1 UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION *** MEETING WITH ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS) *** PUBLIC MEETING *** Nuclear Regulatory Commission Commission Hearing Room 11555 Rockville Pike Rockville, Maryland Friday, May 2, 1997 The Commission met in open session, pursuant to notice, at 9:02 a.m., the Honorable SHIRLEY A. JACKSON, Chairman of the Commission, presiding. COMMISSIONERS PRESENT: SHIRLEY A. JACKSON, Chairman of the Commission KENNETH C. ROGERS, Member of the Commission EDWARD McGAFFIGAN, JR., Commissioner. . 2 STAFF AND PRESENTERS SEATED AT THE COMMISSION TABLE: JOHN C. HOYLE, Secretary KAREN D. CYR, General Counsel WILLIAM SHACK, ACRS JOHN BARTON, ACRS MARIO FONTANA, ACRS THOMAS KRESS, ACRS ROBERT SEALE, ACRS DANA POWERS, ACRS GEORGE APOSTOLAKIS, ACRS DON MILLER, ACRS . 3 P R O C E E D I N G S [9:02 a.m.] CHAIRMAN JACKSON: Good morning, ladies and gentlemen. It is a pleasure to once again meet with Dr. Seale and members of the NRC's Advisory Committee on Reactor Safeguards, who plan to discuss a number of topics of interest to the Commission at today's session. Before I launch in, my colleagues apologize. They are on travel and not able to be here. The ACRS provides advice to the Commission on the safety of proposed and operating nuclear plants as well as on safety-related policy matters, rules and regulations, elements of the NRC safety research program, prioritization, resolution, implementation of generic issues and the use of probabilistic risk assessment. The Commission is fortunate to be able to draw upon views and experiences of this selected and select group of technical experts as we try to solve and address technical concerns in licensing and regulation. During today's briefing, we will cover the following topics: Risk-informed performance-based regulation and related matters, risk-based regulatory acceptance criteria for plant-specific application of safety goals, proposed regulatory approach associated with steam . 4 generator tube integrity, low power and shutdown operations risk, status of ACRS review of the National Academy of Science's National Research Council Phase II study report on digital instrumentation and controls systems -- COMMISSIONER ROGERS: That's a mouthful. CHAIRMAN JACKSON: Yes, it is. Human performance program plan and the ACRS report to Congress on nuclear safety research and regulatory reform. Dr. Seale, my fellow commissioners and I welcome you to this meeting and we anticipate another candid and informative session with the committee and I understand that if there is any briefing material, it has already been made available. So, unless my colleagues have any opening remarks, please proceed. We have a full agenda. DR. SEALE: Thank you, Chairman Jackson. We are certainly happy to be here. We appreciate the opportunity to convey to you some of our views on a first-hand basis. We do have a full plate today and we hope we can get through it in an expeditious but, more importantly, informative way. So without further ado, I think we will get started and Dr. Apostolakis will tell us about risk-informed performance-based regulation and related matters. DR. APOSTOLAKIS: Thank you, Bob. . 5 Well, you have received our letter, but I would like to make some comments as an introduction to that letter and the whole effort. I think my fellow members agree with that, that these regulatory guides, especially 1061, are a major or significant achievement. Twenty-three years after draft WASH-1400, we are finally using PRA. We are finally recognizing that there is value to it. We stopped talking about PRAs, good PRAs, bad. We are looking at specifics now, what is modeled well, what is not modeled well. The set of principles that are stated there, in my opinion, are very good. They are the foundation of a new regulatory philosophy. We finally recognize that sacred cows such as defense in depth are not completely separate from PRA, that one can see the lack of defense in depth, for example, is reflected in some of the results of the PRA. So I think this is really major progress and also we should bear in mind we are talking about releasing these guides for public comment. This is not the final version. So, as far as I am concerned, the numbers that are there, for example an incremental -- the small increases in core damage frequency, they have to be 10 to the minus 6 or whatever per year, these numbers will be scrutinized at the next round, so we don't have to worry about it now. I think the documents should be published because the industry is . 6 very anxious to see some progress in these and they have not seen anything yet, except for the viewgraphs that have been used at various meetings. So I don't worry too much about the numbers, except, of course, for the major numbers like the QHOs, which are the Commission's policy. These numbers are not subject to change but other numbers that are proposed in the guides, I don't think we should worry about them right now. In fact, we will get feedback from the industry after we release these guides from public comment. I would like to come back to defense in depth and safety margins. As I said, we made significant progress there. I think we now understand better what the relationship is between these two concepts and PRA. CHAIRMAN JACKSON: Why don't you make such a statement for the record as to what the relationship is, as the committee sees it? DR. APOSTOLAKIS: Well, basically, with regard to defense in depth -- well, I think it also applies to safety margins, the moment you try to talk about that relationship you realize that you have to consider what PRA models well and what it models poorly and what it doesn't model at all. Now, for things that are not in the PRA, first of all, you have to find out why they are not there because maybe they were considered and dismissed as insignificant. . 7 But, for these, it seems to me, these traditional approaches such as defense in depth and good engineering practices and so on, then they can be applied the way we have been applying them because they are not in the risk model. But for other things that are in the risk model, then I would look at the major contributors to risk. I would look at the numbers, how high they are. I would look at the uncertainties around these numbers and then I would try to understand better these major contributors and ask myself now do I have enough diversity here, do I have sufficient number of barriers here. In other words, the defense in depth idea but now I am doing it in a quantitative way rather than relying on people's experience which is not necessarily bad but this is better. And then you can take it from there and go more deeply into it and so on but I think now we have a basis, a quantitative basis, in which we can implement this philosophy. In fact, speaking of philosophy, it was my understanding that the second and third principles were supposed to be stated as maintained the defense in depth philosophy, not defense in depth. Because the concern was that you can do a great probabilistic analysis and then somebody says, in the name of defense in depth, I don't like it. But the philosophy, I think, is a good idea that we want to have multiple barriers, you don't want to rely on . 8 one single element in a minimal cut set, even though that may have very low probability and so on. So the same thing goes for safety margin. Somehow, the words philosophy were dropped and I guess we will have to talk with the staff about it. The first applications of this, of these guides, will require team effort, in our opinion. We are not ready to rely on a single reviewer to review their requests for changes in the current licensing basis simply because this is very new. And, again, it is not a new method. It is not a new computer code; it is a new approach, it is a new philosophy again. I guess I use that word a lot, "philosophy," but I think it is important. So it will require a team effort, a combination of experts from various branches within the agency, until there is a wide understanding, a common understanding as to how this new approach will be implemented. Incidentally, in our introductions with the staff, we tried to figure out whether this was evolutionary or revolutionary. It was suggested it was revolutionary with a small "r", then it was suggested it was revolutionary with a Greek rho, so it is somewhere between a revolution and an evolution. Finally, I would like to state for the record that the Committee is extremely pleased with the cooperation that the staff has shown in the last several months. We have had . 9 excellent discussions with them and they were very willing to listen to our ideas, debate with us and I found that a pleasure, discussing technical issues at that level. I am sure my fellow committee members feel the same way. Now, I didn't go into the details but you have the letter and maybe if you have questions we can answer. CHAIRMAN JACKSON: Maybe I will start out, ask you a few questions and then pass to my colleague to my right and then to my left. Can you tell us how have the pilot programs informed the development of the draft regulatory guidance and standard review plan documents, or to what extent, and what do you think has to happen at this stage? DR. APOSTOLAKIS: well, the truth of the matter is that the pilots were formulated before the basic approach was formulated. It is probably due to administrative reasons or whatever. I mean, the timing in my opinion was a bit unfortunate. CHAIRMAN JACKSON: The cart before the horse? DR. APOSTOLAKIS: Yes, exactly. CHAIRMAN JACKSON: And now I know from talking to people that the pilots were put on hold in the last few months, although the staff may disagree with me, because the staff was so busy preparing these documents and I think it is obvious that the preparation of these documents is not a . 10 trivial matter. So, now, on the other hand, I am reluctant to say that the pilots did not contribute anything to this because the pilot projects had already submitted requests and I am sure the staff had read them, so that they had been influenced by those but, in my opinion, that was the extent to which these documents were influenced by the pilots. I think the timing was unfortunate and that's why we recommend in our letter that new and innovative requests should be solicited if possible by the Commission that will follow now this stated approach and we will see whether it works. Now, I happen to have seen one or two of these requests from the utilities, the current pilots. And, in my opinion, it would not take much work to take what they have done and cast it in this framework because the bulk of the work has been done. They simply don't follow the boxes that we have in these in these because they were not aware of them. CHAIRMAN JACKSON: I think there is some review going on relative to these documents and their discussions, I think. That's my understanding. DR. APOSTOLAKIS: So that is my impression. CHAIRMAN JACKSON: What about the IPE reviews? Were they -- did they inform the development of this draft document? . 11 DR. APOSTOLAKIS: I believe they did. I believe they did, especially when the staff proposed individual numbers as to how high we want to go here, how high we want to go there. I think they were influenced by the IPE results. Also, quality of the analysis int he IPEs, I think, was a major influence. CHAIRMAN JACKSON: To what extent has the Committee interacted with industry representatives on the items documents and how would you characterize their views? DR. APOSTOLAKIS: We have had presentations from NEI and from South Texas Project representatives and I don't remember now -- DR. POWERS: And Grand Gulf. DR. APOSTOLAKIS: And Grand Gulf. We found those interactions extremely useful especially, as I recall, at the last subcommittee meeting we had two gentlemen from STP and it was a very intense technical exchange and we felt that we benefitted a lot from their perspective. So that was, I think, a very good interaction. CHAIRMAN JACKSON: Let me ask you one last sort of linked set of questions. This is one of my favorite topics. What role does uncertainty play in the decisionmaking process? I mean, it seems to me that you could have two plants with the same mean core damage . 12 frequency that could lead to the same decision, although one could have an uncertainty of a factor of 10 and the other uncertainty of a factor of 100. I mean, is this issue of uncertainty and confidence intervals explicitly addressed or doe s it need to be explicitly addressed? Do you think it will be resolved in the public comment process? Give me some sense. Because the related question is whether the proposed acceptance guidelines for core damage frequency and large early release frequency would say, in effect, that no increase in risk would be permitted. That is, can you distinguish between 5, 10 to the minus four and 5.1, 10 to the minus 4. DR. APOSTOLAKIS: Well, I think how to handle uncertainty was a major driver here because people are uncomfortable with it. That is, in part, why I said this is really a new philosophy. For example, let me give you a few examples where that concern influenced our interactions. Early on, one of the early drafts of DG 1061, which is the main document, had a figure or two figures that showed the core damage frequency versus the allowed increase and there was a region of acceptability, a region. There was a major discussion regarding those so-called bright lines. We argued very strongly that because of the . 13 uncertainties this figure can be misleading, that if you are a little bit to the left of the line it is acceptable, if you are a little bit to the right it is not acceptable and, as you say, who can tell? And we had all agreed that we start working with the mean values but, of course, we have in mind the whole spectrum of uncertainties and completeness and so on. So after a lot of debate -- because the text itself was much more reasonable in my opinion in saying look, the goal is 10 to the minus 4 per year for core damage frequency, but, you know, there are many uncertainties, we should recognize them, and so on -- so I was very unhappy with the figures and I think finally the staff agreed that we shouldn't have figures with those bright lines because of the nature of this analysis. Then there is a very good discussion in the guide of the uncertainties in PRA, and again he comes back to uncertainties in what is modeled, model uncertainty, parameter uncertainty, things that are left out. So that's very good progress too. Then the fact that the staff has proposed this region of, let's say the goal is 10 to the minus 4, then they say between 10 to the minus 5 and 10 to the minus 4, there will be intense management or increased management attention. Now what does that mean? That means you . 14 scrutinize the uncertainties. You look at it. You don't go with the mean value only. You have to convince yourself that what the request says makes sense. And I think at this point in time this is very reasonable. In other words, you cannot give, in my opinion, specific rules and say this is what you do in that situation, this is what you do in that situation, because we simply don't know. And that I think is one of the things that scares some people because now they will be responsible for their actions. They will not have a guide or a table that will say if and if and if, then. Now you have to use your judgment. For example, if you are in that region, do you need seismic risk analysis? Do you need to worry about shutdown risk here? Do you need to worry about how well human error was modeled? These are questions that have to be answered in the context of the specific request. But I think three or four years from now we will know much more about it, but right now it seems to me that's where it is. CHAIRMAN JACKSON: Okay. Dr. Kress? DR. KRESS: Thank you. I'm glad you asked that question, because it's also one of my pet themes, how to deal with uncertainties in the decision making process. We're talking about having a criteria of what is an acceptable risk. Now one could apply uncertainties immediately in that in where we decide on what that level . 15 is. We have essentially decided if it were to be the safety goals that you use the mean, which is already a statement of the uncertainties. You set the level, the .1 percent, at a low enough value that it already accounts for your trouble with the uncertainties. That's one area that you can deal with uncertainties. The other area is you're talking about dealing with acceptable changes in risk, possibly. What is an acceptable increase? And it's there where you might find different levels of uncertainty because you have to evaluate this particular thing and the ability to evaluate it is not very good. So at that point is where I would think one would talk about confidence levels. You talk about the confidence level in your prediction of that delta risk for that specific change, and I would have in my criteria that you'd have to know that within some confidence levels. Now I don't know what the appropriate choice for that would be. CHAIRMAN JACKSON: Well, that was going to be my last question on this topic, which is whether the choice of confidence level is inherently a policy decision. DR. KRESS: I think it is. I think it is. You know, it's not something you can really technically say this is what it ought to be. It's a decision, policy decision. CHAIRMAN JACKSON: Right. Thank you. Last question. Are these regulatory guidance . 16 documents likely to have impacts on our regulatory analysis and rulemaking activities? DR. APOSTOLAKIS: I think they will. CHAIRMAN JACKSON: I mean, is there consistency with our regulatory analysis guidelines? DR. APOSTOLAKIS: I would defer to one of my colleagues who is more familiar with the regulatory analysis. DR. KRESS: I could express an opinion. DR. APOSTOLAKIS: Go ahead. I'm too new. DR. KRESS: I think they are consistent. CHAIRMAN JACKSON: Okay. DR. KRESS: And they're consistent in several respects. The regulatory analysis talk about substantial changes and they talk about conformance with the safety goals and the process that they use in establishing the risk and benefits or PRA's. I think they're consistent. There may be some minor inconsistencies, but the philosophy is essentially the same, and it wouldn't take much to make them entirely consistent. CHAIRMAN JACKSON: I don't usually do this. Mr. Thadani, you would agree? You're nodding. DR. THADANI: Yes, I would certainly agree. Our intention was to -- Ashok Thadani, research. Our intention was clearly to make sure that the approach we utilize here . 17 is consistent with the Commission's safety goals of security objectives as well as regulatory analyses that we use in our backfit decisions. CHAIRMAN JACKSON: Okay. Thank you. Commissioner Rogers. COMMISSIONER ROGERS: Oh, yes, I wonder if -- I'd like to come back to this uncertainty thing a little bit later, but I wonder if you could just say a little bit more about your comments with respect to graded quality assurance where you felt that the staff was being unnecessarily timid in their approach. Could you just sort of help me to understand what you really have in mind there? DR. APOSTOLAKIS: Well, it's a general impression that's formed by reading the whole document. There is extreme reluctance to categorize components or to declare components or systems as belonging to the load safety significant category. There is extreme reluctance to trust or to believe that there is some information there. The importance measures which the industry is proposing. So on top of that now we have the significant safety functions, and it's not clear when you read the guide whether everything that supports a safety function is itself of high safety significance or not. Anticipating your question I went back and I was looking for a smoking gun. I couldn't find it. So it's a . 18 general impression. And then of course what you do with the items that are in the low safety significant category -- again there is significant disagreement between the staff and the industry as to how far you go in relaxing the requirements. Now the other thing that puzzles me is that we are talking about something here whose value is not understood. It is clearly stated in the guide that we don't have any basis on which we can declare that QA makes the failure rate go down by a factor of 2 or 3 or 1-1/2 or the square root of 5. I don't know. We don't know what the benefit is, and yet we're making such a big deal about moving things from one category to another, as if, you know they will be completely inoperable if you put them in the low safety significant category. And that I must say is really a very interesting and puzzling situation. I think it's another -- I think it's primarily tradition again, but people are so comfortable with QA that they feel very uncomfortable that we will not do these things to some components, and the savings here -- CHAIRMAN JACKSON: So is your argument that recategorization does not affect operability? DR. APOSTOLAKIS: Oh, it might, but I don't know by how much, and I don't think anybody does, and I asked people, the staff, is it a factor of 10? They say no. So I . 19 don't know. We don't have any evidence. Maybe it would be worthwhile to do something to try to understand that. How much do we lose by recategorizing a system or a component? COMMISSIONER ROGERS: Well, I think that that relates to the concern which I've been hearing from some industry quarters that they don't really see any benefits from the use of PRA yet from NRC's regulatory posture other than it's another way of looking at things and it certainly is useful in understanding the plant, but in terms of regulatory relief -- I kind of hate that word, but I don't know what I've -- I haven't got a better phrase, but I think we all know what we're talking about -- some modification on the basis of reclassifying requirements on the basis of greater knowledge of their safety significance when they may have had a perfectly reasonable historical origin that seemed like a good idea at the time, but the time was a long time ago, and now we know a lot more, but there doesn't seem to be much action in that direction. I wonder if you have any thoughts as to how to approach this in a systematic way because obviously you can't do everything at once, but would there be some area of application of PRA that is so sound, so incontrovertible, that one could simply use PRA to take some steps on removing or changing regulatory requirements which clearly on a quantitative and even expert judgment point of view based on . 20 historical experience really just simply don't make any sense anymore. I know we've talked about things like limiting conditions for operations that have come out of some PRA studies, but I don't know if we've changed anything as a result of that. So I wonder if you have some thoughts there, because this is really a very important area. The other related observation, I think your comments with respect to the uncertainties are extremely interesting -- I have to say a bit disappointing, however, because I think that one of the -- not that I disagree with them -- but that one of the advantages to moving to PRA I think is to allow the NRC to be able to point to PRA analysis as a more objective set of measures for decision making than what have been used in the past when we've used things like expert judgments and good engineering practice, which we feel very comfortable about but are hard to explain sometimes to the public. DR. APOSTOLAKIS: Well I think, starting with the uncertainty, I think it is a more objective way. The problem is we cannot use decision theory as is. Decision theory tells us we should work with mean values. I think in our industry we're using mean values as a first step. The degree of uncertainty, the level of uncertainty, is very critical to us, because if the uncertainty is very large, we may change the decision problem and say well, we have to . 21 understand this better. If we start a new research project instead of making the original decision. So we are not really following a well-established mathematical theory, and that's what the problem is, that we cannot work only with mean values, because as the Chairman said, you can have examples where the means are the same, but the spread is very different, and then of course you can't tolerate that given the hazards we're dealing with. So I am not sure that at this point we can go beyond what I said. In fact I would be very reluctant to accept anything more prescriptive in terms of 95th percentiles and so on. I think it's too soon. I think too few people understand these things, and again, I don't want to be as prescriptive as in the current system in the new domain, so I think it's something to think about, but I really think that issue has to be resolved by the reviewers, and I frankly think that's why people don't like PRA. They have to now make decisions, not just follow rules, and that's why the first several cases we have to have a team doing the review, so you have the right expertise there to make people feel comfortable. COMMISSIONER ROGERS: Thank you. DR. SEALE: If I might make a comment, I think in terms of the appropriate, perhaps, applications that might demonstrate the validity and value -- or let's say the value of PRA, the industry has already voted once, in a sense, in . 22 that they identified the pilot topics as being areas in which they felt the expenditures they were making were potentially worthwhile. I think we ought to, as we move along, and as George mentioned earlier, those submittals are in many cases in extraordinarily good shape, require some recasting to satisfy the guidelines, but that we ought to try to handle those as soon as we can in a reasonably expeditious way. I think also the invitation to the industry to propose other candidate areas should be encouraged. Again, I think we have to recognize that in some cases, particularly where I won't say regulatory but financial relief is a candidate, that we have to expect to be in some respects in a reactive position in that the industry is much better able to identify the loads that they consider to be inappropriate or unduly onerous. CHAIRMAN JACKSON: And my understanding is that there is -- that there is work relative to how PRA and the guidance that would come out of these documents might be used in the areas not only of graded QA but with respect to tech specs, technical specifications, inservice testing, and inservice inspections, isn't that correct? DR. SEALE: Yes. DR. APOSTOLAKIS: Yes. DR. SEALE: And those are the things that could . 23 very well be pushed forward. CHAIRMAN JACKSON: Right, and in fact there is activity as far as I understand in moving along that line. DR. SEALE: I think some of the industry people are now kind of waiting for the shoe to drop on submitting 1061 because they haven't seen it. CHAIRMAN JACKSON: Okay, and I think we are going to be getting a briefing from the Staff, maybe it is next month or later this month on the PRA implementation plan -- maybe it is next week -- and I think we are going to get a complete update in those particular areas. DR. APOSTOLAKIS: I don't believe I answered your first question though, Commissioner Rogers, regarding the quality assurance. At one of our subcommittee meetings we had a presentation from the South Texas Project folks and they stated that if they are allowed to do what they propose, they would be saving about $1,300,000 a year, just from that. Now what do you do about it? I mean there is obviously disagreement between the staff and the industry on this and us. We received a letter from the EDO that states that the Reg Guide now has a new version that accommodates some of our concerns but we have not seen it yet. I don't know why we don't go ahead and implement . 24 one of these proposals from the industry. In 1061 there is a clear box there that says that in the decision-making process that the licensee should propose a monitoring program and we have integrated decision-making and everything. Okay. We don't even know what the benefit of QA is. Let's implement the program. Let's have a good monitoring program there and see three, four, five years down the line whether the lack of this quality assurance which is a result for the high safety significant components really makes any difference to the other components, and if it doesn't, then that's fine. We learned a lot. I mean it is not something that is cataclysmic, in my opinion. I don't understand what the big deal is. CHAIRMAN JACKSON: Okay. Commissioner McGaffigan. COMMISSIONER McGAFFIGAN: I'm sorry to extend this part of it -- CHAIRMAN JACKSON: Please. COMMISSIONER McGAFFIGAN: -- but on the issue of benefits to the industry of proceeding down this path in graded QA, inservice inspection, inservice testing, how widespread are the benefits going to be in the sense that how much of industry has good enough IPEs, PRAs that they will be able to take advantage of whatever relief is implicit in these initiatives, beyond the few pilot plants that -- the South Texases, the Palo Verdes, whatever, which . 25 apparently have good PRAs? People have said to me, even PRA advocates, that some of the IPEs are sort of junky, and how widespread will the benefits be? DR. APOSTOLAKIS: Well, first of all, I will answer your question, Commissioner, but the focus of our review of these documents was not, you know, how widespread the benefits will be. We looked at -- COMMISSIONER McGAFFIGAN: Right, I understand. DR. APOSTOLAKIS: -- at philosophy and safety and unnecessary burden, and so on. Now I believe, and again I haven't done any scientific polling on this, but the number of utilities that will benefit in the very near future from these guides is small because it takes a certain sophistication in the PRA area to be able to formulate the request the right way and use the right terms and so on, and have the right approach, but I think it will spread very quickly. It will spread very quickly. One of the problems, I think, is that a lot of the decision-makers in the industry either do not know at all or are not convinced that PRA will be useful to them. I happened to organize a course at MIT last January for mid-level managers at utilities and plants that make decisions, and the subject was how to use . 26 PRA to make decisions, and it was interesting to see how most of them had no idea what PRA could do with them, and then towards the end of the course they could see -- you know, for instance, the importance measures, how they can be used to help them with problems they are facing right now. That doesn't mean that this fellow now is ready to do it tomorrow, because he has to learn and he has to have the organization and so on, so at the beginning it is my opinion, and maybe others disagree, there will be a small number, but if the dollar numbers we are hearing from those expert utilities right now are true, then it seems to me that word will spread very quickly, very quickly. COMMISSIONER McGAFFIGAN: Does anybody else -- let me ask a question. As I understand it, when we implement these various initiatives, we are doing it through license amendments? Is that correct? So we don't get into 5059 space or -- the fundamental issue, you all are urging us to allow for small changes, and that is the direction we may be going if the legal analysis we have asked for buttresses that, but in 5059 space, the plain reading of 5059, if we have to implement any of this through unreviewed safety -- the heart of it is in unreviewed safety questions, is any increase in the probability may result in an increase in probability. That is the Staff's view. We have it out . 27 there. Do you have any thoughts as to if you want to go down this path in making broader use of PRA whether there has to be changes made in 5059 and the definition of an unreviewed safety question in 5059? DR. APOSTOLAKIS: I would let colleagues that have been on the committee longer than me -- [Laughter.] DR. APOSTOLAKIS: -- answer this question. I'm sorry. CHAIRMAN JACKSON: Dr. Kress? DR. KRESS: Since I am the senior member, which really seems strange to me, I can give you an opinion. My opinion is that these are parallel paths, that the 5059 is not affected by this process at all, and this process we are talking about is in the form of a change to the licensing basis -- COMMISSIONER McGAFFIGAN: Right. DR. KRESS: -- and you continue with the 5059 process as it is. You don't need to change the rules in it or what constitutes an unreviewed safety question. You keep that all the same, and that allows the plants to continue making those changes which are allowed within that route. COMMISSIONER McGAFFIGAN: Within the Staff's -- . 28 within the reading of the rule as it has been currently propagated? DR. KRESS: Yes. CHAIRMAN JACKSON: Let me make sure I understand something, and I don't want to be jumping in here but I am jumping in here. You seem to be saying, and I don't want to put words into your mouth, that there are classes of changes that would be within the scope of 5059 that can be left alone. DR. KRESS: That's right. CHAIRMAN JACKSON: But there are other classes of changes that may involve some increases in risks within some margins that should then come to the Commission -- DR. KRESS: -- through this other process -- CHAIRMAN JACKSON: -- come to the Staff -- DR. KRESS: That's what I am saying. CHAIRMAN JACKSON: -- and would be governed then by and guided by -- DR. SEALE: License amendments. CHAIRMAN JACKSON: -- license amendments that would also involve the PRA analysis. DR. KRESS: Yes, exactly. CHAIRMAN JACKSON: I understand. So you are saying that in fact there is a possibility to do a . 29 bifurcation, namely if your plant change can satisfy the reading of 5059, do it -- DR. KRESS: By all means -- CHAIRMAN JACKSON: -- go ahead and do it and you don't have to come in for a license amendment. DR. KRESS: Absolutely. CHAIRMAN JACKSON: But if in fact it may involve a change in risk, you bring it in -- DR. KRESS: Through the other process. CHAIRMAN JACKSON: -- through the other process, the more formalized, to which this kind of analysis can be applied. That's very interesting. COMMISSIONER McGAFFIGAN: And just to follow up on that, the benefit of the reg guides then for somebody coming in under the formal process will be that they will have certainty in advance as to how we are going to look at the change. DR. KRESS: That's exactly right, yes. COMMISSIONER McGAFFIGAN: So that the advances being made through the pilot programs and the reg guides is to define the parameters under which we will typically look at an amendment that involves an unreviewed safety question and involves potential changes in risk. DR. KRESS: That's a very good way to look at it, yes. . 30 COMMISSIONER McGAFFIGAN: Okay. CHAIRMAN JACKSON: That is very interesting. That is a useful clarification, and my understanding is -- I think we are going to need to move on -- that in next week's meeting on the PRA implementation plan we are going to hear more specifically, Mr. Thadani, about where the various pilots stand? MR. THADANI: Yes. CHAIRMAN JACKSON: Okay, so I think that with that we will, if we may, move on to our next topic, and I think it is related. Dr. Kress. DR. KRESS: That's true. It is related. It is a sort of a sub-area within that whole larger, broader area. The topic is about acceptable risk criteria, safety goals, and adequate protection and interrelationships of those things. We see in this process of the 1061 that it was necessary to come up with some quantified level that we would call an acceptable risk. And it seems to be a necessary thing if you are going to really have this type of process which would be risk informed. But our body of regulations and the way they have developed and evolved over time is they are rooted in the general design criteria and the design basis accident concepts and the philosophy of defense in depth. And the . 31 presumption is if we do all of that correctly, you will end up with a plant that provides adequate protection which, to me, really boils down to adequate protection as we now know it is compliance with all the rules and regulations and commitments. It is not a quantified level of risk. Well, that is a concept that has served us well, has worked very well. I think it has resulted in plants that do provide adequate protection but it is not a very useful thing in a risk-informed concept like we are talking about now. You really do need to quantify this thing we call adequate protection or acceptable risk. I will use those interchangeably. The safety goals are an expression of what we feel like is how safe is safe enough. They are posed in risk terms and it was our opinion that one has two options. They could decide if you want to quantify what we call an acceptable level of risk, one could just automatically select safety goals because they have already been an expression of what we say is how safe is safe enough. Or one could try to quantify what we mean by adequate protection. That is a difficult process to quantify that. It is our feeling that it is a risk level that is higher than the safety goals and the reason we say that is that since any plant out there that is licensed and operating by definition meets adequate protection standards. . 32 Then the plant that has the highest level of risk puts a bound on that. We think there are plants that are both above and below the safety goals. So it is our opinion that adequate protection, if it were to be quantified some way, is above the safety goals. Our choice, our recommendation for picking a value to use in this new process of risk informed for acceptable risk favor is the safety goals, which get you below adequate protection level and is a quantifiable level that we can deal with. CHAIRMAN JACKSON: What would that then do to plants that are above that? DR. KRESS: At the present time we are not talking about enforcement. CHAIRMAN JACKSON: So you are talking about as a pattern. DR. KRESS: We are talking about decisions on the acceptable changes to the licensee basis. Now, I think in the long run, one would like to view the safety goals as a replacement for adequate protection and one would like, in the long run, to actually enforce that. I think we have a great deal of difficulty with that because of backfit rules and -- CHAIRMAN JACKSON: But let me make sure I . 33 understand where you are. Again, I am going to paraphrase it and if I am doing it wrong, you tell me. DR. KRESS: You do it much better than I do. CHAIRMAN JACKSON: I doubt that. You were saying at this stage of the game, de facto, the fact that we are allowing plants, the universe of plants to operate, means that we have said they provide adequate protection that is adequate. DR. KRESS: Clearly. CHAIRMAN JACKSON: So then if one wants to look at the safety goals and you use it for decisions on what constitutes acceptable changes to the licensing basis, what you are really then saying is if the safety goal is where we want to place that threshold that while there are plants that are currently allowed to operate that are above it, that if they wanted to change their risk profile they would be more constrained than plants that are currently below it? DR. KRESS: Very good. CHAIRMAN JACKSON: Is that what your basic point is? DR. KRESS: Absolutely. CHAIRMAN JACKSON: I want to be sure I understand. DR. KRESS: Very well put. So we are safe, I think, in using the safety goals as an acceptable risk criteria but these are expressed in . 34 terms of prompt fatalities and latent cancer deaths which does require a level three PRA. There is no way around that. You cannot determine those things without level three PRAs. To use a level three PRA in this concept of risk- informed acceptable changes is a bit awkward, to say the least. It is not very -- it doesn't really focus one's attention on the plant features and the things that are safety significant. So it would be much better if one could have more tiered criteria, such as the core damage frequency and the conditional containment failure probability. But still be within the confines of the QHOs. In our December meeting, I said that was entirely a possible thing to do, to derive these lower tier criteria directly from the QHOs. Well, you pinned me down and said, all right, when can we see that and, being the eternal optimist that I am, I say within a few weeks, I think is what I said. Well, we are now, with our recent letter of April 11, we are providing that to you. I must say, though, in my defense that I did have it ready within a couple of weeks. We are, however, a committee. CHAIRMAN JACKSON: You just had to propagate it? DR. KRESS: That's right. CHAIRMAN JACKSON: So if the values are derived from the prompt fatality QHOs, how much would the core . 35 damage frequency or large early release frequencies change from site to site? Do you know? DR. KRESS: I don't know because I haven't done that yet, that exercise. CHAIRMAN JACKSON: Can you do that for us? DR. KRESS: I can, yes. In the attachments to our letter, we provide a technically sound, rigorous way to do that. CHAIRMAN JACKSON: To do that? Okay. DR. KRESS: In fact, as you could understand, it does have to make use of level three information but, fortunately, there is enough level three information out there to be able to do it without having to go back and do level three for every plant. In fact, one of the attachments was a very nice analysis made by our senior fellow, Rick Sherry, which gives a way to estimate the level three consequences based on site-specific characteristics, which is a very nice piece of work. That alone with the process I recommend for deriving the lower tier criteria from the safety goals should be very useful to the staff in this whole process of determining risk acceptance criteria in terms of core damage frequency and LERF or conditional containment failure probability. CHAIRMAN JACKSON: Commissioner Rogers? COMMISSIONER ROGERS: Well, this has been a topic . 36 of real interest here for a long time of how do you deal with the fact that the safety goals are founded on level three PRA results and there are different circumstances at each plant that have absolutely nothing to do with the plant design or operation. They are where it is and what the meteorological conditions are nearby and all this sort of thing. I have raised the question in the past, and it has always sort of led down a path that goes to nowhere and that is could one have a kind of standard location, population distribution and so on and so forth of some sort that more or less bounds whatever exists with our current level, our current plants, and then just say that is the one you are going to plug in when you go to look at effects of changes in anything else in the plant. You know, if you want to then take the next step of applying those, the effects to health effects, that then you would have a standard population distribution, so on and so forth, that you would always balance it against to see what the effects were. Apparently, somehow or another, that never seemed to be doable. I think we have talked about it occasionally in the past. In effect, it seems to me that when you go to surrogates for the health effects, you really are doing something like that, aren't you? Because you are not . 37 looking at the health effects, you are going to just ignore them and therefore you are going to create something else which stops short of the health effects but you are willing to accept and, in a sense, it seems to me philosophically that is about the same thing. I wonder, it doesn't have a quantitative health effects -- you don't get a quantitative health effects number out of it, you stop short of that. Wouldn't it be still nice to be able to do that? DR. KRESS: It would be. But let me -- let me tell you about two attachments. They actually do quantify the health effects. It is a way to do it on a simpler -- it is approximate but it is a very good approximation. It makes use -- COMMISSIONER ROGERS: But it still would be site specific? DR. KRESS: It would be site specific. It makes use of site specific population parameters, site specific meteorology. And so it is a way to do a level three in a much simpler, much, much simpler. And you can back out of that in site specific values that you would use for a LERF or a core damage frequency and conditional containment failure probability. That would be site specific. You would have a different value for each site to meet the safety goals. . 38 I am not sure, that would be one way to go. It may be a little awkward because you have a different set of criteria for each site. Another way to go would be to take the site that bounds these two things and use that as your criteria and you know you are safe with all others then. The staff has chosen to do this latter at the moment, to take a bounding. While the problem there was they chose a number of sites and evaluated them to get this bound, they didn't take all sites. I am not real sure -- CHAIRMAN JACKSON: They told us a complete bound. DR. KRESS: Yes, I am sure it is a complete bound. I am not quite sure that their process of backing into the CDF and the LERF was as rigorous as the one we are recommending in our attachment. But they did a good job with that. They did it right. Their option right now is to use a bound, which I think is good because it gives you one set of criteria and you don't have to deal with each individual site that way. CHAIRMAN JACKSON: Dr. Apostolakis. DR. APOSTOLAKIS: Yes, I think it is important in this discussion to bear in mind that the committee is on record recommending that the core damage frequency be elevated to a fundamental objective level and be independent of a site, independent of everything else. And the value of 10 to the minus 4 for the reactor year we thought was a . 39 reasonable number because it is not just the health effects of the accident that are important but the fact that you have had something, a serious thing, is very important. So that is something we want to prevent. In fact, if you work backwards, we are talking about LERF here, you end up in some sites with a core damage -- acceptable core damage frequency which is higher than 10 to the minus 4 per year and we felt, as a committee, that we don't want to live with that. So the whole discussion really concerns LERF only. CHAIRMAN JACKSON: Commissioner McGaffigan? COMMISSIONER McGAFFIGAN: Pardon my skepticism about this stuff but on PRA, I have had discussions with various folks including at the reg info conference. CHAIRMAN JACKSON: Commissioner McGaffigan and I are going to write a PRA paper. COMMISSIONER McGAFFIGAN: Yeah. People tell me, and you correct me if I am wrong, that -- or they are wrong, that PRAs can be pretty good at looking at incremental changes, when you make a change, but, you know, people tell me not to believe core damage frequency numbers to better than an order of magnitude and sometimes people correct me to two orders of magnitude. So when you are talking about, as I say, I understand that they may be very good at looking at . 40 incremental changes but given the fact that you at the outset, Dr. Apostolakis, said that there are things that they model well, don't model at all, why should I believe this stuff when we start talking about them as if you can calculate to 1.33 times 10 to the minus fourth? CHAIRMAN JACKSON: That was my whole point about uncertainty. COMMISSIONER McGAFFIGAN: Uncertainty. No, I agree. DR. KRESS: Go ahead, George. You were just asked. DR. APOSTOLAKIS: I think this is the -- we have to get away from statements like PRA is good, PRA is no good, PRA does this, PRA doesn't do that. PRA deals with the whole plant, it is not just a computer code doing one thing. Certain things PRA does very well. In fact, the level one PRAs are pretty good. They capture a lot of important things so I would trust them, you know, when I make decisions, depending on the decision. I think we should talk about specifics. If we talk about, say, human error and human actions recovery and so on, then I would be a little more skeptical. Maybe I can bound the number but I wouldn't really believe a distribution that somebody gives me right now. . 41 Then this issue of design errors, organizational issues and so on. But, in my opinion, just because I don't model the organizational plant, does not reject the whole approach. So that's why it's really important to understand what is modelled, what is modelled well and what is not modelled, and then depending on the context of the decision, you know, make a decision. You know, there may be decisions where what you are saying is absolutely right. I don't believe the numbers because this affects something that is not modelled there, but I believe the industry also believes this. We can make very good decisions at the Level 1 PRA. COMMISSIONER McGAFFIGAN: But if I just look at core damage frequency -- DR. APOSTOLAKIS: Yes. COMMISSIONER McGAFFIGAN: -- when I get a number for a plant on core damage frequency, to what order of magnitude should I -- is that -- CHAIRMAN JACKSON: It depends on the model. COMMISSIONER McGAFFIGAN: Should I assume that number is correct? CHAIRMAN JACKSON: It depends on the model. COMMISSIONER McGAFFIGAN: Okay. DR. APOSTOLAKIS: I think it depends on who did it . 42 and also it's not really a number. I mean they have to give you a distribution. COMMISSIONER McGAFFIGAN: A distribution, yes. DR. APOSTOLAKIS: A distribution. Now some of the better PRAs -- it's really hard for me to see how the distribution or the upper end of it would really shift too much to higher values because we have missed something. We have been doing this now for over 20 years and I don't think that we have found things like in the early days, of course, the reactor safety study dismissed external events, then the industry came back with the Zion, Indian Point PRAs and said, no, fires and earthquakes may be significant contributors. You don't see that anymore. You don't see these quantum leaps anymore. Now, you know, we are sharpening the pencil here and there -- COMMISSIONER McGAFFIGAN: See, the thing that strikes me, at least some have told me that when you make an incremental change you can understand the effect of the incremental change even if the whole distribution may be off a bit because perhaps human performance is going to be the same whatever -- you know, whatever test you are going to do or whatever other change you are making in the plant, so differences are oftentimes easier than knowing the whole curve. . 43 Is that not correct? DR. APOSTOLAKIS: I don't think there is a correct -- CHAIRMAN JACKSON: Could I address -- DR. APOSTOLAKIS: Let me just say what I feel about it. CHAIRMAN JACKSON: Okay. DR. APOSTOLAKIS: I have never believed that that was a rational approach. That was my personal opinion. I think the absolute number -- CHAIRMAN JACKSON: Dr. Kress's comment is going to be the last word because we are not going to be able to get through the agenda here. DR. KRESS: I would like to express an opinion on this delta risk versus the bottom line. A PRA basically integrates the risk contributions from a lot of things. CHAIRMAN JACKSON: That's right. DR. KRESS: It adds them up and if you could take the derivative of that integral, you would have a set of partials added together due to each of these contributions. Those partials are -- you can better define those partials. You can narrow down the uncertainties in each of those partials. The uncertainties in the sum of all of them get very large. . 44 Some of the partials are different than others, so it depends on the nature of what increment you are talking about, but in general the incremental risk that you determine due to the change is much more precisely known than the bottom line, and that you can take as a given, and it is easier to deal with those, but they still have uncertainties in them and it will be a variable uncertainty depending on which type of increment you are talking about. CHAIRMAN JACKSON: Dr. Seale. DR. SEALE: Thank you. The next topic is the proposed regulatory approach associated with the steam generator integrity issue. I think I will try to expedite this a little bit and see if we can get a little bit back. I do this in part because we still haven't heard the final word from the Staff on what they are going to come down with. We have a pretty good idea of what they are going to have on that issue. In any event, I do have to confess that back in 1994, which shows the time constants on some of these things, we were a party to the decision that, or at least we concurred in the decision to go to rulemaking on the issue of steam generator tube degradation. In the interval we have had numerous discussions with some of the Staff on some of the details in developing their approach to those issues in much the similar manner to . 45 Dr. Apostolakis's earlier reference to the work in the PRA area. As a result, when in November of this year, of this last year, we finally got a look at the proposed rule and the associated Reg Guides, it was not a complete shock to anyone that we had some serious reservations about some of the things that were there, and all of them really revolved around the problem that there was an inability to identify a risk evaluation methodology that wold allow you to take test data and come up with an assessment of risk due to indicated degradations in tube integrity that would allow you to justify continuing those tubes in service rather than going to the plugging strategy which has been the classical way of handling that problem. There were specifics that went along with that difficulty, that is -- that grew out of it, but perhaps the most significant thing was that the rule wound up or the proposed rule wound up being an admittedly performance based regulation but it had very little in the way of risk objectives or risk information in helping or in justifying those performance -- CHAIRMAN JACKSON: So in that sense it diverges from what the approach is in the -- DR. SEALE: Sure. CHAIRMAN JACKSON: -- relative to what we have . 46 just been talking about with ISI and IST -- DR. SEALE: Right. CHAIRMAN JACKSON: -- and so forth. DR. SEALE: Exactly. Now there were a few other things there but we also make the point that there was an outstanding generic issue and a differing professional opinion that had to be cleaned up in this process as well, and I won't go into all of the details there. But then in January we got a -- we sent a letter to the EDO in which we reiterated our concerns that we had expressed in our November letter and also brought up a few specific issues that members had identified having to do with things like the risk due to thermally-induced tube failure and severe accidents. There you get into severe accident space when you are supposedly more interested in -- or limited to design basis accident considerations. The Staff was then asked to go back and look at those issues in coming up with -- or to consider them in coming up with their rule. We met again with the Staff in March, and they outlined to us what they proposed to be their approach, which would be to look at an alternate way of doing things, basically to not go to rulemaking but to go back to essentially the previous approach with some enhanced -- . 47 well, I'm sorry, to use the current regulations and then also recommend a PRA implementation plan as a framework for coming up with any alternate proposals for regulating the steam generator tube issues. One of the things that we notices was that the -- or we commented on was that we felt that the 1061 approach to PRAs was something that should be applied across the board wherever you did PRAs and that wasn't evident in the first suggestion of the rule on the steam generator, on the proposed changes in the steam generator rule. We suggested that if they are going to use PRA they ought to be consistent with 1061. CHAIRMAN JACKSON: Well, given that, let me ask you a question then. So from your understanding, given everything you have said of the revised or current approach, would that involve then relaxations in the current tech spec air criteria? DR. SEALE: Not really. What we really understand now is that the proposed approach will be to use a generic letter to separate the compliance issues from the voluntary inspection issues or approaches that the utilities might use, and that if they do any risk assessment that they will base it on the criteria, the approaches set forth in 1061. The performance criteria for structures, operational leakage and accident leakage criteria are . 48 essentially consistent with what they have now, and essentially the structure criteria meet the ASME Code requirements, as we have talked about. The probabilistic conditional probability for rupture of one or more tubes is a scale going from five times ten to the minus two for one or more tubes to ten to the minus three for more than ten tubes. Spontaneous rupture is less than five times ten to the minus two per reactor year. These are criteria that are set forth in NUREG 0844. There is a history of success, if you will, with these criteria, and we think that is probably the appropriate approach to use. CHAIRMAN JACKSON: And so how do you say that squares with the approach that is being promulgated in the PRAs? DR. SEALE: Where they do use, where they come up with alternate approaches based on risk assessment, that that risk assessment should be done in a manner which is consistent with 1061, and in those risk assessments there are proposed performance or levels of allowed frequencies -- a thermal challenge frequency, as it is called, for high temperature tube -- for high temperature and elevated differential pressure failures of less than ten to the minus six per reactor year and these approaches then appear to be . 49 acceptable to us. We haven't gotten the final documents from the Staff, and we will be looking at them in the very near future. It's more of a progress report as to where we are. As I said earlier, went into this with some expectation that a risk approach would be feasible. We haven't been able to find -- we understand that the Staff hasn't been able to find, to come up with a delivery on that at this point. CHAIRMAN JACKSON: Are there any particular risk insights that did come out of the Staff's work on the assessment of severe accident induced steam generator tube ruptures that informed -- DR. SEALE: Well, I wouldn't call it an insight, but I would call it a signal as to a concern that we may find ourselves addressing more an more often, and that is that this was one case where what has been an issue that was strictly in design basis space intruded over into severe accident space in the context of the tube rupture problem as a result of a large break LOCA blowdown, and the whole question was exactly what the sequence of events were in the load so as to what would fail and in what order and so on. That brings up a question then as to whether or not in looking at these risk assessments that may be appropriate, when you do protrude, if you will, into severe . 50 accident space, what is going to be the response to that? Are you going to look at those limited concerns on severe accidents or are you going to rule them out of bounds? It is a policy issue that we may well have to face. And I think that's the most serious, well let's say a problem that you may very well be concerned with. CHAIRMAN JACKSON: Commissioner Rogers. COMMISSIONER ROGERS: No questions. CHAIRMAN JACKSON: Commissioner McGaffigan. COMMISSIONER McGAFFIGAN: No questions. CHAIRMAN JACKSON: Okay. I think we'll go on. DR. SEALE: Our next speaker is Dr. Powers, and I think you'll find his issues very interesting. DR. POWERS: I will speak to you a little bit the informed portion of risk informed and performance based regulation. I think you're well aware that when we speak of power operations that the NRC is superbly informed -- CHAIRMAN JACKSON: Speak a little more into the microphone. DR. POWERS: And has a tremendous expertise in the risks of power operations. It is, after all, a technology that the NRC developed. It's one that they've nurtured now for two decades. They've honed it with their own analyses, and they've honed it by seeing what the industry can do with it. . 51 There really is no comparable expertise on the risks associated with nuclear power and other modes of operation. Those are the low-power and shutdown modes of operation. There have been some scoping studies of what kinds of risks arise during shutdown and low-power operations, and what these scoping studies have shown us is that even when you spread the risks of shutdown operations over an entire calendar year, you still get results that are comparable to the risks you have during power operations. What you conclude from that is that the conditional risks of shutdown operations must be relatively high compared to the conditional risks during power operations. What we also know when we look at the records and operational experiences that we have incidents taking place during shutdown and low-power operations. The analyses that have been prepared for us for the AEOD show that over 50 percent of all the augmented inspection teams that have been sent to plants by the NRC are to address incidents that have occurred during low-power and shutdown operations. Some of these incidents are relatively serious. We have entered them into the ASP program, and find that they do have very high conditional core damage probabilities. We're concerned that this situation may actually get worse, that there are economic pressures on the industry, and they're responding by attempting to shorten . 52 the periods of shutdown operations. They still have the same work to do, so they're being asked to do more in shorter periods of time, and they may be trying to do it with fewer people or less-experienced people. At the same time, the industry is interested in decreasing the frequency that it has shut down for refueling and the like. That means there are fewer opportunities to test and exercise these procedures and practices they have during shutdown, and of course that is the prescription for having an increased error rate. We do find that the operators are under enormous pressures during shutdown operations because there are multiple concurrent evolutions taking place in the plant. It is a very harassed period of time. What ACRS has written to you and it has recommended that the NRC needs to develop an understanding concerning shutdown risks that's comparable to the understanding that it has during power operations, that the ACRS understands that this is a very big undertaking, the technology is not nearly as well developed for analysis of low-power and shutdown risks, and that the NRC will have to undertake a development of that technology including a development and understanding of what the success criteria are for shutdown operations. We think you need this understanding as you embark on this route toward risk-informed regulation. You need . 53 this understanding of risks not because it poses some great benefit to the industry, because what it does is allow you to focus your regulatory actions on those areas that will be truthfully risk-significant. That was essentially the substance of our letter. I do hope it was clear. CHAIRMAN JACKSON: Now do you feel that we have an adequate base experientially, or as you -- in terms of the technology on shutdown risks, PRA's to support ongoing rulemaking activities? DR. POWERS: To support ongoing rulemaking activities on shutdown risk, I don't think you have a risk intuition in this area. I don't think you can cast your rules in a quantitative risk framework. We've been making risk-based rules since this agency was formed, but to make it quantitative, our arguments have a quantitative understanding of the risks during shutdown operations, I don't think you have the technology or the information base to do it right now. Even our scoping studies -- they're quite frankly out of date -- the industry understands that this is a problem area for them, and they've instituted practices that our scoping studies have not reflected. They weren't in place at the time the scoping studies were done. So if I distinguish between a quantitative understanding of risk and a qualitative understanding of . 54 risk, no, you don't have a quantitative understanding of risk to base your decisions on. CHAIRMAN JACKSON: Is that broad-based, or does it relate to, you know, areas of large uncertainty like fire? DR. POWERS: In fire or -- you're speaking of fire in general or fire during the shutdown? CHAIRMAN JACKSON: During the shutdown. DR. POWERS: Fire during shutdown is as big problem. CHAIRMAN JACKSON: Right. DR. POWERS: As you know understanding the risks there we quite frankly don't have a good technology for doing fire in a quantitative risk framework, period. And it's no worse nor better in the shutdown operations. CHAIRMAN JACKSON: Okay, well I guess what I'm really trying to ask is that relative to shutdown in particular -- DR. POWERS: Um-hum. CHAIRMAN JACKSON: Is the effort better focused in areas such as fire risk? DR. POWERS: Oh, you're saying you can't do it all, let's do part of it, and maybe fire is a good place to do part of it? CHAIRMAN JACKSON: I think maybe it is. I'm asking. . 55 [Laughter.] DR. POWERS: Is it? I think if you look at the history of incidents, no, the problem is the evolutions in the plants -- CHAIRMAN JACKSON: Okay. DR. POWERS: Multiple concurrent activities leading to incorrect valve lineups, incorrect -- conflicting actions where you're having maintenance activities going on in a system that interfaces with a system that you're operating on. I don't think fire is where I would focus my efforts if I had to do a partial job. It's in the multiple concurrent evolutions, and I would pay particular attention to human performance and human error probabilities during these really intense activity times. It's very different than what we're used to in analyzing operator performance under a highly proceduralized single evolutions when the plant is at power. CHAIRMAN JACKSON: Okay. DR. SEALE: You essentially give time because of default trees. CHAIRMAN JACKSON: Yes. DR. POWERS: Yes. DR. SEALE: We don't know what -- CHAIRMAN JACKSON: Right. Right. DR. SEALE: I think we know what to do. We just . 56 need to learn how to do it. CHAIRMAN JACKSON: Yes. Commissioner Rogers. COMMISSIONER ROGERS: Just on this question of the coupling of low-power and shutdown operations. It seems to me that maybe the low-power operations really can be dealt with, I don't know, but within the general framework of operations, and any specifics with respect to low power could be focused on and maybe dealt with more simply. Shutdown is, it seems to me, a really different situation. You have a lot of different people in the plant, you know, it is a very different situation from any kind of power operation. DR. POWERS: I think in any strategy for developing a PRA, for attacking a PRA during the low power and shutdown operations you would really seriously think about taking your technology for power operations and evolving it into the lower power operation, I think you would think about redesigning your technology for shutdown. I'm sure that's true. I think we have got to take the steps to start doing that because this really is occupying an awful lot of the agency resources and if the benefits that we need to think about from PRA are not the benefits, the economic benefits to the industry and what-not, it's the focus of our regulations on the places where they have impact, then, my . 57 goodness, here is -- half of our risk is here and we need to focus. CHAIRMAN JACKSON: Commissioner McGaffigan. COMMISSIONER McGAFFIGAN: Do you have any idea of the cost of pursuing a research program to get us to the place you would like us to be, and also the time over which we would need to pursue that program to get to where you want us to be? DR. POWERS: There is probably an integral cost and you probably have a cost-time tradeoff here of some sort. The ACRS tried to be explicit in saying this is not something you can do in a slapdash fashion. You need to take the time to develop your program. I think in our discussions on that, we felt that resolution in this area to the point that you could have something comparable to an analysis of a set of representative plans. You were talking about a period of no less than five years -- some fraction of that in technology development and some fraction of that in the actual conduct of the analyses. We thought it would be a mistake to try to cut corners at this relatively immature level in our understanding, especially of the shutdown aspects of it. . 58 I think Commissioner Rogers is absolutely right. We might be able to evolve into the low power operations with a few clever analysts but the problem is you have to redefine success criteria for the shutdown sequence, because it is during shutdown you are very likely not to have safety systems. You are very likely to have the containment open to the outside. CHAIRMAN JACKSON: Is it worthwhile to have a focused research program -- DR. POWERS: I think you need one, yes. CHAIRMAN JACKSON: You have to have one? DR. POWERS: I think it is one of your high priority issues right now. COMMISSIONER McGAFFIGAN: And again, how many millions of dollars per year would be -- approximately -- DR. POWERS: Well, you know, if you stretch it out to seven years, you probably reduce the million dollar per year by some fraction but it is -- it is not a linear problem. COMMISSIONER McGAFFIGAN: It's on the order of a million dollars per year, isn't it? DR. POWERS: No, I think it's more on the order of two million dollars -- COMMISSIONER McGAFFIGAN: Two million dollars per year. . 59 DR. POWERS: -- is your minimum effort. I think if you go any less than that and you are just making no progress. I think you need -- CHAIRMAN JACKSON: What you want to do is you want to stoke your research program -- DR. POWERS: Right. CHAIRMAN JACKSON: -- then you dollar-load it -- DR. POWERS: Amen. Find out your needs first. CHAIRMAN JACKSON: Find out your needs so you can stoke it the right way. DR. POWERS: Yes, absolutely. Too often we are designing research programs on what we can do now rather than what we ought to be doing. CHAIRMAN JACKSON: That's right. I think we should go on. DR. SEALE: The next speaker here is Dr. Miller on the status of our review of the National Academy report. DR. MILLER: How much time do I have? CHAIRMAN JACKSON: Three minutes. DR. MILLER: Three minutes, okay. [Laughter.] DR. MILLER: I will skip a lot of things then. As you know, four years ago this committee initiated a study by the National Academy of Science to . 60 evaluate the situation with digital INC. That committee unfortunately didn't start their action until January of '95 and gave their first Phase I report in September and there they identified eight issues of importance and significance and which are listed in your briefing book and I'll not repeat here. The ACRS in October did agree that those issues were amongst the key issues that would be helpful to digital INC in the future. The Phase 2 report, which again the charge is listed in your briefing book and I'll skip that, began at that time and they submitted a written report in January of 1997 on those issues that they identified previously and then we had a presentation and I would say, characterize it as quite valuable dialogue with that committee in March of '97. During that meeting in March of '97, which is now just a couple months ago of course, there were a couple of other issues that came up which I thought were quite valuable introduced by individual committee members during the course of that discussion. Of course, the Phase 2 report then came up with 39 recommendations on those eight issues, of which the Staff has gone through those recommendations in some detail and I have also had the opportunity of going through the Staff's . 61 disposition of those. The Staff agreed with 34 of those recommendations quite clearly, in fact has even implemented a portion of one of those into the Standard Review Plan. I'd comment that during this time the Standard Review Plan was being updated to incorporate the framework of digital INC -- these things were going on in parallel, which was probably a plus or a minus, whichever way you want to look at it. And I have gone through the disposition. Now I have to say one caveat here. The ACRS as a committee has not reached consensus on this report. We have had some debate and so forth and there are certain areas where we are going to have to reach consensus in a subcommittee meeting in late May. From my point of view I agree with the Staff's disposition on all but one of those recommendations and I had good dialogue yesterday with the Staff, and I think we are coming to bring closure on even that one. As a consequence, we will have a meeting in May and we are going to address a number of issues including the Standard Review Plan. There will be several issues coming out of this report and I'll just list those, the kind of issues we are going to be dealing with in May. One of them is Generic Letter 95-02, which . 62 provides guidance on 5059 for digital upgrades. The second is the difference between analog and digital systems, specifically in sampling and also memory-sharing. The third is a comparison of what the Staff is doing with a couple of guidelines that were introduced in that report, and that is the FAA guideline and also the guideline that has been developed by the Canadians. The next one is Staff capability. In my view, the Staff Headquarters capability is quite good. I think that is a substantial change over the last several years at least, in that they are quite good today. There is a plan to expand the capability into the regions and I think we need to review and make certain the plan is being executed in a reasonably timely fashion. The last issue is one that probably has provided the most dialogue amongst the ACRS at least, and that's the balance between the guidance provided for the development process of software versus the final product testing or product evaluation. In order to facilitate this committee reaching some consensus on that, during the meeting in May the Staff has promised me that they will provide a very good tutorial through example on how they would implement the Standard Review Plan along with the guidance provided by this National Academy report to look at the balance between those, the process of software development and the final . 63 product evaluation -- so that will be an interesting meeting in late May and it promises a lot of interesting discussion amongst this committee in trying to reach consensus on that issue. To summarize, and I think we have consensus on this following statement, the impact of this study, we don't believe the findings of the Phase 2 report will lead to any substantial change in the regulatory framework which is being codified in the Standard Review Plan update for digital INC. This framework does speak to the major areas of charge for the Phase 2 report, and that's the areas of criteria for acceptance of digital INC and also the guidance of regulating advanced technology such as digital INC, so that was the charge of the committee but in the sense of the framework being developed it addresses that charge. I would say in my view that some time in June or thereabouts we will have a framework which will put us in a position where the regulatory framework and I think the Staff is moving towards they will have the capability of implementing that framework. It will not inhibit the use of advanced technology in INC systems in nuclear power plants in the next several years, and I am looking forward to seeing a lot of INC with advanced technology going into the power plants over the next several years. . 64 CHAIRMAN JACKSON: Let me just take -- DR. MILLER: That's all I have but that's a lot of information. CHAIRMAN JACKSON: The National Academy's report concluded that there are no generally accepted evaluation criteria for safety-related software. Question -- are you saying you agree or disagree, and if the agree, then the question is on what basis are guidelines and standards set? DR. MILLER: Repeat that first part -- CHAIRMAN JACKSON: On page 76, Conclusion 1 of the report -- DR. MILLER: Right. CHAIRMAN JACKSON: -- the National Academy report, the conclusion was that there are no generally accepted evaluation criteria for safety-related software. Do you agree? Does the committee agree or disagree with that conclusion? DR. MILLER: I would say we agree, yes. CHAIRMAN JACKSON: Okay, so if you agree, then what is the basis for the development of our guidelines, our own guidelines and standards? DR. MILLER: When they stated that, I think they stated it in the sense that they could not guarantee the software would be reliable, but I think in the context of . 65 the software within a total system, I think that criteria is available -- the total system meaning hardware and software together. I think the National Academy study and I think pretty much this committee would agree that as long as you look at software in the context of hardware and it's the total system, I think the criteria is there. Now other members of the committee may want to speak to that issue. CHAIRMAN JACKSON: Yes. Dr. Apostolakis? DR. APOSTOLAKIS: I think the fundamental basis for the development of the guides we have seen or the proposed guides is that if you control the process of development of software you will get a very reliable product and the Academy does not seem to think that this alone will do that. I think that is the heart of the issue here. As Dr. Miller said, this is something we are still discussing among ourselves and the Staff will come towards the end of May to educate us a little more about this, but this is the fundamental thing. It is done in other industries but I think there is a fundamental difference. In other places where they control the process very well, they have a better understanding of the failure modes of the product, so they . 66 know what to control. CHAIRMAN JACKSON: Are you telling me that the committee has not come down with a position on whether controlling the process of software development gives you the reliability you desire? DR. APOSTOLAKIS: That is correct. DR. MILLER: Yes. CHAIRMAN JACKSON: And is still under consideration? DR. APOSTOLAKIS: Yes. DR. MILLER: It is my view, and I say I am not certain where the committee is yet on this, that the Staff has provided the guidance necessary for reviewers to look at the final product and review that final product and its testing of that final product. CHAIRMAN JACKSON: But that guidance is referenced to controlling -- the control of the process for the development of the software. DR. MILLER: Also, the guidance has product evaluation. DR. APOSTOLAKIS: Testing. DR. MILLER: More particularly, testing of the product, and that is spelled out in a Branch Technical Position, which happened to be Number 14. CHAIRMAN JACKSON: Right, but the surrogate test . 67 for reliability is the test of the control of the process for software development? DR. APOSTOLAKIS: That is the primary emphasis, I believe, right now, yes, but there is also test of the computer program itself. It's part of the process. DR. KRESS: I think that you are absolutely right though. There is no way to take a piece of software and say how reliable is this piece of software in doing the job that I am asking you to. You cannot do that, and -- DR. MILLER: But with regard to the total system -- DR. KRESS: You can't really do it in the total system because the software is a part of it and you have to add that part into it, so you cannot do it. The technology does not exist and I think there is no recourse other than to rely on what process -- controlling the process. You have to do it and you are doing it on faith. There is no way after the fact to say this process results in a reliable -- you have intuition on it, you have judgment, but it is faith and that's where we're at. CHAIRMAN JACKSON: Is that consistent with the way the FAA does it? DR. KRESS: I'm sorry, I don't know how the FAA does it. . 68 DR. MILLER: We are going to get an evaluation of the FAA guideline but I believe they follow the same approach generally where you have high control of the process. I want to say that quality control of a process is not different than what we have done in the other areas. We have high quality control of the process of development -- CHAIRMAN JACKSON: I just want to make sure I understand where we are here. COMMISSIONER ROGERS: I don't have any questions. COMMISSIONER McGAFFIGAN: One of the recommendations that the Staff rejected consistent with their interpretation of 5059 was that we loosen up on what an unreviewed safety question is and allow the small changes in risk. Are you in agreement with the Staff's rejection of that recommendation? You said you were largely in agreement at this point. DR. MILLER: I don't want to use the word "disagreement" -- I believe that further clarification of the generic letter in the area of system level definition can be done to facilitate our use of digital INC. I think we can do that. I had a good discussion with one Staff member . 69 earlier this week on that issue. The other issue is defining the difference between simple and complex digital upgrades. I believe the Staff is going to do that in the form of developing some guidelines on use of PLCs. COMMISSIONER McGAFFIGAN: My only comment to you, and this might be future work, but if we get into rulemaking and so on in 5059, which we may well, following whatever comments we get on the Staff paper, this might be an area where you all may want to look at the interaction between the change and the rulemaking and the changes proposed in the rulemaking and what you want to accomplish in digital instrument control. DR. MILLER: Well, I have -- how do I put that? Of course, the ACRS spoke out on that issue already but I have some concern about what I saw in that potential rulemaking relating to digital INC. We will definitely be following that issue, as you probably could expect. Does that -- CHAIRMAN JACKSON: Okay. I think we should move along. DR. KRESS: Okay. The next on our agenda is Dr. Apostolakis, so George, I'm just going to ask you to hold it to three minutes. CHAIRMAN JACKSON: Three minutes. . 70 DR. APOSTOLAKIS: Okay. Actually, there is no issue here now because we said we didn't like that plan and the Staff relied that we don't like it either, so I understand they are working on it now and they will come back to us maybe towards the end of June, early July. CHAIRMAN JACKSON: Are you going to be reviewing it prior to June or are you going to wait till the end to take a look? DR. APOSTOLAKIS: We plan to let the Staff know that we would like to do this the way we did the Regulatory Guides that were just released and preliminary reaction from the staff is positive that they would like to come back to us. CHAIRMAN JACKSON: How did you do it relative to the guides that were just released? DR. APOSTOLAKIS: Oh, we had very frequent -- CHAIRMAN JACKSON: In process? DR. APOSTOLAKIS: In process, right, because they people are not defensive, you know, it is easier to argue, so I hope we are going to do this here too, so -- CHAIRMAN JACKSON: I have some questions. DR. APOSTOLAKIS: Okay. CHAIRMAN JACKSON: Have their been any lessons learned from the human reliability modelling performed as part of the IPEs? . 71 DR. APOSTOLAKIS: IPE? Yes. The state of-the- art is in mess. I think that was the main message. CHAIRMAN JACKSON: All right. What kind of database does the Agency have for human errors? DR. APOSTOLAKIS: Oh, we have a lot of incidents -- CHAIRMAN JACKSON: Is it a usable database in terms of modelling within this kind of framework? DR. APOSTOLAKIS: I believe the models that are being developed now, yes, they draw on that database. CHAIRMAN JACKSON: And how well is the human performance work coordinated across as well as within offices? DR. APOSTOLAKIS: Do I know that? [Laughter.] CHAIRMAN JACKSON: That's an opinion obviously by their facial expressions. DR. SEALE: That's part of the problem with the plant. DR. APOSTOLAKIS: The plant had a major problem with that. There was no coordination. Now I don't know whether the research, the ongoing research projects have that problem too, especially Athena -- I have no idea. CHAIRMAN JACKSON: Maybe that can be spoken of in . 72 the context of next week's meeting by the Staff. Okay. DR. SEALE: Okay. We have one last presentation and then I'll have a couple comments at the end. Dana, would you like to mention our letter to Congress? DR. POWERS: Well, let me just be very brief and say that we are by statute required to report to Congress on the state of reactor safety research. We have taken that task very seriously lately because we think the state of research is declining. There is a perception the industry has become static and all the problems are solved. We, on the other hand, see an industry that is about to go through big changes. The NRC needs a research program. It served it well in the past and will serve it in the future to respond to those changes so that the NRC is not the bottleneck to the evolution of the nuclear industry. That was essentially the thrust of our letter to Congress. We will be writing letter of a similar nature each year. We will try to coordinate with you on those, on producing those letters as best we can. CHAIRMAN JACKSON: Relative to what you just said, . 73 has the committee reviewed the Staff's proposed criteria for judging core capabilities? DR. POWERS: Certainly I have looked at them. We will in fact be reviewing them in a committee this afternoon with my presentations on that subject, and I think it is safe to say that we will have a vigorous discussion on those. CHAIRMAN JACKSON: I see. All right. Oh, I'm sorry, any questions? Commissioner McGaffigan? DR. SEALE: Well, I want to thank you very much for your time and your patience with the interest in our discussions and so on. I guess one last comment I would make of a substantial nature is that we try very hard to focus our interests or our questions on PRA, our treatment of PRA, on the benefits that will accrue to the NRC in its attention and expenditure of resources necessary to achieve the goals in the safety arena. We feel that the industry's benefits are the interest of these problems. Perhaps that's one reason we suggest that if we want to get some measure of industry benefit or the possible benefit to industry from PRA applications we should ask them to come up with those definitions, but we try not to get into that particular arena if we can. We think our emphasis is more appropriate on the NRC, how it does things. . 74 We again would like to thank you for your attention and your time, and if you have any questions, elaborating on any of the comments that have been made today, if you'll let our staff know, we'll try to get back to you. CHAIRMAN JACKSON: Let me make a few comments. Let me first thank you for another very informative briefing. You know, we focused on a number of issues that are related to regulatory effectiveness, and you can see that they're linked with our discussions on 5059 and related topics. So I'd encourage you, you know, as you continue to provide us with your perspective, that you be forward- looking in, you know, bringing developing concerns to the Commission's attention in order to help us be prepared for any future challenges. In that light I was particularly interested in the Committee's independent work on acceptance criteria for plant-specific application of safety goals, and deriving these lower-tier acceptance criteria, you know, is important from the point of view of consistency and traceability, and I hope you continue to pursue these and related activities in the future. I would also encourage you, to come back to a favorite topic, to take a close look at the adequacy of the guidance being provided by the staff relative to the use of . 75 uncertainty. DR. SEALE: Good. CHAIRMAN JACKSON: Versus point values in the decision-making process. You've heard comments from a number of us here. DR. SEALE: Good. CHAIRMAN JACKSON: These are issues to which the Commission and the staff continue to devote considerable time, and I think your involvement would be very helpful. Then finally, in closing, we expect to hear from the staff on the status of the various industry pilots with respect to the topics in question, graded QA, in-service inspection, service testing, and technical specifications, at next week's PRA implementation plan briefing. So unless my colleagues have any comments, we're adjourned. We'll take a break. We have another meeting that immediately follows. The break is 2 minutes. [Whereupon, at 10:49 a.m., the hearing was concluded.]
Privacy Policy |
Site Disclaimer |