Resolution of Generic Safety Issues: Task II.C: Reliability Engineering and Risk Assessment (Rev. 3) (NUREG-0933, Main Report with Supplements 1–34)
The objective of this task was to develop and implement improved systems-oriented approaches to safety review. The NRC was to employ risk assessment methods to identify particularly high-risk accident sequences at individual plants and determine regulatory initiatives to reduce these high-risk sequences.
ITEM II.C.1: INTERIM RELIABILITY EVALUATION PROGRAM DESCRIPTION
The Interim Reliability Evaluation Program (IREP) was a planned multiplant reliability evaluation program to develop and standardize the reliability methodology involved in performing reliability and safety studies. This program was conceived in NUREG-0660 [48] as a pilot study with a scaled-up study of an additional 6 plants.
At the time this issue was evaluated, the pilot study had been completed on the Crystal River plant and the results reported in NUREG/CR-2515 [365]. Scaled-up analyses had been completed on 4 other plants and the results reported on 2 of these: ANO-1 (NUREG/CR-2787) [366] and Browns Ferry-1 (NUREG/CR-2802) [367]. Remaining to be studied was one additional plant, probably a Mark II BWR plant, the analysis of which was to include other common cause initiators, e.g., fires, seismic events, and floods, that were considered in the other IREP analyses. Thus, this issue addressed the completion of a shortened 5-plant version of the IREP program.
Based on published PRA studies of nuclear power plants, approximately one-third had predicted core-melt frequencies exceeding 10⁻⁴/RY.
The solution was to complete the planned analysis and report on the remaining plant.
It was assumed that those plants with core-melt frequencies exceeding 10⁻⁴/RY had an average core-melt frequency of 3 x 10⁻⁴/RY which could be reduced to 10⁻⁴/RY.
As stated in the assumptions above, it was assumed that there was one chance in three that the reactor to be analyzed would have a predicted core-melt frequency of 3 x 10⁻⁴/RY and that this frequency would be reduced to 10⁻⁴/RY, a frequency reduction of 2 x 10⁻⁴/RY or a probable core-melt frequency reduction of 6.7 x 10⁻⁵/RY.
The total whole body man-rem dose was obtained using the CRAC Code [64] for the release fractions and categories of a BWR as given in WASH-1400 [16]. The calculations assumed an average population density of 340 persons/square-mile (which was the average for U.S. domestic sites) from an exclusion area of one-half mile about the reactor to a 50-mile radius. A typical midwest plain meteorology was also assumed. It was further assumed that the reduction in public dose was in proportion to the reduction in accident frequency.
Assuming an average public risk exposure of 6.8 x 10⁶ man-rem/core-melt and an average remaining life of 27 years for BWRs, the reduction in core-melt frequency of 6.7 x 10⁻⁵/RY resulted in a reduction in public risk of 455 man-rem/RY and a total public risk reduction of 12,150 man-rem for all affected plants.
Industry Cost: The contract cost for performing the analyses involved with the prior IREP-assessed plants averaged $900,000/plant. Since the staff could not predict what could be identified by the analysis as candidate modifications to reduce risk, the plant change cost could not be estimated. However, based upon a risk reduction of 12,000 man-rem, it was cost-effective for plants to spend up to $12M for this reduction in risk.
NRC Cost: Review of the analysis and preparation of findings were estimated to cost $200,000 plus 0.7 staff-year, or $270,000. As in the case with the initial IREP plant analysis, it was assumed that the analysis cost would be borne by the NRC. This resulted in a total NRC cost of $1.2M.
Total Cost: The total industry and NRC cost associated with the solution to this issue was $(12 + 1.2)M or $13.2M.
Based on an estimated public risk reduction of 12,000 man-rem and a cost of $13.2M for a possible solution, the value/impact score was given by:
The findings from this analysis may have helped to identify generic safety issues for other reactors in the same class. An additional purpose of this evaluation was to demonstrate the suitability of newly developed methodology for the inclusion of external initiating events into PRA calculations. However, no credit for this benefit was considered or factored into the value/impact assessment.
Based on the value/impact score, this issue would have received a medium priority ranking. However, given the potential public risk reduction, it was given a high priority ranking (see Appendix C). Work completed by the staff in resolving the issue resulted in the publication of the following reports for the two remaining plants: NUREG/CR-3085 [810] and NUREG/CR-3511 [811] for Millstone-1 and Calvert Cliffs-1, respectively. A primary output of the IREP was NUREG/CR-2728 [812] which was a guide that documented methods, codes, and data used in the IREP. This guide was intended to provide guidance for PRAs performed subsequent to the IREP. Thus, this item was RESOLVED with no new requirements [813].
ITEM II.C.2: CONTINUATION OF INTERIM RELIABILITY EVALUATION PROGRAM
IREP was a planned multiplant reliability evaluation to develop and standardize the reliability methodology involved in performing reliability and safety studies. It was conceived in NUREG-0660 [48] that a National Reliability Evaluation Program (NREP) study, performed by licensees, should follow the IREP effort. This issue addressed the continuation of the IREP program to cover all the remaining operating reactors that were not covered in the initial IREP studies, to be performed either by the NRC or by licensees. Also, consideration was to be given to the inclusion of plants under design or construction.
Possible solutions ranged from the NRC sponsorship of an analysis of all plants, having the individual licensees perform an analysis on all or some plants, or reducing the effort to a limited study. The plan selected for this analysis consisted of three parts: (1) performance of an NREP by the licensees on the 4 plants without a risk/reliability analysis; (2) a careful review by the NRC of 7 other plants that had an existing PRA; and (3) an appraisal of the interim results of these reviews a year after implementation to consider the advisability of future extension of the NREP program to other plants. These 11 plants would be the same ones chosen for the first group of SEP Phase III plants.
At the time of this evaluation, there were 14 published PRA studies and the core-melt frequencies were predicted to be higher than 10⁻⁴/RY in about one-third of these studies. Thus, it could be assumed that, of the 11 plants to be studied, about 4 might have some hardware or procedural fixes implemented to reduce the likelihood of the most dominant accident sequences with respect to core-melt. In addition, there was the potential that these analyses would result in generic resolutions of identified safety issues which could reduce risk at other plants without the expense of plant-specific PRAs being performed at these plants; but this assumption remained to be proven. Calculations were based partly on an analysis [64] of the issue by PNL.
It was not unrealistic to postulate that 4 of the 11 reactors had an average core-melt frequency of 3 x 10⁻⁴/RY and that changes were possible to reduce the core-melt frequency to 10⁻⁴/RY. Therefore, a reduction in core-melt frequency of 2 x 10⁻⁴/RY was postulated for these 4 plants (3 PWRs and 1 BWR).
Assuming an average public exposure of 2.5 x 10⁶ man-rem and 6.8 x 10⁶ man-rem following a core-melt at a PWR and a BWR, respectively, the reduction in core-melt frequency resulted in a reduction in public risk of about 42,700 man-rem for the remaining life of the 3 PWRs and 36,700 man-rem for the remaining life of the BWR. This resulted in a total reduction in public risk of approximately 79,000 man-rem.
Industry Cost: Based on previous experience, the cost for each plant was expected to be between $1.5M and $2M to perform the NREP analysis (limited to analysis of core-melt from internal accident initiators), including a state-of-the-art systems interaction study of appropriate scope and depth. Using the upper bound licensee cost, it was assumed that licensee costs were $2M/reactor and, of this amount, $500,000 was the additional cost of performing the systems interaction in conjunction with the NREP. Thus, for the 4 plants to be analyzed, the cost for the NREP analysis would be $6M. For an effective cost-benefit ratio (based on a 79,000 man-rem risk reduction), the licensee backfit cost could be as high as $73M. Thus, the total industry cost was $(6 + 73) or $79M.
NRC Cost: The NRC cost was estimated to be $200,000 and 0.7 man-year/reactor. For the 11 reactors, this cost was $3.8M.
Total Cost: The total industry and NRC cost associated with the possible solution was $(79 + 3.8)M or $82.8M.
Based on an estimated public risk reduction of 79,000 man-rem and a cost of $82.8M for a possible solution, the value/impact score was given by:
The value/impact score was strongly influenced by the uncertainty of the cost figures for licensees. Considerable risk reduction had been achieved by procedural changes that could be developed and implemented at much less cost than equipment changes. Therefore, the cost of licensee implementation could have been considerably less than the cost used in this assessment.
Although the value/impact score would only warrant a medium priority ranking, the large potential risk reduction (brought about by the reduction in core-melt frequency for those plants that were above 10⁻⁴/RY) indicated a high priority ranking (see Appendix C).
Work completed by the staff in resolving the issue was closely related to the accomplishments under Item IV.E.5. Whereas Item II.C.2 called for the initiation of IREP studies (i.e., plant-specific PRAs) on all remaining operating reactors, Item IV.E.5 called for the development of a plan for the systematic assessment of the safety of all operating reactors. The Integrated Safety Assessment Program (ISAP), presented in SECY-84-133 [814] and SECY-85-160 [815], provided for a comprehensive review of selected operating reactors to address all pertinent safety issues and to provide an integrated cost-effective implementation plan for making needed changes. Under ISAP, each plant would be subject to an integrated assessment of safety topics, a probabilistic safety assessment, and an evaluation of operating experience.
NRC guidance, as described in the Severe Accident Policy Statement (see Item II.B.8), stated that OLs were expected to perform plant-specific PRAs to find instances of particular vulnerability to a core-melt or poor containment performance, given a core-melt. Thus, this item was RESOLVED and no new requirements were established [816].
ITEM II.C.3: SYSTEMS INTERACTION
The design of a nuclear power plant is accomplished by groups of engineers and scientists organized into engineering and scientific disciplines such as civil, electrical, mechanical, structural, chemical, hydraulic, nuclear, geological, seismological, and meteorological. The reviews performed by the designers include interdisciplinary reviews to assure the functional compatibility of the plant structures, systems, and components. Safety reviews and accident analyses provide further assurance that system functional requirements are met. These reviews include failure mode analyses to assure that the single failure criterion is met.
The design and analyses by the plant designers and the subsequent review and evaluation by the NRC, take into consideration some interdisciplinary areas of concern and account for systems interaction to a large extent. Furthermore, many regulatory criteria are aimed at controlling the risks from systems interactions. Examples include the single failure criterion and separation criteria.
Nevertheless, based upon operating experience, there was some question regarding the interaction of various plant systems, both as to the supporting roles such systems play and the effect one system can have on other systems, particularly with regard to whether actions or consequences could adversely affect the presumed redundancy and independence of safety systems. The objective of a systems interaction analysis was to provide assurance that the independent functioning of safety systems was not jeopardized by preconditions that cause faults to be dependent.
Concern over systems interactions was first documented explicitly by the ACRS in November 1974 when it was requested that the staff give "attention to the evaluation of ... potentially undesirable interactions between systems" from a multidisciplinary point of view. In October 1978, NUREG-0371 [2] was published and included Issue A-17, "Systems Interactions in Nuclear Power Plants." In May 1980, NUREG-0660 [48] provided for broadening the staff efforts in Item II.C.3. Efforts for the resolution of Item II.C.3 were included in activities for the resolution of Issue A-17.
This issue was not considered a separate issue since the safety concern was covered in Issue A-17.
ITEM II.C.4: RELIABILITY ENGINEERING
At the time this TMI Action Plan [48] issue was evaluated, there was no requirement for licensees to develop and implement a reliability assurance program. In the absence of such a requirement, it was difficult to determine the nature and extent of the effort that was being exercised by licensees to implement a reliability assurance program.
Typically, reliability assurance programs determine system availabilities, identify high component failure rates, determine basic causes for component failures, identify possible corrective actions, and perform other similar activities in what was generally called reliability engineering.
A possible solution was to develop a Regulatory Guide that would define the elements and functions necessary for an applicant to plan and establish an acceptable reliability program. Applicants would further be required to implement the operation of a reliability program as a part of the requirements to obtain a CP or OL. The functioning of the reliability program would be inspected as a part of the ongoing inspection program.
Issues of this nature are difficult to quantify since the results are highly speculative, depending upon such hard-to-quantify variables as management acceptance and backing. The approach used to estimate the effectiveness of this issue was to determine what might be a reasonable objective and evaluate the contribution to risk reduction that could be achieved and at what cost.
The defined objective for this evaluation was to maintain the reduction in core-melt frequency that was achievable by the NREP program. From previously published PRAs and IREP analyses, about one third of the plants had forecast accident frequencies that exceeded 10⁻⁴/RY. It was assumed that, without a dedicated effort, the accident frequency for these plants would rise to 2 x 10⁻⁴/RY at the end of their life. At a constant rate of increase in accident frequency over the remaining plant life, the average increase would be 5 x 10⁻⁵/RY. Release fractions were based on the Oconee-3 and Grand Gulf-1 plants. Calculations used below were based partly on an analysis [64] of the issue by PNL.
The reduction in core-melt frequency for 33% of the reactors was 5 x 10⁻⁵/RY as previously described.
The core-melt frequency reduction resulted in a risk reduction of 128.5 man-rem/RY for PWRs and 338 man-rem/RY for BWRs. Based upon 33% of all plants, 31 PWRs and 16 BWRs with average remaining lives of 28.5 years and 27 years, respectively, the risk reduction was estimated to be 120,900 man-rem for PWRs and 146,200 man-rem for BWRs. Thus, the total risk reduction was 267,100 man-rem.
Industry Cost: The cost/plant, based on the estimates in NUREG-0660 [48], was 10 man-years to establish a program and 1 man-year/RY for operation for the remaining life of each plant. These costs amounted to $143M for implementation and $400M for operation. Thus, the total industry cost was estimated to be $543M.
NRC Cost: Implementation was estimated to require 3 man-years at a cost of $300,000. The cost for operation was estimated to be 2 man-weeks/RY or $15.4M for the remaining life of all the reactors. Thus, the total NRC cost was estimated to be $15.7M.
Total Cost: The total industry and NRC cost associated with the possible solution was $(543 + 15.7)M or $558.7M.
Based on an estimated public risk reduction of 267,100 man-rem and a cost of $558.7M for a possible solution, the value/impact score was given by:
One of the factors that drove up licensee costs was the annual cost associated with the maintenance of the program. However, given the cost of replacement power at $300,000/day, one day of increased productivity from increased plant reliability would cover three years of forecast reliability program operating costs. Thus, a reliability program had economic incentives for licensees in addition to the safety incentives.
The risk reduction was calculated only for those plants that were predicted to have a core-melt frequency exceeding 10⁻⁴/RY. An additional reduction in risk would also be realized by maintaining the core-melt frequency at the calculated value on those plants that had a core-melt frequency less than 10⁻⁴/RY.
Based solely on the value/impact score, this issue would have been assigned a medium priority ranking. However, it was given a high priority ranking (see Appendix C) based on the potential substantial change in core-melt/RY frequency and the large cost incentive that could be realized by licensees through increased availability.
The technical issue at the time the TMI Action Plan [48] was published was that the essential elements and process of a reliability program applicable to operational safety had not yet been identified. Although NRC requirements, such as Appendices A and B of 10 CFR 50, strongly reflected reliability principles (i.e., safety margins, redundancy, diversity, and corrective action), these principles had been applied to nuclear power plants primarily in the design phase and not in the operations phase. Reliability engineering practices at nuclear power plants had not yet resulted in strategies to help achieve and maintain the 'designed-in' capability for reliable operation during the operating life of the plants.
The concept of an operational reliability program was based on a simple closed-loop strategy: monitoring and evaluating plant performance; identifying and prioritizing potential problems; diagnosing the causes; taking appropriate corrective actions; and verifying the effectiveness of these actions. The elements of a reliability program were summarized by the staff in RIL 158 [1130]. These elements were included among NRC initiatives to improve maintenance and better manage the effects of aging, to improve TS, and to develop and use plant performance indicators. Also, an operational reliability program that was an acceptable means of meeting the Station Blackout Rule (10 CFR 50.63) was to be described in Revision 3 to Regulatory Guide 1.9 as part of the resolution of Issue B-56, "Diesel Generator Reliability."
Based on the above findings, the staff concluded that the safety concern of this issue was addressed in other NRC programs and the issue was considered RESOLVED with no new requirements [1131].