Insights from the Three Mile Island accident—Part 2: Improvements

The TMI-­2 accident was beyond the events in the plant’s design basis, which were analyzed in the plant’s final safety analysis report (FSAR). It was most similar to scenarios described in the Reactor Safety Study (RSS)[3], which had been prepared by a team at the Massachusetts Institute of Technology for the NRC in 1973–1975. The accident shocked the nuclear power community worldwide. It had been thought by nearly everyone that such an accident was only hypothetical and could never happen because of the emergency safety systems that were in place at every nuclear power plant. Hardly anyone beyond the team that prepared the RSS seriously considered that human actions would dominate and would turn an expected, but complicated, event into a beyond-­design-­basis, severe accident. Fortunately, the plant’s robust design, particularly its reactor vessel and containment, kept radiological releases very small, and the accident produced no physiological health effects.

The bases for many improvements in nuclear plant safety were recommendations made in the Kemeny Report[4] and in the Rogovin Report[5]. Bulletins[6,7,8], lessons learned[9], and new requirements[10,11] issued by the NRC provided other bases for safety improvement. Industry initiatives, particularly the formation and continuing actions of utility owners groups (OG)[12] associated with each reactor vendor and the Institute for Nuclear Power Operations (INPO)[13], defined and implemented many safety improvements. This article discusses the most important and sweeping improvements; other improvements not covered herein are listed at the end of the article.

EOPs and operator training

The TMI-­2 emergency operating procedures (EOP) were based primarily on the plant’s FSAR. Each EOP listed actions, primarily confirmations of automatic equipment responses, to be taken in response to a specific event in the FSAR, such as reactor trip, turbine trip (or loss of load), loss of feedwater, loss-­of-­coolant accident, steam line break, and steam generator tube rupture. These EOPs are referred to as “event-­based” emergency procedures. Each procedure listed certain key symptoms to be used to identify what event was happening (and, hence, indicated which EOP to use), and further symptoms were annotated throughout the procedure to be used to confirm equipment operation. Given the number of symptoms that appeared in the TMI-­2 control room, the operators were severely challenged to diagnose the situation and to determine which procedures to use. In fact, they used many normal and abnormal procedures and EOPs simultaneously. Meanwhile, they continued to intervene in the progress of the accident through actions such as throttling the emergency core cooling system high-­pressure injection, which was not anticipated in either the FSAR or the procedures.

The TMI-­2 operator training for transients and accidents was based primarily on the plant’s FSAR and EOPs. This included training scenarios on the Babcock & Wilcox full-­scope control room simulator, which were quite stylized (based largely on the FSAR transient and accident analyses), with little deviation from expectations. Random operator actions were not included in the training scenarios.

The NRC Bulletins[6,7] issued immediately following the accident addressed both emergency procedures and operator training, and the TMI Action Plan[10,11] addressed training simulators. Within days of the accident, OGs associated with each reactor vendor were formed [12], first to respond to NRC questions and new requirements, and then to address a wide range of nuclear power plant issues well beyond those arising from the TMI-­2 accident[14]. A major initial task of each OG was to develop guidelines for new “symptom-­based” EOPs[15,16], which were quickly deployed to each plant. These guidelines were used by each plant owner to develop and to implement symptom-­based, plant-­specific EOPs.

At the time of the accident, there were only five full-­scope control room simulators in the United States. These were owned by the four reactor vendors—Westinghouse, General Electric, Combustion Engineering, and Babcock & Wilcox—and the Tennessee Valley Authority. Because of a huge variation in control room designs (determined by both utilities and the architect-­engineering firms that built the plants), most reactor operators were trained on simulators that poorly modeled their plant’s control room. The mismatch between the TMI-­2 control room and the B&W simulator may have been one of the worst[17].

In the years following the TMI-­2 accident, full-­scope control room simulators were deployed at all nuclear power plants in the United States. This trend was continued on an international scale following the Chernobyl accident[18]. These simulators incorporated three major design improvements from those that existed in 1979. First, their control panels closely (or exactly) replicate those of their plants’ respective control rooms. Second, they use extremely fast computer processors. Third, they employ high-­fidelity models to represent the plants’ physical processes, including reactor kinetics and reactor coolant system thermal-­hydraulics; this feature is made possible by the second improvement. Most simulators’ computers and process model software have been upgraded one or more times since their initial installation.

Simulators in the United States must conform to the requirements stated in 10 CFR 55.46[19]; this can be done by following the guidance given in NRC Regulatory Guide 1.149[20], which endorses ANS standard 3.5–2009[21] and NEI 09-­09 guidance[22].

INPO

INPO was established in December 1979 in response to recommendations in the Kemeny Report. INPO is a U.S. nuclear utility industry “self-­regulating” organization. Every U.S. utility that owns a nuclear power plant is a member, and each reactor vendor and several other major equipment suppliers serve on the INPO Supplier-­Participant Advisory Committee. INPO’s mission, as stated on its website, is “to promote the highest levels of safety and reliability—to promote excellence—in the operation of commercial nuclear power plants.” This differs from the mission of the NRC, which, as a regulator, is to set and to enforce “acceptable” levels of design, construction, operation, and maintenance.

INPO’s operations are composed of plant and corporate evaluations, training and accreditation (through INPO’s National Academy for Nuclear Training), events analysis, emergency preparedness and response, plant and corporate assistance, and support for new plant deployment. INPO’s most visible activity after its formation was assisting and accrediting utility reactor operator training programs. This long ago expanded to address nuclear utility personnel in all disciplines. INPO plant and corporate evaluations are conducted by peers and provide significant insights and recommendations relative to not only technical matters, but also organization, management, and culture issues. INPO assists a utility in reviewing any significant event at its nuclear plants, and through information exchange and publications communicates lessons learned and best practices throughout the industry. Upon the request of a utility, INPO provides assistance with specific technical or management issues using teams of peers. INPO conducts “review and assist visits” (also using teams of peers) relative to emergency preparedness. Since the Fukushima Daiichi accident, INPO is the lead industry organization for coordinating industry support during an emergency event.

Since the TMI-­2 accident, all U.S. nuclear utilities have greatly expanded their nuclear training organizations and have upgraded their training materials and techniques, including installation of full-­scope training simulators (noted above), and submit continuously to review and accreditation of their training programs by INPO. The response to INPO has been uniformly positive. Utilities highly value INPO’s assistance, evaluations, and communications. Although they conduct their activities entirely independently, the NRC and INPO have a memorandum of agreement[23] under which they exchange experience, information, and data related to the safety and security of nuclear power plants.

Sharing operating experience

One of the major findings of all immediate post-­TMI studies was that communications to share operating experience within the nuclear industry had to be improved. This was immediately facilitated by the NRC Bulletins relative to the accident and dialogue within OGs, and later was greatly enhanced by new data gathering and dissemination mechanisms established by INPO. The NRC’s TMI Action Plan required that each utility establish formal procedures for feedback of operating experience. Utility response to this requirement included establishing new organization units staffed with engineers, former operators, and human reliability specialists dedicated to the task of interrogating information sources, evaluating the safety significance of events, entering the operating experience feedback into corrective action programs, and reporting events at their plants to INPO and the NRC.

INPO operates the Significant Event Evaluation and Information Network[24], which annually screens several thousand reports of abnormal operating situations from domestic and international utilities, vendors, and the NRC. Each is entered into a computerized database and then evaluated by INPO’s Events Analysis Department, which determines whether an event is safety significant and, if so, sends a Safety Significance Notification to every nuclear plant simultaneously. If INPO determines that the event requires action by the utilities, it issues either a Significant Event Report or a Significant Operating Experience Report, which contains a list of recommendations. Under the INPO-­NRC memorandum of agreement, all reports are also forwarded to the NRC, but neither organization makes the reports public.

INPO operates the Equipment Performance and Information Exchange (EPIX) system, which tracks the performance of equipment important to safety and reliability. The industry reports equipment performance information to EPIX following INPO guidelines. Utilities use the data to identify and solve plant equipment performance problems, with the goal of enhancing plant safety and reliability. The information is also used by INPO for performance trending to identify industry-­wide performance problems. The data is also available to the NRC.

Under 10 CFR 50.73[25], utilities are required to submit Licensee Event Reports. These reports are publicly available on the NRC’s website.

Severe accident mitigation

The Kemeny Report made the following recommendation: “Continuing in-­depth studies should be initiated on the probabilities and consequences (on-­site and off-­site) of nuclear power plant accidents, including the consequences of meltdown.” The Rogovin Report stated, “Should loss of core cooling and resulting core damage occur in a nuclear plant, there are certain predictable consequences that might be substantially mitigated . . . by design improvements of less than staggering cost or complexity.” It went on to state that “expedited consideration should be given to the use of vented, filtered containment systems to guard against the high-­pressure rupture of existing containments.” These statements imply the need for severe accident research.

In 1980, the NRC initiated a long-­term rulemaking to consider to what extent nuclear power plants should be designed to deal with degraded core and core melt accidents[26]. The rulemaking supported research and came to conclusions in many areas, including post-­accident hydrogen control, emergency planning, and preparedness, source term reassessment, severe accident research, evaluation of plant-­specific severe accident vulnerabilities (discussed further below), containment performance, external events, and severe accident management[27]. A list of NRC reports arising from these activities is provided in NRC Generic Letter 88-­20[28]. NRC report NUREG-­0933[29], which has 34 supplements, documents the resolution of various generic issues arising from both the TMI-­2 accident and the Chernobyl accident. As a result, the NRC required no design changes in operating nuclear power plants beyond those specified in the TMI Action Plan.

In response to the NRC rulemaking, industry conducted the Industry Degraded Core Rulemaking (IDCOR) Program[30] from 1981 to 1985. The principal conclusions of this program were (1) the fission product source terms—quantities and types of radioactive material released in the event of severe accidents—are likely to be much less than had been calculated in previous studies, (2) the risks and consequences to the public of severe nuclear accidents are significantly below those predicted by previous studies (e.g., the RSS) and are much smaller than the risk levels incorporated in the NRC interim safety goals, and (3) major design or operational changes in currently operating reactors are not warranted. A list of IDCOR reports is also provided in NRC Generic Letter 88-­20.

Severe accident research studied the physical and chemical characteristics of many phenomena experienced during the TMI-­2 accident and worse scenarios, including core degradation, molten core interaction with the reactor vessel, reactor vessel lower head failure, high-­pressure accidents in pressurized water reactors, unique features of severe accidents in boiling water reactors, corium-­concrete interaction, hydrogen behavior, and control, direct containment heating, steam explosions, containment failure, and fission product release and transport[31]. These results were applied in subsequent activities to define severe accident management guidelines and severe accident mitigation alternatives (SAMA) for operating nuclear plants and severe accident mitigation design alternatives (SAMDA) for new plants.

On August 8, 1985, the NRC issued a policy statement on severe reactor accidents[32] that set the framework for actions taken by both the commission and industry ever since. The statement encouraged “risk management” and outlined potential new licensing requirements for both existing and new nuclear plants. It led to a major effort to identify plant-­specific vulnerabilities to severe accidents (discussed in the next section) and to extensive industry activity to develop guidelines for the mitigation of a severe accident.

The Nuclear Utility Management and Resources Council (NUMARC---NUMARC became the Nuclear Energy Institute in 1994 by the merger of several nuclear industry organizations) led the industry in developing guidelines to address severe accident issues. In 1991, the council issued NUMARC 91-­04[33], which required each nuclear plant licensee to “assess current [plant-­specific] capabilities [of each of its plants] to respond to severe accident conditions” and to “implement appropriate improvements identified in the assessment, within the constraints of existing personnel and hardware, on a schedule to be determined by each licensee and communicated to the NRC, but in any event no later than December 31, 1998.” NUMARC 91-­04 gave detailed guidance and precautions relative to the use of probabilistic risk assessment (PRA) in this process.

Perhaps most important, NUMARC 91-­04 outlined a process by which a licensee would develop severe accident management guidance for its nuclear plant emergency response organization, including staff from plant operations, technical support, and plant management. The process included consideration of severe accident management guidelines developed by the OGs; the plant-­specific PRA, EOPs, emergency response plan, and training program; and interactions with other utilities, both directly and through the OGs, INPO, the Electric Power Research Institute (EPRI), and the NRC. In April 1992, NUMARC issued NUMARC 92-­01[34], which was prepared by EPRI. It presented a template by which a licensee could meet the requirements of NUMARC 91-­04.

In 1996, the NRC issued NUREG-­1437[35], which required a SAMA evaluation as part of the plant license renewal process. However, based on the NRC’s previous experience with three pilot SAMDA reviews, containment reviews, the Individual Plant Examinations (IPE) discussed in the next section, and implementation of the NUMARC severe accident program, the NRC stated that it “expects that a site-­specific consideration of severe accident mitigation for license renewal will only identify procedural and programmatic improvements (and perhaps minor hardware changes) as being cost-­beneficial in reducing severe accident risk or consequence.” The Nuclear Energy Institute provided guidance for these evaluations in NEI 05-­01[36]. A review[37] of the first 30 SAMA evaluations encompassing 50 nuclear units confirmed the NRC expectation stated in NUREG-­1437 and tabulated the cost-­beneficial improvements from those evaluations. The most prevalent SAMAs that involved hardware modifications concerned station blackout or loss of power sequences.

In 2003, the NRC issued a new regulation, 10 CFR 52.47[38], stating the requirements for the FSAR of new reactors, specifying for light-­water reactor designs, “a description and analysis of design features for the prevention and mitigation of severe accidents, e.g., challenges to containment integrity caused by core-­concrete interaction, steam explosion, high-­pressure core melt ejection, hydrogen combustion, and containment bypass.” Applications to the NRC for certification of new plant designs have included a wide variety of unprecedented features in response to these requirements, including passive safety features; additional trains of emergency safety features; filtered, vented containments; and core catchers.

On March 11, 2011, a 9.0-­magnitude earthquake struck close to the coast of Japan, northeast of Tokyo[39]. The epicenter was near the six-­unit Fukushima Daiichi site, which lost all power from the electric grid such that all site electric load transferred to emergency diesel generators (EDG). Plant equipment survived the earthquake as designed. However, the earthquake produced an estimated 45-­foot-­high tsunami that damaged many of the EDGs, the EDGs’ fuel supplies, and some of the site’s backup battery systems. Three reactors were operating; the other three were shut down. The three operating reactors each experienced a partial-­to-­full core meltdown. The accident was unprecedented in many ways, especially in causing core damage to multiple reactors at the same site.

On March 12, 2012, the NRC issued an order[40] to all power reactor licensees and holders of construction permits, stating new requirements for mitigation strategies for beyond-­design-­basis external events. The order specified three phases of compliance. The initial phase required the use of installed equipment and resources to maintain or restore core cooling, containment, and spent fuel pool cooling. The transition phase required providing sufficient portable on-­site equipment and consumables to maintain or restore these functions until they could be accomplished with resources brought from off-­site. The final phase required obtaining sufficient off-­site resources to sustain those functions indefinitely. For operating plants, the compliance deadline was two refueling cycles or the end of 2016, whichever came first.

The requirements of the first two phases were partially met by severe accident management strategies and equipment already in place from the NUMARC/NEI initiatives described above. NEI led an extensive industry effort to assist and to coordinate licensees’ responses. NEI issued NEI 12-­01[41] in May 2012. In August 2012, NEI issued NEI-­12-­06[42], which has been modified several times since then. It provided detailed guidance relative to the off-­site resources requirements of the third phase of the NRC order. The NRC endorsed this guidance, known as “Diverse and Flexible Coping Strategies” (FLEX), key elements of which were detailed specifications of interfaces with existing EOPs and emergency plans; establishment of plant-­specific capabilities to make connections (power, water, lubrication, etc.) to supplemental equipment brought from off-­site; and storage, maintenance, and transport of a large inventory of supplemental emergency response equipment being stored and maintained at regional response centers (RRC). Currently, RRCs are located in Phoenix, Ariz., and Memphis, Tenn.[43]. An industry group called the Strategic Alliance for FLEX Emergency Response (SAFER) manages the RRCs. This organization also has two control centers that are separate from the RRCs and would coordinate equipment deliveries. In addition, the NRC has approved the use of SAFER RRC resources during a nonnuclear exigent emergency situation[44].

On January 25, 2019, the NRC commissioners approved a final rule[45] that amends 10 CFR 50 and 10 CFR 52 to incorporate most of the requirements issued by NRC Order EA-­12-­049[40], discussed above, and NRC Order EA-­12-­051[46], which concerned spent fuel pool instrumentation. These amendments will be published in the Federal Register later this year.

Risk management

The Kemeny Report recommended that in-­depth studies be initiated “on the probabilities and consequences (on-­site and off-­site) of nuclear power plant accidents, including the consequences of meltdown.” Those studies, the report said, “should include a variety of small-­break loss of coolant accidents and multiple-­failure accidents, with particular attention to human failures.” The Rogovin Report explicitly cited the PRA techniques used in the RSS and recommended that “more rigorous and quantitative methods of risk analysis . . . be employed to assess the safety of design and operation.”

During the nine years following these recommendations, both the NRC and the nuclear industry expended considerable effort to develop and apply PRA techniques in various studies and applications[47]. More progressive practitioners even began to use the term “risk management” to describe their efforts. However, the NRC made no significant changes to regulations that governed nuclear power plant design, licensing, and operations, and the industry accordingly made no major use of PRA in these areas.

Then, on November 23, 1988, the NRC issued Generic Letter 88-­20[28], which required each nuclear plant owner to prepare an IPE to be used in identifying plant-­specific vulnerabilities to severe accidents. The letter required each licensee to submit the IPE within three years. Over the next seven years, the NRC issued five supplements to this generic letter that gave submittal guidance, requested accident management strategies, gave insights from the NRC’s Containment Performance Improvement Program, requested IPEs with external events (IPEEE) within three years, and allowed modified methods for seismic IPEEEs within 60 days. The intensity of effort by both the NRC and the industry over this seven-­year period can be realized by referring to the lists of references and reports in Generic Letter 88-­20 and its supplements, to reports from industry conferences[48], and, of course, to the IPE and IPEEE submittals themselves.

Some utilities and vendors immediately applied the results of the IPE development. The most prominent application was to provide input to on-­line risk monitors, which display the risk (calculated by the IPE model or its upgrade) for the current plant configuration (accounting for equipment out ­of ­service). These risk monitors were, and continue to be, used primarily in support of decisions made in plant operations and maintenance. The OECD Nuclear Energy Agency’s Committee on the Safety of Nuclear Installations reported[49] that the first risk monitor in the United States was installed in the San Onofre plant in 1993 on a trial basis and was in full use in 1994, with subsequent upgrades to include a Level 2 PRA in 1996 and external events and shutdown modes in 1998. The committee reported that within 10 years, by 2003, there were approximately 12 risk monitor designs in use or under development. In the same report, the committee listed the risk monitors used in all OECD member states’ nuclear power plants.

The NRC took its first major steps to accept the use of PRA in the regulatory process in 1998, almost 20 years after the TMI-­2 accident, by issuing five regulatory guides that specified acceptable methods for making risk-­informed decisions in regulated activities. The subjects of this guidance were plant-­specific changes to the plant licensing basis[50] (i.e., license amendment requests [LAR]); in-­service testing[51]; quality assurance[52]; technical specifications[53] (submitted by LARs); and in-­service inspection[54].

Responding to the NRC’s new acceptance of risk-­informed decision-­making required significant upgrades of PRAs from those that had been developed in the IPEs and IPEEEs[55]. The industry, led first by the OGs[56] formed after the TMI-­2 accident and later by NEI[57,58,59], conducted an extensive program of peer reviews to certify the quality of PRAs. The NRC issued its own guidance on confirming PRA quality, which endorsed the NEI approach point by point, with clarifications and exceptions[60]. The industry has conducted a years-­long development of PRA standards[61,62,63,64,65]. Utilities developed and implemented rigorous procedures for applications of the upgraded PRAs[66].

Industry applied the upgraded PRAs to a host of risk-­informed initiatives[67]. The applications provided significant insights in many areas of plant design, operation, and maintenance[68]. Risk management using these insights produced tremendous improvements in these areas[69]. Utilities that embraced risk management showed dramatic improvement in safety based on INPO performance indicators[70].

One of the most significant improvements in the safety of nuclear plants began in 1999, when the NRC amended “the maintenance rule,” stated in 10 CFR 50.65[71], by adding Section (a)(4). This section states, “Before performing maintenance activities . . . the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities.” It describes the assessment as “a risk-­informed evaluation process.” 10 CFR 50.65 had already required the scope to include safety-­related and non-­safety-­related structures, systems, and components (SSC).

Prior to the addition of Section (a)(4), 10 CFR 50.65 was concerned primarily with providing input to preventive maintenance programs. Most utilities complied by using traditional methodology not dependent on a PRA. Although complying with 10 CFR 50.65 required determining the SSCs’ importance to risk, risk significance, reliability, availability, or safety significance, the NRC encouraged the use of “reliability-­based methods” and did not promote the formality and comprehensiveness of a PRA.

Some utilities had used their risk monitors for years to perform the assessments required by 10 CFR 50.65(a)(4) to manage maintenance practices, both on-­line and during outages[72]. However, many had not because the practice was given no regulatory credit, and prior to late 1998, the NRC did not accept risk-­informed LARs to change Technical Specifications, particularly to extend allowed outage times (AOTs).

Industry and NRC guidance on acceptable means to comply with 10 CFR 50.65(a)(4) has evolved over nearly 20 years. Initial industry guidance was provided in July 2000, when NEI issued Revision 3 of NUMARC 93-­01[73]. For the next 12 years, the NRC maintained separate guidance in Reg. Guide 1.182[74] and did not endorse the NEI guidance. There were frequent and extensive discussions between the industry (represented by NEI) and the NRC during this period of time. Finally, in May 2012, the NRC issued Revision 3 of Reg. Guide 1.160[75], which endorsed NUMARC 93-­01, Rev. 4A, issued in April 2011. ­NUMARC 93-­01, Rev. 4A, incorporated Reg. Guide 1.182, which was then withdrawn. Reg. Guide 1.160, Rev. 4, issued in August 2018, endorses the most recent NEI guidance given in NUMARC 93-­01, Rev. 4F, issued in April 2018; both documents refer extensively to the FLEX program described above.

Today, utilities continuously monitor the level of risk that is both forecast and actually produced by their nuclear plants using sophisticated risk monitors driven by PRAs that are several generations beyond the IPEs. Input to the PRA is provided by the plant’s work control department, which schedules all maintenance activities. Thus, the risk calculated by the PRA represents the current plant configuration, including any equipment that is out of service. The calculated risk is used to determine whether a particular maintenance activity is acceptable, to set limits on maintenance duration, to determine what compensatory measures must be put in place, and to determine the level of plant management authorization that is required before the maintenance is started. These activities are called “configuration risk management,” and they provide compliance with 10 CFR 50.65(a)(4). The risk level is also communicated broadly to plant personnel to be considered in their particular activities.

Safety categorization of SSCs

The Kemeny Report stated, “NRC’s design safety review places primary emphasis on those items labeled ‘safety-­related’ . . . [but] there are no precise criteria as to which components and systems are to be labeled ‘safety-­related.’” It made no explicit recommendation for replacing this system. The Rogovin Report stated, “The current classification of systems and equipment into ‘safety related’ and ‘nonsafety related’ is especially unsatisfactory.” It made the explicit recommendation, “Provide a risk-­related scheme for classifying equipment on the basis of safety significance.”

The major impediments to responding to the Rogovin Report recommendation were (1) the history and precedence of the existing method for classifying SSCs and (2) the unavailability of PRAs to apply a new approach to SSC classification. The history of safety-­related SSCs originates in 10 CFR 50.2, “Definitions,” which was issued on January 19, 1956. From this and related requirements developed a huge hierarchy of deterministic regulatory guidance, industry codes and standards, design practices, and AEC/NRC licensee reviews for 310 nuclear power reactors[76]. Immediately following the TMI-­2 accident, full-­scope PRAs for only two plants existed in the RSS, and plant-­specific PRAs did not exist for other reactors. Response to the IPE and IPEEE requirements discussed above changed the situation; a plant-­specific PRA was developed for every power reactor.

The genesis for the framework of risk-­informed classification of SSCs in place today was “Option 2” of the NRC’s SECY-­98-­300[77], issued at the end of 1998. The NRC issued an advance notice of proposed rulemaking near the end of 1999 that initiated three-­and-­a-­half years of intense activity by the NRC and the industry (led by NEI). The NRC published a proposed new rule (regulation) for public comment on May 16, 2003. The new rule, 10 CFR 50.69[78], was approved by the NRC commissioners near the end of 2004. Associated Reg. Guide 1.201[79], was published a little over a year later, in January 2006. Reg. Guide 1.201 describes a method for categorizing SSCs given in NEI-­00-­04[80] that had been developed by industry consensus.

Fig.1: RISC Categorization Matrix (Ref. 79).

The NEI-­00-­04 process places SSCs into one of four risk-­informed safety class (RISC) categories as illustrated in Fig. 1. According to Reg. Guide 1.201, “The safety significance of SSCs is determined using an integrated decision-­making process which incorporates both risk [PRA] and traditional engineering insights. The safety functions of SSCs include both the design-­basis functions (derived from the safety-­related definition) and functions credited for preventing and/or mitigating severe accidents. Treatment requirements are then commensurately applied for the categorized SSCs to maintain their functionality.” “Treatment requirements” means the application of specified design and construction codes and standards, operational procedures, and Technical Specifications.

The NRC’s endorsement of NEI-­00-­04 in Reg. Guide 1.201 states that a licensee may use methods other than those given in NEI-­00-­04 if those methods are reviewed by the NRC and are found to meet the requirements of 10 CFR 50.69. Reg. Guide 1.201 also states, “Licensees must use risk evaluations and insights that cover the full spectrum of potential events (i.e., internal and external initiating events) and the range of plant operating modes (i.e., full-­power, low-­power, and shutdown operations).” Reg. Guide 1.201 further specifies the attributes that are required of a PRA used in this application, including reference to Reg. Guide 1.200[60], existing NRC-­endorsed PRA standards, and PRA standards that are under development (which then requires the license to provide an independent justification).

NEI is coordinating an industry-­wide process for preparing and submitting LARs to meet 10 CFR 50.69[81]. This process includes a standard LAR template and review and oversight by a committee of industry peers. A pilot plant (Vogtle) submitted the first LAR in 2012, which the NRC approved in 2017. As of the end of November 2018, the NRC reported[82,83] on the status of 50.69 LAR submittals and reviews: 17 50.69 LARs were submitted in the first year of reviews (after the pilot); the first non-­pilot plant 50.69 LAR (Limerick) was approved in mid-­2018; NRC staff completed four 50.69 LAR reviews in November 2018; and NRC staff had an additional eight 50.69 LARs under review and expected three more submittals by the end of 2018. The NRC also stated that a 12-­month review schedule is planned for 50.69 LARs.

Other improvements

The TMI-­2 accident stimulated improvements in many other areas, including control room staffing, reactor operator qualifications, control room designs, plant status instrumentation, instrumentation to detect degraded core conditions, various control systems, electric power supplies, RCP seals, control room habitability, emergency preparedness, emergency response, emergency communications, and post-­accident hydrogen control[84].

William E. Burchill (<burchill@tamu.edu>) is retired from a career that focused on nuclear safety. He was with Combustion Engineering for 25 years, where his last position was Director, Operations Services and Field Engineering. He was Director of Risk Management at Commonwealth Edison/Exelon. He retired as Head of the Nuclear Engineering Department at Texas A&M University in 2007 and served as the 2008–2009 president of the American Nuclear Society.

References

1. W. E. Burchill, “Insights from the Three Mile Island accident—Part 1: The accident,” Nuclear News, May 2019, 32–39.

2. Z. R. Rosztoczy, “Root Causes of the Three Mile Island accident,” Nuclear News, March 2019, 29–32.

3. Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants (also known as the Rasmussen Report), WASH-1400 (NUREG-75/014), U.S. NRC (1975).

4. J. G. Kemeny et al., Report of the President’s Commission on the Accident at Three Mile Island, October 30, 1979.

5. M. Rogovin and G. T. Frampton Jr., Three Mile Island: A Report to the Commissioners and to the Public, NUREG/CR-1250, U.S. NRC, January 1980.

6. NRC Bulletin 79-05, “Nuclear Incident at Three Mile Island,” 1979.

7. NRC Bulletin 79-06, “Review of Operational Errors and System Misalignments Identified During the Three Mile Island Incident,” 1979.

8. NRC Bulletin 79-08, “Events Relevant to Boiling Water Reactors Identified During the Three Mile Island Incident,” 1979.

9. NUREG-0585, TMI-2 Lessons Learned Task Force Final Report, U.S. NRC, October 1979.

10. NUREG-0660, NRC Action Plan Developed as a Result of the TMI-2 Accident, U.S. NRC, May 1980.

11. NUREG-0737, Clarification of TMI Action Plan Requirements, U.S. NRC, November 1980.

12. For a summary of the 40-year history of the PWR Owners Group, which is a consolidation of the Combustion Engineering Owners Group, the B&W Owners Group, and the Westinghouse Owners Group, formed immediately after the TMI-2 accident, see <https://pwrogpublic.westinghousenuclear.com/Documents/WEC_PWROG_40Facts_FIN.pdf>.

13. J. V. Rees, Hostages of Each Other: The Transformation of Nuclear Safety Since Three Mile Island, University of Chicago Press, (1994).

14. W. E. Burchill, “Impact of TMI on Combustion Engineering Technical Activities,” invited paper published in Progress in Nuclear Energy 10: 3, 267-283 (1982).

15. W. E. Burchill, W. R. Corcoran, and J. W. Pfeifer, “C-E Post-TMI Evaluation Program Being Conducted for the C-E Owner’s Group,” C-E Paper TIS-6542 (1980).

16. J. K. Gasper and W. E. Burchill, “C-E Operator Emergency Guidance Program,” invited paper presented at 1981 ANS Annual Meeting, Transactions of the American Nuclear Society 38: 468 (1981).

17. Nuclear Accident and Recovery at Three Mile Island, report to the United States Senate prepared by the Subcommittee on Nuclear Regulation for the Committee on Environment and Public Works, G. Hart, chairman, June 1980.

18. IAEA-TECDOC-1411, Use of Control Room Simulators for Training of Nuclear Power Plant Personnel, International Atomic Energy Agency, September 2004.

19. 10 CFR 55.46, “Simulation facilities,” U.S. NRC, November 24, 1992.

20. Regulatory Guide 1.149, Nuclear Power Plant Simulation Facilities for Use in Operator Training, License Examinations, and Applicant Experience Requirements, U.S. NRC, April 1981; Rev. 1, April 1987; Rev. 2, April 1996; Rev 3., October 2001; Rev. 4, April 2011.

21. ANSI/ANS-3.5–2009, Nuclear Power Plant Simulators for Use in Operator Training and Examination, American Nuclear Society standard, September 4, 2009; preceded by 1979, 1981, 1985, 1993, and 1998 versions.

22. NEI 09-09, Rev. 1, Nuclear Power Plant-Referenced Simulator Scenario Based Testing Methodology, Nuclear Energy Institute, December 2009.

23. “Memorandum of Agreement Between the Institute of Nuclear Power Operations and the U.S. Nuclear Regulatory Commission,” September 11, 2013, available on NRC website.

24. Convention on Nuclear Safety Report: The Role of the Institute of Nuclear Power Operations in Supporting the United States Commercial Electric Industry’s Focus on Nuclear Safety, INPO, September 2007.

25. 10 CFR 50.73, “Licensee event report system,” U.S. NRC, July 26, 1983.

26. “Consideration of Degraded or Melted Cores in Safety Regulation,” advance notice of proposed rulemaking, Federal Register 45: 193, pp. 65474–65477, October 2, 1980.

27. H. P. Nourbakhsh, “Insights and Perspectives on Severe Accident Regulatory Decisions,” Proceedings of the International Meeting on Severe Accident Assessment and Management: Lessons Learned from Fukushima Dai-ichi, San Diego, Calif., November 11–15, 2012.

28. Generic Letter 88-20, “Individual Plant Examination for Severe Accident Vulnerabilities—10 CFR 50.54(f),” U.S. NRC, November 23, 1988; Supplement 1, August 29, 1989; Supplement 2, April 4, 1990; Supplement 3, July 6, 1990; Supplement 4, June 28, 1991; Supplement 5, September 8, 1995.

29. NUREG-0933, Resolution of Generic Safety Issues, U.S. NRC, December 2011.

30. A. R. Buhl et al., “The IDCOR Program—Severe Accident Issues, Individual Plant Examinations and Source Term Developments,” Risk Assessment and Management, L. B. Lave, editor, 205-217, Springer Science + Business Media, New York, January 1987.

31. B. R. Sehgal, editor, Nuclear Safety in Light Water Reactors: Severe Accident Phenomenology, Elsevier, 2012.

32. “Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants,” Federal Register 50: 153, pp. 32138–32150, August 8, 1985.

33. NUMARC 91-04 (later NEI-91-04), Severe Accident Issue Closure Guidelines, NUMARC/NEI, September 1991; Rev. 1, December 1994.

34. NUMARC 92-01, A Process for Evaluating Accident-Management Capabilities, NUMARC, April 1992.

35. NUREG-1437, Volume 1, Section 5.4, “Generic Environmental Impact Statement for License Renewal of Nuclear Plants,” U.S. NRC, May 1996.

36. NEI-05-01, Severe Accident Mitigation Alternatives (SAMA) Analysis, Nuclear Energy Institute, April 2005; Rev. A, November 2005.

37. T. Ghosh, R. Palla, D. Helton, “Perspectives on Severe Accident Mitigation Alternatives for U.S. Plant License Renewal,” Workshop Proceedings of ISAMM 2009: Implementation of Severe Accident Management Measures, Paul Scherrer Institute, October 2010.

38. 10 CFR 52.47, “Contents of applications; technical information,” U.S. NRC, September 16, 2003.

39. International Meeting on Severe Accident Assessment and Management: Lessons Learned From Fukushima Dai-Ichi,” proceedings of embedded topical meeting at 2012 ANS Winter Meeting, San Diego, Calif., November 11–15, 2012.

40. NRC Order EA-12-049, “Issuance of Order to Modify Licenses with Regard to Requirements for Mitigation Strategies for Beyond-Design-Basis External Events,” U.S. NRC, March 12, 2012.

41. NEI 12-01, Rev. 0, Guideline for Assessing Beyond Design Basis Accident Response Staffing and Communications Capabilities, Nuclear Energy Institute, May 2012.

42. NEI-12-06, Diverse and Flexible Coping Strategies (FLEX) Implementation Guide, Nuclear Energy Institute, August 2012; Rev. 1, August 2012; Rev. 2, December 2006; Rev. 3, July 2009; Rev. 4, December 2016.

43. “US Resilience in Face of the Storm,” World Nuclear News, September 21, 2018.

44. COMSECY-18-0013, “Using National SAFER Response Center Resources During Exigent Situations,” September 14, 2018.

45. SECY-16-0142, “Draft Final Rule—­Mitigation of Beyond-Design-Basis Events” (RIN 3150-AJ49), U.S. NRC, January 24, 2019.

46. NRC Order EA-12-051, “Order Modifying Licenses with regard to Reliable Spent Fuel Pool Instrumentation,” U.S. NRC, March 13, 2012.

47. R. A. Knief, editor, Risk Management: Expanding Horizons in Nuclear Power and Other Industries, Hemisphere Publishing Corp., 1991.

48. Proceedings of the International Topical Meeting on Probability, Reliability, and Safety Assessment (PSA ’89), American Nuclear Society, April 2–7, 1989.

49. Risk Monitors: The State of the Art in Their Development and Use at Nuclear Power Plants, OECD Nuclear Energy Agency, 2004.

50. Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, U.S. NRC, July 1998; Rev. 1, November 2002; Rev. 2, May 2001; Rev. 3, January 2018.

51. Regulatory Guide 1.175, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Testing, U.S. NRC, August 1998.

52. Regulatory Guide 1.176, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Graded Quality Assurance, U.S. NRC, August 1998; withdrawn February 2008.

53. Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, U.S. NRC, August 1998; Rev. 1, May 2011.

54. Regulatory Guide 1.178, An Approach for Plant-Specific, Risk-Informed Decisionmaking for Inservice Inspection of Piping, U.S. NRC, August 1998; Rev. 1, September 2003.

55. W. E. Burchill and D. True, “Managing Simultaneous PRA Upgrades,” Proceedings of the ANS International Topical Meeting on Probabilistic Safety Assessment, pp. 1280–1283, August 22–26, 1999.

56. BWROG-97026, “Transmittal of BWR Owners Group Document BWROG/PSA-9604: PSA Peer Review Certification Implementation Guidelines,” Boiling Water Reactor Owners Group, January 31, 1997.

57. NEI 00-02, Rev. A3, Probabilistic Risk Assessment Peer Review Process Guidance, Nuclear Energy Institute, March 20, 2000; Rev. 1, May 2006; update of App. D of Rev. 1, November 2006.

58. NEI 05-04, Process for Performing Follow-On PRA Peer Reviews Using the ASME PRA Standard, Nuclear Energy Institute, August 2006; Rev. 1, December 2007; Rev. 2, November 2008.

59. NEI 07-12, Fire Probabilistic Risk Assessment (FPRA) Peer Review Process Guidelines, draft version H, Rev. 0, Nuclear Energy Institute, November 2008.

60. Regulatory Guide 1.200, An Approach For Determining The Technical Adequacy of Probabilistic Risk Assessment Results For Risk-Informed Activities, U.S. NRC, February 2004; Rev. 1, January 2007; Rev. 2, March 2009.

61. ASME RA-S-2002, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME, New York, April 5, 2002; Addendum A, December 5, 2003; Addendum B, December 30, 2005; Addendum C, July 6, 2007; Rev. 1, RA-S-2008, April 2008.

62. ASME/ANS RA-Sa-2009, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, Addendum A to RA-S-2008, ASME/ANS, February 2009.

63. ANS RA-S-1.2–2014, Severe Accident Progression and Radiological Release (Level 2) PRA Standard for Nuclear Power Plant Applications for Light Water Reactors (LWRs), ASME/ANS, trial use standard, January 5, 2015.

64. ANS/ASME-58.22–2014, Requirements for Low Power and Shutdown Probabilistic Risk Assessment, ASME/ANS, trial use standard, March 25, 2015.

65. ASME/ANS RA-S-1.3–2017, Standard for Radiological Accident Offsite Consequence Analysis (Level 3 PRA) to Support Nuclear Installation Applications, ASME/ANS, trial use standard, July 13, 2017.

66. W. E. Burchill, “Standardization of Risk Management Practices at Exelon’s Twelve Sites,” Proceedings of the ANS International Topical Meeting on Probabilistic Safety Assessment, pp. 577–584, October 6–9, 2002.

67. J. Gaertner, D. True, and I. Wall, “Safety Benefits of Risk Assessment at U.S. Nuclear Power Plants,” Nuclear News, January 2003, pp. 27–36.

68. W. E. Burchill, “Application of Risk Insights at Exelon,” Proceedings of the ANS International Topical Meeting on Probabilistic Safety Assessment, pp. 304–310, October 6–9, 2002.

69. W. E. Burchill, “NPP Improvement by Risk Management,” ANS Embedded Topical Meeting on Risk Management: Now More than Ever, Transactions of the American Nuclear Society 88: pp. 863 (2003).

70. A. C. Kadak and R. Matsuo, “The Nuclear Industry’s Transition to Risk-informed Regulation and Operation in the United States,” Reliability Engineering and System Safety 92: pp. 609–618 (2007).

71. 10 CFR 50.65, “Requirements for monitoring the effectiveness of maintenance at nuclear power plants,” U.S. NRC, July 10, 1991, as amended July 18, 1999, to add Section (a)(4).

72. W. E. Burchill, “Maintenance Rule (a)(4) and Integrated Risk Management,” invited presentation at ANS Utility Working Conference, Amelia Island, Fla., August 11–14, 2002.

73. NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Nuclear Management and Resources Council (­NUMARC), May 1993; Rev. 1, May 1993; Rev. 2, Nuclear Energy Institute, April 1996; Rev. 3, July 2000; Rev. 4A, April 2011; Rev. 4F, April 2018.

74. Regulatory Guide 1.182, Assessing and Managing Risk before Maintenance Activities at Nuclear Power Plants, U.S. NRC, May 2000.

75. Regulatory Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, U.S. NRC, June 1993; Rev. 1, January 1995; Rev. 2, March 1997; Rev. 3, May 2012; Rev. 4, September 2018.

76. NUREG-1350, Volume 30, Information Digest 2018-2019, U.S. NRC, August 2018.

77. SECY-98-300, “Options for Risk-Informed Revisions to 10 CFR Part 50, ‘Domestic Licensing of Production and Utilization Facilities,’” U.S. NRC, December 23, 1998.

78. 10 CFR 50.69, “Risk-informed categorization and treatment of structures, systems, and components for nuclear power reactors,” November 22, 2004.

79. Regulatory Guide 1.201, Guidelines for Categorizing Structures, Systems, and Components in Nuclear Power Plants According to Their Safety Significance, U.S. NRC, January 2006; Rev. 1, May 2006.

80. NEI-00-04, 10 CFR 50.69 SSC Categorization Guideline, Nuclear Energy Institute, July 2005.

81. NEI Efficiency Bulletin 17-09, “Industrywide Coordinated Licensing of 10 CFR 50.69,” March 23, 2017.

82. NRC milestone chart for November 28, 2018, public meeting, “Risk Informed Steering Committee, NRC Activity Status, 50.69,” November 29, 2018, NRC ADAMS accession number ML18333A192.

83. NRC internal memorandum, A.H. Schwab to C.F. Fong, “Summary of November 28, 2018, Public Meeting to Continue Discussions Between the U.S. Nuclear Regulatory Commission and Industry Risk-informed Steering Committees,” December 28, 2018.

84. NUREG/KM-0001, Rev. 1, Three Mile Island Accident of 1979 Knowledge Management Digest, U.S. NRC, June 15, 2016. NN