ML20206U854
| ML20206U854 | |
| Person / Time | |
|---|---|
| Issue date: | 05/19/1999 |
| From: | Powers D Advisory Committee on Reactor Safeguards |
| To: | Shirley Ann Jackson, The Chairman NRC COMMISSION (OCM) |
| References | |
| RTR-REGGD-01.174, RTR-REGGD-1.174 ACRS-R-1827, FACA, NUDOCS 9905260038 | |
| Download: ML20206U854 (13) | |
Text
, ,
ACRSR-1827 N . .
UNITED STATES PDR 8 NUCLEAR REGULATORY COMMISSION i j' ADVISORY COMMITTEE ON REACTOR SAFEGUARDS j
WASHINGTON, D. C. 20555 l
Q May 19,1999 The Honorable Shirley Ann Jackson
< Chairman U. S. Nuclear Regulatory Commission Washington, D.C. 20555-0001
Dear Chairman Jackson:
SUBJECT:
THE ROLE OF DEFENSE IN DEPTH IN A RISK-INFORMED REGULATORY SYSTEM During the 462"8 and 461" meetings of the Advisory Committee on Reactor Safeguards, May 5-8 and April 7-101999, we discussed issues identified in the Staff Requirements Memorandum dated March 5,1999, concoming the appropriate relationship and balance between probabilistic risk assessment (PRA) and defense in depth in the context of risk-informed regulation. We previously discussed this matter with the Commission during our meeting on February 3,1999.
We are attempting to identify pitfalls that may exist along the path the Commission is taking toward risk-informed regulation so they may be addressed in a timely manner. We have communicated previously on the need for plant-specific safety goals that are practical for licensees to evaluate, the need for risk assessments for all modes of plant operation, and the need for research to support further use of risk'information in regulatory activities. Several ACRS members, working with an ACRS Senior Fellow, have produced the attached paper in which two views of defense in depth are discussed along with a preliminary proposal regarding its role. Here, we further discuss the role that i defense in depth should have in a risk-informed regulatory scheme. !
Our motivation for this report has arisen because of instances in which seemingly arbitrary appeals )
to defense in depth have been used to avoid making changes in regulations or regulatory practices that seemed appropriate in the light of results of quantitativa risk analyses. Certainly, we have seen defense in depth used as a basis for delaying changes in the existing regulatory practices: 1 i
- there has been reluctance to develop new, risk-informed limits on leakage from steam generator tubes because these are part of the defense-in-depth barriers,
- the development of extensions of the Regulatory Guide 1.174 process to define criteria for risk-informed revisions to 10 CFR 50.59 has been delayed because of defense in depth issues,
. J4
- 1. , ,
g3 990519 i PDR s . . .
r
- ,- the oevelopment of graded quality assurance measures has been overly conservative because of concoms about the imputed importance of quality assurance to defense in depth, and a the development of regulatory requirements on software-based digital instrumentation and control systems was delayed because of concems related to defense in depth.
We are concemed that artstrary appeals to defense in depth could inhibit the effective use of risk information in the regulatory process. At the same time, we are mindful that risk analyses are not perfect. Defense in depth can be an effective means for compensating for any weaknesses in our ,
ability to understand the risks posed by nuclear power plants.
]
As discussed in the attached paper, the defense-in-depth approach to safety arose in an earlier time i when there was less capability to analyze a nuclear power plant as s,n integrated system. 1 Subsystems were designed such that the necessity and sufficiency of defense in depth could be i determined from experience ar;d through exercising engineering judgment. Defense in depth was a design and operational philosophy that called for multiple layers of protection to prevent and mitigate accidents. Its practicalimplementation was most often associated with control ofinitiating event frequencies, redundancy and diversity in key safety functions, multiple physical barriers to fission-product release, and emergency response measures. This philosophy has been invoked primarily to compensate for uncertainty in our knowledge of the progression of accidents at nuclear power plants.
Improved capability to analyze nuclernr power plants as integrated systems is leading us to reconsider the role of defense in depth. Defense in depth can still provide needed safety assurance l in areas not treated or poorly treated by modem analyses or when results of the analyses are quite uncertain. To avoid conflict between the useful elements of defense in depth and the benefits that can be derived from quantitative risk assessment methods, constraints of necessity and sufficiency ,
must be imposed on the application of defense in depth and these must somehow be related to the uncertainties associated with our ability to assess the risk.
We believe that two different perceptions of defense in depth are prominent. In one view (the "structuralist" view as described in the attached paper), defense in depth is considered to be the application of multiple and redundant measures to identify, prevent, or mitigate accidents to such a degree that the design meets the safety objectives. This is the general view taken by the plant designers. The other view (the " rationalist"), sees the proper role of defense in depth in a risk-informed regulatory scheme as compensation for inadequacies, incompleteness, and omissions of ;
risk analyses. We choose here to refer to the inadequacies, incompleteness, and omissions collectively as uncertainties. Defense-in-depth measures are those that are applied to the design or operation of a plant in order to reduce the uncertainties in the determination of the overall !
regulatory objectives to acceptable levels. ideally then there would be an inverse correlation between the uncertainty in the results of risk assessments and the extent to which defense in depth is applied. For those uncertainties that can be directly evaluated, this inverse correlation between defense in depth and the uncertainty should be manifest in a sophisticated PRA uncertainty analysis.
4 e >
K
1 When defense in depth is applied, a justification is needed that is as quantitative as possible of both the necessity and sufficiency of the defense-in-depth measures'. Unless defense-in-depth measures are justified in terms of necessity and sufficiency, the full benefits of risk-informed regulation cannot be realized.-
The use of quantitative risk-assessment methods and the proper imposition of defense-in-depth measures would be facilitated considerably by the availability of risk-acceptance criteria applicable at a greater level of detail than those we now have.- Development of the additional risk-acceptance criteria would have to take into consideration safety objectives embodied in the existing regulations.
For example, risk-acceptance criteria are needed to meet the Commission's safety objectives with respect to worker health and environmental contamination and to meet additional public health and safety objectives [e.g., total fatalities, land interdiction). All of these may not be currently reflected in conventional risk assessments.
. We believe that a key missing ingredient needed to place quantitative limits on defense-in-depth measures is acceptance values on the level of uncertainty for each safety objective. Setting such acceptance values is a policy role, very much like setting safety goal values. The uncertainties that are intended to be compensated for by defense in depth include all uncertainties (epistemic and aleatory). Not all of these are directly assessed in a normal PRA uncertainty analysis. Therefore, when acceptance values are placed on uncertainty, these would have to appropriately incorporate consideration of the additional uncertainties not subject to direct quantification by the PRA. These
- considerations would have to be determined byjudgment and expert opinion. As a practical matter, we suggest that the acceptance values be placed on only those epistemic uncertainties quantifiable by the PRA but that these be set sufficiently low to accommodate the unquantified aleatory uncertainties.
- When acceptance values have been chosen as policy for the regulatory objectives and their associated uncertainties, it would be possible to develop objective limits on the amost of defense in depth required for those design and operational elements that are subject to evaluation by PRA.
To do this, it is necessary to incorporate the effects of the defense-in-depth measures into the PRA uncertainty analysis and the designer or regulator must be able to adjust the defense in depth until the acceptance levels for the regulatory objectives and the acceptance values for the associated uncertainties have both been achieved.
The balance between core damage frequency (CDF) and conditional containment failure probability (CCFP) can serve as an example of this defense-in-depth concept. We have previously recommended that CDF be elevated to a fundamental safety goal. Let us suppose, for example
{
sake, that our acceptance value on this is 104 per reactor year. If that is the value actually -
achieved by the design, then a CCFP of about 0.5 has been shown (NUREG-1150) to be generally sufficient to meet the safety goal regulatory objective of individual risk of prompt fatality [which can be adequately represented by an acceptance value of 104 per reactor year on large, early release 3
frequency (LERF) as noted in Regulatory Guide 1.174). Does this CCFP provide sufficient defense in depth?
l i
. _. . - _ . _ - . . . - - . ._ . . . _ . ,. 1
In our view, three acceptance criteria must be satisfied - one each on CDF, LERF, and the epistemic uncertainty associated with LERF. The Safety Goal Policy Statement suggests candidate acceptance values on CDF and LERF. In addition to these, we must establish the acceptance value on the uncertainty associated with LERF. For the particular value of LERF achieved, let's say that the acceptance value has been set by policy to be on the epistemic uncertainty that can be directly developed from the PRA [but which properly reflects the unquantified aleatory uncertainties]. Now suppose our PRA uncertainty analysis tells us that the quantified uncertainty for this design is greater than the acceptance value. Employing our concept, the design with the 0.5 CCFP does not have sufficient defense in depth. The design must, then, include provisions for more defense in
. depth [e.g., a better containment perhaps) or reduction of the LERF to values for which the achieved uncertainty is acceptable. The acceptance value on uncertainty for any given regulatory objective could be a function of the absolute value achieved for the regulatory objective. That is, as the achieved mean value for LERF gets further below the acceptance value, the acceptable level of ,
uncertainty on its determination can be greater. '
We believe this concept of defense in depth can provide a rational way to develop sufficiency limits wherever the defense-in-depth measures can be directly evaluated by PRA. We acknowledge however, that considerable judgment will have to be exercised to set limits on uncertainty, especially uncertainties not quantified by the PRA. Our preceding example suggests one approach to managing these uncertainties.
For those regulatory functions that are not well suited for PRA or where the current capabilities of PRAs are not sufficient, we suggest that the limits on application of defense in depth be placed at levels lower than the top-level safety objectives (see Figure 1 of attached paper). We emphasize that, even under these circumstances, the PRA can still dictate when defense in depth is needed.
Let us illustrate how we envision defense in depth to be applied under these circumstances with an example. Fire is one of the initiating events of interest. PRAs quantify the occurrence of fires in nuclear power plants and, among other things, their impact on control and power cables. The plant ,
response to the loss of the relevant systems (due to the loss of these cables) is also analyzed.
The frequency of fires in specific critical locations, that is, locations in which cables of redundant i systems may be damaged, is estimated in the PRA using experience-based rates of occurrence of l fires, multiplied by subjective estimates of the fraction of fires that are large enough to have the potential to cause damage and the fraction of those fires that occur in the specified critical locations.
This is a highly subjective part of the risk assessment (therefore, highly uncertain). It is therefore, a suitable area to invoke defense in depth and to impose prescriptive requirements regarding the prevention of fires in those critical locations [e.g., strict administrative controls and periodic inspections). Thus, the relative inadequacy of the PRA model suggests how defense in depth should be applied at levels lower than the top-level safety objectives.
We further realize that the fire risk assessment does not include the damaging effects of the smoke generated by a fire. This is a case of omission of a potentially significant effect. Therefore, we would, again, resort to defense in depth and may demand barriers to limit the spread of smoke and to protect sensitive equipment.
-s
. Since the Itnpact on the risk metrics of these lower-level defense-in<fepth measures cannot be !
quantified, nor can the uncertainties, the necessity and sufficiency of the defense-in-depth measures will have to be simply prescribed and that prescription would constitute the acceptance criteria.
We note that our first example dealing with CDF and CCFP addresses the top level of Figure 1 of )
the attached paper, if one adopts the structuralist viewpoint at that level, as the paper's preliminary proposal suggests, then the tradeoffs of our example between CDF and CCFP will have to be performed under the assumption that at least some level of defense in depth will be required. If, on the other hand, one adopts the rationalist view even at that level, it is conceivable that the LERF i objectives could be satisfied without a containment. Our second example dealing with fires l exemplified the rationalist view at lower levels, as the preliminary proposal recommends.
We acknowledge that these preliminary thoughts on the role of defense in depth in a risk-informed regulatory system identify a direction but fall short of closing the issue. ' We recommend that the Commission give further consideration to this matter.
Sincerely, !
\ % d W 1
Dana A. Powers l Chairman
References:
i
- 1. U. S. Nuclear Regulatory Commission, Regulatory Guide 1.174, 'An Approach for Using Probabilistic Risk Assessment in Risk-informed Decisions on Plant-Specific Changes to the Licensing Basis," July 1998. !
- 2. U. S. Nuclear Regulatory Commission, NUREG-1150, Vols.1-3, " Severe Accident Risks:
An Assessment for Five U. S. Nuclear Power Plants," December 1990.
- 3. Report dated August 15,1996, from T. S. Kress, Chairman, ACRS, to Shirley A. Jackson, ,
Chairman, NRC,
Subject:
Risk-informed, Performance-Based Regulation and Related l Matters.
- 4. Memorandum dated March 5,1999, from Annette Vietti-Cook, Secretary of the NRC, to John T. Larkins, Executive Director, ACRS,
Subject:
Staff Requirements - Meeting with the Advisory Committee on Reactor Safeguards, Feb,uary 3,1999. !
Attachment:
U. S. Nuclear Regulatory Commission, Advisory Committee on Reactor Safeguards, J. N.
Sorensen, G. E. Apostolakis, T. S. Kress, D. A. Powers, 'On the Role of Defense in Depth in Risk- ;
~
informed Regulation,' to be presented at PSA 1999, August 22-25,1999.
i
T'
, ON THE ROLE OF DEFENSE IN DEPTH IN RISK-INFORMED REGULATION To be presented at PSA '99 Washington, D.C.
August 22-25,1999 J. N. Sorensen, Senior Fellow G.E. Apostolakis, Member T. S. Kress, Member D. A. Powers, Member Advisory Committee on Reactor Safeguards U. S. Nuclear Regulatory Commission Washington, D.C. 20555-0001 l
ABSTRACT HISTORICAL DEVELOPMENT The nascent implementation of risk Defense in depth is a nuclear industry informed regulation in the United States safety strategy that began to develop in the suggests a need for reexamination of the 1950s. A review of the history of the term Nuclear Regulatory Commission's (NRC) indicates that there is no official or defense in depth philosophy and its impact preferred definition. Where the term is on the design, operation, and regulation of used, if a definition is needed, one is nuclear power plants. This reexamination created consistent with the intended use of is motivated by two opposing concerns: the term. Such definitions are often made (1) that the benefits of risk informed by example.
regulation might be diminished by i
arbitrary appeals to defense in depth, and In a 1967 statement submitted to~ the Joint (2) that the implementation of risk Committee on Atomic Energy by Clifford informed regulation could undermine the Beck, then Deputy Director of Regulation defense in depth philosophy. From either for the Atomic Energy Commission, three perspective, two questions are suggested: basic lines of defense for nuclear power (1) How is defense in depth defined? (2) reactor facilities were described. The first How should the implementation of risk line was the prevention of accident informed regulation alter our view of initiators through superior quality of defense in depth? A preliminary proposal design, construction and operation. The for the role of defense in depth in a risk- second line was engineered safety systems informed regulatory system is presented. designed to prevent mishaps from escalating into major accidents. The third line was consequence-limiting safety systems designed to confine or minimize
i l
. the _ escape of fission products to the by the fuel cladding, primary systeni, and environtpent. containment.
2 A 1969 paper by an internal study group One of the essential properties of defense of the Atomic Energy Commission in depth is the concept of successive identified the issue of balance among barriers or levels. This concept applies accident . prevention, protection, and equally well to multiple physical barriers ;
mitigation, with the conclusion that the and to high level lines of defense. A !
. greatest emphasis should be put on closely related attribute would be ,
prevention, the first line of defense. requiring a reasonable balance among j prevention, protection and mitigation. l 2
A 1994 NRC document. identifies the elements of the defense in depth safety EMERGING REGULATORY.
strategy as accident prevention, safety PRACTICE j systems, containment, accident '
management, and siting and emergency The most recent.NRC policy statement plans. Other interpretations of defense in that deals with defense in depth is the depth can be found in INSAG-3d and Probabilistic Risk Assessment (PRA) 6 INSAG-105 Policy statement published in 1995, which states,in part: J The historical record indicates an i evolution of the term from a narrow "The use of PRA technology should be application to the multiple barrier concept increased in all regulatory matters to the .
to an expansive application as an overall extent supported by the state-of-the-art in i safety strategy. The term has increased in PRA methods and data and in a manner scope and gained stature over time. The that complements the NRC's deterministic history also indicates that defense in depth approach and supports the NRC's ;
is considered to be a concept, an approach, traditional defense-in-depth philosophy."
a principle or a philosophy, as opposed to being a regulatory requirement per se. The policy statement, thus, places PRA in !
a subsidiary role to defense in depth.
Currently the term is commonly used in !
two difTerent senses. The first is to denote In 1998, the NRC published Regulatory the philosophy of high level lines of Guide 1.174.7 This guide establishes an defense, such as prevent accident initiators approach to risk-informed decision from occurring, terminate accident making, acceptable to the NRC staff, sequences quickly, and mitigate accidents which includes the provision that that are not successfully terminated. The proposed changes to the current licensing
. second is to denote the multiple physical basis must be consistent with the defense barrier approach, most often exemplified in depth philosophy. The RG 1.174 2 :
1
-(;. .- !
(discussion states that, "The defense in - characteristic of this model that balance depth philosophy . . . has been and must be preserved among the high-level l continues ~ to be an effective way to lines of defense, e.g., preventing acciden't account for uncertainties in equipment and initiators, terminating accident sequences human l performance." The discussion quickly, and mitigating accidents that are goes on to say that PRA can be used to not successfully terminated. One result is I help. determine the appropriate extent of that certain provisions for safety, for i defense in depth, which, by example, is . example reactor contain' ment and' i equated to balance'among core damage emergency planning, must be made prevention, containment failure prevention regardless of our assessment of the and consequence mitigation. The probability that they may be required.
regulatory - guide thus addresses the Accident prevention alone is not relied concern of preventing risk-informed upon to achieve an adequate level of regulation from undermining defense in protection. ;
- depth. Defense in depth is primary, with . ]
PRA available to measure how well it has There does not appear to be any question been achieved. that the implementation of defense in i I
depth up to the present time reflects the STRUCTURALIST MODEL structuralist model. While this philosophy has served the industry well from the We have identified two different schools safety perspective, it is now realized that, of thought (models) on the scope and in some instances, it has led to excessive nature of defense in depth. These models regulatory burden. Furthermore, the lack came to be labeled "structuralist" and of an integrated view of the reactor
" rationalist." systems has resulted in some significant accident sequences not being identified The structuralist model. asserts that until PRA was developed, e.g., the defense in depth is embodied in the interfacing-systems LOCA sequence.
structure of the regulations and in the design of the facilities built to comply The next issue, then, becomes how should with those regulations. The requirements the insights from PRA be integrated into for defense' in depth are derived by this structure to reduce unnecessary repeated application of the question, burden and make it more rational? In the "What if this barrier or safety feature structuralist model, defense in depth is fails?" The results' of that process are primary, with PRA available to measure documented in the regulations themselves, how wellit has been achieved.
specifically in Title 10, Code of Federal Regulations. In this model, the necessary and sufficient conditions are those that can be derived from Title 10. It is also a 3
e I
L . .
, THE RATIONALIST MODEL . l example, a judgement is made on the balance between prevention and 4 The ratiSnalist model asserts that defense mitigation. )
in' depth is the aggregate of provisions l
-made to compensate for uncertainty and What distinguishes the rationalist model incompleteness in our knowledge of from the structural model is the degree to accident initiation and progression. This which. it depends on establishing .
model is . made practical by the quantitative acceptance criteria, and then I development of the ability to quantify risk carrying fonnal analyses, including !
and estimate uncertainty using . analysis of uncertainties, as far as the l probabilistic risk assessment techniques. analytical methodology permits. The i The process envisioned by the rationalist exercise of engineering judgement, to !
is: (1) establish quantitative acceptance ' determine the kind and extent of defense criteria, such as the quantitative health in . depth measums, occurs after the ;
objectives, core damage frequency and capabilities of the analyses have been i large early release frequency, (2) analyze exhausted.-
the system using PRA methods to .
establish that the acceptance criteria are A PRELIMINARY PROPOSAL ;
. met, and (3) evaluate the uncertainties in the analysis, especially those due to model The structuralist and rationalist models are incompleteness, and determine what steps not generally in conflict. Both can be should be taken to compensate for those construed as a means of dealing with uncertainties. In this model, the purpose uncertainty. Neither incorporates any
, of defense in depth is to increase the reliable means of determining when the degree of confidence in the results of the degree of defense in depth achieved is PRA or .other analyses supporting the sufficient. In the final analysis, they both l conclusion that adequate safety has been depend on knowledgeable people achieved. discussing the risks and uncertainties and ultimately agreeing on the provisions that The underlying philosophy here is that the must be made in the name of defense in !
probability of accidents 'must be depth. The fundamental difference is that !
acceptably low. Provisions made to the structural model accepts defense in )
achieve sufficiently- low accident depth as the fundamental value, while the probabilities are d_efense in depth. It rationalist model would place defense in should be'noted that defense in depth may depth in a subsidiary role.
be manifested in safety goals and acceptance criteria which are input to the The remaining question is which model design process. In choosing goals for core provides the better basis for moving !
damage frequency and conditional ~
forward with risk- informed regulation. l containment _ failure probability, for How can capricious imposition of 4
l w...
c
-^ a .
i defense-in-depth be prevented from hierarchy. An example is shown in Figure
{
undermining the focus that .can be 1.
provided by risk- informed methods of regulation? PRA methods have identified The PRA uncertainties increase as we )
gaps in the regulations and in the safety move from the initiating events to risk profiles of individual plants. They have (from left to right). The structuralist view also identified regulations and plant dictates that intermediate goals be set, j systems that do not make a significant such as core damage frequency (CDF),
contribution to safety. Typically, large early release frequency (LERF) or however, regulatory reactions to findings conditional containment failure probability that regulations or plant systems are (CCFP),or frequency-consequence (F-C) superfluous to safety have been less curves. This would satisfy the aggressive than reactions to apparent requirement of balance between safety deficiencies. prevention and mitigation. We note that the actual numerical value chosen for core Two options can be identified: damage frequency can express a preference for prevention, and such a (1) Recommend defense in depth as a preference is unrelated to defense in supplement to risk analysis (the rationalist depth. One could proceed and set goals at view) the " cornerstone" level, i.e., one level below. This could include goals en (2) Recommend a high-level structural initiating- event frequencies, safety-view and a low-level rationalist view. function or safety-system unavailabilities, and so on. How far down one would go Option (1) requires a significant change in would be a policy issue. The structuralist the regulatory structure. The place of view would not be applied at lower levels.
defense in depth in the regulatory hierarchy would have to change. The The rationalist model would be applied at PRA policy statement could no longer levels lower than the cornerstones of relegate PRA to a position of supporting Figure 1. Defense in depth would be used defense in depth. Defense in depth would only to address uncertainties in PRA at the become an element of the overall safety lower levels, thus becoming an element of analysis. the overall safety analysis. For events or processes that are not modeled in PRA, Option (2) is to a large degree compatible defense in depth would play its traditional with the current regulatory structure. The role. Such is the case with the impact of structuralist model of defense in depth smoke from fires on plant safety. Current would be retained as the high-level safece fire risk assessments do not account for philosophy, but the rationalist ' model the effects of smoke, therefore, would be used at lower levels in the safety prescriptive defense-in-depth based 5
. measures would be taken to limit this Regulation of Nuclear Reactors, )
impact. April 4,5,6,20, and May 3,1967.
We view Option (2) as a pragmatic 2. Internal Study Group, " Report to approach to reconciling defense in depth the AtomicEnergyCommission on i with risk-informed regulation. There can the Reactor Licensing Program," {
be little doubt, however, that the submitted to the Joint Committee i rationalist model, Option (1), will on AtomicEnergy, Congress ofthe l ultimately provide the strongest theoretical United States, Hearings on AEC l foundation for risk-informed regulation. Licensing Procedure and Related When more experience has been gained Legislation, June 1969. l with the application of PRA in the design l and regulation of nuclear power plants, 3. F. E. Haskin, and A. L. Camp,, I when PRA models can adequately treat " Perspectives on Reactor Safety,"
most ofthe phenomena ofinterest, the role NUREG/CR-6042, Nuclear of defense in depth can and should be Regulatory Commission, l changed to one of supporting the risk Washington, DC, March 1994. i analyses. This transition will need to be I supported by the development of 4. International Nuclear Safety l subsidiary principles from which Advisory Group, " Basic Safety )
necessary and sufficient conditions could Principles for Nuclear Power '
be derived. Plants," Safety Series No. 75-INSAG-3, Intemational Atomic Nolc Energy Agency, Vienna, Austria, )
1988 I The views expressed in this paper are the )
authors' and do not necessarily represent 5. International Nuclear Safety !
the views of the Advisory Committee on Advisory Group, " Defense in l Reactor Safeguards Depthin Nuclear Safety,"INSAG- !
10, International Atomic Energy :
REFERENCES Agency, Vienna, Austria,1996
- 1. C. Beck, " Basic Goals of 6. U. S. Nuclear Regulatory :
Regulatory Review: Major Commission,"Use ofProbabilistic l Considerations Affecting Reactor Risk Assessment in Nuclear Licensing," Statement submittedto Regulatory Activities; Final Policy l the Joint Committee on Atomic Statement," Federal Register, Energy, Congress of the United 60 FR 42622 States, Hearings on Licensing and !
6 l
p.:
0;
.{
, 7. U. . -S. Nuclear Regulatory l
Commission, "An Approach for dsing -Probabilistic Risk' Assessment in Risk-Informed ,
Decisions on : Plant-Specific. l Changes to the Current Licensing Basis," Regulatory Guide 1.174, l June 1998 '
l 1
' i I
l
)
i I
7
l e .
l a C) a _
u l i
n a
ks _
d i
a t (
F- a i
v kike i
d s cs t
n o
R _
nioi IRSR C e my m , " l e
- ' *
- secn sea ,a d o
r eg ,i _
we r
r sM .
em CE e s
e v ,
s a
et e s- .
ea l
e ga r l t v e
pC RS t f l l
hg e
- a cP v e
i h
a i = n t -
sd n a -
r n e mwTaR l d
e s o -
m l
a n w
,o i
t c
u t s r ns t s
P F r ee e F R ,
d rgs ht -
C E i c f cri on o
CrL e 3-APB '
^-
^
- e.
i y-m., ;
- c. , l b
i e
s l e g
_ s o
P F t as e C
D r
, nmt aaa 1
e r
l t u 1
PD i F
g l
N>S te mse s
i4 y u.
s r
e s
tt rn yt e ei
- s r ~
smhr e
n o
E sn g
e g
n t gsi is t
s ni r imr e ta seai 4 ina t n
r r t e o rMMa r ivn cIMB- I E a : '. ' ' 1 -
-