Item A-29: Nuclear Power Plant Design for the Reduction of Vulnerability to Industrial Sabotage

DESCRIPTION

Historical Background

The safety concern of this NUREG-0371[1]item deals with the consideration of alternatives to the basic design of nuclear power plants with the emphasis primarily on reduction of the vulnerability of reactors to industrial sabotage. Extensive efforts and resources are expended in designing nuclear plants to minimize the risk to the public health and safety from equipment or system malfunction or failure. However, reduction of the vulnerability of reactors to industrial sabotage is treated as a plant physical security function and not as a plant design requirement. Although present reactor designs do provide a great deal of inherent protection against industrial sabotage, extensive physical security measures are still required to provide an acceptable level of protection. An alternate approach would be to more fully consider reactor vulnerabilities to sabotage along with economy, operability, reliability, maintainability, and safety during the preliminary design phase. Since emphasis is being placed on standardizing plants, it is especially important to consider measures which could reduce the vulnerability of reactors to sabotage. Design features to enhance physical protection must be consistent with present and future system safety requirements.

Possible Solution

The design change assumed for the purpose of analyzing this safety issue is the addition of an independent hardened decay heat removal system which is designed to be only used in a sabotage incident or other extreme emergency as determined by plant operators. This proposed design change is based on considerations and

recommendations in a NUREG/CR-1345.[2]Several other design changes were considered in the report.

The design chosen for development and for estimating cost uses electric power for its operation. Power is supplied by a diesel generator located (with the remainder of the equipment required for the system) in a hardened building. Heat loads associated with the diesel-generator and other mechanical equipment are transferred to the atmosphere by an air-cooled heat exchanger. A pipe tunnel connects the hardened decay heat removal building with the containment building. The system is a single, complete system without redundancy or

single-failure capability. The design period of unattended operation is 10 hours.[3]The independent hardened decay heat removal system is assumed to be added only to new PWRs and BWRs, based on information in the

NUREG/CR-1345.[4]

PRIORITY DETERMINATION

Frequency Estimate

This issue affects all new PWRs and BWRs. The cut-sets for Oconee (B&W) are used for the PWR analysis. The results from the PWR analysis were used to modify the accident frequencies of the Grand Gulf (GE) plant to

obtain results for the BWR analysis.[5]

In an evaluation of this issue by PNL,[6]certain parameters were modified, or "redefined," in order to account for the acts of sabotage. The parameters involved are the frequency of the loss of offsite power (T₁), the probability of failure of both emergency electrical generators (B₃), and the probability of the failure to restore offsite AC power within approximately 40 minutes (LOPRE). These changes result in a new base case for the Oconee assessment which was originally formulated to account for natural event failure probabilities only and did not include failures arising out of acts of sabotage. The "redefined" parameters for T₁ and B₃ were expanded to include sabotage, which established a more comprehensive base case for the Oconee assessment. Moreover, because of the particular resolution identified here for this issue (a hardened, independent decay heat removal system), the redefined parameters for T₁ and B₃ are not affected in the adjusted case (that is, they remain unchanged). This occurs because the add-on decay heat removal system does not deter the potential act(s) of sabotage and the potential for the loss of AC power remains the same in this case. The particular resolution for this issue does, however, affect those parameters and/or sequences that are related to decay heat removal, namely, T₂MLU and T₁MLU, through the dependence on CONST1 and CONST2. In this issue, the reduction in the core-melt frequency is entirely attributable to the complex changes in the sequences T₁MLU and T₂MLU as a result of their dependence on CONST1 and CONST2.

The parameters T₁ and B₃ were modified to add to the base case probabilities the additional values attributed to the acts of sabotage, i.e., T₁ was increased by 0.02/RY to a value of 0.22/RY, based on three acts of sabotage

out of 189 RY of operation,[7]and B₃ was increased from 0.0005 to 0.0007, based on the judgment that sabotage of the diesel generators is 100 times less likely than sabotage of offsite power. The value of LOPRE was increased from 0.2 to 1.0 since it was assumed that the sabotage attack precludes restoration of power within 40 minutes. This resulted in a calculated reduction in core-melt frequencies of 4 x 10^-6/RY for a PWR and

1.9 x 10^-6/RY for a BWR.

In addition the following additional assumptions were made:

(1)  Applicable Plants: All 71 new plants were affected, 48 PWRs and 23 BWRs

(2)          Affected Release Categories and Base Case Frequencies: Release Categories 3, 5, and 7 have new base- case frequencies due to the changes in T₁ and B₃. Categories 1, 2, 4, and 6 remain unchanged.

(3)  For forward-fit plants, the average life is 30 years.

Consequence Estimate

Based on the calculations performed by PNL,[8]the base case public risk is 79 man-rem/RY for a PWR and 96 man-rem/RY for a BWR. As a result of the resolution of this issue, the public risk reduction was estimated to be 10 man-rem/RY and 14 man-rem/RY for a PWR and a BWR, respectively. Assuming a typical midwest-type meteorology and an average population density for U.S. reactor sites of 340 people per square mile, the total public risk reduction was calculated to be 24,140 man-rem and the occupational risk reduction was estimated to be 140 man-rem.

Cost Estimate

Industry Cost: Based on NUREG/CR-1345,[9]the industry cost for the addition of an independent, hardened decay heat removal system was estimated to be $10M. For the 71 forward-fit plants, the total estimated cost was $710M. For an estimated effort of 2.5 man-weeks/year to check the diesel power source each month and the pumps every 3 months as routine maintenance, the estimated cost was (71 plants)(30 yrs)(2.5 man-wk/yr) ($100,000/52 man-wk) or $10.24M.

NRC Cost: NRC effort to review the initial add-on decay heat removal designs in each plant was estimated to be about 4 man-weeks. The total cost for this effort was (4 man-wk/plant)(71 plants)($100,000/52 man-wk) =

$0.546M. For the review of the operation and maintenance of the hardened decay heat removal system, it was estimated that 1 man-wk/RY will be required. The total cost for this effort was estimated to be (30 yrs)(71 plants) (1 man-wk/RY)($100,000/52)/ man-wk = $4.1M.

Total Cost: The total cost associated with the possible solution to this issue was estimated to be $(710 + 10.24 + 0.55 + 4.1)M or approximately $725M.

Value/Impact Assessment

Based on a total potential risk reduction of 24,140 man-rem and an estimated cost of $725M, the value/impact score is given by:

CONCLUSION

The above value/impact score indicated a low priority ranking for this issue. However, because of the relatively large risk reduction, the large uncertainty in determining the risk, and the possibility of developing a lower cost solution, the issue was given a medium priority ranking.

In resolving this issue, the staff concluded that insider sabotage at operating nuclear power plants has not been a significant problem in the U.S. Existing requirements (10 CFR 73.55) dealing with plant physical security, controlled access to vital areas, screening for reliable personnel, etc., appear to be effective. The staff found no design modification that would completely eliminate or mitigate the threat of insider sabotage.

The staff believed that licensees should continue to monitor and assess security practices in terms of: (1) hiring reliable personnel; and (2) surveillance procedures to prevent, detect, and mitigate adverse insider acts. NRC monitoring and assessment of the effectiveness of licensees' security practices are accomplished in the

Systematic Assessment of Licensee Performance (SALP) program. The staff's technical findings were published in NUREG-1267.[10]Thus, this issue was RESOLVED and no new requirements were established.[11]