Text

.

J.

i i

MAY 21190 Dr. George Apostolakis Mechanical, Aerosopace and Nuclear Engineering Department School of Engineering and Applied Science University of California, Los Angeles l

Los Angeles, CA 90024

Dear Dr. Apostolakis:

1 As requested, enclosed for your information are several copies of the l

talk I gave at the symposium for Dave Okrent.

l l

Yours truly, j

/s/

Eric S. Beckjord, Director Office of Nuclear Regulatory Research

Enclosure:

As stated l

-l i

i l

i l

l I

I 0707110062 870707 i

PDR FOIA l

JORDANB7-371 PDR

]

I l

J l

l

)

j ACCIDENT MANAGEMENT.

4 Eric S. Beckjord, Director Office of Nuclear Regulatory Research i

U. S. Nuclear Regulatory. Commission l

Presented at the University of California Los Angeles at the Symposium for David Okrent

[These are personal views, and they do not represent NRC policy].

==

Introduction:==

I want to share my thoughts on the risk from th'e operation of nuclear power plants with you as we celebrate Dave Okrent's 65th birthday, i

Dave Okrent has focused our concern on the sources of risk from nuclear power i

-in a consistent and technically expert way for over twenty five years; much of our knowledge has been developed in the course of answering questions he has raised, and he himself has contributed mightily to our stock of knowledge.

At this Symposium, I will address a problem common to the current generation of operating LWRs in the US. These reactors were designed many years ago to i

accomodate, with safety margins, certain design basis accidents. Today we are i

evaluating performance of these plants-in beyond design basis accidents: Those i

with severe fuel damage which in the extreme threaten containment integrity.

The argument I put before you now is that the current plants incorporate a-margin of safety that deserves study and action: the capability of managing an a::cident to restore control of the plant and bring it to a safe condition. It is my intention in the next few years to explore this margin more carefully.

This will be the major new topic in the second phase of our severe accident research program.

I will not talk about advanced reactors today, although I believe it is possible now to design plants which greatly reduce, if not eliminate severe accident risks.

I The publication of two key documents-NUPEG 0956, on the source term from severe i

nuclear power reactor accidents, and DRAFT NUREG 1150, on the risk to public herith and safety from the operation of nuclear power plants-marks the completion of the first phase of the Severe Accident Research Program.

It is appropriate at this time to think about where we are and where we should 90.

l The Brookhaven panel of experts chaired by Herb Kouts provides important insights on the resolution of the major uncertainties in our estimation of.

risk. The major conclusion of this report is that the uncertainties are real and it will take many years of work to narrow them: money, and time, that is more important in this case.

Nevertheless, we now know a lot more about reactor source' terms and risk than we did ten years ago (after the publication of the Rasmussen Report).

We know that the radiological source term is highly dependent on the exact configuration of the plant and the nature of the accident sequence. There.is no single, representative source term, although it may be useful to categorize characteristic source terms as is attempted in NUREG 1150.

i 1

4 4

We know that risk is also sensitive to small differences between apparently identical plants, that can have large effects.

Internal accident initiators, such as station blackout appear to be a dominant sequence for most of the plants surveyed. External events such as earthquakes, fires, and floods, also 4

appear to be an important part of risk. This perception is tempered by the fact j

that many of the estimates of system reliability have been based os very pessimistic models, especially of the propagation of externally generated loads. Now that our programs on seismic effects are bearing fruit, we should look at the question of seismic risk more carefully.

j We know that there are large. uncertainties in our numerical estimates of risk.

Some of these uncertainties are related to the technical models and methods used to estimate the loads on plant systems such as the containment during an accident, and on the reliability of those systems under the loads. Some of these uncertainties are inherent in PRA methods; some are reducible in principle by further research.

We know from best estimates or mean values of risk that the plants surveyed up to now meet the societal risk aspects of the safety goal. Moreover, the large dry containments do so with significant margin. On the other hand, if we consider the range of uncertainty, the chance of early failure of several containment types in a severe accident appears to be too large for comfort.

These estimates are summarized in Figure 1 which displays the range of estimates for the plants surveyed in NUREG 1150. The individual crosses mark i

specific estimates; the rectangular box indicates the range of estimation.

It is possible that the ranges are pessimistic. But if it takes too long a time to find out what the real case is, it may be advisable to consider alternatives which would provide additional margins for severe accidents.

In general, the alternatives would include:

1. Strengthening the containment or mitigating releases so as to reduce the estimated release so that, with a high degree of certainty, the net release is less than a very low number, one representing little or no public risk.

Filter systems and other features have been discussed to accomplish this end.

2. Strengthening the lines of defense, most notably the engineered safety features, so as to reduce the likelihood that there will be substantial loads on the containment.

There are advantages to each alternative, and they are not mutually exclusive.

There are also problems. The task of research is to provide the knowledge that is pertinent and needed for regulatory decisions. As a result, the weight given by the regulators to the alternatives has a strong influence on the severe accident research program.

Ways of strengthening the containment in effect, or mitigating containment releases have been studied extensively. A key design problem was first pointed out in the Zion-Indian Point Study: some of the loads on the containment occur at high rates, and the peak load should be considered as well as the average in evaluating performance. Accommodating the peak loads is a requirement of the Swedish "FILTRA" system, installed at the Barseback Plant. There have been a number of discussions of a more modest filtered vent to be installed in a number of German and French PWRs where the containments are estimated to be 2

capable of withstanding the peak loads but not the long term. Of course, such filters will also need to take the peak loads.

Recently, the Long Island Lighting Co. has proposed a number of mitigation features to be installed at the Shoreham plant. The fact the proposal will soon be on the table means that we have to deal with the issues nos not in the future.

The filtered-vent concepts pose two problems: how much radioactive material can be vented, and what do you do after the accident? In the first case, the problem is to develop a convincing case that the released radioactivity represents a tolerable risk.

You may recall that there was significant i

discussion toward the end of the TMI-2 accident of the public risk from venting the gases (almost entirely noble gases) then in the containment. The NCRP found the venting at TMI-2 posed an insignificant risk.

In the second case, one will have to dispose of the filter. That filter would contain a small l

i fraction of the radioactive inventory of a core. Presumably it would be j

disposed of as high-level waste. The ad hoc solutions adopted at TMI-2 are a useful case study.

The NUREG 1150 contains an analysis of a number of mitigative features.

It is a fact that the designs of existing plants do not lend themselves to accommodating new hardware for dealing with accidents beyond the design basis.

l Thu:;, the options for installing mitigative features on exisitng plants are limited.

Because of the limited options for mitigation, and because of the need to cover deficiencies in a relying solely on mitigation, accident management appears to be a likely candidate as a cost-effective way of reducing the estimated risk to public health and safety.

Greater attention to accident management will turn the knowledge we now have of severe accidents to the improvement of reactor l

safety, which everyone will agree is a primary goal.

l There are many cases where the plant's control and safety system were used in unforeseen fashion to regain control of a plant in the throes of a severe accident. Major events where this was the case were the fire at Browns Ferry Unit I and the TMI-2 accident. In different fashion, the Soviets used effective ad hoc emergency procedures to control the release of radiation at Chernobyl.

These cases demonstrate that accidents need not progress inexorably to the extreme. The research problem is to determine how to acquire and codify the l

knowledge to make accident management much more effective. The usual PRA J

practice is to assume that humans err, and not to take credit for favorable actions. Introducing accident management is a turn away from this assumption.

j l

The potential for recovering control is emphasized by the time available before l

a major threat to containment materializes. In Figure 2 I show a plot of the time to the onset of major damage to the reactor vessel after the start of a typical high pressure severe accident sequence such as station black out. Note that about 21 hours2.430556e-4 days <br />0.00583 hours <br />3.472222e-5 weeks <br />7.9905e-6 months <br /> after the accident starts the wall temperatures in the primary system have yet to rise appreciably; if, by that time the pressure has been reduced, and, even better, cooling restored, then further threats are much reduced because the direct threat to the containment has been removed, thereby greatly reducing the risk of a large early release, though it is still necessary to dcol with hydrogen and contair. ment heat removal, a

3 l

1

)

Two examples of efforts just completed by the NRC Research Office show how accident management can work. One example is work on emergency operating procedures (NUREG/CR 4617) performed by Idaho National Engineering Laboratory that indicates that function oriented procedures can be developed that are i

effective and readily deployed to actual operating crews. The data gathered show that such emergency operating procedures enabled the crews to-regain plant I

control (both in simulated and actual circumstances) in less time, with smaller 1

crews. A key ingredient was an administrative procedure that addressed assignments and responsibilities of control room personnel; the operators considered this to be a constructive action.

The other example is a series of studies under-the Severe Accident Sequence Analysis (SASA) program that analyzed risk-dominant sequences for several i

plants to develop insignts into when, where, and how the operating crew could 1

intervene to regain control of the plant. These studies are, of course, event i

oriented instead of function oriented. But they did show the kinds of I

capability that exist to provide adequate substitutes for safety functions that 1

are disabled in the course of an eccident.

It is likely that there is no universal set of accident management procedures.

More likely I expect to see guidelines that enable licensees to develop effective procedures for individual plants. The work at INEL indicates some of the major concerns. The resources available to the operators are developed l

through SASA-type studies. Reliability of key engineereo safety function j

systems is obviously of great importance to Accident Management. Equipment j

reliability includes the availability of power to operate the equipment; this contributes to our concern over station blackout And, accident management requires the availability of some key safety systems for depressurization, injection of water, etc.

The new program in accident prevention thus requires the following major projects:

1) Assessment of management policies, to determine what policies and i

practices top management should establish to provice an effective environment for accident prevention. It is appropriate for industry to take the lead in such an effort.

2) Human factors studies to determine how to maximize the operating crew's capability and chance to restore safety functions and gain control of the plant.

3) Accident analyses to develop and codify knowledge of the effective means of restoring safety functions under severe accident conditions.

4) Accident phenomenology studies to assess whether indicated remedial actions can do more harm than good.

5) Improved risk assessment methods that incorporate the effects of using accident management procedures.

The first two of these studies are new, not yet under way. The last three studies are going on now, in one way or another. It is my intention to focus these latter efforts on accident management and prevention.

4

It is my judgment that the entire nuclear power safety community has a stake in this work, and I do not propose that NRC take the entire burden. I intend to seek out the cooperation of others; but I am convinced that the interest of public health and safety requires a lead role for the NRC.

International cooperation is clearly important: major efforts in the development of accident management techniques are under ny in France, Germany, and Swederr, to name just three places with current programs. There will be synergism in these efforts, and we can benefit each other.

While accident management can improve safety using the knowledge we now have, it still can be applied only to those event sequences we understand; if we have missed some important sequence, we can not take positive action to prevent it.

It does not appear likely that we have missed risk-dominant sequences. Our goc 1 in accident prevention is to reduce the risk from the dominant sequences to a point where such sequences contribute roughly the average amount of risk l

contributed by other sequences. At that point we reach a point of diminishing returns.

Requirements for further action on accident management will depend on the certainty in the estimated residual risk. If the risk is too high, across the board measures are needed. If the risk, including the effects of uncertainty, is low enough, we will have succeeded. To come to such a point we need to reduce the current uncertainties.

The concern over accident management, damage limitation, and restoration of control is by no means confined to the nuclear power industry. Recently the Office of Environment and Scientific Affairs of the World Bank has solicited broad support from private industrial organizations, in the nuclear industry and espeically in the petrochemical industry, to support a coherent effort at preventing major industrial accidents. The World Bank believes that it is necessary to have an upper level management that strongly supports, and provides leadership to a concerted effort to install procedures, equipment, and manpower to prevent accidents.

I completely agree with tiieir view.

Summary:

In 1980, in the aftermath of THI-2, many suggested that the estimate of risk from nuclear power should be much lower than suggested in WASH 1400 because of certain " inherent" factors, particularly the solubility of Cs1 in water. Very detailed experiments and analyses performed since that time have revealed a very complex picture that does not lend itself to easy generalization. There remain many perplexing physical problems that can only be resolved by a steady program of research. To cope with the current uncertainty I now propose to use some of the technology developed in the last few years to greatly enhance the capability of plant management and operators to regain control of a plant during a severe accident and limit the loads on containment so as to preserve the final line of defense that a P ures public safety.

i 5

f h

l g

u reu G

no e

L h d

a a1-i r n

r t

a u

ot r

l h

Ne G

l i

r a

eg M

F n uo m

iL r t

h +

+ i

+_ j :.!"

_j:.!

o ht t

n t t t

il o

e We B

M m_,

h f

c n

+* l [ =i n

+

+ ;_ j : = * + a j

i a

e P

t n

h o

a 1

y C

7 t n g1an" u e

o r

_ i -

4 u

_E g

y q

i F

e l

r S

a E

n t

+

+

t_;=E o

cg i

y e n Z

t r

i t

c t

i eg Da i

l in e

r i

oH b

Di t N

a a

h e

++t+

+.

e! '

. l -

b iH t

l y

o W

r r

u r

P

+ ?-

• + 4 + 11 : ;;i -i g;;;n' S 0

0 0

0 0

0 0

0 0

0 O

0 9

8 7

6 5

4 3

2 1

0' O

O 0

0 0

0 0

0 1

s s e o r,m r

ua Gl m

i daePo t

D l

ae e mssm iei y

t sVT tp E

i',

m e

5,i;-*;

E r

u r

e l

e i

r a

z lu F ir i

n ale o

u s,h.

F i

s s

ee s

t e

s c

rr e

n e

n e

uu r

V o

n l t P

i L

i n

a i

t a

s c

o Pr e

s e

e._

C e

2 g o n

g lep n

e r

r r

u G o

e bm u S C

L s e i

g sT e

le o

o i

g r

r t

F o

o s

H t

e le P

f s

gb e

t n

e V

a i

L t

t e

le a

a n

b t

i oi g

L e

H s

b e

e u

s L

o g

T t

r P

o u

G H

S S

e 0

0 0

0 0

0 0

0 0

0 0

0 6

4 2

0 8

6 1

1 1

1 gv22oueoE b33

_