ML20214E199
| ML20214E199 | |
| Person / Time | |
|---|---|
| Issue date: | 05/13/1987 |
| From: | Kerr W Advisory Committee on Reactor Safeguards |
| To: | Zech L NRC COMMISSION (OCM) |
| References | |
| ACRS-R-1248, NUDOCS 8705220003 | |
| Download: ML20214E199 (9) | |
Text
{{#Wiki_filter:7 s ucog'o f UNITED STATES c ~g /" NUCLEAR REGULATORY COMMISSION i o
- ,U ADVISORY COMMITTEE ON REACTOR SAFEGUARDS O
WASHINGTON, D. C. 20555 May 13, 1987 i The Honorable Lando W. Zech, Jr. Chairman U.S. Nuclear Regulatory Commission i Washington, D.C. 20555
Dear Chairman Zech:
j 1
SUBJECT:
ACRS COMMENTS ON AN IMPLEMENTATION PLAN FOR THE SAFETY GOAL POLICY During the 325th meeting of the Advisory Committee on Reactor Safe-guards on May 7-9, 1987, we formulated comments on the NRC Staff's-proposec implementation plan for the Commission's August 4, 1986 Policy Statement on Safety Goals for the Operations of Nuclear Power Plants. This topic had previously been considered during our 321st, 322nd, 323rd, and 324th meetings in January, February, March, and-April of 1987, and during a subcommittee meeting on January 7, 1987. In our. review.we had the benefit of discussions with'the.NRC Staff and the documents listed. We do not consider the current Staff proposal (Reference 1) suitable as a plan for implementing the Safety Goal -' Policy. Instead, we propose a plan of three elements: 1. Use of safety goal criteria by the NRC Staff. to judge' the adequacy of regulation rether than to make regulatory judgments about specific plants. 2. Recognitiun and formulation of an explicit hierarchical struc-ture among the interrelated criteria in the overall goal. 3. Continuation of a program to make risk estimates for specific plants, 'as a sampling process to--. assist in the evaluation of regulation. USE OF THE SAFETY G0AL It appears.that the plan proposed by the NRC Staff is intended for their use in judging whether a specific nuclear power. plant can be-permitted to operate or continue to operate. If the Staff concludes that a plant does not meet certain quantitatively stated elements of 81oswooo3 X AJ-
r 1 o Tre Honorable Lando W. Zech, Jr. May 13, 1987 4 the Safety Goal Policy Statement, an evaluation would 'be made of 1 possible changes, for example in design, equipment, or procedures, to determine if such changes: would result in an-improved or 4 acceptable level of risk in a cost-effective manner. We do not believe that probabilistic risk assessment (PRA), on which the proposed process is based, is sufficiently developed to be used to make narrowly differentiated decisions about specific plants. Rather, the Safety' Goals should be used in a more global manner to judge the suitability of existing regulations and regulatory. practices, or to assist 1 in formulating whatever changes are' necessary to provide confidence that nuclear plants are operating within an envelope established by the Safety Goals. We continue to believe that systematic examinations of individual power plants as described in the Severe Accident Policy Statement, based in part on insights gained from risk analyses, can serve many ] useful purposes. For example, the search for risk outliers for individual plants should be performed. We believe that detailed-qualitative information on plant characteristics and behavior is-an important result of such a search, but that quantitative information (such as core melt frequency estimates for an individual plant) developed by a PRA is less robust. We are convinced also that direct participation by managerial, engineering, and operational personnel in a systematic examination of their plant can provide them with valuable insights and understanding of plant behavior in abnormal situations. The Safety Goal Policy should be used by the NRC Staff chiefly as 'a standard for judging the adequacy and appropriateness of regulations and regulatory practices to assist them in reaching decisions about - regulatory requirements. However, to make the ' Safety _ Goal Policy usable for these purposes, development in two areas-is needed. The multiple goals and criteria should be related more logically in a hierarchical structure, and the " sampling" of existing plants should-be expanded beyond the work which served as a basis for NUREG-1150, " Reactor Risk Reference Document," Draft for Comment, dated February 1987. HIERARCHICAL STRUCTURE OF THE SAFETY G0AL AND IMPLEMENTATION PLAN Several goals and guidelines are included in.the Safety Goal Policy. We believe that it would be useful to present these in a hierarchi-cal structure to facilitate implementation of the Policy in a range of circumstances. The highest level would serve as the Commission's-statement of intent in regulating nuclear-power and could then be used in decisions about broad policy matters and general comparisons [
'l 1 May 13, 1987 l The Honorable Lando W. Zech, Jr.. with other industrial and technological activities. The lower levels could then be used, as development is completed, by the NRC '] Staff in making specific regulatory decisions. Each subordinate i level of the hierarchy should. be consistent with the level above, but should be a more practical surrogate, representing a e simplification or quantification of the previous level. Each surrogate should not be so conservative that it creates a de facto a new policy. It should also provide a basis by which to assure that 'l the Safety Goal Policy objectives are being met. A recommended hierarchical arrangement of the multiple goals in the Policy Statement is presented below. Level One: This would be the pair of qualitative goals as stated in the Commission Policy Statement of August 4, 1986. " Level Two: This would be the pair of. quantitative health objectives as stated in the same Policy Statement.
- Level Three:
This would be the previously proposed general performance guideline that the likelihood of a large accidental release should be less than.10E-6 per reactor year. If this general performance guideline is to serve as a surro-gate for the Safety Goal Policy objectives, as proposed in our letter of April 15,1986 it should represent a level' of safety consistent with the Level One and Two goals. A definition of a large release as one that will. lead to whole body doses of 5 or 25 rem to an individual at a plant boundary,:as has bee _n given some public mention, does not satisfy this criterion. Such a definition is so much more restrictive than the Level One and Two goals that it, in effect, establishes an alternative policy rather than serving as a more easily applied surrogate. We believe that this is a distortion of the intent of the Policy and suggest that a consistent definition of a large release would be one that, if it occured, would result in'significantly larger whole body doses.
- Level Four: This level of the hierarchy would consist of three performance objectives to be relied on in ensuring that the safety of operating plants is consistent with the Level One, Two, and Three criteria.
These objectives should be explicit enough that they could be used.by the NRC Staff in. making. decisions about specific regulations and regulatory practices. Such objectives are described below.
t The Honorable Lando W. Zech, Jr. May 13, 1987 i l (1) The first performance objective would be an expression of the effectiveness of plant accident prevention systems. We have previously recommended a goal of "less than 10E-4 per reactor-year" for the mean core ' melt frequency "for all but a few existing plants." By core melt, we mean loss of assured core cooling which can result in-severe core damage. There.i s an unquantified, but probably l substantial, difference between the probability of loss of l 1 assured core cooling and the probability of the " core on the floor stage". The latter is more surely threatening to the health and safety of the public, but is also less likely. In relating this performance objective to the risk-based ) Safety Goals, one will have to confront the difficult technical issues associated with the progress of a severe j accident. This will not be easy, but a core melt prob-ability objective is less useful at this level of the hierarchy if its relation to the ultimate objective is unclear. Core melt, as defined here, is an identifiable waypoint in the development of a severe accident. (2) The second performance objective would be an expression of the effectiveness of the design of plant accident mitica-tion systems. Between core melt, as defined above, and j challenge.- to containment, as normally understood, there are several stages at which the accident sequence may be arrested. A containment performance objective cannot be stated simply in terms of the Level Three probability of. a large release and the probability of a core melt as discussed above, i We recommend that as a minimum the containment performance objective should be such that there is.less than one chance in ten for a large release for the entire family of core melt scenarios. (3) The. third performance objective would be an expression of ~ how well the plant is. operated. This remains' to be. developed. A separate objective of this sort would not be necessary if operating performance were appropriately considered in the first two performance objectives. However, present methods' of. analysis. for performance objectives are based primarily on system design only. For this reason it seems necessary at this time to consider operations in a separate objective, if the Safety Goal
I l l 1 l The Honorable Lando W. Zech, Jr. May 13, 1987 i Policy is to be applied to plant operation and not just to plant design. We recognize this to be a major undertak-ing, but regard it as essential to a meaningful imple-mentation of the Safety Goal Policy. Level Five: The final level of the Safety Goal Policy logic is the existing body of regulations and regulatory practices. Implementation of the Safety Goal Policy, as we propose, can be viewed as a review of " Level Five" to ensure that it is con-sistent with and carries out the intent of the goal levels above it. The overall policy implementation that we propose consists, in effect, of transforming a bottom-up system of ) regulation to a top-down system as the maturing of the nuclear industry and regulation and enderstanding of risk have per-mitted. In the end, as the effectiveness of the deterministic regulations and regulatory practices is more closely related to the Safety Goal Policy, it will be appropriate to adjust the regulations and regulatory practices to make them consistent with the Safety Goals. SAMPLING 0F PLANTS As indicated above, our recommendation for implementation of the Safety Goal Policy is that it should be used principally as a measure of the adequacy of the regulations and regulatory practices. Safety performance at nuclear power plants then should reflect to a substantial degree the success of these procedures. Further in order to measure effectiveness of the regulations and regulatory practices, the product must be tested. The essential difference between what the ACRS proposes and what the Staff has proposed in this regard is that we believe the measurement of specific plants against the safety goal should be explicitly recognized as a sampl-ing process. The goal of the process should be to determine why and how the regulations and regulatory practices have caused an individual plant or a class of plants to conform with or fall short of the goal, not to simply determine whether an individual plant or class of plants conforms with or falls short of the goal. The purpose of the body of regulations and regulatory practices should be to provide a population of nuclear power plants that conforms to the Commission's safety policy intent, as expressed by the Safety Goal Policy. A Safety Goal Policy implementation plan structured as suggested above can and should be used by the NRC Staff in its evaluation of proposed changes in regulation that arise from a variety of sources, such as operating experiences and resolution of generic issues. However, we believe a more proactive program should be undertaken as
The Honorable Lando W. Zech, Jr. May 13, 1987 part of the Policy implementation. This would be a prioritized, systematic review o' the body of regulations and regulatory prac-tices (i.e., Level Five of the recommended Safety Goal Policy hierarchy) for conformance-with the overall Policy. Such a program would be, in some regards, a continuation of the work that has resulted in the draft NUREG-1150 and in previous assessments of full-secpe PRAs for particular plants. However, we believe a new q program can be better focussed on sampling a sufficient number of-plants and classes of plants with the aim of assessing the effectiveness of regulations and regulatory practices that have guided the design, construction, location, and operation of these 1
- plants, j
LIMITATIONS We note that there must be recognition of important limitations in the implementation of the Safety Goal Policy. These limitations are essentially those of the PRA methodology used, and are caused by a fundamental inability to accurately predict and calculate precise values of risk. Variability in data, uncertainty about applica-bility of data, imperfect understanding of important physical phenomena, and inevitable incompleteness in analysis all contribute to this limitation. The NRC Staff must recognize the limitations of risk analysis and-limitations in the definition of the Safety Goals themselves.and must apply sufficient margins within its regulations and regulatory practices to accommodate these limitations. They have always had to make such judgments and allowances. The key point is that the.NRC Staff and the. industry will be better able to make balanced and consistent decisions about regulation, design, and plant operation with guidance provided by the Safety Goals and PRA than without. I The development of a Safety Goal Policy has been a long and diffi- -j cult, but an important and pioneering, effort. We believe an imple-1 mentation plan along the lines we have proposed will ensure that the. Policy is used effectively in regulation. Additional comments by ACRS Member David Okrent are presented below. Sincerely, i William Kerr Chairman 1
i The Honorable Lando W. Zech, Jr. May 13, 1987 Additional Comments by ACRS Member David Okrent 1. The general plan proposed by the ACRS for implementation of the Safety Goal Policy seems attractive at first sight. The ACRS recommends the use of safety goal criteria to judge the adequacy of regulations rather than to make regulatory judgments about specific plants. The ACRS does not believe that PRA is sufficiently developed to be used to make narrowly differentiated decisions about specific plants. One major problem with this approach, in my opinion, arises from the current USNRC backfitting rule, which says in 50.109 Part(3): The Commission shall require the backfitting of a facility only when it determines, based on the analysis described in paragraph (c) of this section, that there is a substantial increase in the overall protection of the public health and safety or the common defense and security to be derived from the backfit and that the direct and indirect costs of implementation for that facility are justified in view of this increased protection. A host of more easily specified backfits was hurriedly required in the United States after the accident at Three Mile Island, some with inadequate evaluation. However, the more difficult but often more significant issues have been deferred for years. These have now met up with a backlash against backfitting where I fear the pendulum has swung too far. France and the Federal Republic of Germany (FRG) have each maintained a disciplined program of backfitting, as well as promulgating safety improvements for nuclear plants to be built. France and the FRG have utilized PRA methodology in a way which resembles the ACRS proposal. Deterministic require-ments were developed, frequently with the aid of insights obtained from PRA, to deal with perceived vulnerabilities in the overall safety approach. Cost / benefit analysis was not ignored but does not appear to have had a dominant impact on the decision-making process in France and the FRG. I would have more hope for the proposed ACRS approach if the basic USNRC safety position was to achieve in timely fashion a reasonable assurance that the high level safety goals and quantitative design objectives were being approached or met, without undue emphasis on cost / benefit analysis and the test
r The Honorable Lando W. Zech, Jr. May 13, 1987 4 I for "a substantial increase in the overall protection" as has been practiced during the past few years. 2. I agree with the ACRS that an additional sampling of nuclear plants is needed in order to consider the adequacy of current regulations. In my opinion, draft NUREG-1150 not only is inadequate for this purpose, it is also misleading with regard to the present level of safety of LWRs in the United-._ States, and should not be used.by the.NRC to provide such. a perspec-tive. I have many reasons for' this opinion,.some. of which follow:
- External events are not included in draft NUREG-1150-(Reference 3).
- Many other potentially important contributors to risk, such as design and construction errors, aging and inade-quate qualification of equipment, certain aspects of human error, certain types of systems interactions, and the effect of poor management quality are also not included in draft NUREG-1150.
Some of the plants studied in draft NUREG-1150 had previ-1 ously received the benefit of safety improvements result-ing from one or two earlier PPAs on the same plant. This is not the case for the majority of operational LWRs. ' The PRAs in draft NUREG-1150 do not account adequately for the kinds of significant events which have occurred during the past two years or so at Surry,: Brunswick, Trojan, Davis Besse, Rancho Seco, and TVA, among others.
- The PRAs in draft NUREG-1150 report core melt frequencies much smaller than those estimated for many of the plants examined in connection with USI A-45.
Hence, not only is much additional sampling needed, but also some means must be developed for factoring into policy de-cisions the uncertainties and the significant gaps which exist in current PRAs,. and for providing confidence that nuclear plants are operating within an envelope establisned by the Safety Goals and the supplementary objectives. 3. In view of the uncertainties and imprecision in PRA results, I-disagree' with the ACRS position that, if the general perfor-mance guideline on large releases is to serve as a surrogate, it should represent a level of safety consistent with.the.
{ 4. ~The Honorable Lando W..Zech, Jr. - 9.- May 13, 1987 Safety Goals. First I should note I do not look upon the general performance guideline on the frequency of a large release as wholly or primarily a surrogate. Furthermore, I prefer that one seek some level of assurance via performance guidelines that successively higher level goals or objectives will be met. I question the suitability of the definition of a large. release which is currently proposed by the NRC Staff. If a complemen-tory cumulative distribution function of one or more early fatalities has a chance of 10E-6 per. reactor year, may not the chance of 100.early fatalities be uncomfortably high at sites with large nearby population densities? Also, does. such a proposed definition of a large release allow adequately for severe radioactive contamination of large land areas and for other relevant factors?
References:
1. Memorandum dated January 2, 1987 from Victor Stello, Jr., Executive Director for Operations, to the Commission,
Subject:
" Safety Goal Implementation-Status," with enclosures on Frame-work for Safety Goal Implementation, Implementation of _ Safety Goals in Decisionmaking for Changing Generic Requirements, and Central Issues Treated in the Safety. Goal Implementation Framework 2. U.S. Nuclear Regulatory. Commission Report, 10 CFR Part 50, " Safety Goals for the Operations of Nuclear Power Plants," Policy Statement, dated August 4, 1986 3. U.S. Nuclear Regulatory Commission Report, " Reactor Risk Reference Document," NUREG-1150, Volumes '1! to 3, Draft for Comment, dated February 1987. =}}