ML20216E159

Discusses to Former Chairman Jackson Re Role of Defense in Depth in Risk-Informed Regulatory Sys. Commends Committee for Thoughtful & Useful Rept on Historical Role on Defense in Depth & Need to Reshape Role on Key Issues
ML20216E159
Person / Time
Issue date: 07/16/1999
From: Dicus G, The Chairman
NRC COMMISSION (OCM)
To: Powers D
Advisory Committee on Reactor Safeguards
References
NUDOCS 9908020083


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

July 16, 1999

CHAIRMAN

Dr. Dana W. Powers, Chairman
Advisory Committee on Reactor Safeguards
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001

Dear Dr. Powers:

Your letter to former Chairman Shirley Ann Jackson dated May 19, 1999, discussed the role of defense in depth in a risk-informed regulatory system. The letter provided the ACRS' perspectives on the historical role of defense in depth and the need to reshape this role as probabilistic risk analysis is utilized more frequently in NRC's regulatory processes. I commend the Committee for a thoughtful and useful report on this subject that focused on the key issues associated with the integration of defense in depth into a risk-informed regulatory system.

The Committee's perspectives on defense-in-depth measures and the need for associated, more quantitative, acceptance values are particularly germane to important ongoing staff activities. The staff's work to risk-inform 10 CFR Part 50, to modify the Commission's Safety Goal Policy Statement, and to update Regulatory Guide 1.174 will benefit from these perspectives. Your insights will be factored into these efforts, and future interactions between the staff and the Committee on these activities will provide an opportunity for further dialog on their practical application.

I encourage the Committee to continue to identify and address such long term, important issues.

Sincerely,

Greta Joy Dicus


Originating Office: EDO Ref: CR-99-128 GJD - Approved Commission Correspondence NJD - Approved EXM - Approved /cmt JSM - Approved / edits OFC SECY OCM/GJD Jbpaker 2 /1 NAME DATE 7/16/99

OFFICIAL RECORD COPY

UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D.C. 20555

May 19, 1999

The Honorable Shirley Ann Jackson
Chairman
U. S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001

Dear Chairman Jackson:

SUBJECT: THE ROLE OF DEFENSE IN DEPTH IN A RISK-INFORMED REGULATORY SYSTEM

During the 462nd and 461st meetings of the Advisory Committee on Reactor Safeguards, May 5-8 and April 7-10, 1999, we discussed issues identified in the Staff Requirements Memorandum dated March 5, 1999, concerning the appropriate relationship and balance between probabilistic risk assessment (PRA) and defense in depth in the context of risk-informed regulation. We previously discussed this matter with the Commission during our meeting on February 3, 1999.

We are attempting to identify pitfalls that may exist along the path the Commission is taking toward risk-informed regulation so they may be addressed in a timely manner. We have communicated previously on the need for plant-specific safety goals that are practical for licensees to evaluate, the need for risk assessments for all modes of plant operation, and the need for research to support further use of risk information in regulatory activities. Several ACRS members, working with an ACRS Senior Fellow, have produced the attached paper in which two views of defense in depth are discussed along with a preliminary proposal regarding its role. Here, we further discuss the role that defense in depth should have in a risk-informed regulatory scheme.

Our motivation for this report has arisen because of instances in which seemingly arbitrary appeals to defense in depth have been used to avoid making changes in regulations or regulatory practices that seemed appropriate in the light of results of quantitative risk analyses. Certainly, we have seen defense in depth used as a basis for delaying changes in the existing regulatory practices:

• there has been reluctance to develop new, risk-informed limits on leakage from steam generator tubes because these are part of the defense-in-depth barriers,

• the development of extensions of the Regulatory Guide 1.174 process to define criteria for risk-informed revisions to 10 CFR 50.59 has been delayed because of defense in depth issues,

• the development of graded quality assurance measures has been overly conservative because of concerns about the imputed importance of quality assurance to defense in depth, and

• the development of regulatory requirements on software-based digital instrumentation and control systems was delayed because of concerns related to defense in depth.

We are concerned that arbitrary appeals to defense in depth could inhibit the effective use of risk information in the regulatory process. At the same time, we are mindful that risk analyses are not perfect. Defense in depth can be an effective means for compensating for any weaknesses in our ability to understand the risks posed by nuclear power plants.

As discussed in the attached paper, the defense-in-depth approach to safety arose in an earlier time when there was less capability to analyze a nuclear power plant as an integrated system. Subsystems were designed such that the necessity and sufficiency of defense in depth could be determined from experience and through exercising engineering judgment. Defense in depth was a design and operational philosophy that called for multiple layers of protection to prevent and mitigate accidents. Its practical implementation was most often associated with control of initiating event frequencies, redundancy and diversity in key safety functions, multiple physical barriers to fission-product release, and emergency response measures. This philosophy has been invoked primarily to compensate for uncertainty in our knowledge of the progression of accidents at nuclear power plants.

Improved capability to analyze nuclear power plants as integrated systems is leading us to reconsider the role of defense in depth. Defense in depth can still provide needed safety assurance in areas not treated or poorly treated by modern analyses or when results of the analyses are quite uncertain. To avoid conflict between the useful elements of defense in depth and the benefits that can be derived from quantitative risk assessment methods, constraints of necessity and sufficiency must be imposed on the application of defense in depth and these must somehow be related to the uncertainties associated with our ability to assess the risk.

We believe that two different perceptions of defense in depth are prominent. In one view (the "structuralist" view as described in the attached paper), defense in depth is considered to be the application of multiple and redundant measures to identify, prevent, or mitigate accidents to such a degree that the design meets the safety objectives. This is the general view taken by the plant designers. The other view (the "rationalist"), sees the proper role of defense in depth in a risk-informed regulatory scheme as compensation for inadequacies, incompleteness, and omissions of risk analyses. We choose here to refer to the inadequacies, incompleteness, and omissions collectively as uncertainties. Defense-in-depth measures are those that are applied to the design or operation of a plant in order to reduce the uncertainties in the determination of the overall regulatory objectives to acceptable levels. Ideally then, there would be an inverse correlation between the uncertainty in the results of risk assessments and the extent to which defense in depth is applied. For those uncertainties that can be directly evaluated, this inverse correlation between defense in depth and the uncertainty should be manifest in a sophisticated PRA uncertainty analysis.

When defense in depth is applied, a justification is needed that is as quantitative as possible of both the necessity and sufficiency of the defense-in-depth measures. Unless defense-in-depth measures are justified in terms of necessity and sufficiency, the full benefits of risk-informed regulation cannot be realized.

The use of quantitative risk-assessment methods and the proper imposition of defense-in-depth measures would be facilitated considerably by the availability of risk-acceptance criteria applicable at a greater level of detail than those we now have. Development of the additional risk-acceptance criteria would have to take into consideration safety objectives embodied in the existing regulations.

For example, risk-acceptance criteria are needed to meet the Commission's safety objectives with respect to worker health and environmental contamination and to meet additional public health and safety objectives [e.g., total fatalities, land interdiction]. All of these may not be currently reflected in conventional risk assessments.

We believe that a key missing ingredient needed to place quantitative limits on defense-in-depth measures is acceptance values on the level of uncertainty for each safety objective. Setting such acceptance values is a policy role, very much like setting safety goal values. The uncertainties that are intended to be compensated for by defense in depth include all uncertainties (epistemic and aleatory). Not all of these are directly assessed in a normal PRA uncertainty analysis. Therefore, when acceptance values are placed on uncertainty, these would have to appropriately incorporate consideration of the additional uncertainties not subject to direct quantification by the PRA. These considerations would have to be determined by judgment and expert opinion. As a practical matter, we suggest that the acceptance values be placed on only those epistemic uncertainties quantifiable by the PRA but that these be set sufficiently low to accommodate the unquantified aleatory uncertainties.

When acceptance values have been chosen as policy for the regulatory objectives and their associated uncertainties, it would be possible to develop objective limits on the amount of defense in depth required for those design and operational elements that are subject to evaluation by PRA. To do this, it is necessary to incorporate the effects of the defense-in-depth measures into the PRA uncertainty analysis and the designer or regulator must be able to adjust the defense in depth until the acceptance levels for the regulatory objectives and the acceptance values for the associated uncertainties have both been achieved.

The balance between core damage frequency (CDF) and conditional containment failure probability (CCFP) can serve as an example of this defense-in-depth concept. We have previously recommended that CDF be elevated to a fundamental safety goal. Let us suppose, for example sake, that our acceptance value on this is 10d per reactor year. If that is the value actually achieved by the design, then a CCFP of about 0.5 has been shown (NUREG-1150) to be generally sufficient to meet the safety goal regulatory objective of individual risk of prompt fatality (which can be adequately represented by an acceptance value of 104 per reactor year on large, early release frequency (LERF) as noted in Regulatory Guide 1.174). Does this CCFP provide sufficient defense in depth?

In our view, three acceptance criteria must be satisfied - one each on CDF, LERF, and the epistemic uncertainty associated with LERF. The Safety Goal Policy Statement suggests candidate acceptance values on CDF and LERF. In addition to these, we must establish the acceptance value on the uncertainty associated with LERF. For the particular value of LERF achieved, let's say that the acceptance value has been set by policy to be on the epistemic uncertainty that can be directly developed from the PRA [but which properly reflects the unquantified aleatory uncertainties]. Now suppose our PRA uncertainty analysis tells us that the quantified uncertainty for this design is greater than the acceptance value. Employing our concept, the design with the 0.5 CCFP does not have sufficient defense in depth. The design must, then, include provisions for more defense in depth (e.g., a better containment perhaps) or reduction of the LERF to values for which the achieved uncertainty is acceptable. The acceptance value on uncertainty for any given regulatory objective could be a function of the absolute value achieved for the regulatory objective. That is, as the achieved mean value for LERF gets further below the acceptance value, the acceptable level of uncertainty on its determination can be greater.

We believe this concept of defense in depth can provide a rational way to develop sufficiency limits wherever the defense-in-depth measures can be directly evaluated by PRA. We acknowledge, however, that considerable judgment will have to be exercised to set limits on uncertainty, especially uncertainties not quantified by the PRA. Our preceding example suggests one approach to managing these uncertainties.

For those regulatory functions that are not well suited for PRA or where the current capabilities of PRAs are not sufficient, we suggest that the limits on application of defense in depth be placed at levels lower than the top-level safety objectives (see Figure 1 of attached paper). We emphasize that, even under these circumstances, the PRA can still dictate when defense in depth is needed.

Let us illustrate how we envision defense in depth to be applied under these circumstances with an example. Fire is one of the initiating events of interest. PRAs quantify the occurrence of fires in nuclear power plants and, among other things, their impact on control and power cables. The plant response to the loss of the relevant systems (due to the loss of these cables) is also analyzed. The frequency of fires in specific critical locations, that is, locations in which cables of redundant systems may be damaged, is estimated in the PRA using experience-based rates of occurrence of fires, multiplied by subjective estimates of the fraction of fires that are large enough to have the potential to cause damage and the fraction of those fires that occur in the specified critical locations. This is a highly subjective part of the risk assessment (therefore, highly uncertain). It is, therefore, a suitable area to invoke defense in depth and to impose prescriptive requirements regarding the prevention of fires in those critical locations (e.g., strict administrative controls and periodic inspections). Thus, the relative inadequacy of the PRA model suggests how defense in depth should be applied at levels lower than the top-level safety objectives.

We further realize that the fire risk assessment does not include the damaging effects of the smoke generated by a fire. This is a case of omission of a potentially significant effect. Therefore, we would, again, resort to defense in depth and may demand barriers to limit the spread of smoke and to protect sensitive equipment.

Since the impact on the risk metrics of these lower-level defense-in-depth measures cannot be quantified, nor can the uncertainties, the necessity and sufficiency of the defense-in-depth measures will have to be simply prescribed and that prescription would constitute the acceptance criteria.

We note that our first example dealing with CDF and CCFP addresses the top level of Figure 1 of the attached paper. If one adopts the structuralist viewpoint at that level, as the paper's preliminary proposal suggests, then the tradeoffs of our example between CDF and CCFP will have to be performed under the assumption that at least some level of defense in depth will be required. If, on the other hand, one adopts the rationalist view even at that level, it is conceivable that the LERF objectives could be satisfied without a containment. Our second example dealing with fires exemplified the rationalist view at lower levels, as the preliminary proposal recommends.

We acknowledge that these preliminary thoughts on the role of defense in depth in a risk-informed regulatory system identify a direction but fall short of closing the issue. We recommend that the Commission give further consideration to this matter.

Sincerely,

Dana A. Powers
Chairman

References:

1. U. S. Nuclear Regulatory Commission, Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-informed Decisions on Plant-Specific Changes to the Licensing Basis," July 1998.

2. U. S. Nuclear Regulatory Commission, NUREG-1150, Vols. 1-3, "Severe Accident Risks: An Assessment for Five U. S. Nuclear Power Plants," December 1990.

3. Report dated August 15, 1996, from T. S. Kress, Chairman, ACRS, to Shirley A. Jackson, Chairman, NRC, Subject: Risk-informed, Performance-Based Regulation and Related Matters.

4. Memorandum dated March 5, 1999, from Annette Vietti-Cook, Secretary of the NRC, to John T. Larkins, Executive Director, ACRS, Subject: Staff Requirements - Meeting with the Advisory Committee on Reactor Safeguards, February 3, 1999.

Attachment:

U. S. Nuclear Regulatory Commission, Advisory Committee on Reactor Safeguards, J. N. Sorensen, G. E. Apostolakis, T. S. Kress, D. A. Powers, "On the Role of Defense in Depth in Risk-Informed Regulation," to be presented at PSA 1999, August 22-25, 1999.

ON THE ROLE OF DEFENSE IN DEPTH IN RISK-INFORMED REGULATION

To be presented at PSA '99
Washington, D.C.
August 22-25, 1999

J. N. Sorensen, Senior Fellow
G. E. Apostolakis, Member
T. S. Kress, Member
D. A. Powers, Member

Advisory Committee on Reactor Safeguards
U. S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001

ABSTRACT

The nascent implementation of risk informed regulation in the United States suggests a need for reexamination of the Nuclear Regulatory Commission's (NRC) defense in depth philosophy and its impact on the design, operation, and regulation of nuclear power plants. This reexamination is motivated by two opposing concerns: (1) that the benefits of risk informed regulation might be diminished by arbitrary appeals to defense in depth, and (2) that the implementation of risk informed regulation could undermine the defense in depth philosophy. From either perspective, two questions are suggested: (1) How is defense in depth defined? (2) How should the implementation of risk informed regulation alter our view of defense in depth? A preliminary proposal for the role of defense in depth in a risk-informed regulatory system is presented.

HISTORICAL DEVELOPMENT

Defense in depth is a nuclear industry safety strategy that began to develop in the 1950s. A review of the history of the term indicates that there is no official or preferred definition. Where the term is used, if a definition is needed, one is created consistent with the intended use of the term. Such definitions are often made by example.

In a 1967 statement [1] submitted to the Joint Committee on Atomic Energy by Clifford Beck, then Deputy Director of Regulation for the Atomic Energy Commission, three basic lines of defense for nuclear power reactor facilities were described. The first line was the prevention of accident initiators through superior quality of design, construction and operation. The second line was engineered safety systems designed to prevent mishaps from escalating into major accidents. The third line was consequence-limiting safety systems designed to confine or minimize the escape of fission products to the environment.

A 1969 paper [2] by an internal study group of the Atomic Energy Commission identified the issue of balance among accident prevention, protection, and mitigation, with the conclusion that the greatest emphasis should be put on prevention, the first line of defense.

A 1994 NRC document [3] identifies the elements of the defense in depth safety strategy as accident prevention, safety systems, containment, accident management, and siting and emergency plans. Other interpretations of defense in depth can be found in INSAG-3 [4] and INSAG-10 [5].

The historical record indicates an evolution of the term from a narrow application to the multiple barrier concept to an expansive application as an overall safety strategy. The term has increased in scope and gained stature over time. The history also indicates that defense in depth is considered to be a concept, an approach, a principle or a philosophy, as opposed to being a regulatory requirement per se.

Currently the term is commonly used in two different senses. The first is to denote the philosophy of high level lines of defense, such as prevent accident initiators from occurring, terminate accident sequences quickly, and mitigate accidents that are not successfully terminated. The second is to denote the multiple physical barrier approach, most often exemplified by the fuel cladding, primary system, and containment.

One of the essential properties of defense in depth is the concept of successive barriers or levels. This concept applies equally well to multiple physical barriers and to high level lines of defense. A closely related attribute would be requiring a reasonable balance among prevention, protection and mitigation.

EMERGING REGULATORY PRACTICE

The most recent NRC policy statement that deals with defense in depth is the Probabilistic Risk Assessment (PRA) Policy statement [6] published in 1995, which states, in part:

"The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy."

The policy statement, thus, places PRA in a subsidiary role to defense in depth.

In 1998, the NRC published Regulatory Guide 1.174. [7] This guide establishes an approach to risk-informed decision making, acceptable to the NRC staff, which includes the provision that proposed changes to the current licensing basis must be consistent with the defense in depth philosophy. The RG 1.174 discussion states that, "The defense in depth philosophy... has been and continues to be an effective way to account for uncertainties in equipment and human performance." The discussion goes on to say that PRA can be used to help determine the appropriate extent of defense in depth, which, by example, is equated to balance among core damage prevention, containment failure prevention and consequence mitigation. The regulatory guide thus addresses the concern of preventing risk-informed regulation from undermining defense in depth. Defense in depth is primary, with PRA available to measure how well it has been achieved.

STRUCTURALIST MODEL

We have identified two different schools of thought (models) on the scope and nature of defense in depth. These models came to be labeled "structuralist" and "rationalist."

The structuralist model asserts that defense in depth is embodied in the structure of the regulations and in the design of the facilities built to comply with those regulations. The requirements for defense in depth are derived by repeated application of the question, "What if this barrier or safety feature fails?" The results of that process are documented in the regulations themselves, specifically in Title 10, Code of Federal Regulations. In this model, the necessary and sufficient conditions are those that can be derived from Title 10. It is also a characteristic of this model that balance must be preserved among the high-level lines of defense, e.g., preventing accident initiators, terminating accident sequences quickly, and mitigating accidents that are not successfully terminated. One result is that certain provisions for safety, for example reactor containment and emergency planning, must be made regardless of our assessment of the probability that they may be required. Accident prevention alone is not relied upon to achieve an adequate level of protection.

There does not appear to be any question that the implementation of defense in depth up to the present time reflects the structuralist model. While this philosophy has served the industry well from the safety perspective, it is now realized that, in some instances, it has led to excessive regulatory burden. Furthermore, the lack of an integrated view of the reactor systems has resulted in some significant accident sequences not being identified until PRA was developed, e.g., the interfacing-systems LOCA sequence.

The next issue, then, becomes how should the insights from PRA be integrated into this structure to reduce unnecessary burden and make it more rational? In the structuralist model, defense in depth is primary, with PRA available to measure how well it has been achieved.

THE RATIONALIST MODEL

The rationalist model asserts that defense in depth is the aggregate of provisions made to compensate for uncertainty and incompleteness in our knowledge of accident initiation and progression. This model is made practical by the development of the ability to quantify risk and estimate uncertainty using probabilistic risk assessment techniques. The process envisioned by the rationalist is: (1) establish quantitative acceptance criteria, such as the quantitative health objectives, core damage frequency and large early release frequency, (2) analyze the system using PRA methods to establish that the acceptance criteria are met, and (3) evaluate the uncertainties in the analysis, especially those due to model incompleteness, and determine what steps should be taken to compensate for those uncertainties. In this model, the purpose of defense in depth is to increase the degree of confidence in the results of the PRA or other analyses supporting the conclusion that adequate safety has been achieved.

The underlying philosophy here is that the probability of accidents must be acceptably low. Provisions made to achieve sufficiently low accident probabilities are defense in depth. It should be noted that defense in depth may be manifested in safety goals and acceptance criteria which are input to the design process. In choosing goals for core damage frequency and conditional containment failure probability, for example, a judgement is made on the balance between prevention and mitigation.

What distinguishes the rationalist model from the structural model is the degree to which it depends on establishing quantitative acceptance criteria, and then carrying formal analyses, including analysis of uncertainties, as far as the analytical methodology permits. The exercise of engineering judgement, to determine the kind and extent of defense in depth measures, occurs after the capabilities of the analyses have been exhausted.

A PRELIMINARY PROPOSAL

The structuralist and rationalist models are not generally in conflict. Both can be construed as a means of dealing with uncertainty. Neither incorporates any reliable means of determining when the degree of defense in depth achieved is sufficient. In the final analysis, they both depend on knowledgeable people discussing the risks and uncertainties and ultimately agreeing on the provisions that must be made in the name of defense in depth. The fundamental difference is that the structural model accepts defense in depth as the fundamental value, while the rationalist model would place defense in depth in a subsidiary role.

The remaining question is which model provides the better basis for moving forward with risk-informed regulation. How can capricious imposition of defense-in-depth be prevented from undermining the focus that can be provided by risk-informed methods of regulation? PRA methods have identified gaps in the regulations and in the safety profiles of individual plants. They have also identified regulations and plant systems that do not make a significant contribution to safety. Typically, however, regulatory reactions to findings that regulations or plant systems are superfluous to safety have been less aggressive than reactions to apparent safety deficiencies.

Two options can be identified:

(1) Recommend defense in depth as a supplement to risk analysis (the rationalist view)

(2) Recommend a high-level structural view and a low-level rationalist view.

Option (1) requires a significant change in the regulatory structure. The place of defense in depth in the regulatory hierarchy would have to change. The PRA policy statement could no longer relegate PRA to a position of supporting defense in depth. Defense in depth would become an element of the overall safety analysis.

Option (2) is to a large degree compatible with the current regulatory structure. The structuralist model of defense in depth would be retained as the high-level safety philosophy, but the rationalist model would be used at lower levels in the safety hierarchy. An example is shown in Figure 1.

The PRA uncertainties increase as we move from the initiating events to risk (from left to right). The structuralist view dictates that intermediate goals be set, such as core damage frequency (CDF), large early release frequency (LERF) or conditional containment failure probability (CCFP), or frequency-consequence (F-C) curves. This would satisfy the requirement of balance between prevention and mitigation. We note that the actual numerical value chosen for core damage frequency can express a preference for prevention, and such a preference is unrelated to defense in depth. One could proceed and set goals at the "cornerstone" level, i.e., one level below. This could include goals on initiating-event frequencies, safety-function or safety-system unavailabilities, and so on. How far down one would go would be a policy issue. The structuralist view would not be applied at lower levels.

The rationalist model would be applied at levels lower than the cornerstones of Figure 1. Defense in depth would be used only to address uncertainties in PRA at the lower levels, thus becoming an element of the overall safety analysis. For events or processes that are not modeled in PRA, defense in depth would play its traditional role. Such is the case with the impact of smoke from fires on plant safety. Current fire risk assessments do not account for the effects of smoke, therefore, prescriptive defense-in-depth based measures would be taken to limit this impact.

We view Option (2) as a pragmatic approach to reconciling defense in depth with risk-informed regulation. There can be little doubt, however, that the rationalist model, Option (1), will ultimately provide the strongest theoretical foundation for risk-informed regulation. When more experience has been gained with the application of PRA in the design and regulation of nuclear power plants, when PRA models can adequately treat most of the phenomena of interest, the role of defense in depth can and should be changed to one of supporting the risk analyses. This transition will need to be supported by the development of subsidiary principles from which necessary and sufficient conditions could be derived.

The views expressed in this paper are the authors' and do not necessarily represent the views of the Advisory Committee on Reactor Safeguards

REFERENCES

1. C. Beck, "Basic Goals of Regulatory Review: Major Considerations Affecting Reactor Licensing," Statement submitted to the Joint Committee on Atomic Energy, Congress of the United States, Hearings on Licensing and Regulation of Nuclear Reactors, April 4, 5, 6, 20, and May 3, 1967.

2. Internal Study Group, "Report to the Atomic Energy Commission on the Reactor Licensing Program," submitted to the Joint Committee on Atomic Energy, Congress of the United States, Hearings on AEC Licensing Procedure and Related Legislation, June 1969.

3. F. E. Haskin, and A. L. Camp, "Perspectives on Reactor Safety," NUREG/CR-6042, Nuclear Regulatory Commission, Washington, DC, March 1994.

4. International Nuclear Safety Advisory Group, "Basic Safety Principles for Nuclear Power Plants," Safety Series No. 75-INSAG-3, International Atomic Energy Agency, Vienna, Austria, 1988

5. International Nuclear Safety Advisory Group, "Defense in Depth in Nuclear Safety," INSAG-10, International Atomic Energy Agency, Vienna, Austria, 1996

6. U. S. Nuclear Regulatory Commission, "Use of Probabilistic Risk Assessment in Nuclear Regulatory Activities; Final Policy Statement," Federal Register, 60 FR 42622

7. U. S. Nuclear Regulatory Commission, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," Regulatory Guide 1.174, June 1998

[Figure 1]