ML20206H512

Speech entitled "Relevance of PRA to Regulatory Development," presented at the Inter-Regional Training Course on Uses of Probabilistic Safety Assessment, Oldbury-on-Severn, Bristol, England, September 5, 1985
Accession number: ML20206H512
Issue date: 09/05/1985
From: G. Burdick, NRC Office of Nuclear Regulatory Research (RES)
Shared package: ML20206H509
References: NUDOCS 8606260154
Download: ML20206H512 (64)



RELEVANCE OF PRA TO REGULATORY DEVELOPMENT

Dr. Gary R. Burdick
Chief, Reactor Risk Branch
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission

Inter-Regional Training Course on Uses of Probabilistic Safety Assessment
Nuclear Power Training Center
Oldbury-on-Severn, Bristol, United Kingdom
September 5, 1985

.e i

ACKNOWLEDGEMENTS

The author gratefully acknowledges substantial contributions by Richard C. Robinson and Carl E. Johnson, both of the USNRC, to Sections 3.1, 3.2, and 3.3. Material and thoughts originally developed by Dr. W. E. Vesely, Battelle Columbus Laboratories, under the NRC-funded PETS Program, also contributed where indicated in Section 3.2. Special thanks go to David Campbell, JBF Associates, Knoxville, Tennessee, for supplying part of the text and figures of Section 3.4.

ABSTRACT

Activities of regulators of nuclear power plant operations are characterized in terms of four fundamental questions: How safe should plants be? How safe are the plants? How should plant risk best be reduced, if need be? How should an acceptable level of risk be maintained over plant lifetime? Providing answers to these questions is an inseparable element of the regulator's role in carrying out his charge to protect the public health and safety. The characterization thus provided is a natural setting for addressing the question of the relevance of PRA to regulatory development. PRA methods development, PRAs themselves, and PRA applications are all clearly linked in supporting roles to regulatory activities.

With the stage thus set, four relatively recent research initiatives sponsored by the U.S. NRC Office of Nuclear Regulatory Research are then described. This research will enable PRA results to be applied in new and potentially quite beneficial ways by regulators and plant owners alike in seeking answers to the last two questions. These new applications specifically deal with: coordinated evaluation of proposed requirements, technical specifications improvement, plant reliability program development, and the application of PRA to the NRC Inspection Program.

With the promise realized of improved methods for technical specification analysis, coupled with effective implementation of plant reliability programs, the way would be paved for a movement from prescriptive to performance-based regulation.

1. INTRODUCTION

Significant strides have been made in Probabilistic Risk Analysis (PRA) methods since the Reactor Safety Study (RSS) [1] laid the foundation for the PRA activity that followed. These include a more detailed breakdown of initiating events and better data on their probability of occurrence. Event tree analysis has become more proceduralized as well as more detailed. Fault tree methods have been better delineated. Human reliability methods have been better developed and a handbook promulgated [2]. Improved computer programs allow quantification of accident sequences more efficiently and accurately. Much more experimental evidence and improved codes now exist for core melt phenomenology and containment response. Improved codes also exist for offsite consequence analysis.

Under the auspices of the Institute of Electrical and Electronics Engineers (IEEE) and the American Nuclear Society (ANS), wide peer review has been given to the methods now being used in risk analysis, and widely accepted methods were selected and published in the PRA Procedures Guide [3]. Prescriptive procedures have been developed and tested for the PRA analysis of plant systems and are delineated in the IREP Procedures Guide [4].

Recently the U.S. Nuclear Regulatory Commission (NRC) published a document that describes the current status of PRA as practiced in the nuclear regulatory process. The document is titled Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application [5]. The document reviews the PRA studies that have been completed or are underway, discusses the levels of maturity of the methodologies used in a PRA and the associated uncertainties, lists the insights derived from PRAs, discusses the potential uses of PRA results for regulatory purposes, and highlights areas where research could improve the utility of PRA information in regulation.

In the nearly 2 years since completion of the Status Report, applications of PRA to nuclear power plants have experienced increasing use and cautious yet increasing acceptance, particularly in addressing regulatory issues. This usage has spanned a broad range of applications including setting regulatory priorities, resolving generic issues, evaluating proposed regulation changes, judging plant safety as part of licensing hearings, and attempts at identifying outlier plant characteristics. Current trends such as the safety goal evaluation, preparation of guidance for industry use in PRA, and the staff recommendation for a safety assurance program at the Indian Point plant foreshadow even greater usage of PRA and its methods and insights within the regulatory process. Moreover, management attention at the highest levels in the NRC is being given to the development and implementation of PRA-based methods for a number of end uses within the agency. It is the purpose of this paper to clearly depict the emerging role of PRA in regulation of nuclear power plants, and to describe four specific areas where PRA methods are currently being explored by the NRC Office of Research for expanded use in the regulatory process.

2. OVERVIEW OF PRA ROLES IN REGULATION

Activities of individuals involved in regulating nuclear power plant operation can be characterized as being aimed at supplying or in some way using answers to four basic questions:

(1) What constitutes acceptable risk from nuclear power plants?

(2) What is the risk from nuclear power plants?

(3) How could that risk be reduced, if necessary?

(4) How can an acceptable level of risk be maintained over the lifetime of the plant?

This characterization has an advantage in that through it the roles of PRA in regulation can be readily brought to the fore. PRA activities related to each question are displayed in Figure 1.

The answer to the first question is what has become known in the U.S. nuclear power industry as "The Safety Goal." The staff is currently evaluating a proposed safety goal as well as some alternative goals. The proposed safety goal, a plan for its evaluation, and public comments on the proposed goal are described in Safety Goals for Nuclear Power Plant Operation [6].

The proposed set of quantitative safety goal criteria naturally requires some form of PRA with which to measure safety. Indeed, how "acceptable" risk is defined and how that definition is used in the regulatory process depend in large part on the capabilities of PRA in its myriad possible applications. As indicated, the major activities ongoing in the search for an answer to this question are naturally PRA methods development and definition of the Safety Goal itself. Information concerning the latter can be found in the "Safety Goal Evaluation Report," which was submitted by the NRC staff to the Commission last spring and is available from the NRC public document rooms. Again, for comprehensive discussion of the maturity and applications of PRA, the reader is referred to Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application [5], often called simply the "PRA Reference Document."

Figure 1. PRA Roles in Regulation of Nuclear Power Plant Operation. [Figure; the following labels are recovered from the diagram.] Regulation of NPP operation, by question:
- What safety level is acceptable? PRA methods development; Safety Goal definition.
- How safe are plants? Plant-specific PRAs; class-specific PRAs; PRA-based generic analyses of operational occurrences.
- How should risk be reduced if needed? PRA evaluation of safety issues; PRA use to identify candidate requirements; risk-effective regulations; PRA-based V/I analyses of proposed requirements.
- How can an acceptable level of risk best be maintained over plant lifetime? PRA-based technical specifications; PRA-based owner-operated plant reliability program; PRA-based inspector aids.

PRA is, of course, a necessary tool for answering the second question, whether that question is answered via plant-specific PRAs or on a more generic basis through some form of extrapolation from specific PRAs to the entire family of plants. In the U.S. there are now about 20 completed plant PRAs. The dominant accident sequences from some of these have been used in an attempt to obtain risk profiles of the 100 near-term and presently operating plants, under the Accident Sequence Evaluation Program (ASEP) sponsored by the Office of Research. Although the extrapolation must be done with great care, the results verified against as-built plant hardware and current operating procedures, and care exercised in using the risk profiles, in the absence of PRAs on each plant the ASEP approach is the only known means for obtaining risk statements for all plants. A report describing ASEP and what it revealed with respect to dominant contributors to risk at each of the 100 operating and near-term U.S. plants will be available in the summer of 1986.

In addition to plant-specific PRAs and ASEP dominant accident sequences, operational occurrences as reported in licensee event reports can be analyzed in generic event trees to obtain a gross assessment of nuclear industry risk over periods of time. The NRC Accident Sequence Precursor Program has completed an assessment of the 1969-1979 period [7] and also the period 1980-1981 [8].

When reduction in risk is found appropriate (question 3), PRA becomes a vital tool to measure the level of reduction achieved and as part of the value/impact considerations. Although, in the past, PRA techniques have been used in assessing the risk reduction achieved by certain requirements and in measuring the value/impact ratio for these, both of these exercises for each safety issue addressed would have been much facilitated by the availability of computerized accident sequences from a complete family of plant-specific PRAs or computerized information such as that expected soon from ASEP. (The use of ASEP in this regard will be discussed in more detail in the next section.) Nevertheless, the NRC staff and its contractors have succeeded in formulating technical resolutions to many Generic Safety Issues and erstwhile Unresolved Safety Issues (USIs) through use of PRA techniques. Among USIs resolved by these methods are, for example, Anticipated Transients Without Scram and Pressurized Thermal Shock, while resolution is expected shortly for Station Blackout, Loss of DC Power, Systems Interaction, and a few others.

The potential usefulness of PRA in addressing the fourth question is just now beginning to be understood by the technical community. PRAs produced to date have not been focused on such an end use, which requires that the PRA be "user-friendly," i.e., readily reviewable, economically updatable, with ease of information extraction by a variety of users beyond those interested solely in the bottom-line core melt frequency and risk estimates. To achieve its full potential the PRA thus must be reviewable, updatable, and usable over the 40-year lifetime of the plant, or be what some have termed a truly "living document."

Potential users not now considered in PRA document design include plant Reliability Program personnel (including management and design, maintenance, test, and engineering staffs), human reliability personnel, and regulatory inspectors in the field. The message here for regulators and for plant owners and managers alike is that a plant PRA is a snapshot in time of the safety level of the plant. Unless management mechanisms are set in place to continuously utilize the PRA as guidance in maintaining an acceptable level of safety over plant lifetime, and in so doing keep the PRA current to reflect the as-built plant and its operating procedures, the plant could drift with time into an unacceptable safety regime.

Thus, PRA now has a role, and appears to have an increasing role, in addressing quantitatively all four of these fundamental questions. The ability of the NRC to address these questions is directly dependent upon the ability of the NRC to identify and develop useful PRA techniques and, of course, the acceptability and practicality of the PRA techniques themselves. Thus, the capability of NRC to use PRA in the regulatory process depends upon several factors. Chief among these are, in the opinion of the author:

(1) the acceptability and practicality of PRA methods in addressing plant-specific and generic issues and in evaluation of the appropriateness of risk reduction options, and

(2) the acceptability and practicality of PRA methods for assuring that an acceptable level of risk is maintained throughout the life of the plant.

Both acceptability and practicality are necessary attributes. The term acceptability implies methods that allow analysis to be done that is sufficiently broad in scope to treat issues relevant to a regulatory decision, and that the treatment of the issues will be judged appropriate and sufficiently accurate by the relevant technical and policy-making community. The attribute of practicality implies in part that the methods are compatible with the regulatory process in which the analysis is being done. It is also the opinion of the author that this ultimate compatibility cannot be achieved until a shift is completed from prescriptive to performance-based regulation, wherein the PRA is used to set reliability targets, to trigger alert and action levels, and to monitor trends and performance.

For more discussion on activities related to questions 1 and 2 of Figure 1, the reader should consult the references. In what follows, discussion will be focused on relatively new and as yet little-publicized NRC research initiatives dealing with questions 3 and 4.
3. RECENT NRC RESEARCH INITIATIVES IN REGULATORY USAGE OF PRA METHODS

In this section will be described four relatively new programs of the NRC Office of Research, each of which is investigating the potential benefits of using PRA methods to improve the effectiveness of those portions of the regulatory process dealing with reduction of risk and maintenance of an acceptable level of risk over plant lifetime.

3.1 Use of PRA in evaluating proposed requirements

The NRC has a responsibility to continuously evaluate the safety requirements utilized in its reviews against new information as it becomes available. Information related to the safety of nuclear power plants (NPPs) comes from a variety of sources such as experience from operating reactors, research results, NRC staff and safety reviews, and architect/engineer, vendor, and utility design reviews. Each time a new concern or safety issue is identified from one or more of these sources, the need is assessed for immediate action to assure safe plant operation. The assessment includes consideration of the generic implications of the issue. The use of risk and cost analyses for the evaluation of the safety significance and cost effectiveness of specific modifications to the plant has been shown effective for the prioritization of generic safety issues and the review of generic requirements. These analyses have, with few exceptions, considered each proposed requirement independently.

The NRC Committee for the Review of Generic Requirements (CRGR) currently requires the use of risk and cost analyses in the evaluation of proposed changes to NPP safety requirements. These analyses are generally based on results of plant-specific PRAs that unfortunately have not been updated to reflect the plant modifications that have taken place since the completion of the PRA. The concern of the CRGR is that no measurement of progress toward improved safety levels is being made. This could cause multiple modifications to be made in related areas of the plant, with the actual combined benefit being much less than the sum of the benefits of each requirement calculated independently. Thus, there is a need to ascertain the cumulative effect of the safety implications of both actual and proposed plant modifications and to permit ready display of results.
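The CRGR concern can be made concrete with a small calculation. The following is an added example, not code from the paper or from the SARA system. Its plant model is constructed for illustration only: an assumed initiating-event frequency, a handful of basic events with assumed unavailabilities, two minimal cut sets, and two hypothetical proposed requirements (the names DG_A, DG_B, AFW_P, OP_REC and the "Req-1"/"Req-2" labels are inventions). It evaluates each proposal against the unmodified plant, as such analyses have usually been done, and then evaluates both together, so the gap between the sum of the independent credits and the true cumulative benefit is visible.

```python
"""Cumulative versus independent risk-reduction credit for proposed requirements.

Added example (not part of the original paper or of the SARA system).
The plant model, component names and numbers below are constructed for
illustration only; they are not taken from any PRA.
"""

# Constructed Level-1 model: one initiating event (loss of offsite power,
# assumed frequency per reactor-year) and its minimal cut sets, each a set of
# basic events whose joint failure leads to core melt.
INIT_FREQ = 0.1  # assumed initiating-event frequency, per reactor-year

BASIC_EVENTS = {          # assumed unavailability per demand
    "DG_A":   0.06,       # diesel generator A fails to start/run
    "DG_B":   0.06,       # diesel generator B fails to start/run
    "AFW_P":  0.02,       # auxiliary feedwater pump train unavailable
    "OP_REC": 0.3,        # operator fails to recover offsite power in time
}

CUT_SETS = [
    {"DG_A", "DG_B", "OP_REC"},   # station blackout, not recovered
    {"DG_A", "DG_B", "AFW_P"},    # blackout plus loss of decay heat removal
]


def core_melt_frequency(q: dict[str, float]) -> float:
    """Rare-event approximation: initiator frequency times the sum over cut
    sets of the product of the basic-event unavailabilities."""
    total = 0.0
    for cs in CUT_SETS:
        p = 1.0
        for ev in cs:
            p *= q[ev]
        total += p
    return INIT_FREQ * total


def apply(q: dict[str, float], mods: dict[str, float]) -> dict[str, float]:
    """Return a copy of q with the listed unavailabilities replaced."""
    out = dict(q)
    out.update(mods)
    return out


# Two hypothetical proposed requirements, each expressed as the unavailability
# it is claimed to achieve for the affected basic events (assumed values).
PROPOSALS = {
    "Req-1: DG reliability 0.99":   {"DG_A": 0.01, "DG_B": 0.01},
    "Req-2: SBO recovery training": {"OP_REC": 0.1},
}


def independent_benefits(q=BASIC_EVENTS) -> dict[str, float]:
    """Risk reduction of each proposal evaluated against the unmodified plant,
    which is how such analyses have usually been done."""
    base = core_melt_frequency(q)
    return {name: base - core_melt_frequency(apply(q, mods))
            for name, mods in PROPOSALS.items()}


def cumulative_benefit(q=BASIC_EVENTS) -> float:
    """Risk reduction when all proposals are implemented together."""
    mods = {}
    for m in PROPOSALS.values():
        mods.update(m)
    return core_melt_frequency(q) - core_melt_frequency(apply(q, mods))


if __name__ == "__main__":
    base = core_melt_frequency(BASIC_EVENTS)
    ind = independent_benefits()
    print(f"baseline core-melt frequency  {base:.3e} /yr")
    for name, d in ind.items():
        print(f"{name:32s} -{d:.3e} /yr")
    print(f"sum of independent credits    -{sum(ind.values()):.3e} /yr")
    print(f"actual cumulative benefit     -{cumulative_benefit():.3e} /yr")
```

With these assumed numbers the two independent credits add up to more than the baseline core-melt frequency itself, because both proposals attack the same cut sets; the cumulative calculation is the only one that can be compared against the baseline.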

To meet this need, the NRC Office of Research has initiated a program to develop a Systems Analysis and Risk Assessment (SARA) system. The direct purpose of the program is to develop a capability for computation and analysis of NPP risk characteristics, using state-of-the-art, user-friendly and modularized computer software and existing NPP risk information developed under two other key current research programs. The SARA system will enable a time-dependent display of cumulative costs and risk reduction benefits resulting from past or future implementation of the resolution of a number of generic issues. Ultimately, it will provide a methodology for tracking, trending, and sequencing of the effects of treatment of generic issues, and for displaying their relationships.

In the past few years several NRC research programs have developed and applied probabilistic risk and reliability analysis methods to determine and evaluate the reliability of plant safety systems and the level of risk associated with core damage accidents. One program, the Accident Sequence Evaluation Program (ASEP), has provided a catalog [9] of plant safety system failure logic models, accident sequence likelihood estimates, and information on a variety of plant risk and safety system reliability characteristics derived from a number of NRC and industry-sponsored PRAs. Information on containment systems performance and failure modes, fission product source terms, and health consequences is being developed under the Severe Accident Risk Reduction Program (SARRP), scheduled for completion in the spring of 1986.

Thus, risk and reliability information important to evaluating and understanding the dominant risk characteristics of NPPs will soon be available for access on large mainframe computers. Access to large mainframes is often costly, if not prohibitive for security reasons. These constraints allow only limited numbers of people to access this wealth of information. The development of high-performance microcomputers eliminates this major obstacle and provides greater capabilities to interact with the data to a large number of users.

Figure 2 is a block diagram outlining the SARA system structure, highlighting its interfaces with the user, input files, and mainframe storage. The lower left block represents the capability of access to a mainframe computer to extract and/or update the necessary data files. The upper left block illustrates the type of information extracted from the mainframe to be reformatted for direct input to SARA. The upper right block itemizes some of the manipulation and computing capabilities available to the user, and the lower right block represents the modes of output available.

The SARA system is being designed as a flexible tool to support different levels of users requiring risk and reliability information for decisionmaking and regulatory analyses. Initially, it will provide a capability for computation and analysis of information on NPP risk characteristics for six plants being analyzed in depth under SARRP. The system will have the capability to search, sort, and compare safety system reliability, accident likelihood, consequence, and risk information. The system will also provide a capability to perform sensitivity studies on these reliability and risk characteristics. Eventually, the few initial plant data will be expanded to cover the 100 near-term and operating plants in a complete set of NPP plant classes now being finalized in ASEP.

Figure 2. SARA System Structure. [Block diagram; the following labels are recovered from the figure.] Database information: plant pedigree, systems description, basic event failure rates, recovery factors, accident initiators, sequence cut sets, importance measures, consequence. Compute: system reliability, sequence frequency, consequence, risk, basic event importance measures; recalculate after modify; sensitivity analyses. Manipulate: user edit, user records (basic events probability, initiating events frequency). Display: graphic and numeric, database info, computed results. SARA is menu-driven, user-friendly software on an IBM PC, with mainframe computer communications for complete plant models, systems trees, sequence trees, quantification, and interface with PRA codes. Output: screen, line printer, disc file.

The SARA system will support (to varying degrees) the following NRC applications:

(a) assessing the effectiveness of existing and proposed regulations, including backfits;

(b) prioritizing generic safety issues, research and licensing programs, and inspection activities;

(c) analyzing plant designs, systems operations, and procedures; and

(d) evaluating the significance of operational occurrences.

To permit modifications of the file structure and input/output, the SARA system will be developed in phases in a modularized fashion. The first phase was operational this past July 1985; it has a limited capability and is intended as a demonstration to solicit feedback from potential users and as a way of obtaining early identification of needed improvements. Based on the experience gained from use of the first-phase demonstration system, a second phase, to be operational by December 1985, will provide a more complete capability by including information for additional plants and by providing the user more powerful manipulation functions (e.g., improved search, sort, comparison, updating, requantifying, and display capabilities). A third and last phase will produce a final system that will allow users to modify the safety system logic models, alter event tree structure, and incorporate dependent failure analysis methods.

3.2 Use of PRA in improving technical specifications

In order to assure that a nuclear power plant (NPP) operates at the safety level perceived during the licensing review, certain operational limitations are specified in the facility's license. Most of these operational limitations are contained in a document known as the plant's technical specifications. Technical specifications are intended to delineate the safe operating envelope and are derived from assumptions of the safety analyses that may in fact vary with time or circumstances over the life of a plant.

A number of problems with technical specifications have evolved over the years. Today, the compilation of technical specifications has grown to over 500 pages and several thousand surveillance requirements. The absence of specific criteria as to the content of technical specifications has resulted in numerous items of vastly differing levels of importance being included, as well as requirements that are occasionally inconsistent. This situation tends to divert attention from principal safety parameters while focusing attention on detailed surveillance of lower-importance systems. The voluminous technical specifications have also become burdensome and costly to utilities, yet do not contribute corresponding benefits to safety. Further, some technical specifications are complex and difficult for the control room operators to implement, and others may actually be adverse to safety (e.g., certain forced shutdowns when in fact continued steady-state operation is the safest plant condition). Other concerns have been expressed regarding excessive testing contributing to component wear, added maintenance downtimes resulting from component wear, unnecessary test downtimes, introduction of human errors, and the potential for common-cause failures. Finally, the NRC has not in the past discriminated between utilities with excellent preventive maintenance programs, who may not need prescriptive technical specifications, and utilities with poor preventive maintenance programs, who may need them. Rather, the NRC and industry have concentrated on standardized specifications which would be applied to utilities uniformly to protect against the worst performers. This practice tends to place unnecessary burdens upon the good performers.

In order to address these various problems, the NRC has undertaken some initiatives for improving the technical specification process. One of these initiatives was to establish a broad-based research program to examine the issues that arise in addressing various alternative means for evaluating the safety implications of technical specifications.

NRC regulations (10 CFR 50.36) require that NPP technical specifications include the five areas shown in the top row of Figure 3. One portion of our program is currently concentrating on three of these, namely safety limits, allowed outage times (AOTs) and surveillance test intervals (STIs). These areas lend themselves to analysis and enhancement by reliability and risk techniques and, in general, include the nine plant functions (see bottom row of Figure 3) that need to be addressed.

Figure 3. Technical Specifications: Illustrative Areas of Interest. [Figure; the top row lists the five technical specification areas required by 10 CFR 50.36 (the labels "Safety Limits" and "Surveillance Requirements" are legible), the middle band is labeled "Current NRC PRA Research on Tech Spec Improvement," and the bottom row lists the nine plant functions; the remaining labels are illegible in the source.]

A main product of this research program will provide the NRC with a quantitative and coherent procedure for responding to licensee submittals that request extension to and/or modifications of plant technical specifications.

Owing to the comprehensive nature of investigation into this research area, related products will provide technical guidance for resolution of generic issues B-56 (on diesel generator reliability) and B-61 (on emergency core cooling system AOT). An examination of NPP data on the experience with diesel generators indicates that the emergency onsite diesel generators have an average reliability of about 0.94, compared with NRC's goal of 0.99. Events which result in a loss of offsite power necessitate reliance on the onsite emergency diesel generators for successful accident mitigation, and improvement of the starting reliability of the emergency generators will reduce the probability of events which could escalate into a core-melt accident. Similarly, studies have shown that the unavailability contribution to the ECCS from testing, maintenance, and allowed equipment outage time ranges from 0.3 to 0.8 of the total unavailability. This statistic emphasizes the degradation in equipment availability which can result when too frequent test or maintenance is required of standby safety systems which must be removed from normal service to perform such test and maintenance.

The maintenance unavailability of a component depends not only on the average length of time that a component is out for maintenance, but also on the frequency with which the maintenance is performed. Currently technical specifications do not control the frequency of such component unavailability, but it is possible that a cumulative outage limit may be effective in doing so. To provide guidance on resolving these generic issues, the program will investigate several robust criteria which are considered essential to the development of a methodology to relate cumulative outage time with component reliability level, system configuration, and surveillance frequency.

In fact, the NRC Procedures for Evaluating Technical Specifications (PETS) Program has identified a number of areas where PRA can be used to improve technical specifications [10]. These include:

1. determining limiting safety system settings and safety limits,
2. judging risk importances of AOTs and STIs,
3. determining acceptable values for AOTs and STIs,
4. deciding on a one-time extension or STI exemption,
5. making cumulative downtime allotments,
6. determining the need to test after failure,
7. selecting the type of surveillance test to be performed,
8. transferring technical specifications to supplemental specifications,
9. considering shutdown risk in formulating action statements.

The following discussion of the use of PRA in addressing the first three of these items has been condensed and paraphrased from one of W. E. Vesely's recent publications [10].

W. E. Vesely has shown that, in regard to the first item, PRA can give the risk importance of limiting safety system settings, since PRAs contain as risk contributors failures of safety system settings, where failure is an unsafe setting such that the system is not actuated. In fact, the size of the risk contribution can be taken as the risk importance of specific settings. In general, PRAs show that a single system setting failure has negligible impact. For example, from one PRA any of the individual sensors in the RPS could be failed with negligible increase (less than or equal to 1x10^-[exponent illegible in source]) in the core-melt frequency. Thus, what PRAs generally show as important risk contributors are critical sets of settings all being failed. For example, failure of all the multiple pressure sensors to a signal path of the actuation system might cause the core-melt frequency to increase from 5x10^-5 to 5x10^-4. Thus, PRAs can show that what needs to be controlled from a risk standpoint are critical sets of settings all being failed. Equivalently, PRAs identify the minimal sets of settings which need to be correctly specified. If all the settings of one minimal set are correctly specified, then risk will be controlled regardless of the other settings.

From a risk standpoint, safety limits should also be established to control the dominant risk contributors. In general then, from what we have learned from PRAs to date, safety limits should at least be established to respond to transients and small LOCAs, since these initiators have been shown to be dominant risk contributors. Thus, current limits which are based on large LOCAs are not necessarily risk effective because of the small risk contribution from these initiators. Specific criteria for safety limits can thus logically be obtained from the temperature, pressure, flux and flow characteristics associated with the dominant accident sequences.

In regard to the second item, PRA can provide the risk importances of AOTs and STIs. In fact, risk importance approaches have been published for determining the risk importance of AOTs and STIs [10]. In general, PRAs can identify numerous AOTs and STIs which are insignificant to risk. For example, from one PRA it was shown that approximately 30 percent (150) of the components modeled each would have a core-melt frequency contribution of less than 5x10^-8 even if they were never tested or repaired. Obviously, PRAs can also identify those risk important AOTs and STIs whose values need to be specified.

PRA can provide critical combinations of components which need to be controlled since PRAs give as important risk contributors critical combinations of components being simultaneously down for either testing or maintenance. PRAs have shown that these critical combinations of downed components can cause core-melt frequency to increase by an order of magnitude or more. Current technical specifications often do not recognize these combinations because the components are in different systems. Obviously then, from a risk standpoint, it is more important to control these critical combinations than to control on an individual AOT and STI basis.

In order to be able to systematically identify the risk-important and risk-unimportant AOTs and STIs for implementation into technical specification changes, the PETS program is developing methods to identify risk importance approaches to categorize AOTs and STIs, define risk importance approaches to identify the critical combinations of components which need to be controlled, and for applying the importance approaches either in a generic or plant-specific manner to identify the critical AOT and STI combinations.

Also from [10] and for the third item, PRAs might be used to define risk acceptable values for the risk-important AOTs and STIs. Risk acceptable values for AOTs might then be used to control the risk from one downtime and control the risk from the projected number of downtime occurrences during the plant lifetime (or some other reference period).

Risk acceptable values for STIs might also be defined to control the risk from failures occurring between tests and the risk from test-caused degradations and test downtimes. However, it seems that the utilization of PRAs to specify acceptable AOTs and STIs requires that some form of numerical criteria be defined for what constitutes acceptably small AOT and STI risks. In some cases, it might be possible that risk trade-off evaluations could be performed in lieu of using numerical criteria.

Thus, to implement changes in technical specifications that specify acceptable values of AOTs and STIs based on risk considerations, one must first develop systematic approaches for evaluating AOT and STI risks and then define criteria for specifying what constitutes acceptable AOT and STI risks.

The PETS program is scheduled to publish a procedures guide, in January 1986, which will provide details on PRA use in addressing all nine items.

3.3. Use of PRA in a Plant Reliability Program

NRC interest in a reliability program applicable to safety arose from incidents at operating reactors, particularly the Three Mile Island accident and the Salem reactor trip failures. NRC staff met with representatives of aerospace and defense industries to better understand reliability techniques that have proven successful in other applications. NRC and others sponsored surveys of reliability techniques that might be applicable to LWRs. In 1984, Argonne National Laboratory coalesced the results into a set of reliability elements that appear applicable to LWR safety. Brookhaven National Laboratory (BNL) was then engaged to evaluate the effectiveness of these elements [11].

The results of this planned evaluation of the effectiveness of reliability elements will serve two purposes. One is to serve as part of the technical basis for staff evaluations of trade-offs that licensees may propose to substitute reliability program elements in place of specific prescriptive requirements. The second purpose of this research is to help achieve NRC goals to shift its regulatory emphasis away from detailed prescriptive requirements toward performance criteria [12].

The concept of a reliability program that Argonne National Laboratory identified for evaluation [13,14] is illustrated in Figure 4. The reliability elements form a closed loop, similar to a widely-used management system described by Kepner and Tregoe [15]. In this concept, the utility sets performance standards, including reliability targets, establishes management controls and standards to achieve these targets, monitors the operation to recognize substandard performance, prioritizes and identifies the root causes of important problems, and takes appropriate corrective action.

Within this general framework, individual reliability techniques would be selected and applied as appropriate to the particular problems being addressed. Such reliability techniques could include, for example: use of PRA to set reliability/availability goals or targets; analyzing plant reliability and risk to help identify and prioritize weaknesses in plant design and operating procedures; specifying requirements for reliability and maintainability in purchase specifications; developing (as suggested in Section 3.2) technical specifications that reflect risk considerations in the selection of surveillance test intervals, allowed outage times, and action statements; computerizing a configuration-control system to help keep track of equipment status, action statements, and commitments; collecting and analyzing reliability data, both plant-specific and industry-wide, to help identify risk-important events and trends; and monitoring reliability vs. alert levels to alert utility management to potential problems.

Brookhaven National Laboratory is now beginning an evaluation of this concept of an integrated reliability program and its elements. The evaluation involves four steps:

o Case studies. Wherein the NRC and its contractor, BNL, plan to discuss reliability practices with about five utilities to better understand problems related to reliability that utilities are facing, the effectiveness of reliability elements to resolve these problems, and the attributes (reasonable applications and success criteria) of successful reliability programs.

o Initial trial application. In this phase, BNL will be conducting, with a cooperative utility, a trial application of a reliability program to one system at one plant.

o Broader trial application. Here the program will be expanded to apply what was learned from the initial trial application to a broader trial application to several systems at one plant.

Figure 4. Reliability Program Flow Diagram. (Diagram not reproduced; it shows a continuous process of operation, problem analysis and corrective action as a closed loop of boxes: Define Objectives, Monitor Operation, Specify Deviations, Identify Root Cause, Take Action.)

The experience gained and knowledge acquired of effectiveness of reliability program elements and management could be translated into an industry reliability program standard through a cooperative effort among industry groups and the NRC.

3.4. PRA Application to NRC Inspection Program

The objective of the PRA Application to NRC Inspection Program being performed by NRC contractor personnel at JBF Associates, Inc. (in Knoxville, Tennessee, U.S.A.), is to develop methods for applying the results of probabilistic risk assessments (PRAs) to manpower allocation decisions made by NRC inspectors.

Accomplishing this objective will help inspection personnel decide which of the activities that demand their time have the greatest risk-reduction or safety-assurance potential.

Two key observations made early in the first phase of this program have had a major influence on the program's direction. First, PRAs are limited to quantifying a plant's bottom-line risk and showing how important various component and system failures are to this risk. While inspection personnel do inspect individual components and systems, they are validly more concerned with assuring that nuclear power plant owners have adequate reliability programs in place.

Equipment reliability performance is a useful barometer for evaluating a licensee's programs; however, when equipment performance suffers, inspection personnel are more effective if they focus on the mechanisms owners have in place to evaluate and correct root causes of failures rather than responding to individual failure events.

With that observation in mind, Phase I of the program continued until a four-step procedure was developed to relate PRA results to inspection decisions. These steps are:

1. Relate system and component failure probabilities to plant risk.
2. Relate root causes of failure to system and component failures.
3. Relate reliability program elements to root causes of failure.
4. Relate inspection actions to reliability programs.

The first step is accomplished using the results of a PRA. The second step, relating root causes of failure to system and component failures, is the key step in this procedure because if the various root causes of failures can be ranked according to their importance to plant risk, the door is then opened for inspection personnel to carry out the last two steps.

Thus, the gap between PRA results and the needs of inspection personnel can be bridged by identifying the relationships between root causes of failure and system and component failures. The NRC has programs in progress to evaluate various data sources from which to extract root causes of failure and root cause fractions contributing to component failure modes.

The second observation that influenced the direction of the PRA Application to NRC Inspection Program is that PRA reports are written in the language used by PRA practitioners, a language that is not readily understood by others. Phase II of the program is focusing on developing a program, for installation on a microcomputer, which can be used to present PRA-based information in a manner that can be readily used by inspectors as an aid in making decisions. The Plant Risk Status Information Management System (PRISIM) is a decision-oriented, user-friendly, menu-driven program that contains data base management and interactive routines that will aid inspectors in allocating their efforts toward those areas where they will have the greatest impact on safety.

A computer program was chosen to catalog and present the PRA information because the total amount of information is large, but the amount needed for any particular decision is relatively small. PRISIM allows the user to quickly and logically access the desired information without being overwhelmed by enormous quantities of data. PRISIM's data base consists largely of screen images that present PRA information in both textual and graphic formats. Each screen image also acts as a menu, giving the user options to see more detailed information in the area of his interest.

As one option in the program, PRISIM will list NRC Inspection modules and procedures, identify decisions inspectors must make to implement the procedures effectively, and direct the user to more displays of PRA-based information that influence specific decisions of interest. The user indicates to PRISIM the areas of interest he wishes to pursue by using a cursor. The position of the cursor on the screen determines what information the data base management routine will present. The user does not need to have a background in computer operation or PRA to use the program or understand and employ the information it presents.

Because some decisions made by inspectors depend on the current status of the plant, PRISIM contains an interactive routine that allows the user to specify components or subsystems that are out of service. The user is then apprised of the impact the specified condition(s) places on instantaneous risk and the components that are most critical to maintaining plant safety under the specified condition(s). Thus inspectors can plan their actions using PRA-based information integrated with plant status information.

The risk-based information being selected for presentation by PRISIM is complete within itself and will be as compatible as possible with the four-step approach developed in the first phase of this program.

However, all the root cause information needed to implement this approach is currently not available. As this information is documented, PRISIM will be updated and will become an even more useful tool for inspection planning and decisionmaking.

Programs like PRISIM can also be tailored for nuclear plant owners and operators. The benefits to an owner or operator having such a program derive readily from the easily and rapidly accessible PRA results displayed in a comprehensible manner that can help with the day-to-day and long-range planning decisions associated with operating such a complex plant.

As an example of PRISIM use, let us suppose that an inspector at Arkansas Nuclear One, Unit 1 (ANO-1), has just learned that pump p36C has just been declared inoperative. Following the sequence of displays in Figure 5, the resident inspector first selects "continue" to get into the program master menu (Figures 5a and 5b). From the master menu, the inspector then opts to view the listing of PRA-based information available in the program. This information is displayed in Figure 5c.

Wishing to know the importance of pump p36C being out of service, the inspector then selects item 2 from the list, risk impacts of various out-of-service systems/components, which brings Figure 5d to the computer display. Here PRA information has been used so that the inspector is now informed that core melt frequency increases by certain factors when various systems are out of service. In particular, pump p36C is in the high pressure injection system (HPI) which, when it is out of service, increases risk by a factor of 58.

Wishing to know additional details about the component, the inspector then selects item 9 (high pressure injection) which evokes the display of Figure 5e, the schematic of the HPI. Here the cursor is moved over pump p36C to obtain the display of Figure 5f where PRA information has again been used to discover that single failures now exist and that with pump p36C out of service, plant risk has increased by a factor of 8.3. Wishing to pursue the single failure warning indicated, the inspector now puts the cursor over WARNING, which provides the additional information in Figure 5g from which he opts for the information on control valve CV6036 displayed in Figure 5h. From here it is learned that loss of control valve CV6036 results in loss of pump p36A also.

What about pump p36B? As shown in Figure 5h, the inspector has selected LAST BP (last branch point). This recalls the display of Figure 5e where the inspector moves the cursor over pump p36B, follows a similar sequence (not shown), and discovers that loss of control valve CV6036 indeed also causes loss of pump p36B. The user can return to the master menu or evoke the previous display by moving the cursor over MASTER or PREVIOUS, respectively. To exit the program, the user moves the cursor over ESCAPE, which calls up the initial display (Figure 5a), where the cursor is moved to QUIT.

Figure 5. PRISIM Display Sequence. (Screen images not reproduced; the recoverable content of each panel follows.)

(a) Title screen: Plant Risk Status Information Management System, Arkansas Nuclear One - Unit 1.

(b) Master menu offering listings of the PRA-based information, inspection programs and inspection modules addressed in the program.

(c) PRA-based information available in this program: 1. dominant contributors to plant risk; 2. risk impacts of various out-of-service systems/components; 3. risk impacts of selected human errors; 4. rankings of systems/subsystems/components/human errors according to their contributions to plant risk; 5. overall risk significance of systems/subsystems/components/human errors; 6. single failures that can cause a system to fail when a component is out of service; 7. listing of plant LERs grouped by component type (continued).

(d) Risk impact of a system that is out of service, as the factor by which core melt frequency increases:
1. Emergency DC power: 21,000
2. Reactor protection: 2,100
3. Emergency AC power: 280
4. Service water: 78
5. Emergency feedwater: 68
6. Emergency feedwater initiation control: 68
7. Battery and switchgear emergency cooling: 62
8. Safety relief: 38
9. High pressure injection: 58
10. Engineered safeguards actuation: 4.2
11. Low pressure recirculation: 4.1
12. High pressure recirculation: 3.5
13. Low pressure injection: 1.6
14. Power conversion: 1.4
15. Core flood: 1.2
(To see the risk impact of a component failure, select the system containing the component.)

(e) High pressure injection system schematic; the component of interest is selected with the cursor.

(f) HPI pump P36C is out of service. WARNING: single failures that are not covered by tech specs exist within the HPIS support systems and can cause the HPIS to fail. CAUTION: single failures that are covered by tech specs also exist within the HPIS and its support systems and can cause the HPIS to fail. Risk increases by a factor of 8.3. Further options: how the risk increase for pump P36C compares to that for other components in the HPIS; the historical causes of failure for P36C and similar pumps; what other components are realigned to remove pump P36C from service and/or restore it to service; the tech specs concerning pump P36C.

(g) Single failures that are not covered by tech specs when pump P36C is out of service (failure of any of these components in combination with the failure of pump P36C causes the failure of the HPIS): 1. control valve CV6036 (3-way valve in the emergency switchgear room cooling system); 2. control valve CV3808 (service water valve upstream of HPI pump P36A lube oil cooler); 3. fan VUC7A (makeup pump room cooling fan); 4. circuit breaker CB5214 (control power to control valve CV3808); 5. circuit breaker CB5216 (control power to makeup pump room cooler VUCM-7A).

(h) Control valve CV6036: in the event of an accident, if control valve CV6036 is out of service, then the chill water unit is out of service and all chilled water to the Room 100 cooler is lost; this will cause a loss of electrical power to HPIS pump P36A (room cooling for 4.16 kV switchgear).

This experimental inspector aid is scheduled for test at ANO-1 beginning December 1985. Upon completion of a successful test, the program will probably enter a production mode with similar programming of information from other plant-specific PRAs. Meanwhile, the utility of programming information from the ASEP-dominant accident sequences will be investigated.
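To make concrete the quantities this section and Section 3.2 talk about (the factor by which core-melt frequency increases while a component is out of service, the single failures that then remain, and the critical combinations of components that individual AOT limits do not see), here is a small minimal-cut-set model. This is an added example, not code from the paper, the PETS program or PRISIM; the component names, cut sets, unavailabilities and initiator frequency are constructed for illustration and are not ANO-1 PRA values.

```python
"""Risk-importance arithmetic behind PRISIM-style displays (added example).

Everything here (component names, minimal cut sets, unavailabilities and
the initiator frequency) is constructed for illustration; it is not data
from the ANO-1 PRA, the PETS program or PRISIM.
"""
from itertools import combinations
from math import prod

# Constructed minimal cut sets for a simplified high-pressure injection (HPI)
# function: injection is lost if every component in any one set is unavailable.
# The two-element set models the situation the text describes for CV6036,
# where a single support-system valve defeats two pumps at once.
HPI_CUT_SETS = [
    frozenset({"PUMP_A", "PUMP_B", "PUMP_C"}),     # all three injection pumps
    frozenset({"PUMP_C", "COOLING_VALVE"}),        # valve fails room cooling for A and B
    frozenset({"PUMP_A", "PUMP_B", "BREAKER_C"}),  # breaker feeds pump C control power
]

# Constructed per-demand unavailabilities (hypothetical values, not plant data).
BASE_UNAVAILABILITY = {
    "PUMP_A": 3e-3, "PUMP_B": 3e-3, "PUMP_C": 3e-3,
    "COOLING_VALVE": 1e-3, "BREAKER_C": 1e-3,
}
INITIATOR_FREQUENCY = 0.5  # constructed: HPI demands per reactor-year


def function_unavailability(q, cut_sets=HPI_CUT_SETS):
    """Min-cut upper bound: 1 - product over cut sets of (1 - P(cut set)),
    where P(cut set) is the product of its component unavailabilities."""
    return 1.0 - prod(1.0 - prod(q[c] for c in cs) for cs in cut_sets)


def core_melt_frequency(q, cut_sets=HPI_CUT_SETS):
    """Core-melt frequency contribution from sequences in which this one
    function fails on demand (a fragment of a PRA, not a whole plant model)."""
    return INITIATOR_FREQUENCY * function_unavailability(q, cut_sets)


def with_out_of_service(q, *components):
    """Copy of q with the named components certain to be unavailable, which
    is how an out-of-service condition is represented in the model."""
    q2 = dict(q)
    for c in components:
        q2[c] = 1.0
    return q2


def risk_increase_factor(*components, q=BASE_UNAVAILABILITY, cut_sets=HPI_CUT_SETS):
    """Factor by which core-melt frequency rises while the components are out
    of service: the kind of number PRISIM reports (e.g. 8.3 for pump P36C)."""
    base = core_melt_frequency(q, cut_sets)
    return core_melt_frequency(with_out_of_service(q, *components), cut_sets) / base


def single_failures_given(out_of_service, cut_sets=HPI_CUT_SETS):
    """Components whose failure alone now fails the function: every cut set
    that contains the out-of-service component plus exactly one other."""
    return sorted(
        next(iter(cs - {out_of_service}))
        for cs in cut_sets
        if out_of_service in cs and len(cs) == 2
    )


def critical_pairs(q=BASE_UNAVAILABILITY, cut_sets=HPI_CUT_SETS, top=3):
    """Rank pairs of components by the risk increase when both are down at
    once: the 'critical combinations' of Section 3.2 that per-component
    AOTs do not control because the components sit in different systems."""
    ranked = sorted(
        ((risk_increase_factor(a, b, q=q, cut_sets=cut_sets), a, b)
         for a, b in combinations(sorted(q), 2)),
        reverse=True,
    )
    return [(a, b, round(f, 1)) for f, a, b in ranked[:top]]


if __name__ == "__main__":
    print(f"base core-melt contribution: {core_melt_frequency(BASE_UNAVAILABILITY):.3e}/yr")
    print(f"PUMP_C out of service: risk x{risk_increase_factor('PUMP_C'):.1f}")
    print("single failures now able to fail HPI:", single_failures_given("PUMP_C"))
    print("most critical simultaneous outages:", critical_pairs())
```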

4. CONCLUSIONS

A characterization of activities of those involved in regulation of nuclear power plants exists in the form of four basic questions. In seeking or using answers to the four basic questions, "What is an acceptable level of plant safety?", "How safe are the plants?", "How should risk best be reduced if need be?", and "How should an acceptable level of risk be maintained over plant lifetime?", PRA is seen as playing a very natural and increasing role. In particular, the U.S. NRC Office of Research has four relatively new research initiatives that hold promise for aiding the regulator in dealing with the penultimate and the last of the four questions.

In particular, for the penultimate question, the SARA computer system will soon be available to provide a means for assessing combined effects on industry of accumulating regulatory requirements. The system holds promise as a valuable tool in avoidance of overregulation.

In response to the fourth question, PRA use in formulating technical specifications seems another promising role for the technique. In addition, the NRC might use the concept of a plant reliability program, in which technical specification formulation and analysis would be part, to move from prescriptive to performance based regulation. The first step in this direction might be to revisit selected AOTs and STIs and downgrade or discard those with little or no risk significance. Additional steps could determine how to relax some other AOTs and STIs in return for demonstrated highly reliable performance.

The concept of a reliability program now being developed, and soon to be evaluated at the NRC, involves a simple closed-loop framework within which to apply selected reliability and management techniques appropriate for the particular problem to be resolved.

Planned case studies and trial use with a cooperative utility will evaluate the effectiveness of reliability program elements in helping to resolve or prevent safety problems.

Finally, an NRC contractor is demonstrating the use of PRA as an aid to the resident inspector. PRA information is extracted and presented to the inspector in a user-friendly computer program, PRISIM, which the inspector can use to prioritize his activities, and thereby better use his very limited time and resources through identification of the risk significance of occurrences at the plant. This same computer program could also be used to good advantage by owners in the context of a plant reliability program. A main feature of PRISIM is that the PRA models, the mass of event trees and fault trees, are totally transparent to the user. What the user sees are results which, of course, is what we are all after in the first place.

REFERENCES

[1] Reactor Safety Study, WASH-1400 (NUREG-75/014), U.S. Nuclear Regulatory Commission, October 1976.

[2] Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, Sandia National Laboratories, Albuquerque, New Mexico 87185, October 1980.

[3] PRA Procedures Guide, NUREG/CR-2300, U.S. Nuclear Regulatory Commission, January 1983.

[4] Interim Reliability Evaluation Program: Phase II Procedure and Schedule Guide, Sandia National Laboratories, Albuquerque, New Mexico, September 1981.

[5] Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application, NUREG-1050, U.S. Nuclear Regulatory Commission, February 1984.

[6] Safety Goals for Nuclear Power Plant Operation, NUREG-0880, Revision 1 for Comment, U.S. Nuclear Regulatory Commission, May 1983.

[7] Precursors to Potential Severe Core Damage Accidents: 1969-1979, A Status Report, NUREG/CR-2497, Oak Ridge National Laboratory, Oak Ridge, Tennessee 37831, June 1982.

[8] Precursors to Potential Severe Core Damage Accidents: 1980-1981, A Status Report, NUREG/CR-3591, Oak Ridge National Laboratory, Oak Ridge, Tennessee 37831, July 1984.

[9] Catalog of PRA Dominant Accident Sequence Information, NUREG/CR-3301, EG&G Idaho, Inc., Idaho Falls, Idaho 83415, July 1985.

[10] W. E. Vesely, "Ways by Which Probabilistic Risk Analysis (PRA) Can Be Used to Improve Technical Specifications," Battelle Columbus Laboratories, 505 King Avenue, Columbus, Ohio 43201-2693, August 1985.

[11] C. E. Johnson, "Operational Safety Reliability Research," International Conference on Nuclear Power Plant Aging, Availability Factor and Reliability, American Society of Metals, San Diego, California, July 8-12, 1985. Copies available from the author at U.S. Nuclear Regulatory Commission, Washington, DC 20555.

[12] U.S. Nuclear Regulatory Commission Policy and Planning Guidance 1985, NUREG-0885 Issue 4, U.S. Nuclear Regulatory Commission, February 1985.

[13] C. J. Mueller, "Operational Safety Reliability," Proceedings of the USNRC Twelfth Water Reactor Safety Research Information Meeting, NUREG/CR-0058, Volume 6, U.S. Nuclear Regulatory Commission, 1985.

[14] C. J. Mueller, et al., A Scoping Study of the Potential Effectiveness of an Operational Safety Reliability Program in Addressing Generic Safety Problems, NUREG/CR-XXXX (to be published), Argonne National Laboratory, 9700 South Cass Avenue, Argonne, Illinois 60439.

[15] P. C. H. Kepner and B. B. Tregoe, The Rational Manager, McGraw-Hill, New York, 1965.

t

r a s j

^

RELEVANCE OF PRA TO REGULATORY DEVELOPMENT 1

Dr. Gary R. Burdick Chief Reactor Risk Branch 4

Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission 1

Inter-Regional Training Course on Uses of Probabilistic Safety Assessment i Nuclear Power Training Center Oldbury-on-Severn Bristol, United Kingdom September 5, 1985 l

l

ACKNOWLEDGEMENTS The author gratefully acknowledges substantial contributions by Richard C. Robinson and Carl E. Johnson, both of the USNRC, to Sections 3.1, 3.2, and 3.3. Material and thoughts originally developed by Dr. W. E. Vesely, Battelle Columbus Laboratories, under the NRC-funded i>ETS Program, also contributed where indicated in Section 3.2.

Special thanks go to David Campbell, JBF Associates, Knoxville, Tennessee, for supplying part of the text and figures of Section 3.4.

l

. - .- - - - . - _ .. _ . - - - =. - --- . - - - - - -

i f

f RELEVANCE OF PRA TO REGULATORY DEVELOPMENT ABSTRACT Activities of regulators of nuclear power plant opera-tions are characterized in terms of four fundamental 4

questions. These questions are: How safe should plants be?

How safe are the plants? How should plant risk best be reduced if need be? How should an acceptable level of risk be maintained over plant lifetime? The provision of answers to these questions are inseparable elements of the role of the regulator in carrying out his charge to protect the public health and safety. The characterization thus provided is a natural setting for addressing the question of relevance of PRA to regulatory development. PRA methods development, PRAs themselves, and PRA applications are all clearly linked in supporting roles to regulatory activities.

With the stage thus set, four relatively recent -

research initiatives sponsored by the U.S. NRC Office of Nuclear Regulatory Research are then described. This i research will enable PRA results to be applied in new and

potentially quite beneficial ways by regulators and plant

! owners alike in seeking answers to the last two questions.

These new applications specifically deal with: coordinated 1 evaluation of proposed requirements, technical specifica-

'. tions improvement, plant reliability program development, and the application of PRA to the NRC Inspection Program. '

1 With the promise realized of improved methods for technical

! specification analysis coupled with effective implementation l of plant reliability programs, the way would be paved for a l movement from prescriptive to performance-based regulation.

i

1. INTRODUCTION l

l Significant strides have been made in Probabilis-

! tic Risk Analysis (PRA methods since the Reactor Safety Study (RSS) [1]) laid the four.dation for the PRA i activity that followed. These include a more detailed l breakdown of initiating events and better data on their i probability of occurrence. Event tree analysis has become more proceduralized as well as more detailed.

Fault tree methods have been better delineated. Human 4

reliability methods have been better developed and a handbook promulgated [2]. Improved computer programs i allow quantification of accident sequences more

! efficiently and accurately. Much more experimental evidence and improved codes now exist for core melt i

...,-.,--.,-n, ,--- , ------ - - - - - , - , ---,---_m- , - ,.,,n-.,a-- ,,-,n--- ,-,-n.~n--,, , . , , . , - - , - - - . , , - . - - - - , , , , , - - , , - , , , , , ,

l 1

j . 2 l l

j phenomenology and containment response. Improved codes also exist for offsite consequence analysis.

Under the auspices of the Institute of Electrical 1 and Electronic Engineers (IEEE) and American Nuclear i Society (ANS), wide peer review has been given to the methods now being used in risk analysis, and widely accepted methods were selected and published in the PRA l

Procedures Guide [3]. Prescriptive procedures have j been developed and tested for the PRA analysis of plant systems and are delineated in the IREP Procedures Guide

[4].

1 l Recently the U.S. Nuclear Regulatory Conriission (NRC) published a document that describes the current status of PRA as practiced in the nuclear regulatory process. The document is titled Probabilistic Risk ~

Assess'nent (PRA): Status Report and Guidance for Regulatory Ap)lication L5]. The document reviews the PRA studies t1at have been completed or are underway, discusses the levels of maturity of the methodologies used in a PRA and the~ associated uncertainties, lists

the insights derived from PRAs, discusses the potential l

uses of PRA results for regulatory purposes, and high-lights areas where research could improve the utility

' of PRA information in regulation.

In the nearly 2 years since completion of the Status Report, applications of PRA to nuclear power plants have experienced increasing use and cautious yet increasing acceptance, particularly in addressing regulatory issues. This usage has spanned a broad range of applications including setting regulatory priorities, resolving generic issues, evaluating proposed regulation changes, judging plant safety as part of licensing hearings, and attempts at identifying outlier plant characteristics. Current trends such as the safety goal evaluation, preparation of guidance for industry use in PRA, and the staff recommendation for a safety assurance program at the Indian Point plant foreshadow even greater usage of PRA and its methods and insights within the regulatory process. Moreover, management attention at the highest levels in the NRC is being given to the development and implementation of PRA-based methods for a number of end uses within the agency. It is the purpose of this paper to clearly depict the emerging role of PRA in regulation of nuclear power plants, and to describe four specific areas where PRA methods are currently being explored by the NRC Office of Research for expanded use in the regulatory process.

2. OVERVIEW OF PRA ROLES IN REGULATION

Activities of individuals involved in regulating nuclear power plant operation can be characterized as being aimed at supplying or in some way using answers to four basic questions:

(1) What constitutes acceptable risk from nuclear power plants?

(2) What is the risk from nuclear power plants?

(3) How could that risk be reduced, if necessary?

(4) How can an acceptable level of risk be maintained over the lifetime of the plant?

This characterization has an advantage in that through it the roles of PRA in regulation can be readily brought to the fore. PRA activities related to each question are displayed in Figure 1.

The answer to the first question is what has become known in the U.S. nuclear power industry as "The Safety Goal." The staff is currently evaluating a proposed safety goal as well as some alternative goals.

The proposed safety goal, a plan for its evaluation, and public comments on the proposed goal are described in Safety Goals for Nuclear Power Plant Operation [6].

The proposed set of quantitative safety goal criteria naturally require some form of PRA with which to measure safety. Indeed, how "acceptable" risk is defined and how that definition is used in the regulatory process is dependent in large part on the capabilities of PRA in its myriad possible applications. As indicated, the major activities ongoing in the search for an answer to this question are naturally PRA methods development and definition of the Safety Goal itself. Information concerning the latter can be found in the "Safety Goal Evaluation Report" which was submitted by the NRC staff to the Commission last spring and is available from the NRC public document rooms. Again, for comprehensive discussion of the maturity and applications of PRA, the reader is referred to Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application [5], often called simply the "PRA Reference Document."


[Figure: a chart headed "Regulation of NPP Operation" with four columns, one per question, each listing the PRA activities that serve it:
- What safety level is acceptable? Development of acceptable PRA methods; Safety Goal definition.
- How safe are plants? Plant-specific PRAs; class-specific PRAs; PRA-based generic analyses of operational occurrences.
- How should risk be reduced if needed? PRA evaluation of safety issues; PRA use to identify candidate risk-effective regulations; PRA-based value/impact analyses of proposed requirements.
- How can an acceptable level of risk best be maintained over plant lifetime? PRA-based technical specifications; PRA-based owner-operated plant reliability program; PRA-based inspector aids.]

Figure 1. PRA Roles in Regulation of Nuclear Power Plant Operation


PRA is, of course, a necessary tool for answering the second question, whether that question is answered via plant-specific PRAs or on a more generic basis through some form of extrapolation from specific PRAs to the entire family of plants. In the U.S. there are now about 20 completed plant PRAs. The dominant accident sequences from some of these have been used in an attempt to obtain risk profiles of the 100 near-term and presently operating plants, under the Accident Sequence Evaluation Program (ASEP) sponsored by the NRC Office of Research. Although the extrapolation must be done with great care, the results verified against as-built plant hardware and current operating procedures, and care must be exercised in using the risk profiles, in the absence of PRAs on each plant the ASEP approach is the only known means for obtaining risk statements for all plants. A report describing ASEP and what it revealed with respect to dominant contributors to risk at each of the 100 operating and near-term U.S. plants will be available in the summer of 1986.

In addition to plant-specific PRAs and ASEP dominant accident sequences, operational occurrences as reported in licensee event reports can be analyzed in generic event trees to obtain a gross assessment of nuclear industry risk over periods of time. The NRC Accident Sequence Precursor Program has completed an assessment of the 1969-1979 period [7] and also the period 1980-1981 [8].

When reduction in risk is found appropriate (question 3), PRA becomes a vital tool to measure the level of reduction achieved and as part of the value/impact considerations. Although, in the past, PRA techniques have been used in assessing risk reduction achieved by certain requirements and in measuring the value/impact ratio for these, both of these exercises for each safety issue addressed would have been much facilitated by availability of computerized accident sequences from a complete family of plant-specific PRAs or computerized information such as that expected soon from ASEP. (The use of ASEP in this regard will be discussed in more detail in the next section.) Nevertheless, the NRC staff and its contractors have succeeded in formulating technical resolutions to many Generic Safety Issues and erstwhile Unresolved Safety Issues (USIs) through use of PRA techniques. Among USIs resolved by these methods are, for example, Anticipated Transients Without Scram and Pressurized Thermal Shock, while resolution is expected shortly for Station Blackout, Loss of DC Power, Systems Interaction, and a few others.

The potential usefulness of PRA in addressing the fourth question is just now beginning to be understood by the technical community. PRAs produced to date have not been focused on such an end use, which requires that the PRA be "user-friendly," i.e., readily reviewable, economically updatable, with ease of information extraction by a variety of users beyond those interested solely in the bottom line core melt frequency and risk estimates. To achieve its full potential the PRA thus must be reviewable, updatable, and usable over the 40-year lifetime of the plant, or be what some have termed a truly "living document."

Potential users not now considered in PRA document design include plant Reliability Program personnel (including management and design, maintenance, test, and engineering staffs), human reliability personnel, and regulatory inspectors in the field. The message here for regulators and for plant owners and managers alike is that a plant PRA is a snapshot in time of the safety level of the plant. Unless management mechanisms are set in place to continuously utilize the PRA as guidance in maintaining an acceptable level of safety over plant lifetime, and in so doing the PRA is kept current to reflect the as-built plant and its operating procedures, the plant could drift with time into an unacceptable safety regime.

Thus, PRA has now a role and appears to have an increasing role in addressing quantitatively all of these four fundamental questions. The ability of the NRC to address these questions is directly dependent upon the ability of the NRC to identify and develop useful PRA techniques and, of course, the acceptability and practicality of the PRA techniques themselves.

Thus, the capability of NRC to use PRA in the regulatory process depends upon several factors. Chief among these are, in the opinion of the author:

(1) the acceptability and practicality of PRA methods in addressing plant-specific and generic issues and in evaluation of the appropriateness of risk reduction options, and

(2) the acceptability and practicality of PRA methods for assuring that an acceptable level of risk is maintained throughout the life of the plant.

Both acceptability and practicality are necessary attributes. The term acceptability implies methods that allow analysis to be done that is sufficiently broad in scope to treat issues relevant to a regulatory decision, and that the treatment of the issues will be judged appropriate and sufficiently accurate by the relevant technical and policy-making community. The attribute of practicality implies in part that the methods are compatible with the regulatory process in which the analysis is being done.

It is also the opinion of the author that this ultimate compatibility cannot be achieved until a shift is completed from prescriptive to performance-based regulation wherein the PRA is used to set reliability targets, to trigger alert and action levels, and to monitor trends and performance.

For more discussion on activities related to questions 1 and 2 of Figure 1, the reader should consult the references. In what follows, discussion will be focused on relatively new and unexposed NRC research initiatives dealing with questions 3 and 4.

3. RECENT NRC RESEARCH INITIATIVES IN REGULATORY USAGE OF PRA METHODS

This section describes four relatively new programs of the NRC Office of Research, each of which is investigating the potential benefits of using PRA methods to improve effectiveness of those portions of the regulatory process dealing with reduction of risk and maintenance of an acceptable level of risk over plant lifetime.

3.1 Use of PRA in evaluating proposed requirements

The NRC has a responsibility to continuously evaluate the safety requirements utilized in its reviews against new information as it becomes available. Information related to the safety of nuclear power plants (NPPs) comes from a variety of sources such as experience from operating reactors, research results, NRC staff and safety reviews, and architect/engineer, vendor, and utility design reviews. Each time a new concern or safety issue is identified from one or more of these sources, the need is assessed for immediate action to assure safe plant operation. The assessment includes consideration of the generic implications of the issue. The use of risk and cost analyses for the evaluation of safety significance and cost effectiveness of specific modifications to the plant has been shown effective for the prioritization of generic safety issues and the review of generic requirements. These analyses have, with few exceptions, considered each proposed requirement independently.

The NRC Committee for the Review of Generic Requirements (CRGR) currently requires the use of risk and cost analyses in the evaluation of proposed changes to NPP safety requirements. These analyses are generally based on results of plant-specific PRAs that unfortunately have not been updated to reflect the plant modifications that have taken place since the completion of the PRA. The concern of the CRGR is that no measurement of progress toward improved safety levels is being made. This could cause multiple modifications to be made in related areas of the plant with the sum of the benefits being much less than the benefits of each requirement calculated independently.

Thus, there is a need to ascertain the cumulative effect of the safety implications of both actual and proposed plant modifications and to permit ready display of results.

To meet this need, the NRC Office of Research has initiated a program to develop a Systems Analysis and Risk Assessment (SARA) system. The direct purpose of the program is to develop a capability for computation and analysis of NPP risk characteristics, using state-of-the-art, user-friendly and modularized computer software and existing NPP risk information developed under two other key current research programs. The SARA system will enable a time-dependent display of cumulative costs and risk reduction benefits resulting from past or future implementation of the resolution of a number of generic issues. Ultimately, it will provide a methodology for tracking, trending, and sequencing of the effects of treatment of generic issues, and to display their relationships.

In the past few years several NRC research programs have developed and applied probabilistic risk and reliability analysis methods to determine and evaluate the reliability of plant safety systems and the level of risk associated with core damage accidents. One program, the Accident Sequence Evaluation Program (ASEP), has provided a catalog [9] of plant safety system failure logic models, accident sequence likelihood estimates, and information on a variety of plant risk and safety system reliability characteristics derived from a number of NRC and industry-sponsored PRAs. Information on containment systems performance and failure modes, fission product source terms, and health consequences is being developed under the Severe Accident Risk Reduction Program (SARRP) scheduled for completion in the spring of 1986.

Thus, risk and reliability information important to evaluating and understanding the dominant risk characteristics of NPPs will soon be available for access on large mainframe computers. The access to large mainframes is often costly if not prohibitive for security reasons. These constraints allow only limited numbers of people to access this wealth of information.

The development of high performance microcomputers eliminates this major obstacle and gives a large number of users greater capability to interact with the data.

Figure 2 is a block diagram outlining the SARA system structure, highlighting its interfaces with the user, input files, and mainframe storage. The lower left block represents the capability of access to a mainframe computer to extract and/or update the necessary data files. The upper left block illustrates the type of information extracted from the mainframe to be reformatted for direct input to SARA. The upper right block itemizes some of the manipulation and computing capabilities available to the user, and the lower right block represents the modes of output available.

The SARA system is being designed as a flexible tool to support different levels of users requiring risk and reliability information for decisionmaking and regulatory analyses. Initially, it will provide a capability for computation and analysis of information on NPP risk characteristics for six plants being analyzed in depth under SARRP. The system will have the capability to search, sort, and compare safety system reliability, accident likelihood, consequence, and risk information. The system will also provide a capability to perform sensitivity studies on these reliability and risk characteristics. Eventually, the few initial plant data will be expanded to cover the 100 near-term and operating plants in a complete set of NPP plant classes now being finalized in ASEP.


[Figure: block diagram of the SARA system. Center: SARA, menu-driven, user-friendly software. Upper left, database information: plant pedigree, systems description, basic event failure rates, recovery factors, accident initiators, sequence cut sets, importance measures, consequence. Upper right, system functions: compute (system reliability, sequence frequency, consequence, risk, importance measures); manipulate (basic event probability, initiating event frequency, user records, recalculate after modify, sensitivity analyses); display (graphic and numeric, database info, computed results). Lower left, mainframe computer: complete plant models, computed results, systems trees, sequence trees, quantification, interface with PRA codes, communications. Lower right, output: screen, line printer, disc file.]

Figure 2. SARA System Structure

The SARA system will support (to varying degrees) the following NRC applications:

(a) assessing the effectiveness of existing and proposed regulations, including backfits;
(b) prioritizing generic safety issues, research and licensing programs, and inspection activities;
(c) analyzing plant designs, systems operations, and procedures; and
(d) evaluating the significance of operational occurrences.

To permit modifications of the file structure and input/output, the SARA system will be developed in phases in a modularized fashion. The first phase was operational this past July 1985; it has a limited capability and is intended as a demonstration to solicit feedback from potential users and as a way of obtaining early identification of needed improvements. Based on the experience gained from use of the first phase demonstration system, a second phase, to be operational by December 1985, will provide a more complete capability by including information for additional plants and by providing for the user more powerful manipulation functions (e.g., improved search, sort, comparison, updating, requantifying, and display capabilities). A third and last phase will produce a final system that will allow users to modify the safety system logic models, alter event tree structure, and incorporate dependent failure analysis methods.

3.2 Use of PRA in improving technical specifications

In order to assure that a nuclear power plant (NPP) operates at the safety level perceived during the licensing review, certain operational limitations are specified in the facility's license. Most of these operational limitations are contained in a document known as the plant's technical specifications. Technical specifications are intended to delineate the safe operating envelope and are derived from assumptions of the safety analyses that may in fact vary with time or circumstances over the life of a plant.


A number of problems with technical specifications have evolved over the years. Today, the compilation of technical specifications has grown to over 500 pages and several thousand surveillance requirements. The absence of specific criteria as to the content of technical specifications has resulted in numerous items of vastly differing levels of importance being included, as well as requirements that are occasionally inconsistent. This situation tends to divert attention from principal safety parameters while focusing attention on detailed surveillance of lower importance systems. The voluminous technical specifications have also become burdensome and costly to utilities, yet do not contribute corresponding benefits to safety. Further, some technical specifications are complex and difficult for the control room operators to implement, and others may actually be adverse to safety (e.g., certain forced shutdowns when in fact continued steady-state operation is the safest plant condition). Other concerns have been expressed regarding: excessive testing contributing to component wear, added maintenance downtimes resulting from component wear, unnecessary test downtimes, introduction of human errors, and the potential for common-cause failures. Finally, the NRC has not in the past discriminated between utilities with excellent preventive maintenance programs, who may not need prescriptive technical specifications, and utilities with poor preventive maintenance programs who may need them. Rather, the NRC and industry have concentrated on standardized specifications which would be applied to utilities uniformly to protect against the worst performers. This practice tends to place unnecessary burdens upon the good performers.

In order to address these various problems, the NRC has undertaken some initiatives for improving the technical specification process. One of these initiatives was to establish a broad-based research program to examine the issues that arise in addressing various alternative means for evaluating the safety implications of technical specifications.

NRC regulations (10 CFR 50.36) require that NPP technical specifications include the five areas shown in the top row of Figure 3. One portion of our program is currently concentrating on three of these, namely safety limits, allowed outage times (AOTs) and surveillance test intervals (STIs). These areas lend themselves to analysis and enhancement by reliability and risk techniques and, in general, include the nine plant functions (see bottom row of Figure 3) that need to be addressed.


[Figure: top row, the five technical specification areas required by 10 CFR 50.36: safety limits and limiting safety system settings; limiting conditions for operation; surveillance requirements; design features; administrative controls. Middle: current NRC PRA research on tech spec improvement. Bottom row: the nine plant functions; legible labels include ECCS, containment systems, plant electrical systems, instrumentation, and power operations.]

Figure 3. Technical Specifications: Illustrative Areas of Interest

A main product of this research program will provide the NRC with a quantitative and coherent procedure for responding to licensee submittals that request extension to and/or modifications of plant technical specifications.

Owing to the comprehensive nature of investigation into this research area, related products will provide technical guidance for resolution of generic issues B-56 (on diesel generator reliability) and B-61 (on emergency core cooling system AOT). An examination of NPP data on the experience with diesel generators indicates that the emergency onsite diesel generators have an average reliability of about 0.94, compared with NRC's goal of 0.99. Events which result in a loss of offsite power necessitate reliance on the onsite emergency diesel generators for successful accident mitigation; and improvement of the starting reliability of the emergency generators will reduce the probability of events which could escalate into a core-melt accident. Similarly, studies have shown that the unavailability contribution to the ECCS from testing, maintenance, and allowed equipment outage time ranges from 0.3 to 0.8 of the total unavailability. This statistic emphasizes the degradation in equipment availability which can result when too frequent test or maintenance is required of standby safety systems which must be removed from normal service to perform such test and maintenance.

The maintenance unavailability of a component depends not only on the average length of time that a component is out for maintenance, but also on the frequency with which the maintenance is performed.

Currently technical specifications do not control the frequency of such component unavailability, but it is possible that a cumulative outage limit may be effective in doing so. To provide guidance on resolving these generic issues, the program will investigate several robust criteria which are considered essential to the development of a methodology to relate cumulative outage time with component reliability level, system configuration, and surveillance frequency.

In fact, the NRC Procedures for Evaluating Technical Specifications (PETS) Program has identified a number of areas where PRA can be used to improve technical specifications [10]. These include:


1. determining limiting safety system settings and safety limits,
2. judging risk importances of AOTs and STIs,
3. determining acceptable values for AOTs and STIs,
4. deciding on a one-time extension or STI exemption,
5. making cumulative downtime allotments,
6. determining the need to test after failure,
7. selecting the type of surveillance test to be performed,
8. transferring technical specifications to supplemental specifications,
9. considering shutdown risk in formulating action statements.

The following discussion of the use of PRA in addressing the first three of these items has been condensed and paraphrased from one of W. E. Vesely's recent publications [10].

W. E. Vesely has shown that, in regard to the first item, PRA can give the risk importance of limiting safety system settings since PRAs contain, as risk contributors, failures of safety system settings, where failure is an unsafe setting such that the system is not actuated. In fact, the size of the risk contribution can be taken as the risk importance of specific settings. In general, PRAs show that a single system setting failure has negligible impact. For example, from one PRA any of the individual sensors in the RPS could be failed with negligible increase (less than or equal to 1x10^-14) in the core-melt frequency. Thus, what PRAs generally show as important risk contributors are critical sets of settings all being failed. For example, failure of all the multiple pressure sensors to a signal path of the actuation system might cause the core-melt frequency to increase from 5x10^-5 to 5x10^-4. Thus, PRAs can show that what needs to be controlled from a risk standpoint are critical sets of settings all being failed. Equivalently, PRAs identify the minimal sets of settings which need to be correctly specified. If all the settings of one minimal set are correctly specified, then risk will be controlled regardless of the other settings.

From a risk standpoint, safety limits should also be established to control the dominant risk contributors.

In general then, from what we have learned from PRAs to date, safety limits should at least be established to respond to transients and small LOCAs since these initiators have been shown to be dominant risk contributors. Thus, current limits which are based on large LOCAs are not necessarily risk effective because of the small risk contribution from these initiators. Specific criteria for safety limits can thus logically be obtained from the temperature, pressure, flux and flow characteristics associated with the dominant accident sequences.

In regard to the second item, PRA can provide the risk importances of AOTs and STIs. In fact, risk importance approaches have been published for determining the risk importance of AOTs and STIs [10]. In general, PRAs can identify numerous AOTs and STIs which are insignificant to risk. For example, from one PRA it was shown that approximately 30 percent (150) of the components modeled each would have a core-melt frequency contribution of less than 5x10^-8 even if they were never tested or repaired. Obviously, PRAs can also identify those risk important AOTs and STIs whose values need to be specified.

PRA can provide critical combinations of components which need to be controlled since PRAs give as important risk contributors critical combinations of components being simultaneously down for either testing or maintenance. PRAs have shown that these critical combinations of downed components can cause core-melt frequency to increase by an order of magnitude or more. Current technical specifications often do not recognize these combinations because the components are in different systems. Obviously then, from a risk standpoint, it is more important to control these critical combinations than to control on an individual AOT and STI basis.

In order to be able to systematically identify the risk-important and risk-unimportant AOTs and STIs for implementation into technical specification changes, the PETS program is developing methods to identify risk importance approaches to categorize AOTs and STIs, define risk importance approaches to identify the critical combinations of components which need to be controlled, and for applying the importance approaches either in a generic or plant-specific manner to identify the critical AOT and STI combinations.


Also from [10] and for the third item, PRAs might be used to define risk acceptable values for the risk-important AOTs and STIs. Risk acceptable values for AOTs might then be used to control the risk from one downtime and control the risk from the projected number of downtime occurrences during the plant lifetime (or some other reference period).

Risk acceptable values for STIs might also be defined to control the risk from failures occurring between tests and the risk from test-caused degradations and test downtimes. However, it seems that the utilization of PRAs to specify acceptable AOTs and STIs requires that some form of numerical criteria be defined for what constitutes acceptably small AOT and STI risks. In some cases, it might be possible that risk trade-off evaluations could be performed in lieu of using numerical criteria.

Thus, to implement changes in technical specifications that specify acceptable values of AOTs and STIs based on risk considerations, one must first develop systematic approaches for evaluating AOT and STI risks and then define criteria for specifying what constitutes acceptable AOT and STI risks.
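The three PRA uses sketched above (the risk importance of settings and of component combinations that are down together, the dependence of maintenance unavailability on outage frequency and duration, and the single-downtime and lifetime risk against which a risk-acceptable AOT would be judged) all come down to requantifying a cut-set model with selected basic events set to failed. The Python program below is an added example; it is not code from this paper, from the PETS program or from Vesely's publications. The plant, initiating-event frequencies, cut sets and unavailabilities are constructed round numbers (the diesel failure-to-start probability of 0.06 mirrors the 0.94 average reliability quoted above), and the single-downtime and lifetime formulas in aot_risk are an assumed form rather than a PETS procedure.

```python
"""Toy cut-set risk model: risk importance of settings and component
combinations, and a risk-based AOT check.  Constructed example; the plant,
initiators, cut sets and numbers are not from any real PRA."""
from itertools import combinations

YEAR_HOURS = 8760.0

# Constructed initiating-event frequencies (per reactor-year).
INITIATORS = {"transient": 5.0, "small_loca": 1e-2, "loss_of_offsite_power": 0.1}

# Constructed basic-event unavailabilities.  Diesel failure-to-start of 0.06
# mirrors the 0.94 average reliability quoted in the text.
PROBS = {
    "afw_pump_A": 1e-2, "afw_pump_B": 1e-2,
    "hpi_pump_A": 1e-2, "hpi_pump_B": 1e-2,
    "dg_A": 6e-2, "dg_B": 6e-2,
    "press_sensor_1": 1e-2, "press_sensor_2": 1e-2, "press_sensor_3": 1e-2,
    "manual_trip": 1e-4,
}

# Constructed minimal cut sets per initiator: every event in a set must fail
# for that initiator to proceed to core melt.
CUT_SETS = {
    "transient": [
        {"afw_pump_A", "afw_pump_B", "hpi_pump_A"},   # feedwater lost, feed-and-bleed fails
        {"afw_pump_A", "afw_pump_B", "hpi_pump_B"},
        {"press_sensor_1", "press_sensor_2", "press_sensor_3", "manual_trip"},
    ],
    "small_loca": [{"hpi_pump_A", "hpi_pump_B"}],
    "loss_of_offsite_power": [{"dg_A", "dg_B"}],
}


def core_melt_frequency(probs, cut_sets=CUT_SETS, initiators=INITIATORS):
    """Rare-event approximation: sum over initiators of frequency times the
    sum of cut-set probabilities (product of basic-event unavailabilities)."""
    total = 0.0
    for name, freq in initiators.items():
        for cut_set in cut_sets[name]:
            p = 1.0
            for event in cut_set:
                p *= probs[event]
            total += freq * p
    return total


def risk_increase(failed, probs=PROBS):
    """Increase in core-melt frequency when every event in `failed` is taken
    as failed (unavailability 1.0): the risk importance of that set."""
    conditional = dict(probs)
    for event in failed:
        conditional[event] = 1.0
    return core_melt_frequency(conditional) - core_melt_frequency(probs)


def critical_combinations(candidates, size=2, synergy=5.0, probs=PROBS):
    """Combinations of `size` components whose joint outage raises core-melt
    frequency by more than `synergy` times the sum of their individual outage
    effects.  Components sharing no cut set are additive (ratio 1.0); the
    combinations returned are the ones per-component AOT control does not see."""
    single = {c: risk_increase({c}, probs) for c in candidates}
    found = []
    for combo in combinations(sorted(candidates), size):
        joint = risk_increase(set(combo), probs)
        base = sum(single[c] for c in combo)
        ratio = joint / base if base else float("inf")
        if ratio > synergy:
            found.append((combo, joint, ratio))
    return sorted(found, key=lambda item: -item[1])


def maintenance_unavailability(outages_per_year, mean_hours_per_outage):
    """Fraction of time out for maintenance: outage frequency times mean
    duration, the two factors the text says jointly set unavailability."""
    return outages_per_year * mean_hours_per_outage / YEAR_HOURS


def aot_risk(component, aot_hours, outages_per_year, plant_life_years, probs=PROBS):
    """Assumed form (not a PETS formula): core-melt probability incurred by one
    downtime that uses the full AOT, and the projected total over plant life.
    lifetime = single * number of downtimes, which equals
    delta_CMF * maintenance_unavailability * years."""
    delta = risk_increase({component}, probs)
    single = delta * aot_hours / YEAR_HOURS
    lifetime = delta * maintenance_unavailability(outages_per_year, aot_hours) * plant_life_years
    return single, lifetime


if __name__ == "__main__":
    base = core_melt_frequency(PROBS)
    print(f"base core-melt frequency: {base:.3e}/yr")
    print(f"one pressure sensor failed: +{risk_increase({'press_sensor_1'}):.2e}/yr")
    sensors = {"press_sensor_1", "press_sensor_2", "press_sensor_3"}
    print(f"all three pressure sensors failed: +{risk_increase(sensors):.2e}/yr")
    pumps = ["afw_pump_A", "afw_pump_B", "hpi_pump_A", "hpi_pump_B", "dg_A", "dg_B"]
    for combo, joint, ratio in critical_combinations(pumps):
        print(f"{combo}: +{joint:.2e}/yr, {ratio:.1f}x the sum of single outages")
    single, lifetime = aot_risk("afw_pump_A", aot_hours=72, outages_per_year=2, plant_life_years=40)
    print(f"AFW pump A, 72 h AOT: {single:.2e} per downtime, {lifetime:.2e} over 40 years")
```

Run stand-alone, the script shows the three points of the text on this toy model: one failed pressure sensor changes the core-melt frequency by well under a thousandth of its base value while the full set of three sensors more than doubles it; the component pairs flagged by critical_combinations are exactly those that share a cut set (an AFW pump with an HPI pump, for instance, which sit in different systems), while pairs such as an AFW pump with a diesel generator are simply additive; and the lifetime AOT risk scales with the maintenance unavailability, so halving either the outage frequency or the time actually spent out halves it.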

The PETS program is scheduled to publish a procedures guide, in January 1986, which will provide details on PRA use in addressing all nine items.

3.3. Use of PRA in a Plant Reliability Program

NRC interest in a reliability program applicable to safety arose from incidents at operating reactors, particularly the Three Mile Island accident and the Salem reactor trip failures. NRC staff met with representatives of aerospace and defense industries to better understand reliability techniques that have proven successful in other applications. NRC and others sponsored surveys of reliability techniques that might be applicable to LWRs. In 1984, Argonne National Laboratory coalesced the results into a set of reliability elements that appear applicable to LWR safety. Brookhaven National Laboratory (BNL) was then engaged to evaluate the effectiveness of these elements [11].

The results of this planned evaluation of the effectiveness of reliability elements will serve two purposes. One is to serve as part of the technical basis for staff evaluations of trade-offs that licensees may propose to substitute reliability program elements in place of specific prescriptive requirements. The second purpose of this research is to help achieve NRC goals to shift its regulatory emphasis away from detailed prescriptive requirements toward performance criteria [12].

The concept of a reliability program that Argonne National Laboratory identified for evaluation [13,14] is illustrated in Figure 4. The reliability elements form a closed loop, similar to a widely-used management system described by Kepner and Tregoe [15]. In this concept, the utility sets performance standards, including reliability targets, establishes management controls and standards to achieve these targets, monitors the operation to recognize substandard performance, prioritizes and identifies the root causes of important problems, and takes appropriate corrective action.

Within this general framework, individual reliability techniques would be selected and applied as appropriate to the particular problems being addressed.

Such reliability techniques could include, for example:

use of PRA to set reliability/availability goals or targets; analyzing plant reliability and risk to help identify and prioritize weaknesses in plant design and operating procedures; specifying requirements for reliability and maintainability in purchase specifications; developing (as suggested in Section 3.2) technical specifications that reflect risk considerations in the selection of surveillance test intervals, allowed outage times, and action statements; computerizing a configuration-control system to help keep track of equipment status, action statements, and commitments; collecting and analyzing reliability data, both plant-specific and industry-wide, to help identify risk-important events and trends; and monitoring reliability vs. alert levels to alert utility management to potential problems.

Brookhaven National Laboratory is now beginning an evaluation of this concept of an integrated reliability program and its elements. The evaluation involves four steps:

Figure 4. Reliability Program Flow Diagram: a continuous process of operational problem analysis and corrective action. The closed loop runs Define Objectives, Operations, Monitor Operation, Recognize Deviations, Prioritize and Specify Deviations, Identify Root Cause, Evaluate Alternatives, Take Action, and back to Operations. (Diagram not reproduced.)

o Case studies. Wherein the NRC and its contractor, BNL, plan to discuss reliability practices with about five utilities to better understand problems related to reliability that utilities are facing, the effectiveness of reliability elements to resolve these problems, and the attributes (reasonable applications and success criteria) of successful reliability programs.

o Initial trial application. In this phase, BNL will be conducting, with a cooperative utility, a trial application of a reliability program to one system at one plant.

o Broader trial application. Here the program will be expanded to apply what was learned from the initial trial application to a broader trial application to several systems at one plant.

o Industry standard. The experience gained and knowledge acquired of the effectiveness of reliability program elements and management could be translated into an industry reliability program standard through a cooperative effort among industry groups and the NRC.

3.4. PRA Application to NRC Inspection Program

The objective of the PRA Application to NRC Inspection Program being performed by NRC contractor personnel at JBF Associates, Inc. (in Knoxville, Tennessee, U.S.A.), is to develop methods for applying the results of probabilistic risk assessments (PRAs) to manpower allocation decisions made by NRC inspectors. Accomplishing this objective will help inspection personnel decide which of the activities that demand their time have the greatest risk-reduction or safety-assurance potential.

Two key observations made early in the first phase of this program have had a major influence on the program's direction. First, PRAs are limited to quantifying a plant's bottom-line risk and showing how important various component and system failures are to this risk. While inspection personnel do inspect individual components and systems, they are validly more concerned with assuring that nuclear power plant owners have adequate reliability programs in place.

Equipment reliability performance is a useful barometer for evaluating a licensee's programs; however, when equipment performance suffers, inspection personnel are more effective if they focus on the mechanisms owners have in place to evaluate and correct root causes of failures rather than responding to individual failure events.

With that observation in mind, Phase I of the program continued until a four-step procedure was developed to relate PRA results to inspection decisions. These steps are:

1. Relate system and component failure probabilities to plant risk.
2. Relate root causes of failure to system and component failures.
3. Relate reliability program elements to root causes of failure.
4. Relate inspection actions to reliability programs.

The first step is accomplished using the results of a PRA. The second step, relating root causes of failure to system and component failures, is the key step in this procedure because if the various root causes of failures can be ranked according to their importance to plant risk, the door is then opened for inspection personnel to carry out the last two steps. Thus, the gap between PRA results and the needs of inspection personnel can be bridged by identifying the relationships between root causes of failure and system and component failures. The NRC has programs in progress to evaluate various data sources from which to extract root causes of failure and root cause fractions contributing to component failure modes.
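As an added illustration of steps 1 through 3 of the four-step procedure (this is not the JBF Associates or NRC method, and every number in it is constructed), the following Python apportions each component's PRA risk contribution across its root causes using root cause fractions of the kind mentioned above, ranks the root causes by the resulting importance to plant risk, and then rolls the ranking up to the reliability program elements that address each cause. The linear apportionment, the component and root-cause names, and the mapping of program elements to root causes are all assumptions made for the example.

```python
"""Ranking root causes of failure by their importance to plant risk.

Added illustration of steps 1-3 of the four-step procedure; not the
JBF/NRC method, and all values are constructed. Assumed model: the
importance of a root cause is the sum over components of the component's
PRA risk contribution times the fraction of that component's failures
attributed to the root cause.
"""
import math
from typing import Dict, List, Tuple

# Step 1 (from the PRA): fractional contribution of each component's failure
# to core melt frequency. Constructed, Fussell-Vesely-style values.
COMPONENT_RISK: Dict[str, float] = {
    "emergency diesel generator": 0.30,
    "HPI pump": 0.20,
    "EFW pump": 0.10,
}

# Step 2 (from operating-experience data): fraction of each component's
# failures attributed to each root cause. Constructed values; each row sums to 1.
ROOT_CAUSE_FRACTIONS: Dict[str, Dict[str, float]] = {
    "emergency diesel generator": {
        "maintenance error": 0.5, "design deficiency": 0.2, "random hardware": 0.3},
    "HPI pump": {
        "maintenance error": 0.25, "procedure deficiency": 0.25, "random hardware": 0.5},
    "EFW pump": {
        "procedure deficiency": 0.6, "random hardware": 0.4},
}

# Step 3: which reliability program elements address which root causes
# (a constructed mapping; real programs would be derived from the case studies).
PROGRAM_ELEMENTS: Dict[str, List[str]] = {
    "maintenance program": ["maintenance error"],
    "procedure upgrade program": ["procedure deficiency"],
    "design change control": ["design deficiency"],
    "equipment trending": ["random hardware", "maintenance error"],
}


def validate_fractions(fractions: Dict[str, Dict[str, float]]) -> None:
    """Root cause fractions are a partition of a component's failures, so each
    component's fractions must sum to one; otherwise the ranking is meaningless."""
    for comp, by_cause in fractions.items():
        total = sum(by_cause.values())
        if not math.isclose(total, 1.0, abs_tol=1e-9):
            raise ValueError(f"root cause fractions for {comp!r} sum to {total}, not 1")


def root_cause_importance(risk: Dict[str, float],
                          fractions: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Importance of each root cause = sum over components of risk * fraction."""
    validate_fractions(fractions)
    importance: Dict[str, float] = {}
    for comp, contribution in risk.items():
        for cause, frac in fractions.get(comp, {}).items():
            importance[cause] = importance.get(cause, 0.0) + contribution * frac
    return importance


def ranked(importance: Dict[str, float]) -> List[Tuple[str, float]]:
    """Highest importance first; ties broken alphabetically for a stable list."""
    return sorted(importance.items(), key=lambda kv: (-kv[1], kv[0]))


def program_element_importance(rc_importance: Dict[str, float],
                               elements: Dict[str, List[str]]) -> Dict[str, float]:
    """Step 3: credit each program element with the root causes it addresses."""
    return {elem: sum(rc_importance.get(cause, 0.0) for cause in causes)
            for elem, causes in elements.items()}


def run_example() -> List[Tuple[str, float]]:
    """Rank the constructed root causes; returns the ranked list."""
    importance = root_cause_importance(COMPONENT_RISK, ROOT_CAUSE_FRACTIONS)
    for cause, value in ranked(importance):
        print(f"{cause:22s} {value:.3f}")
    return ranked(importance)


if __name__ == "__main__":
    run_example()
    print(program_element_importance(
        root_cause_importance(COMPONENT_RISK, ROOT_CAUSE_FRACTIONS), PROGRAM_ELEMENTS))
```

With the constructed data, random hardware failures rank first and maintenance error second, and the trending element scores highest because it addresses both; the point of the exercise is that the inspector can read the program-element ranking without ever seeing the fault trees behind the component contributions.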

The second observation that influenced the direction of the PRA Application to NRC Inspection Program is that PRA reports are written in the language used by PRA practitioners--a language that is not readily understood by others. Phase II of the program is focusing on developing a program, for installation on a microcomputer, which can be used to present PRA-based information in a manner that can be readily used by inspectors as an aid in making decisions. The Plant Risk Status Information Management System (PRISIM) is a decision-oriented, user-friendly, menu-driven program that contains data base management and interactive routines that will aid inspectors in allocating their efforts toward those areas where they will have the greatest impact on safety.

A computer program was chosen to catalog and present the PRA information because the total amount of information is large, but the amount needed for any particular decision is relatively small. PRISIM allows the user to quickly and logically access the desired information without being overwhelmed by enormous quantities of data. PRISIM's data base consists largely of screen images that present PRA information in both textual and graphic formats. Each screen image also acts as a menu, giving the user options to see more detailed information in the area of his interest.

As one option in the program, PRISIM will list NRC Inspection modules and procedures, identify decisions inspectors must make to implement the procedures effectively, and direct the user to more displays of PRA-based information that influence specific decisions of interest. The user indicates to PRISIM the areas of interest he wishes to pursue by using a cursor. The position of the cursor on the screen determines what information the data base management routine will present. The user does not need to have a background in computer operation or PRA to use the program or understand and employ the information it presents.

Because some decisions made by inspectors depend on the current status of the plant, PRISIM contains an interactive routine that allows the user to specify components or subsystems that are out of service. The user is then apprised of the impact the specified condition(s) places on instantaneous risk and the components that are most critical to maintaining plant safety under the specified condition(s). Thus inspectors can plan their actions using PRA-based information integrated with plant status information.

The risk-based information being selected for presentation by PRISIM is complete within itself and will be as compatible as possible with the four-step approach developed in the first phase of this program. However, all the root cause information needed to implement this approach is currently not available. As this information is documented, PRISIM will be updated and will become an even more useful tool for inspection planning and decisionmaking.

Programs like PRISIM can also be tailored for nuclear plant owners and operators. The benefits to an owner or operator having such a program derive readily from the easily and rapidly accessible PRA results displayed in a comprehensible manner that can help with the day-to-day and long-range planning decisions associated with operating such a complex plant.

As an example of PRISIM use, let us suppose that an inspector at Arkansas Nuclear One, Unit 1 (ANO-1), has just learned that pump p36C has just been declared inoperative. Following the sequence of displays in Figure 5, the resident inspector first selects "continue" to get into the program master menu (Figures 5a and 5b). From the master menu, the inspector then opts to view the listing of PRA-based information available in the program. This information is displayed in Figure 5c.

Wishing to know the importance of pump p36C being out of service, the inspector then selects item 2 from the list, risk impacts of various out-of-service systems/components, which brings Figure 5d to the computer display. Here PRA information has been used so that the inspector is now informed that core melt frequency increases by certain factors when various systems are out of service. In particular, pump p36C is in the high pressure injection system (HPI) which, when it is out of service, increases risk by a factor of 58.

Wishing to know additional details about the component, the inspector then selects item 9 (high pressure injection) which evokes the display of Figure 5e, the schematic of the HPI. Here the cursor is moved over pump p36C to obtain the display of Figure 5f where PRA information has again been used to discover that single failures now exist and that with pump p36C out of service, plant risk has increased by a factor of 8.3. Wishing to pursue the single failure warning indicated, the inspector now puts the cursor over WARNING, which provides the additional information in Figure 5g from which he opts for the information on control valve CV6036 displayed in Figure 5h. From here it is learned that loss of control valve CV6036 results in loss of pump p36A also.

What about pump p36B? As shown in Figure 5h, the inspector has selected LAST BP (last branch point). This recalls the display of Figure 5e where the inspector moves the cursor over pump p36B, follows a similar sequence (not shown), and discovers that loss of control valve CV6036 indeed also causes loss of pump p36B. The user can return to the master menu or evoke the previous display by moving the cursor over MASTER or PREVIOUS, respectively. To exit the program, the user moves the cursor over ESCAPE, which calls up the initial display (Figure 5a), where the cursor is moved to QUIT.

Figure 5. PRISIM Display Sequence (screen images transcribed as text; schematics not reproduced)

(a) Title screen: PLANT RISK STATUS INFORMATION MANAGEMENT SYSTEM, ARKANSAS NUCLEAR ONE - UNIT 1, with QUIT and CONTINUE options.

(b) MASTER MENU (ESCAPE). Would you like to see: 1. A listing of the PRA-based information available in this program? 2. A listing of the resident modules addressed in this program? 3. A listing of the regional modules addressed in this program?

(c) PRA-BASED INFORMATION AVAILABLE IN THIS PROGRAM (MASTER, ESCAPE, LAST BP, PREVIOUS, CONTINUE): 1. Dominant contributors to plant risk. 2. Risk impacts of various out-of-service systems/components. 3. Risk impacts of selected human errors. 4. Rankings of systems/subsystems/components/human errors according to their contributions to plant risk. 5. Overall risk significance of systems/subsystems/components/human errors. 6. Single failures that can cause a system to fail when a component is out of service. 7. Listing of plant LERs grouped by component type. (Continued.)

(d) RISK IMPACT OF A SYSTEM THAT IS OUT OF SERVICE (MASTER, ESCAPE, LAST BP, PREVIOUS): factor by which core melt frequency increases.
1. Emergency DC power: 21,000
2. Reactor protection: 2,100
3. Emergency AC power: 280
4. Service water: 78
5. Emergency feedwater: 68
6. Emergency feedwater initiation control: 68
7. Battery and switchgear emergency cooling: 62
8. Safety relief: [value illegible]
9. High pressure injection: 58
10. Engineered safeguards actuation: 4.2
11. Low pressure recirculation: [value illegible]
12. High pressure recirculation: 3.3
13. Low pressure injection: 1.6
14. Power conversion: 1.4
15. Core flood: 1.2
** To see the risk impact of a component failure, select the system containing the component. **

(e) HIGH PRESSURE INJECTION SYSTEM SCHEMATIC (MASTER, ESCAPE, LAST BP, PREVIOUS): ** Select component of interest using cursor. ** (Schematic not reproduced.)

(f) HPI PUMP P36C IS OUT OF SERVICE (MASTER, ESCAPE, LAST BP, PREVIOUS). WARNING: single failures that are not covered by tech specs exist within the HPIS support systems and can cause the HPIS to fail. CAUTION: single failures that are covered by tech specs also exist within the HPIS and its support systems and can cause the HPIS to fail. RISK INCREASES BY A FACTOR OF 8.3. 1. How does the risk increase for pump P36C compare to the risk increases for other components in the HPIS? 2. What are the historical causes of failure for P36C and similar pumps? 3. What other components are realigned to remove pump P36C from service and/or restore it to service? 4. What are the tech specs concerning pump P36C?

(g) SINGLE FAILURES THAT ARE NOT COVERED BY TECH SPECS WHEN PUMP P36C IS OUT OF SERVICE (MASTER, ESCAPE, LAST BP). Failure of any of these components in combination with the failure of pump P36C causes the failure of the HPIS: 1. Control valve CV6036 [3-way valve in the emergency switchgear room cooling system]. 2. Control valve CV3808 [service water valve upstream of HPI pump P36A lube oil cooler]. 3. Fan VUC7A [makeup pump room cooling fan]. 4. Circuit breaker CB5214 [circuit breaker for control power to control valve CV3808]. 5. Circuit breaker CB5216 [circuit breaker for control power to makeup pump room cooler VUCW-7A]. ** To see pertinent information about verifying the operability of any component above, move the cursor to the component number and press RETURN. **

(h) CONTROL VALVE CV6036 (MASTER, ESCAPE, LAST BP, PREVIOUS). In the event of an accident, if control valve CV6036 is out of service, then chill water unit VCH48 is out of service, and all chilled water to room 100 cooler VUC2B is lost. This will cause a loss of electrical power to HPIS pump P36A. (Schematic of room cooling for 4.16 kV switchgear A3, showing the chill water unit, CV6036, VUC2B, the SWS discharge and SWS loop 1, not reproduced.)
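To make concrete what PRISIM's interactive out-of-service routine does for the inspector in the walk-through above (the WARNING list of single failures and the risk factor looked up for the current plant state), here is an added Python sketch; it is not PRISIM's code. The support-dependency model, the success criterion of one pump in three, and the names LUBE-COOLER-A and SWGR-A4 are constructed for the example; the pump names P36A/P36B/P36C, CV6036, VCH48, VUC2B and the factors 8.3 and 58 are taken from the walk-through and the Figure 5 displays.

```python
"""PRISIM-style plant status check: added illustration, not PRISIM's own code.

Support dependencies are a constructed simplification of the CV6036 chain in
Figure 5h; LUBE-COOLER-A and SWGR-A4 are hypothetical names. The pump names,
CV6036, VCH48, VUC2B and the factors 8.3 and 58 come from the walk-through.
"""
from typing import Dict, FrozenSet, List, Optional, Set

# A component is lost when ANY of the supports listed for it is lost.
DEPENDS_ON: Dict[str, Set[str]] = {
    "P36A": {"SWGR-A3", "LUBE-COOLER-A"},  # LUBE-COOLER-A: hypothetical
    "P36B": {"SWGR-A3"},                   # constructed: P36B also powered from A3
    "P36C": {"SWGR-A4"},                   # SWGR-A4: hypothetical
    "SWGR-A3": {"VUC2B"},                  # 4.16 kV switchgear A3 needs room cooler VUC2B
    "VUC2B": {"VCH48"},                    # room cooler needs chill water unit VCH48
    "VCH48": {"CV6036"},                   # chill water unit needs control valve CV6036
}

HPI_PUMPS = ("P36A", "P36B", "P36C")
PUMPS_REQUIRED = 1  # constructed success criterion: any one pump keeps the HPIS up

# Tabulated PRA results keyed by the set of HPI pumps lost. PRISIM looks results
# up from its data base rather than re-solving the fault trees; both values
# here are the ones quoted in the walk-through.
RISK_FACTORS: Dict[FrozenSet[str], float] = {
    frozenset({"P36C"}): 8.3,     # Figure 5f: pump P36C out of service
    frozenset(HPI_PUMPS): 58.0,   # Figure 5d: HPI system out of service
}


def all_components() -> Set[str]:
    """Every component named in the model, supports included."""
    comps = set(HPI_PUMPS)
    for comp, supports in DEPENDS_ON.items():
        comps.add(comp)
        comps |= supports
    return comps


def failed_components(out_of_service: Set[str]) -> Set[str]:
    """Propagate support losses until no further component is lost."""
    lost = set(out_of_service)
    changed = True
    while changed:
        changed = False
        for comp, supports in DEPENDS_ON.items():
            if comp not in lost and supports & lost:
                lost.add(comp)
                changed = True
    return lost


def hpis_fails(out_of_service: Set[str]) -> bool:
    """True when fewer than PUMPS_REQUIRED HPI pumps survive the losses."""
    lost = failed_components(out_of_service)
    available = [p for p in HPI_PUMPS if p not in lost]
    return len(available) < PUMPS_REQUIRED


def single_failures(out_of_service: Set[str]) -> List[str]:
    """Components whose additional loss fails the HPIS (PRISIM's WARNING list)."""
    lost_now = failed_components(out_of_service)
    hits = []
    for comp in sorted(all_components()):
        if comp in lost_now:
            continue
        if hpis_fails(out_of_service | {comp}):
            hits.append(comp)
    return hits


def risk_increase_factor(out_of_service: Set[str]) -> Optional[float]:
    """Tabulated core-melt-frequency multiplier for the set of HPI pumps lost,
    or None when no PRA result is tabulated for that plant state."""
    lost = failed_components(out_of_service)
    lost_pumps = frozenset(p for p in HPI_PUMPS if p in lost)
    return RISK_FACTORS.get(lost_pumps)


def status_report(out_of_service: Set[str]) -> str:
    """Text the inspector would see for the given plant state."""
    factor = risk_increase_factor(out_of_service)
    lines = [f"Out of service: {', '.join(sorted(out_of_service)) or 'none'}"]
    lines.append("Risk increases by a factor of "
                 + (f"{factor}" if factor is not None else "[not tabulated]"))
    singles = single_failures(out_of_service)
    if singles:
        lines.append("WARNING: single failures that fail the HPIS: " + ", ".join(singles))
    return "\n".join(lines)


if __name__ == "__main__":
    print(status_report({"P36C"}))
```

Running it with P36C out of service reproduces the walk-through: the HPIS now has single failures (CV6036 and everything downstream of it in the cooling chain) and the looked-up factor is 8.3; with P36A and P36C both out, pump P36B itself joins the list, which is exactly the kind of plant-status-dependent answer the interactive routine exists to give.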

This experimental inspector aid is scheduled for test at ANO-1 beginning December 1985. Upon completion of a successful test, the program will probably enter a production mode with similar programming of information from other plant-specific PRAs. Meanwhile, the utility of programming information from the ASEP-dominant accident sequences will be investigated.

4. CONCLUSIONS

A characterization of activities of those involved in regulation of nuclear power plants exists in the form of four basic questions. In seeking or using answers to the four basic questions, "What is an acceptable level of plant safety?", "How safe are the plants?", "How should risk best be reduced if need be?", and "How should an acceptable level of risk be maintained over plant lifetime?", PRA is seen as playing a very natural and increasing role. In particular, the U.S. NRC Office of Research has four relatively new research initiatives that hold promise for aiding the regulator in dealing with the penultimate and the last of the four questions.

In particular, for the penultimate question, the SARA computer system will soon be available to provide a means for assessing combined effects on industry of accumulating regulatory requirements. The system holds promise as a valuable tool in avoidance of overregulation.

In response to the fourth question, PRA use in formulating technical specifications seems another promising role for the technique. In addition, the NRC might use the concept of a plant reliability program, of which technical specification formulation and analysis would be part, to move from prescriptive to performance-based regulation. The first step in this direction might be to revisit selected AOTs and STIs and downgrade or discard those with little or no risk significance. Additional steps could determine how to relax some other AOTs and STIs in return for demonstrated highly reliable performance.

The concept of a reliability program being developed, and soon to be evaluated, at the NRC involves a simple closed-loop framework within which to apply selected reliability and management techniques appropriate for the particular problem to be resolved.

Planned case studies and trial use with a cooperative utility will evaluate the effectiveness of reliability program elements in helping to resolve or prevent safety problems.

Finally, an NRC contractor is demonstrating the use of PRA as an aid to the resident inspector. PRA information is extracted and presented to the inspector in a user-friendly computer program, PRISIM, which the inspector can use to prioritize his activities, and thereby better use his very limited time and resources through identification of the risk significance of occurrences at the plant. This same computer program could also be used to good advantage by owners in the context of a plant reliability program. A main feature of PRISIM is that the PRA models, the mass of event trees and fault trees, are totally transparent to the user. What the user sees are results which, of course, is what we are all after in the first place.

REFERENCES

[1] Reactor Safety Study, WASH-1400 (NUREG-75/014), U.S. Nuclear Regulatory Commission, October 1976.

[2] Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, Sandia National Laboratories, Albuquerque, New Mexico 87185, October 1980.

[3] PRA Procedures Guide, NUREG/CR-2300, U.S. Nuclear Regulatory Commission, January 1983.

[4] Interim Reliability Evaluation Program: Phase II Procedure and Schedule Guide, Sandia National Laboratories, Albuquerque, New Mexico, September 1981.

[5] Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application, NUREG-1050, U.S. Nuclear Regulatory Commission, February 1984.

[6] Safety Goals for Nuclear Power Plant Operation, NUREG-0880, Revision 1 for Comment, U.S. Nuclear Regulatory Commission, May 1983.

[7] Precursors to Potential Severe Core Damage Accidents: 1969-1979, A Status Report, NUREG/CR-2497, Oak Ridge National Laboratory, Oak Ridge, Tennessee 37831, June 1982.

[8] Precursors to Potential Severe Core Damage Accidents: 1980-1981, A Status Report, NUREG/CR-3591, Oak Ridge National Laboratory, Oak Ridge, Tennessee 37831, July 1984.

[9] Catalog of PRA Dominant Accident Sequence Information, NUREG/CR-3301, EG&G Idaho, Inc., Idaho Falls, Idaho 83415, July 1985.

[10] W. E. Vesely, "Ways by Which Probabilistic Risk Analysis (PRA) Can Be Used to Improve Technical Specifications," Battelle Columbus Laboratories, 505 King Avenue, Columbus, Ohio 43201-2693, August 1985.

[11] C. E. Johnson, "Operational Safety Reliability Research," International Conference on Nuclear Power Plant Aging, Availability Factor and Reliability, American Society of Metals, San Diego, California, July 8-12, 1985. Copies available from the author at U.S. Nuclear Regulatory Commission, Washington, DC 20555.

[12] U.S. Nuclear Regulatory Commission Policy and Planning Guidance 1985, NUREG-0885, Issue 4, U.S. Nuclear Regulatory Commission, February 1985.

[13] C. J. Mueller, "Operational Safety Reliability," Proceedings of the USNRC Twelfth Water Reactor Safety Research Information Meeting, NUREG/CR-0058, Volume 6, U.S. Nuclear Regulatory Commission, 1985.

[14] C. J. Mueller, et al., A Scoping Study of the Potential Effectiveness of an Operational Safety Reliability Program in Addressing Generic Safety Problems, NUREG/CR-XXXX (to be published), Argonne National Laboratory, 9700 South Cass Avenue, Argonne, Illinois 60439.

[15] C. H. Kepner and B. B. Tregoe, The Rational Manager, McGraw-Hill, New York, 1965.