Safety goals in ‘risk-informed, performance-based’ regulation


Reliability Engineering and System Safety 80 (2003) 163–172 www.elsevier.com/locate/ress

Safety goals in ‘risk-informed, performance-based’ regulation

Genn Saji*
Secretariat of Nuclear Safety Commission, Cabinet Office, Joint Central Government Office Building #4, 3-1-1 Kasumigaseki, Chiyoda-ku, Tokyo 100-8970, Japan

Received 27 May 2002; accepted 27 December 2002

Abstract

The recent overall improvement in key operational safety indices in the United States, combined with ‘risk-informed, performance-based’ regulation by the US Nuclear Regulatory Commission (NRC), has indicated that ‘safety goals’ are indispensable; with them, both licensee and regulator can share common objectives and common indicators of safety performance. Recognizing this, the author proposes a new concept of safety goals (see footnote 1) to facilitate engineering application, while removing some of the uncertainties often encountered in implementing safety goals, by extending the framework of the International Nuclear Event Scale (INES), which is widely used throughout the world. In this article, safety goals are characterized from the point of view of nuclear regulation by oversight, as established by the US NRC. This is a new tendency of nuclear regulation that motivates initiatives of licensees to improve safety and operational performance and to minimize potential nuclear risks, without the regulatory side specifying how the specific safety requirements should be met. In contrast, in ‘compliance-based regulation,’ which is the more widely used approach of nuclear regulation in many countries, detailed prescriptive safety requirements are specified and licensees are enforced to strictly follow them. The author observes, through the past experience of the US NRC, that the latter approach has a basic limitation in improving the total safety of nuclear facilities, and supports the new direction being taken more widely in the nuclear community. © 2003 Elsevier Science Ltd. All rights reserved.

Keywords: Safety goals; Risk-informed; Performance-based regulation; How safe is safe enough?; Organizational accident; Safety culture; Performance indicators

1. Introduction

Over the last several years, the US Nuclear Regulatory Commission (NRC) has gradually been introducing ‘risk-informed and performance-based’ (RI&PB) regulation [1–6]. This approach is being applied in regulatory inspection, technical specification changes, graded quality assurance (QA), risk-informed in-service inspection, the rule governing changes and testing (10 CFR 50.59), and the maintenance rule [6].

* Tel.: +81-3-3581-9484; fax: +81-3-3581-9436. E-mail address: [email protected] (G. Saji).
1 See also ‘A New Approach to Reactor Safety Goals in the Framework of INES,’ another article in this issue.

2. ‘Risk-informed, performance-based’ regulation by oversight

The United States’ success clearly demonstrates that safety improvements should be accomplished by a licensee’s own initiative and ingenuity (having in-depth knowledge of risks), and by monitoring objective and measurable performance indicators (PIs). Also, an analysis of successful operational and maintenance experiences in the nuclear power industries is now showing that it is essential to prevent accidents caused by human errors, or by inadequate infrastructure support within the organization that operates the reactor. The RI&PB regulation seems to supplement the ‘compliance-based’ regulation, which directs the licensee to strictly meet safety criteria [7]. Compliance-based regulation has a basic limitation in assuring the safety of complex nuclear facilities, since it is not possible for the regulatory side to identify and enforce all the necessary safety requirements. Some of the regulatory safety requirements no longer correctly address the appropriate risk of the facility, thereby providing inhomogeneous protection [8]. It also tends to produce negative side effects, such as forcing a licensee to comply with technically unnecessary regulatory requirements, or interfacing with regulators not on the ground of safety significance, but rather on a rhetorical

0951-8320/03/$ - see front matter © 2003 Elsevier Science Ltd. All rights reserved. doi:10.1016/S0951-8320(03)00026-7


interpretation of safety criteria, resulting in just following the regulation without going deep into the safety implications of the issue. Compliance-based regulation has also resulted in exorbitant escalations of cost, mostly associated with providing excessive regulatory compliance documents, or with the forced use of antiquated but ‘qualified’ equipment, thereby stagnating technology development. Discouraging the licensee from introducing improved technology, as well as more reasonable and effective safety approaches, is often cited as contributing to the decline of nuclear power plants in the US [9]. The RI&PB regulation eliminates many of the obstacles that have led to the decline in nuclear power in the US. The RI regulation (1) encourages probabilistic safety assessment (PSA) by both the licensee and regulators, thereby enabling safety discussions amongst stakeholders; (2) allows more flexibility in safety regulations, motivating creative solutions by the licensee; (3) requires that the plant shall not produce unacceptable radiological consequences even if it does not meet all the required operational standards; and (4) has the regulators oversee the performance of the licensee by using objective indicators and reports of inspectors. Table 1 summarizes the result of the author’s comparison study of these two approaches, i.e. ‘compliance-based’ and ‘risk-informed, performance-based’ regulation. The author does not intend to define these in the table, since the interpretation of these two approaches is somewhat subjective and can be expressed differently. Integration of RI regulation with PB regulation is highly desirable, when we recall the success of the modern TQM (Total Quality Management) approach in production industries [10,11].
In this approach, the quality of products, expressed as a statistical defect rate, is continuously improved by driving a Plan-Do-Check-Action (PDCA) cycle (see footnote 2). Today, the quantitative measures of safety performance and of the quality of operation and maintenance (O&M) in nuclear facilities are called Performance Indicators (PIs). The PB approach achieves greater risk reduction by proper operation and maintenance, in addition to the safety provisions incorporated in the design of the plant. It also incorporates preparedness for countermeasures in the event of a severe accident, such as preparedness for accident management and emergency response. Although it is desirable to derive PIs starting from Safety Goals (SGs), it appears impossible to develop a complete and sufficient set of PIs that effectively reduce latent risks by directly linking precursors with the potential to develop into severe accidents. For such an objective, the PIs should monitor the plant’s status and the frequency of incidents and anomalies that have the potential of developing into severe accidents. The PIs are now considered global indicators of the quality of operation, maintenance, management, and security. The PIs being used by the NRC were originally extracted from a system by the World Association of Nuclear Operators (WANO). Efforts are underway to establish an International PI System [12] for possible regulatory application in other countries. By planning and checking PIs in each PDCA cycle, the owners’ and operators’ initiative will become an engine for safety improvement through a ‘Do’ and ‘Act’ process that integrates safety considerations into their activities. Without PIs, it is impossible to objectively prove whether an effort to improve safety is really effective in an actual plant. In employing the RI&PB regulation, the regulatory side confirms the more fundamental roots of safety assurance, such as (1) safety culture, (2) quality assurance, (3) technical competence of management and workers, and (4) transparency of the technical information used in judging safety. These essential elements are monitored through indirect regulation, i.e. regulators are not directly evaluating all the technical details of design, construction, operation and maintenance. Because of the regulators’ indirect approach in RI&PB, it is sometimes called ‘oversight’. This approach indicates that the primary responsibility for assuring safety is not on the regulatory side, but on the owner, operator, and manufacturer/constructor of the plant. The initial success of the RI&PB regulation can be observed from the remarkable improvement of PIs, as demonstrated by a continued downward trend over the last several years. This is illustrated in the NRC Significant Event Graph of the Institute of Nuclear Power Operations (INPO) [13], which indicates a reduction to 0.03 events per unit per year in 1999 from a previous frequency of 2.38 events in 1985. It also seems to be compatible with the recent tendency of deregulation of the US electrical power industries. Although there exist some limitations to the current approach, a trend analysis using an accident sequence precursor study [14] has shown that ‘there is no reason that nuclear plants cannot maintain or even improve their safety performance in a competitive environment’ [15]. It also results in an overall improvement of public trust towards nuclear plants, thanks to improved transparency of the regulatory process and risk communication, as demonstrated in the Pilot Program for both the Salem and Hope Creek Plants [16].

2 Plan-Do-Check-Action cycle [11].

3. Management of organizational issues in ‘risk-informed, performance-based’ regulation

Although the RI&PB regulation, being integrated with SGs and PIs, seems to work well, these are just a part of what is needed for total assurance of the safety of nuclear facilities. In a highly automated nuclear power plant with a conservative ‘defense-in-depth’ approach, it is unlikely that just a single operator error or a single component malfunction would result in a large off-site release of radioactive substances. Typically, such incidents involve an initiating event, with one or more equipment failures, coupled with operator error(s). When the causes of initiating events and equipment failures are identified, most


Table 1. The ‘compliance-based’ and ‘risk-informed, performance-based’ regulation, a comparative study

Attribute: Safety philosophy
  Compliance-based:
  • Defense-in-depth
  • Single failure criteria
  • Deterministic approach
  Risk-informed, performance-based:
  • Defense-in-depth
  • Probabilistic decision making
  • PIs

Attribute: Safety goals
  Compliance-based:
  • Do not directly address the question ‘How safe is safe enough?’
  • Introduced <10^-6/RY for severe accidents in the 1970s (WASH-1270)
  Risk-informed, performance-based:
  • Intrinsic hazard levels are addressed together with how likely they are
  • Scientific basis in quantitative health effects

Attribute: Design basis events
  Compliance-based:
  • Clear distinction between ‘design basis events (DBEs)’ and beyond-DBEs
  • Limited numbers of DBEs are specified with conservative assumptions, e.g. a double-ended break, to envelop the spectra of events
  • Residual risks were considered negligible because they are rare events
  • Fortify the design of ‘safety-related’ systems, which are designed to cope with DBEs; these systems are isolated and separated from other systems and components used for normal operation
  Risk-informed, performance-based:
  • Total spectra of accidents are taken into account in consideration of probabilities, not limited to DBEs and their sequences
  • Practically all events are analyzed in combination with several break points
  • Taking into account risk weights, operational experience, and engineering judgment
  • Incorporating the uncertainties of the probabilistic approach
  • Improve design, operation, and maintenance of those systems and components with large risk weights
  • There should be no cliff-edge effects in severe accidents

Attribute: Regulatory safety criteria
  Compliance-based:
  • Detailed prescriptive criteria, specifying how the basic safety objectives should be implemented
  Risk-informed, performance-based:
  • SGs and minimum functional requirements, without specifying how the basic safety objectives should be implemented

Attribute: Operation and maintenance safety
  Compliance-based:
  • Should strictly comply with the technical specification, in compliance with the regulatory criteria and the bases of safety assessment
  Risk-informed, performance-based:
  • Flexibly applies the technical specification as long as there is no significant degradation of risks
  • Monitoring the PIs representing the quality of operation and maintenance
  • Encourages licensees’ initiatives for implementing safety objectives

Attribute: Role of the regulatory body
  Compliance-based:
  • The regulators should show good practice of the safety design approach
  • Must specify all the regulatory criteria necessary to implement the basic safety objectives
  • Enforce licensees’ compliance with prescriptive regulatory criteria by law
  Risk-informed, performance-based:
  • Must clarify the acceptable level of safety by specifying SGs and minimum functional requirements
  • Oversight of licensees’ implementation of safety provisions and performance of operation and maintenance


Fig. 1. A ‘mandala’ of total safety management. Note: A ‘safety engine,’ utilizing a TQM methodology of PDCI cycle, is implemented by management programs that deal with availability and risk, quality, and organizational errors, and an assessment program for safety performance. The safety culture should surround all these activities. Note the roles of SGs and PIs as the essential information behind the scene.

often human errors are partly, if not solely, responsible. A large accident involves complex organizational and management causes, which can include hardware, design, operation, maintenance, manuals, error-enforcing conditions, skill-based routine work, incompatible goals, poor communication, organizational issues, and training. It is beyond the scope of this paper to discuss the details of the organizational factors, where latent organizational defects should be investigated by performing a techno-psychological assessment of human factors. The reader is referred to a textbook by Reason [11], for example. Only a basic framework for managing organizational accidents, relevant to the nuclear community, is introduced here to provide a perspective on the role of SGs in an overall strategy of safety assurance. An analysis of successful operational and maintenance experiences is now showing that the basic components (systems) outlined below, although sometimes integrated into just one or two systems, are necessary for preventing organizational nuclear accidents. Fig. 1 shows a ‘mandala’ (see footnote 3) of this safety approach, where safety is assured by integrating a Safety Engine with several management programs, within a good safety culture.

3 A ‘mandala’ is a form of oriental art, in which a complex spiritual (religious) world of the universe is illustrated in a picture containing various spiritual images of the Buddha, appreciable by a public who were often illiterate.

Basically the following components are necessary for engineering implementation:

1. A ‘safety engine’ which drives organizations to improve safety and availability continuously. This system should be the driving force of safety assurance, involving everyone in the organization, and can be implemented by using the TQM methodology, which recommends activation and continuation of the Plan-Do-Check-Improve (PDCI) Cycle. The TQM approach has proven to be effective in many industrial sectors, including the nuclear industry. However, since the original PDCA cycle was proposed to implement statistical quality control of mass production lines to reduce the number of defects, the methodology is not directly applicable to the reduction of incidents and accidents, since these are very rare for a plant during a typical operational cycle. Instead of the statistical data of defects, the PIs are being developed to assess the healthy status of a plant being operated essentially with no events. Each action of the PDCI cycle should be specified in several management programs, as indicated in the following components.

2. Availability and risk management program for ‘plan’. This component can be combined with a QA Program for ‘do’ into a single program, called the Safety, Availability and Quality Management Program, since there are many common requirements between the two. The word ‘management’ is preferred here, since the program should be managed while balancing availability and risks. This should be the starting point of the PDCI cycle. This is more of a management than an engineering program, and management’s commitment is essential [17]. The program should be ‘risk-informed’ and based on SGs, deploying them into lower level requirements by performing a PSA. PSA is often used in the nuclear community as a basic technology tool to evaluate the safety significance of components, systems, or events [18]. The Lines of Defense (LOD) approach [19] also provides a simplified reliability assessment methodology. The LOD was originally proposed by the US Department of Energy for risk-informed management of R&D for fast reactors in 1974 [20], and is now being widely used for nuclear regulation in France. The IAEA has issued a good reference for a nuclear QA Program [21].

3. Performance assessment program for ‘check’. It is beyond the scope of this paper to discuss PIs in detail; therefore, only a brief introduction is given here. The author proposes the necessity of an objective scale of total safety, which is to provide measurements of improved operation [10]. The PIs are a recent methodology to improve the quality of operation and maintenance. Objective, measurable and safety-relevant indicators are desirable for PIs to be honored by stakeholders. This should be more of a performance assessment system than a management program, since an objective measurement of safe operation is necessary to feed unbiased review data to the other management programs. In the US, the Reactor Oversight Process [22] integrates the NRC’s inspection, assessment, and


enforcement programs. The Operating Reactor Assessment Program evaluates the overall safety performance of operating commercial nuclear reactors, and communicates those results to licensee management, members of the public, and other government agencies. An assessment program collects information from both inspections and PIs in order to enable the agency to arrive at an objective conclusion about the licensee’s performance. The NRC’s three strategic performance areas for monitoring PIs are reactor safety, radiation safety, and safeguards. Each of these performance areas is further specified as follows:
* Reactor safety: initiating events, mitigating systems, barrier integrity, and emergency preparedness;
* Radiation safety: public radiation safety, and occupational radiation safety;
* Safeguards: physical protection.

4. Organizational error management program for ‘improve’. Assessments of plant performance using the PIs do not usually result in direct investigation of organizational factors. For the latter, there are several methodologies [11] that deal with organizational issues before the actual occurrence of an accident, including Tripod-Delta, Review and MESH (Managing Engineering Safety Health), as well as HEART (Human Error Assessment and Reduction Technique). Motivation of individuals is essential, since the organizational issues deal with human performance. The system should be directed to improve human performance beyond skill-based, to rule-based, and finally to knowledge-based [23]. An incident investigation methodology is being proposed with the goal of identifying organizational and managerial weaknesses that have contributed to significant nuclear incidents [24]. The Canadian Nuclear Safety Commission has developed a method for evaluating various organizational factors that relate to safety performance [25].

5. Engineering of safety culture. We need to establish a good safety culture, such as that defined by the IAEA [26], although the implementation process is not well known. At a minimum, the following four aspects of a good safety culture are necessary:
* Safety culture of justice, high morale, and excellence;
* Safety culture of flexibility and collaboration;
* Safety culture of communicating and reporting;
* Safety culture of learning and reflecting.
These aspects are extended from those proposed by Reason [11], concurring that a good safety culture is something attainable by human activities (engineering), although very difficult to realize. It is not something that exists inherently among the members of an organization and in the organization itself. More recently, Sorensen has discussed the role of safety culture in RI regulation [27].


4. The background of safety goals

In applying the RI&PB regulation, it is essential to establish SGs, which address the fundamental policy of acceptable safety levels and the question of ‘how safe is safe enough.’ The motivation to develop SGs in the US was triggered by the Three Mile Island (TMI) reactor accident in 1979. The NRC’s Advisory Committee on Reactor Safeguards (ACRS) recommended that consideration be given to the establishment of quantitative SGs for nuclear reactors [28]. While the US has a long history of establishing SGs, the effectiveness of regulation by oversight with the SGs is now being appreciated through the successful implementation of the RI&PB regulation. Major progress in the early development stage of the SGs is described in two excellent articles [29,30]. Perhaps NUREG 0739 in 1980 should be credited as a remarkable early effort [31], which allowed the NRC to consider and use preliminary numerical values. Moreover, it noted that the NRC and the US Congress ‘must ultimately consider a wide range of sociopolitical and economic factors’ that include public risk. However, the draft SG concept was not accepted by the ACRS, which was of the opinion that the numerical core damage limits were arbitrary. The current framework of the US SGs was established in 1986, and generally specifies that (1) an average individual near a plant should not be exposed to reactor risks greater than 0.1% of the sum of all accident risks; and (2) the population near the plant should not be exposed to increased cancer risks from the plant that are greater than 0.1% of all cancer fatalities [32]. In 1990, considering the uncertainties in applying the SGs based on the quantitative health objectives (QHOs) [33], the NRC endorsed subsidiary goals that limit the Core Damage Frequency (CDF) to less than 10^-4 and the Large Early Release Frequency to less than 10^-6. The latter goal was recently changed [34] to 10^-5. The 1986 SG has strongly influenced the Backfit Rule [35] and Regulatory Guides [36], including RG 1.174–1.178. Although the usefulness of SGs was clearly demonstrated through implementing RI&PB regulation in the US, the present SGs are still somewhat debatable, as well as controversial. Since the early development of the NRC’s SGs, several important issues have emerged. In particular, the cost-benefit guideline and the core-melt design objectives have been subjected to continuing scrutiny and debate [30]. Even though it is 20 years since the initial evaluation by the US NRC, there are still significantly divergent views about SGs. Some of the criticisms include: (1) because of the large amount of uncertainty involved in translating the QHOs into engineering guidelines, such as the CDF and the conditional containment failure probability, subsidiary goals are necessary [37]; (2) at the time that the SGs were established in the US in 1986, the number of PSAs that had been performed, particularly with respect to the containment response to core damage, was inadequate to support further refinements in the QHO program; (3) as


a result, compliance with the NRC PSA goals was considered neither necessary nor sufficient to demonstrate safety; and (4) ‘defense-in-depth’ and ‘safety-related’ were considered by some to be archaic concepts. Since the criticisms are generally related to uncertainties, the need for subsidiary goals and the retention of the defense-in-depth philosophy are repeatedly discussed by the NRC [37,38]. Here, the need for subsidiary goals is understandable, although it may only result in shifting uncertainties from the PSA into the SGs. In order to translate the QHOs into subsidiary goals, it is necessary to perform up to a Level 3 PSA. The subsidiary goals are to provide practical, applicable engineering goals by focusing on the results of the Level 1 PSA, assuming that the subsequent consequence is conservative enough for the QHOs, although the more probable situation is that it is too conservative. Most of the difficulties are in the Level 2 PSA, where it is necessary to address all the complex thermal and thermo-mechanical phenomena involved in severe accident sequences, including: (1) hydrogen generation and combustion; (2) steam explosions; (3) debris cooling; (4) vessel failure; (5) in-vessel cooling; (6) external cooling; (7) direct containment heating and failure [39]. In addition, the following chemical and thermo-chemical phenomena, which accompany the source term behavior, are too complex to investigate to a level with good confidence: (1) loss of the submerged state of the core in the reactor coolant, releasing volatile fission products (FP); (2) meltdown of fuels, with additional release of FP; (3) dissolution of FP into the remaining reactor coolant, including formation of stable chemical compounds such as CsI; (4) leakage of FP and particulates from the reactor vessel; (5) aerosol behavior inside the containment atmosphere: agglomeration, deposition and redistribution; (6) leakage of the reactor coolant, noble gases and aerosol from the containment vessel.

At the time of the TMI-2 accident, the criticism was that the actual radiological consequence was several orders of magnitude lower than the license basis accident analysis. The NRC policy statement on SGs places PSA in a subsidiary role to defense-in-depth, because of the uncertainties of the PSA approach [40]. The RG 1.174 discussion states that ‘[T]he defense-in-depth philosophy…has been and continues to be an effective way to account for uncertainties in equipment and human performance.’ The discussion goes on to say that PSA can be used to help determine the appropriate extent of defense-in-depth, which, for example, is equated to a balance among core damage prevention, containment failure prevention, and consequence mitigation. Defense-in-depth is primary, with PSA available to measure how well it has been achieved. The author fully supports this view. Defense-in-depth positively declares that the risk can be controlled adequately by engineered (man-made) safety provisions. The philosophy gives a practical methodology

for safety assurance in which safety provisions are made in three completely different dimensions—prevention, protection, and mitigation—acknowledging limits of human knowledge and activities [10].

5. Objectives, requirements, and application of safety goals

The basic objectives of establishing SGs for a nuclear facility are to indicate an acceptable space of safety, recognizing that it is impossible to achieve a zero-risk or zero-defect plant. Thus, it is necessary to clarify a minimum, tolerable level of safety margin in the event of troubles, incidents or accidents. The SGs should show a region in a safety space as a measure that can be used in assessing, planning and implementing the design, construction, inspection, maintenance, and operation. It is also necessary to provide a region where further improvement is not justified, when weighing the benefits indicates undue costs with little improvement of already very low risks. The SGs can guide the accumulation of safe operating experience that could help establish an active safety culture, improve transparency and simplicity in communication with the general public, and eventually recover public confidence in nuclear energy. To achieve these objectives, the following attributes are required:

1. The SGs should clearly indicate the magnitude and probability of potential nuclear hazards. Considering the public’s concern about the ultimate safety of nuclear facilities, the SGs should be able to reconstruct the severe accidents so far experienced, e.g. the TMI accident and the Chernobyl accident.

2. The SGs should be technically accountable, with a reasonable scientific basis. SGs with a scientific basis of QHOs are preferable, since the main objectives of nuclear safety are assuring the health and safety of the general public and workers. However, it is important to recognize the inevitably large uncertainties that can be introduced during the process of translating the fundamental SGs into the more practical technical guidelines that are necessary for actual implementation.

3. The SGs should be practically applicable for risk communication with the public, as well as for actual regulation, and should motivate licensees to improve safety in design, maintenance and operation. While the SGs may be better expressed in qualitative terms for risk communication, they should also be quantitative for engineering applications. For risk communication, the expression should be accurate and lucid. It should also be noted that the public may evaluate nuclear-related risks differently than experts or regulators do [41].


4. SGs should provide a practical safety methodology for assuring all the safety aspects of the facility. This implies that the SGs should have wide implications, not just limited to hardware reliability, but should also address software issues, as well as operator performance and organizational factors. Usually the SGs are defined to clarify an acceptable frequency of occurrence of latent events that have the potential to develop into an active, severe accident. However, the author thinks that more frequent troubles and minor incidents should also be addressed in the SGs. These more frequent minor events, which challenge safety barriers, can eventually develop into a severe accident. These frequent troubles induce fears among the general public about the safety of nuclear power, thereby jeopardizing public acceptance of nuclear energy.

5. SGs should enable evaluation of safety performance by both the regulators and licensees on an equal footing. Since the primary responsibility for safety assurance is with the owner, operator and manufacturer/constructors of the facility, the SGs should provide a ‘scale of safety’ that is directly applicable to them. And the regulator should also be able to perform its safety oversight by comparing against the SGs.

The author believes that these requirements can be met by using the author’s new approach, as explained in an accompanying article in this issue.

6. An approach to total safety goals

The author proposes a new framework which deploys the objectives, requirements, and application of practical SGs as discussed in the preceding section, using the following approach. [The detailed deployment as well as the initial evaluation is provided in the other article in this issue.]

1. Integration of SGs in the framework of INES. The International Nuclear Event Scale (INES) [42], first introduced in 1990 jointly by the IAEA and the OECD, is a means for promptly communicating to the public in consistent terms the safety significance of events reported at nuclear power plants, and is now widely accepted as an international standard for event scales. As early as 1993, the INES was in formal use in 26 countries, with the exception of the two most important nuclear countries, the United States and France (although they later adopted its use). By putting events into proper perspective, the Scale can facilitate a common understanding between the nuclear community, the media, and the public. Fig. 2 shows the basic safety concept of the INES. It defines the level/descriptor of events in 7 + 1 (below scale/zero)

169

levels, generally classified in terms of amounts of release, ranging from an Anomaly without release to a Major Accident. By showing examples of the application, it provides criteria in terms of off-site impact for public safety, on-site impact for worker safety and defense-in-depth degradation for events with/without release of radioactivity. The author proposes an expansion of the current framework of INES to include major source terms and a probabilistic scale, which are necessary to construct SGs. By incorporating SGs, the author believes that the usefulness of the INES can be further advanced. 2. Addressing frequent incidences without off-site effects. Although SGs can be simplified by specifying primarily in terms of radiation health effects after severe accidents, the author believes that it is better to define SGs for all spectra of events, since the objectives of safety assurance in a nuclear facility is not just limited to prevention and mitigation of severe accidents.

Fig. 2. The safety concept of the INES. Reproduced from Thomas, BA, the ASSET (Assessment of Safety Significant Events Team). IAEA February 1991.

7. Risk management of organizational accidents with safety goals

The probabilistic SGs for Levels 4–7 can be used directly in judging how well the design (and sometimes maintenance and operation) meets the SGs, by performing PSA. However, below Level 4 the expected doses are so small (a few mSv for Level 4) that it is debatable whether to extend the health-effect basis down to such low doses. In addition, more strictly limiting the consequences of minor but more frequent events may not directly improve overall safety and availability, suggesting that a different framework of safety, i.e. different from the RI approach, is necessary. The author thinks that this is where the Performance-based approach, integrated with the TQM methodology, is expected to work, i.e. improving the quality of operation and maintenance as well as reducing the frequency of minor events challenging the safety barriers. The probabilistic SGs (occurrence rates) for these levels of incidents (Levels 3–0) can be deployed directly as acceptance criteria for PIs. The impact of a small release is more an issue of reliability and availability of the plant than of health effects, although the psychological impact and the loss of public trust in nuclear energy far exceed the real risk of radiation.

The SGs that are derived from QHOs mostly address accidents (Levels 4–7 in the INES), since these induce off-site impacts. For these accidents, safety is basically accommodated with Safety Systems, Accident Management and Emergency Response, combined with the RI approach. The proposed ‘engineering’ SGs should be useful in planning and assessing these essential safety activities. Whereas for more frequent events (Levels 3–0), the author proposes an approach where safety is assured by integrating a Safety Engine with TQM methodology, such as illustrated in a PDCA cycle [10,11], which is further integrated with management programs dealing with availability and risk, quality, and organizational errors, and with an objective assessment program for safety performance. The PIs are essential for these management and assessment programs. A good safety culture should surround all these activities.
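To make the Levels 3–0 idea concrete, the following Python script is an added example (not the paper's own code, and not the numeric goals of its accompanying article): it treats a per-level goal occurrence rate as the acceptance criterion for an INES-level performance indicator and asks, for a constructed event log, whether the observed count is plausible at the goal rate. The goal rates, the reactor-year exposure and the log entries are all hypothetical.

```python
# Added example (not the paper's code): INES-level PIs vs. hypothetical occurrence-rate goals.
import math
from collections import Counter
# Goal rates (events per reactor-year) for Levels 0-3, constructed for illustration;
# the paper's actual probabilistic goals are given in its accompanying article.
HYPOTHETICAL_GOALS = {0: 4.0, 1: 1.0, 2: 0.1, 3: 0.01}

def poisson_tail(k, mu):
    """P(N >= k) for N ~ Poisson(mu): how surprising k events are at exactly the goal rate."""
    if k == 0:
        return 1.0
    cdf = sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k))
    return max(0.0, 1.0 - cdf)

def parse_events(log_lines):
    """Count events per INES level from 'date,level,description' records."""
    counts = Counter()
    for line in map(str.strip, log_lines):
        if line and not line.startswith("#"):
            _date, level, _desc = line.split(",", 2)  # description may contain commas
            counts[int(level)] += 1
    return counts

def assess_indicators(log_lines, reactor_years, goals=HYPOTHETICAL_GOALS, alpha=0.05):
    """Return {level: (count, rate, p_value, verdict)}: 'exceeds' = count implausible at the
    goal rate (p < alpha), PI fails acceptance; 'elevated' = above goal but not significant."""
    counts = parse_events(log_lines)
    report = {}
    for level, goal in sorted(goals.items()):
        k = counts.get(level, 0)
        rate = k / reactor_years
        p = poisson_tail(k, goal * reactor_years)
        verdict = "exceeds" if p < alpha else ("elevated" if rate > goal else "within goal")
        report[level] = (k, rate, p, verdict)
    return report

# Constructed event log for one hypothetical unit over two years (2 reactor-years).
SAMPLE_LOG = """# date,INES level,description (constructed sample data)
2001-01-09,0,deviation: surveillance test performed late
2001-02-14,1,anomaly: one emergency feedwater train inoperable
2001-03-22,1,anomaly: control rod drive fault found on test
2001-06-30,1,anomaly: unplanned trip, all safety systems responded
2001-09-12,1,anomaly: fire barrier degraded in a safety-related area
2002-02-18,1,anomaly: one emergency diesel generator unavailable
2002-04-27,2,incident: significant contamination spread on site
2002-07-15,1,anomaly: degraded containment isolation valve
""".splitlines()
if __name__ == "__main__":
    for lvl, (k, rate, p, verdict) in assess_indicators(SAMPLE_LOG, 2.0).items():
        print(f"Level {lvl}: {k} events, {rate:.2f}/reactor-year, p={p:.3f} -> {verdict}")
```

With these constructed inputs, Level 1 fails acceptance (six anomalies against a goal of one per reactor-year), while the single Level 2 incident is only flagged as elevated, because one event over two reactor-years is not yet strong evidence against a goal of 0.1 per reactor-year.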

8. Conclusions

1. The new direction of the regulatory approach should be ‘regulation by oversight,’ evolving from the more common ‘compliance-based’ regulation. A successful example is being established as ‘risk-informed, performance-based’ regulation by the US NRC. This new approach is attractive, since it is expected to remove the stagnation of nuclear technology development and to further improve safety records by encouraging initiatives of the licensees. It makes clear that the ultimate responsibility for safety lies on the side of the owner and operator of the plant, with the regulatory side overseeing proper implementation of safety objectives and monitoring PIs.

2. In implementing ‘regulation by oversight,’ quantitative SGs are indispensable. The author proposes a new approach by expanding the current framework of INES to address potential risk a priori. The radiological SGs mostly address accidents (Levels 4–7 in the INES). For these, safety is basically accommodated with Safety Systems, Accident Management and Emergency Response. The countermeasures could be very effective in protecting the public, as demonstrated in the Chernobyl accident. To be prepared for such emergency situations, a priori estimation of radiological consequences, as well as frequencies, should be helpful.

3. Whereas for more frequent events (Levels 3–0), the author proposes an approach where safety is assured by integrating a Safety Engine with a TQM methodology, which is further integrated with management programs dealing with availability and risk, quality, and organizational errors, as well as with an objective assessment program for safety performance. The PIs are essential for these management and assessment programs. A good safety culture should surround all these activities. This approach, proven to be effective in production industries, can improve public confidence in nuclear energy by gradually improving safe operational records.

Acknowledgements

Opinions explained in this paper are the author’s personal view and do not represent in any way the Nuclear Safety Commission (NSC) of Japan. This work was done independently as an extension of the author’s previous work [10] for international audiences, and it is independent from the current on-going activities of the NSC and its committee trying to develop safety goals for domestic application. Special acknowledgement is directed to Dr Charles Gordon, who reviewed the initial draft and advised reorganizing it for readability, and Professor George Apostolakis, who sent me more recent articles related to SGs. The author appreciates all this support, although the entire content is the author’s responsibility. The author obtained the bulk of the US regulatory information by attending the MIT Special Summer Program for Professionals: Nuclear Systems Safety 1 and 2 (1986 and 2000), for which the author appreciates the efforts made by many lecturers.

References

[1] US NRC. Use of probabilistic risk assessment methods in nuclear regulatory activities: final policy statement. FR 42622; August 1995.
[2] Cullen LJ. White paper on risk-informed and performance-based regulation. SECY-98-144, US NRC; 1998.
[3] US NRC. Risk-informed, performance-based regulation. White Paper; March 1999 (available on NRC website).
[4] US NRC. Recommendations for reactor oversight process improvements. SECY-99-007; January 1999.
[5] US NRC. Status of risk-based performance indicator development and related initiatives. SECY-00-0146; June 2000.
[6] Extended bibliography is available in ‘A new paradigm for reactor regulation,’ by R.A. Meserve, Chairman US NRC, presented at MIT special summer program for professionals. Nucl Syst Safety 2001;1 and 2.
[7] Some of the representative safety criteria include, but are not limited to, 10CFR Part 50, Appendix A, US Federal Register; ‘Standard review plan for the review of safety analysis reports for nuclear power plants’ (SRP), NUREG 800, US NRC (last major revision 1981); Regulatory Guides, etc.
[8] For example, for safety systems: Apostolakis G. Risk management, a lecture at MIT special summer program for professionals. Nucl Syst Safety 2000–2001;1 and 2.
[9] For example, in several discussions at MIT special summer program for professionals. Nucl Syst Safety 1984;1 and 2.
[10] Saji G. Total safety: a new safety culture to integrate nuclear safety and operational safety. Nucl Safety 1991;32(3):416–23.
[11] Reason J. Managing the risk of organizational accidents. Ashgate Publishing Ltd; 1997.
[12] IAEA TECDOC-1141. International Atomic Energy Agency; 2000. OECD/NEA CSNI Performance Indicator Workshop in Madrid; 2000.
[13] Hastie WJ. Looking back, moving forward—an INPO perspective, a lecture at MIT special summer program for professionals. Nucl Syst Safety 2001;1 and 2.
[14] Belles RJ, Cletcher JW, Copinger DA, Dolan BW, Minarick JW, O’Reilly PD. Accident sequence precursor program results. Nucl Safety 1996;37(1):73–83.
[15] Murley TM. Safety goals in a deregulated market, a lecture at MIT special summer program for professionals. Nucl Syst Safety 2001;1 and 2. Also SECY-99-289.
[16] Garshow SF. NRC revised oversight process, a lecture at MIT special summer program for professionals. Nucl Syst Safety 2000;1 and 2.
[17] INSAG-12. Basic safety principles for NPP. Safety management. INSAG-3 Rev. 1. Vienna: International Nuclear Safety Advisory Group, IAEA; 1999.
[18] ANS and IEEE. PSA procedures guide. NUREG/CR-2300, US NRC; 1983.
[19] Justin F, Petit J, Tanguy PF. Safety assessment of severe accident in fast breeder reactors. Nucl Safety 1986;27(3):332–42.
[20] Griffith J. Discussion at ANS-USAEC Meeting on Fast Reactor Safety, Los Angeles; April 2–4, 1974.
[21] Safety Series 50-C/SG. Quality assurance. Vienna: IAEA; 1996.
[22] NRC inspection manual. www.nrc.gov/NRC/IM/0305.html; issue date: 03/23/01.
[23] Rasmussen J. Human errors: a taxonomy for describing human malfunction in industrial installations. J Occup Accid 1982;4:311–33.
[24] Weil R, Apostolakis G. Identification of important organizational factors using operating experience. Proceedings of the Third International Conference on Human Factor Research in Nuclear Power Operations, Mihama, Japan, September 8–10, 1999.
[25] Atomic Energy Control Board (now the Canadian Nuclear Safety Commission). Development of a regulatory organizational and management review method. Report No. RSP-0060; January 20, 1998.
[26] INSAG-4. Safety culture. Vienna: International Nuclear Safety Advisory Group, IAEA; 1991.
[27] Sorensen JN, Apostolakis GE, Powers DA. On the role of safety culture in risk-informed regulation. PSAM 5, Probabilistic Safety Assessment, November 27–December 1, 2000, Osaka, Japan; 2000;4/4:2205–10.
[28] Carbon MW. ACRS letter to J.M. Hendrie, subject: quantitative safety goals; 15 May 1979.
[29] Okrent D. The safety goals of the US Nuclear Regulatory Commission. Science 1987;236(April).
[30] Rathbum D, Modarres M. Development of safety goals for nuclear power plants. Nucl Safety 1987;28(2):155–63.
[31] US NRC. An approach to quantitative safety goals for nuclear power plants. NUREG 0739, US NRC; 1980.
[32] US NRC. Safety goals for the operations of nuclear power plants: policy statement. 51 FR 30028; August 1986.
[33] US NRC. Staff requirements memorandum on SECY-89-102: implementation of the safety goals. US; June 1990.
[34] US NRC. Modifications to the safety goal policy statement. SECY-97-208; 1998.
[35] US NRC. Appendix D: safety goal policy statement and backfit rule. NUREG/BR-0184, US NRC; 1990.
[36] US NRC. An approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the licensing basis. Regulatory Guide 1.174; 1999.
[37] Seal RL. A letter to Jackson SA. Elevation of CDF to a fundamental safety goal and possible revision of the commission’s safety goal policy statement; March 11, 1998.
[38] Powers DA. A letter to Meserve RA, Chairman of US NRC, reactor safety goal policy statement; April 17, 2000.
[39] Henry RE. Severe accident phenomena: a lecture at MIT special summer program for professionals. Nucl Syst Safety 2000–2001;1 and 2.
[40] Sorensen JN, Apostolakis GE, Kress DA, Powers DA. On the role of defense in depth in risk-informed regulation. PSA99, Probabilistic safety assessment, risk-informed performance-based regulation in the new millennium, Washington, DC, August 22–26, 1999;1:408–13.
[41] Meyer MA. The nuclear community and the public: cognitive and cultural influences on thinking about nuclear risks. Nucl Safety 1996;37(2):97–108.
[42] INES. The international nuclear event scale: user’s manual, jointly prepared by the International Atomic Energy Agency and the Nuclear Energy Agency of the OECD. Vienna: IAEA; 1990.