ML20236X529

Draft New Regulatory Oversight Process, Toward Risk-Informed, Performance-Based Assessment, I&E
Issue date: 07/27/1998
From: NRC
To:
Shared Package: ML20236X251
References: NUDOCS 9808100069


Text

DRAFT 7/27/98

A NEW REGULATORY OVERSIGHT PROCESS

Toward Risk-Informed, Performance-Based Assessment, Inspection and Enforcement

TABLE OF CONTENTS

Section
I. Introduction
II. Toward a New Paradigm of Regulatory Oversight
III. Risk-Informed, Performance-Based Oversight
IV. Framework for Risk-Informed, Performance-Based Regulatory Oversight Program
V. Implementation

I. INTRODUCTION

The purpose of this paper is to describe a new approach to regulatory oversight of the commercial nuclear power industry which is risk informed and performance-based. While these concepts can, and have been, used in rulemaking and licensing activities, this paper focuses on the regulatory oversight activities of Assessment, Inspection, and Enforcement. The paper provides a discussion of the current regulatory oversight process, why the time is ripe for a new paradigm, what is meant by "risk informed, performance-based," how a new regulatory oversight process would work, and what the licensee and NRC roles and responsibilities would be.

Section II addresses the past and current process, and why the time is ripe for a paradigm shift toward the concepts of risk informed, performance-based oversight.

Section III defines the concepts of risk-informed, and performance based regulatory oversight, their rationale, their relationship to one another, and how they relate to traditional regulatory oversight.

Section IV discusses the safety framework of the new regulatory oversight process. The objectives of the process are stated; the key success attributes are described; safety expectations and levels are defined; and the specific performance indicators and action thresholds are discussed.

Section V describes the implementation of the new risk informed, performance-based regulatory oversight process. The roles and responsibilities of nuclear power plant licensees and the Nuclear Regulatory Commission are described, as well as reporting requirements.

II. TOWARD A NEW PARADIGM OF REGULATORY OVERSIGHT

A. Deterministic Regulatory Oversight Criteria

Since the advent of commercial nuclear energy in the early 1960s, regulation of the design and operation of nuclear energy plants has been based on various deterministic criteria. To obtain and maintain an operating license, a licensee must assure that its plant can be placed in a safe condition following a number of postulated design basis accidents. Given the minimal test data and operating experience that existed when these criteria were established, both the postulated accidents and the analytical methods used to evaluate a plant's response were intentionally conservative. These deterministic criteria also provided the basis for identifying what plant structures, systems, components (SSCs) and activities were important from a safety perspective. Requirements were then established to regulate these "safety related" SSCs and activities.

The implementation of regulations based on the deterministic framework has traditionally been accomplished through a detailed programmatic and prescriptive regulatory approach. This approach focuses on the process of how regulations are implemented, relies on licensee commitments to prescribed implementation methods (or programs), and uses inspection and enforcement to ensure compliance with specific processes and commitments, rather than on the safety intent or objective of the regulations themselves. The determination of compliance depends heavily on a review of records documenting the methods used by the licensee to implement the regulatory requirements. In short, the focus has been on the inputs to the program, and not on the outputs or safety results actually achieved.

In retrospect, the traditional regulatory framework, based on deterministic criteria to identify what is important to safety, and implemented through prescriptive regulations and regulatory guidance, has served its purpose in assuring the protection of public health and safety. It is widely acknowledged, and demonstrated by both NRC and industry performance indicators, that high levels of safety and reliability have been sustained by the U.S. operating plants.

Since 1984, however, when the NRC initiated a program to eliminate requirements marginal to safety, it was recognized that some of the regulatory requirements and guidance that had been issued were imposing burdens that were not commensurate with their safety benefits.

Initiatives by both the industry and the NRC have begun to improve the safety focus of regulations. These initiatives have identified areas where regulations or regulatory guidance are out of date, where operating experience or improved technology provide a better understanding of a source of risk, and where areas of marginal safety significance can be found that are highly resource intensive. In the course of these initiatives, it has been recognized that the traditional regulatory framework, deterministically-based and implemented prescriptively, can often lead to circumstances where NRC and industry resources are expended on matters that have little to do with the safe and reliable operation of a plant.

Two regulatory initiatives have contributed toward an improved focus on safety and risk insights. First, in response to NRC Generic Letter 88-20, U.S. commercial nuclear energy plants committed to producing plant-specific probabilistic safety assessments (PSAs). Increasingly, the insights from PSAs have been incorporated into the regulatory process as these studies advanced to their level one (core damage frequency) and level two (containment failure frequency, source term) results. PSA is a powerful analytical tool that provides a different means to evaluate the design and operational safety of a plant and complements traditional deterministic methods. Additionally, PSA insights can highlight which SSCs and activities are important to safety from a risk perspective.

The second initiative is the NRC's promulgation of 10 CFR 50.65, the maintenance rule. This rule relies on a risk informed, performance based approach as the means of regulatory oversight. The licensee is required to monitor the performance or condition of specific SSCs against licensee established goals or performance criteria to provide reasonable assurance that these SSCs are capable of fulfilling their intended safety functions. In this approach, the licensee is afforded great flexibility in implementation methods and in determining how it will comply with the regulation. In addition, regulatory oversight of implementation is based on monitoring the results of the licensee's efforts, rather than on the traditional review of programmatic compliance.

Risk informed regulation, using PSA insights as a means of determining what is important, and performance based regulation, where implementation methods are not prescribed and regulatory oversight focuses on the results of licensee activities, are concepts that can significantly improve the traditional regulatory framework.

More and more, both industry and NRC activities aimed at regulatory improvements are relying on these new types of regulatory approaches to continue to improve plant safety and reliability. However, these concepts have largely been applied on an ad hoc basis to different technical areas or to areas where additional regulations are under consideration. In doing so, they are often interpreted differently for different applications. In other cases, they are not well understood by many individuals. Confusion over these concepts and their relationship to and distinction from traditional regulatory approaches can only detract from important initiatives that seek a more effective, efficient and stable regulatory framework and process.

It is important to make clear at this point that we do not intend to propose overthrowing the deterministic criteria, particularly defense in depth. As will be shown later in this paper, we believe that the deterministic criteria can be applied in setting the framework for the regulatory oversight assessment, but that the actual measurement of success in achieving safety should use objective and measurable performance indicators directly related to safety. Additionally, it should be made clear that this proposal does not require or envision any revision to the Code of Federal Regulations to make the regulatory oversight process more risk-informed. While there are other industry initiatives pursuing the safety benefit of various deterministic rules, this proposal does not.

B. Current NRC Assessment Process

The NRC is appropriately concerned that there be an effective assessment process for accurately assessing the safety performance of U.S. commercial nuclear power plants. The current system evolved over time and has been the subject of much review and discussion by senior NRC management. Most recently, the staff proposed a new system to the Commission (outlined in SECY 98 045). Because this approach is being revised, it will not be discussed in this paper; however, it does not appear to correct the weaknesses of the current process.

The current system includes a hierarchy of reviews and assessments from the lower levels of NRC (inspectors, both residents and special inspection teams) to the Commission itself. In summary the current system involves:

  • Inspection Program, performed on a "continuous" basis, and augmented by special inspections.

  • Analysis of Operational Data, a program to collect and evaluate operational safety data.

  • Plant Performance Reviews (PPR), which are conducted by regional managers about every six months. PPRs provide short term perspective on licensee performance and allow managers to determine the focus and detailed planning for inspection over the next six months. Information for the PPRs comes from the Plant Issues Matrix, a listing of all inspection report findings and licensee reporting information.

  • Systematic Assessment of Licensee Performance (SALP), which is an assessment conducted about every 12 to 24 months to evaluate each licensee's long term performance and provide an avenue for discussion of performance between licensees and the NRC. The SALP board reviews PPRs, performance indicators, licensee self assessments and third party assessments, and management meetings with the licensee, and provides its recommendations to the Regional Administrator. The results are used for long term resource allocation and inspection emphasis.

  • Senior Management Meetings (SMM), which are held to review licensees' individual performance on a national basis and bring to the attention of top NRC management those plants whose operational safety performance is of the most concern. These meetings are held approximately every six months by the Executive Director for Operations. The actions taken can include sending a letter to a licensee whose performance is deemed to be declining, and placing plants on the "watchlist." (The Commission itself can determine that a plant is "category 3," which means it requires Commission approval before restart is permitted by the EDO.)

The Commission, the staff, the industry, the news media and the public - all of the stakeholders in nuclear power plant safety - are unhappy with the current system. Among its shortcomings are:

  • The system of assessment is based primarily on the number and type of violations and findings discovered by NRC inspectors or reported by licensees. The system does not provide any balancing credit with what is working and in total compliance with the regulations. Thus the system is negatively biased.

  • The system does not have an objective safety focus. The system collects all the violations (in each of the SALP areas) but does not have any consistent logic with which to determine what violations are safety significant, and what they mean as a whole.

  • The SALP scoring does not have any defined logic and is based on subjective judgment which is overly influenced by perceived responsiveness of licensee management.

  • The system is oriented to a "zero-defect" mentality. Yet we know that no industrial process is zero defect - Dr. Deming taught us this, emphasizing that there will always be deviation around a mean. The real objective is to determine what level of deviation is acceptable and to work to raise the mean to an acceptable level.

  • The system requires enormous amounts of NRC management attention, all based on a pile of violations uninformed by any safety rationale.

  • The system is not integrated with inspection activity and enforcement activity, with the result that resources are not effectively allocated, and enforcement includes the citation of minor noncompliance, despite their lack of safety significance.

  • Results such as SALP scores and watch list designations are neither clearly defined nor well understood by the public, industry or news media.

  • An underlying problem with the current approach is that "the map is not the territory." The more abstract the assessment, and the more numbers that are used that are subjective rather than objective, the less the indicators reflect the underlying reality.

  • The system measures the relative performance of plants with the result that as average performance improves, the standard for what is acceptable also rises, with no change in regulatory requirements. (While it is appropriate for the industry to take the initiative to improve performance, the NRC should oversee against the current regulations.)

C. We are ready for a new Paradigm

These criticisms of the current approach to regulatory oversight suggest that a better system is needed. As this paper will discuss in succeeding sections, we believe the nuclear industry is ready for a new approach - a new paradigm which builds on the proven safety record of the commercial nuclear industry, the maturity of the technology and its application, and our ability to use risk analysis and operating experience to focus our attention and activities on truly significant safety indicators.

As was discussed above, nuclear electric generation is not a zero defect industry. Our approach has consisted of defense in depth. We have selected systems which are redundant, diverse, and single failure tolerant in order to both prevent and mitigate the consequences of potential events. The net effect of incorporating defense in depth into design, construction, maintenance, and operation is that the systems are more tolerant of defects. This was the deterministic foundation when we didn't have any operating experience upon which to base our regulatory structure.

But today nuclear electric generation is a mature industry with over 40 years experience. Our 2208 reactor years of operation reflect an experienced industry which can look at its operating experience and performance in an informed manner.

We have learned and fixed a lot. We now know where to focus our management attention and resources to operate and maintain our power plants safely.

Industry has also matured in its ability to self assess and correct problems. The Institute for Nuclear Power Operations sets standards of excellence for operations, maintenance, engineering and other plant processes, and it has established performance indicator goals which the industry is exceeding. Human performance, self assessment and corrective action programs at nuclear plants are mature and aggressive in improving safety and production outcomes. Operating experience is shared within the industry and incorporated directly in self assessment and corrective action programs.

Our ability to use probabilistic risk assessment techniques has also expanded. Risk insights are now commonly used (e.g., the maintenance rule implementation and the use of Individual Plant Evaluations).

We now need to use the combination of operating experience and risk insights to establish objective safety and regulatory thresholds to better focus our resources and energies to achieve the desired performance results and to de-emphasize the regulator's focus on inputs, i.e., processes and procedures.

Before we describe the proposed new paradigm, it is worthwhile to discuss what we mean by "risk informed, performance based oversight." That discussion follows in Section III.

III. RISK INFORMED, PERFORMANCE BASED OVERSIGHT

In any regulatory regime with the aim of assuring the protection of public health and safety, there are two fundamental questions that must always be addressed. One question is, "What aspects of the licensee's facility and operation are important to safety and therefore merit regulatory oversight?" The next question that follows is, "What are the appropriate regulatory oversight activities for those aspects that are important to safety?" In short, these questions are "what's important," from the standpoint of assuring public health and safety, and "how does one regulate what's important."

In the previous section, it was noted that the traditional means of answering these questions were deterministic criteria for identifying what is important to safety and a prescriptive/programmatic approach for regulating licensee activities pertaining to the items important to safety. Risk insights offer a different means for identifying what is important to safety and performance based regulation is a different means of regulating items important to safety. The following subsections discuss risk informed and performance based regulatory concepts. Then we discuss risk informed, performance based oversight and contrast its use with the current oversight approach.

A. Risk informed Oversight

Using risk insights as an aid to decision making in the regulatory process is often referred to as risk informed regulation. A more comprehensive definition of risk-informed regulation is:

A regulatory approach in which operating experience and engineering judgment are used in concert with the analytical insights derived from probabilistic safety assessments to focus licensee and regulatory attention on design and operational issues commensurate with their importance to public health and safety.

The concept of risk informed oversight is consistent and compatible with the overall goal of improving plant safety and reliability through a regulatory process that is more focused, objective and efficient. With respect to being efficient, clear and reliable, a risk informed regulatory oversight approach offers a means to focus resources in a manner that effectively complements and improves the current deterministic approach.

It must also be noted that risk-informed methods are not new and have been in use by both the industry and the NRC for many years. While the use of risk insights has limitations, just like any other analytical tool, these limitations have been overcome by blending the insights derived from risk analysis with operating experience and engineering judgment. Operating experience includes that compiled and made available through codes, standards and guidance documents. The first part of the maintenance rule implementation is a good example of this blend. First, the scope of SSCs is defined in the rule itself deterministically. The risk significance of these SSCs is then initially derived from plant specific PSAs by calculations using standard PSA importance measures. An expert panel is then utilized to review, adjust and finalize the list of risk significant SSCs. The NRC has recognized this approach as providing an effective means of establishing the risk significance of plant SSCs.

B. Performance-Based Oversight

Performance based regulation is defined and characterized as follows:

A regulatory approach that focuses on results as the primary means of regulatory oversight, and that has the following attributes:

  • Measurable parameters to monitor plant and licensee performance;
  • Objective criteria to assess performance based on risk insights, deterministic analyses and/or performance history; and
  • Licensee flexibility to determine how to meet established performance criteria.

A performance based regulatory oversight approach is also consistent with the goal of continued improvements in plant safety and reliability through a more focused, objective and efficient regulatory process. By establishing objective criteria from which to assess performance, clarity, consistency and stability in the regulatory process can be dramatically improved.

In addition, a performance-based regulatory oversight approach helps to establish and maintain an appropriate distinction between NRC's regulatory oversight role and the licensee's responsibility to manage plant operations in a safe and effective manner.

C. Risk-Informed, Performance Based Regulatory Oversight

A risk-informed, performance-based approach to regulatory oversight combines the "risk informed" and "performance based" elements described in subsections A and B above, and applies these concepts to NRC assessment, inspection and enforcement activities. Stated succinctly,

Risk-informed, performance-based regulatory oversight is an approach in which risk insights, engineering analysis and judgment, and performance results are used to:

  • develop measurable and/or calculable parameters for monitoring safety performance,
  • establish objective criteria for evaluating safety performance,
  • establish objective safety and regulatory thresholds, and
  • focus on the results as the primary basis for regulatory oversight actions.

D. Discussion and Implications for Regulatory Oversight

Risk informed, performance based regulatory oversight is different philosophically from the current programmatic/prescriptive regulatory regime. The focus is on the results, on assuring safety, or the output of licensee programs rather than on the procedures and processes that make up licensee programs. A criticism of this approach is that it is reactive in waiting for failures to occur before any actions are taken. On the contrary, risk informed, performance based regulatory oversight provides a focus on those items important to safety and reliability and is a natural incentive to maintain high performance levels. Additionally, objective performance monitoring can provide early indicators of declining trends in safety performance.

A premise of risk-informed, performance based oversight is that monitoring provides reasonable assurance that challenges to radionuclides barriers will be minimized and that safety functions will be fulfilled. This monitoring can also indicate the onset of problems which, if not addressed, could become more significant. To be effective, the objective performance criteria used to monitor performance must be set at a level that maintains safety margins above the standard of adequate protection of public health and safety. Licensee actions must be designed to preclude failures that threaten this standard. Many failures, however, that occur in the course of normal operations, do not significantly reduce the margin of safety due to the "defense in depth" principles reflected in the design and operation of each plant. For these failures, the key aspect is that appropriate cause determinations and corrective actions are taken so that performance is restored or maintained above the performance criteria. This ensures that adequate safety margins are maintained and are not allowed to degrade to a point that does not meet the standard of adequate protection of public health and safety.

The concept of a risk informed, performance based regulatory approach has often been confused with other concepts. For example, many people believe performance-based means inspecting and auditing work processes while they are occurring rather than reviewing paperwork documenting those processes after the fact. While real-time audits and inspections may be useful, they do not represent a risk-informed, performance based regulatory approach that assesses the overall effectiveness of meeting the regulation. As another example, many people use the terms performance-based regulation and risk based regulation synonymously. This confusion may stem from the fact that calculated values or assumptions (e.g., reliability and availability numbers) used in PSAs may also be used to establish performance criteria for SSCs in a risk informed, performance based regulatory approach. Risk insights may also be used to establish testing intervals for important plant equipment. Again, while these practices are advocated and are highly complementary, their effective implementation requires that the distinction between the two concepts be understood and maintained.

E. Comparison of Current versus Risk-Informed, Performance-Based Oversight

The current approach to regulatory oversight is prescriptive in nature, involves reviewing the details of licensees' programs, procedures, and management actions, and cites deficiencies regardless of safety outcomes. A risk informed, performance-based approach, in contrast, focuses on objective safety outcomes and allows the licensee management the flexibility to determine how to achieve safety in an effective and efficient manner.

Figure 1 will be used to illustrate the differences between the current approach and the risk-informed, performance based approach. The licensee is responsible for all aspects of safely operating and maintaining the nuclear power plant. This responsibility includes providing the key inputs (plant, people, processes, and procedures), and exercising prudent management (shown here as effective human performance, robust self assessment, and effective corrective action) to ensure successful outcomes (safety performance and cost effective production).

In the current regulatory oversight regime, the regulator attempts to assess all aspects of the licensee's activities (with the exception of cost effective production), regardless of the nexus to safety. In this regime, the regulator specifies what the licensee must do, i.e., the requirements, and also prescribes how to meet those requirements. Regulatory compliance is achieved by the licensee meeting its programmatic commitments to the prescribed methods or processes detailed in the regulatory guides and the interpretations of individual NRC staff. The regulator, without a framework in which to determine what is genuinely important for review, tries to review everything, including areas for which there are no regulations (such as human performance). The regulator also errs in viewing any error or deviation as a violation, even though it does not result in an unsafe outcome.

Under a risk informed, performance based approach, the regulations still specify what the requirements are; however, the licensee has the flexibility to determine how to meet the requirements. Achievement of the requirements is assured by monitoring performance relative to established safety performance goals.

[Figure 1: Performance Model for Successful Plant Operations. Inputs (People, Plant, Processes, Procedures); Management Actions (Human Performance, Self Assessment, Corrective Action); Outputs (Safety Performance, Cost Effective Production).]

Regulatory oversight using the risk informed, performance based approach should become more safety focused and succinct. The level of regulatory oversight should be commensurate with the degree of achievement of the safety performance criteria.

For example, one would expect less inspection for those licensees who are maintaining high levels of safety performance above the regulatory threshold, and more inspections for those who are not meeting their safety performance criteria.

Enforcement policy would be similar. If the licensee is meeting its performance criteria, then there should be no reason for enforcement actions in areas covered by those criteria.

As long as the licensee continues to meet the established safety performance criteria and takes appropriate actions to prevent recurring functional failures, the regulator should continue to allow the licensee flexibility in managing its implementation of the regulations. If performance degrades to the point where the licensee fails to meet safety performance criteria, this does not necessarily mean that the licensee is no longer in compliance with the regulation. Rather, it is a flag that increased regulatory oversight of licensee activities may be warranted, including focused inspection. However, should safety performance continue to decline and the corrective action is not providing reasonable assurance that the safety performance criteria or goals will be satisfied or the issue will be resolved, then more extensive regulatory interaction will occur. At this point, the licensee has lost much of the flexibility afforded when safety performance criteria were being satisfied, and corrective measures are likely to be reviewed in detail by the regulator. This additional regulatory attention may result in enforcement action to assure that appropriate corrective action is taken to comply with the regulations and satisfy the appropriate safety performance indicators.

In conclusion, regulatory oversight in an improved framework would be a graded approach based on safety significance and the safety performance results of the licensee. This approach provides an incentive for licensees to keep safety performance levels high, enables the NRC to focus its resources more effectively on safety significant matters when increased regulatory oversight is warranted, and allows licensee management to achieve safety and cost effective power.

IV. FRAMEWORK FOR RISK INFORMED, PERFORMANCE BASED REGULATORY OVERSIGHT PROGRAM

A. Purpose

The purpose of this framework is to define a safety focused regulatory oversight process for those activities that can be effectively monitored using risk-informed, performance-based approaches. The process acknowledges the need to preserve the current regulatory requirements (e.g., rules, regulations, operating license) that define the design and licensing basis of plants. It is recognized that for those activities for which objective measures of safety cannot be provided (e.g., Security, Emergency Planning), traditional oversight will be required. It is suggested, however, that this oversight should rely more on evaluating licensee self assessments as an alternative to NRC team inspections.

B. Objectives

The new risk informed, performance-based approach is designed to meet the nuclear power plant stakeholder needs for an effective regulatory oversight program:

  • Accurately and objectively measure the safety performance of nuclear power plants in protecting the public health and safety.

  • Provide accurate and understandable safety performance information to the public, news media, and other stakeholders.

  • Provide utility licensees and the NRC with objective indicators to assess safety performance and trends, to rationalize the NRC Enforcement Policy, and to allocate resources in an effective and efficient manner.

  • Provide Congress with objective information to perform its oversight and authorization responsibilities.

C. Program Attributes Necessary To Achieve Objectives

The following attributes are considered necessary to achieve the desired objectives:

  • The program should be directly linked to the NRC's mandate to assure protection of public health and safety.

  • The program should preserve current deterministic requirements of the regulations (e.g., defense in depth, single failure, redundancy).

  • The program should apply the concepts of risk informed, performance based oversight.

  • Safety performance assessment should be based on public health and safety thresholds and regulatory thresholds, not on relative plant performance.

  • Assessment conclusions should be supported by the direct measurement of the performance indicators.

  • Attributes of appropriate indicators are:
      • a direct relationship should exist between the indicator and safety performance expectations
      • data necessary to measure the indicator should be available or capable of being generated
      • indicators should be capable of being expressed in quantitative terms that are not ambiguous
      • indicators should be meaningful, i.e., their significance is readily understood
      • indicators should be able to be validated

  • Program implementation should include:
      • clear roles and responsibilities of the NRC and licensees
      • public communication of results
      • include a decision model or criteria so that NRC actions are predictable
      • be simple, nonredundant, and resource efficient

D. Program Structure

Under the Atomic Energy Act, the Nuclear Regulatory Commission (NRC) is charged with issuing and enforcing requirements that are necessary to ensure adequate protection of public health and safety. While adequate protection is not defined in the Atomic Energy Act, NRC policy considers adequate protection to have been achieved if a plant is operating in conformance with the regulations. This position is reasonable because regulations are largely promulgated on the basis that they are necessary to establish adequate protection of public health and safety.

10 CFR Part 50 (and appendices) contains most of the technical regulations that apply to power reactors. The primary purpose of these regulations is to establish requirements that define:

1. the robustness of the barriers to radionuclide release,
2. the postulated plant events and accidents that must be considered and the methodologies for analyzing the events, and
3. the capabilities of the engineered safety features for mitigating postulated events.

Nuclear power plants were granted a license largely on the basis that a review of the design, construction and intended operation of the facility would comport with the requirements of 10 CFR Part 50 and meet the guidelines of 10 CFR Part 100.

Part 100 directs the NRC to consider "the safety features that are to be engineered into the facility and those barriers that must be breached as a result of an accident before a release of radioactive material to the environment can occur." Public health and safety is not adversely impacted by nuclear plant operations unless radiation exposures exceed the limits imposed by 10 CFR Part 100.

Therefore, performance expectations that relate to public health and safety can be grouped as follows for assessment purposes:

LEVEL 1: Maintaining the barriers to radionuclide release.

LEVEL 2: Minimizing events that could challenge the barriers and ensuring that engineered safety systems can perform their intended safety function.

LEVEL 3: Trends that may predict changes in LEVEL 1 and LEVEL 2.

Figure 2 depicts a three level approach that would provide the structure for the assessment program.

[Figure 2: Levels and safety performance expectations. Level I, Public Health and Safety: Barrier Integrity. Level II, Safety Performance Margin: Operating Challenges and Mitigation Capability. Level III, Overall Plant Performance: Plant Performance Trend.]

E. Safety Performance Expectations

Within each level of nuclear power plant safety assessment, there are safety performance expectations which must be achieved.

Level I: Public Health and Safety

Barrier Integrity for all three barriers (fuel, reactor coolant system boundary and containment boundary) should be maintained within design specifications.

This performance expectation acknowledges the concept of defense-in-depth that is a stated policy objective for nuclear safety regulations. Unacceptable performance in this performance area represents the potential for exceeding 10 CFR Part 100 exposure guidelines. Acceptable performance in this area means a plant is operating in a manner that does not impact public health and safety.

Level II: Safety Performance Margin

Operating Events that could test the robustness of the barriers should be minimized to ensure the event class frequencies assumed in the accident analyses are not exceeded.

This performance expectation recognizes the importance of minimizing operating challenges that could, in turn, challenge the barriers to radioactive release to the public. A low operating event frequency equates to a high margin of safety to challenging the barriers to radioactive release.

Mitigation Capability should be maintained at a level that provides reasonable assurance that the engineered safety features that are credited in the accident analyses can perform their intended function. The maintenance rule provides a framework for monitoring and measuring whether reasonable assurance is being achieved.

This performance expectation recognizes that operating challenges will occur to the plant over its lifetime and, therefore, a mitigation capability will be needed. Mitigation capability also provides defense-in-depth through redundant trains and systems. Equally important, this expectation also provides a measure of the margin of safety to challenging the barriers to radioactive release. Strong performance in this expectation equates to a high margin of safety.

Level III: Overall Plant Performance

Plant Performance Trend should be evaluated as a leading indicator for problems that might develop in the Level I and Level II performance areas.

The Level I and Level II performance expectations discussed above address only one aspect of plant operation. To be successful, a nuclear power plant must not only operate safely, but reliably and economically as well. In fact, analyses show that the plants with the best safety records also have the best production and cost performance records. Keeping track of integrated plant performance can provide an overall indication of how well the organization is functioning. Early indication of a problem affords the opportunity to allocate resources accordingly to correct a declining trend, before it can impact Level I or Level II.

F. Safety Performance Indicators, Thresholds, And Performance Bands

1. Indicators

Each performance expectation has a set of specific safety performance indicators for evaluating the achievement of each performance expectation. Each indicator is plotted over time to identify the trend in performance. Plotting the indicators also shows the available safety performance margin for each indicator.

The set of indicators provides an objective measure of the overall level of safety performance at each nuclear power plant. Figure 3 below identifies the specific indicators used for evaluating each performance expectation.

Figure 3: Levels, performance expectations, and safety performance indicators

  Level I - Public Health and Safety
    Barrier Integrity: Reactor Coolant System Activity; Reactor Coolant System Boundary; Containment Integrity

  Level II - Safety Performance Margin
    Operating Challenges: Total Scrams; Safety System Actuations; Shutdown Operating Margin; Operating Transients > 15%
    Mitigation Capability: Maintenance Rule High Risk Significant SSC Performance

  Level III - Overall Plant Performance
    Plant Performance Trend

The definition and frequency of reporting for each of the indicators identified in the above figure is described below:

Level I: Public Health and Safety

Barrier Integrity

Public health and safety impacts do not occur unless radioactivity is released to the environment. For this to happen, three barriers must be breached: (1) fuel cladding, (2) reactor coolant system boundary and (3) containment. The following indicators measure a licensee's performance in maintaining barrier integrity.

  • RCS Activity - The RCS Activity indicator monitors the level of fission products in the coolant and provides an indication of the integrity of the fuel cladding.

  • RCS Boundary - The RCS Boundary indicator monitors the leakage rate from the primary boundary.

  • Containment Performance - The Containment Performance indicator measures the integrity of the containment boundary.

Level II: Safety Performance Margin

Operating Events

Operating events cause plant transients that challenge the ability of the engineered safety features to perform their intended safety function of maintaining the barriers to releasing radioactivity to the public. The following indicators measure a licensee's performance in minimizing operational challenges.

tracks the number of unplanned scrams. Unplanned scrams result in thermal and hydraulic transients and represent challenges to plant safety systems. (Manual scrams are included with Unanticipated Operating Transients.)

  • Safety System Actuations - The safety system actuations indicator tracks the number of safety system actuations that occur in response to actual plant conditions. Not included in this indicator are safety system actuations resulting from errors in conducting maintenance and surveillance activities.

  • Unanticipated Operating Transients - This indicator tracks the total number of unanticipated challenges that cause a greater than 15% change in power (not including automatic scrams, which are counted above).

  • Shutdown Operating Margin - This indicator tracks the amount of margin maintained by a plant during shutdown conditions for temperature and cooling water inventory.

Mitigation Capability

Operating events can be minimized but not totally eliminated. Engineered safety features were designed to provide reasonable assurance that operating events could be mitigated so as not to breach the barriers to the release of radioactivity to the environment. The following indicators measure a licensee's performance in maintaining mitigation capability. Design basis defects and human errors may be important causes for degraded performance in this area. If these conditions exist, they will affect the availability and reliability of the important safety systems.

  • High Risk Significant SSC Performance - This indicator monitors the achievement of performance levels established under the maintenance rule for high risk significant SSCs.

Level III: Overall Plant Performance

Plant Performance Trend

Successful nuclear plants show strong safe, reliable and economic performance.

Key indicators can be combined into an index that represents overall plant performance. The index value can be trended to show the direction overall performance is headed.

They can also provide valuable insights to plant management on areas on which to focus attention in improving performance. The set of indicators is as follows:

  • Unit Capacity Factor
  • Forced Outage Rate
  • Unplanned Automatic and Manual Scrams
  • Safety System Actuations
  • Safety System Failures
  • Significant Events
  • Operating Transients Greater than 15%
  • Safety System Performance
  • Equipment Forced Outages per 1000 Hours
  • Collective Radiation Exposure
  • Industrial Safety Accident Rate

Each indicator would be weighted equally in calculating an index value for trending purposes.

2. Performance Thresholds

Each indicator has an objective regulatory threshold and safety threshold value.

  • Regulatory Threshold defines the level of performance at which the safety performance margin has declined to a point where regulatory attention is warranted.

  • Safety Threshold defines the level of performance at which the safety performance margin has declined to a point where plant operation is not permitted until corrective action is taken to restore margin.

The following guiding principles for establishing threshold values should be considered:

  • Wherever possible, the performance indicator thresholds should be tied to the assumptions of plant specific safety analyses and/or PSA analyses, as appropriate.

  • Safety thresholds will be tied to plant specific safety analyses for Tier 1 indicators and to risk insights for Tier 2 indicators.

  • Regulatory thresholds will be established based on historic industry performance such that licensee management has sufficient flexibility to address performance, and, if performance drops, the regulator has sufficient opportunity to take appropriate action prior to approaching the safety threshold. (For example, the use of Maintenance Rule data would rely on plant specific performance criteria for the regulatory threshold and NRC risk informed regulatory decision criteria for the safety threshold.)

  • The Tier 3 indicator is provided as a trend plot and will not have an established threshold.

SUMMARY OF PROPOSED THRESHOLD VALUES

Indicator / Purpose: Reactor Coolant System Activity - Provide indication of fuel cladding barrier integrity
Measured Parameter: Maximum activity level
Basis for Thresholds:
  Regulatory Threshold: 50% tech spec limits
  Safety Threshold: Exceedence of tech spec limits

Indicator / Purpose: Reactor Coolant System Leakage - Provide indication of reactor vessel barrier integrity
Measured Parameter: Maximum leakage
Basis for Thresholds:
  Regulatory Threshold: 50% tech spec limits
  Safety Threshold: Exceedence of tech spec limits

Indicator / Purpose: Containment Leakage - Provide indication of containment barrier integrity
Measured Parameter: Maximum leakage value (%I.)
Basis for Thresholds:
  Regulatory Threshold:
  Safety Threshold: 1. > 1.0

Indicator / Purpose: Total Automatic Scrams - Provide indication of frequency of operational challenges
Measured Parameter: Total number of automatic scrams per 7000 critical hours
Basis for Thresholds: Scrams do have a linkage to PSA.
  Regulatory Threshold: > 3 per calendar year (1993-1997 95th percentile value = 3)
  Safety Threshold: > 10 per calendar year (1980 industry avg > 8; NRC IPE Database showed avg. CCDP of 1 x 10Nscram)

Indicator / Purpose: Safety System Actuations - Provide indication of rate at which plant safety systems are challenged
Measured Parameter: Number of times safety systems are actuated per rolling year
Basis for Thresholds: Safety system actuations do not have a direct linkage to PSA.
  Regulatory Threshold: > 3 per calendar year (1991-1997 95th percentile value = 3)
  Safety Threshold: > 8 per calendar year (1985-1990 95th percentile = 8)

Indicator / Purpose: Shutdown Operating Margin - Provide indication of effectiveness of shutdown operations. Ref. EPRI TR-109014, "An Analysis of Loss of Decay Heat Removal Trends (1989-1996)"
Measured Parameter: Number of events and severity involving loss of inventory margin or thermal margin. (See Note 1)
Basis for Thresholds: Loss of inventory and loss of thermal margin do have a linkage to PSA.
  Regulatory Threshold: > 1 loss of margin event per outage OR any event with severity index of greater than 0.2
  Safety Threshold: > 3 loss of margin event per outage OR any event with severity index of greater than 1.0

Indicator / Purpose: Operating Transients >15% - Provide indication of stability of plant operations
Measured Parameter: Number of unanticipated changes in power level >15% that do not result in an automatic scram (already counted in Scram Indicator)
Basis for Thresholds: Except for scrams, plant transient conditions do not have a direct linkage to PSA. Investigating numbers...
  Regulatory Threshold: 1990-1995 95th percentile value
  Safety Threshold: 1985-1990 95th percentile value

Indicator / Purpose: Maintenance Rule High Risk Significant SSC Performance - Provide indication of reliability / availability of systems found to be of high risk significant on a plant specific basis as part of Maintenance Rule
Measured Parameter: Utilize existing plant specific Maintenance Rule monitoring approach, but define a risk-informed approach to (1) selecting systems (importance measures) and (2) establishing unacceptable performance level (RG 1.174).
Basis for Thresholds:
  Regulatory Threshold: Plant specific performance criteria established as part of Maintenance Rule implementation
  Safety Threshold: Performance such that exceedence of the threshold for any single system could cause the R.G. 1.174 decision criteria to be exceeded.

Indicator / Purpose: Plant Performance Trend - Provide overall (integrated) indication of plant performance
Measured Parameter: Combined index based on weighted average of other indicators (similar to INPO Index)
Basis for Thresholds:
  Regulatory Threshold: None. Provides trend only.
  Safety Threshold: None. Provides trend only.

NOTE: The severity of a shutdown incident is determined by the fraction of the thermal or inventory margin used during the incident. For example, if the reactor coolant system heated up 30 degrees Fahrenheit from an initial temperature of 140 degrees, the thermal margin used would be 30/(212 - 140) = 0.42. If the reactor coolant system lost 5,000 gallons with an initial inventory of 50,000 gallons (prior to loss of decay heat removal), the severity would be 5,000/50,000 = 0.1.

3. Performance Bands

The Regulatory Threshold and Safety Threshold define a Utility Response Band, a Regulator Response Band and an Unacceptable Performance Band as shown:

[Figure 4: Performance Response Bands. Plot against time showing the Regulatory Threshold, the Regulator Response Band, and the Safety Threshold.]

Utility Response Band - This band recognizes and acknowledges that all manufacturing processes have a control band for performance. Utility management's role is to maintain performance within the control band. Performance within the control band provides an indication that corrective actions, programs and processes related to the performance area are effective. The Regulatory Threshold is set at a value that provides an adequate margin of safety to the Safety Threshold such that there are no unacceptable consequences for departing from the Utility Response Band and there is sufficient time to take corrective action before exceeding the Safety Threshold.

Regulator Response Band - This band defines the point at which the regulator departs from a purely monitoring role and questions the adequacy of corrective actions, programs and processes related to the performance area. While performance is still acceptable within this band, it represents a degree of reduction in safety margin that warrants increased regulatory actions. The degree of regulator response would be determined by how close performance is to the Safety Threshold.

Unacceptable Band - This band defines the point at which plant operation is not allowed.

Color coding the band levels provides a clear way of communicating plant performance. The colors for each indicator would be transferred to Figure 3 to provide an overall performance "window" to effectively communicate the overall plant performance levels to the public and the industry. Level I and Level II indicators would be color coded as follows:

GREEN   Acceptable performance within Utility Response Band
WHITE   Acceptable performance within Regulator Response Band
RED     Unacceptable performance
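The banding rule above, applied to the count-based Level II indicators and the shutdown severity index from the NOTE, as an added example that is not part of the NRC draft. The threshold numbers are the proposed values from the summary table; the function names and the sample plant data are hypothetical.

```python
"""Color-band classification for count-based Level II indicators.

Added illustration, not part of the NRC draft. Threshold numbers are the
proposed values from the summary table; all names here are hypothetical.
"""
from dataclasses import dataclass

GREEN, WHITE, RED = "GREEN", "WHITE", "RED"
_ORDER = (GREEN, WHITE, RED)   # best to worst
BOILING_F = 212.0              # the NOTE measures thermal margin up to 212 F


@dataclass(frozen=True)
class Thresholds:
    regulatory: float  # exceeding this enters the Regulator Response Band
    safety: float      # exceeding this enters the Unacceptable Band

    def __post_init__(self):
        if not self.regulatory < self.safety:
            raise ValueError("regulatory threshold must lie below safety threshold")

    def band(self, value):
        """Return the color for an indicator where larger values are worse."""
        if value < 0:
            raise ValueError("indicator value cannot be negative")
        # The table states thresholds as strict exceedances (">3", ">10"),
        # so a value equal to a threshold stays in the better band.
        if value > self.safety:
            return RED
        if value > self.regulatory:
            return WHITE
        return GREEN


# Proposed values from the summary table.
AUTOMATIC_SCRAMS = Thresholds(regulatory=3, safety=10)         # per calendar year
SAFETY_SYSTEM_ACTUATIONS = Thresholds(regulatory=3, safety=8)  # per calendar year
SHUTDOWN_EVENT_COUNT = Thresholds(regulatory=1, safety=3)      # per outage
SHUTDOWN_SEVERITY = Thresholds(regulatory=0.2, safety=1.0)     # severity index


def thermal_severity(initial_temp_f, heatup_f):
    """Fraction of thermal margin used: heat-up / (212 - initial temperature)."""
    margin = BOILING_F - initial_temp_f
    if margin <= 0:
        raise ValueError("no thermal margin at or above 212 F")
    return heatup_f / margin


def inventory_severity(initial_gal, lost_gal):
    """Fraction of coolant inventory lost during the incident."""
    if initial_gal <= 0:
        raise ValueError("initial inventory must be positive")
    return lost_gal / initial_gal


def shutdown_margin_band(severities):
    """Band for one outage, given the severity index of each loss-of-margin event.

    The table joins the two criteria with OR, so the outage takes the worse
    of the band by event count and the band by the most severe single event.
    """
    severities = list(severities)
    by_count = SHUTDOWN_EVENT_COUNT.band(len(severities))
    by_severity = SHUTDOWN_SEVERITY.band(max(severities, default=0.0))
    return max(by_count, by_severity, key=_ORDER.index)


def performance_window(scrams, actuations, outage_severities):
    """Per-indicator colors, as they would be transferred to Figure 3."""
    return {
        "Total Automatic Scrams": AUTOMATIC_SCRAMS.band(scrams),
        "Safety System Actuations": SAFETY_SYSTEM_ACTUATIONS.band(actuations),
        "Shutdown Operating Margin": shutdown_margin_band(outage_severities),
    }


if __name__ == "__main__":
    # Constructed sample data; the two shutdown events reuse the NOTE's numbers.
    events = [thermal_severity(140, 30), inventory_severity(50_000, 5_000)]
    for name, color in performance_window(2, 5, events).items():
        print(f"{name:28s} {color}")
```

Because the draft joins the shutdown criteria with OR, an outage with a single event can still leave the Utility Response Band if that event used more than 0.2 of the available margin.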


V. IMPLEMENTATION

A. Overview

This section describes how the risk informed, performance based regulatory oversight program would be implemented in a manner that is more participatory than the current process. The roles and responsibilities of the licensees and the NRC are outlined below. Three general concepts should be kept in mind. First, licensees and the NRC have individual, but complementary roles in the program in achieving adequate protection of the public health and safety. Second, the process is a continuing cycle (see figure 5) of assessment, inspection plan development, inspection, regulatory action, assessment, etc. Third, while these steps generally follow the order displayed, they are in continual interaction.

B. NRC Responsibilities

1. Overall Responsibilities

The NRC is responsible under the Atomic Energy Act for ensuring that nuclear power plants provide an adequate level of protection of public health and safety. This responsibility requires that margins to safety be maintained such that single performance problems do not result in adverse consequences to the public. At the same time, the NRC needs to exercise caution so as not to encroach on plant management's primary responsibility to safely operate and maintain nuclear power plants by regulating to a zero defect threshold. The risk-informed, performance-based oversight process outlined in this paper recognizes this distinction.

Figure 6 identifies three performance bands that define the appropriate approach for NRC's regulatory oversight process given the separate, but complementary, roles of the NRC and its licensees in assuring safe plant operation.

a) Utility Response Band - This band recognizes and acknowledges that all manufacturing processes have a control band for performance. Utility management's role is to maintain performance within the control band. Performance within the control band provides an indication that corrective actions, programs and processes related to the performance area are effective. The regulator's role is to ensure that the performance indicator is being properly measured and to monitor the indicator to determine if it remains within the Utility Response Band. Variations in performance within the band would be recognized by the regulator as acceptable performance fluctuations and no regulatory action would be taken. The threshold between the Utility Response Band and the Regulator Response Band is set at a value that provides an adequate margin of safety to the Unacceptable Band such that there are no unacceptable consequences for departing from the band and there is sufficient time to take corrective action before entering the Unacceptable Band.

b) Regulator Response Band - This band defines the threshold at which the regulator departs from a purely monitoring role and questions the adequacy of corrective actions, programs and processes related to the performance area. The degree of regulator response would be determined by how close performance is to the Unacceptable Band. Performance high in the Regulator Response Band would receive minimal regulatory action (Level 4 violations) while performance low in the band would receive more aggressive action (AITs, IITs, Confirmatory Action Letters, civil penalties, DETs, etc.).

c) Unacceptable Band - This band defines the threshold at which plant operation is not allowed. The threshold for this band is set at a value that recognizes that significant erosion of the margin to safety for the performance expectations has occurred such that the performance expectations are in jeopardy of not being met. Risk insights and operating experience are used to establish the threshold value of the Unacceptable Band.

2. Regulatory Oversight Responsibilities

a) Assess Results

For areas covered by the safety performance indicators, the NRC would verify the completeness and accuracy of the indicators reported by the licensee and review the results against the Regulatory Action Model (Figure 6).

For areas not covered by the safety performance indicators, the NRC would review the results of the licensee's performance based on previous inspections and corrective actions taken by the licensee in response to previously identified deficiencies.

b) Develop Inspection Plans

The NRC would develop its inspection plan based on the results of its assessment of licensee performance in the safety performance indicators, its review of licensee corrective actions on previous regulatory actions, and its requirements to assess deterministic regulatory areas not covered by the safety performance indicators, such as Emergency Planning and security.

For areas covered by the safety performance indicators, the scope of future inspection activities is determined by the performance results relative to the response bands. For example, performance in the utility response band would mean that NRC inspection of specific procedures and processes would not be necessary for that performance area. Performance in the regulator response band would warrant increased inspection activity to determine the cause of performance problems.

For areas not covered by the safety performance indicators, the NRC would plan to perform baseline inspections or opt to evaluate or participate in licensee self assessments and audits. By reviewing the licensee's self assessment and audit schedule for the next inspection cycle, the NRC could conserve resources by opting to evaluate licensee self assessments and/or audits rather than conduct redundant inspections. (A precedent for this approach already exists: Inspection Procedure 40501, "Licensee Self Assessments Related to Team Inspections.")

c) Conduct Inspections

Carry out inspection plans and document results in inspection reports.

d) Regulatory Actions

For areas covered by the safety performance indicators, regulatory actions would depend on the performance results. For example, performance discrepancies that did not cause the results to drop below the utility response band would be documented in the inspection report as an inspector follow up item without the need to take enforcement. This would avoid the expenditure of NRC and licensee resources on matters of low safety importance. For performance within the regulator response band, regulatory actions would depend on the available margin to safety as depicted on Figure 6. For performance below the safety threshold, the NRC would issue a shutdown order unless corrective action was already effective in returning performance above the safety threshold.

For areas not covered by the safety performance indicators, the degree of regulatory action should be commensurate with the safety significance or actual consequences of the discrepancy.

C. Licensee Responsibilities

1. Overall Responsibilities

The licensee is responsible for all aspects of safely operating and maintaining the nuclear power plant. Figure 1 (on page 11) provides a model depicting the key inputs (plant, people, processes, and procedures), management activities (human performance, self assessment and corrective action), and results/outputs of running the plant (safety performance and cost effective production).

In assessing the performance of inputs, management actions, and outputs, the licensee will develop its own unique self assessment methods and a set of indicators with which to monitor performance. These assessments and indicators are at the discretion of licensee management as they deem appropriate. (It will also have in place a Quality Assurance Program in accordance with 10 CFR 50 Appendix B.) The performance indicators will be created to monitor and assess performance in those areas deemed important to plant management to achieve its own goals and objectives.

The licensee will use its self assessment program and its own internal performance indicators to assess performance of plant equipment and systems, workforce, procedures and processes. When deficiencies or opportunities for improvement are identified, the licensee will use its corrective action program and other management actions to achieve improvement. The licensee will continue to report events and deficiencies as currently required in the regulations.

In addition to the licensee's staff, the industry has established an industrywide plant evaluation program under the Institute of Nuclear Power Operations (INPO). INPO's role is to assist utilities in achieving high standards for nuclear plant operations.

Utility management's role is to maintain safety performance within the utility response band. (See figure 4.) It is the responsibility of the licensee to monitor performance and correct individual errors or trends that are detected before dropping below the regulatory threshold by performing root cause analyses, taking corrective actions and monitoring the effectiveness of those actions to restore performance.

Performance within the utility response band provides an indication that corrective action, self assessment, and human performance are effective in operating and maintaining the plant.

If performance drops below the regulatory threshold, the licensee conducts an in-depth review of why its actions have been unsuccessful, and establishes an integrated plan to restore performance.

2. Regulatory Oversight Responsibilities

a) Assessment

The licensee will monitor and report the safety performance indicators described in Section IV to the NRC on a quarterly basis prior to the NRC assessment.

b) Develop Inspection Plans

The licensee should make the NRC aware of its self assessment and audit plans that it intends to make available to the NRC to assist the NRC in planning its future inspection activities.

c) Inspection

The licensee provides the results of self assessments and audits in regulatory oversight areas to the NRC in advance of NRC inspections. This includes regulatory areas not covered by the safety performance indicators such as security, emergency planning, etc.

d) Regulatory Actions

The licensee performs root cause analyses, identifies corrective actions and reports the status of corrective actions to the NRC prior to any NRC regulatory actions.

[Figure 5: Regulatory Oversight Model. Cycle with the labels "Assess Results", "Develop Inspection Plan", "Conduct Inspections" and "Determine Regulatory", and the licensee inputs "Licensee Provide Self Assessment & Audit Plans", "Licensee Provide Self Assessments", "Licensee Assess & Correct Deficiencies" and "Licensee Provide Safety Performance Indicators".]

[Figure 6: Regulatory Action Model. Indicator value plotted against time. Labels, from top to bottom: NRC monitor indicators / Reduced inspection; Document performance deviations in inspection reports; Regulatory Threshold; NOVs issued for non-compliance; escalated enforcement; CAL; Safety Threshold.]