PRA (probabilistic risk assessment) and NOEDs (Notice of Enforcement Discretion)

Book Report on: NEI White Paper, "Assessing the Net Risk Associated with Notices of Enforcement Discretion (NOEDs)"

The conclusions of my book report are as follows:

1. There is little in the way of guidance for making a shutdown decision in the NEI White Paper.  The NEI White Paper should have addressed issues raised in a document produced for the NRC by Information Systems Laboratories (ISL).
2. Much of the NEI White Paper deals with calculating low-power and shutdown (LPSD) risk.  However, it provides little in terms of resolving technical issues associated with calculating LSPD risk.  ISL noted several modeling issues that the NRC is now aware of, for example, treatment of recently tested SSCs, common-cause adjustment, initiating event management.
3. The NEI White Paper over-simplifies issues surrounding the choice of on-line repair versus a repair during LPSD. 

The "White Paper" (WP for short), is largely composed of Appendix A, which was written by Doug True using input from John Gaertner and Biff Bradley.  The WP is an industry take on an August 2002 study of the NOED process done by Bob Youngblood at Information Systems Laboratories for the NRC staff, paid for by the NRC, (ISL for short; NRC accession number ML022550620).  The aim was to address the desire by NRC to know the alternate risks ("net radiological risk") associated with a licensee application for an NOED.  The main issues are determining the transition and shutdown risks, as well as quantifying the benefits of compensatory measures. 

The NRC created the NOED process to quickly entertain licensee requests.  Public involvement is provided via the rules that allow NOEDs.  The public interest is guarded by assuring the NRC that the action allowed by the NOED has no "net radiological risk."  The obvious problem is how to convincingly show no "net radiological risk."

The WP infers that 10CFR§50.65(a)(4) requires specific compensatory actions for a hypothetical set of plant conditions.  However, there is no such requirement in the CFR.

WP Figure 4 illustrates "margin" allowed by Technical Specifications.  Figure 4 illustrates an idea pervasive in the WP (see also Figure 7).  That is, the CDF associated with either one AOT or permitted concurrent-AOTs, becomes the benchmark for alternate actions.  Of course, knowing the uncertainties and approximations made in PRA models, we know that any CDF calculated is likely to overstate the actual risk of the AOTs.  It seems disingenuous to use Tech Spec configurations to determine available margin.  The reason is that the AOT-risk not the proper surrogate for "net radiological risk."  It would be ill advised to state that there is "no net radiological risk" as long as the CDF remains below what is permitted by Tech Specs.  It would be more rigorous to compare specific configuration-risk to the "no-maintenance-today (everything is perfect) case" and define "acceptable" as how far above zero-maintenance is tolerable.

Section 3 starts off with a succinct description of the choice faced by plant management, i.e., the risk of continued operation and repair versus LPSD and repair.  Preceding that, Figure 5 and Figure 6 in the WP show hypothetical risk profiles for the NOED case versus the "shutdown-and-fix-it" case.  These figures neither show a line for the AOT-risk, nor one for the no-maintenance case.  The problem is there is always some non-zero risk associated with plant operation.  Figure 5 shows risk above the long-run average.  Figure 6 seems to show incremental risk above zero.  Thus, the figures are inconsistent and do not paint a realistic picture of the choices faced by plant management.  Furthermore, Figure 6 does not conform to a realistic risk profile – except in the case when operators flood the steam generator secondaries while using RHR.  The lack of system redundancy during LPSD tends to keep the risk through transition and shutdown above the long-run average risk of plant operation.  LPSD risk is significantly higher than the long-run average when the equipment out-of-service is in a system actively used in LPSD, e.g., AFW, ADVs, RHR. 

Figure 8 in the WP does not clearly show the actual benefit of resolving the equipment out-of-service problem.  The initial risk is somewhat elevated because a degradation has manifested itself as an LCO violation.  Presumably, once the immediate repair is done, and all of the corrective actions are taken, the long-run average risk will be lower than before the problem was uncovered.  The formally hidden latent failure mechanism is presumably addressed in new versions of preventative maintenance procedures.

Section 3 goes on to discuss accounting for the compensatory measures taken in the course of an AOT.  ISL repeatedly recommends that the NRC obtain as much information as necessary to quantify the benefits of compensatory actions.  ISL implicitly believes that the "no net radiological risk" is only achieved via compensatory actions.  The WP authors are drawn into the ISL reasoning.  But just as the AOT-risk is a false benchmark, so is the "compensatory action" myth false.  The choice is between fixing the problem on-line or during a LPSD.  The question is which strategy results in "no net radiological risk."  The issue is how to calculate the LPSD side of the issue aptly summarized at the beginning of Section 3 in the WP.

The LPSD risk from two references cited by the WP is used to argue that the LPSD risk is small.  That conclusion is only possible in a few circumstances – usually conditions found in a full fledged refueling outage.  Section 3.2.1 in the WP suggests banking the "remain-on-line" risk out of the LPSD risk calculated for a particular NOED.  Statements like that confuse the issue of comparing an on-line repair with a repair done during LPSD. 

Section 3.2.3 in the WP (concerning return-to-power risk) is an affirmation of 4.6.1 in ISL.  As the start-up processes exposes the plants to many fail-to-start probabilities, this phase of LPSD is not a benign as the two documents imply.

The ISL points out a number of technical issues associated with estimating "net radiological risk" when evaluating an application for an NOED.  ISL makes a strong case for using LERF instead of CDF as a better surrogate for radiological risk.  Note that simplified Level 2 models also include an end-state called LATE, which also results in a post core-damage release.  Therefore LERF+LATE would be the best surrogate for "radiological risk."

The ISL describes features important to the NOED process that are missing from typical PRA models.

1. Each LPSD phase should have a risk measurement directly comparable to the at-power risk. 
2. Correct LPSD risk accounts for a decay heat rate as a function of time after core shutdown.  As the outage continues and the decay heat rate goes down, more success scenarios become possible, e.g., core cooling with charging pumps.
3. It is difficult to determine the time to core-damage during LPSD because it is difficult to determine the initial volume of water on the secondary side of the steam generators.  The time becomes an issue in adjusting HRA values and in adjusting standby-failure probabilities for mitigating SSCs.
4. It is difficult to determine the length of each LPSD phase – each outage will have its own timeline dictated by the available SSCs (and at some plants, seasonal considerations).
   ISL section 4.2 says, "… basic event failure probabilities are … typically quantified as average values, even though for most components, best-available reliability models would imply a time-dependence of failure probability. … [ a rigorous model would account for] how recently a given item was tested … [as a way to adjust] its current 'demand failure probability,' and recent operating history would bear on the decay heat level." 
5. Section 4.6.3 of ISL goes on to explain that, "[f]or items whose demand failure probability is dominated by failures in standby, a successful test justifies assignment of a failure probability substantially lower than the time-averaged value used in the PRA.  Alternatively, increased recovery probability may sometimes be justified by stationing operators in advance where they may be needed in order to accomplish recovery."
6. ISL section 4.4. says, " … the licensee can look at high frequency initiating events to see if there is a means to reduce risk by reducing the frequency of that event."  In section 4.6.2, ISL discusses two types of initiators.  (1) Initiating events that directly challenge the down equipment (initiating events to which the down equipment normally provides the preferred response).  (2) Initiating events that lead to challenges to the down equipment if other success paths fail (events for which the down equipment normally plays a back-up role). 
7. In section 4.6.1, ISL encourages the use of NUREG/CR-6141, "Handbook of Methods for Risk-Based Analyses of Technical Specifications," relative to common cause failure analysis to estimate the risk increase. 
8. Section 4.6.3 of ISL ends with a strong argument that a compensatory action to avoid concurrent maintenance on all safety-related equipment "may not translate into much real risk avoidance: some of this maintenance is forbidden anyway, and other portions of it may be carried out later with the same risk impact it would have had during the NOED."

PRA and design basis analyses (Appendix K) assumptions

Over-reliance on DBA assumptions is causing the nuclear industry to overstate the baseline CDF for the plants. The effect is to limit operational flexibility, and increase the burden on the regulator to keep the public health and safety risk as low as is reasonable. If the current generation of nuclear plants had a reported CDF similar to what is estimated for the IRIS plants (i.e., ~1E-08/year), could we end the hair pulling and cultivation of new rules? Could we replace out-dated (i.e., hard to replace) SSCs with other SSCs that take advantage of technological developments since the 1970s without arguing about the incremental reliability differences between analog and digital? Could we finally get to a state where surveillances and inspections were actually done to maximize the value of the capital assets at the plant? If it can be shown that the best estimate public health and safety risk from commercial nuclear power is on a par with IRIS, can we fall in love with nuclear power all over again?