Reactor Safety Goal Policy Statement

April 17, 2000

The Honorable Richard A. Meserve
Chairman
U.S. Nuclear Regulatory Commission
Washington D.C. 20555-0001

Dear Chairman Meserve:

SUBJECT: REACTOR SAFETY GOAL POLICY STATEMENT

During the 469^th through 471^st meetings of the Advisory Committee on Reactor Safeguards, February 3-5, March 1-4, and April 5-7, 2000, respectively, we discussed the staff's recommendations regarding possible modifications to the Commission's Reactor Safety Goal Policy Statement (SGPS). During these meetings, we had the benefit of discussions with representatives of the NRC staff and of the documents referenced.

BACKGROUND

The staff has identified, and made recommendations on, a set of eight issues for possible consideration in a revised SGPS:

1.	Plant specific usage of safety goals
2.	Subsidiary objectives [e.g., elevating core damage frequency (CDF) to a fundamental goal]
3.	Treatment of uncertainty
4.	Use of safety goals to define "how safe is safe enough"
5.	Definition of adequate protection and defense in depth
6.	Societal risk goals
7.	Land contamination goals
8.	Temporary changes in risk

In general, the staff has recommended little fundamental change in the SGPS with respect to these eight issues. The implication we draw from this is that the policy guidance with respect to these items would probably be misplaced in a SGPS. That is, the SGPS may not be the right vehicle to meet the need for policy guidance on these particular issues, which have actually arisen in the context of risk informing the regulations. Since there is still a strong need for policy guidance on these issues, we make the following recommendations.

RECOMMENDATIONS

An entirely new policy statement on risk-informed regulation should be developed that would include the following:

• Consideration of a "three-region approach" that defines CDF and large, early release frequency (LERF) boundaries that would be consistent with "adequate protection" and that would define "how safe is safe enough."
• The concept of risk limits for individual plant applications. These risk limits would be quantitatively expressed limits on CDF and LERF and would possibly consider additional limits for societal risk, land contamination, and a cap on temporary changes in risk.
• Guidance on defense in depth to address uncertainties in the risk assessments.

DISCUSSION

Three-Region Approach

The Safety Goal Policy Statement (SGPS) expresses the NRC's policy on "how safe is safe enough" for the population of plants on the average and is not intended for application to individual plants. As such, we see few deficiencies that need rectifying. So, instead of a broad restatement of the SGPS, we believe the need exists for the development of a new policy statement related to risk informing the regulations. This new policy statement should include risk criteria that each individual plant must meet. Up to now, the risk acceptance of individual plants has been dealt with through the concept of "adequate protection," which, among other things, is defined in terms of substantially meeting the requirements in the current body of regulations but is not currently associated with quantitative risk limits. Now that the NRC has embarked on a significant program of risk-informed modifications to the body of regulations, the concept that adequate protection means meeting the regulatory requirements becomes a bit ambiguous and is not nearly so useful as it is in a "deterministic" regulatory system. To ensure coherence in the modified regulations, it will be necessary to have quantitative risk limits, particularly on CDF and LERF.

As we have recommended in previous reports, a three-region approach is a practical way to express such limits. The bottom region would represent "how safe is safe enough." Plants that meet the risk-informed regulations, which may be substantially modified from the current regulations, and whose risk status falls within this region would be considered acceptable. Plants with a risk status falling into the top region would be considered unacceptable, irrespective of whether they met the other regulatory requirements. Such plants would be required to improve their risk status so as to fall at least into the middle region where something like the traditional regulatory analysis would be made for any further improvements that may be considered.

The most likely CDF and LERF candidates for the lower boundaries are those that appear in Regulatory Guide 1.174. We are not certain of the appropriate values for the upper boundaries, but believe they should be consistent with levels achieved as a result of the current adequate protection concept. This implies to us values about an order of magnitude above the limits in Regulatory Guide 1.174 (i.e., CDF of about 10^-3 /yr and LERF of about 10^-4 /yr).

To support the development of a new policy statement on risk-informed regulation, the staff should perform a study to determine the CDF and LERF limits that would be consistent with "adequate protection" and that would constitute the upper boundary. As part of this study, consideration should also be given to determine if additional limits related to societal risk (total deaths) and land contamination can be developed. One possible approach for developing such additional limits would be to set them at the cost-equivalent value of the LERF limit that is determined to be consistent with adequate protection. In principle, this approach would constitute a policy statement on the acceptable exceedance frequency of the cost consequences associated with nuclear power plant accidents. Such additional risk criteria are not likely to be expressible in terms of a surrogate LERF value. An alternative surrogate might be to express limits on exceedance frequency for fission product release which could simultaneously incorporate multiple risk acceptance objectives.

Temporary Changes in Risk

One of the limits in Regulatory Guide 1.174 focuses on the plant CDF expressed on a per-year basis. Temporary changes in CDF (i.e., spikes) that result from planned shutdown or online maintenance activities are not now included in the assessed values for the Regulatory Guide 1.174 limits. No attempts have been made to forecast over the lifetime of a plant how many such spikes to expect or how big they might be. To ensure that the contributions of such spikes do not significantly alter the assessed values that are to be compared to the Regulatory Guide 1.174 limits, there may be a need to place a cap on individual spikes. That is, the acceptability of planned maintenance activities would be contingent upon making a risk assessment for the altered configuration that shows that the spike limit will not be exceeded.

Defense in Depth and Uncertainties

Defense in depth is defined as the application of successive compensatory measures to prevent accidents or to mitigate damage. As we have stated in previous reports, there is a need for policy guidance on the proper balance among such compensatory measures (how many are necessary and how good they have to be), else the application of the defense-in-depth philosophy is subject to an arbitrariness that could hinder the progress of risk-informed regulation.

In recent reports, we have noted that the application of defense in depth can take the form of an allocated "balance" for the risk reduction to be attributed to the various successive compensatory measures for accident prevention and mitigation. Since no technical basis exists for what constitutes an appropriate balance, the establishment of such a balance becomes a matter of policy. It should be established by the Commission. If the risk-reduction contributions for each successive compensatory measure can be quantified with a probabilistic risk assessment (PRA) along with the associated uncertainties, then the PRA becomes the tool for measuring how many such measures are needed and how good they need to be to meet the overall risk objective with the specified allocation. If not, the application of successive compensatory measures becomes a matter of judgment tempered by past experience. In either case, the extent of application should reflect the overall uncertainty in the assessment of the risk. The greater the overall uncertainty, the more extensive should be the application of compensatory measures.

This defense-in-depth philosophy calls for a requirement that the uncertainties be quantified or estimated and entered into the decision on how much to rely strictly on the PRA results (rationalist approach) and how much to fall back on the traditional judgmental application of defense in depth (structuralist approach). There is a need to tie the actual values of the limits on CDF and LERF to the uncertainties associated with their quantification. The larger the uncertainty, the lower the acceptance limit should be. The staff needs to develop guidance for how to implement such concepts as a way to place quantitative limits on defense in depth in a risk-informed regulatory system.

Additional comments by ACRS Members William J. Shack, John J. Barton, and Mario V. Bonaca are presented below.

Sincerely, /RA/ Dana A. Powers Chairman

Additional Comments by ACRS Members William J. Shack, John J. Barton, and Mario V. Bonaca

We do not agree with our colleagues that there is a pressing need for a more quantitative guideline for risk-informed regulation at the present time. Development of such a guideline would require a significant commitment of resources from the staff and the stakeholders that could be more productively used on activities more directly related to the management of risk such as the implementation of the revised reactor oversight process and the revised maintenance rule, with greater impact on the focusing of licensee resources on risk-significant activities such as risk-informing the classification of safety-significant components, or the assurance of reliable risk assessments through the development of PRA standards for internal and external events.

The concept of adequate protection, the backfit rule, the Safety Goal Policy Statement, and Regulatory Guide 1.174 already provide a regulatory basis for a multiregion approach akin to that proposed in the ACRS report. Additional guidance on acceptable changes in risk is also provided in Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking Technical Specifications," and the supplement to Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." It is already clear to all stakeholders that the Commission considers PRA results an important element in the decisionmaking process to determine appropriate levels of regulatory action.

In addition, the prescription of quantitative limits in high-level regulatory guidance, such as rules or policy statements, should be minimized. Such limits often are taken to imply a greater precision than is warranted and can lead to an undue emphasis on a single element of the decisionmaking process. If they are included in the rules or policy statements, especially in terms of prescribed values for even temporary changes in risk, we can envision problems with providing defensible arguments for the values determined by the "PRA of the hour." The preferred approach is that taken in the development of the new Paragraph (a)(4) of the maintenance rule requirement that the licensee assess and manage the increases in risk, but the numerical guidelines for action thresholds are set in the associated Regulatory Guide through endorsement of Section 11 to NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants."

References:

1.	Memorandum dated January 27, 2000, from Joseph A. Murphy, Nuclear Regulatory Commission, to John T. Larkins, Advisory Committee on Reactor Safeguards, Subject: ACRS Review of Draft Commission Paper on Proposed Modifications to the Reactor Safety Goal Policy Statement (Predecisional).
2.	Memorandum dated October 28, 1999, from Annette Vietti-Cook, Secretary of the Commission, to William D. Travers, Executive Director for Operations, NRC, Subject: Staff Requirements - SECY-99-191 - Modifications to the Safety Goal Policy Statement.
3.	Memorandum dated October 16, 1997, from John C. Hoyle, Secretary of the Commission, to L. Joseph Callan, Executive Director for Operations, NRC, Subject: Staff Requirements - SECY-97-208 - Elevation of the Core Damage Frequency Objective to a Fundamental Commission Safety Goal.
4.	Report dated April 19, 1999, from Dana A. Powers, Chairman, ACRS, to Shirley A. Jackson, Chairman, NRC, Subject: Status of Efforts on Revising the Commission's Safety Goal Policy Statement.
5.	Report dated May 11, 1998, from Robert L. Seale, Chairman, ACRS, to Shirley A. Jackson, Chairman, NRC, Subject: Elevation of CDF to a Fundamental Safety Goal and Possible Revision of the Commission's Safety Goal Policy Statement.
6.	Letter dated May 24, 1999, from William D. Travers, Executive Director for Operations, NRC, to Dana A. Powers, Chairman, ACRS, Subject: Status of Efforts on Revising the Commission's Safety Goal Policy Statement.
7.	U.S. Nuclear Regulatory Commission, Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," July 1998.
8.	Report dated May 19, 1999 from Dana A. Powers, Chairman, ACRS, to Shirley A. Jackson, Chairman, NRC, Subject: The Role of Defense in Depth in a Risk-Informed Regulatory System.
9.	Report dated June 17, 1997, from Robert L. Seale, Chairman, ACRS, to Shirley A. Jackson, Chairman, NRC, Subject: Proposed Staff Position Regarding Inclusion of a Containment Spray System in the AP600 Design.