ML103620079

From kanterella
Use of Risk Measures in Design and Licensing of Future Reactors
Person / Time
Site: Davis Besse (Cleveland Electric)
Issue date: 12/28/2010
From: Jamali K, Elsevier, US Dept of Energy, Office of Nuclear Energy
To: NRC/SECY, SECY RAS
Shared Package: ML103620074
References: License Renewal 2, RAS 19324, 50-346-LR
Download: ML103620079 (9)


Text

Use of risk measures in design and licensing of future reactors

Kamiar Jamali
United States Department of Energy, Office of Nuclear Energy, 1000 Independence Avenue, Washington, DC 20585, USA

Article info

Article history: Received 17 February 2010; received in revised form 5 April 2010; accepted 6 April 2010; available online 10 April 2010.

Keywords: Nuclear reactor safety; Probabilistic risk assessment (PRA); Safety goals; Acceptance criteria; Next generation nuclear plant; Small modular reactors; Frequency-consequence curve.

Abstract

Use of information and insights from probabilistic risk assessments (PRAs) in nuclear reactor safety applications has been increasing among the nuclear industry and the regulators, both domestically and internationally. This is a desirable trend, as PRAs have demonstrated the capability to improve safety and operational flexibility beyond that provided through deterministic approaches alone. But there can be potential pitfalls. The limitations of risk assessment technology can be lost through approaches that rely heavily on quantitative PRA results (referred to as risk measures in this paper), because of the unambiguous but potentially misleading message that can be delivered by risk-based numbers. This is particularly true for future reactors, where PRAs are used during the design and licensing processes. For these applications, it is important to ensure that the actual, de facto, or even perceived use of risk measures in the context of either regulatory or design acceptance criteria is avoided. While the issues discussed here can have a significant influence on design certification or combined license applications for future reactors, they can also have secondary impacts on currently operating reactors.

Published by Elsevier Ltd.

1. Introduction

Probabilistic risk assessment (PRA) results and insights have helped to improve nuclear power plant safety and operational flexibility for more than 30 years. This success has led to increased use of PRAs by the nuclear industry and regulatory authorities worldwide. While this trend is largely positive, there can be potential negative consequences that have not been widely discussed in related literature, with some exceptions (e.g., [1]).

It was because of this positive contribution to safety that the US Nuclear Regulatory Commission (NRC) gradually refined its original deterministic-based nuclear safety regulations by incorporating the use of risk information and insights within a risk-informed framework.

Risk-informed regulations for the current fleet of operating light-water reactors (LWRs) are defined through a combination of rule-making and publication of lower-tier documents, such as regulatory guides or NRC's endorsement of certain nuclear industry documents. Thus, in a risk-informed framework, risk information and insights supplement the traditional deterministic approaches and form a part of the overall safety case (which is sometimes referred to as the safety basis) for a nuclear plant. The Commission has also called for increased use of PRA technology in all regulatory matters in a manner that complements NRC's predominantly deterministic approaches within the confines of a risk-informed, as opposed to a risk-based, regulatory construct. Some of the distinguishing features between the two are also discussed in this paper.

The nuclear industry also has used PRA techniques extensively with beneficial results, including in the design of advanced or evolutionary nuclear reactors. These benefits are, in part, related to the fact that these same users can also control and limit the influence of the incomplete safety information that is provided through the results of the PRA alone. Factors that are usually not fully accounted for in a PRA model but are germane to the consideration of adequacy of safety features for a specific issue or accident scenario may include: magnitudes of relevant safety margins, incorporation of defense in depth, potential for corrective or compensatory actions, degree of conservatism in analysis, and many others. The very same PRA information, however, when used to comply with well-intentioned regulatory policies and approaches can lead to some undesirable consequences. Some of the undesirable consequences in applications involving future reactors are also discussed below.

PRAs provide both qualitative and quantitative information. Recent trends in the development of new risk-related approaches, whether they are performed by the regulatory staff, nuclear industry, or other domestic or international bodies, are towards heavier emphasis on the use of quantitative PRA results (interchangeably referred to as risk measures in this paper). It is well known that quantitative results of PRAs, in particular, are subject to various types of uncertainties. Examples of these uncertainties include probabilistic quantification of single and common-cause hardware or software failures, occurrence of certain physical phenomena, human errors of omission and commission, magnitudes of source terms, radionuclide release and transport, atmospheric dispersion, biological effects of radiation, dose calculations, and many others. Unlike deterministic uncertainties related to physical phenomena (e.g., neutronics, thermal-hydraulics), PRA uncertainties are not readily reducible in most instances. Uncertainties associated with physical phenomena can often be reduced by tests, experiments, operating experience on actual or prototype designs, or improvements in analytical models or computational capabilities. Despite this well-known limitation, if quantitative PRA results are used in the context of risk acceptance criteria (i.e., when they are compared against a set of threshold values established by either the industry or the regulator), it would be difficult to counter the unambiguous but potentially misleading or incorrect message that is delivered by such a number-based process; i.e., implying that a design is unacceptable or unsafe because it did not meet a particular risk-based numerical threshold (labeled as a risk acceptance criterion).

[ARTICLE IN PRESS] Reliability Engineering and System Safety 95 (2010) 935-943. doi:10.1016/j.ress.2010.04.001. Contents lists available at ScienceDirect; journal homepage: www.elsevier.com/locate/ress. 0951-8320/$ - see front matter. Published by Elsevier Ltd. E-mail address: kamiar.jamali@hq.doe.gov

An important issue that is outside the scope of this paper, but is worthy of a detailed discussion of its own, is that the introduction and impact of PRAs in the design and licensing stages for a future reactor is by and large different from the way that risk-informed regulations have been applied to existing reactors.

Currently operating reactors had a deterministically established licensing basis (which included the plant's safety basis) before plant-specific or generic risk information and insights were made available through PRAs. The PRAs generally confirmed that the original deterministic approach to design and licensing was conservative (e.g., plants could respond to some accident scenarios in manners that were not credited in the deterministic analyses) and further identified changes that could improve plant design or operational safety. Meeting the deterministic requirements meant that implementation of their attendant provisions embodied within the concepts of defense in depth, safety margins, conservative assumptions and analyses, quality assurance, and numerous other factors (many of which are not readily measurable within a PRA model) created a safety cushion or margin that protected these plants from uncertainties, including those from "unknown unknowns" (for which a euphemism can be "emerging safety issues", as discussed in Section 2). On the other hand, PRA models have to rely on realistic inputs to ensure that risk-significant insights are not obscured by artificially biased results derived from the application of uneven conservatisms. Therefore, great care must be exercised in bringing PRAs into the design process to ensure that the fundamental pillars of the deterministic safety assurance process mentioned above are not unduly compromised. Thus, for future reactors, use of risk information can have a far more significant impact on the safety basis of the plant, including the potential to drive some key design decisions.

The intent of risk-informed regulations is to ensure that their influence is positive in safety tradeoff decisions.

2. NRC's approach to safety goals and risk acceptance criteria

NRC published the Safety Goals Policy Statement on August 8, 1986 [2]. While the text of this Policy Statement does use the phrase "acceptable risk", the title and the rest of the discussions were careful to avoid the use of the Quantitative Health Objectives (QHOs) of prompt fatalities (PFs) and latent cancer fatalities (LCFs) as regulatory risk-acceptance criteria. In other words, the selection of the terminology of "safety goals" was very deliberate. An important attribute of the calculation of plant-specific PFs and LCFs for comparison with the dual QHOs is that both are by necessity integral quantities that are derived from the contributions of all accident scenarios that are considered in the plant-specific PRA model.

The Commission's 1995 PRA Policy Statement on use of PRA methods in nuclear regulatory activities [3], which was issued in the aftermath of the completion of PRAs for all operating nuclear plants in accordance with the Individual Plant Examinations Generic Letter [4], states, in part:

"The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on the need for proposing and backfitting new generic requirements on nuclear power plant licensees."

The Commission approved the staff's White Paper on Risk-Informed and Performance-Based Regulation in March 1999 [5], which provided definitions of risk-informed and risk-based regulations. It reiterates that the Commission does not endorse an approach that is risk-based, wherein decision-making is solely based on the numerical results of a risk assessment.

Regulatory Guide 1.174 [6] established the framework for risk-informed regulations in applications regarding making plant-specific changes to the licensing basis. Its approach ensures that numerical PRA results would not form the sole basis for making nuclear safety decisions by listing five key principles (i.e., meeting current regulations [which are primarily deterministic], meeting defense-in-depth principles, maintaining sufficient safety margin, keeping increases in risk small, and monitoring performance) that have to be met for a risk-informed approach.

Clearly, current regulations are by and large based on deterministic requirements. A key portion of the section on scope (Section 1.4) states:

"… The NRC has chosen a more restrictive policy that would permit only small increases in risk, and then only when it is reasonably assured, among other things, that sufficient defense in depth and sufficient margins are maintained. This policy is adopted because of uncertainties and to account for the fact that safety issues continue to emerge regarding design, construction, and operational matters notwithstanding the maturity of the nuclear power industry. These factors suggest that nuclear power reactors should operate routinely only at a prudent margin above adequate protection. The safety goal subsidiary objectives are used as an example of such a prudent margin."

The clause about continual emergence of safety issues for plants with many years of operating experience is an alternative way to state the concern regarding uncertainties about the unknown unknowns that are a more signi"cant concern for future reactor designs.

One reason that Regulatory Guide 1.174 has worked well in application is that it was intended for operating plants with a primarily deterministic licensing basis already in place, which means that the plants were already determined to be safe before applying the results of plant-speci"c PRAs.

Finally, Note 2 of Chapter 19 of the Standard Review Plan (SRP) [7] states that the QHO surrogates of Core Damage Frequency (CDF) and Large Release Frequency (LRF) are goals and not regulatory requirements.

The key conclusion from the above is that the NRC Commissioners have not endorsed a risk-based approach to regulation because of the uncertainties in quantitative results of PRAs. These uncertainties are large for currently operating nuclear plants, particularly in the so-called Level 2 and Level 3 PRAs. It should not be overlooked that the large uncertainties in the estimates of probabilities for hardware failures and human errors, and in the understanding and probabilistic quantification of the occurrence of some physical phenomena in PRAs of currently operating reactors, only seem smaller because of repeated reuse. Treatment of uncertainties in severe accident progression and delineation has always been limited in risk assessments performed to date, even in the studies that went the furthest in such analyses, such as NUREG-1150 [8].

Another important consideration, also related to the general category of uncertainties, is the issue of the state-of-the-art in PRA methods and data. This is an issue for risk modeling of all reactor designs, as alluded to above, and it is especially so for designs that primarily rely on passive safety functions performed by safety-related Systems, Structures, and Components (SSCs) and digital systems (e.g., in instrumentation and control, I&C). The current state-of-the-art does not permit high-quality modeling for reliability evaluations of these systems. In particular, there is considerable uncertainty with respect to the contribution of software common-cause failures (CCF) to digital system reliability. For the potentially safer and more passive advanced reactor designs, it is possible that digital systems and human errors of commission (due in part to longer time constants; see, e.g., [13]) might have a higher relative risk contribution, a contribution that may be difficult to assess with any significant level of confidence.

These issues offer additional reasons to apply quantitative PRA results judiciously for future nuclear plants.

The Commission also offered another goal of 1E-6/yr within the Safety Goals Policy Statement for the frequency of large releases to the environment, for further staff examination. A definition for "large release" was not offered in that document [2]. In [9] the staff considered several options and finally recommended that a large release be defined as a release that has the potential for causing an offsite early fatality. Several other SECY papers (SECY denotes papers submitted to the Commissioners by the NRC staff), Staff Requirements Memoranda (SRMs), and Advisory Committee on Reactor Safeguards (ACRS) letters to the Commission (e.g., [10]) were devoted to this subject. The Commission directed the staff to ensure that their evaluation of large release magnitude be consistent with ACRS-proposed guidelines linking the hierarchical levels of the safety goal objectives, where the large release guideline was considered the third-level objective (the qualitative and quantitative health objectives were the level one and two objectives). According to these guidelines, each subordinate level of the safety goal objectives should:

- be consistent with the level above,
- not be so conservative as to create a de facto new policy,
- represent a simplification of the previous level,
- provide a basis for assuring that the Safety Goal Policy Objectives are being met,
- be defined to have broad generic applicability,
- be stated in terms that are understandable to the public, and
- generally comply with current PRA usage and practice.

In the end, the staff reached the overall conclusion that development of a large release definition and magnitude, beyond a simple qualitative statement related to the frequency of 1E-6/yr, is neither practical nor required for design or regulatory purposes.

In addition, based upon the work done evaluating large releases in NUREG-1150 [8] and other related activities, the staff noted that the general performance guideline of 1E-6/yr and the CDF subsidiary objective of 1E-4/yr are not consistent with the original QHOs [11] (i.e., they are more conservative, and the degree of conservatism depends on the specific plant).

In addition, the Commission rejected the use of 1E-5/yr of reactor operation as a CDF goal for advanced designs in SECY-90-016 [12] and its SRM. This rejection should be examined together with a series of Commission Policy Statements on regulation of advanced reactors. The last in the series, published in October of 2008 [13], states:

"The Commission expects, as a minimum, at least the same degree of protection of the environment and public health and safety and the common defense and security that is required for current generation light-water reactors. Furthermore, the Commission expects that advanced reactors will provide enhanced margins of safety and/or use simplified, inherent, passive, or other innovative means to accomplish their safety and security functions. The incorporation of enhanced safety margins may help offset the effects of added uncertainties in the PRA model and/or in accident analyses arising from the novelty of advanced reactor designs." [Elsewhere other attributes of advanced designs are described as: reliable and less complex shutdown heat removal systems; longer time constants and sufficient instrumentation; simplified safety systems; minimize potential for severe accidents by incorporating redundancy, diversity, safety system independence; incorporate defense-in-depth; etc.]

The important aspects of this Policy Statement are: (a) it contains only qualitative but well-proven principles for enhanced safety of nuclear reactor designs, and (b) it specifically lacks any risk-based numerical criteria. Because of large uncertainties of risk-based numerical results, risk analysts typically do not consider variations of less than factors of 10 or so in such numbers as meaningful increments. Risk experts may convert the above policy statement into a corresponding numerical criterion by providing an order of magnitude as the smallest discriminator for deciding how much safer advanced reactors should be than current reactors. This, however, is a non sequitur and a problem inherent to risk-based calculations. An order of magnitude is a very large increment in the real world, and current nuclear reactors are already much safer than any other comparable industrial facilities and hazardous human activities. Ultra-conservatism in design has a price, both economically and operationally. As discussed in Section 3, the proposed new surrogate numerical risk-based criteria can be far more restrictive than the QHOs. They are also quantitatively unpredictable in real risk space and not comparable with QHOs, as they are non-integral measures of risk. They are more restrictive in the sense that a reactor that in a hypothetical case may fail to meet some of the new criteria (described in Section 3) can still meet the QHOs by orders of magnitude.

In spite of the above discussions and the broad policy guidance by the NRC Commissioners, this paper's observation is that throughout many publications of the national and international regulatory agencies and commercial entities, there is an increasing trend toward more prevalent use of risk-based regulatory concepts in general, and the use of some form of numerical risk thresholds as acceptance criteria vis-a-vis safety goals, in particular.

For example, a number of NRC staff documents (e.g., [14,15]), as well as industry and international publications (e.g., [16-23]), have employed various types of risk-acceptance criteria (consistent with the terminology employed within the documents) which involve some form of a frequency versus consequence (FC) curve, or FC anchor points or regions. It can be shown that these approaches generally establish much more restrictive numerical thresholds than the QHOs, and are applied as non-integral quantities. While the intentions behind this trend are noble and motivated in part by a desire to continuously improve nuclear reactor safety, and in part by the Commission Policy Statements on regulation of advanced reactors [13], their actual implementation can lead to a number of undesirable consequences, as discussed in Section 3.

3. Critique of frequency-consequence curve from NUREG-1860

This section presents a brief review of a specific section (i.e., the discussion on the FC curve as a potential risk threshold for Licensing Basis Events) of the representative, and probably the most high-profile, document among the international references mentioned above, namely NUREG-1860 [15], and describes some issues that can arise in using similar approaches with regard to numerical risk assessment results. NUREG-1860 does address deterministic requirements and defense-in-depth guidelines, but a discussion of these topics is beyond the scope of this paper.

An important part of the reason for the prominence of NUREG-1860 in these discussions is SECY-07-0101 and its Staff Requirements Memorandum [24], in which the Commission directed the NRC staff to test the concept of this framework on an actual future reactor design.

The most likely candidate for the application of this Risk-Informed and Performance-Based Regulatory Structure for Future Plant Licensing is the Next Generation Nuclear Plant (NGNP) [25]. The ramifications of this action can go beyond the NGNP license application, and potentially have a significant impact on all future reactors, particularly advanced reactors that would largely constitute the group that is currently referred to as the Small Modular Reactors (SMRs). Moreover, they can create an environment for raising and/or revisiting questions on whether currently operating reactors are indeed safe enough, even though this question had been emphatically put to rest with a positive response in the past.

The issue that this section examines is whether the use of numerical results of PRAs (i.e., risk measures) to be compared against pre-established risk thresholds (i.e., risk-acceptance criteria), as employed in NUREG-1860 and the similar approaches in the other referenced documents listed above, is akin to modifying NRC's long-established risk-informed regulation paradigm towards one of being risk-based; and whether these approaches could lead to other, unintended consequences.

Discussions in Sections 2.5.1, 3.2.2, 6.2.2, and 6.3 of NUREG-1860 state:

- The FC curve is used in the following ways:

  1. For the selection of Licensing Basis Events (LBEs) (discussion and definition provided in [15]), including frequent, infrequent, and rare events.

     - This paper notes that the retention of accident scenarios other than severe accidents in the PRA beyond the initial screening stage creates an entirely new type of PRA that is, among other things, much larger than the current PRAs. Current PRAs do not retain for further analysis accident scenarios that terminate in states other than one of any pre-defined consequence categories, often referred to as plant damage states. For current plants these generally involve core damage, based on predefined thresholds (e.g., peak cladding temperature above 2200 °F). The NUREG-1860 PRA method would additionally include all intermediate accident scenarios, from simple initiating events to those intermediate scenarios that are terminated successfully before reaching any plant damage state, as well as the traditional PRAs' plant damage state scenarios. This type of PRA can become significantly larger than the traditional PRAs, depending on the specifics of the methodology chosen by the analysis team. A significant increase in the level and complexity of the PRA can lead to problems of cost, configuration control, difficulty of analysis of results and review, and issues regarding quality assurance of the product.

  2. Possibly as a surrogate risk metric to the QHOs, because the CDF metric for LWRs is not fully applicable to all advanced reactors (such as the high-temperature gas-cooled reactor, HTGR); and

  3. As a guide to designers, i.e., it relates the frequency of potential accidents to acceptable [emphasis added] radiation doses at the site boundary from these accidents.

Fig. 6.2 of NUREG-1860, reproduced here as Fig. 1, is an example of a worldwide and industry-wide trend (documented in Refs. [14-23]). The ACRS expressed a number of concerns with earlier versions of this curve [26].

NUREG-1860 indicates that doses in Fig. 1 are total effective dose equivalents (TEDEs, which include the 50-year committed dose) calculated at the site boundary on a per-scenario basis.

Additional discussion related to this figure, and those in a number of other references, e.g., [14,18,27], also reiterates a questionable relationship between an accident frequency of 1E-4/yr, a dose of 25 rem, and design basis accidents (DBAs). First, it is important to note that many traditional DBA frequencies are demonstrably below this frequency, when initiating event frequencies are combined with the partial failure probabilities of safety systems imposed by the requirements of the single failure criterion. For example, in the last paragraph of page 6-7 of NUREG-1860 it is stated that:

"… while those in the range of 1-25 rem are assigned a frequency of 1E-4 per year. The DBA off-site dose guideline in 10 CFR 50.34 [29] and 10 CFR 100 [30] is 25 rem." [Note: The relationship, or a lack thereof, between a dose of 25 rem and DBAs is discussed in Section 5.]

"… doses in the range of 25-100 rem are assigned a frequency of 1E-5 per year."

"… doses in the range 100-300 rem are assigned a frequency of 1E-6 per year, 300-500 rem a frequency of 5E-7 per year, and the curve is capped beyond doses greater than 500 rem at 1E-7 per year."

This paper proposes that using Fig. 1 in regulatory or even design applications as suggested in NUREG-1860 can lead to a number of unintended consequences for two principal reasons: (1) the use of the labels of "acceptable" and "unacceptable", and (2) comparison of the embedded criteria against the attributes of individual accident scenarios (as opposed to integral measures of risk, such as CDF or LCFs). Specifically:

- The Commission has long avoided establishing any kind of risk-based acceptance criteria by endorsing the QHOs as safety goals. As stated earlier, the significant roles played by both the uncertainties and the state-of-the-art (both of which are exacerbated for future/advanced reactors with little or no operating experience) associated with the PRA model of a plant are the main drivers for this decision. In accounting for uncertainties, the PRA model can only provide some treatment of the known uncertainties through propagation of parameter uncertainties and performing sensitivity studies (to address some modeling uncertainties), and is generally incapable of handling uncertainties associated with (lack of) completeness inherent to the analytical models and many other factors (e.g., impact of safety margins). Even then, the use of representative parameters (such as the mean) associated with the frequencies and consequences of individual or integrated accident scenarios has limitations of its own, as the types and widths of the underlying distributions of the input random variables are generally assigned by subjective judgment. It is clear that these issues become more dominant in analyses of future/advanced reactor designs with less knowledge about several key aspects of the safety of the design, such as the fidelity of analyses in thermal-fluids, neutronics, fission product transport, material properties at high temperatures, component reliabilities, and the unknown unknowns.

- The QHOs have a logical relationship with the risk that the members of the public are otherwise exposed to, as articulated in the qualitative health objectives. They establish the risks of nuclear power plant operations at a small fraction of the risks that the members of the public (not the general public at large, but those living in the vicinity of the plant) are already exposed to. A reduction in these risks for future reactors proposed by any stakeholder (which would be consistent with the stated qualitative goal of the Commission) should be within reason and not so drastic as to deprive the same population of the benefits that they may otherwise realize from operation of these reactors.

 Plant-speci"c PFs and LCFs are calculated for comparison against the QHOs. Both of these, as well as the more widely used surrogate metrics to QHOs, such as CDF and LRF for LWR applications, are integral quantities that are derived from the contributions of all accident scenarios that are considered in the plant-speci"c risk model. Integral risk measures incorpo-rate at least three important properties:

1. De"nition or characterization of individual accident scenar-ios is dependent on both the speci"c PRA model (e.g.,

large fault tree/small event tree versus small fault tree/large event tree) and the speci"c plant design (e.g., complex with more active safety systems versus less complex with more passive safety systems). Integrated risk measures are not subject to such dependencies on the calculation model or plant design.

J It will be a challenge to establish criteria to ensure that individual accident scenarios are de"ned or character-ized at the same level of resolution across different plant designs and associated PRA models for use with this type of FC curve construct. The system would be inherently unstable and dependent on subjective inter-pretations by all sides in a dispute.

2. Relative uncertainties decrease when the associated ran-dom variables are summed, and they increase when the random variables are multiplied. Therefore, the effects of uncertainties are minimized when integrated risk measures are used as opposed to when intermediate and product quantities, such as frequencies and consequences of individual accident scenarios are used.
3. Comparison of any partial level of plant risk, such as those that are based on individual accident scenarios, against some quantitative criteria can misinform or even mislead. The potential for misinformation is large because it would not be known what fraction (is it 0.001% or 10%) of the overall integral risk (even within the same category, such as internal events) is being compared against the criteria.

   - Thus, the risk of an individual scenario would not, and should not, necessarily be unacceptable if it falls in the unacceptable region of an FC curve, because the QHOs (as safety goals) might still be met with large margin.

   - A converse corollary is that the risk of individual scenarios should not necessarily be viewed as acceptable in the other region either, as a prudent approach to safety assurance always seeks to incorporate reasonable additional controls wherever a proper qualitative engineering judgment or a quantitative analysis so dictates. Falling within the acceptable region could deprive the designers and others of thorough engineering thinking in the safety design process.
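The following is an added example, not part of the paper, that checks property 2 above. It uses the coefficient of variation (CV = standard deviation divided by mean) as the measure of relative uncertainty, treats scenario frequencies and consequences as independent random variables, and cross-checks the closed-form result by Monte Carlo with lognormal distributions (the usual PRA choice). The sequence frequencies, doses and CVs are constructed inputs chosen to match the ten-sequence case discussed later in the paper, not values from any real PRA.

```python
"""Relative uncertainty of integral (summed) versus scenario-level (product)
risk quantities.

Added example, not from the paper. It checks that for independent random
variables the CV of a sum is smaller than the CV of its terms, while the CV
of a product is larger than the CV of its factors. All numbers below
(sequence frequencies, doses, CVs) are constructed inputs.
"""
import math
import random


def cv_of_sum(means, cvs):
    """CV of a sum of independent random variables with given means and CVs.

    Var(sum X_i) = sum Var(X_i) = sum (cv_i * mean_i)^2 and E(sum X_i) = sum mean_i,
    so for n identical terms the CV shrinks by a factor 1/sqrt(n).
    """
    total_mean = sum(means)
    total_var = sum((cv * m) ** 2 for m, cv in zip(means, cvs))
    return math.sqrt(total_var) / total_mean


def cv_of_product(cvs):
    """CV of a product of independent random variables with given CVs.

    For independent factors E(prod X_i^2) = prod E(X_i^2), which gives
    1 + CV_prod^2 = prod (1 + cv_i^2), hence CV_prod >= max(cv_i).
    """
    factor = 1.0
    for cv in cvs:
        factor *= 1.0 + cv ** 2
    return math.sqrt(factor - 1.0)


def scenario_risk_cv(freq_cv, dose_cv):
    """CV of one scenario's risk, frequency x consequence."""
    return cv_of_product([freq_cv, dose_cv])


def integral_risk_cv(freqs, doses, freq_cvs, dose_cvs):
    """CV of the integral risk sum_i f_i * c_i over independent scenarios."""
    means = [f * c for f, c in zip(freqs, doses)]
    cvs = [scenario_risk_cv(fc, dc) for fc, dc in zip(freq_cvs, dose_cvs)]
    return cv_of_sum(means, cvs)


def lognormal_from_mean_cv(rng, mean, cv):
    """Draw one lognormal sample with the requested arithmetic mean and CV."""
    sigma = math.sqrt(math.log(1.0 + cv ** 2))
    mu = math.log(mean) - 0.5 * sigma ** 2
    return rng.lognormvariate(mu, sigma)


def _cv(values):
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / (len(values) - 1)
    return math.sqrt(var) / mean


def monte_carlo_cvs(n_scenarios=10, freq=2e-6, dose=30.0, freq_cv=1.0,
                    dose_cv=0.5, samples=20000, seed=1):
    """Empirical CVs of (a) one scenario's risk and (b) the sum of n_scenarios
    independent, identically distributed scenario risks.

    Returns (scenario_cv, integral_cv). Constructed inputs, seeded so the
    result is reproducible.
    """
    rng = random.Random(seed)
    single, total = [], []
    for _ in range(samples):
        risks = [lognormal_from_mean_cv(rng, freq, freq_cv)
                 * lognormal_from_mean_cv(rng, dose, dose_cv)
                 for _ in range(n_scenarios)]
        single.append(risks[0])
        total.append(sum(risks))
    return _cv(single), _cv(total)


if __name__ == "__main__":
    freqs, doses = [2e-6] * 10, [30.0] * 10
    fcv, dcv = [1.0] * 10, [0.5] * 10
    print("single-scenario risk CV  :", round(scenario_risk_cv(1.0, 0.5), 3))
    print("integral risk CV (10 seq):",
          round(integral_risk_cv(freqs, doses, fcv, dcv), 3))
    print("Monte Carlo (scenario, integral):", monte_carlo_cvs())
```

With a frequency CV of 1.0 and a consequence CV of 0.5, each scenario's risk carries a CV of about 1.22, larger than either factor; the sum of ten such independent scenarios has a CV of about 0.39. The closed forms hold for any independent distributions, not only lognormal ones; the Monte Carlo run is there to show the effect on sampled data rather than to prove it.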

- If it is assumed that a future design of an HTGR or an SMR meets the FC curve, then the NRC will be on record for certifying that the level of risk-based safety of this design is acceptable, and in contrast, any design that does not meet this level of safety, even for a single accident scenario with all the attendant uncertainty, is unsafe. The same problem is encountered even if the governing document is from the industry, whether or not it is explicitly endorsed by the NRC, such as an ASME or ANS standard as in [18]. How could the regulator accept a design with one or more accident scenarios in the unacceptable region when the governing industry standard itself has labeled it as such?

Fig. 1. Frequency versus consequence curve (Fig. 6.2) of NUREG-1860.

K. Jamali / Reliability Engineering and System Safety 95 (2010) 935-943 939

- Some current LWRs will likely not meet this FC curve. A misunderstanding of the intent of this curve and the role that NUREG reports play at NRC could lead some to incorrect conclusions concerning the adequacy of safety of current plants, because the NRC and/or the nuclear industry themselves (as, e.g., in [15,18]) have labeled plants that do not meet this curve as unacceptable.

- The FC curve is, in fact, introducing new and more restrictive acceptance criteria than the QHO safety goals, as is evident by inspection and as mentioned in [15], in contradiction to the ACRS guidance mentioned above.

- The combined effect of using risk metrics as acceptance criteria and applying them on the level of individual accident scenarios can lead to other undesirable outcomes. Future reactor designs offering lower total (integrated) risk than current operating reactors may be erroneously labeled as unsafe and not be pursued, or be burdened with costly and unnecessary design modifications.

   - An example of the above (involving a potentially safer future reactor design) is a reactor coolant line break for a high-temperature gas-cooled reactor (HTGR). In a hypothetical case, it can be assumed that an applicant calculates the frequency and the consequences of the scenario in a way that allows them to show that it is acceptable. Anyone inclined to question the validity of the calculations can: (a) point to the degree of uncertainty in the pipe break frequency because of the very limited number of years of operating experience with these reactors; (b) point to conditions such as high operating temperatures as additional reasons for a much higher failure frequency potential than in the LWR experience; and (c) challenge the assumed radionuclide airborne fractions produced by uncertainties in source terms (e.g., long-term diffusion of radionuclides through coated fuel particles, resuspension caused by vibration effects, higher temperatures, lower plateout, etc.). These challenges can lead to a conclusion that the scenario falls in the unacceptable region instead.

- Simple and/or passive reactor designs would have fewer accident scenarios than complex and active designs at the same level of accident scenario definition (e.g., system level) and within the same PRA model. The difference in the number of accident scenarios could be in multiples of 10 rather than in algebraic fractions. As a hypothetical example, two reactors may have the same risk profile, but the first has 10 sequences with 30 rem at 2E-6/yr each, and the second has one sequence with a consequence of 30 rem at 2E-5/yr. Under the FC curve construct, one is deemed acceptable and the other is not, which does not make sense in real risk space, since both carry an integrated risk of 6E-4 rem/yr.

   - Thus, the use of risk-based acceptance criteria on the level of individual accident scenarios (as opposed to integral quantities) may be viewed as penalizing simple and passive designs in favor of active and complex designs, in violation of the Commission Policy Statement on Advanced Reactors [13].
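The following is an added example, not part of the paper and not the NUREG-1860 curve. It screens individual sequences against a hypothetical FC curve with a firm acceptable/unacceptable boundary (the anchor points are constructed for this illustration and interpolated on log-log axes), and compares the outcome with the integrated risk. The two hypothetical designs are the ten-sequence and one-sequence cases from the paragraph above; a third call re-partitions the single sequence into ten equal sub-sequences to show how a change in model resolution alone, the point made in property 1 above, flips the scenario-level verdict.

```python
"""Scenario-level FC-curve screening versus integral risk.

Added example, not from the paper. FC_ANCHORS is a hypothetical curve
constructed for illustration; it is not the NUREG-1860 Fig. 6.2 curve.
"""
import math

# Hypothetical anchor points (frequency per year, dose in rem), ordered from
# high to low frequency. Constructed for this example only.
FC_ANCHORS = [
    (1e-3, 0.1),
    (1e-4, 1.0),
    (1e-5, 10.0),
    (1e-6, 100.0),
    (1e-7, 300.0),
]


def dose_limit(freq):
    """Dose on the FC boundary at the given frequency (log-log interpolation).

    Above the highest anchor frequency the first anchor's dose applies;
    below the lowest, the last anchor's dose (a cap) applies.
    """
    if freq >= FC_ANCHORS[0][0]:
        return FC_ANCHORS[0][1]
    if freq <= FC_ANCHORS[-1][0]:
        return FC_ANCHORS[-1][1]
    for (f_hi, d_hi), (f_lo, d_lo) in zip(FC_ANCHORS, FC_ANCHORS[1:]):
        if f_hi >= freq > f_lo:
            t = ((math.log10(f_hi) - math.log10(freq))
                 / (math.log10(f_hi) - math.log10(f_lo)))
            return 10 ** (math.log10(d_hi) + t * (math.log10(d_lo) - math.log10(d_hi)))
    raise ValueError("frequency not covered by anchors")


def classify(freq, dose):
    """Scenario-level verdict under the firm-boundary construct."""
    return "acceptable" if dose <= dose_limit(freq) else "unacceptable"


def integral_risk(scenarios):
    """Integrated risk: sum over scenarios of frequency x dose (rem/yr)."""
    return sum(f * d for f, d in scenarios)


def screen_design(scenarios):
    """Return (integral risk, number of scenarios flagged unacceptable)."""
    flagged = sum(1 for f, d in scenarios if classify(f, d) == "unacceptable")
    return integral_risk(scenarios), flagged


def split_scenario(freq, dose, parts):
    """Re-partition one sequence into `parts` equal sub-sequences (same dose,
    frequency shared out): a change of model resolution, not of risk."""
    return [(freq / parts, dose)] * parts


# Constructed designs from the paper's hypothetical case.
DESIGN_A = [(2e-6, 30.0)] * 10      # ten sequences, 30 rem at 2E-6/yr each
DESIGN_B = [(2e-5, 30.0)]           # one sequence, 30 rem at 2E-5/yr

if __name__ == "__main__":
    for name, design in (("A", DESIGN_A), ("B", DESIGN_B)):
        risk, flagged = screen_design(design)
        print(f"design {name}: integral risk {risk:.1e} rem/yr, "
              f"{flagged} of {len(design)} sequences unacceptable")
    print("B re-partitioned into 10 sub-sequences:",
          screen_design(split_scenario(2e-5, 30.0, 10)))
```

Under this curve the boundary dose is 5 rem at 2E-5/yr and 50 rem at 2E-6/yr, so design B's single sequence is flagged while none of design A's ten sequences is, although both designs integrate to 6E-4 rem/yr. Splitting B's sequence into ten sub-sequences clears the flag without changing the plant at all, which is the resolution dependence the paper warns about.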

- Again, because integral measures of risk are not obtained in this model, applications of these scenario-level and risk-based acceptance criteria will be variable for each design, specific PRA model, and reactor site. The variability can be substantial in some cases.

It is important that the NRC staff be cognizant of the above issues in complying with the Commission direction in testing the concepts embodied in NUREG-1860 in an actual licensing approval process for a future plant. The staff should ensure that their review will not deviate from the long-standing Commission precedents in establishing the many elements of a risk-informed approach. While this paper has touched upon only a few topics, future papers can discuss the use of PRA, including the introduction of a proposed technology-neutral generic risk measure that will allow for cross-comparison of the level of safety for different plant designs independent of site-specific characteristics; approach to defense-in-depth; selection of the so-called licensing-basis events; and selection of safety SSCs in a risk-informed and performance-based framework.

It should be added that alternative and complementary risk metrics to QHOs can be useful to a potential applicant for a design certification or combined license, for example to assist in determination of having reached a sufficient mix of preventive and mitigative features in a new design (i.e., safety design trade-off decisions) or to compare the relative safety of different designs.

The technology-neutral generic risk measure mentioned above will satisfy the latter need for future reactor designs for which the CDF and LRF metrics may not be fully applicable. An example of an alternative FC curve that can be effectively used for safety design trade-off decisions is discussed in Section 6.

4. Use of risk measures by industry

The impact of the aforementioned issues may not be as great in practice when the FC curve of NUREG-1860 or a similar construct is used only by the designer as opposed to the regulator. The designer can use such constructs or concepts as complementary information in an iterative manner throughout the design process.

A problem that may be encountered in that process is that a proper interpretation of some risk-based concepts may not be as intuitive for the designer, especially for those who are not PRA experts, as it may appear at first. In addition, manuals of practice, such as standards or guides that are developed by the industry, may be endorsed or referenced by the regulators and be used in ways that produce unintended results (e.g., leading to rejection of safer designs). For this reason, it is suggested that the use of quantitative PRA results in the context of design or regulatory risk-acceptance criteria be avoided by all. Instead, Section 6 provides an alternative construct that may be used by the industry that will accomplish the intended purpose (design safety trade-off decisions) without the negative connotations that are associated with NUREG-1860's version of an FC curve.

5. Interpretation of the 25 rem criterion used in 10 CFR 100/50.34

The 25 rem criterion used in 10 CFR 100 and 10 CFR 50.34 is often used as a de facto dose acceptance criterion for DBAs by the NRC staff. This usage is, however, contradictory to actual Commission policy and guidance as described explicitly in NRC regulations, as discussed in this section. Since a nuclear plant is designed to adequately respond to the occurrence of Design Basis Events (DBEs, which include Anticipated Operational Occurrences and Design Basis Accidents), the expectation is that the associated offsite consequences will be small (e.g., fractions of 25 rem TEDE).

This expectation, however, should be viewed as a safety goal or guideline as opposed to a dose acceptance criterion, as discussed below.

NRC Policy Statement on Severe Reactor Accidents [28] states:

Severe nuclear accidents are those in which substantial damage is done to the reactor core, whether or not there are serious offsite consequences. Based on this definition, the type of accidents described in 10 CFR 100 and 10 CFR 50.34 involving a substantial amount of core melt discharged into an intact containment is a Severe Accident, not a DBA. Elsewhere in this document, severe accidents are defined as a class of accidents which are beyond the substantial coverage of design basis events. And finally, it states that a new design for a nuclear power plant can be shown to be acceptable for severe accident concerns if it meets the acceptability of safety using an approach that stresses deterministic engineering analysis and judgment complemented by a PRA.

Note 7 of 10 CFR 50.34 carefully avoids the labels of acceptable or unacceptable dose to the value of 25 rem total effective dose equivalent (TEDE). Rather, it states that: "... this dose value has been set forth as a reference value, which can be used in the evaluation of plant design features with respect to postulated reactor accidents, in order to assure that such designs provide assurance of low risk of public exposure to radiation, in the event of such accidents."

With regards to the often cited accident that is the source of the 25 rem TEDE dose (10 CFR 100, or 10 CFR 50.34) [29] or [30], it is noted that:

(a) it is not an actual accident scenario, as the assumption of substantial core melt outside of the reactor vessel and inside the containment is the initial condition for the analysis, irrespective of the requisite sequence of events (i.e., the specifics of the other aspects of the plant design) that may or could have led to such conditions; (b) again, the Commission's Policy Statement on Severe Accidents [28] considers accidents involving substantial core damage as Severe Accidents, whether or not there are serious offsite consequences, which means that the characteristics of this accident should not be compared with DBAs; and (c) the magnitude of the calculated dose itself should not be viewed in terms of acceptability or a lack thereof. It is a dose value that is used in the evaluation of containment design (and size of the Exclusion and Low Population Zones) to assure low risk of public exposure to radiation in the event of accidents involving core melt (10 CFR 50.34, Note 7) in an intact containment.

The results of these analyses and calculations have little to do with the rest of the plant design, and thus should not be correlated with the safety and/or acceptability of the specific design (with the exception of the containment systems); and (d) it should be noted in particular that typical severe accidents (Beyond DBAs) in commercial-size LWRs could exceed this dose value by orders of magnitude, and thus:

- the 25 rem TEDE should not be viewed as a dose acceptance criterion for any accident scenario, DBA or Beyond DBA (such as severe accidents). This distinction is critical, as it may have substantial impacts on judging the safety of future designs. For example, in a hypothetical case, it can be assumed that an advanced reactor design has a risk profile that is orders of magnitude below comparable LWRs (in reactor size/energy output). It can be assumed further that the advanced reactor design has one DBA that is calculated to result in a 30 rem dose at the site boundary without a leak-tight containment. Would it make sense to require the design to employ a leak-tight containment system based on this scenario alone? The decision on whether the design has achieved adequate safety (within the context of accident analysis and PRA) should be derived from the consideration of all relevant information derived from the deterministic and probabilistic analysis of the accident(s) and the design attributes, such as margins, assumptions, uncertainties, potential corrective or mitigative features and factors, and other design options that could be considered.

It should also be noted that in judging the degree of seriousness of calculated exposure levels (which can be very different from actual exposures because of uncertainties), such as the 25 rem of 10 CFR 100, it is useful to be mindful of the exposure levels routinely accepted by members of the public. For example, numerous medical procedures expose the patient to doses of more than 1 rem, with at least one procedure reaching an estimated dose of 5.7 rem [31]. In addition, background radiation doses in certain parts of the country and the world can reach the rem range and as high as around 26 rem/yr [32] (another study of the same locality arrived at 70 rem/yr [33]). Ref. [32] found no greater incidence of cancer in the high dose population compared with those in neighboring areas of normal background radiation. Even a maximum background radiation of 1 rem/yr, which is observed in many parts of the country and the world, can be argued to be comparable to about 50 rem TEDE for a 50-year exposure.

6. An alternative frequency versus consequence curve

The motivation for use of an FC curve concept is, in part, to provide an indication of reaching adequate levels of preventive and mitigative measures (collectively referred to as controls in this paper) for various accident scenarios. An alternate and conceptual FC curve for satisfying this purpose that can be used by the applicant/reactor vendor in the design stage without the negative implications that were mentioned for the FC curve of NUREG-1860 is suggested in Fig. 2. Note that this scheme would only form a part of an integrated safety decision making process for a new design, such as the five-element process described in Regulatory Guide 1.174.

The key feature of this curve is that it is consistent with the concept of generating risk information and insights in support of deterministic approaches, not as a means for undermining a holistic approach to the nuclear plant safety assurance process.

This FC curve can be viewed as a design or operational safety optimization tool for use by the reactor designer or plant operator.

Fig. 2 incorporates several key considerations:

(i) This FC curve is also used with single accident scenarios (or scenario groups/event families).

(ii) This is an FC curve used and conceptualized by the designer or reactor vendor in the plant design stage to establish the basis for the decisions regarding incorporation of the initial set of controls, and each additional control to be potentially considered for a given accident scenario.

(iii) The use of risk-based acceptance criteria is avoided. There are no acceptable risk and unacceptable risk regions. It is important to eliminate this concept of risk-acceptability from the design optimization process, even in the mind of the designer.

(iv) One of the main objectives for selection of DBEs and Beyond DBEs is to establish the adequacy of controls. The two distinct regions are associated specifically with a decision on whether additional controls should be considered for the specific scenario.

(v) The two regions are separated by a band of perhaps an order of magnitude variation with diffused boundaries (such as in Regulatory Guide 1.174) on frequency and consequence, rather than firm boundaries. This is because any single parameter of scenario frequency or consequence (the mean is typically used for all) is itself subject to uncertainty and ensuing challenges, as the ranges of variability and the underlying distributions are generally assigned subjectively.

(vi) The consequence scale may be related to appropriate public health measures and/or cost-benefit for the inclusion of the additional control under consideration.

(vii) Since this curve is used as a design aid for the applicant, regulatory staff would have no position about the acceptability or the lack thereof associated with any part of its construct, including the anchor points. The regulator must use the totality of the safety information delivered by the design and the proposed operational plan that includes the traditional deterministic requirements along with the supplemental PRA information in concluding that the proposed plant is safe.

Note that the boundary region of essentially constant risk is only conceptual.

The designer may decide that in certain sub-regions and because of speci"c considerations, such as events with particularly high or low frequencies and/or consequences, and in those areas governed by existing regulations, deviations from the boundary region are warranted.
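The following is an added example, not part of the paper, of how a designer might encode the construct of items (i) through (vii). The band is a line of essentially constant scenario risk (mean frequency times mean consequence) with a diffuse edge of half a decade on either side, so that the whole band spans about one order of magnitude; the function returns a design-stage prompt about whether to look for further controls, never an acceptability verdict. The anchor risk, the band width, the low-frequency scope cut-off (standing in for the designer's discretion over sub-regions mentioned above) and the candidate controls with their reduction factors are all hypothetical values chosen for illustration.

```python
"""Design-aid FC band with diffuse boundaries.

Added example, not from the paper. Every numeric constant here is a
hypothetical design assumption, not a regulatory value.
"""
import math

ANCHOR_RISK = 1e-4        # rem/yr; centre of the constant-risk band (hypothetical)
HALF_WIDTH = 0.5          # decades either side, so the band spans about one order of magnitude
FREQ_SCOPE_FLOOR = 1e-8   # per year; the designer may treat rarer events by other considerations

CONSIDER = "consider additional controls"
JUDGMENT = "inside band: engineering judgment"
NO_MORE = "no further control indicated by this curve"
OUT_OF_SCOPE = "below frequency scope of this curve"


def band_offset(freq, dose):
    """Position of a scenario relative to the band centre, in decades of risk."""
    return math.log10(freq * dose / ANCHOR_RISK)


def advise(freq, dose):
    """Design-stage advice for one scenario (mean frequency, mean consequence).

    There is deliberately no 'acceptable' or 'unacceptable' outcome.
    """
    if freq < FREQ_SCOPE_FLOOR:
        return OUT_OF_SCOPE
    off = band_offset(freq, dose)
    if off > HALF_WIDTH:
        return CONSIDER
    if off < -HALF_WIDTH:
        return NO_MORE
    return JUDGMENT


def apply_control(scenario, control):
    """Apply a preventive (frequency) and/or mitigative (dose) control.

    control = (name, frequency_factor, dose_factor); factors <= 1 reduce risk.
    """
    freq, dose = scenario
    _, f_factor, d_factor = control
    return (freq * f_factor, dose * d_factor)


def iterate_controls(scenario, candidates):
    """Add candidate controls one at a time while the scenario still sits in
    the 'consider additional controls' region.

    Returns the list of (control name, advice after applying it) steps, so
    the designer sees which control moved the scenario into or past the band.
    """
    steps = []
    for control in candidates:
        if advise(*scenario) != CONSIDER:
            break
        scenario = apply_control(scenario, control)
        steps.append((control[0], advise(*scenario)))
    return steps


# Constructed scenario and hypothetical candidate controls.
SCENARIO = (2e-5, 30.0)
CANDIDATES = [
    ("preventive: redundant isolation", 0.1, 1.0),
    ("mitigative: confinement filtration", 1.0, 1.0 / 3.0),
]

if __name__ == "__main__":
    print("initial:", advise(*SCENARIO))
    for name, outcome in iterate_controls(SCENARIO, CANDIDATES):
        print(f"after {name}: {outcome}")
```

For the constructed scenario the first control brings it inside the band, where the curve stops giving direction and the remaining decision is left to engineering judgment; the second candidate is therefore not applied automatically. Item (vi) could be accommodated by replacing the dose axis with a cost-weighted consequence measure, which changes only the inputs to `advise`.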

7. Summary and conclusions

Risk-informed regulation is built around the concept of using traditional deterministic techniques of safety assurance supplemented by PRA information and insights. Traditional deterministic techniques include concepts such as incorporation of redundancy and diversity, incorporation of safety margins, application of defense in depth, application of quality assurance, etc. PRA results should play a limited and supportive role in making decisions about adequacy of safety in a risk-informed regulatory framework.

However, recent trends in the development of new risk-related approaches, whether they are performed by the industry, NRC staff or other domestic or international bodies, are towards heavier emphasis in use of quantitative PRA results. These risk measures are sometimes compared to risk threshold values that have attained an actual, or even a de facto, regulatory stature of risk acceptance criteria in certain instances. Such applications of risk measures for a nuclear reactor design or a specific plant are not always in keeping with the tenets of risk-informed regulation, which call for comparing (integral) measures of the calculated risk (e.g., PFs and LCFs or their suitable surrogates such as the CDF or the LRF) against QHOs (or their surrogate targets, e.g., 1E-4/yr for CDF) only as safety goals.

In addition, using numerical PRA results, particularly those that are not integral quantities, in a risk-acceptance context, even by the nuclear industry (as opposed to the regulators), can have numerous undesirable consequences. Examples of these among many discussed in the text include: the tendency to penalize simple, passive safety system designs in favor of complex, active designs; and future reactor designs offering lower integrated risk than those of the current and highly safe operating reactors may be erroneously labeled as unsafe and not be pursued, or be burdened with costly but unnecessary design modifications.

These issues can lead to serious unintended consequences in licensing of future reactors or creating new challenges regarding the safety adequacy of existing plants.

The paper also offered an alternative use for a frequency versus consequence curve as a design or operational safety optimization tool for use by the reactor designer or plant operator.

Disclaimer

The work related to the development of this paper was conducted at the request of the Director of the Advanced Reactor Programs at the Office of New Reactors (now retired) in the last quarter of 2008 at the US NRC, while the author was on loan from the US Department of Energy.

Neither the author, nor the United States Government, any agency thereof, or any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or any third party's use of the results of such use of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, or any agency thereof.

The views and opinions of the author expressed herein do not necessarily state or reflect those of the United States government or any agency thereof.

Acknowledgments

The author wishes to thank Dr. Don Dube (US NRC) who was the first expert to review the early versions of this paper and offered his broad and in-depth knowledge in support of its development. Mr. Alan Kuritzky and Drs. Mohsen Khatib-Rahbar and Doug True provided many useful insights.

Fig. 2. A conceptual accident sequence-level frequency versus consequence curve that can be used by the applicant during the design process.

References

[1] Chapman J, Hess SM. Risk-informed, technology-neutral design and licensing framework for new nuclear plants. In: ANS PSA 2008 topical meeting: challenges to PSA during the nuclear renaissance, Knoxville, TN, September 7-11, 2008.

[2] US NRC. Federal Register, 51 FR 30028. Safety goals for the operations of nuclear power plants, August 21, 1986.

[3] US NRC. Federal Register, policy statement on use of probabilistic risk assessment methods in nuclear regulatory activities, Final Policy Statement, August 16, vol. 60(158), 1995. p. 42622-9.

[4] US NRC. Generic Letter 88-20. Individual plant examination for severe accident vulnerabilities, November 23, 1988.

[5] US NRC. SECY-98-144. White paper on risk-informed and performance-based regulation, January 22, 1998. Staff requirements memorandum approved March 1, 1999.

[6] US NRC. Regulatory guide 1.174. An approach for using probabilistic risk assessment in risk-informed decisions on plant-speci"c changes to the licensing basis, Revision 1, November 2002.

[7] US NRC. NUREG-0800. US Nuclear Regulatory Commission standard review plan, Revision 3, March 2007 [Chapter 19].

[8] US NRC. NUREG-1150. Severe accident risks: an assessment for "ve US Nuclear Power Plants; October 1990.

[9] US NRC. SECY-89-102. Implementation of safety goal policy; March 30, 1989.

[10] US NRC. ACRS Letter to NRC Chairman, ACRS comments on an implementa-tion plan for the safety goal policy, May 13, 1987.

[11] US NRC. SECY-00-0198. Status report on risk-informed changes to the technical requirements of 10 CFR part 50 (option 3) and recommendations on risk-informed changes to 10 CFR part 50.44 (combustible gas control); September 14, 2000.

[12] US NRC. SECY-90-016. Evolutionary light water reactor (LWR) certification issues and their relationships to current regulatory requirements, June 26, 1990.

[13] US NRC. Federal Register, vol. 73 (199), NRC-2008-0237. Policy statement on regulation of advanced reactors, October 14, 2008. p. 60612-6.

[14] US NRC. NUREG-1338. Draft pre-application safety evaluation report for the modular high-temperature gas-cooled reactor, March 1989.

[15] US NRC. NUREG-1860. Feasibility study for a risk-informed and performance-based regulatory structure for future plant licensing, December 2007.

[16] General Atomics. Top-level regulatory criteria for the standard MHTGR, DOE-HTGR-85002, September 1989.

[17] European Commission. European safety approach for modular HTR, Document no. RAPHAEL-0903-D-ST4.2, Restricted distribution, April 15, 2005.

[18] ANSI/ANS-53.1-200X. Nuclear safety criteria and safety design process for modular helium-cooled reactor plants, Draft; June 23, 2008.

[19] Safety Report Series no. 54, accident analysis for nuclear power plants with modular high temperature gas cooled reactors, April, 2008.

[20] Hun-Joo Lee (Coauthor). Korea Institute of Nuclear Safety. Regulatory viewpoint on innovative VHTR development in Korea. In: 4th international topical meeting on high temperature reactor technology, September 28-October 1, 2008.

[21] NEI- 02-02. Nuclear Energy Institute. A risk-informed, performance-based regulatory framework for power reactors, May 2002.

[22] Jean Joubert (Coauthor). National Nuclear Regulator, South Africa. South African safety assessment framework for the pebble bed modular reactor. In: 4th international topical meeting on high temperature reactor technology, September 28-October 1, 2008.

[23] PBMR (Pty) Ltd. Probabilistic risk assessment (PRA) approach for the pebble bed modular reactor, Revision 1, June 12, 2006.

[24] US NRC. SECY-07-0101. Staff recommendations regarding a risk-informed and performance-based revision to 10 CFR part 50 (RIN 3150-AH81); June 14, 2007. Staff requirements memorandum approved September 10, 2007.

[25] US NRC. SECY-09-0056. Staff approach regarding a risk-informed and performance-based revision to part 50 of title 10 of the Code of Federal Regulations and Developing a Policy statement on Defense-in-Depth for Future Reactors, April 7, 2009.

[26] US NRC. ACRSR-2267. Development of a technology-neutral regulatory framework, September 26, 2007.

[27] Memorandum. E.V. Imbro to J.E. Dyer. Foreign travel trip report for the International Atomic Energy Agency Consultancy meeting to develop an IAEA safety guide on classification of structures, systems, and components from April 24 through April 29, 2006; May 5, 2006.

[28] US NRC. Federal Register, 50 FR 32138. Policy statement on severe reactor accidents regarding future designs and existing plants, August 8, 1985.

[29] Code of Federal Regulations, Title 10, Parts 1-50; January 1, 2008.

[30] Code of Federal Regulations, Title 10, Parts 51-199; January 1, 2008.

[31] Stabin MG. Doses from medical radiation sources. Health Physics Society. http://www.hps.org/hpspublications/articles/dosesfrommedicalradiation.html; Updated May 26, 2009.

[32] Karam PA. The high background radiation area in Ramsar, Iran: Geology, norm, biology, LNT, and possible regulatory fun. In: WM 02 Conference, Tucson, AZ, February 24-28, 2002.

[33] Jaworowski Z. Ionizing radiation and radioactivity in the 20th century. In: International conference on radiation and its role in diagnosis and treatment, Tehran, Iran, October 18-20, 2000.
