulations and regulatory practices.

We include practices in this discussion t,ecause many of the requirements levied by the NRC on licensees are not part of formal regulation., but proceed from a more informal body of practice.

We put aside, for now, the question of whether this in itself is or is not a problem but suggest only that the informal, as well as the formal, regulatory practices should be constrained.by the Safety Goal Policy.

The next question is whether the Policy should be used only reactively in assessing p oposed regulatory changes evolving from other programs (e.g., new requirements coming from resolution of a USI), or should be used more actively in atsessing the present body of regulatory practice.

We recommend the latter.

The existing. body of regulations and regulatory practice has grown enormously over the past 30 years.

This growth has been largely a bottom-up process as the regulatory staff and ACRS have reacted to proposals from applicants and vendors and responded to developing technical information and plant experience.

We believe it is possible to make a zero-based assessment of this body of regulations to deter-mine:

(a) which parts are contributing effectively to assure that i

plants are appropriately safe, (b) which parts are unnecessary, and (c) which parts need to be strengthened or better focused.

l It is the responsibility of the NRC to move in the direction of such an assessment.

It will not be easy but should begin now for several reasons:

There is a hiatus in applications for new plants.

There is now an extensive body of experience with operation and regulation that did not exist 30 years ago.

There is now much more complete information about severe accidents than existed previously j

PRA has matured and is available as a tool.

And finally, the Safety Goal Policy is available as a thoughtful and agreed-upon measuring criterion.

The Honorable Lando W. Zech, Jr. April 12,-1988 We trust the above coments will be useful as the Staff continues with development of the Policy implementation, isdditional remarks by ACRS Member Harold W. Lewis are presented below.

Sincerely, W. Kerr Chairman Additional Remarks By ACRS Member Harold W. Lewis The Comittee has, in its May 1987 report, defined the term "core melt" to mean loss -of as.sured core cooling which can result in severe core damage, to match the probability objective of IE a per reactor year.

In this report the definition is made even more restrictive.

While there is ambiguity in the comunity about the meaning of the term (as noted by the Comittee),, the redefinition has an enonnous impact on the effect of the goal.

There is a considerable difference of probability between loss of adequate core cooling and melting of the core, the former more probable but not necessarily damaging. Since the assignmeia of the term "core melt" to an event which need not melt the core unnecessarily biases the interpretation of the safety goal, I believe it is the job of the Commission to clarify what is meant by the term, rather than for the Committee to read minds.

I take the simplistic view that a core melt requires a r.olten core.

In the law, the established procedure for resolving apparent anbiguities is to start with the plain meaning of the words.

I also believe it important that the Comission (not the Staff) clarify its intent in promulgating the Safety Goal Policy.

Though the goals were stated by the Comission two years ago, we continue to hear of Staff actions which are justified by one or another version of "if we can see a way to improve safety, we will."

Presumably the Comission, by giving an answer to the how-safe-is-safe-enough question, intended precisely to dampen such unbounded enthusiasm.

I believe the Comission should reinforce its guidance to its staff.

l

\\

.